aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2006-06-09 03:31:46 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-18 00:30:01 -0400
commit7c9728c393dceb724d66d696cfabce82151a78e5 (patch)
treeaf2b67ff7c579d669d01f28af33929f780b9c1b3 /net
parent5e6874cdb8de94cd3c15d853a8ef9c6f4c305055 (diff)
[SECMARK]: Add secmark support to conntrack
Add a secmark field to IP and NF conntracks, so that security markings on packets can be copied to their associated connections, and also copied back to packets as required. This is similar to the network mark field currently used with conntrack, although it is intended for enforcement of security policy rather than network policy. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/Kconfig12
-rw-r--r--net/ipv4/netfilter/ip_conntrack_core.c3
-rw-r--r--net/ipv4/netfilter/ip_conntrack_standalone.c5
-rw-r--r--net/netfilter/Kconfig12
-rw-r--r--net/netfilter/nf_conntrack_core.c3
-rw-r--r--net/netfilter/nf_conntrack_standalone.c5
6 files changed, 40 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ff4b118f14a..e1d7f5fbc52 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK
55 of packets, but this mark value is kept in the conntrack session 55 of packets, but this mark value is kept in the conntrack session
56 instead of the individual packets. 56 instead of the individual packets.
57 57
58config IP_NF_CONNTRACK_SECMARK
59 bool 'Connection tracking security mark support'
60 depends on IP_NF_CONNTRACK && NETWORK_SECMARK
61 help
62 This option enables security markings to be applied to
63 connections. Typically they are copied to connections from
64 packets using the CONNSECMARK target and copied back from
65 connections to packets with the same target, with the packets
66 being originally labeled via SECMARK.
67
68 If unsure, say 'N'.
69
58config IP_NF_CONNTRACK_EVENTS 70config IP_NF_CONNTRACK_EVENTS
59 bool "Connection tracking events (EXPERIMENTAL)" 71 bool "Connection tracking events (EXPERIMENTAL)"
60 depends on EXPERIMENTAL && IP_NF_CONNTRACK 72 depends on EXPERIMENTAL && IP_NF_CONNTRACK
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 4fe9e69378d..7e4cf9a4d15 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple,
724 /* this is ugly, but there is no other place where to put it */ 724 /* this is ugly, but there is no other place where to put it */
725 conntrack->nat.masq_index = exp->master->nat.masq_index; 725 conntrack->nat.masq_index = exp->master->nat.masq_index;
726#endif 726#endif
727#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
728 conntrack->secmark = exp->master->secmark;
729#endif
727 nf_conntrack_get(&conntrack->master->ct_general); 730 nf_conntrack_get(&conntrack->master->ct_general);
728 CONNTRACK_STAT_INC(expect_new); 731 CONNTRACK_STAT_INC(expect_new);
729 } else { 732 } else {
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 6cb9b989d14..88445aac3f2 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
189 return -ENOSPC; 189 return -ENOSPC;
190#endif 190#endif
191 191
192#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
193 if (seq_printf(s, "secmark=%u ", conntrack->secmark))
194 return -ENOSPC;
195#endif
196
192 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) 197 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
193 return -ENOSPC; 198 return -ENOSPC;
194 199
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 10eccdd4d6e..023f81e5f96 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
60 of packets, but this mark value is kept in the conntrack session 60 of packets, but this mark value is kept in the conntrack session
61 instead of the individual packets. 61 instead of the individual packets.
62 62
63config NF_CONNTRACK_SECMARK
64 bool 'Connection tracking security mark support'
65 depends on NF_CONNTRACK && NETWORK_SECMARK
66 help
67 This option enables security markings to be applied to
68 connections. Typically they are copied to connections from
69 packets using the CONNSECMARK target and copied back from
70 connections to packets with the same target, with the packets
71 being originally labeled via SECMARK.
72
73 If unsure, say 'N'.
74
63config NF_CONNTRACK_EVENTS 75config NF_CONNTRACK_EVENTS
64 bool "Connection tracking events (EXPERIMENTAL)" 76 bool "Connection tracking events (EXPERIMENTAL)"
65 depends on EXPERIMENTAL && NF_CONNTRACK 77 depends on EXPERIMENTAL && NF_CONNTRACK
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index bc2bd4c3859..cd299f4b7db 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -990,6 +990,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
990#ifdef CONFIG_NF_CONNTRACK_MARK 990#ifdef CONFIG_NF_CONNTRACK_MARK
991 conntrack->mark = exp->master->mark; 991 conntrack->mark = exp->master->mark;
992#endif 992#endif
993#ifdef CONFIG_NF_CONNTRACK_SECMARK
994 conntrack->secmark = exp->master->secmark;
995#endif
993 nf_conntrack_get(&conntrack->master->ct_general); 996 nf_conntrack_get(&conntrack->master->ct_general);
994 NF_CT_STAT_INC(expect_new); 997 NF_CT_STAT_INC(expect_new);
995 } else 998 } else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index e01d20d8e28..e34c574f035 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
213 return -ENOSPC; 213 return -ENOSPC;
214#endif 214#endif
215 215
216#ifdef CONFIG_NF_CONNTRACK_SECMARK
217 if (seq_printf(s, "secmark=%u ", conntrack->secmark))
218 return -ENOSPC;
219#endif
220
216 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) 221 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
217 return -ENOSPC; 222 return -ENOSPC;
218 223