authorJames Morris <jmorris@namei.org>2006-06-09 03:31:46 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-18 00:30:01 -0400
commit7c9728c393dceb724d66d696cfabce82151a78e5 (patch)
treeaf2b67ff7c579d669d01f28af33929f780b9c1b3 /include
parent5e6874cdb8de94cd3c15d853a8ef9c6f4c305055 (diff)
[SECMARK]: Add secmark support to conntrack
Add a secmark field to IP and NF conntracks, so that security markings on packets can be copied to their associated connections, and also copied back to packets as required. This is similar to the network mark field currently used with conntrack, although it is intended for enforcement of security policy rather than network policy. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack.h4
-rw-r--r--include/net/netfilter/nf_conntrack.h4
-rw-r--r--include/net/netfilter/nf_conntrack_compat.h26
3 files changed, 34 insertions, 0 deletions
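--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -121,6 +121,10 @@ struct ip_conntrack
 	u_int32_t mark;
 #endif
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+	u_int32_t secmark;
+#endif
+
 	/* Traversed often, so hopefully in different cacheline to top */
 	/* These are my tuples; original and reply */
 	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];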
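Review bot: The new `secmark` field in struct ip_conntrack has no comment, so its meaning is only recoverable from the commit message; a one-liner such as `u_int32_t secmark;	/* security mark copied to/from the packet, for security-policy enforcement */` would make the field self-describing next to the uncommented `mark` above it. The same applies to the identical `secmark` field added to struct nf_conn in include/net/netfilter/nf_conntrack.h. Both structs start and end outside these hunks, so I cannot see whether an initialisation site zeroes the field on allocation.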
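--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -114,6 +114,10 @@ struct nf_conn
 	u_int32_t mark;
 #endif
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+	u_int32_t secmark;
+#endif
+
 	/* Storage reserved for other modules: */
 	union nf_conntrack_proto proto;
 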
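--- a/include/net/netfilter/nf_conntrack_compat.h
+++ b/include/net/netfilter/nf_conntrack_compat.h
@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
 }
 #endif /* CONFIG_IP_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+					   u_int32_t *ctinfo)
+{
+	struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
+
+	if (ct)
+		return &ct->secmark;
+	else
+		return NULL;
+}
+#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
+
 #ifdef CONFIG_IP_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
 }
 #endif /* CONFIG_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+					   u_int32_t *ctinfo)
+{
+	struct nf_conn *ct = nf_ct_get(skb, ctinfo);
+
+	if (ct)
+		return &ct->secmark;
+	else
+		return NULL;
+}
+#endif /* CONFIG_NF_CONNTRACK_MARK */
+
 #ifdef CONFIG_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)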
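Review bot: The closing guard comment at new line 97 of nf_conntrack_compat.h reads `#endif /* CONFIG_NF_CONNTRACK_MARK */`, but the block it closes was opened with `#ifdef CONFIG_NF_CONNTRACK_SECMARK`; it should read `#endif /* CONFIG_NF_CONNTRACK_SECMARK */`, matching the ip_conntrack variant in the first hunk. Both new helpers return a raw pointer into the conntrack object without taking a reference or lock of their own, presumably following the existing nf_ct_get_mark pattern; a short comment above each, stating that the returned pointer is only valid for as long as the caller's skb keeps the conntrack alive and that NULL means the skb has no conntrack, would keep callers from caching it. The `if/else` around the two returns could also be collapsed to `return ct ? &ct->secmark : NULL;`, which is the shape a reader expects for a one-expression inline helper.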