[SECMARK]: Add secmark support to core networking.

Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than than networking policy. This patch was already acked in principle by Dave Miller. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: James Morris <jmorris@namei.org> 2006-06-09 03:29:17 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:29:57 -0400
commit: 984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree: 2342638457f43980501179056f4ba1e4e3c2c1aa /net/ipv4
parent: c749b29fae74ed59c507d84025b3298202b42609 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index cff9c3a72daf..d4bb3fae4e49 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+        skb_copy_secmark(to, from);
 }
 /*
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 0bba3c2bb786..431a3ce6f7b7 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        /* This packet will not be the same as the other: clear nf fields */
        nf_reset(nskb);
        nskb->nfmark = 0;
+        skb_init_secmark(nskb);
        tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
author	James Morris <jmorris@namei.org>	2006-06-09 03:29:17 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:29:57 -0400
commit	984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree	2342638457f43980501179056f4ba1e4e3c2c1aa /net/ipv4
parent	c749b29fae74ed59c507d84025b3298202b42609 (diff)