[NETFILTER]: ctnetlink: add support for secmark

This patch adds support for James Morris' connsecmark. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2007-12-18 01:28:41 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-28 17:58:52 -0500
commit: 37fccd8577d38e249dde71512fb38d2f6a4d9d3c (patch)
tree: ede873cf656ad872b94bc88e6530831f4f2dfb01 /net
parent: 0f417ce989f84cfd5418e3b316064bfbb2708196 (diff)
2 files changed, 26 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 94027c84be52..d4eedc68cc76 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -254,6 +254,22 @@ nla_put_failure:
 #define ctnetlink_dump_mark(a, b) (0)
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline int
+ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+{
+        __be32 mark = htonl(ct->secmark);
+        NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark);
+        return 0;
+nla_put_failure:
+        return -1;
+}
+#else
+#define ctnetlink_dump_secmark(a, b) (0)
+#endif
 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
 static inline int
@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
            ctnetlink_dump_protoinfo(skb, ct) < 0 ||
            ctnetlink_dump_helpinfo(skb, ct) < 0 ||
            ctnetlink_dump_mark(skb, ct) < 0 ||
+            ctnetlink_dump_secmark(skb, ct) < 0 ||
            ctnetlink_dump_id(skb, ct) < 0 ||
            ctnetlink_dump_use(skb, ct) < 0 ||
            ctnetlink_dump_master(skb, ct) < 0 ||
@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
                    && ctnetlink_dump_mark(skb, ct) < 0)
                        goto nla_put_failure;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+                if ((events & IPCT_SECMARK || ct->secmark)
+                    && ctnetlink_dump_secmark(skb, ct) < 0)
+                        goto nla_put_failure;
+#endif
                if (events & IPCT_COUNTER_FILLING &&
                    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 2c265e87f396..2333f7e29bc9 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -20,6 +20,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CONNSECMARK.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #define PFX "CONNSECMARK: "
@@ -40,8 +41,10 @@ static void secmark_save(const struct sk_buff *skb)
                enum ip_conntrack_info ctinfo;
                ct = nf_ct_get(skb, &ctinfo);
-                if (ct && !ct->secmark)
+                if (ct && !ct->secmark) {
                        ct->secmark = skb->secmark;
+                        nf_conntrack_event_cache(IPCT_SECMARK, skb);
+                }
        }
 }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2007-12-18 01:28:41 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-28 17:58:52 -0500
commit	37fccd8577d38e249dde71512fb38d2f6a4d9d3c (patch)
tree	ede873cf656ad872b94bc88e6530831f4f2dfb01 /net
parent	0f417ce989f84cfd5418e3b316064bfbb2708196 (diff)