9 files changed, 74 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 17d7ef938a09..e0e9951eb8c3 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -121,6 +121,10 @@ struct ip_conntrack
        u_int32_t mark;
 #endif
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+        u_int32_t secmark;
+#endif
        /* Traversed often, so hopefully in different cacheline to top */
        /* These are my tuples; original and reply */
        struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index dbe7a114d0c5..411117815807 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -114,6 +114,10 @@ struct nf_conn
        u_int32_t mark;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+        u_int32_t secmark;
+#endif
        /* Storage reserved for other modules: */
        union nf_conntrack_proto proto;
diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h
index 3cac19fb3648..f1b1482d7200 100644
--- a/include/net/netfilter/nf_conntrack_compat.h
+++ b/include/net/netfilter/nf_conntrack_compat.h
@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
 }
 #endif /* CONFIG_IP_NF_CONNTRACK_MARK */
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+                                           u_int32_t *ctinfo)
+{
+        struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
+        if (ct)
+                return &ct->secmark;
+        else
+                return NULL;
+}
+#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
 #ifdef CONFIG_IP_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
 }
 #endif /* CONFIG_NF_CONNTRACK_MARK */
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+                                           u_int32_t *ctinfo)
+{
+        struct nf_conn *ct = nf_ct_get(skb, ctinfo);
+        if (ct)
+                return &ct->secmark;
+        else
+                return NULL;
+}
+#endif /* CONFIG_NF_CONNTRACK_MARK */
 #ifdef CONFIG_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ff4b118f14a9..e1d7f5fbc526 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK
          of packets, but this mark value is kept in the conntrack session
          instead of the individual packets.
        
+config IP_NF_CONNTRACK_SECMARK
+        bool  'Connection tracking security mark support'
+        depends on IP_NF_CONNTRACK && NETWORK_SECMARK
+        help
+          This option enables security markings to be applied to
+          connections.  Typically they are copied to connections from
+          packets using the CONNSECMARK target and copied back from
+          connections to packets with the same target, with the packets
+          being originally labeled via SECMARK.
+          If unsure, say 'N'.
 config IP_NF_CONNTRACK_EVENTS
        bool "Connection tracking events (EXPERIMENTAL)"
        depends on EXPERIMENTAL && IP_NF_CONNTRACK
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 4fe9e69378df..7e4cf9a4d15f 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple,
                /* this is ugly, but there is no other place where to put it */
                conntrack->nat.masq_index = exp->master->nat.masq_index;
 #endif
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+                conntrack->secmark = exp->master->secmark;
+#endif
                nf_conntrack_get(&conntrack->master->ct_general);
                CONNTRACK_STAT_INC(expect_new);
        } else {
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 6cb9b989d14c..88445aac3f28 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
                return -ENOSPC;
 #endif
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+        if (seq_printf(s, "secmark=%u ", conntrack->secmark))
+                return -ENOSPC;
+#endif
        if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
                return -ENOSPC;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 10eccdd4d6ea..023f81e5f96b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
          of packets, but this mark value is kept in the conntrack session
          instead of the individual packets.
+config NF_CONNTRACK_SECMARK
+        bool  'Connection tracking security mark support'
+        depends on NF_CONNTRACK && NETWORK_SECMARK
+        help
+          This option enables security markings to be applied to
+          connections.  Typically they are copied to connections from
+          packets using the CONNSECMARK target and copied back from
+          connections to packets with the same target, with the packets
+          being originally labeled via SECMARK.
+          If unsure, say 'N'.
 config NF_CONNTRACK_EVENTS
        bool "Connection tracking events (EXPERIMENTAL)"
        depends on EXPERIMENTAL && NF_CONNTRACK
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index bc2bd4c3859e..cd299f4b7db1 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -990,6 +990,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
 #ifdef CONFIG_NF_CONNTRACK_MARK
                conntrack->mark = exp->master->mark;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+                conntrack->secmark = exp->master->secmark;
+#endif
                nf_conntrack_get(&conntrack->master->ct_general);
                NF_CT_STAT_INC(expect_new);
        } else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index e01d20d8e287..e34c574f0351 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
                return -ENOSPC;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+        if (seq_printf(s, "secmark=%u ", conntrack->secmark))
+                return -ENOSPC;
+#endif
        if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
                return -ENOSPC;

diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index 17d7ef938a09..e0e9951eb8c3 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -121,6 +121,10 @@ struct ip_conntrack
121	u_int32_t mark;	121	u_int32_t mark;
122	#endif	122	#endif
123		123
		124	#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
		125	u_int32_t secmark;
		126	#endif
		127
124	/* Traversed often, so hopefully in different cacheline to top */	128	/* Traversed often, so hopefully in different cacheline to top */
125	/* These are my tuples; original and reply */	129	/* These are my tuples; original and reply */
126	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];	130	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];


diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index dbe7a114d0c5..411117815807 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -114,6 +114,10 @@ struct nf_conn
114	u_int32_t mark;	114	u_int32_t mark;
115	#endif	115	#endif
116		116
		117	#ifdef CONFIG_NF_CONNTRACK_SECMARK
		118	u_int32_t secmark;
		119	#endif
		120
117	/* Storage reserved for other modules: */	121	/* Storage reserved for other modules: */
118	union nf_conntrack_proto proto;	122	union nf_conntrack_proto proto;
119		123


diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h index 3cac19fb3648..f1b1482d7200 100644 --- a/include/net/netfilter/nf_conntrack_compat.h +++ b/include/net/netfilter/nf_conntrack_compat.h
@@ -20,6 +20,19 @@ static inline u_int32_t nf_ct_get_mark(const struct sk_buff skb,
20	}	20	}
21	#endif /* CONFIG_IP_NF_CONNTRACK_MARK */	21	#endif /* CONFIG_IP_NF_CONNTRACK_MARK */
22		22
		23	#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
		24	static inline u_int32_t nf_ct_get_secmark(const struct sk_buff skb,
		25	u_int32_t *ctinfo)
		26	{
		27	struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
		28
		29	if (ct)
		30	return &ct->secmark;
		31	else
		32	return NULL;
		33	}
		34	#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
		35
23	#ifdef CONFIG_IP_NF_CT_ACCT	36	#ifdef CONFIG_IP_NF_CT_ACCT
24	static inline struct ip_conntrack_counter *	37	static inline struct ip_conntrack_counter *
25	nf_ct_get_counters(const struct sk_buff *skb)	38	nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t nf_ct_get_mark(const struct sk_buff skb,
70	}	83	}
71	#endif /* CONFIG_NF_CONNTRACK_MARK */	84	#endif /* CONFIG_NF_CONNTRACK_MARK */
72		85
		86	#ifdef CONFIG_NF_CONNTRACK_SECMARK
		87	static inline u_int32_t nf_ct_get_secmark(const struct sk_buff skb,
		88	u_int32_t *ctinfo)
		89	{
		90	struct nf_conn *ct = nf_ct_get(skb, ctinfo);
		91
		92	if (ct)
		93	return &ct->secmark;
		94	else
		95	return NULL;
		96	}
		97	#endif /* CONFIG_NF_CONNTRACK_MARK */
		98
73	#ifdef CONFIG_NF_CT_ACCT	99	#ifdef CONFIG_NF_CT_ACCT
74	static inline struct ip_conntrack_counter *	100	static inline struct ip_conntrack_counter *
75	nf_ct_get_counters(const struct sk_buff *skb)	101	nf_ct_get_counters(const struct sk_buff *skb)


diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ff4b118f14a9..e1d7f5fbc526 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK
55	of packets, but this mark value is kept in the conntrack session	55	of packets, but this mark value is kept in the conntrack session
56	instead of the individual packets.	56	instead of the individual packets.
57		57
		58	config IP_NF_CONNTRACK_SECMARK
		59	bool 'Connection tracking security mark support'
		60	depends on IP_NF_CONNTRACK && NETWORK_SECMARK
		61	help
		62	This option enables security markings to be applied to
		63	connections. Typically they are copied to connections from
		64	packets using the CONNSECMARK target and copied back from
		65	connections to packets with the same target, with the packets
		66	being originally labeled via SECMARK.
		67
		68	If unsure, say 'N'.
		69
58	config IP_NF_CONNTRACK_EVENTS	70	config IP_NF_CONNTRACK_EVENTS
59	bool "Connection tracking events (EXPERIMENTAL)"	71	bool "Connection tracking events (EXPERIMENTAL)"
60	depends on EXPERIMENTAL && IP_NF_CONNTRACK	72	depends on EXPERIMENTAL && IP_NF_CONNTRACK


diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index 4fe9e69378df..7e4cf9a4d15f 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple,
724	/* this is ugly, but there is no other place where to put it */	724	/* this is ugly, but there is no other place where to put it */
725	conntrack->nat.masq_index = exp->master->nat.masq_index;	725	conntrack->nat.masq_index = exp->master->nat.masq_index;
726	#endif	726	#endif
		727	#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
		728	conntrack->secmark = exp->master->secmark;
		729	#endif
727	nf_conntrack_get(&conntrack->master->ct_general);	730	nf_conntrack_get(&conntrack->master->ct_general);
728	CONNTRACK_STAT_INC(expect_new);	731	CONNTRACK_STAT_INC(expect_new);
729	} else {	732	} else {


diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 6cb9b989d14c..88445aac3f28 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file s, void v)
189	return -ENOSPC;	189	return -ENOSPC;
190	#endif	190	#endif
191		191
		192	#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
		193	if (seq_printf(s, "secmark=%u ", conntrack->secmark))
		194	return -ENOSPC;
		195	#endif
		196
192	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))	197	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
193	return -ENOSPC;	198	return -ENOSPC;
194		199


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 10eccdd4d6ea..023f81e5f96b 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
60	of packets, but this mark value is kept in the conntrack session	60	of packets, but this mark value is kept in the conntrack session
61	instead of the individual packets.	61	instead of the individual packets.
62		62
		63	config NF_CONNTRACK_SECMARK
		64	bool 'Connection tracking security mark support'
		65	depends on NF_CONNTRACK && NETWORK_SECMARK
		66	help
		67	This option enables security markings to be applied to
		68	connections. Typically they are copied to connections from
		69	packets using the CONNSECMARK target and copied back from
		70	connections to packets with the same target, with the packets
		71	being originally labeled via SECMARK.
		72
		73	If unsure, say 'N'.
		74
63	config NF_CONNTRACK_EVENTS	75	config NF_CONNTRACK_EVENTS
64	bool "Connection tracking events (EXPERIMENTAL)"	76	bool "Connection tracking events (EXPERIMENTAL)"
65	depends on EXPERIMENTAL && NF_CONNTRACK	77	depends on EXPERIMENTAL && NF_CONNTRACK


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index bc2bd4c3859e..cd299f4b7db1 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -990,6 +990,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
990	#ifdef CONFIG_NF_CONNTRACK_MARK	990	#ifdef CONFIG_NF_CONNTRACK_MARK
991	conntrack->mark = exp->master->mark;	991	conntrack->mark = exp->master->mark;
992	#endif	992	#endif
		993	#ifdef CONFIG_NF_CONNTRACK_SECMARK
		994	conntrack->secmark = exp->master->secmark;
		995	#endif
993	nf_conntrack_get(&conntrack->master->ct_general);	996	nf_conntrack_get(&conntrack->master->ct_general);
994	NF_CT_STAT_INC(expect_new);	997	NF_CT_STAT_INC(expect_new);
995	} else	998	} else


diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index e01d20d8e287..e34c574f0351 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file s, void v)
213	return -ENOSPC;	213	return -ENOSPC;
214	#endif	214	#endif
215		215
		216	#ifdef CONFIG_NF_CONNTRACK_SECMARK
		217	if (seq_printf(s, "secmark=%u ", conntrack->secmark))
		218	return -ENOSPC;
		219	#endif
		220
216	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))	221	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
217	return -ENOSPC;	222	return -ENOSPC;
218		223