8 files changed, 38 insertions, 7 deletions

diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 08fe5f7d14..4ed720f0c4 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -171,7 +171,7 @@ struct ip_conntrack
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-        unsigned long mark;
+        u_int32_t mark;
 #endif
 
         /* Traversed often, so hopefully in different cacheline to top */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 948527e42a..2e40f4c9f7 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -259,7 +259,7 @@ struct sk_buff {
 
         void                    (*destructor)(struct sk_buff *skb);
 #ifdef CONFIG_NETFILTER
-        unsigned long           nfmark;
+        __u32                   nfmark;
         __u32                   nfcache;
         __u32                   nfctinfo;
         struct nf_conntrack     *nfct;
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 61798c46e9..dccd4abab7 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -185,7 +185,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
                         return -ENOSPC;
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-        if (seq_printf(s, "mark=%lu ", conntrack->mark))
+        if (seq_printf(s, "mark=%u ", conntrack->mark))
                 return -ENOSPC;
 #endif
 
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 6706d3a1bc..2d05cafec2 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -367,7 +367,7 @@ target(struct sk_buff **pskb,
 #ifdef DEBUG_CLUSTERP
         DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 #endif
-        DEBUGP("hash=%u ct_hash=%lu ", hash, ct->mark);
+        DEBUGP("hash=%u ct_hash=%u ", hash, ct->mark);
         if (!clusterip_responsible(cipinfo->config, hash)) {
                 DEBUGP("not responsible\n");
                 return NF_DROP;
diff --git a/net/ipv4/netfilter/ipt_CONNMARK.c b/net/ipv4/netfilter/ipt_CONNMARK.c
index 30ddd3e18e..8ed744157b 100644
--- a/net/ipv4/netfilter/ipt_CONNMARK.c
+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
@@ -40,9 +40,9 @@ target(struct sk_buff **pskb,
        void *userinfo)
 {
         const struct ipt_connmark_target_info *markinfo = targinfo;
-        unsigned long diff;
-        unsigned long nfmark;
-        unsigned long newmark;
+        u_int32_t diff;
+        u_int32_t nfmark;
+        u_int32_t newmark;
 
         enum ip_conntrack_info ctinfo;
         struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
@@ -94,6 +94,11 @@ checkentry(const char *tablename,
             }
         }
 
+        if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
+                printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
+                return 0;
+        }
+
         return 1;
 }
 
diff --git a/net/ipv4/netfilter/ipt_MARK.c b/net/ipv4/netfilter/ipt_MARK.c
index 33c6f9b63b..8526398346 100644
--- a/net/ipv4/netfilter/ipt_MARK.c
+++ b/net/ipv4/netfilter/ipt_MARK.c
@@ -76,6 +76,8 @@ checkentry_v0(const char *tablename,
               unsigned int targinfosize,
               unsigned int hook_mask)
 {
+        struct ipt_mark_target_info *markinfo = targinfo;
+
         if (targinfosize != IPT_ALIGN(sizeof(struct ipt_mark_target_info))) {
                 printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
                        targinfosize,
@@ -88,6 +90,11 @@ checkentry_v0(const char *tablename,
                 return 0;
         }
 
+        if (markinfo->mark > 0xffffffff) {
+                printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+                return 0;
+        }
+
         return 1;
 }
 
@@ -120,6 +127,11 @@ checkentry_v1(const char *tablename,
                 return 0;
         }
 
+        if (markinfo->mark > 0xffffffff) {
+                printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+                return 0;
+        }
+
         return 1;
 }
 
diff --git a/net/ipv4/netfilter/ipt_connmark.c b/net/ipv4/netfilter/ipt_connmark.c
index 2706f96cea..bf8de47ce0 100644
--- a/net/ipv4/netfilter/ipt_connmark.c
+++ b/net/ipv4/netfilter/ipt_connmark.c
@@ -54,9 +54,16 @@ checkentry(const char *tablename,
            unsigned int matchsize,
            unsigned int hook_mask)
 {
+        struct ipt_connmark_info *cm = 
+                                (struct ipt_connmark_info *)matchinfo;
         if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
                 return 0;
 
+        if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
+                printk(KERN_WARNING "connmark: only support 32bit mark\n");
+                return 0;
+        }
+
         return 1;
 }
 
diff --git a/net/ipv4/netfilter/ipt_mark.c b/net/ipv4/netfilter/ipt_mark.c
index 8955728127..00bef6cdd3 100644
--- a/net/ipv4/netfilter/ipt_mark.c
+++ b/net/ipv4/netfilter/ipt_mark.c
@@ -37,9 +37,16 @@ checkentry(const char *tablename,
            unsigned int matchsize,
            unsigned int hook_mask)
 {
+        struct ipt_mark_info *minfo = (struct ipt_mark_info *) matchinfo;
+
         if (matchsize != IPT_ALIGN(sizeof(struct ipt_mark_info)))
                 return 0;
 
+        if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
+                printk(KERN_WARNING "mark: only supports 32bit mark\n");
+                return 0;
+        }
+
         return 1;
 }