Commit 37fccd85 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller

[NETFILTER]: ctnetlink: add support for secmark

This patch adds support for James Morris' connsecmark.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0f417ce9
...@@ -133,6 +133,10 @@ enum ip_conntrack_events ...@@ -133,6 +133,10 @@ enum ip_conntrack_events
/* NAT sequence adjustment */ /* NAT sequence adjustment */
IPCT_NATSEQADJ_BIT = 13, IPCT_NATSEQADJ_BIT = 13,
IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
/* Secmark is set */
IPCT_SECMARK_BIT = 14,
IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
}; };
enum ip_conntrack_expect_events { enum ip_conntrack_expect_events {
......
...@@ -39,6 +39,7 @@ enum ctattr_type { ...@@ -39,6 +39,7 @@ enum ctattr_type {
CTA_TUPLE_MASTER, CTA_TUPLE_MASTER,
CTA_NAT_SEQ_ADJ_ORIG, CTA_NAT_SEQ_ADJ_ORIG,
CTA_NAT_SEQ_ADJ_REPLY, CTA_NAT_SEQ_ADJ_REPLY,
CTA_SECMARK,
__CTA_MAX __CTA_MAX
}; };
#define CTA_MAX (__CTA_MAX - 1) #define CTA_MAX (__CTA_MAX - 1)
......
...@@ -254,6 +254,22 @@ nla_put_failure: ...@@ -254,6 +254,22 @@ nla_put_failure:
#define ctnetlink_dump_mark(a, b) (0) #define ctnetlink_dump_mark(a, b) (0)
#endif #endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
static inline int
ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
{
__be32 mark = htonl(ct->secmark);
NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark);
return 0;
nla_put_failure:
return -1;
}
#else
#define ctnetlink_dump_secmark(a, b) (0)
#endif
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
static inline int static inline int
...@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, ...@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
ctnetlink_dump_protoinfo(skb, ct) < 0 || ctnetlink_dump_protoinfo(skb, ct) < 0 ||
ctnetlink_dump_helpinfo(skb, ct) < 0 || ctnetlink_dump_helpinfo(skb, ct) < 0 ||
ctnetlink_dump_mark(skb, ct) < 0 || ctnetlink_dump_mark(skb, ct) < 0 ||
ctnetlink_dump_secmark(skb, ct) < 0 ||
ctnetlink_dump_id(skb, ct) < 0 || ctnetlink_dump_id(skb, ct) < 0 ||
ctnetlink_dump_use(skb, ct) < 0 || ctnetlink_dump_use(skb, ct) < 0 ||
ctnetlink_dump_master(skb, ct) < 0 || ctnetlink_dump_master(skb, ct) < 0 ||
...@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, ...@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
&& ctnetlink_dump_mark(skb, ct) < 0) && ctnetlink_dump_mark(skb, ct) < 0)
goto nla_put_failure; goto nla_put_failure;
#endif #endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if ((events & IPCT_SECMARK || ct->secmark)
&& ctnetlink_dump_secmark(skb, ct) < 0)
goto nla_put_failure;
#endif
if (events & IPCT_COUNTER_FILLING && if (events & IPCT_COUNTER_FILLING &&
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNSECMARK.h> #include <linux/netfilter/xt_CONNSECMARK.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#define PFX "CONNSECMARK: " #define PFX "CONNSECMARK: "
...@@ -40,8 +41,10 @@ static void secmark_save(const struct sk_buff *skb) ...@@ -40,8 +41,10 @@ static void secmark_save(const struct sk_buff *skb)
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo); ct = nf_ct_get(skb, &ctinfo);
if (ct && !ct->secmark) if (ct && !ct->secmark) {
ct->secmark = skb->secmark; ct->secmark = skb->secmark;
nf_conntrack_event_cache(IPCT_SECMARK, skb);
}
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment