mirror of https://github.com/OpenIPC/firmware.git
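diff -drupN a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c 2018-08-06 17:23:04.000000000 +0300
+++ b/net/ipv4/ip_output.c 2022-06-12 05:28:14.000000000 +0300
@@ -74,6 +74,7 @@
 #include <net/checksum.h>
 #include <net/inetpeer.h>
 #include <net/lwtunnel.h>
+#include <linux/bpf-cgroup.h>
 #include <linux/igmp.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_bridge.h>
@@ -287,6 +288,13 @@ static int ip_finish_output_gso(struct n
 static int ip_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 unsigned int mtu;
+ int ret;
+
+ ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+ if (ret) {
+ kfree_skb(skb);
+ return ret;
+ }
 
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
 /* Policy lookup after SNAT yielded a new policy */
@@ -305,6 +313,20 @@ static int ip_finish_output(struct net *
 return ip_finish_output2(net, sk, skb);
 }
 
+static int ip_mc_finish_output(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
+{
+ int ret;
+
+ ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+ if (ret) {
+ kfree_skb(skb);
+ return ret;
+ }
+
+ return dev_loopback_xmit(net, sk, skb);
+}
+
 int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 struct rtable *rt = skb_rtable(skb);
@@ -342,7 +364,7 @@ int ip_mc_output(struct net *net, struct
 if (newskb)
 NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
 net, sk, newskb, NULL, newskb->dev,
- dev_loopback_xmit);
+ ip_mc_finish_output);
 }
 
 /* Multicasts with ttl 0 must not go beyond the host */
@@ -358,7 +380,7 @@ int ip_mc_output(struct net *net, struct
 if (newskb)
 NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
 net, sk, newskb, NULL, newskb->dev,
- dev_loopback_xmit);
+ ip_mc_finish_output);
 }
 
 return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
@@ -1600,7 +1622,8 @@ void ip_send_unicast_reply(struct sock *
 RT_SCOPE_UNIVERSE, ip_hdr(skb)->protocol,
 ip_reply_arg_flowi_flags(arg),
 daddr, saddr,
- tcp_hdr(skb)->source, tcp_hdr(skb)->dest);
+ tcp_hdr(skb)->source, tcp_hdr(skb)->dest,
+ arg->uid);
 security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
 rt = ip_route_output_key(net, &fl4);
 if (IS_ERR(rt))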
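Review bot: The deny path added to `ip_finish_output` and repeated in the new `ip_mc_finish_output` frees the skb and returns `ret` without bumping any counter, so packets rejected by a cgroup egress program leave nothing for an operator to observe. For the multicast loopback copy the drop is entirely silent, because both `NF_HOOK(...)` call sites in `ip_mc_output` are bare statements that discard the return value. Consider counting the drop before the free, e.g. `IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);` ahead of `kfree_skb(skb);` in both blocks, so policy drops show up in the IP statistics. The new function would also benefit from a one-line comment such as `/* Run the cgroup egress program on the looped-back multicast copy; frees skb on deny. */`. The body of `ip_finish_output` continues outside its hunk, and the `arg->uid` argument in the last hunk depends on a `flowi4_init_output()` signature and an `ip_reply_arg` field that this patch does not show.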