Commit d66a8ac

petersawcschaufler
authored and committed
Smack: Inform peer that IPv6 traffic has been blocked
In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded.

Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
1 parent a07ef95 commit d66a8ac

1 file changed

+4
-0
lines changed

security/smack/smack_lsm.c

Lines changed: 4 additions & 0 deletions
@@ -28,6 +28,7 @@
2828
#include <linux/tcp.h>
2929
#include <linux/udp.h>
3030
#include <linux/dccp.h>
31+
#include <linux/icmpv6.h>
3132
#include <linux/slab.h>
3233
#include <linux/mutex.h>
3334
#include <linux/pipe_fs_i.h>
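Review bot: The new `#include <linux/icmpv6.h>` is unconditional, while the only use this patch makes of it sits inside the block closed by `#endif /* CONFIG_IPV6 */` in the second hunk. Please confirm the file still builds with IPv6 disabled, or say in the commit message that the header is safe to include in that configuration.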
@@ -4009,6 +4010,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
40094010
#ifdef SMACK_IPV6_PORT_LABELING
40104011
rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
40114012
#endif /* SMACK_IPV6_PORT_LABELING */
4013+
if (rc != 0)
4014+
icmpv6_send(skb, ICMPV6_DEST_UNREACH,
4015+
ICMPV6_ADM_PROHIBITED, 0);
40124016
break;
40134017
#endif /* CONFIG_IPV6 */
40144018
}
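Review bot: The `if (rc != 0)` check added before `break;` sends `ICMPV6_ADM_PROHIBITED` for every denied packet that reaches this case, but the commit message only motivates TCP, and the file also pulls in the UDP and DCCP headers. A short comment above the check should state that the reply is intended for all protocols handled here and that it tells the sender a policy rejected the packet rather than dropping it silently. Because the check sits after `#endif /* SMACK_IPV6_PORT_LABELING */`, it also acts on whatever value `rc` holds when that option is not defined, so the comment or commit message should say which earlier check sets `rc` in that configuration. It would also help to note whether this path relies on `icmpv6_send()` to limit how often replies go out, since each reply is triggered by traffic the peer controls.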
