tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: use actual socket sk for REJECT action
True to the message of commit v5.10-rc1-105-g46d6c5ae953c, _do_
actually make use of state->sk when possible, such as in the REJECT
modules.
Reported-by: Minqiang Chen <ptpt52@gmail.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
authored by
Jan Engelhardt
and committed by
Pablo Neira Ayuso
04295878
f7583f02
+21
-16
+2
-2
include/net/netfilter/ipv4/nf_reject.h
+2
-2
include/net/netfilter/ipv4/nf_reject.h
···
8
8
#include <net/netfilter/nf_reject.h>
9
9
10
10
void nf_send_unreach(struct sk_buff *skb_in, int code, int hook);
11
-
void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook);
12
-
11
+
void nf_send_reset(struct net *net, struct sock *, struct sk_buff *oldskb,
12
+
int hook);
13
13
const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
14
14
struct tcphdr *_oth, int hook);
15
15
struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
+2
-3
include/net/netfilter/ipv6/nf_reject.h
+2
-3
include/net/netfilter/ipv6/nf_reject.h
···
7
7
8
8
void nf_send_unreach6(struct net *net, struct sk_buff *skb_in, unsigned char code,
9
9
unsigned int hooknum);
10
-
11
-
void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook);
12
-
10
+
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
11
+
int hook);
13
12
const struct tcphdr *nf_reject_ip6_tcphdr_get(struct sk_buff *oldskb,
14
13
struct tcphdr *otcph,
15
14
unsigned int *otcplen, int hook);
+2
-1
net/ipv4/netfilter/ipt_REJECT.c
+2
-1
net/ipv4/netfilter/ipt_REJECT.c
+3
-3
net/ipv4/netfilter/nf_reject_ipv4.c
+3
-3
net/ipv4/netfilter/nf_reject_ipv4.c
···
234
234
}
235
235
236
236
/* Send RST reply */
237
-
void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
237
+
void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
238
+
int hook)
238
239
{
239
240
struct net_device *br_indev __maybe_unused;
240
241
struct sk_buff *nskb;
···
268
267
niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
269
268
ip4_dst_hoplimit(skb_dst(nskb)));
270
269
nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
271
-
272
-
if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC))
270
+
if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC))
273
271
goto free_nskb;
274
272
275
273
niph = ip_hdr(nskb);
+2
-1
net/ipv4/netfilter/nft_reject_ipv4.c
+2
-1
net/ipv4/netfilter/nft_reject_ipv4.c
+1
-1
net/ipv6/netfilter/ip6t_REJECT.c
+1
-1
net/ipv6/netfilter/ip6t_REJECT.c
+3
-2
net/ipv6/netfilter/nf_reject_ipv6.c
+3
-2
net/ipv6/netfilter/nf_reject_ipv6.c
···
275
275
return 0;
276
276
}
277
277
278
-
void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
278
+
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
279
+
int hook)
279
280
{
280
281
struct net_device *br_indev __maybe_unused;
281
282
struct sk_buff *nskb;
···
368
367
dev_queue_xmit(nskb);
369
368
} else
370
369
#endif
371
-
ip6_local_out(net, nskb->sk, nskb);
370
+
ip6_local_out(net, sk, nskb);
372
371
}
373
372
EXPORT_SYMBOL_GPL(nf_send_reset6);
374
373
+2
-1
net/ipv6/netfilter/nft_reject_ipv6.c
+2
-1
net/ipv6/netfilter/nft_reject_ipv6.c
+4
-2
net/netfilter/nft_reject_inet.c
+4
-2
net/netfilter/nft_reject_inet.c
···
28
28
nft_hook(pkt));
29
29
break;
30
30
case NFT_REJECT_TCP_RST:
31
-
nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt));
31
+
nf_send_reset(nft_net(pkt), pkt->xt.state->sk,
32
+
pkt->skb, nft_hook(pkt));
32
33
break;
33
34
case NFT_REJECT_ICMPX_UNREACH:
34
35
nf_send_unreach(pkt->skb,
···
45
44
priv->icmp_code, nft_hook(pkt));
46
45
break;
47
46
case NFT_REJECT_TCP_RST:
48
-
nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
47
+
nf_send_reset6(nft_net(pkt), pkt->xt.state->sk,
48
+
pkt->skb, nft_hook(pkt));
49
49
break;
50
50
case NFT_REJECT_ICMPX_UNREACH:
51
51
nf_send_unreach6(nft_net(pkt), pkt->skb,