1 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
2 ===================================================================
3 --- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.392204515 +0100
4 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:07.552270623 +0100
6 unsigned int app_data_len;
9 +#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
14 /* get master conntrack via master expectation */
15 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_CONNMARK.h
16 ===================================================================
17 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
18 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2007-12-15 05:20:07.556270849 +0100
20 +#ifndef _IPT_CONNMARK_H_target
21 +#define _IPT_CONNMARK_H_target
23 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
24 + * by Henrik Nordstrom <hno@marasystems.com>
26 + * This program is free software; you can redistribute it and/or modify
27 + * it under the terms of the GNU General Public License as published by
28 + * the Free Software Foundation; either version 2 of the License, or
29 + * (at your option) any later version.
33 + IPT_CONNMARK_SET = 0,
35 + IPT_CONNMARK_RESTORE
38 +struct ipt_connmark_target_info {
44 +#endif /*_IPT_CONNMARK_H_target*/
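Review bot: The three modes at gutter 33-35 are exported to userspace without a word on what each does, and the struct that follows is equally bare, so a reader has to open ipt_CONNMARK.c to learn the contract. Going by the target's implementation in this patch, SET writes `(ct->mark & ~mask) | mark` into the connection, SAVE copies the skb nfmark bits selected by `mask` into the connection, and RESTORE copies the connection's bits selected by `mask` into the skb nfmark. A three-line comment above the enum stating that, one line per mode in the style `/* IPT_CONNMARK_SET: set masked bits of the conntrack mark from 'mark' */`, is enough. The struct's field list (gutter 39-43) is not shown in the hunk.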
45 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_connmark.h
46 ===================================================================
47 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
48 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_connmark.h 2007-12-15 05:20:07.564271306 +0100
50 +#ifndef _IPT_CONNMARK_H
51 +#define _IPT_CONNMARK_H
53 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
54 + * by Henrik Nordstrom <hno@marasystems.com>
56 + * This program is free software; you can redistribute it and/or modify
57 + * it under the terms of the GNU General Public License as published by
58 + * the Free Software Foundation; either version 2 of the License, or
59 + * (at your option) any later version.
62 +struct ipt_connmark_info {
63 + unsigned long mark, mask;
67 +#endif /*_IPT_CONNMARK_H*/
68 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
69 ===================================================================
70 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:07.284255349 +0100
71 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:07.568271536 +0100
74 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
75 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
76 - dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
77 + bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
78 + dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACKa
79 dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
80 dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
81 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
83 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
84 dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
85 dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
86 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
87 + dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
90 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
91 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
94 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
96 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
97 + dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
99 dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
100 dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
101 dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
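Review bot: The re-added FTP line at gutter 78 ends in `$CONFIG_IP_NF_CONNTRACKa`, a stray character appended to the dependency variable that the removed line 76 referenced correctly; in the 2.4 Config.in language an unset variable expands to nothing, so the FTP helper would presumably lose its conntrack dependency altogether. Restore it as `dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK`. The two CONNMARK lines at gutter 87 and 97 list only `$CONFIG_IP_NF_IPTABLES`, whereas the neighbouring conntrack-dependent matches at gutter 84-85 also list `$CONFIG_IP_NF_CONNTRACK`; both new modules call into conntrack, so listing it there too would keep the build-mode constraint consistent unless the enclosing `CONNTRACK_MARK` bool test is considered sufficient on its own.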
102 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
103 ===================================================================
104 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:07.288255579 +0100
105 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:07.568271536 +0100
108 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
109 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
110 +obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
111 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
112 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
113 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
115 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
116 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
117 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
118 +obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
119 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
120 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
121 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
122 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
123 ===================================================================
124 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.772226171 +0100
125 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:07.568271536 +0100
127 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
128 conntrack->master = expected;
129 expected->sibling = conntrack;
130 +#ifdef CONFIG_IP_NF_CONNTRACK_MARK
131 + conntrack->mark = expected->expectant->mark;
133 LIST_DELETE(&ip_conntrack_expect_list, expected);
134 expected->expectant->expecting--;
135 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
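Review bot: The guard at gutter 130 is spelled `#ifdef CONFIG_IP_NF_CONNTRACK_MARK` while the same patch uses `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)` in ip_conntrack.h and ip_conntrack_standalone.c; the two are equivalent for a bool option, but one spelling across the patch is easier to grep for. The assignment at gutter 131 also deserves a why-comment, since it is the only visible place where a mark moves from one connection to another: `/* a connection created from an expectation inherits its master's mark */`. The `#endif` and the enclosing function are not shown in the hunk.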
136 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
137 ===================================================================
138 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100
139 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:07.568271536 +0100
141 len += sprintf(buffer + len, "[ASSURED] ");
142 len += sprintf(buffer + len, "use=%u ",
143 atomic_read(&conntrack->ct_general.use));
144 + #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
145 + len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
148 #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
149 if(conntrack->layer7.app_proto)
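Review bot: The new line at gutter 145 prints the mark with `%ld`, a signed conversion, while the rest of this patch handles the mark as `unsigned long` (the target declares `unsigned long newmark` and assigns it from `ct->mark`, and ipt_connmark.h declares `mark` and `mask` as `unsigned long`); if the conntrack field is declared the same way, which the ip_conntrack.h hunk does not show, a mark with the top bit set would appear as a negative number in /proc, so use `"mark=%lu "`. The `#if` at gutter 144 is indented with a leading space, unlike the `#if defined(CONFIG_IP_NF_MATCH_LAYER7)` directive just below it; put it in column 0 for consistency. The matching `#endif` is not shown in the hunk.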
150 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_CONNMARK.c
151 ===================================================================
152 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
153 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_CONNMARK.c 2007-12-15 05:20:07.568271536 +0100
155 +/* This kernel module is used to modify the connection mark values, or
156 + * to optionally restore the skb nfmark from the connection mark
158 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
159 + * by Henrik Nordstrom <hno@marasystems.com>
161 + * This program is free software; you can redistribute it and/or modify
162 + * it under the terms of the GNU General Public License as published by
163 + * the Free Software Foundation; either version 2 of the License, or
164 + * (at your option) any later version.
166 + * This program is distributed in the hope that it will be useful,
167 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
168 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
169 + * GNU General Public License for more details.
171 + * You should have received a copy of the GNU General Public License
172 + * along with this program; if not, write to the Free Software
173 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
175 +#include <linux/module.h>
176 +#include <linux/skbuff.h>
177 +#include <linux/ip.h>
178 +#include <net/checksum.h>
180 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
181 +MODULE_DESCRIPTION("IP tables CONNMARK matching module");
182 +MODULE_LICENSE("GPL");
184 +#include <linux/netfilter_ipv4/ip_tables.h>
185 +#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
186 +#include <linux/netfilter_ipv4/ip_conntrack.h>
189 +target(struct sk_buff **pskb,
190 + unsigned int hooknum,
191 + const struct net_device *in,
192 + const struct net_device *out,
193 + const void *targinfo,
196 + const struct ipt_connmark_target_info *markinfo = targinfo;
197 + unsigned long diff;
198 + unsigned long nfmark;
199 + unsigned long newmark;
201 + enum ip_conntrack_info ctinfo;
202 + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
204 + switch(markinfo->mode) {
205 + case IPT_CONNMARK_SET:
206 + newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
207 + if (newmark != ct->mark)
208 + ct->mark = newmark;
210 + case IPT_CONNMARK_SAVE:
211 + newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
212 + if (ct->mark != newmark)
213 + ct->mark = newmark;
215 + case IPT_CONNMARK_RESTORE:
216 + nfmark = (*pskb)->nfmark;
217 + diff = (ct->mark ^ nfmark & markinfo->mask);
219 + (*pskb)->nfmark = nfmark ^ diff;
220 + (*pskb)->nfcache |= NFC_ALTERED;
226 + return IPT_CONTINUE;
230 +checkentry(const char *tablename,
231 + const struct ipt_entry *e,
233 + unsigned int targinfosize,
234 + unsigned int hook_mask)
236 + struct ipt_connmark_target_info *matchinfo = targinfo;
237 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
238 + printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
240 + IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
244 + if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
245 + if (strcmp(tablename, "mangle") != 0) {
246 + printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
254 +static struct ipt_target ipt_connmark_reg = {
255 + .name = "CONNMARK",
257 + .checkentry = &checkentry,
261 +static int __init init(void)
263 + return ipt_register_target(&ipt_connmark_reg);
266 +static void __exit fini(void)
268 + ipt_unregister_target(&ipt_connmark_reg);
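Review bot: In the RESTORE case at gutter 217, `diff = (ct->mark ^ nfmark & markinfo->mask)` masks only `nfmark` because `&` binds tighter than `^`, so the following `nfmark ^ diff` copies the masked bits correctly but also XORs every bit of `ct->mark` outside the mask into the skb's nfmark, corrupting exactly the bits a partial mask was meant to leave alone. Write it as `diff = (ct->mark ^ nfmark) & markinfo->mask;`. checkentry (gutter 230 onward) validates only the size and, for RESTORE, the table; since `mode` comes from userspace, rejecting any value other than IPT_CONNMARK_SET, IPT_CONNMARK_SAVE and IPT_CONNMARK_RESTORE there would turn a malformed rule into a load-time error instead of a silent no-op inside target. The target info is called `matchinfo` at gutter 236 but `markinfo` in target, and the MODULE_DESCRIPTION at gutter 181 says "matching module" for what is a target; both are worth tidying. The `if (ct)` guard, the `break` statements and the end of the switch fall in lines not shown in the hunk.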
273 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_connmark.c
274 ===================================================================
275 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
276 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_connmark.c 2007-12-15 05:20:07.572271763 +0100
278 +/* This kernel module matches connection mark values set by the
281 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
282 + * by Henrik Nordstrom <hno@marasystems.com>
284 + * This program is free software; you can redistribute it and/or modify
285 + * it under the terms of the GNU General Public License as published by
286 + * the Free Software Foundation; either version 2 of the License, or
287 + * (at your option) any later version.
289 + * This program is distributed in the hope that it will be useful,
290 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
291 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
292 + * GNU General Public License for more details.
294 + * You should have received a copy of the GNU General Public License
295 + * along with this program; if not, write to the Free Software
296 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
299 +#include <linux/module.h>
300 +#include <linux/skbuff.h>
302 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
303 +MODULE_DESCRIPTION("IP tables connmark match module");
304 +MODULE_LICENSE("GPL");
306 +#include <linux/netfilter_ipv4/ip_tables.h>
307 +#include <linux/netfilter_ipv4/ipt_connmark.h>
308 +#include <linux/netfilter_ipv4/ip_conntrack.h>
311 +match(const struct sk_buff *skb,
312 + const struct net_device *in,
313 + const struct net_device *out,
314 + const void *matchinfo,
320 + const struct ipt_connmark_info *info = matchinfo;
321 + enum ip_conntrack_info ctinfo;
322 + struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
326 + return ((ct->mark & info->mask) == info->mark) ^ info->invert;
330 +checkentry(const char *tablename,
331 + const struct ipt_ip *ip,
333 + unsigned int matchsize,
334 + unsigned int hook_mask)
336 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
342 +static struct ipt_match connmark_match = {
343 + .name = "connmark",
345 + .checkentry = &checkentry,
349 +static int __init init(void)
351 + return ipt_register_match(&connmark_match);
354 +static void __exit fini(void)
356 + ipt_unregister_match(&connmark_match);
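Review bot: checkentry at gutter 330 validates only matchsize, while match at gutter 326 uses `info->invert` as a plain XOR operand on the comparison result; any value other than 0 or 1 makes `((ct->mark & info->mask) == info->mark) ^ info->invert` non-zero whatever the mark is, so a rule with a malformed invert field would match every packet. Reject it at load time after the size check, e.g. `if (info->invert != 0 && info->invert != 1) return 0;`, or normalise it in match with `!!info->invert`. The type of `invert` is not visible here (the header hunk cuts off the field list), so adapt the comparison to it. The `(struct sk_buff *)skb` cast at gutter 322 drops the parameter's const; a one-line comment noting that ip_conntrack_get takes a non-const pointer would stop the next reader from "fixing" it. The lines between gutter 322 and 326, where a NULL check on `ct` would sit, are not shown in the hunk.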