diff options
| -rw-r--r-- | include/linux/netfilter/nf_conntrack_common.h | 4 | ||||
| -rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 1 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 22 | ||||
| -rw-r--r-- | net/netfilter/xt_CONNSECMARK.c | 5 |
4 files changed, 31 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 19747e8f71cf..bad1eb760f61 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h | |||
| @@ -133,6 +133,10 @@ enum ip_conntrack_events | |||
| 133 | /* NAT sequence adjustment */ | 133 | /* NAT sequence adjustment */ |
| 134 | IPCT_NATSEQADJ_BIT = 13, | 134 | IPCT_NATSEQADJ_BIT = 13, |
| 135 | IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), | 135 | IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), |
| 136 | |||
| 137 | /* Secmark is set */ | ||
| 138 | IPCT_SECMARK_BIT = 14, | ||
| 139 | IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), | ||
| 136 | }; | 140 | }; |
| 137 | 141 | ||
| 138 | enum ip_conntrack_expect_events { | 142 | enum ip_conntrack_expect_events { |
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index c19d976b1b75..e3e1533aba2d 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -39,6 +39,7 @@ enum ctattr_type { | |||
| 39 | CTA_TUPLE_MASTER, | 39 | CTA_TUPLE_MASTER, |
| 40 | CTA_NAT_SEQ_ADJ_ORIG, | 40 | CTA_NAT_SEQ_ADJ_ORIG, |
| 41 | CTA_NAT_SEQ_ADJ_REPLY, | 41 | CTA_NAT_SEQ_ADJ_REPLY, |
| 42 | CTA_SECMARK, | ||
| 42 | __CTA_MAX | 43 | __CTA_MAX |
| 43 | }; | 44 | }; |
| 44 | #define CTA_MAX (__CTA_MAX - 1) | 45 | #define CTA_MAX (__CTA_MAX - 1) |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 94027c84be52..d4eedc68cc76 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -254,6 +254,22 @@ nla_put_failure: | |||
| 254 | #define ctnetlink_dump_mark(a, b) (0) | 254 | #define ctnetlink_dump_mark(a, b) (0) |
| 255 | #endif | 255 | #endif |
| 256 | 256 | ||
| 257 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 258 | static inline int | ||
| 259 | ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct) | ||
| 260 | { | ||
| 261 | __be32 mark = htonl(ct->secmark); | ||
| 262 | |||
| 263 | NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark); | ||
| 264 | return 0; | ||
| 265 | |||
| 266 | nla_put_failure: | ||
| 267 | return -1; | ||
| 268 | } | ||
| 269 | #else | ||
| 270 | #define ctnetlink_dump_secmark(a, b) (0) | ||
| 271 | #endif | ||
| 272 | |||
| 257 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) | 273 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) |
| 258 | 274 | ||
| 259 | static inline int | 275 | static inline int |
| @@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | |||
| 392 | ctnetlink_dump_protoinfo(skb, ct) < 0 || | 408 | ctnetlink_dump_protoinfo(skb, ct) < 0 || |
| 393 | ctnetlink_dump_helpinfo(skb, ct) < 0 || | 409 | ctnetlink_dump_helpinfo(skb, ct) < 0 || |
| 394 | ctnetlink_dump_mark(skb, ct) < 0 || | 410 | ctnetlink_dump_mark(skb, ct) < 0 || |
| 411 | ctnetlink_dump_secmark(skb, ct) < 0 || | ||
| 395 | ctnetlink_dump_id(skb, ct) < 0 || | 412 | ctnetlink_dump_id(skb, ct) < 0 || |
| 396 | ctnetlink_dump_use(skb, ct) < 0 || | 413 | ctnetlink_dump_use(skb, ct) < 0 || |
| 397 | ctnetlink_dump_master(skb, ct) < 0 || | 414 | ctnetlink_dump_master(skb, ct) < 0 || |
| @@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, | |||
| 493 | && ctnetlink_dump_mark(skb, ct) < 0) | 510 | && ctnetlink_dump_mark(skb, ct) < 0) |
| 494 | goto nla_put_failure; | 511 | goto nla_put_failure; |
| 495 | #endif | 512 | #endif |
| 513 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 514 | if ((events & IPCT_SECMARK || ct->secmark) | ||
| 515 | && ctnetlink_dump_secmark(skb, ct) < 0) | ||
| 516 | goto nla_put_failure; | ||
| 517 | #endif | ||
| 496 | 518 | ||
| 497 | if (events & IPCT_COUNTER_FILLING && | 519 | if (events & IPCT_COUNTER_FILLING && |
| 498 | (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || | 520 | (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || |
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 2c265e87f396..2333f7e29bc9 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c | |||
| @@ -20,6 +20,7 @@ | |||
| 20 | #include <linux/netfilter/x_tables.h> | 20 | #include <linux/netfilter/x_tables.h> |
| 21 | #include <linux/netfilter/xt_CONNSECMARK.h> | 21 | #include <linux/netfilter/xt_CONNSECMARK.h> |
| 22 | #include <net/netfilter/nf_conntrack.h> | 22 | #include <net/netfilter/nf_conntrack.h> |
| 23 | #include <net/netfilter/nf_conntrack_ecache.h> | ||
| 23 | 24 | ||
| 24 | #define PFX "CONNSECMARK: " | 25 | #define PFX "CONNSECMARK: " |
| 25 | 26 | ||
| @@ -40,8 +41,10 @@ static void secmark_save(const struct sk_buff *skb) | |||
| 40 | enum ip_conntrack_info ctinfo; | 41 | enum ip_conntrack_info ctinfo; |
| 41 | 42 | ||
| 42 | ct = nf_ct_get(skb, &ctinfo); | 43 | ct = nf_ct_get(skb, &ctinfo); |
| 43 | if (ct && !ct->secmark) | 44 | if (ct && !ct->secmark) { |
| 44 | ct->secmark = skb->secmark; | 45 | ct->secmark = skb->secmark; |
| 46 | nf_conntrack_event_cache(IPCT_SECMARK, skb); | ||
| 47 | } | ||
| 45 | } | 48 | } |
| 46 | } | 49 | } |
| 47 | 50 | ||