A packet should be dropped by the firewall if reporting fails.
Tested by Brian Murrell with his SPF code to good effect.
This clears my patch queue,
Rusty.
--- linux/net/ipv4/ip_fw.c.~1~ Mon Dec 14 16:04:20 1998
+++ linux/net/ipv4/ip_fw.c Fri Dec 25 01:16:00 1998
@@ -505,7 +505,7 @@
printk("%s\n",chain->label);
}
-static inline void
+static inline int
ip_fw_domatch(struct ip_fwkernel *f,
struct iphdr *ip,
const char *rif,
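Review bot: The new `int` return of `ip_fw_domatch` has no stated contract at its definition, and the caller's `!ip_fw_domatch(...)` test is only readable once you know that 0 means "drop". A comment above the signature would cover it, for example `/* Returns 1 if the packet may continue, 0 if it must be dropped because the netlink report could not be built. */`. The function body continues outside this hunk, so any other exit paths should be checked to confirm they all return a value.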
@@ -546,9 +546,15 @@
len-(sizeof(__u32)*2+IFNAMSIZ));
netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_KERNEL);
}
- else duprintf("netlink post failed - alloc_skb failed!\n");
+ else {
+ if (net_ratelimit())
+ printk(KERN_WARNING "ip_fw: packet drop due to "
+ "netlink failure\n");
+ return 0;
+ }
}
#endif
+ return 1;
}
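Review bot: Only the `alloc_skb` failure branch fails closed here; the `netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_KERNEL);` call just above is still fire-and-forget, so a report that is allocated but never reaches a listener still lets the packet through. If the policy is "drop when reporting fails", that gap should at least be stated next to the call, e.g. `/* NOTE: delivery is not verified; only allocation failure drops the packet. */`, and closed if the broadcast can signal failure in this tree. Failing closed also means memory pressure now becomes packet loss on netlink-marked rules, so the rate-limited `KERN_WARNING` is the only operator-visible signal and is worth keeping distinctive. The start of the function lies outside this hunk.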
/*
@@ -691,9 +697,13 @@
for (; f; f = f->next) {
if (ip_rule_match(f,rif,ip,
tcpsyn,src_port,dst_port,offset)) {
- if (!testing)
- ip_fw_domatch(f, ip, rif, chain->label, skb,
- slot, src_port,dst_port);
+ if (!testing
+ && !ip_fw_domatch(f, ip, rif, chain->label,
+ skb, slot,
+ src_port, dst_port)) {
+ ret = FW_BLOCK;
+ goto out;
+ }
break;
}
}
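Review bot: The `ret = FW_BLOCK; goto out;` path overrides the matched rule's own target without any comment, so a reader sees a rule that says one thing and a packet that is dropped. A line above the assignment such as `/* Netlink report failed: fail closed rather than pass an unreported packet. */` would make the override explicit. Since the branch is guarded by `!testing`, a check request will still return the rule's normal verdict while live traffic may be blocked, which deserves a mention in the same comment. The code between this loop and the `out:` label is outside the hunk, so it is worth confirming that nothing skipped by the jump is needed for a blocked packet.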
@@ -755,6 +765,7 @@
}
} while (ret == FW_SKIP+2);
+ out:
if (!testing) FWC_READ_UNLOCK(&ip_fw_lock);
/* Recalculate checksum if not going to reject, and TOS changed. */
-- .sig lost in the mail.