patches/607-netfilter_connmark: fix typo
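--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -226,6 +226,9 @@ struct ip_conntrack
 unsigned int app_data_len;
 } layer7;
 #endif
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+ unsigned long mark;
+#endif
 };
 
 /* get master conntrack via master expectation */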
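Review bot: The new `mark` field carries no comment saying what it holds or who writes it, and its readers elsewhere in this patch (`ipt_connmark.c` and `ipt_CONNMARK.c`) dereference `ct->mark` without any `#ifdef`, so they compile only when `CONFIG_IP_NF_CONNTRACK_MARK` is set — the Config.in gating in this same patch is what keeps that consistent. I would add `/* connection mark: set/saved by the CONNMARK target, tested by the connmark match */` above the field. The guard here is spelled `#if defined(...)` while ip_conntrack_core.c uses `#ifdef`; both work, but one spelling would be easier to grep for. struct ip_conntrack starts before this hunk.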
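--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+ IPT_CONNMARK_SET = 0,
+ IPT_CONNMARK_SAVE,
+ IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+ unsigned long mark;
+ unsigned long mask;
+ u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/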
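Review bot: The three mode values are undocumented, and `mode` is the byte userspace passes to select the target's behaviour, so a reader of this header has to open ipt_CONNMARK.c to learn what each one does. I would comment them from what the target actually computes: `IPT_CONNMARK_SET = 0, /* ct->mark = (ct->mark & ~mask) | mark */`, `IPT_CONNMARK_SAVE, /* ct->mark = (ct->mark & ~mask) | (skb->nfmark & mask) */`, `IPT_CONNMARK_RESTORE /* copy ct->mark into skb->nfmark under mask; mangle table only */`.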
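--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_connmark.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/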
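Review bot: `invert` is undocumented, and the match in ipt_connmark.c XORs it directly with the comparison result, so only the values 0 and 1 are meaningful; the header should say so, e.g. `u_int8_t invert; /* 0 or 1: negate the result of (ct->mark & mask) == mark */`. Packing `mark, mask` into one declaration also differs from the one-declaration-per-line style of the sibling ipt_CONNMARK.h in this same patch.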
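--- a/net/ipv4/netfilter/Config.in
+++ b/net/ipv4/netfilter/Config.in
@@ -6,7 +6,8 @@ comment ' IP: Netfilter Configuration'
 
 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
+ bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
 dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
 dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
 dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
@@ -42,6 +43,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
 dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
 dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
+ fi
 fi
 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
@@ -126,6 +130,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
 dep_tristate ' CLASSIFY target support (EXPERIMENTAL)' CONFIG_IP_NF_TARGET_CLASSIFY $CONFIG_IP_NF_MANGLE
 fi
+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
+ fi
 dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
 dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
 dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES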
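Review bot: Both new `dep_tristate` lines (the connmark match in the second hunk and the CONNMARK target in the third) list only `$CONFIG_IP_NF_IPTABLES` as a dependency, whereas the neighbouring `CONFIG_IP_NF_MATCH_STATE` and `CONFIG_IP_NF_MATCH_CONNTRACK` entries also name `$CONFIG_IP_NF_CONNTRACK`. Without it the configurator permits the match or target to be built in (=y) while connection tracking is a module (=m), and both new sources in this patch call `ip_conntrack_get()`, which would then live only in the module. I would write `dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES` and `dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES`.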
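--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -93,6 +93,7 @@ obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -111,6 +112,7 @@ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += i
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o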
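--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -754,6 +754,9 @@ init_conntrack(const struct ip_conntrack
 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
 conntrack->master = expected;
 expected->sibling = conntrack;
+#ifdef CONFIG_IP_NF_CONNTRACK_MARK
+ conntrack->mark = expected->expectant->mark;
+#endif
 LIST_DELETE(&ip_conntrack_expect_list, expected);
 expected->expectant->expecting--;
 nf_conntrack_get(&master_ct(conntrack)->infos[0]);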
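Review bot: The added assignment initialises `mark` only on the expected-connection path; the branch that creates an unexpected conntrack is outside this hunk, so whether a fresh connection starts with `mark == 0` depends on the allocation being zeroed somewhere I cannot see here — worth confirming, since the connmark match added by this patch compares the field unconditionally. A one-line why-comment would help the next reader: `/* inherit the connection mark of the connection that expected us */`. init_conntrack starts and ends outside the hunk.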
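--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -107,6 +107,9 @@ print_conntrack(char *buffer, struct ip_
 len += sprintf(buffer + len, "[ASSURED] ");
 len += sprintf(buffer + len, "use=%u ",
 atomic_read(&conntrack->ct_general.use));
+ #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+ len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
+ #endif
 
 #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
 if(conntrack->layer7.app_proto)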
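Review bot: `mark` is declared `unsigned long` in the ip_conntrack.h hunk of this patch, but the added line prints it with `%ld`, so a mark with the top bit set shows up as a negative number in /proc; the line should read `len += sprintf(buffer + len, "mark=%lu ", conntrack->mark);`. The `#if`/`#endif` pair is also indented, unlike the `#if defined(CONFIG_IP_NF_MATCH_LAYER7)` block directly below it; keeping preprocessor directives at column 0 matches the surrounding file. print_conntrack continues outside the hunk.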
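--- /dev/null
+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
@@ -0,0 +1,118 @@
+/* This kernel module is used to modify the connection mark values, or
+ * to optionally restore the skb nfmark from the connection mark
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *targinfo,
+ void *userinfo)
+{
+ const struct ipt_connmark_target_info *markinfo = targinfo;
+ unsigned long diff;
+ unsigned long nfmark;
+ unsigned long newmark;
+
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+ if (ct) {
+ switch(markinfo->mode) {
+ case IPT_CONNMARK_SET:
+ newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
+ if (newmark != ct->mark)
+ ct->mark = newmark;
+ break;
+ case IPT_CONNMARK_SAVE:
+ newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
+ if (ct->mark != newmark)
+ ct->mark = newmark;
+ break;
+ case IPT_CONNMARK_RESTORE:
+ nfmark = (*pskb)->nfmark;
+ diff = (ct->mark ^ nfmark & markinfo->mask);
+ if (diff != 0) {
+ (*pskb)->nfmark = nfmark ^ diff;
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ break;
+ }
+ }
+
+ return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ struct ipt_connmark_target_info *matchinfo = targinfo;
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
+ printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
+ targinfosize,
+ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
+ return 0;
+ }
+
+ if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
+ if (strcmp(tablename, "mangle") != 0) {
+ printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static struct ipt_target ipt_connmark_reg = {
+ .name = "CONNMARK",
+ .target = &target,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ipt_register_target(&ipt_connmark_reg);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_target(&ipt_connmark_reg);
+}
+
+module_init(init);
+module_exit(fini);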
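Review bot: In the `IPT_CONNMARK_RESTORE` case, `diff = (ct->mark ^ nfmark & markinfo->mask);` parses as `ct->mark ^ (nfmark & mask)` because `&` binds tighter than `^`, so bits of `ct->mark` that lie outside the mask are XORed into `nfmark` as well — invisible with an all-ones mask, but any partial mask writes corrupted bits into the skb. The intended expression is `diff = (ct->mark ^ nfmark) & markinfo->mask;`. Separately, `mode` arrives from userspace and checkentry only validates the size, so an out-of-range value is accepted and then silently does nothing in a `switch` with no `default`; rejecting it at rule load with `if (matchinfo->mode > IPT_CONNMARK_RESTORE) return 0;` keeps a rule from being installed with no defined meaning. The MODULE_DESCRIPTION string also describes this target as a "matching module".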
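--- /dev/null
+++ b/net/ipv4/netfilter/ipt_connmark.c
@@ -0,0 +1,83 @@
+/* This kernel module matches connection mark values set by the
+ * CONNMARK target
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connmark.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_connmark_info *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+ if (!ct)
+ return 0;
+
+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match connmark_match = {
+ .name = "connmark",
+ .match = &match,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ipt_register_match(&connmark_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&connmark_match);
+}
+
+module_init(init);
+module_exit(fini);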
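Review bot: `match()` returns `(...) ^ info->invert`, but `invert` is a byte supplied by userspace and checkentry validates only the size, so any value other than 0 or 1 produces a result that is neither the true nor the false iptables expects. I would reject it at rule load: `const struct ipt_connmark_info *info = matchinfo;` / `if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)) || info->invert > 1)` / `return 0;`. The `(struct sk_buff *)skb` cast discards the parameter's const to satisfy `ip_conntrack_get()`; a one-line comment saying why the cast is needed would save the next reader a check.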