From 1898df7d6a35967972bae412994623a8d7c262cd Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Wed, 16 Sep 2015 14:58:08 +0200 Subject: [PATCH RFC 4/4] net: tcp_ipv4, udp_ipv4: hook up post demux netfilter chains Run the POST_DEMUX netfilter chain rules after the destination socket has been looked up. Signed-off-by: Daniel Mack --- net/ipv4/tcp_ipv4.c | 8 ++++++++ net/ipv4/udp.c | 15 +++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 93898e0..33f968e 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -78,6 +78,7 @@ #include #include +#include #include #include #include @@ -1594,6 +1595,13 @@ int tcp_v4_rcv(struct sk_buff *skb) if (!sk) goto no_tcp_socket; + ret = nf_hook(NFPROTO_IPV4, NF_INET_POST_DEMUX, sk, + skb, skb->dev, NULL, NULL); + if (ret != 1) { + sock_put(sk); + return 0; + } + process: if (sk->sk_state == TCP_TIME_WAIT) goto do_time_wait; diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index c0a15e7..0056c20 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -97,6 +97,7 @@ #include #include #include +#include #include #include #include @@ -1632,7 +1633,14 @@ static void flush_stack(struct sock **stack, unsigned int count, struct sock *sk; for (i = 0; i < count; i++) { + int ret; sk = stack[i]; + + ret = nf_hook(NFPROTO_IPV4, NF_INET_POST_DEMUX, sk, + skb, skb->dev, NULL, NULL); + if (ret != 1) + continue; + if (likely(!skb1)) skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); @@ -1819,6 +1827,13 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, if (sk) { int ret; + ret = nf_hook(NFPROTO_IPV4, NF_INET_POST_DEMUX, sk, + skb, skb->dev, NULL, NULL); + if (ret != 1) { + sock_put(sk); + return 0; + } + if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk)) skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check, inet_compute_pseudo); -- 2.5.0
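Review bot: In the tcp_v4_rcv() hunk the new nf_hook() call sits above the `process:` label, so it runs before the `sk->sk_state == TCP_TIME_WAIT` check and can be handed a socket in TIME_WAIT, which is presumably a time-wait minisocket rather than a full `struct sock`. The drop path then releases it with `sock_put(sk)`, which looks like the wrong release for such an entry; together these are type-confusion and refcount hazards on a path fed directly by remote packets. Moving the hook below the TIME_WAIT test would avoid both. If time-wait entries must be filtered as well, the release should be `sock_gen_put(sk)` and rules on this chain must not touch full-socket fields. Any `goto process` elsewhere in the function would skip the hook; the body continues outside the hunk, so check this against the full file.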
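Review bot: In the flush_stack() hunk the hook runs on the shared `skb` once per socket in `stack[]`, yet the other two call sites in this patch return without freeing the buffer when `ret != 1`, which implies nf_hook() has already consumed it. After such a verdict for one receiver, the loop continues and reuses the same `skb` for the next hook call and for `skb_clone(skb, GFP_ATOMIC)`, which would be a use-after-free on a datagram delivered to several sockets. The hook should instead run on the per-receiver buffer once it is known to be non-NULL, e.g. `ret = nf_hook(NFPROTO_IPV4, NF_INET_POST_DEMUX, sk, skb1, skb1->dev, NULL, NULL);` followed by `if (ret != 1) { skb1 = NULL; continue; }`. The rest of the loop, including the clone-failure handling, lies outside the hunk and needs checking against this ordering.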
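Review bot: All three call sites, here in __udp4_lib_rcv() and in the tcp_v4_rcv() and flush_stack() hunks, pass `NULL` as the continuation (last argument) while treating every result other than 1 as "buffer gone". That covers queue verdicts as well as drops, and a packet that is queued and later re-injected would have no function to resume in; as far as I know the reinjection path calls the stored okfn unconditionally, so this would be a NULL call in softirq context. Either the POST_DEMUX hook should reject queue verdicts, or each site needs a real continuation. A short comment at the drop path would also help, e.g. `/* skb consumed by the hook; only the socket reference is still ours */`. Only this lookup site of __udp4_lib_rcv() is visible in the hunk, so confirm that any other delivery path in the function passes through the hook too.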