author | Piotr Sawicki <p.sawicki2@partner.samsung.com> | 2018-07-19 11:47:31 +0200 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2018-07-23 13:00:03 -0700 |
commit | d66a8acbda926fa2398ae930f50787e8663bce96 (patch) | |
tree | 86c47de8e48fc66af59fc673c440d7895e08d6b0 /security | |
parent | a07ef9516477aef2d052d75129a48f9f94d3b3f3 (diff) |
Smack: Inform peer that IPv6 traffic has been blocked
In this patch we're sending an ICMPv6 message to a peer to
immediately inform it that making a connection is not possible.
In case of TCP connections, without this change, the peer
will be waiting until a connection timeout is exceeded.
Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/smack/smack_lsm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index aff8397e8c7e..91750205a5de 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -4009,6 +4010,9 @@ access_check:
 #ifdef SMACK_IPV6_PORT_LABELING
 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+ if (rc != 0)
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+ ICMPV6_ADM_PROHIBITED, 0);
 break;
 #endif /* CONFIG_IPV6 */
 } |
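Review bot: The added `if (rc != 0)` branch in the second hunk makes a Smack denial observable to the remote sender, and nothing in the hunk records that trade-off against the previous silent drop. A comment above the branch would help the next maintainer, for example `/* Denied by Smack: notify the peer instead of letting it time out; this reveals that a filter is in place. */`. The branch also treats every non-zero rc as a policy denial; whether the preceding check can return other error codes is not visible here, so it is worth confirming that "administratively prohibited" is the right answer for all of them. Only the IPv6 case is touched in this hunk, so the IPv4 path presumably still drops silently unless it is handled elsewhere. The enclosing function starts and ends outside the hunk.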