1 --- a/include/linux/netfilter_ipv4/ip_conntrack.h
2 +++ b/include/linux/netfilter_ipv4/ip_conntrack.h
3 @@ -226,6 +226,9 @@ struct ip_conntrack
4 unsigned int app_data_len;
7 +#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
12 /* get master conntrack via master expectation */
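Review bot: The new `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)` member block at L5 goes into `struct ip_conntrack` without any comment on what the mark holds or who writes it; the field declaration itself is not visible in this rendering. A one-line comment would orient readers, e.g. `/* connection mark: written by the CONNMARK target, tested by the connmark match, copied to expected connections in init_conntrack() */`, all of which is visible elsewhere in this series (ipt_CONNMARK.c, ipt_connmark.c, ip_conntrack_core.c). The struct continues outside the hunk.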
14 +++ b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
16 +#ifndef _IPT_CONNMARK_H_target
17 +#define _IPT_CONNMARK_H_target
19 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
20 + * by Henrik Nordstrom <hno@marasystems.com>
22 + * This program is free software; you can redistribute it and/or modify
23 + * it under the terms of the GNU General Public License as published by
24 + * the Free Software Foundation; either version 2 of the License, or
25 + * (at your option) any later version.
29 + IPT_CONNMARK_SET = 0,
31 + IPT_CONNMARK_RESTORE
34 +struct ipt_connmark_target_info {
40 +#endif /*_IPT_CONNMARK_H_target*/
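Review bot: The mode enum at L16–L17 (`IPT_CONNMARK_SET`, `IPT_CONNMARK_RESTORE`, with the SAVE constant between them not shown here) carries no description of what each mode does; the semantics live only in the switch in ipt_CONNMARK.c. Suggest trailing comments: `IPT_CONNMARK_SET = 0, /* ct mark = (ct mark & ~mask) | mark */`, `IPT_CONNMARK_SAVE, /* ct mark = (ct mark & ~mask) | (skb nfmark & mask) */`, `IPT_CONNMARK_RESTORE /* skb nfmark takes the masked bits of ct mark; mangle table only */`. The body of `struct ipt_connmark_target_info` at L18 is not visible in this rendering, so its fields are not reviewed here.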
42 +++ b/include/linux/netfilter_ipv4/ipt_connmark.h
44 +#ifndef _IPT_CONNMARK_H
45 +#define _IPT_CONNMARK_H
47 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
48 + * by Henrik Nordstrom <hno@marasystems.com>
50 + * This program is free software; you can redistribute it and/or modify
51 + * it under the terms of the GNU General Public License as published by
52 + * the Free Software Foundation; either version 2 of the License, or
53 + * (at your option) any later version.
56 +struct ipt_connmark_info {
57 + unsigned long mark, mask;
61 +#endif /*_IPT_CONNMARK_H*/
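Review bot: `unsigned long mark, mask;` at L30 ties the layout of `struct ipt_connmark_info`, which userspace iptables hands to the kernel as match data, to the compiler's word size, so a 32-bit iptables binary talking to a 64-bit kernel would disagree with the size check `matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info))` in checkentry (L202) and the rule would be rejected or mis-parsed. The code elsewhere treats skb->nfmark as `unsigned long` (L144), so the type may be a deliberate match; if a fixed-width type is acceptable, `u_int32_t mark, mask;` would remove the dependence. The same question applies to `struct ipt_connmark_target_info` at L18, whose fields are not shown in this rendering.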
62 --- a/net/ipv4/netfilter/Config.in
63 +++ b/net/ipv4/netfilter/Config.in
64 @@ -6,7 +6,8 @@ comment ' IP: Netfilter Configuration'
66 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
67 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
68 - dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
69 + bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
70 + dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACKa
71 dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
72 dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
73 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
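Review bot: L39 rewrites the FTP helper's dependency from `$CONFIG_IP_NF_CONNTRACK` to `$CONFIG_IP_NF_CONNTRACKa`, an undefined variable, although the hunk only meant to insert the CONNTRACK_MARK bool above it. With the dependency expanding to empty, dep_tristate no longer restricts CONFIG_IP_NF_FTP to a module when connection tracking is a module, so the FTP helper could be configured built-in against a modular ip_conntrack. Restore the line to `dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK`.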
74 @@ -42,6 +43,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
75 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
76 dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
77 dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
78 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
79 + dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
82 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
83 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
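Review bot: The new connmark match entry at L48 depends only on `$CONFIG_IP_NF_IPTABLES`, while the state and conntrack matches directly above it (L45–L46) also list `$CONFIG_IP_NF_CONNTRACK`; the CONNMARK target at L55 in the next hunk has the same omission. ipt_connmark.c and ipt_CONNMARK.c both call ip_conntrack_get(), so allowing a built-in match or target with a modular ip_conntrack would leave that symbol unresolved at link time. Suggest `dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES` and the same extra dependency on L55. The `fi` closing the new `if` block is not visible in this rendering.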
84 @@ -126,6 +130,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
85 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
86 dep_tristate ' CLASSIFY target support (EXPERIMENTAL)' CONFIG_IP_NF_TARGET_CLASSIFY $CONFIG_IP_NF_MANGLE
88 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
89 + dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
91 dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
92 dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
93 dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
94 --- a/net/ipv4/netfilter/Makefile
95 +++ b/net/ipv4/netfilter/Makefile
96 @@ -93,6 +93,7 @@ obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_
98 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
99 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
100 +obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
101 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
102 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
103 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
104 @@ -111,6 +112,7 @@ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += i
105 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
106 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
107 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
108 +obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
109 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
110 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
111 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
112 --- a/net/ipv4/netfilter/ip_conntrack_core.c
113 +++ b/net/ipv4/netfilter/ip_conntrack_core.c
114 @@ -754,6 +754,9 @@ init_conntrack(const struct ip_conntrack
115 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
116 conntrack->master = expected;
117 expected->sibling = conntrack;
118 +#ifdef CONFIG_IP_NF_CONNTRACK_MARK
119 + conntrack->mark = expected->expectant->mark;
121 LIST_DELETE(&ip_conntrack_expect_list, expected);
122 expected->expectant->expecting--;
123 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
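Review bot: The guard at L82 uses `#ifdef CONFIG_IP_NF_CONNTRACK_MARK`, whereas the other new guards in this series (ip_conntrack.h L5, ip_conntrack_standalone.c L93) use `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)`; pick one form for the whole feature. The copy at L83 also deserves a why-comment, since nothing else in init_conntrack() explains it, e.g. `/* an expected connection starts with its master's mark */`. init_conntrack() continues outside the hunk and the matching `#endif` is not shown in this rendering.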
124 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c
125 +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
126 @@ -107,6 +107,9 @@ print_conntrack(char *buffer, struct ip_
127 len += sprintf(buffer + len, "[ASSURED] ");
128 len += sprintf(buffer + len, "use=%u ",
129 atomic_read(&conntrack->ct_general.use));
130 + #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
131 + len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
134 #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
135 if(conntrack->layer7.app_proto)
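Review bot: L94 prints `conntrack->mark` with `%ld`, but the mark is handled as an `unsigned long` everywhere else in this series (ipt_connmark.h L30, the `newmark` arithmetic in ipt_CONNMARK.c), so a mark with the top bit set would appear negative in /proc and `-Wformat` would flag the mismatch; use `"mark=%lu "`. The directive at L93 is also indented, unlike the `#if defined(...)` at L95; kernel style keeps preprocessor directives at column 0. The `#endif` that closes the new block is not visible in this rendering.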
137 +++ b/net/ipv4/netfilter/ipt_CONNMARK.c
139 +/* This kernel module is used to modify the connection mark values, or
140 + * to optionally restore the skb nfmark from the connection mark
142 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
143 + * by Henrik Nordstrom <hno@marasystems.com>
145 + * This program is free software; you can redistribute it and/or modify
146 + * it under the terms of the GNU General Public License as published by
147 + * the Free Software Foundation; either version 2 of the License, or
148 + * (at your option) any later version.
150 + * This program is distributed in the hope that it will be useful,
151 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
152 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
153 + * GNU General Public License for more details.
155 + * You should have received a copy of the GNU General Public License
156 + * along with this program; if not, write to the Free Software
157 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
159 +#include <linux/module.h>
160 +#include <linux/skbuff.h>
161 +#include <linux/ip.h>
162 +#include <net/checksum.h>
164 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
165 +MODULE_DESCRIPTION("IP tables CONNMARK matching module");
166 +MODULE_LICENSE("GPL");
168 +#include <linux/netfilter_ipv4/ip_tables.h>
169 +#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
170 +#include <linux/netfilter_ipv4/ip_conntrack.h>
173 +target(struct sk_buff **pskb,
174 + unsigned int hooknum,
175 + const struct net_device *in,
176 + const struct net_device *out,
177 + const void *targinfo,
180 + const struct ipt_connmark_target_info *markinfo = targinfo;
181 + unsigned long diff;
182 + unsigned long nfmark;
183 + unsigned long newmark;
185 + enum ip_conntrack_info ctinfo;
186 + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
188 + switch(markinfo->mode) {
189 + case IPT_CONNMARK_SET:
190 + newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
191 + if (newmark != ct->mark)
192 + ct->mark = newmark;
194 + case IPT_CONNMARK_SAVE:
195 + newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
196 + if (ct->mark != newmark)
197 + ct->mark = newmark;
199 + case IPT_CONNMARK_RESTORE:
200 + nfmark = (*pskb)->nfmark;
201 + diff = (ct->mark ^ nfmark & markinfo->mask);
203 + (*pskb)->nfmark = nfmark ^ diff;
204 + (*pskb)->nfcache |= NFC_ALTERED;
210 + return IPT_CONTINUE;
214 +checkentry(const char *tablename,
215 + const struct ipt_entry *e,
217 + unsigned int targinfosize,
218 + unsigned int hook_mask)
220 + struct ipt_connmark_target_info *matchinfo = targinfo;
221 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
222 + printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
224 + IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
228 + if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
229 + if (strcmp(tablename, "mangle") != 0) {
230 + printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
238 +static struct ipt_target ipt_connmark_reg = {
239 + .name = "CONNMARK",
241 + .checkentry = &checkentry,
245 +static int __init init(void)
247 + return ipt_register_target(&ipt_connmark_reg);
250 +static void __exit fini(void)
252 + ipt_unregister_target(&ipt_connmark_reg);
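Review bot: target() dereferences `ct` at L136–L145 without checking the return of `ip_conntrack_get()` at L133, which is NULL for a packet that carries no conntrack entry, so such a packet reaching a CONNMARK rule would dereference NULL in the kernel; add `if (!ct) return IPT_CONTINUE;` after L133. The same unchecked dereference is in match() in ipt_connmark.c (L196–L197), where `if (!ct) return 0;` is the equivalent guard. Separately, L145 `diff = (ct->mark ^ nfmark & markinfo->mask);` binds `&` before `^`, so at L146 the nfmark bits outside the mask are XORed with the corresponding ct->mark bits instead of being preserved; the intended expression is `diff = (ct->mark ^ nfmark) & markinfo->mask;`. checkentry at L157 validates the table only for RESTORE and does not reject an unrecognised `mode` value supplied from userspace, which would then silently fall through the switch (its default branch is not shown). The `break` lines between the cases and the end of the file are not visible in this rendering.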
258 +++ b/net/ipv4/netfilter/ipt_connmark.c
260 +/* This kernel module matches connection mark values set by the
263 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
264 + * by Henrik Nordstrom <hno@marasystems.com>
266 + * This program is free software; you can redistribute it and/or modify
267 + * it under the terms of the GNU General Public License as published by
268 + * the Free Software Foundation; either version 2 of the License, or
269 + * (at your option) any later version.
271 + * This program is distributed in the hope that it will be useful,
272 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
273 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
274 + * GNU General Public License for more details.
276 + * You should have received a copy of the GNU General Public License
277 + * along with this program; if not, write to the Free Software
278 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
281 +#include <linux/module.h>
282 +#include <linux/skbuff.h>
284 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
285 +MODULE_DESCRIPTION("IP tables connmark match module");
286 +MODULE_LICENSE("GPL");
288 +#include <linux/netfilter_ipv4/ip_tables.h>
289 +#include <linux/netfilter_ipv4/ipt_connmark.h>
290 +#include <linux/netfilter_ipv4/ip_conntrack.h>
293 +match(const struct sk_buff *skb,
294 + const struct net_device *in,
295 + const struct net_device *out,
296 + const void *matchinfo,
302 + const struct ipt_connmark_info *info = matchinfo;
303 + enum ip_conntrack_info ctinfo;
304 + struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
308 + return ((ct->mark & info->mask) == info->mark) ^ info->invert;
312 +checkentry(const char *tablename,
313 + const struct ipt_ip *ip,
315 + unsigned int matchsize,
316 + unsigned int hook_mask)
318 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
324 +static struct ipt_match connmark_match = {
325 + .name = "connmark",
327 + .checkentry = &checkentry,
331 +static int __init init(void)
333 + return ipt_register_match(&connmark_match);
336 +static void __exit fini(void)
338 + ipt_unregister_match(&connmark_match);