4 files changed, 180 insertions, 0 deletions
diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/linux/netfilter/xt_CONNSECMARK.h
new file mode 100644
index 000000000000..c6bd75469ba2
--- /dev/null
+++ b/include/linux/netfilter/xt_CONNSECMARK.h
@@ -0,0 +1,13 @@
+#ifndef _XT_CONNSECMARK_H_target
+#define _XT_CONNSECMARK_H_target
+enum {
+        CONNSECMARK_SAVE = 1,
+        CONNSECMARK_RESTORE,
+};
+struct xt_connsecmark_target_info {
+        u_int8_t mode;
+};
+#endif /*_XT_CONNSECMARK_H_target */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 023f81e5f96b..b1622b7de1cf 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -195,6 +195,17 @@ config NETFILTER_XT_TARGET_SECMARK
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_TARGET_CONNSECMARK
+        tristate '"CONNSECMARK" target support'
+        depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
+        help
+          The CONNSECMARK target copies security markings from packets
+          to connections, and restores security markings from connections
+          to packets (if the packets are not already marked).  This would
+          normally be used in conjunction with the SECMARK target.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_COMMENT
        tristate  '"comment" match support'
        depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3645de046890..6fa4b7580458 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
new file mode 100644
index 000000000000..8c011e020769
--- /dev/null
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -0,0 +1,155 @@
+/*
+ * This module is used to copy security markings from packets
+ * to connections, and restore security markings from connections
+ * back to packets.  This would normally be performed in conjunction
+ * with the SECMARK target and state match.
+ *
+ * Based somewhat on CONNMARK:
+ *   Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ *    by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_CONNSECMARK.h>
+#include <net/netfilter/nf_conntrack_compat.h>
+#define PFX "CONNSECMARK: "
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
+MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_ALIAS("ipt_CONNSECMARK");
+MODULE_ALIAS("ip6t_CONNSECMARK");
+/*
+ * If the packet has a security mark and the connection does not, copy
+ * the security mark from the packet to the connection.
+ */
+static void secmark_save(struct sk_buff *skb)
+{
+        if (skb->secmark) {
+                u32 *connsecmark;
+                enum ip_conntrack_info ctinfo;
+                connsecmark = nf_ct_get_secmark(skb, &ctinfo);
+                if (connsecmark && !*connsecmark)
+                        if (*connsecmark != skb->secmark)
+                                *connsecmark = skb->secmark;
+        }
+}
+/*
+ * If packet has no security mark, and the connection does, restore the
+ * security mark from the connection to the packet.
+ */
+static void secmark_restore(struct sk_buff *skb)
+{
+        if (!skb->secmark) {
+                u32 *connsecmark;
+                enum ip_conntrack_info ctinfo;
+                connsecmark = nf_ct_get_secmark(skb, &ctinfo);
+                if (connsecmark && *connsecmark)
+                        if (skb->secmark != *connsecmark)
+                                skb->secmark = *connsecmark;
+        }
+}
+static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
+                           const struct net_device *out, unsigned int hooknum,
+                           const struct xt_target *target,
+                           const void *targinfo, void *userinfo)
+{
+        struct sk_buff *skb = *pskb;
+        const struct xt_connsecmark_target_info *info = targinfo;
+        switch (info->mode) {
+        case CONNSECMARK_SAVE:
+                secmark_save(skb);
+                break;
+        case CONNSECMARK_RESTORE:
+                secmark_restore(skb);
+                break;
+        default:
+                BUG();
+        }
+        return XT_CONTINUE;
+}
+static int checkentry(const char *tablename, const void *entry,
+                      const struct xt_target *target, void *targinfo,
+                      unsigned int targinfosize, unsigned int hook_mask)
+{
+        struct xt_connsecmark_target_info *info = targinfo;
+        switch (info->mode) {
+        case CONNSECMARK_SAVE:
+        case CONNSECMARK_RESTORE:
+                break;
+        default:
+                printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
+                return 0;
+        }
+        return 1;
+}
+static struct xt_target ipt_connsecmark_reg = {
+        .name           = "CONNSECMARK",
+        .target         = target,
+        .targetsize     = sizeof(struct xt_connsecmark_target_info),
+        .table          = "mangle",
+        .checkentry     = checkentry,
+        .me             = THIS_MODULE,
+        .family         = AF_INET,
+        .revision       = 0,
+};
+static struct xt_target ip6t_connsecmark_reg = {
+        .name           = "CONNSECMARK",
+        .target         = target,
+        .targetsize     = sizeof(struct xt_connsecmark_target_info),
+        .table          = "mangle",
+        .checkentry     = checkentry,
+        .me             = THIS_MODULE,
+        .family         = AF_INET6,
+        .revision       = 0,
+};
+static int __init xt_connsecmark_init(void)
+{
+        int err;
+        need_conntrack();
+        err = xt_register_target(&ipt_connsecmark_reg);
+        if (err)
+                return err;
+        err = xt_register_target(&ip6t_connsecmark_reg);
+        if (err)
+                xt_unregister_target(&ipt_connsecmark_reg);
+        return err;
+}
+static void __exit xt_connsecmark_fini(void)
+{
+        xt_unregister_target(&ip6t_connsecmark_reg);
+        xt_unregister_target(&ipt_connsecmark_reg);
+}
+module_init(xt_connsecmark_init);
+module_exit(xt_connsecmark_fini);

diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/linux/netfilter/xt_CONNSECMARK.h new file mode 100644 index 000000000000..c6bd75469ba2 --- /dev/null +++ b/include/linux/netfilter/xt_CONNSECMARK.h
@@ -0,0 +1,13 @@
		1	#ifndef _XT_CONNSECMARK_H_target
		2	#define _XT_CONNSECMARK_H_target
		3
		4	enum {
		5	CONNSECMARK_SAVE = 1,
		6	CONNSECMARK_RESTORE,
		7	};
		8
		9	struct xt_connsecmark_target_info {
		10	u_int8_t mode;
		11	};
		12
		13	#endif /_XT_CONNSECMARK_H_target /


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 023f81e5f96b..b1622b7de1cf 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -195,6 +195,17 @@ config NETFILTER_XT_TARGET_SECMARK
195		195
196	To compile it as a module, choose M here. If unsure, say N.	196	To compile it as a module, choose M here. If unsure, say N.
197		197
		198	config NETFILTER_XT_TARGET_CONNSECMARK
		199	tristate '"CONNSECMARK" target support'
		200	depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK \|\| IP_NF_CONNTRACK_SECMARK)
		201	help
		202	The CONNSECMARK target copies security markings from packets
		203	to connections, and restores security markings from connections
		204	to packets (if the packets are not already marked). This would
		205	normally be used in conjunction with the SECMARK target.
		206
		207	To compile it as a module, choose M here. If unsure, say N.
		208
198	config NETFILTER_XT_MATCH_COMMENT	209	config NETFILTER_XT_MATCH_COMMENT
199	tristate '"comment" match support'	210	tristate '"comment" match support'
200	depends on NETFILTER_XTABLES	211	depends on NETFILTER_XTABLES


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 3645de046890..6fa4b7580458 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
29	obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o	29	obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
30	obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o	30	obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
31	obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o	31	obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
		32	obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
32		33
33	# matches	34	# matches
34	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o	35	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o


diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c new file mode 100644 index 000000000000..8c011e020769 --- /dev/null +++ b/net/netfilter/xt_CONNSECMARK.c
@@ -0,0 +1,155 @@
		1	/*
		2	* This module is used to copy security markings from packets
		3	* to connections, and restore security markings from connections
		4	* back to packets. This would normally be performed in conjunction
		5	* with the SECMARK target and state match.
		6	*
		7	* Based somewhat on CONNMARK:
		8	* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
		9	* by Henrik Nordstrom <hno@marasystems.com>
		10	*
		11	* (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
		12	*
		13	* This program is free software; you can redistribute it and/or modify
		14	* it under the terms of the GNU General Public License version 2 as
		15	* published by the Free Software Foundation.
		16	*
		17	*/
		18	#include <linux/module.h>
		19	#include <linux/skbuff.h>
		20	#include <linux/netfilter/x_tables.h>
		21	#include <linux/netfilter/xt_CONNSECMARK.h>
		22	#include <net/netfilter/nf_conntrack_compat.h>
		23
		24	#define PFX "CONNSECMARK: "
		25
		26	MODULE_LICENSE("GPL");
		27	MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
		28	MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
		29	MODULE_ALIAS("ipt_CONNSECMARK");
		30	MODULE_ALIAS("ip6t_CONNSECMARK");
		31
		32	/*
		33	* If the packet has a security mark and the connection does not, copy
		34	* the security mark from the packet to the connection.
		35	*/
		36	static void secmark_save(struct sk_buff *skb)
		37	{
		38	if (skb->secmark) {
		39	u32 *connsecmark;
		40	enum ip_conntrack_info ctinfo;
		41
		42	connsecmark = nf_ct_get_secmark(skb, &ctinfo);
		43	if (connsecmark && !*connsecmark)
		44	if (*connsecmark != skb->secmark)
		45	*connsecmark = skb->secmark;
		46	}
		47	}
		48
		49	/*
		50	* If packet has no security mark, and the connection does, restore the
		51	* security mark from the connection to the packet.
		52	*/
		53	static void secmark_restore(struct sk_buff *skb)
		54	{
		55	if (!skb->secmark) {
		56	u32 *connsecmark;
		57	enum ip_conntrack_info ctinfo;
		58
		59	connsecmark = nf_ct_get_secmark(skb, &ctinfo);
		60	if (connsecmark && *connsecmark)
		61	if (skb->secmark != *connsecmark)
		62	skb->secmark = *connsecmark;
		63	}
		64	}
		65
		66	static unsigned int target(struct sk_buff *pskb, const struct net_device in,
		67	const struct net_device *out, unsigned int hooknum,
		68	const struct xt_target *target,
		69	const void targinfo, void userinfo)
		70	{
		71	struct sk_buff skb = pskb;
		72	const struct xt_connsecmark_target_info *info = targinfo;
		73
		74	switch (info->mode) {
		75	case CONNSECMARK_SAVE:
		76	secmark_save(skb);
		77	break;
		78
		79	case CONNSECMARK_RESTORE:
		80	secmark_restore(skb);
		81	break;
		82
		83	default:
		84	BUG();
		85	}
		86
		87	return XT_CONTINUE;
		88	}
		89
		90	static int checkentry(const char tablename, const void entry,
		91	const struct xt_target target, void targinfo,
		92	unsigned int targinfosize, unsigned int hook_mask)
		93	{
		94	struct xt_connsecmark_target_info *info = targinfo;
		95
		96	switch (info->mode) {
		97	case CONNSECMARK_SAVE:
		98	case CONNSECMARK_RESTORE:
		99	break;
		100
		101	default:
		102	printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
		103	return 0;
		104	}
		105
		106	return 1;
		107	}
		108
		109	static struct xt_target ipt_connsecmark_reg = {
		110	.name = "CONNSECMARK",
		111	.target = target,
		112	.targetsize = sizeof(struct xt_connsecmark_target_info),
		113	.table = "mangle",
		114	.checkentry = checkentry,
		115	.me = THIS_MODULE,
		116	.family = AF_INET,
		117	.revision = 0,
		118	};
		119
		120	static struct xt_target ip6t_connsecmark_reg = {
		121	.name = "CONNSECMARK",
		122	.target = target,
		123	.targetsize = sizeof(struct xt_connsecmark_target_info),
		124	.table = "mangle",
		125	.checkentry = checkentry,
		126	.me = THIS_MODULE,
		127	.family = AF_INET6,
		128	.revision = 0,
		129	};
		130
		131	static int __init xt_connsecmark_init(void)
		132	{
		133	int err;
		134
		135	need_conntrack();
		136
		137	err = xt_register_target(&ipt_connsecmark_reg);
		138	if (err)
		139	return err;
		140
		141	err = xt_register_target(&ip6t_connsecmark_reg);
		142	if (err)
		143	xt_unregister_target(&ipt_connsecmark_reg);
		144
		145	return err;
		146	}
		147
		148	static void __exit xt_connsecmark_fini(void)
		149	{
		150	xt_unregister_target(&ip6t_connsecmark_reg);
		151	xt_unregister_target(&ipt_connsecmark_reg);
		152	}
		153
		154	module_init(xt_connsecmark_init);
		155	module_exit(xt_connsecmark_fini);