authorJan Engelhardt <jengelh@computergmbh.de>2008-01-15 02:39:13 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:02:21 -0500
commit96e3227265852ffad332f911887c9cf26c85e40a (patch)
tree1f389c2a3e46cc6858f296f72c5d6f31600039cc /net/netfilter
parente0a812aea5cbf2085f7645bf2bfd9cba91c8a672 (diff)
[NETFILTER]: xt_connmark match, revision 1
Introduces revision 1 of the xt_connmark match. It uses fixed-width types and is intended to eventually obsolete revision 0, which uses non-fixed types. (Non-fixed types such as "unsigned long" do not work well when user- and kernelspace differ in "bitness", e.g. a 32-bit userspace on a 64-bit kernel as is common on SPARC64, and need extra compat code.) Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/xt_connmark.c88
1 files changed, 71 insertions, 17 deletions
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 8ad875bc1589..55c62350b1f2 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -1,8 +1,10 @@
1/* This kernel module matches connection mark values set by the 1/*
2 * CONNMARK target 2 * xt_connmark - Netfilter module to match connection mark values
3 * 3 *
4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> 4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
5 * by Henrik Nordstrom <hno@marasystems.com> 5 * by Henrik Nordstrom <hno@marasystems.com>
6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
7 * Jan Engelhardt <jengelh@computergmbh.de>
6 * 8 *
7 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by 10 * it under the terms of the GNU General Public License as published by
@@ -37,6 +39,23 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
37 const void *matchinfo, int offset, unsigned int protoff, 39 const void *matchinfo, int offset, unsigned int protoff,
38 bool *hotdrop) 40 bool *hotdrop)
39{ 41{
42 const struct xt_connmark_mtinfo1 *info = matchinfo;
43 enum ip_conntrack_info ctinfo;
44 const struct nf_conn *ct;
45
46 ct = nf_ct_get(skb, &ctinfo);
47 if (ct == NULL)
48 return false;
49
50 return ((ct->mark & info->mask) == info->mark) ^ info->invert;
51}
52
53static bool
54connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
55 const struct net_device *out, const struct xt_match *match,
56 const void *matchinfo, int offset, unsigned int protoff,
57 bool *hotdrop)
58{
40 const struct xt_connmark_info *info = matchinfo; 59 const struct xt_connmark_info *info = matchinfo;
41 const struct nf_conn *ct; 60 const struct nf_conn *ct;
42 enum ip_conntrack_info ctinfo; 61 enum ip_conntrack_info ctinfo;
@@ -49,9 +68,9 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
49} 68}
50 69
51static bool 70static bool
52connmark_mt_check(const char *tablename, const void *ip, 71connmark_mt_check_v0(const char *tablename, const void *ip,
53 const struct xt_match *match, void *matchinfo, 72 const struct xt_match *match, void *matchinfo,
54 unsigned int hook_mask) 73 unsigned int hook_mask)
55{ 74{
56 const struct xt_connmark_info *cm = matchinfo; 75 const struct xt_connmark_info *cm = matchinfo;
57 76
@@ -67,6 +86,19 @@ connmark_mt_check(const char *tablename, const void *ip,
67 return true; 86 return true;
68} 87}
69 88
89static bool
90connmark_mt_check(const char *tablename, const void *ip,
91 const struct xt_match *match, void *matchinfo,
92 unsigned int hook_mask)
93{
94 if (nf_ct_l3proto_try_module_get(match->family) < 0) {
95 printk(KERN_WARNING "cannot load conntrack support for "
96 "proto=%u\n", match->family);
97 return false;
98 }
99 return true;
100}
101
70static void 102static void
71connmark_mt_destroy(const struct xt_match *match, void *matchinfo) 103connmark_mt_destroy(const struct xt_match *match, void *matchinfo)
72{ 104{
@@ -81,7 +113,7 @@ struct compat_xt_connmark_info {
81 u_int16_t __pad2; 113 u_int16_t __pad2;
82}; 114};
83 115
84static void connmark_mt_compat_from_user(void *dst, void *src) 116static void connmark_mt_compat_from_user_v0(void *dst, void *src)
85{ 117{
86 const struct compat_xt_connmark_info *cm = src; 118 const struct compat_xt_connmark_info *cm = src;
87 struct xt_connmark_info m = { 119 struct xt_connmark_info m = {
@@ -92,7 +124,7 @@ static void connmark_mt_compat_from_user(void *dst, void *src)
92 memcpy(dst, &m, sizeof(m)); 124 memcpy(dst, &m, sizeof(m));
93} 125}
94 126
95static int connmark_mt_compat_to_user(void __user *dst, void *src) 127static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
96{ 128{
97 const struct xt_connmark_info *m = src; 129 const struct xt_connmark_info *m = src;
98 struct compat_xt_connmark_info cm = { 130 struct compat_xt_connmark_info cm = {
@@ -107,32 +139,54 @@ static int connmark_mt_compat_to_user(void __user *dst, void *src)
107static struct xt_match connmark_mt_reg[] __read_mostly = { 139static struct xt_match connmark_mt_reg[] __read_mostly = {
108 { 140 {
109 .name = "connmark", 141 .name = "connmark",
142 .revision = 0,
110 .family = AF_INET, 143 .family = AF_INET,
111 .checkentry = connmark_mt_check, 144 .checkentry = connmark_mt_check_v0,
112 .match = connmark_mt, 145 .match = connmark_mt_v0,
113 .destroy = connmark_mt_destroy, 146 .destroy = connmark_mt_destroy,
114 .matchsize = sizeof(struct xt_connmark_info), 147 .matchsize = sizeof(struct xt_connmark_info),
115#ifdef CONFIG_COMPAT 148#ifdef CONFIG_COMPAT
116 .compatsize = sizeof(struct compat_xt_connmark_info), 149 .compatsize = sizeof(struct compat_xt_connmark_info),
117 .compat_from_user = connmark_mt_compat_from_user, 150 .compat_from_user = connmark_mt_compat_from_user_v0,
118 .compat_to_user = connmark_mt_compat_to_user, 151 .compat_to_user = connmark_mt_compat_to_user_v0,
119#endif 152#endif
120 .me = THIS_MODULE 153 .me = THIS_MODULE
121 }, 154 },
122 { 155 {
123 .name = "connmark", 156 .name = "connmark",
157 .revision = 0,
124 .family = AF_INET6, 158 .family = AF_INET6,
125 .checkentry = connmark_mt_check, 159 .checkentry = connmark_mt_check_v0,
126 .match = connmark_mt, 160 .match = connmark_mt_v0,
127 .destroy = connmark_mt_destroy, 161 .destroy = connmark_mt_destroy,
128 .matchsize = sizeof(struct xt_connmark_info), 162 .matchsize = sizeof(struct xt_connmark_info),
129#ifdef CONFIG_COMPAT 163#ifdef CONFIG_COMPAT
130 .compatsize = sizeof(struct compat_xt_connmark_info), 164 .compatsize = sizeof(struct compat_xt_connmark_info),
131 .compat_from_user = connmark_mt_compat_from_user, 165 .compat_from_user = connmark_mt_compat_from_user_v0,
132 .compat_to_user = connmark_mt_compat_to_user, 166 .compat_to_user = connmark_mt_compat_to_user_v0,
133#endif 167#endif
134 .me = THIS_MODULE 168 .me = THIS_MODULE
135 }, 169 },
170 {
171 .name = "connmark",
172 .revision = 1,
173 .family = AF_INET,
174 .checkentry = connmark_mt_check,
175 .match = connmark_mt,
176 .matchsize = sizeof(struct xt_connmark_mtinfo1),
177 .destroy = connmark_mt_destroy,
178 .me = THIS_MODULE,
179 },
180 {
181 .name = "connmark",
182 .revision = 1,
183 .family = AF_INET6,
184 .checkentry = connmark_mt_check,
185 .match = connmark_mt,
186 .matchsize = sizeof(struct xt_connmark_mtinfo1),
187 .destroy = connmark_mt_destroy,
188 .me = THIS_MODULE,
189 },
136}; 190};
137 191
138static int __init connmark_mt_init(void) 192static int __init connmark_mt_init(void)
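Review bot: The revision 1 match at new line 50 returns `((ct->mark & info->mask) == info->mark) ^ info->invert` as a bool, but the new `connmark_mt_check` at new lines 89-100 never validates `info->invert`; if `xt_connmark_mtinfo1.invert` is a byte copied unchecked from the ruleset (the struct lives in a header outside this diff), any value other than 0 or 1 makes the XOR nonzero for both match outcomes, so the rule silently matches every conntrack'd packet instead of being rejected at load time. Either normalise it in the match, `return ((ct->mark & info->mask) == info->mark) ^ !!info->invert;`, or reject it in checkentry with `const struct xt_connmark_mtinfo1 *info = matchinfo;` followed by `if (info->invert > 1) return false;`. Loading rules requires CAP_NET_ADMIN, so this is a robustness rather than a privilege-boundary issue, but an always-true match is a hard-to-diagnose policy failure. The revision 1 table entries at new lines 170-189 deliberately carry no compat handlers; a comment there such as `/* revision 1 uses fixed-width types only, so no CONFIG_COMPAT translation is needed */` would stop a later maintainer from copying the v0 compat hooks onto them.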