6 files changed, 206 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 49e96df5fbc4..bb48607d4ee4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -124,6 +124,12 @@ config NF_CONNTRACK_TIMESTAMP
          If unsure, say `N'.
+config NF_CONNTRACK_LABELS
+        bool
+        help
+          This option enables support for assigning user-defined flag bits
+          to connection tracking entries.  It selected by the connlabel match.
 config NF_CT_PROTO_DCCP
        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
@@ -842,6 +848,18 @@ config NETFILTER_XT_MATCH_CONNBYTES
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
+config NETFILTER_XT_MATCH_CONNLABEL
+        tristate '"connlabel" match support'
+        select NF_CONNTRACK_LABELS
+        depends on NETFILTER_ADVANCED
+        ---help---
+          This match allows you to test and assign userspace-defined labels names
+          to a connection.  The kernel only stores bit values - mapping
+          names to bits is done by userspace.
+          Unlike connmark, more than 32 flag bits may be assigned to a
+          connection simultaneously.
 config NETFILTER_XT_MATCH_CONNLIMIT
        tristate '"connlimit" match support"'
        depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 32596978df1d..b3bbda60945e 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -4,6 +4,7 @@ nf_conntrack-y	:= nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_exp
 nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
+nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
 obj-$(CONFIG_NETFILTER) = netfilter.o
@@ -101,6 +102,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLABEL) += xt_connlabel.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e4a0c4fb3a7c..85aa4b7149c5 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -45,6 +45,7 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
+#include <net/netfilter/nf_conntrack_labels.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
@@ -763,6 +764,7 @@ void nf_conntrack_free(struct nf_conn *ct)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_free);
 /* Allocate a new conntrack: we return -ENOMEM if classification
   failed due to stress.  Otherwise it really is unclassifiable. */
 static struct nf_conntrack_tuple_hash *
@@ -809,6 +811,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
+        nf_ct_labels_ext_add(ct);
        ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;
        nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
@@ -1352,6 +1355,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
        }
        nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
+        nf_conntrack_labels_fini(net);
        nf_conntrack_helper_fini(net);
        nf_conntrack_timeout_fini(net);
        nf_conntrack_ecache_fini(net);
@@ -1583,7 +1587,15 @@ static int nf_conntrack_init_net(struct net *net)
        ret = nf_conntrack_helper_init(net);
        if (ret < 0)
                goto err_helper;
+        ret = nf_conntrack_labels_init(net);
+        if (ret < 0)
+                goto err_labels;
        return 0;
+err_labels:
+        nf_conntrack_helper_fini(net);
 err_helper:
        nf_conntrack_timeout_fini(net);
 err_timeout:
diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c
new file mode 100644
index 000000000000..0c542f41f338
--- /dev/null
+++ b/net/netfilter/nf_conntrack_labels.c
@@ -0,0 +1,72 @@
+/*
+ * test/set flag bits stored in conntrack extension area.
+ *
+ * (C) 2013 Astaro GmbH & Co KG
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/ctype.h>
+#include <linux/export.h>
+#include <linux/jhash.h>
+#include <linux/spinlock.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
+#include <net/netfilter/nf_conntrack_labels.h>
+static unsigned int label_bits(const struct nf_conn_labels *l)
+{
+        unsigned int longs = l->words;
+        return longs * BITS_PER_LONG;
+}
+bool nf_connlabel_match(const struct nf_conn *ct, u16 bit)
+{
+        struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+        if (!labels)
+                return false;
+        return bit < label_bits(labels) && test_bit(bit, labels->bits);
+}
+EXPORT_SYMBOL_GPL(nf_connlabel_match);
+int nf_connlabel_set(struct nf_conn *ct, u16 bit)
+{
+        struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+        if (!labels || bit >= label_bits(labels))
+                return -ENOSPC;
+        if (test_bit(bit, labels->bits))
+                return 0;
+        if (test_and_set_bit(bit, labels->bits))
+                return 0;
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nf_connlabel_set);
+static struct nf_ct_ext_type labels_extend __read_mostly = {
+        .len    = sizeof(struct nf_conn_labels),
+        .align  = __alignof__(struct nf_conn_labels),
+        .id     = NF_CT_EXT_LABELS,
+};
+int nf_conntrack_labels_init(struct net *net)
+{
+        if (net_eq(net, &init_net))
+                return nf_ct_extend_register(&labels_extend);
+        return 0;
+}
+void nf_conntrack_labels_fini(struct net *net)
+{
+        if (net_eq(net, &init_net))
+                nf_ct_extend_unregister(&labels_extend);
+}
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 627b0e50b238..e0b10ee180ef 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -43,6 +43,7 @@
 #include <net/netfilter/nf_conntrack_acct.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
+#include <net/netfilter/nf_conntrack_labels.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -1598,6 +1599,8 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
        nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
+        nf_ct_labels_ext_add(ct);
        /* we must add conntrack extensions before confirmation. */
        ct->status |= IPS_CONFIRMED;
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
new file mode 100644
index 000000000000..9f8719df2001
--- /dev/null
+++ b/net/netfilter/xt_connlabel.c
@@ -0,0 +1,99 @@
+/*
+ * (C) 2013 Astaro GmbH & Co KG
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_labels.h>
+#include <linux/netfilter/x_tables.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
+MODULE_DESCRIPTION("Xtables: add/match connection trackling labels");
+MODULE_ALIAS("ipt_connlabel");
+MODULE_ALIAS("ip6t_connlabel");
+static bool
+connlabel_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_connlabel_mtinfo *info = par->matchinfo;
+        enum ip_conntrack_info ctinfo;
+        struct nf_conn *ct;
+        bool invert = info->options & XT_CONNLABEL_OP_INVERT;
+        ct = nf_ct_get(skb, &ctinfo);
+        if (ct == NULL || nf_ct_is_untracked(ct))
+                return invert;
+        if (info->options & XT_CONNLABEL_OP_SET)
+                return (nf_connlabel_set(ct, info->bit) == 0) ^ invert;
+        return nf_connlabel_match(ct, info->bit) ^ invert;
+}
+static int connlabel_mt_check(const struct xt_mtchk_param *par)
+{
+        const int options = XT_CONNLABEL_OP_INVERT |
+                            XT_CONNLABEL_OP_SET;
+        struct xt_connlabel_mtinfo *info = par->matchinfo;
+        int ret;
+        size_t words;
+        if (info->bit > XT_CONNLABEL_MAXBIT)
+                return -ERANGE;
+        if (info->options & ~options) {
+                pr_err("Unknown options in mask %x\n", info->options);
+                return -EINVAL;
+        }
+        ret = nf_ct_l3proto_try_module_get(par->family);
+        if (ret < 0) {
+                pr_info("cannot load conntrack support for proto=%u\n",
+                                                        par->family);
+                return ret;
+        }
+        par->net->ct.labels_used++;
+        words = BITS_TO_LONGS(info->bit+1);
+        if (words > par->net->ct.label_words)
+                par->net->ct.label_words = words;
+        return ret;
+}
+static void connlabel_mt_destroy(const struct xt_mtdtor_param *par)
+{
+        par->net->ct.labels_used--;
+        if (par->net->ct.labels_used == 0)
+                par->net->ct.label_words = 0;
+        nf_ct_l3proto_module_put(par->family);
+}
+static struct xt_match connlabels_mt_reg __read_mostly = {
+        .name           = "connlabel",
+        .family         = NFPROTO_UNSPEC,
+        .checkentry     = connlabel_mt_check,
+        .match          = connlabel_mt,
+        .matchsize      = sizeof(struct xt_connlabel_mtinfo),
+        .destroy        = connlabel_mt_destroy,
+        .me             = THIS_MODULE,
+};
+static int __init connlabel_mt_init(void)
+{
+        return xt_register_match(&connlabels_mt_reg);
+}
+static void __exit connlabel_mt_exit(void)
+{
+        xt_unregister_match(&connlabels_mt_reg);
+}
+module_init(connlabel_mt_init);
+module_exit(connlabel_mt_exit);

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 49e96df5fbc4..bb48607d4ee4 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -124,6 +124,12 @@ config NF_CONNTRACK_TIMESTAMP
124		124
125	If unsure, say `N'.	125	If unsure, say `N'.
126		126
		127	config NF_CONNTRACK_LABELS
		128	bool
		129	help
		130	This option enables support for assigning user-defined flag bits
		131	to connection tracking entries. It selected by the connlabel match.
		132
127	config NF_CT_PROTO_DCCP	133	config NF_CT_PROTO_DCCP
128	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'	134	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
129	depends on EXPERIMENTAL	135	depends on EXPERIMENTAL
@@ -842,6 +848,18 @@ config NETFILTER_XT_MATCH_CONNBYTES
842	If you want to compile it as a module, say M here and read	848	If you want to compile it as a module, say M here and read
843	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.	849	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
844		850
		851	config NETFILTER_XT_MATCH_CONNLABEL
		852	tristate '"connlabel" match support'
		853	select NF_CONNTRACK_LABELS
		854	depends on NETFILTER_ADVANCED
		855	---help---
		856	This match allows you to test and assign userspace-defined labels names
		857	to a connection. The kernel only stores bit values - mapping
		858	names to bits is done by userspace.
		859
		860	Unlike connmark, more than 32 flag bits may be assigned to a
		861	connection simultaneously.
		862
845	config NETFILTER_XT_MATCH_CONNLIMIT	863	config NETFILTER_XT_MATCH_CONNLIMIT
846	tristate '"connlimit" match support"'	864	tristate '"connlimit" match support"'
847	depends on NF_CONNTRACK	865	depends on NF_CONNTRACK


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 32596978df1d..b3bbda60945e 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -4,6 +4,7 @@ nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_exp
4	nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o	4	nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
5	nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o	5	nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
6	nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o	6	nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
		7	nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
7		8
8	obj-$(CONFIG_NETFILTER) = netfilter.o	9	obj-$(CONFIG_NETFILTER) = netfilter.o
9		10
@@ -101,6 +102,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
101	obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o	102	obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
102	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o	103	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
103	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o	104	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
		105	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLABEL) += xt_connlabel.o
104	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o	106	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
105	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o	107	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
106	obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o	108	obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index e4a0c4fb3a7c..85aa4b7149c5 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -45,6 +45,7 @@
45	#include <net/netfilter/nf_conntrack_zones.h>	45	#include <net/netfilter/nf_conntrack_zones.h>
46	#include <net/netfilter/nf_conntrack_timestamp.h>	46	#include <net/netfilter/nf_conntrack_timestamp.h>
47	#include <net/netfilter/nf_conntrack_timeout.h>	47	#include <net/netfilter/nf_conntrack_timeout.h>
		48	#include <net/netfilter/nf_conntrack_labels.h>
48	#include <net/netfilter/nf_nat.h>	49	#include <net/netfilter/nf_nat.h>
49	#include <net/netfilter/nf_nat_core.h>	50	#include <net/netfilter/nf_nat_core.h>
50		51
@@ -763,6 +764,7 @@ void nf_conntrack_free(struct nf_conn *ct)
763	}	764	}
764	EXPORT_SYMBOL_GPL(nf_conntrack_free);	765	EXPORT_SYMBOL_GPL(nf_conntrack_free);
765		766
		767
766	/* Allocate a new conntrack: we return -ENOMEM if classification	768	/* Allocate a new conntrack: we return -ENOMEM if classification
767	failed due to stress. Otherwise it really is unclassifiable. */	769	failed due to stress. Otherwise it really is unclassifiable. */
768	static struct nf_conntrack_tuple_hash *	770	static struct nf_conntrack_tuple_hash *
@@ -809,6 +811,7 @@ init_conntrack(struct net net, struct nf_conn tmpl,
809		811
810	nf_ct_acct_ext_add(ct, GFP_ATOMIC);	812	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
811	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);	813	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
		814	nf_ct_labels_ext_add(ct);
812		815
813	ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;	816	ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;
814	nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,	817	nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
@@ -1352,6 +1355,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
1352	}	1355	}
1353		1356
1354	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);	1357	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
		1358	nf_conntrack_labels_fini(net);
1355	nf_conntrack_helper_fini(net);	1359	nf_conntrack_helper_fini(net);
1356	nf_conntrack_timeout_fini(net);	1360	nf_conntrack_timeout_fini(net);
1357	nf_conntrack_ecache_fini(net);	1361	nf_conntrack_ecache_fini(net);
@@ -1583,7 +1587,15 @@ static int nf_conntrack_init_net(struct net *net)
1583	ret = nf_conntrack_helper_init(net);	1587	ret = nf_conntrack_helper_init(net);
1584	if (ret < 0)	1588	if (ret < 0)
1585	goto err_helper;	1589	goto err_helper;
		1590
		1591	ret = nf_conntrack_labels_init(net);
		1592	if (ret < 0)
		1593	goto err_labels;
		1594
1586	return 0;	1595	return 0;
		1596
		1597	err_labels:
		1598	nf_conntrack_helper_fini(net);
1587	err_helper:	1599	err_helper:
1588	nf_conntrack_timeout_fini(net);	1600	nf_conntrack_timeout_fini(net);
1589	err_timeout:	1601	err_timeout:


diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c new file mode 100644 index 000000000000..0c542f41f338 --- /dev/null +++ b/net/netfilter/nf_conntrack_labels.c
@@ -0,0 +1,72 @@
		1	/*
		2	* test/set flag bits stored in conntrack extension area.
		3	*
		4	* (C) 2013 Astaro GmbH & Co KG
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License version 2 as
		8	* published by the Free Software Foundation.
		9	*/
		10
		11	#include <linux/ctype.h>
		12	#include <linux/export.h>
		13	#include <linux/jhash.h>
		14	#include <linux/spinlock.h>
		15	#include <linux/types.h>
		16	#include <linux/slab.h>
		17
		18	#include <net/netfilter/nf_conntrack_ecache.h>
		19	#include <net/netfilter/nf_conntrack_labels.h>
		20
		21	static unsigned int label_bits(const struct nf_conn_labels *l)
		22	{
		23	unsigned int longs = l->words;
		24	return longs * BITS_PER_LONG;
		25	}
		26
		27	bool nf_connlabel_match(const struct nf_conn *ct, u16 bit)
		28	{
		29	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
		30
		31	if (!labels)
		32	return false;
		33
		34	return bit < label_bits(labels) && test_bit(bit, labels->bits);
		35	}
		36	EXPORT_SYMBOL_GPL(nf_connlabel_match);
		37
		38	int nf_connlabel_set(struct nf_conn *ct, u16 bit)
		39	{
		40	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
		41
		42	if (!labels \|\| bit >= label_bits(labels))
		43	return -ENOSPC;
		44
		45	if (test_bit(bit, labels->bits))
		46	return 0;
		47
		48	if (test_and_set_bit(bit, labels->bits))
		49	return 0;
		50
		51	return 0;
		52	}
		53	EXPORT_SYMBOL_GPL(nf_connlabel_set);
		54
		55	static struct nf_ct_ext_type labels_extend __read_mostly = {
		56	.len = sizeof(struct nf_conn_labels),
		57	.align = __alignof__(struct nf_conn_labels),
		58	.id = NF_CT_EXT_LABELS,
		59	};
		60
		61	int nf_conntrack_labels_init(struct net *net)
		62	{
		63	if (net_eq(net, &init_net))
		64	return nf_ct_extend_register(&labels_extend);
		65	return 0;
		66	}
		67
		68	void nf_conntrack_labels_fini(struct net *net)
		69	{
		70	if (net_eq(net, &init_net))
		71	nf_ct_extend_unregister(&labels_extend);
		72	}


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 627b0e50b238..e0b10ee180ef 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -43,6 +43,7 @@
43	#include <net/netfilter/nf_conntrack_acct.h>	43	#include <net/netfilter/nf_conntrack_acct.h>
44	#include <net/netfilter/nf_conntrack_zones.h>	44	#include <net/netfilter/nf_conntrack_zones.h>
45	#include <net/netfilter/nf_conntrack_timestamp.h>	45	#include <net/netfilter/nf_conntrack_timestamp.h>
		46	#include <net/netfilter/nf_conntrack_labels.h>
46	#ifdef CONFIG_NF_NAT_NEEDED	47	#ifdef CONFIG_NF_NAT_NEEDED
47	#include <net/netfilter/nf_nat_core.h>	48	#include <net/netfilter/nf_nat_core.h>
48	#include <net/netfilter/nf_nat_l4proto.h>	49	#include <net/netfilter/nf_nat_l4proto.h>
@@ -1598,6 +1599,8 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
1598	nf_ct_acct_ext_add(ct, GFP_ATOMIC);	1599	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1599	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);	1600	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1600	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);	1601	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
		1602	nf_ct_labels_ext_add(ct);
		1603
1601	/* we must add conntrack extensions before confirmation. */	1604	/* we must add conntrack extensions before confirmation. */
1602	ct->status \|= IPS_CONFIRMED;	1605	ct->status \|= IPS_CONFIRMED;
1603		1606


diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c new file mode 100644 index 000000000000..9f8719df2001 --- /dev/null +++ b/net/netfilter/xt_connlabel.c
@@ -0,0 +1,99 @@
		1	/*
		2	* (C) 2013 Astaro GmbH & Co KG
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/module.h>
		10	#include <linux/skbuff.h>
		11	#include <net/netfilter/nf_conntrack.h>
		12	#include <net/netfilter/nf_conntrack_labels.h>
		13	#include <linux/netfilter/x_tables.h>
		14
		15	MODULE_LICENSE("GPL");
		16	MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
		17	MODULE_DESCRIPTION("Xtables: add/match connection trackling labels");
		18	MODULE_ALIAS("ipt_connlabel");
		19	MODULE_ALIAS("ip6t_connlabel");
		20
		21	static bool
		22	connlabel_mt(const struct sk_buff skb, struct xt_action_param par)
		23	{
		24	const struct xt_connlabel_mtinfo *info = par->matchinfo;
		25	enum ip_conntrack_info ctinfo;
		26	struct nf_conn *ct;
		27	bool invert = info->options & XT_CONNLABEL_OP_INVERT;
		28
		29	ct = nf_ct_get(skb, &ctinfo);
		30	if (ct == NULL \|\| nf_ct_is_untracked(ct))
		31	return invert;
		32
		33	if (info->options & XT_CONNLABEL_OP_SET)
		34	return (nf_connlabel_set(ct, info->bit) == 0) ^ invert;
		35
		36	return nf_connlabel_match(ct, info->bit) ^ invert;
		37	}
		38
		39	static int connlabel_mt_check(const struct xt_mtchk_param *par)
		40	{
		41	const int options = XT_CONNLABEL_OP_INVERT \|
		42	XT_CONNLABEL_OP_SET;
		43	struct xt_connlabel_mtinfo *info = par->matchinfo;
		44	int ret;
		45	size_t words;
		46
		47	if (info->bit > XT_CONNLABEL_MAXBIT)
		48	return -ERANGE;
		49
		50	if (info->options & ~options) {
		51	pr_err("Unknown options in mask %x\n", info->options);
		52	return -EINVAL;
		53	}
		54
		55	ret = nf_ct_l3proto_try_module_get(par->family);
		56	if (ret < 0) {
		57	pr_info("cannot load conntrack support for proto=%u\n",
		58	par->family);
		59	return ret;
		60	}
		61
		62	par->net->ct.labels_used++;
		63	words = BITS_TO_LONGS(info->bit+1);
		64	if (words > par->net->ct.label_words)
		65	par->net->ct.label_words = words;
		66
		67	return ret;
		68	}
		69
		70	static void connlabel_mt_destroy(const struct xt_mtdtor_param *par)
		71	{
		72	par->net->ct.labels_used--;
		73	if (par->net->ct.labels_used == 0)
		74	par->net->ct.label_words = 0;
		75	nf_ct_l3proto_module_put(par->family);
		76	}
		77
		78	static struct xt_match connlabels_mt_reg __read_mostly = {
		79	.name = "connlabel",
		80	.family = NFPROTO_UNSPEC,
		81	.checkentry = connlabel_mt_check,
		82	.match = connlabel_mt,
		83	.matchsize = sizeof(struct xt_connlabel_mtinfo),
		84	.destroy = connlabel_mt_destroy,
		85	.me = THIS_MODULE,
		86	};
		87
		88	static int __init connlabel_mt_init(void)
		89	{
		90	return xt_register_match(&connlabels_mt_reg);
		91	}
		92
		93	static void __exit connlabel_mt_exit(void)
		94	{
		95	xt_unregister_match(&connlabels_mt_reg);
		96	}
		97
		98	module_init(connlabel_mt_init);
		99	module_exit(connlabel_mt_exit);