diff options
| author | Laszlo Attila Toth <panther@balabit.hu> | 2008-01-30 22:08:16 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-31 22:27:19 -0500 |
| commit | 4a19ec5800fc3bb64e2d87c4d9fdd9e636086fe0 (patch) | |
| tree | 610bd4e7dbcbdae25ba3806f4256745e98617825 /net | |
| parent | 036c2e27bc3a6498afb35de017d810194032d765 (diff) | |
[NET]: Introducing socket mark socket option.
A userspace program may wish to set the mark for each packets its send
without using the netfilter MARK target. Changing the mark can be used
for mark based routing without netfilter or for packet filtering.
It requires CAP_NET_ADMIN capability.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/sock.c | 11 | ||||
| -rw-r--r-- | net/ipv4/ip_output.c | 3 | ||||
| -rw-r--r-- | net/ipv4/raw.c | 2 | ||||
| -rw-r--r-- | net/ipv6/ip6_output.c | 2 | ||||
| -rw-r--r-- | net/ipv6/raw.c | 3 |
5 files changed, 21 insertions, 0 deletions
diff --git a/net/core/sock.c b/net/core/sock.c index 1c4b1cd16d65..433715fb141a 100644 --- a/net/core/sock.c +++ b/net/core/sock.c | |||
| @@ -667,6 +667,13 @@ set_rcvbuf: | |||
| 667 | else | 667 | else |
| 668 | clear_bit(SOCK_PASSSEC, &sock->flags); | 668 | clear_bit(SOCK_PASSSEC, &sock->flags); |
| 669 | break; | 669 | break; |
| 670 | case SO_MARK: | ||
| 671 | if (!capable(CAP_NET_ADMIN)) | ||
| 672 | ret = -EPERM; | ||
| 673 | else { | ||
| 674 | sk->sk_mark = val; | ||
| 675 | } | ||
| 676 | break; | ||
| 670 | 677 | ||
| 671 | /* We implement the SO_SNDLOWAT etc to | 678 | /* We implement the SO_SNDLOWAT etc to |
| 672 | not be settable (1003.1g 5.3) */ | 679 | not be settable (1003.1g 5.3) */ |
| @@ -836,6 +843,10 @@ int sock_getsockopt(struct socket *sock, int level, int optname, | |||
| 836 | case SO_PEERSEC: | 843 | case SO_PEERSEC: |
| 837 | return security_socket_getpeersec_stream(sock, optval, optlen, len); | 844 | return security_socket_getpeersec_stream(sock, optval, optlen, len); |
| 838 | 845 | ||
| 846 | case SO_MARK: | ||
| 847 | v.val = sk->sk_mark; | ||
| 848 | break; | ||
| 849 | |||
| 839 | default: | 850 | default: |
| 840 | return -ENOPROTOOPT; | 851 | return -ENOPROTOOPT; |
| 841 | } | 852 | } |
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 6e4d5f493bf9..341779e685d9 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
| @@ -168,6 +168,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, | |||
| 168 | } | 168 | } |
| 169 | 169 | ||
| 170 | skb->priority = sk->sk_priority; | 170 | skb->priority = sk->sk_priority; |
| 171 | skb->mark = sk->sk_mark; | ||
| 171 | 172 | ||
| 172 | /* Send it out. */ | 173 | /* Send it out. */ |
| 173 | return ip_local_out(skb); | 174 | return ip_local_out(skb); |
| @@ -385,6 +386,7 @@ packet_routed: | |||
| 385 | (skb_shinfo(skb)->gso_segs ?: 1) - 1); | 386 | (skb_shinfo(skb)->gso_segs ?: 1) - 1); |
| 386 | 387 | ||
| 387 | skb->priority = sk->sk_priority; | 388 | skb->priority = sk->sk_priority; |
| 389 | skb->mark = sk->sk_mark; | ||
| 388 | 390 | ||
| 389 | return ip_local_out(skb); | 391 | return ip_local_out(skb); |
| 390 | 392 | ||
| @@ -1286,6 +1288,7 @@ int ip_push_pending_frames(struct sock *sk) | |||
| 1286 | iph->daddr = rt->rt_dst; | 1288 | iph->daddr = rt->rt_dst; |
| 1287 | 1289 | ||
| 1288 | skb->priority = sk->sk_priority; | 1290 | skb->priority = sk->sk_priority; |
| 1291 | skb->mark = sk->sk_mark; | ||
| 1289 | skb->dst = dst_clone(&rt->u.dst); | 1292 | skb->dst = dst_clone(&rt->u.dst); |
| 1290 | 1293 | ||
| 1291 | if (iph->protocol == IPPROTO_ICMP) | 1294 | if (iph->protocol == IPPROTO_ICMP) |
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 85c08696abbe..f863c3dc5421 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c | |||
| @@ -352,6 +352,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length, | |||
| 352 | skb_reserve(skb, hh_len); | 352 | skb_reserve(skb, hh_len); |
| 353 | 353 | ||
| 354 | skb->priority = sk->sk_priority; | 354 | skb->priority = sk->sk_priority; |
| 355 | skb->mark = sk->sk_mark; | ||
| 355 | skb->dst = dst_clone(&rt->u.dst); | 356 | skb->dst = dst_clone(&rt->u.dst); |
| 356 | 357 | ||
| 357 | skb_reset_network_header(skb); | 358 | skb_reset_network_header(skb); |
| @@ -544,6 +545,7 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, | |||
| 544 | 545 | ||
| 545 | { | 546 | { |
| 546 | struct flowi fl = { .oif = ipc.oif, | 547 | struct flowi fl = { .oif = ipc.oif, |
| 548 | .mark = sk->sk_mark, | ||
| 547 | .nl_u = { .ip4_u = | 549 | .nl_u = { .ip4_u = |
| 548 | { .daddr = daddr, | 550 | { .daddr = daddr, |
| 549 | .saddr = saddr, | 551 | .saddr = saddr, |
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index cfe9e707883c..9ac6ca2521c3 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c | |||
| @@ -257,6 +257,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, | |||
| 257 | ipv6_addr_copy(&hdr->daddr, first_hop); | 257 | ipv6_addr_copy(&hdr->daddr, first_hop); |
| 258 | 258 | ||
| 259 | skb->priority = sk->sk_priority; | 259 | skb->priority = sk->sk_priority; |
| 260 | skb->mark = sk->sk_mark; | ||
| 260 | 261 | ||
| 261 | mtu = dst_mtu(dst); | 262 | mtu = dst_mtu(dst); |
| 262 | if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) { | 263 | if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) { |
| @@ -1439,6 +1440,7 @@ int ip6_push_pending_frames(struct sock *sk) | |||
| 1439 | ipv6_addr_copy(&hdr->daddr, final_dst); | 1440 | ipv6_addr_copy(&hdr->daddr, final_dst); |
| 1440 | 1441 | ||
| 1441 | skb->priority = sk->sk_priority; | 1442 | skb->priority = sk->sk_priority; |
| 1443 | skb->mark = sk->sk_mark; | ||
| 1442 | 1444 | ||
| 1443 | skb->dst = dst_clone(&rt->u.dst); | 1445 | skb->dst = dst_clone(&rt->u.dst); |
| 1444 | IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS); | 1446 | IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS); |
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 4d880551fe6a..d61c63dedbf6 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c | |||
| @@ -641,6 +641,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length, | |||
| 641 | skb_reserve(skb, hh_len); | 641 | skb_reserve(skb, hh_len); |
| 642 | 642 | ||
| 643 | skb->priority = sk->sk_priority; | 643 | skb->priority = sk->sk_priority; |
| 644 | skb->mark = sk->sk_mark; | ||
| 644 | skb->dst = dst_clone(&rt->u.dst); | 645 | skb->dst = dst_clone(&rt->u.dst); |
| 645 | 646 | ||
| 646 | skb_put(skb, length); | 647 | skb_put(skb, length); |
| @@ -767,6 +768,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, | |||
| 767 | */ | 768 | */ |
| 768 | memset(&fl, 0, sizeof(fl)); | 769 | memset(&fl, 0, sizeof(fl)); |
| 769 | 770 | ||
| 771 | fl.mark = sk->sk_mark; | ||
| 772 | |||
| 770 | if (sin6) { | 773 | if (sin6) { |
| 771 | if (addr_len < SIN6_LEN_RFC2133) | 774 | if (addr_len < SIN6_LEN_RFC2133) |
| 772 | return -EINVAL; | 775 | return -EINVAL; |