netfilter: allow hooks to pass error code back up the stack SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: da6836500414ae734cd9873c2d553db594f831e9 [log] [tgz]
author: Eric Paris <eparis@redhat.com> Tue Nov 16 11:52:38 2010 +0000
committer: David S. Miller <davem@davemloft.net> Wed Nov 17 10:54:34 2010 -0800
tree: 1661f8ec37787e77e604a4f26574d48c57016ed4
parent: 37d668004289d202f71dc5bfdadf6c18b34577a2 [diff] [blame]
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85dabb8..32fcbe2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c

@@ -173,9 +173,11 @@
 			     outdev, &elem, okfn, hook_thresh);
 	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 		ret = 1;
-	} else if (verdict == NF_DROP) {
+	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
 		kfree_skb(skb);
-		ret = -EPERM;
+		ret = -(verdict >> NF_VERDICT_BITS);
+		if (ret == 0)
+			ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
 		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
 			      verdict >> NF_VERDICT_BITS))
commit	da6836500414ae734cd9873c2d553db594f831e9	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Tue Nov 16 11:52:38 2010 +0000
committer	David S. Miller <davem@davemloft.net>	Wed Nov 17 10:54:34 2010 -0800
tree	1661f8ec37787e77e604a4f26574d48c57016ed4
parent	37d668004289d202f71dc5bfdadf6c18b34577a2 [diff] [blame]