-rw-r--r-- | include/linux/netfilter/xt_connmark.h | 5 | ||||
-rw-r--r-- | net/netfilter/xt_connmark.c | 88 |
2 files changed, 76 insertions, 17 deletions
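--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
 	u_int8_t invert;
 };
 
+struct xt_connmark_mtinfo1 {
+	u_int32_t mark, mask;
+	u_int8_t invert;
+};
+
 #endif /*_XT_CONNMARK_H*/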
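Review bot: The new `struct xt_connmark_mtinfo1` carries no comment saying what it is for or how `invert` is interpreted, so a reader has to go to net/netfilter/xt_connmark.c to learn it is the revision-1 match data. Since connmark_mt XORs `invert` directly with the comparison result (`((ct->mark & info->mask) == info->mark) ^ info->invert`) and the revision-1 checkentry does not range-check the field, it is effectively a 0/1 flag and the header is the place to say so. The fixed-width types also mean the layout should be the same for 32-bit and 64-bit userspace, which is presumably why the revision-1 registrations in xt_connmark.c carry no compat_from_user/compat_to_user hooks, unlike revision 0; stating that keeps a later change from reintroducing an `unsigned long` here. I would add above the struct: `/* Revision 1 match data: fixed-width fields only (no compat translation needed); invert must be 0 or 1. */`.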
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 8ad875bc1589..55c62350b1f2 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c | |||
@@ -1,8 +1,10 @@ | |||
1 | /* This kernel module matches connection mark values set by the | 1 | /* |
2 | * CONNMARK target | 2 | * xt_connmark - Netfilter module to match connection mark values |
3 | * | 3 | * |
4 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | 4 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> |
5 | * by Henrik Nordstrom <hno@marasystems.com> | 5 | * by Henrik Nordstrom <hno@marasystems.com> |
6 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 | ||
7 | * Jan Engelhardt <jengelh@computergmbh.de> | ||
6 | * | 8 | * |
7 | * This program is free software; you can redistribute it and/or modify | 9 | * This program is free software; you can redistribute it and/or modify |
8 | * it under the terms of the GNU General Public License as published by | 10 | * it under the terms of the GNU General Public License as published by |
@@ -37,6 +39,23 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in, | |||
37 | const void *matchinfo, int offset, unsigned int protoff, | 39 | const void *matchinfo, int offset, unsigned int protoff, |
38 | bool *hotdrop) | 40 | bool *hotdrop) |
39 | { | 41 | { |
42 | const struct xt_connmark_mtinfo1 *info = matchinfo; | ||
43 | enum ip_conntrack_info ctinfo; | ||
44 | const struct nf_conn *ct; | ||
45 | |||
46 | ct = nf_ct_get(skb, &ctinfo); | ||
47 | if (ct == NULL) | ||
48 | return false; | ||
49 | |||
50 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; | ||
51 | } | ||
52 | |||
53 | static bool | ||
54 | connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in, | ||
55 | const struct net_device *out, const struct xt_match *match, | ||
56 | const void *matchinfo, int offset, unsigned int protoff, | ||
57 | bool *hotdrop) | ||
58 | { | ||
40 | const struct xt_connmark_info *info = matchinfo; | 59 | const struct xt_connmark_info *info = matchinfo; |
41 | const struct nf_conn *ct; | 60 | const struct nf_conn *ct; |
42 | enum ip_conntrack_info ctinfo; | 61 | enum ip_conntrack_info ctinfo; |
@@ -49,9 +68,9 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in, | |||
49 | } | 68 | } |
50 | 69 | ||
51 | static bool | 70 | static bool |
52 | connmark_mt_check(const char *tablename, const void *ip, | 71 | connmark_mt_check_v0(const char *tablename, const void *ip, |
53 | const struct xt_match *match, void *matchinfo, | 72 | const struct xt_match *match, void *matchinfo, |
54 | unsigned int hook_mask) | 73 | unsigned int hook_mask) |
55 | { | 74 | { |
56 | const struct xt_connmark_info *cm = matchinfo; | 75 | const struct xt_connmark_info *cm = matchinfo; |
57 | 76 | ||
@@ -67,6 +86,19 @@ connmark_mt_check(const char *tablename, const void *ip, | |||
67 | return true; | 86 | return true; |
68 | } | 87 | } |
69 | 88 | ||
89 | static bool | ||
90 | connmark_mt_check(const char *tablename, const void *ip, | ||
91 | const struct xt_match *match, void *matchinfo, | ||
92 | unsigned int hook_mask) | ||
93 | { | ||
94 | if (nf_ct_l3proto_try_module_get(match->family) < 0) { | ||
95 | printk(KERN_WARNING "cannot load conntrack support for " | ||
96 | "proto=%u\n", match->family); | ||
97 | return false; | ||
98 | } | ||
99 | return true; | ||
100 | } | ||
101 | |||
70 | static void | 102 | static void |
71 | connmark_mt_destroy(const struct xt_match *match, void *matchinfo) | 103 | connmark_mt_destroy(const struct xt_match *match, void *matchinfo) |
72 | { | 104 | { |
@@ -81,7 +113,7 @@ struct compat_xt_connmark_info { | |||
81 | u_int16_t __pad2; | 113 | u_int16_t __pad2; |
82 | }; | 114 | }; |
83 | 115 | ||
84 | static void connmark_mt_compat_from_user(void *dst, void *src) | 116 | static void connmark_mt_compat_from_user_v0(void *dst, void *src) |
85 | { | 117 | { |
86 | const struct compat_xt_connmark_info *cm = src; | 118 | const struct compat_xt_connmark_info *cm = src; |
87 | struct xt_connmark_info m = { | 119 | struct xt_connmark_info m = { |
@@ -92,7 +124,7 @@ static void connmark_mt_compat_from_user(void *dst, void *src) | |||
92 | memcpy(dst, &m, sizeof(m)); | 124 | memcpy(dst, &m, sizeof(m)); |
93 | } | 125 | } |
94 | 126 | ||
95 | static int connmark_mt_compat_to_user(void __user *dst, void *src) | 127 | static int connmark_mt_compat_to_user_v0(void __user *dst, void *src) |
96 | { | 128 | { |
97 | const struct xt_connmark_info *m = src; | 129 | const struct xt_connmark_info *m = src; |
98 | struct compat_xt_connmark_info cm = { | 130 | struct compat_xt_connmark_info cm = { |
@@ -107,32 +139,54 @@ static int connmark_mt_compat_to_user(void __user *dst, void *src) | |||
107 | static struct xt_match connmark_mt_reg[] __read_mostly = { | 139 | static struct xt_match connmark_mt_reg[] __read_mostly = { |
108 | { | 140 | { |
109 | .name = "connmark", | 141 | .name = "connmark", |
142 | .revision = 0, | ||
110 | .family = AF_INET, | 143 | .family = AF_INET, |
111 | .checkentry = connmark_mt_check, | 144 | .checkentry = connmark_mt_check_v0, |
112 | .match = connmark_mt, | 145 | .match = connmark_mt_v0, |
113 | .destroy = connmark_mt_destroy, | 146 | .destroy = connmark_mt_destroy, |
114 | .matchsize = sizeof(struct xt_connmark_info), | 147 | .matchsize = sizeof(struct xt_connmark_info), |
115 | #ifdef CONFIG_COMPAT | 148 | #ifdef CONFIG_COMPAT |
116 | .compatsize = sizeof(struct compat_xt_connmark_info), | 149 | .compatsize = sizeof(struct compat_xt_connmark_info), |
117 | .compat_from_user = connmark_mt_compat_from_user, | 150 | .compat_from_user = connmark_mt_compat_from_user_v0, |
118 | .compat_to_user = connmark_mt_compat_to_user, | 151 | .compat_to_user = connmark_mt_compat_to_user_v0, |
119 | #endif | 152 | #endif |
120 | .me = THIS_MODULE | 153 | .me = THIS_MODULE |
121 | }, | 154 | }, |
122 | { | 155 | { |
123 | .name = "connmark", | 156 | .name = "connmark", |
157 | .revision = 0, | ||
124 | .family = AF_INET6, | 158 | .family = AF_INET6, |
125 | .checkentry = connmark_mt_check, | 159 | .checkentry = connmark_mt_check_v0, |
126 | .match = connmark_mt, | 160 | .match = connmark_mt_v0, |
127 | .destroy = connmark_mt_destroy, | 161 | .destroy = connmark_mt_destroy, |
128 | .matchsize = sizeof(struct xt_connmark_info), | 162 | .matchsize = sizeof(struct xt_connmark_info), |
129 | #ifdef CONFIG_COMPAT | 163 | #ifdef CONFIG_COMPAT |
130 | .compatsize = sizeof(struct compat_xt_connmark_info), | 164 | .compatsize = sizeof(struct compat_xt_connmark_info), |
131 | .compat_from_user = connmark_mt_compat_from_user, | 165 | .compat_from_user = connmark_mt_compat_from_user_v0, |
132 | .compat_to_user = connmark_mt_compat_to_user, | 166 | .compat_to_user = connmark_mt_compat_to_user_v0, |
133 | #endif | 167 | #endif |
134 | .me = THIS_MODULE | 168 | .me = THIS_MODULE |
135 | }, | 169 | }, |
170 | { | ||
171 | .name = "connmark", | ||
172 | .revision = 1, | ||
173 | .family = AF_INET, | ||
174 | .checkentry = connmark_mt_check, | ||
175 | .match = connmark_mt, | ||
176 | .matchsize = sizeof(struct xt_connmark_mtinfo1), | ||
177 | .destroy = connmark_mt_destroy, | ||
178 | .me = THIS_MODULE, | ||
179 | }, | ||
180 | { | ||
181 | .name = "connmark", | ||
182 | .revision = 1, | ||
183 | .family = AF_INET6, | ||
184 | .checkentry = connmark_mt_check, | ||
185 | .match = connmark_mt, | ||
186 | .matchsize = sizeof(struct xt_connmark_mtinfo1), | ||
187 | .destroy = connmark_mt_destroy, | ||
188 | .me = THIS_MODULE, | ||
189 | }, | ||
136 | }; | 190 | }; |
137 | 191 | ||
138 | static int __init connmark_mt_init(void) | 192 | static int __init connmark_mt_init(void) |