From: Menglong Dong <imagedong@tencent.com>
Add skb drop reasons to tcp_v4_route_req() and tcp_v6_route_req().
Also add a new reason, SKB_DROP_REASON_LSM, which is used when an
skb is dropped by an LSM.
Signed-off-by: Menglong Dong <imagedong@tencent.com>
---
include/net/dropreason.h | 5 +++++
net/ipv4/tcp_ipv4.c | 11 +++++++++--
net/ipv6/tcp_ipv6.c | 11 +++++++++--
3 files changed, 23 insertions(+), 4 deletions(-)
@@ -74,6 +74,7 @@
FN(TCP_REQQFULLDROP) \
FN(TCP_ABORTONDATA) \
FN(TCP_ABORTONLINGER) \
+ FN(LSM) \
FNe(MAX)
/**
@@ -336,6 +337,10 @@ enum skb_drop_reason {
* LINUX_MIB_TCPABORTONLINGER
*/
SKB_DROP_REASON_TCP_ABORTONLINGER,
+ /**
+ * @SKB_DROP_REASON_LSM: dropped by LSM
+ */
+ SKB_DROP_REASON_LSM,
/**
* @SKB_DROP_REASON_MAX: the maximum of drop reason, which shouldn't be
* used as a real 'reason'
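Review bot: The kernel-doc for SKB_DROP_REASON_LSM says only "dropped by LSM", which leaves someone reading a drop trace unsure what kind of denial it stands for. In this patch the reason is set only where security_inet_conn_request() rejects a connection request, so I would spell that out: `@SKB_DROP_REASON_LSM: dropped because a Linux Security Module hook (e.g. security_inet_conn_request()) denied the packet`. The enum body starts and ends outside this hunk.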
@@ -1447,12 +1447,19 @@ static struct dst_entry *tcp_v4_route_req(const struct sock *sk,
struct flowi *fl,
struct request_sock *req)
{
+ struct dst_entry *dst;
+
tcp_v4_init_req(req, sk, skb);
- if (security_inet_conn_request(sk, skb, req))
+ if (security_inet_conn_request(sk, skb, req)) {
+ TCP_SKB_DR(skb, LSM);
return NULL;
+ }
- return inet_csk_route_req(sk, &fl->u.ip4, req);
+ dst = inet_csk_route_req(sk, &fl->u.ip4, req);
+ if (!dst)
+ TCP_SKB_DR(skb, IP_OUTNOROUTES);
+ return dst;
}
struct request_sock_ops tcp_request_sock_ops __read_mostly = {
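Review bot: The new `if (!dst)` branch records IP_OUTNOROUTES for every NULL returned by inet_csk_route_req(), and the tcp_v6_route_req() hunk does the same for inet6_csk_route_req(). Both helpers are defined outside this patch, so it is not visible here whether NULL always means a missing route. If a lookup can also fail for a policy reason (an IPsec policy lookup, for example), that drop would be reported as a routing problem and mislead whoever triages it. Please confirm the helpers' failure paths, and if the reason is intentionally coarse, say so at the call site, e.g. `/* any route lookup failure is reported as IP_OUTNOROUTES */`. TCP_SKB_DR() is also not defined in this patch, so whether the caller later overwrites the reason it stores cannot be checked from here.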
@@ -823,12 +823,19 @@ static struct dst_entry *tcp_v6_route_req(const struct sock *sk,
struct flowi *fl,
struct request_sock *req)
{
+ struct dst_entry *dst;
+
tcp_v6_init_req(req, sk, skb);
- if (security_inet_conn_request(sk, skb, req))
+ if (security_inet_conn_request(sk, skb, req)) {
+ TCP_SKB_DR(skb, LSM);
return NULL;
+ }
- return inet6_csk_route_req(sk, &fl->u.ip6, req, IPPROTO_TCP);
+ dst = inet6_csk_route_req(sk, &fl->u.ip6, req, IPPROTO_TCP);
+ if (!dst)
+ TCP_SKB_DR(skb, IP_OUTNOROUTES);
+ return dst;
}
struct request_sock_ops tcp6_request_sock_ops __read_mostly = {