diff options
| author | James Morris <jmorris@namei.org> | 2006-06-09 03:31:46 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-06-18 00:30:01 -0400 |
| commit | 7c9728c393dceb724d66d696cfabce82151a78e5 (patch) | |
| tree | af2b67ff7c579d669d01f28af33929f780b9c1b3 | |
| parent | 5e6874cdb8de94cd3c15d853a8ef9c6f4c305055 (diff) | |
[SECMARK]: Add secmark support to conntrack
Add a secmark field to IP and NF conntracks, so that security markings
on packets can be copied to their associated connections, and also
copied back to packets as required. This is similar to the network
mark field currently used with conntrack, although it is intended for
enforcement of security policy rather than network policy.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack.h | 4 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack.h | 4 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_compat.h | 26 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 12 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_core.c | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_standalone.c | 5 | ||||
| -rw-r--r-- | net/netfilter/Kconfig | 12 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 3 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 5 |
9 files changed, 74 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index 17d7ef938a09..e0e9951eb8c3 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h | |||
| @@ -121,6 +121,10 @@ struct ip_conntrack | |||
| 121 | u_int32_t mark; | 121 | u_int32_t mark; |
| 122 | #endif | 122 | #endif |
| 123 | 123 | ||
| 124 | #ifdef CONFIG_IP_NF_CONNTRACK_SECMARK | ||
| 125 | u_int32_t secmark; | ||
| 126 | #endif | ||
| 127 | |||
| 124 | /* Traversed often, so hopefully in different cacheline to top */ | 128 | /* Traversed often, so hopefully in different cacheline to top */ |
| 125 | /* These are my tuples; original and reply */ | 129 | /* These are my tuples; original and reply */ |
| 126 | struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; | 130 | struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; |
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index dbe7a114d0c5..411117815807 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
| @@ -114,6 +114,10 @@ struct nf_conn | |||
| 114 | u_int32_t mark; | 114 | u_int32_t mark; |
| 115 | #endif | 115 | #endif |
| 116 | 116 | ||
| 117 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 118 | u_int32_t secmark; | ||
| 119 | #endif | ||
| 120 | |||
| 117 | /* Storage reserved for other modules: */ | 121 | /* Storage reserved for other modules: */ |
| 118 | union nf_conntrack_proto proto; | 122 | union nf_conntrack_proto proto; |
| 119 | 123 | ||
diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h index 3cac19fb3648..f1b1482d7200 100644 --- a/include/net/netfilter/nf_conntrack_compat.h +++ b/include/net/netfilter/nf_conntrack_compat.h | |||
| @@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, | |||
| 20 | } | 20 | } |
| 21 | #endif /* CONFIG_IP_NF_CONNTRACK_MARK */ | 21 | #endif /* CONFIG_IP_NF_CONNTRACK_MARK */ |
| 22 | 22 | ||
| 23 | #ifdef CONFIG_IP_NF_CONNTRACK_SECMARK | ||
| 24 | static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb, | ||
| 25 | u_int32_t *ctinfo) | ||
| 26 | { | ||
| 27 | struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo); | ||
| 28 | |||
| 29 | if (ct) | ||
| 30 | return &ct->secmark; | ||
| 31 | else | ||
| 32 | return NULL; | ||
| 33 | } | ||
| 34 | #endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */ | ||
| 35 | |||
| 23 | #ifdef CONFIG_IP_NF_CT_ACCT | 36 | #ifdef CONFIG_IP_NF_CT_ACCT |
| 24 | static inline struct ip_conntrack_counter * | 37 | static inline struct ip_conntrack_counter * |
| 25 | nf_ct_get_counters(const struct sk_buff *skb) | 38 | nf_ct_get_counters(const struct sk_buff *skb) |
| @@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, | |||
| 70 | } | 83 | } |
| 71 | #endif /* CONFIG_NF_CONNTRACK_MARK */ | 84 | #endif /* CONFIG_NF_CONNTRACK_MARK */ |
| 72 | 85 | ||
| 86 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 87 | static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb, | ||
| 88 | u_int32_t *ctinfo) | ||
| 89 | { | ||
| 90 | struct nf_conn *ct = nf_ct_get(skb, ctinfo); | ||
| 91 | |||
| 92 | if (ct) | ||
| 93 | return &ct->secmark; | ||
| 94 | else | ||
| 95 | return NULL; | ||
| 96 | } | ||
| 97 | #endif /* CONFIG_NF_CONNTRACK_MARK */ | ||
| 98 | |||
| 73 | #ifdef CONFIG_NF_CT_ACCT | 99 | #ifdef CONFIG_NF_CT_ACCT |
| 74 | static inline struct ip_conntrack_counter * | 100 | static inline struct ip_conntrack_counter * |
| 75 | nf_ct_get_counters(const struct sk_buff *skb) | 101 | nf_ct_get_counters(const struct sk_buff *skb) |
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ff4b118f14a9..e1d7f5fbc526 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK | |||
| 55 | of packets, but this mark value is kept in the conntrack session | 55 | of packets, but this mark value is kept in the conntrack session |
| 56 | instead of the individual packets. | 56 | instead of the individual packets. |
| 57 | 57 | ||
| 58 | config IP_NF_CONNTRACK_SECMARK | ||
| 59 | bool 'Connection tracking security mark support' | ||
| 60 | depends on IP_NF_CONNTRACK && NETWORK_SECMARK | ||
| 61 | help | ||
| 62 | This option enables security markings to be applied to | ||
| 63 | connections. Typically they are copied to connections from | ||
| 64 | packets using the CONNSECMARK target and copied back from | ||
| 65 | connections to packets with the same target, with the packets | ||
| 66 | being originally labeled via SECMARK. | ||
| 67 | |||
| 68 | If unsure, say 'N'. | ||
| 69 | |||
| 58 | config IP_NF_CONNTRACK_EVENTS | 70 | config IP_NF_CONNTRACK_EVENTS |
| 59 | bool "Connection tracking events (EXPERIMENTAL)" | 71 | bool "Connection tracking events (EXPERIMENTAL)" |
| 60 | depends on EXPERIMENTAL && IP_NF_CONNTRACK | 72 | depends on EXPERIMENTAL && IP_NF_CONNTRACK |
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index 4fe9e69378df..7e4cf9a4d15f 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c | |||
| @@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple, | |||
| 724 | /* this is ugly, but there is no other place where to put it */ | 724 | /* this is ugly, but there is no other place where to put it */ |
| 725 | conntrack->nat.masq_index = exp->master->nat.masq_index; | 725 | conntrack->nat.masq_index = exp->master->nat.masq_index; |
| 726 | #endif | 726 | #endif |
| 727 | #ifdef CONFIG_IP_NF_CONNTRACK_SECMARK | ||
| 728 | conntrack->secmark = exp->master->secmark; | ||
| 729 | #endif | ||
| 727 | nf_conntrack_get(&conntrack->master->ct_general); | 730 | nf_conntrack_get(&conntrack->master->ct_general); |
| 728 | CONNTRACK_STAT_INC(expect_new); | 731 | CONNTRACK_STAT_INC(expect_new); |
| 729 | } else { | 732 | } else { |
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 6cb9b989d14c..88445aac3f28 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c | |||
| @@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *s, void *v) | |||
| 189 | return -ENOSPC; | 189 | return -ENOSPC; |
| 190 | #endif | 190 | #endif |
| 191 | 191 | ||
| 192 | #ifdef CONFIG_IP_NF_CONNTRACK_SECMARK | ||
| 193 | if (seq_printf(s, "secmark=%u ", conntrack->secmark)) | ||
| 194 | return -ENOSPC; | ||
| 195 | #endif | ||
| 196 | |||
| 192 | if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) | 197 | if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) |
| 193 | return -ENOSPC; | 198 | return -ENOSPC; |
| 194 | 199 | ||
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 10eccdd4d6ea..023f81e5f96b 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig | |||
| @@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK | |||
| 60 | of packets, but this mark value is kept in the conntrack session | 60 | of packets, but this mark value is kept in the conntrack session |
| 61 | instead of the individual packets. | 61 | instead of the individual packets. |
| 62 | 62 | ||
| 63 | config NF_CONNTRACK_SECMARK | ||
| 64 | bool 'Connection tracking security mark support' | ||
| 65 | depends on NF_CONNTRACK && NETWORK_SECMARK | ||
| 66 | help | ||
| 67 | This option enables security markings to be applied to | ||
| 68 | connections. Typically they are copied to connections from | ||
| 69 | packets using the CONNSECMARK target and copied back from | ||
| 70 | connections to packets with the same target, with the packets | ||
| 71 | being originally labeled via SECMARK. | ||
| 72 | |||
| 73 | If unsure, say 'N'. | ||
| 74 | |||
| 63 | config NF_CONNTRACK_EVENTS | 75 | config NF_CONNTRACK_EVENTS |
| 64 | bool "Connection tracking events (EXPERIMENTAL)" | 76 | bool "Connection tracking events (EXPERIMENTAL)" |
| 65 | depends on EXPERIMENTAL && NF_CONNTRACK | 77 | depends on EXPERIMENTAL && NF_CONNTRACK |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index bc2bd4c3859e..cd299f4b7db1 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -990,6 +990,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, | |||
| 990 | #ifdef CONFIG_NF_CONNTRACK_MARK | 990 | #ifdef CONFIG_NF_CONNTRACK_MARK |
| 991 | conntrack->mark = exp->master->mark; | 991 | conntrack->mark = exp->master->mark; |
| 992 | #endif | 992 | #endif |
| 993 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 994 | conntrack->secmark = exp->master->secmark; | ||
| 995 | #endif | ||
| 993 | nf_conntrack_get(&conntrack->master->ct_general); | 996 | nf_conntrack_get(&conntrack->master->ct_general); |
| 994 | NF_CT_STAT_INC(expect_new); | 997 | NF_CT_STAT_INC(expect_new); |
| 995 | } else | 998 | } else |
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index e01d20d8e287..e34c574f0351 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
| @@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *s, void *v) | |||
| 213 | return -ENOSPC; | 213 | return -ENOSPC; |
| 214 | #endif | 214 | #endif |
| 215 | 215 | ||
| 216 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 217 | if (seq_printf(s, "secmark=%u ", conntrack->secmark)) | ||
| 218 | return -ENOSPC; | ||
| 219 | #endif | ||
| 220 | |||
| 216 | if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) | 221 | if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) |
| 217 | return -ENOSPC; | 222 | return -ENOSPC; |
| 218 | 223 | ||