Commit b8f00ba2 authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Patrick McHardy

netfilter: xtables: merge xt_CONNMARK into xt_connmark

Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
parent 28b94988
#ifndef _XT_CONNMARK_H_target #ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target #define _XT_CONNMARK_H_target
#include <linux/types.h> #include <linux/netfilter/xt_connmark.h>
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};
struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
};
#endif /*_XT_CONNMARK_H_target*/ #endif /*_XT_CONNMARK_H_target*/
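Review bot: The reduced xt_CONNMARK.h now consists of the guard and a single `#include <linux/netfilter/xt_connmark.h>` with no comment saying why the file still exists, so a later reader cannot tell whether it is a leftover of the merge or a deliberate shim for sources that still include the old name. A one-line comment after the guard, `/* Compatibility wrapper: the CONNMARK target definitions live in xt_connmark.h now */`, would make the intent explicit and mark it as a candidate for removal once nothing includes it. Presumably the old `#include <linux/types.h>` is dropped because xt_connmark.h pulls it in; worth confirming since the header is exported to userspace.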
...@@ -12,6 +12,17 @@ ...@@ -12,6 +12,17 @@
* (at your option) any later version. * (at your option) any later version.
*/ */
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};
struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
};
struct xt_connmark_mtinfo1 { struct xt_connmark_mtinfo1 {
__u32 mark, mask; __u32 mark, mask;
__u8 invert; __u8 invert;
......
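Review bot: The enum values and the `xt_connmark_tginfo1` fields moved into xt_connmark.h arrive without any description of what each mode does to which mark, even though the semantics are fixed by the target code in xt_connmark.c in this same commit. I would annotate the three constants from that code: `XT_CONNMARK_SET, /* ctmark = (ctmark & ~ctmask) ^ info->ctmark */`, `XT_CONNMARK_SAVE, /* ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) */`, `XT_CONNMARK_RESTORE /* nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) */`. A note on the struct that `mode` must be one of the enum values would also document the contract the kernel side is expected to enforce. The hunk ends inside `struct xt_connmark_mtinfo1`, whose remaining fields are outside the visible lines.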
...@@ -331,6 +331,18 @@ config NETFILTER_XT_MARK ...@@ -331,6 +331,18 @@ config NETFILTER_XT_MARK
"Use netfilter MARK value as routing key") and can also be used by "Use netfilter MARK value as routing key") and can also be used by
other subsystems to change their behavior. other subsystems to change their behavior.
config NETFILTER_XT_CONNMARK
tristate 'ctmark target and match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
---help---
This option adds the "CONNMARK" target and "connmark" match.
Netfilter allows you to store a mark value per connection (a.k.a.
ctmark), similarly to the packet mark (nfmark). Using this
target and match, you can set and match on this mark.
# alphabetically ordered list of targets # alphabetically ordered list of targets
comment "Xtables targets" comment "Xtables targets"
...@@ -351,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK ...@@ -351,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK
tristate '"CONNMARK" target support' tristate '"CONNMARK" target support'
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK select NETFILTER_XT_CONNMARK
help ---help---
This option adds a `CONNMARK' target, which allows one to manipulate This is a backwards-compat option for the user's convenience
the connection mark value. Similar to the MARK target, but (e.g. when running oldconfig). It selects
affects the connection mark value rather than the packet mark value. CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_CONNMARK. If unsure, say `N'.
config NETFILTER_XT_TARGET_CONNSECMARK config NETFILTER_XT_TARGET_CONNSECMARK
tristate '"CONNSECMARK" target support' tristate '"CONNSECMARK" target support'
...@@ -621,14 +629,11 @@ config NETFILTER_XT_MATCH_CONNMARK ...@@ -621,14 +629,11 @@ config NETFILTER_XT_MATCH_CONNMARK
tristate '"connmark" connection mark match support' tristate '"connmark" connection mark match support'
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK select NETFILTER_XT_CONNMARK
help ---help---
This option adds a `connmark' match, which allows you to match the This is a backwards-compat option for the user's convenience
connection mark value previously set for the session by `CONNMARK'. (e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_connmark. If unsure, say `N'.
config NETFILTER_XT_MATCH_CONNTRACK config NETFILTER_XT_MATCH_CONNTRACK
tristate '"conntrack" connection tracking match support' tristate '"conntrack" connection tracking match support'
......
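Review bot: The help text of the new `NETFILTER_XT_CONNMARK` entry no longer tells the user what the resulting module is called, whereas the two entries it replaces ended with "The module will be called …" (even if their names were stale). Since the Makefile hunk in this commit builds it as `xt_connmark.o`, I would close the help with `To compile it as a module, choose M here. The module will be called xt_connmark.`. The two backwards-compat entries are fine as written; they state their purpose and what they select.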
...@@ -42,10 +42,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o ...@@ -42,10 +42,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
# combos # combos
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
# targets # targets
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
...@@ -66,7 +66,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o ...@@ -66,7 +66,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
......
/*
* xt_CONNMARK - Netfilter module to modify the connection mark values
*
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
* Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/checksum.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
MODULE_DESCRIPTION("Xtables: connection mark modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNMARK.h>
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_connmark_tginfo1 *info = par->targinfo;
enum ip_conntrack_info ctinfo;
struct nf_conn *ct;
u_int32_t newmark;
ct = nf_ct_get(skb, &ctinfo);
if (ct == NULL)
return XT_CONTINUE;
switch (info->mode) {
case XT_CONNMARK_SET:
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_SAVE:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_RESTORE:
newmark = (skb->mark & ~info->nfmask) ^
(ct->mark & info->ctmask);
skb->mark = newmark;
break;
}
return XT_CONTINUE;
}
static bool connmark_tg_check(const struct xt_tgchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
printk(KERN_WARNING "cannot load conntrack support for "
"proto=%u\n", par->family);
return false;
}
return true;
}
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
{
nf_ct_l3proto_module_put(par->family);
}
static struct xt_target connmark_tg_reg __read_mostly = {
.name = "CONNMARK",
.revision = 1,
.family = NFPROTO_UNSPEC,
.checkentry = connmark_tg_check,
.target = connmark_tg,
.targetsize = sizeof(struct xt_connmark_tginfo1),
.destroy = connmark_tg_destroy,
.me = THIS_MODULE,
};
static int __init connmark_tg_init(void)
{
return xt_register_target(&connmark_tg_reg);
}
static void __exit connmark_tg_exit(void)
{
xt_unregister_target(&connmark_tg_reg);
}
module_init(connmark_tg_init);
module_exit(connmark_tg_exit);
/* /*
* xt_connmark - Netfilter module to match connection mark values * xt_connmark - Netfilter module to operate on connection marks
* *
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com> * by Henrik Nordstrom <hno@marasystems.com>
...@@ -24,15 +24,71 @@ ...@@ -24,15 +24,71 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_connmark.h> #include <linux/netfilter/xt_connmark.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
MODULE_DESCRIPTION("Xtables: connection mark match"); MODULE_DESCRIPTION("Xtables: connection mark operations");
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");
MODULE_ALIAS("ipt_connmark"); MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark"); MODULE_ALIAS("ip6t_connmark");
static unsigned int
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_connmark_tginfo1 *info = par->targinfo;
enum ip_conntrack_info ctinfo;
struct nf_conn *ct;
u_int32_t newmark;
ct = nf_ct_get(skb, &ctinfo);
if (ct == NULL)
return XT_CONTINUE;
switch (info->mode) {
case XT_CONNMARK_SET:
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_SAVE:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_RESTORE:
newmark = (skb->mark & ~info->nfmask) ^
(ct->mark & info->ctmask);
skb->mark = newmark;
break;
}
return XT_CONTINUE;
}
static bool connmark_tg_check(const struct xt_tgchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
printk(KERN_WARNING "cannot load conntrack support for "
"proto=%u\n", par->family);
return false;
}
return true;
}
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
{
nf_ct_l3proto_module_put(par->family);
}
static bool static bool
connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{ {
...@@ -62,6 +118,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par) ...@@ -62,6 +118,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_l3proto_module_put(par->family); nf_ct_l3proto_module_put(par->family);
} }
static struct xt_target connmark_tg_reg __read_mostly = {
.name = "CONNMARK",
.revision = 1,
.family = NFPROTO_UNSPEC,
.checkentry = connmark_tg_check,
.target = connmark_tg,
.targetsize = sizeof(struct xt_connmark_tginfo1),
.destroy = connmark_tg_destroy,
.me = THIS_MODULE,
};
static struct xt_match connmark_mt_reg __read_mostly = { static struct xt_match connmark_mt_reg __read_mostly = {
.name = "connmark", .name = "connmark",
.revision = 1, .revision = 1,
...@@ -75,12 +142,23 @@ static struct xt_match connmark_mt_reg __read_mostly = { ...@@ -75,12 +142,23 @@ static struct xt_match connmark_mt_reg __read_mostly = {
static int __init connmark_mt_init(void) static int __init connmark_mt_init(void)
{ {
return xt_register_match(&connmark_mt_reg); int ret;
ret = xt_register_target(&connmark_tg_reg);
if (ret < 0)
return ret;
ret = xt_register_match(&connmark_mt_reg);
if (ret < 0) {
xt_unregister_target(&connmark_tg_reg);
return ret;
}
return 0;
} }
static void __exit connmark_mt_exit(void) static void __exit connmark_mt_exit(void)
{ {
xt_unregister_match(&connmark_mt_reg); xt_unregister_match(&connmark_mt_reg);
xt_unregister_target(&connmark_tg_reg);
} }
module_init(connmark_mt_init); module_init(connmark_mt_init);
......
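Review bot: `connmark_tg_check` on the new side of the `@@ -24,15 +24,71 @@` hunk only pins the l3proto module and never looks at `info->mode`, while the `switch (info->mode)` in `connmark_tg` just above it has no `default:` case, so a rule carrying an out-of-range mode is accepted at load time and then silently falls through to `return XT_CONTINUE` on every packet. As targinfo is copied in from the userspace rule, I would reject it when the rule is installed: `const struct xt_connmark_tginfo1 *info = par->targinfo;` followed by `if (info->mode > XT_CONNMARK_RESTORE) return false;` ahead of the module-get, so a bad rule fails visibly instead of becoming a no-op. The deleted xt_CONNMARK.c had the same gap, but the merge is the natural point to close it. The body of `connmark_mt` and the tail of the registration hunk fall outside the visible lines, so I have not reviewed them.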