OpenWrt XBurst

OpenWrt XBurst Git Source Tree

Root/target/linux/generic-2.4/patches/607-netfilter_connmark.patch

1	--- a/include/linux/netfilter_ipv4/ip_conntrack.h
2	+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
3	@@ -218,6 +218,9 @@ struct ip_conntrack
4	unsigned int app_data_len;
5	} layer7;
6	#endif
7	+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
8	+ unsigned long mark;
9	+#endif
10	};
11
12	/* get master conntrack via master expectation */
13	--- /dev/null
14	+++ b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
15	@@ -0,0 +1,25 @@
16	+#ifndef _IPT_CONNMARK_H_target
17	+#define _IPT_CONNMARK_H_target
18	+
19	+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
20	+ * by Henrik Nordstrom <hno@marasystems.com>
21	+ *
22	+ * This program is free software; you can redistribute it and/or modify
23	+ * it under the terms of the GNU General Public License as published by
24	+ * the Free Software Foundation; either version 2 of the License, or
25	+ * (at your option) any later version.
26	+ */
27	+
28	+enum {
29	+ IPT_CONNMARK_SET = 0,
30	+ IPT_CONNMARK_SAVE,
31	+ IPT_CONNMARK_RESTORE
32	+};
33	+
34	+struct ipt_connmark_target_info {
35	+ unsigned long mark;
36	+ unsigned long mask;
37	+ u_int8_t mode;
38	+};
39	+
40	+#endif /_IPT_CONNMARK_H_target/
41	--- /dev/null
42	+++ b/include/linux/netfilter_ipv4/ipt_connmark.h
43	@@ -0,0 +1,18 @@
44	+#ifndef _IPT_CONNMARK_H
45	+#define _IPT_CONNMARK_H
46	+
47	+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
48	+ * by Henrik Nordstrom <hno@marasystems.com>
49	+ *
50	+ * This program is free software; you can redistribute it and/or modify
51	+ * it under the terms of the GNU General Public License as published by
52	+ * the Free Software Foundation; either version 2 of the License, or
53	+ * (at your option) any later version.
54	+ */
55	+
56	+struct ipt_connmark_info {
57	+ unsigned long mark, mask;
58	+ u_int8_t invert;
59	+};
60	+
61	+#endif /_IPT_CONNMARK_H/
62	--- a/net/ipv4/netfilter/Config.in
63	+++ b/net/ipv4/netfilter/Config.in
64	@@ -6,6 +6,7 @@ comment ' IP: Netfilter Configuration'
65
66	tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
67	if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
68	+ bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
69	dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
70	dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
71	dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
72	@@ -40,6 +41,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
73	if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
74	dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
75	dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
76	+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
77	+ dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
78	+ fi
79	fi
80	if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
81	dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
82	@@ -110,6 +114,9 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
83	dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
84	dep_tristate ' CLASSIFY target support (EXPERIMENTAL)' CONFIG_IP_NF_TARGET_CLASSIFY $CONFIG_IP_NF_MANGLE
85	fi
86	+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
87	+ dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
88	+ fi
89	dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
90	dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
91	dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
92	--- a/net/ipv4/netfilter/Makefile
93	+++ b/net/ipv4/netfilter/Makefile
94	@@ -84,6 +84,7 @@ obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_
95
96	obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
97	obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
98	+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
99	obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
100	obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
101	obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
102	@@ -102,6 +103,7 @@ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += i
103	obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
104	obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
105	obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
106	+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
107	obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
108	obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
109	obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
110	--- a/net/ipv4/netfilter/ip_conntrack_core.c
111	+++ b/net/ipv4/netfilter/ip_conntrack_core.c
112	@@ -750,6 +750,9 @@ init_conntrack(const struct ip_conntrack
113	__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
114	conntrack->master = expected;
115	expected->sibling = conntrack;
116	+#ifdef CONFIG_IP_NF_CONNTRACK_MARK
117	+ conntrack->mark = expected->expectant->mark;
118	+#endif
119	LIST_DELETE(&ip_conntrack_expect_list, expected);
120	expected->expectant->expecting--;
121	nf_conntrack_get(&master_ct(conntrack)->infos[0]);
122	--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
123	+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
124	@@ -107,6 +107,9 @@ print_conntrack(char *buffer, struct ip_
125	len += sprintf(buffer + len, "[ASSURED] ");
126	len += sprintf(buffer + len, "use=%u ",
127	atomic_read(&conntrack->ct_general.use));
128	+ #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
129	+ len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
130	+ #endif
131
132	#if defined(CONFIG_IP_NF_MATCH_LAYER7) \|\| defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
133	if(conntrack->layer7.app_proto)
134	--- /dev/null
135	+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
136	@@ -0,0 +1,118 @@
137	+/* This kernel module is used to modify the connection mark values, or
138	+ * to optionally restore the skb nfmark from the connection mark
139	+ *
140	+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
141	+ * by Henrik Nordstrom <hno@marasystems.com>
142	+ *
143	+ * This program is free software; you can redistribute it and/or modify
144	+ * it under the terms of the GNU General Public License as published by
145	+ * the Free Software Foundation; either version 2 of the License, or
146	+ * (at your option) any later version.
147	+ *
148	+ * This program is distributed in the hope that it will be useful,
149	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
150	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
151	+ * GNU General Public License for more details.
152	+ *
153	+ * You should have received a copy of the GNU General Public License
154	+ * along with this program; if not, write to the Free Software
155	+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
156	+ */
157	+#include <linux/module.h>
158	+#include <linux/skbuff.h>
159	+#include <linux/ip.h>
160	+#include <net/checksum.h>
161	+
162	+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
163	+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
164	+MODULE_LICENSE("GPL");
165	+
166	+#include <linux/netfilter_ipv4/ip_tables.h>
167	+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
168	+#include <linux/netfilter_ipv4/ip_conntrack.h>
169	+
170	+static unsigned int
171	+target(struct sk_buff **pskb,
172	+ unsigned int hooknum,
173	+ const struct net_device *in,
174	+ const struct net_device *out,
175	+ const void *targinfo,
176	+ void *userinfo)
177	+{
178	+ const struct ipt_connmark_target_info *markinfo = targinfo;
179	+ unsigned long diff;
180	+ unsigned long nfmark;
181	+ unsigned long newmark;
182	+
183	+ enum ip_conntrack_info ctinfo;
184	+ struct ip_conntrack ct = ip_conntrack_get((pskb), &ctinfo);
185	+ if (ct) {
186	+ switch(markinfo->mode) {
187	+ case IPT_CONNMARK_SET:
188	+ newmark = (ct->mark & ~markinfo->mask) \| markinfo->mark;
189	+ if (newmark != ct->mark)
190	+ ct->mark = newmark;
191	+ break;
192	+ case IPT_CONNMARK_SAVE:
193	+ newmark = (ct->mark & ~markinfo->mask) \| ((*pskb)->nfmark & markinfo->mask);
194	+ if (ct->mark != newmark)
195	+ ct->mark = newmark;
196	+ break;
197	+ case IPT_CONNMARK_RESTORE:
198	+ nfmark = (*pskb)->nfmark;
199	+ diff = (ct->mark ^ nfmark & markinfo->mask);
200	+ if (diff != 0) {
201	+ (*pskb)->nfmark = nfmark ^ diff;
202	+ (*pskb)->nfcache \|= NFC_ALTERED;
203	+ }
204	+ break;
205	+ }
206	+ }
207	+
208	+ return IPT_CONTINUE;
209	+}
210	+
211	+static int
212	+checkentry(const char *tablename,
213	+ const struct ipt_entry *e,
214	+ void *targinfo,
215	+ unsigned int targinfosize,
216	+ unsigned int hook_mask)
217	+{
218	+ struct ipt_connmark_target_info *matchinfo = targinfo;
219	+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
220	+ printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
221	+ targinfosize,
222	+ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
223	+ return 0;
224	+ }
225	+
226	+ if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
227	+ if (strcmp(tablename, "mangle") != 0) {
228	+ printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
229	+ return 0;
230	+ }
231	+ }
232	+
233	+ return 1;
234	+}
235	+
236	+static struct ipt_target ipt_connmark_reg = {
237	+ .name = "CONNMARK",
238	+ .target = &target,
239	+ .checkentry = &checkentry,
240	+ .me = THIS_MODULE
241	+};
242	+
243	+static int __init init(void)
244	+{
245	+ return ipt_register_target(&ipt_connmark_reg);
246	+}
247	+
248	+static void __exit fini(void)
249	+{
250	+ ipt_unregister_target(&ipt_connmark_reg);
251	+}
252	+
253	+module_init(init);
254	+module_exit(fini);
255	--- /dev/null
256	+++ b/net/ipv4/netfilter/ipt_connmark.c
257	@@ -0,0 +1,83 @@
258	+/* This kernel module matches connection mark values set by the
259	+ * CONNMARK target
260	+ *
261	+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
262	+ * by Henrik Nordstrom <hno@marasystems.com>
263	+ *
264	+ * This program is free software; you can redistribute it and/or modify
265	+ * it under the terms of the GNU General Public License as published by
266	+ * the Free Software Foundation; either version 2 of the License, or
267	+ * (at your option) any later version.
268	+ *
269	+ * This program is distributed in the hope that it will be useful,
270	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
271	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
272	+ * GNU General Public License for more details.
273	+ *
274	+ * You should have received a copy of the GNU General Public License
275	+ * along with this program; if not, write to the Free Software
276	+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
277	+ */
278	+
279	+#include <linux/module.h>
280	+#include <linux/skbuff.h>
281	+
282	+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
283	+MODULE_DESCRIPTION("IP tables connmark match module");
284	+MODULE_LICENSE("GPL");
285	+
286	+#include <linux/netfilter_ipv4/ip_tables.h>
287	+#include <linux/netfilter_ipv4/ipt_connmark.h>
288	+#include <linux/netfilter_ipv4/ip_conntrack.h>
289	+
290	+static int
291	+match(const struct sk_buff *skb,
292	+ const struct net_device *in,
293	+ const struct net_device *out,
294	+ const void *matchinfo,
295	+ int offset,
296	+ const void *hdr,
297	+ u_int16_t datalen,
298	+ int *hotdrop)
299	+{
300	+ const struct ipt_connmark_info *info = matchinfo;
301	+ enum ip_conntrack_info ctinfo;
302	+ struct ip_conntrack ct = ip_conntrack_get((struct sk_buff )skb, &ctinfo);
303	+ if (!ct)
304	+ return 0;
305	+
306	+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
307	+}
308	+
309	+static int
310	+checkentry(const char *tablename,
311	+ const struct ipt_ip *ip,
312	+ void *matchinfo,
313	+ unsigned int matchsize,
314	+ unsigned int hook_mask)
315	+{
316	+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
317	+ return 0;
318	+
319	+ return 1;
320	+}
321	+
322	+static struct ipt_match connmark_match = {
323	+ .name = "connmark",
324	+ .match = &match,
325	+ .checkentry = &checkentry,
326	+ .me = THIS_MODULE
327	+};
328	+
329	+static int __init init(void)
330	+{
331	+ return ipt_register_match(&connmark_match);
332	+}
333	+
334	+static void __exit fini(void)
335	+{
336	+ ipt_unregister_match(&connmark_match);
337	+}
338	+
339	+module_init(init);
340	+module_exit(fini);
341

Download this file

Branches:
backfire
history
master
release_2010-11-17
release_2010-12-14
release_2011-02-23
release_2011-05-28
release_2011-08-27
release_2011-11-13
release_2012-03-18
release_2012-04-09
release_2012-10-11
uclibc_nptl

OpenWrt XBurst

OpenWrt XBurst Git Source Tree

Root/target/linux/generic-2.4/patches/607-netfilter_connmark.patch

interactive