Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
b8f00ba2
Commit
b8f00ba2
authored
Feb 26, 2010
by
Jan Engelhardt
Committed by
Patrick McHardy
Mar 17, 2010
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
netfilter: xtables: merge xt_CONNMARK into xt_connmark
Signed-off-by:
Jan Engelhardt
<
jengelh@medozas.de
>
parent
28b94988
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
116 additions
and
156 deletions
+116
-156
include/linux/netfilter/xt_CONNMARK.h
include/linux/netfilter/xt_CONNMARK.h
+1
-21
include/linux/netfilter/xt_connmark.h
include/linux/netfilter/xt_connmark.h
+11
-0
net/netfilter/Kconfig
net/netfilter/Kconfig
+22
-17
net/netfilter/Makefile
net/netfilter/Makefile
+1
-2
net/netfilter/xt_CONNMARK.c
net/netfilter/xt_CONNMARK.c
+0
-113
net/netfilter/xt_connmark.c
net/netfilter/xt_connmark.c
+81
-3
No files found.
include/linux/netfilter/xt_CONNMARK.h
View file @
b8f00ba2
#ifndef _XT_CONNMARK_H_target
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
#include <linux/types.h>
#include <linux/netfilter/xt_connmark.h>
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
enum
{
XT_CONNMARK_SET
=
0
,
XT_CONNMARK_SAVE
,
XT_CONNMARK_RESTORE
};
struct
xt_connmark_tginfo1
{
__u32
ctmark
,
ctmask
,
nfmask
;
__u8
mode
;
};
#endif
/*_XT_CONNMARK_H_target*/
#endif
/*_XT_CONNMARK_H_target*/
include/linux/netfilter/xt_connmark.h
View file @
b8f00ba2
...
@@ -12,6 +12,17 @@
...
@@ -12,6 +12,17 @@
* (at your option) any later version.
* (at your option) any later version.
*/
*/
enum
{
XT_CONNMARK_SET
=
0
,
XT_CONNMARK_SAVE
,
XT_CONNMARK_RESTORE
};
struct
xt_connmark_tginfo1
{
__u32
ctmark
,
ctmask
,
nfmask
;
__u8
mode
;
};
struct
xt_connmark_mtinfo1
{
struct
xt_connmark_mtinfo1
{
__u32
mark
,
mask
;
__u32
mark
,
mask
;
__u8
invert
;
__u8
invert
;
...
...
net/netfilter/Kconfig
View file @
b8f00ba2
...
@@ -331,6 +331,18 @@ config NETFILTER_XT_MARK
...
@@ -331,6 +331,18 @@ config NETFILTER_XT_MARK
"Use netfilter MARK value as routing key") and can also be used by
"Use netfilter MARK value as routing key") and can also be used by
other subsystems to change their behavior.
other subsystems to change their behavior.
config NETFILTER_XT_CONNMARK
tristate 'ctmark target and match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
---help---
This option adds the "CONNMARK" target and "connmark" match.
Netfilter allows you to store a mark value per connection (a.k.a.
ctmark), similarly to the packet mark (nfmark). Using this
target and match, you can set and match on this mark.
# alphabetically ordered list of targets
# alphabetically ordered list of targets
comment "Xtables targets"
comment "Xtables targets"
...
@@ -351,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK
...
@@ -351,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK
tristate '"CONNMARK" target support'
tristate '"CONNMARK" target support'
depends on NF_CONNTRACK
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
select NETFILTER_XT_CONNMARK
help
---help---
This option adds a `CONNMARK' target, which allows one to manipulate
This is a backwards-compat option for the user's convenience
the connection mark value. Similar to the MARK target, but
(e.g. when running oldconfig). It selects
affects the connection mark value rather than the packet mark value.
CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_CONNMARK. If unsure, say `N'.
config NETFILTER_XT_TARGET_CONNSECMARK
config NETFILTER_XT_TARGET_CONNSECMARK
tristate '"CONNSECMARK" target support'
tristate '"CONNSECMARK" target support'
...
@@ -621,14 +629,11 @@ config NETFILTER_XT_MATCH_CONNMARK
...
@@ -621,14 +629,11 @@ config NETFILTER_XT_MATCH_CONNMARK
tristate '"connmark" connection mark match support'
tristate '"connmark" connection mark match support'
depends on NF_CONNTRACK
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
select NETFILTER_XT_CONNMARK
help
---help---
This option adds a `connmark' match, which allows you to match the
This is a backwards-compat option for the user's convenience
connection mark value previously set for the session by `CONNMARK'.
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_connmark. If unsure, say `N'.
config NETFILTER_XT_MATCH_CONNTRACK
config NETFILTER_XT_MATCH_CONNTRACK
tristate '"conntrack" connection tracking match support'
tristate '"conntrack" connection tracking match support'
...
...
net/netfilter/Makefile
View file @
b8f00ba2
...
@@ -42,10 +42,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
...
@@ -42,10 +42,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
# combos
# combos
obj-$(CONFIG_NETFILTER_XT_MARK)
+=
xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MARK)
+=
xt_mark.o
obj-$(CONFIG_NETFILTER_XT_CONNMARK)
+=
xt_connmark.o
# targets
# targets
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY)
+=
xt_CLASSIFY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY)
+=
xt_CLASSIFY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK)
+=
xt_CONNMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK)
+=
xt_CONNSECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK)
+=
xt_CONNSECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CT)
+=
xt_CT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CT)
+=
xt_CT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP)
+=
xt_DSCP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP)
+=
xt_DSCP.o
...
@@ -66,7 +66,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
...
@@ -66,7 +66,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT)
+=
xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT)
+=
xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES)
+=
xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES)
+=
xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT)
+=
xt_connlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT)
+=
xt_connlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK)
+=
xt_connmark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
+=
xt_conntrack.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
+=
xt_conntrack.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP)
+=
xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP)
+=
xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP)
+=
xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP)
+=
xt_dscp.o
...
...
net/netfilter/xt_CONNMARK.c
deleted
100644 → 0
View file @
28b94988
/*
* xt_CONNMARK - Netfilter module to modify the connection mark values
*
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
* Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/checksum.h>
MODULE_AUTHOR
(
"Henrik Nordstrom <hno@marasystems.com>"
);
MODULE_DESCRIPTION
(
"Xtables: connection mark modification"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_ALIAS
(
"ipt_CONNMARK"
);
MODULE_ALIAS
(
"ip6t_CONNMARK"
);
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNMARK.h>
#include <net/netfilter/nf_conntrack_ecache.h>
static
unsigned
int
connmark_tg
(
struct
sk_buff
*
skb
,
const
struct
xt_target_param
*
par
)
{
const
struct
xt_connmark_tginfo1
*
info
=
par
->
targinfo
;
enum
ip_conntrack_info
ctinfo
;
struct
nf_conn
*
ct
;
u_int32_t
newmark
;
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
ct
==
NULL
)
return
XT_CONTINUE
;
switch
(
info
->
mode
)
{
case
XT_CONNMARK_SET
:
newmark
=
(
ct
->
mark
&
~
info
->
ctmask
)
^
info
->
ctmark
;
if
(
ct
->
mark
!=
newmark
)
{
ct
->
mark
=
newmark
;
nf_conntrack_event_cache
(
IPCT_MARK
,
ct
);
}
break
;
case
XT_CONNMARK_SAVE
:
newmark
=
(
ct
->
mark
&
~
info
->
ctmask
)
^
(
skb
->
mark
&
info
->
nfmask
);
if
(
ct
->
mark
!=
newmark
)
{
ct
->
mark
=
newmark
;
nf_conntrack_event_cache
(
IPCT_MARK
,
ct
);
}
break
;
case
XT_CONNMARK_RESTORE
:
newmark
=
(
skb
->
mark
&
~
info
->
nfmask
)
^
(
ct
->
mark
&
info
->
ctmask
);
skb
->
mark
=
newmark
;
break
;
}
return
XT_CONTINUE
;
}
static
bool
connmark_tg_check
(
const
struct
xt_tgchk_param
*
par
)
{
if
(
nf_ct_l3proto_try_module_get
(
par
->
family
)
<
0
)
{
printk
(
KERN_WARNING
"cannot load conntrack support for "
"proto=%u
\n
"
,
par
->
family
);
return
false
;
}
return
true
;
}
static
void
connmark_tg_destroy
(
const
struct
xt_tgdtor_param
*
par
)
{
nf_ct_l3proto_module_put
(
par
->
family
);
}
static
struct
xt_target
connmark_tg_reg
__read_mostly
=
{
.
name
=
"CONNMARK"
,
.
revision
=
1
,
.
family
=
NFPROTO_UNSPEC
,
.
checkentry
=
connmark_tg_check
,
.
target
=
connmark_tg
,
.
targetsize
=
sizeof
(
struct
xt_connmark_tginfo1
),
.
destroy
=
connmark_tg_destroy
,
.
me
=
THIS_MODULE
,
};
static
int
__init
connmark_tg_init
(
void
)
{
return
xt_register_target
(
&
connmark_tg_reg
);
}
static
void
__exit
connmark_tg_exit
(
void
)
{
xt_unregister_target
(
&
connmark_tg_reg
);
}
module_init
(
connmark_tg_init
);
module_exit
(
connmark_tg_exit
);
net/netfilter/xt_connmark.c
View file @
b8f00ba2
/*
/*
* xt_connmark - Netfilter module to
match connection mark value
s
* xt_connmark - Netfilter module to
operate on connection mark
s
*
*
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
...
@@ -24,15 +24,71 @@
...
@@ -24,15 +24,71 @@
#include <linux/module.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_connmark.h>
#include <linux/netfilter/xt_connmark.h>
MODULE_AUTHOR
(
"Henrik Nordstrom <hno@marasystems.com>"
);
MODULE_AUTHOR
(
"Henrik Nordstrom <hno@marasystems.com>"
);
MODULE_DESCRIPTION
(
"Xtables: connection mark
match
"
);
MODULE_DESCRIPTION
(
"Xtables: connection mark
operations
"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_ALIAS
(
"ipt_CONNMARK"
);
MODULE_ALIAS
(
"ip6t_CONNMARK"
);
MODULE_ALIAS
(
"ipt_connmark"
);
MODULE_ALIAS
(
"ipt_connmark"
);
MODULE_ALIAS
(
"ip6t_connmark"
);
MODULE_ALIAS
(
"ip6t_connmark"
);
static
unsigned
int
connmark_tg
(
struct
sk_buff
*
skb
,
const
struct
xt_target_param
*
par
)
{
const
struct
xt_connmark_tginfo1
*
info
=
par
->
targinfo
;
enum
ip_conntrack_info
ctinfo
;
struct
nf_conn
*
ct
;
u_int32_t
newmark
;
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
ct
==
NULL
)
return
XT_CONTINUE
;
switch
(
info
->
mode
)
{
case
XT_CONNMARK_SET
:
newmark
=
(
ct
->
mark
&
~
info
->
ctmask
)
^
info
->
ctmark
;
if
(
ct
->
mark
!=
newmark
)
{
ct
->
mark
=
newmark
;
nf_conntrack_event_cache
(
IPCT_MARK
,
ct
);
}
break
;
case
XT_CONNMARK_SAVE
:
newmark
=
(
ct
->
mark
&
~
info
->
ctmask
)
^
(
skb
->
mark
&
info
->
nfmask
);
if
(
ct
->
mark
!=
newmark
)
{
ct
->
mark
=
newmark
;
nf_conntrack_event_cache
(
IPCT_MARK
,
ct
);
}
break
;
case
XT_CONNMARK_RESTORE
:
newmark
=
(
skb
->
mark
&
~
info
->
nfmask
)
^
(
ct
->
mark
&
info
->
ctmask
);
skb
->
mark
=
newmark
;
break
;
}
return
XT_CONTINUE
;
}
static
bool
connmark_tg_check
(
const
struct
xt_tgchk_param
*
par
)
{
if
(
nf_ct_l3proto_try_module_get
(
par
->
family
)
<
0
)
{
printk
(
KERN_WARNING
"cannot load conntrack support for "
"proto=%u
\n
"
,
par
->
family
);
return
false
;
}
return
true
;
}
static
void
connmark_tg_destroy
(
const
struct
xt_tgdtor_param
*
par
)
{
nf_ct_l3proto_module_put
(
par
->
family
);
}
static
bool
static
bool
connmark_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
connmark_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
{
{
...
@@ -62,6 +118,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
...
@@ -62,6 +118,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_l3proto_module_put
(
par
->
family
);
nf_ct_l3proto_module_put
(
par
->
family
);
}
}
static
struct
xt_target
connmark_tg_reg
__read_mostly
=
{
.
name
=
"CONNMARK"
,
.
revision
=
1
,
.
family
=
NFPROTO_UNSPEC
,
.
checkentry
=
connmark_tg_check
,
.
target
=
connmark_tg
,
.
targetsize
=
sizeof
(
struct
xt_connmark_tginfo1
),
.
destroy
=
connmark_tg_destroy
,
.
me
=
THIS_MODULE
,
};
static
struct
xt_match
connmark_mt_reg
__read_mostly
=
{
static
struct
xt_match
connmark_mt_reg
__read_mostly
=
{
.
name
=
"connmark"
,
.
name
=
"connmark"
,
.
revision
=
1
,
.
revision
=
1
,
...
@@ -75,12 +142,23 @@ static struct xt_match connmark_mt_reg __read_mostly = {
...
@@ -75,12 +142,23 @@ static struct xt_match connmark_mt_reg __read_mostly = {
static
int
__init
connmark_mt_init
(
void
)
static
int
__init
connmark_mt_init
(
void
)
{
{
return
xt_register_match
(
&
connmark_mt_reg
);
int
ret
;
ret
=
xt_register_target
(
&
connmark_tg_reg
);
if
(
ret
<
0
)
return
ret
;
ret
=
xt_register_match
(
&
connmark_mt_reg
);
if
(
ret
<
0
)
{
xt_unregister_target
(
&
connmark_tg_reg
);
return
ret
;
}
return
0
;
}
}
static
void
__exit
connmark_mt_exit
(
void
)
static
void
__exit
connmark_mt_exit
(
void
)
{
{
xt_unregister_match
(
&
connmark_mt_reg
);
xt_unregister_match
(
&
connmark_mt_reg
);
xt_unregister_target
(
&
connmark_tg_reg
);
}
}
module_init
(
connmark_mt_init
);
module_init
(
connmark_mt_init
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment