1 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
2 ===================================================================
3 --- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h
4 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
5 @@ -226,6 +226,9 @@ struct ip_conntrack
6 unsigned int app_data_len;
7 } layer7;
8 #endif
9 +#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
10 + unsigned long mark;
11 +#endif
12 };
13
14 /* get master conntrack via master expectation */
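Review bot: The new `mark` field changes `sizeof(struct ip_conntrack)` whenever CONFIG_IP_NF_CONNTRACK_MARK is set, so every module that embeds or dereferences the structure (the protocol helpers, ipt_conntrack, the layer7 match visible just above) must be built against the same configuration or it will read the wrong offsets. A comment on the field would tell the next reader what the value means and who owns it, e.g. `unsigned long mark; /* policy mark: written by the CONNMARK target, read by the connmark match */`. struct ip_conntrack begins before the hunk.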
15 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_CONNMARK.h
16 ===================================================================
17 --- /dev/null
18 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_CONNMARK.h
19 @@ -0,0 +1,25 @@
20 +#ifndef _IPT_CONNMARK_H_target
21 +#define _IPT_CONNMARK_H_target
22 +
23 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
24 + * by Henrik Nordstrom <hno@marasystems.com>
25 + *
26 + * This program is free software; you can redistribute it and/or modify
27 + * it under the terms of the GNU General Public License as published by
28 + * the Free Software Foundation; either version 2 of the License, or
29 + * (at your option) any later version.
30 + */
31 +
32 +enum {
33 + IPT_CONNMARK_SET = 0,
34 + IPT_CONNMARK_SAVE,
35 + IPT_CONNMARK_RESTORE
36 +};
37 +
38 +struct ipt_connmark_target_info {
39 + unsigned long mark;
40 + unsigned long mask;
41 + u_int8_t mode;
42 +};
43 +
44 +#endif /*_IPT_CONNMARK_H_target*/
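Review bot: `struct ipt_connmark_target_info` is presumably the blob iptables hands to the kernel for each rule, yet the header does not state the contract the module depends on: `mode` must be one of the three enum values, and `IPT_CONNMARK_RESTORE` is only accepted in the mangle table (the checkentry in ipt_CONNMARK.c enforces the latter). Suggest `u_int8_t mode; /* IPT_CONNMARK_SET, _SAVE or _RESTORE; RESTORE is only valid in the mangle table */`. Since `mark` and `mask` are `unsigned long`, the structure size differs between 32- and 64-bit userspace and kernel; the size check in checkentry will reject such a mismatch rather than misread it, which is worth a line in the header too.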
45 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_connmark.h
46 ===================================================================
47 --- /dev/null
48 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_connmark.h
49 @@ -0,0 +1,18 @@
50 +#ifndef _IPT_CONNMARK_H
51 +#define _IPT_CONNMARK_H
52 +
53 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
54 + * by Henrik Nordstrom <hno@marasystems.com>
55 + *
56 + * This program is free software; you can redistribute it and/or modify
57 + * it under the terms of the GNU General Public License as published by
58 + * the Free Software Foundation; either version 2 of the License, or
59 + * (at your option) any later version.
60 + */
61 +
62 +struct ipt_connmark_info {
63 + unsigned long mark, mask;
64 + u_int8_t invert;
65 +};
66 +
67 +#endif /*_IPT_CONNMARK_H*/
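Review bot: The header gives no valid range for `invert` and no relation between `mark` and `mask`, although the match module XORs its comparison result with `invert` directly and compares `ct->mark & mask` against `mark`, so a rule with `invert` outside 0/1 or with `mark` bits outside `mask` behaves unexpectedly. Suggest `u_int8_t invert; /* 0 or 1: the match result is XORed with this */` and a note that `mark` must be a subset of `mask` for the rule to ever match.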
68 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
69 ===================================================================
70 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in
71 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in
72 @@ -6,7 +6,8 @@ comment ' IP: Netfilter Configuration'
73
74 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
75 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
76 - dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
77 + bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
78 + dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACKa
79 dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
80 dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
81 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
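Review bot: The line `dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACKa` now references an undefined variable because of the stray trailing `a`, so the FTP helper silently loses its dependency on connection tracking (an unquoted empty expansion passes no dependency argument at all, which lets CONFIG_IP_NF_FTP be built in while conntrack is a module). The hunk only meant to insert the new `bool` line above it; restore the original `dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK`.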
82 @@ -42,6 +43,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
83 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
84 dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
85 dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
86 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
87 + dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
88 + fi
89 fi
90 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
91 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
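Review bot: The new CONNMARK match line lists only `$CONFIG_IP_NF_IPTABLES` as a dependency while the two state/conntrack lines directly above also pass `$CONFIG_IP_NF_CONNTRACK`; ipt_connmark.o calls `ip_conntrack_get()` and reads `ct->mark`, so with conntrack built as a module and the match built in, the kernel cannot resolve those symbols. Make it `dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES`. The surrounding `if` only tests the `bool`, which does not carry the y/m distinction.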
92 @@ -125,6 +129,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
93
94 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
95 fi
96 + if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
97 + dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
98 + fi
99 dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
100 dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
101 dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
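Review bot: The CONNMARK target has the same dependency gap as the match: `CONFIG_IP_NF_TARGET_CONNMARK` depends only on `$CONFIG_IP_NF_IPTABLES`, yet ipt_CONNMARK.c calls `ip_conntrack_get()` and writes `ct->mark`, so a built-in target with a modular conntrack will not link. Use `dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES`. Because checkentry only allows the restore mode from the mangle table, consider whether this belongs under the `$CONFIG_IP_NF_MANGLE` block like the MARK target just above, although SET and SAVE work in any table.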
102 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
103 ===================================================================
104 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile
105 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile
106 @@ -93,6 +93,7 @@ obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_
107
108 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
109 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
110 +obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
111 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
112 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
113 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
114 @@ -110,6 +111,7 @@ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += i
115 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
116 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
117 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
118 +obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
119 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
120 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
121 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
122 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
123 ===================================================================
124 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c
125 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
126 @@ -754,6 +754,9 @@ init_conntrack(const struct ip_conntrack
127 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
128 conntrack->master = expected;
129 expected->sibling = conntrack;
130 +#ifdef CONFIG_IP_NF_CONNTRACK_MARK
131 + conntrack->mark = expected->expectant->mark;
132 +#endif
133 LIST_DELETE(&ip_conntrack_expect_list, expected);
134 expected->expectant->expecting--;
135 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
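Review bot: The mark is copied from the master only on the expected-connection path; a conntrack created without an expectation keeps whatever the allocator left in `mark`, so this relies on init_conntrack zeroing the freshly allocated structure before reaching this branch — that code is outside the hunk, so confirm it does, otherwise the connmark match compares uninitialised memory. A one-line comment `/* related connections inherit the policy mark of their master */` would document the intent, and using `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)` here would match the guard used in ip_conntrack.h. init_conntrack begins before the hunk.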
136 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
137 ===================================================================
138 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c
139 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
140 @@ -107,6 +107,9 @@ print_conntrack(char *buffer, struct ip_
141 len += sprintf(buffer + len, "[ASSURED] ");
142 len += sprintf(buffer + len, "use=%u ",
143 atomic_read(&conntrack->ct_general.use));
144 + #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
145 + len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
146 + #endif
147
148 #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
149 if(conntrack->layer7.app_proto)
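Review bot: `"mark=%ld "` prints an `unsigned long` with a signed conversion, so any mark with the top bit set shows up negative in /proc/net/ip_conntrack; use `len += sprintf(buffer + len, "mark=%lu ", conntrack->mark);`. The indented `#if`/`#endif` also differs from the column-0 preprocessor style of the layer7 guard four lines below. Whether the /proc line buffer was sized with this extra field in mind cannot be judged from this hunk. print_conntrack begins before the hunk.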
150 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_CONNMARK.c
151 ===================================================================
152 --- /dev/null
153 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_CONNMARK.c
154 @@ -0,0 +1,118 @@
155 +/* This kernel module is used to modify the connection mark values, or
156 + * to optionally restore the skb nfmark from the connection mark
157 + *
158 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
159 + * by Henrik Nordstrom <hno@marasystems.com>
160 + *
161 + * This program is free software; you can redistribute it and/or modify
162 + * it under the terms of the GNU General Public License as published by
163 + * the Free Software Foundation; either version 2 of the License, or
164 + * (at your option) any later version.
165 + *
166 + * This program is distributed in the hope that it will be useful,
167 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
168 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
169 + * GNU General Public License for more details.
170 + *
171 + * You should have received a copy of the GNU General Public License
172 + * along with this program; if not, write to the Free Software
173 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
174 + */
175 +#include <linux/module.h>
176 +#include <linux/skbuff.h>
177 +#include <linux/ip.h>
178 +#include <net/checksum.h>
179 +
180 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
181 +MODULE_DESCRIPTION("IP tables CONNMARK matching module");
182 +MODULE_LICENSE("GPL");
183 +
184 +#include <linux/netfilter_ipv4/ip_tables.h>
185 +#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
186 +#include <linux/netfilter_ipv4/ip_conntrack.h>
187 +
188 +static unsigned int
189 +target(struct sk_buff **pskb,
190 + unsigned int hooknum,
191 + const struct net_device *in,
192 + const struct net_device *out,
193 + const void *targinfo,
194 + void *userinfo)
195 +{
196 + const struct ipt_connmark_target_info *markinfo = targinfo;
197 + unsigned long diff;
198 + unsigned long nfmark;
199 + unsigned long newmark;
200 +
201 + enum ip_conntrack_info ctinfo;
202 + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
203 + if (ct) {
204 + switch(markinfo->mode) {
205 + case IPT_CONNMARK_SET:
206 + newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
207 + if (newmark != ct->mark)
208 + ct->mark = newmark;
209 + break;
210 + case IPT_CONNMARK_SAVE:
211 + newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
212 + if (ct->mark != newmark)
213 + ct->mark = newmark;
214 + break;
215 + case IPT_CONNMARK_RESTORE:
216 + nfmark = (*pskb)->nfmark;
217 + diff = (ct->mark ^ nfmark & markinfo->mask);
218 + if (diff != 0) {
219 + (*pskb)->nfmark = nfmark ^ diff;
220 + (*pskb)->nfcache |= NFC_ALTERED;
221 + }
222 + break;
223 + }
224 + }
225 +
226 + return IPT_CONTINUE;
227 +}
228 +
229 +static int
230 +checkentry(const char *tablename,
231 + const struct ipt_entry *e,
232 + void *targinfo,
233 + unsigned int targinfosize,
234 + unsigned int hook_mask)
235 +{
236 + struct ipt_connmark_target_info *matchinfo = targinfo;
237 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
238 + printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
239 + targinfosize,
240 + IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
241 + return 0;
242 + }
243 +
244 + if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
245 + if (strcmp(tablename, "mangle") != 0) {
246 + printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
247 + return 0;
248 + }
249 + }
250 +
251 + return 1;
252 +}
253 +
254 +static struct ipt_target ipt_connmark_reg = {
255 + .name = "CONNMARK",
256 + .target = &target,
257 + .checkentry = &checkentry,
258 + .me = THIS_MODULE
259 +};
260 +
261 +static int __init init(void)
262 +{
263 + return ipt_register_target(&ipt_connmark_reg);
264 +}
265 +
266 +static void __exit fini(void)
267 +{
268 + ipt_unregister_target(&ipt_connmark_reg);
269 +}
270 +
271 +module_init(init);
272 +module_exit(fini);
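Review bot: In the RESTORE case `diff = (ct->mark ^ nfmark & markinfo->mask);` parses as `ct->mark ^ (nfmark & mask)` because `&` binds tighter than `^`, so connection-mark bits outside the mask are XORed into the packet's nfmark — `--restore-mark --mask` does not confine the restore to the masked bits, and any policy routing or QoS keyed on fwmark sees the whole connmark. It should read `diff = (ct->mark ^ nfmark) & markinfo->mask;`, which is the masking SET and SAVE already do. checkentry also accepts any `mode`: a value outside the enum reaches a `switch` with no `default` and the rule silently does nothing, so add `if (matchinfo->mode > IPT_CONNMARK_RESTORE) return 0;` next to the size check. `ct->mark` is read-modify-written here without any lock, which on SMP lets two packets of one flow interleave SET/SAVE updates; that may be acceptable for a mark but deserves a comment. MODULE_DESCRIPTION calls this the "matching module" although it is the target.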
273 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_connmark.c
274 ===================================================================
275 --- /dev/null
276 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_connmark.c
277 @@ -0,0 +1,83 @@
278 +/* This kernel module matches connection mark values set by the
279 + * CONNMARK target
280 + *
281 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
282 + * by Henrik Nordstrom <hno@marasystems.com>
283 + *
284 + * This program is free software; you can redistribute it and/or modify
285 + * it under the terms of the GNU General Public License as published by
286 + * the Free Software Foundation; either version 2 of the License, or
287 + * (at your option) any later version.
288 + *
289 + * This program is distributed in the hope that it will be useful,
290 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
291 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
292 + * GNU General Public License for more details.
293 + *
294 + * You should have received a copy of the GNU General Public License
295 + * along with this program; if not, write to the Free Software
296 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
297 + */
298 +
299 +#include <linux/module.h>
300 +#include <linux/skbuff.h>
301 +
302 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
303 +MODULE_DESCRIPTION("IP tables connmark match module");
304 +MODULE_LICENSE("GPL");
305 +
306 +#include <linux/netfilter_ipv4/ip_tables.h>
307 +#include <linux/netfilter_ipv4/ipt_connmark.h>
308 +#include <linux/netfilter_ipv4/ip_conntrack.h>
309 +
310 +static int
311 +match(const struct sk_buff *skb,
312 + const struct net_device *in,
313 + const struct net_device *out,
314 + const void *matchinfo,
315 + int offset,
316 + const void *hdr,
317 + u_int16_t datalen,
318 + int *hotdrop)
319 +{
320 + const struct ipt_connmark_info *info = matchinfo;
321 + enum ip_conntrack_info ctinfo;
322 + struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
323 + if (!ct)
324 + return 0;
325 +
326 + return ((ct->mark & info->mask) == info->mark) ^ info->invert;
327 +}
328 +
329 +static int
330 +checkentry(const char *tablename,
331 + const struct ipt_ip *ip,
332 + void *matchinfo,
333 + unsigned int matchsize,
334 + unsigned int hook_mask)
335 +{
336 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
337 + return 0;
338 +
339 + return 1;
340 +}
341 +
342 +static struct ipt_match connmark_match = {
343 + .name = "connmark",
344 + .match = &match,
345 + .checkentry = &checkentry,
346 + .me = THIS_MODULE
347 +};
348 +
349 +static int __init init(void)
350 +{
351 + return ipt_register_match(&connmark_match);
352 +}
353 +
354 +static void __exit fini(void)
355 +{
356 + ipt_unregister_match(&connmark_match);
357 +}
358 +
359 +module_init(init);
360 +module_exit(fini);
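Review bot: `return ((ct->mark & info->mask) == info->mark) ^ info->invert;` XORs a 0/1 comparison with the raw `invert` byte, so any value other than 0 or 1 makes the result nonzero for both outcomes and the rule matches every tracked packet; checkentry should reject it with `if (info->invert > 1) return 0;`. Likewise a `mark` with bits outside `mask` can never match, so rejecting (or at least printk-warning about) `info->mark & ~info->mask` in checkentry turns a silently dead rule into a load-time error. The `(struct sk_buff *)` cast discards the `const` on `skb`; if `ip_conntrack_get()` really needs a non-const pointer in this tree, a short comment saying so would stop readers from treating it as a mistake.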