diff options
-rw-r--r-- | include/linux/filter.h | 1 | ||||
-rw-r--r-- | include/net/sock.h | 35 | ||||
-rw-r--r-- | net/core/filter.c | 35 |
3 files changed, 36 insertions, 35 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h index bfc5d31..673e567 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -142,6 +142,7 @@ static inline unsigned int sk_filter_len(const struct sk_filter *fp) struct sk_buff; struct sock; +extern int sk_filter(struct sock *sk, struct sk_buff *skb); extern unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen); extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk); diff --git a/include/net/sock.h b/include/net/sock.h index f4fdd10..09255ea 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -928,41 +928,6 @@ extern void sk_common_release(struct sock *sk); extern void sock_init_data(struct socket *sock, struct sock *sk); /** - * sk_filter - run a packet through a socket filter - * @sk: sock associated with &sk_buff - * @skb: buffer to filter - * @needlock: set to 1 if the sock is not locked by caller. - * - * Run the filter code and then cut skb->data to correct size returned by - * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller - * than pkt_len we keep whole skb->data. This is the socket level - * wrapper to sk_run_filter. It returns 0 if the packet should - * be accepted or -EPERM if the packet should be tossed. - * - */ - -static inline int sk_filter(struct sock *sk, struct sk_buff *skb) -{ - int err; - struct sk_filter *filter; - - err = security_sock_rcv_skb(sk, skb); - if (err) - return err; - - rcu_read_lock_bh(); - filter = rcu_dereference(sk->sk_filter); - if (filter) { - unsigned int pkt_len = sk_run_filter(skb, filter->insns, - filter->len); - err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; - } - rcu_read_unlock_bh(); - - return err; -} - -/** * sk_filter_release: Release a socket filter * @sk: socket * @fp: filter to remove diff --git a/net/core/filter.c b/net/core/filter.c index 85a5feb..bbb53c6 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -64,6 +64,41 @@ static inline void *load_pointer(struct sk_buff *skb, int k, } /** + * sk_filter - run a packet through a socket filter + * @sk: sock associated with &sk_buff + * @skb: buffer to filter + * @needlock: set to 1 if the sock is not locked by caller. + * + * Run the filter code and then cut skb->data to correct size returned by + * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller + * than pkt_len we keep whole skb->data. This is the socket level + * wrapper to sk_run_filter. It returns 0 if the packet should + * be accepted or -EPERM if the packet should be tossed. + * + */ +int sk_filter(struct sock *sk, struct sk_buff *skb) +{ + int err; + struct sk_filter *filter; + + err = security_sock_rcv_skb(sk, skb); + if (err) + return err; + + rcu_read_lock_bh(); + filter = rcu_dereference(sk->sk_filter); + if (filter) { + unsigned int pkt_len = sk_run_filter(skb, filter->insns, + filter->len); + err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; + } + rcu_read_unlock_bh(); + + return err; +} +EXPORT_SYMBOL(sk_filter); + +/** * sk_run_filter - run a filter on a socket * @skb: buffer to run the filter on * @filter: filter to apply |