netfilter: ipv6: propagate routing errors from ip6_route_me_harder()
authorPatrick McHardy <kaber@trash.net>
Fri, 5 Apr 2013 06:41:11 +0000 (06:41 +0000)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 8 Apr 2013 10:34:01 +0000 (12:34 +0200)
commit58e35d1471287c59b9749fb82f04c628c36b9994
treea09f82319c6a2599f8c0ab9f94913aa4faf58448
parentc9e1673a0accf086dfce9b501d8bcb4ec6bbc1e9
netfilter: ipv6: propagate routing errors from ip6_route_me_harder()

Propagate routing errors from ip_route_me_harder() when dropping a packet
using NF_DROP_ERR(). This makes userspace get the proper error instead of
EPERM for everything.

# ip -6 r a unreachable default table 100
# ip -6 ru add fwmark 0x1 lookup 100
# ip6tables -t mangle -A OUTPUT -d 2001:4860:4860::8888 -j MARK --set-mark 0x1

Old behaviour:

PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

New behaviour:

PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv6/netfilter.c
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_nat.c