* [PATCH 2.4] Introducing Bidirectional conntrack mark
@ 2005-09-07 9:39 Jesse Peng
From: Jesse Peng @ 2005-09-07 9:39 UTC (permalink / raw)
To: Henrik Nordstrom, Wang Jian; +Cc: netfilter-devel
Greetings all,
This patch fully derives from Henrik Nordstrom's long-known connmark patch but is extended to a bidirectional solution.
The solution was discussed earlier at the following link:
https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018784.html
Dear Henrik:
Feel free to give any advice for the work extending your existing famous connmark patch.
Dear Jian:
I got approved for quite a period,but sorry for this late posting this patch after a busy season.Hope this help!
Cheers
Jesse
-------------- next part --------------
diff -Nru a/include/linux/netfilter_ipv4/ipt_ctdirmark.h b/include/linux/netfilter_ipv4/ipt_ctdirmark.h
--- a/include/linux/netfilter_ipv4/ipt_ctdirmark.h Wed Sep 7 16:12:33 2005
+++ b/include/linux/netfilter_ipv4/ipt_ctdirmark.h Wed Sep 7 15:23:40 2005
@@ -0,0 +1,16 @@
+#ifndef _IPT_CTDIRMARK_H
+#define _IPT_CTDIRMARK_H
+
+#define IPT_CTDIRMARK_ORIGINAL 0x01
+#define IPT_CTDIRMARK_REPLY 0x02
+
+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+
+struct ipt_ctdirmark_info {
+ u_int8_t bitmask;
+ unsigned long mark[IP_CT_DIR_MAX], mask[IP_CT_DIR_MAX];
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CTDIRMARK_H*/
+
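Review bot: `struct ipt_ctdirmark_info` is handed from iptables to the kernel as part of the rule blob, yet `mark` and `mask` are `unsigned long`, whose width differs between a 32-bit iptables binary and a 64-bit kernel, and the userspace parser defaults the mask to `0xffffffff`, which only spans 32 bits. This appears to mirror the 2.4 `ipt_mark_info` layout, so it is consistent with the tree, but `u_int32_t mark[IP_CT_DIR_MAX], mask[IP_CT_DIR_MAX];` would make the blob independent of the ABI (the kernel-side `mark_dir` would then need a matching width). A short comment on the two flag fields, `/* bitmask: directions to test (IPT_CTDIRMARK_*); invert: which of those tests are negated */`, would document that they share the same flag values.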
diff -Nru a/net/ipv4/netfilter/Config.in b/net/ipv4/n
etfilter/Config.in
--- a/net/ipv4/netfilter/Config.in Wed Jan 19 22:10:13 2005
+++ b/net/ipv4/netfilter/Config.in Wed Sep 7 16:00:31 2005
@@ -7,6 +7,7 @@
tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
+ bool ' Bidirectional connection mark tracking support' CONFIG_IP_NF_CTDIRMARK
dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
@@ -38,6 +39,9 @@
fi
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+ dep_tristate ' Bidirectional Connection mark match support' CONFIG_IP_NF_MATCH_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+ fi
dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IP
TABLES
fi
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
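Review bot: The new `dep_tristate` for CONFIG_IP_NF_MATCH_CTDIRMARK in this hunk depends only on `$CONFIG_IP_NF_IPTABLES`, while the neighbouring state and conntrack matches also list `$CONFIG_IP_NF_CONNTRACK`; with conntrack built as a module and this match built in, `ip_conntrack_get` would be unresolved at link time. Change it to `dep_tristate ' Bidirectional Connection mark match support' CONFIG_IP_NF_MATCH_CTDIRMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES`. The target entry in the following hunk (CONFIG_IP_NF_TARGET_CTDIRMARK) has the same gap and needs the same extra dependency.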
@@ -105,6 +109,9 @@
dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
fi
dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+ dep_tristate ' Bidirectional Connection mark target support' CONFIG_IP_NF_TARGET_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+ fi
dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
dep_tristate ' TCPMSS target support' CONFIG_IP_NF_TARGET_TCPMSS $CONFIG_IP_NF_IPTABLES
fi
diff -Nru a/net/ipv4/netfilter/Makefile b/net/ipv4/ne
tfilter/Makefile
--- a/net/ipv4/netfilter/Makefile Mon Aug 25 19:44:44 2003
+++ b/net/ipv4/netfilter/Makefile Wed Sep 7 16:24:52 2005
@@ -83,6 +83,7 @@
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CTDIRMARK) += ipt_ctdirmark.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -98,6 +99,7 @@
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CTDIRMARK) += ipt_CTDIRMARK.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
diff -Nru a/net/ipv4/netfilter/ipt_ctdirmark.c b/net/ipv4/netfilter/ipt_ctdirmark.c
--- a/net/ipv4/netfilter/ipt_ctdirmark.c Wed Sep 7 16:27:49 2005
+++ b/net/ipv4/netfilter/ipt_ctdirmark.c Wed Sep 7 15:24:48 2005
@@ -0,0 +1,64 @@
+/* Kernel module to match bidirectional connection mark values. */
+#define __KERNEL__
+#define MODULE
+#define MATCH 1
+#define NOMATCH 0
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include "ipt_ctdirmark.h"
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_ctdirmark_info *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+ if (!ct)
+ return 0;
+ if ((info->bitmask & IPT_CTDIRMARK_ORIGINAL &&
+ (!((ct->mark_dir[IP_CT_DIR_ORIGINAL] & info->mask[IP_CT_DIR_ORIGINAL]) == info->mark[IP_CT_DIR_ORIGINAL]) ^ !!(in
fo->invert & IPT_CTDIRMARK_ORIGINAL))) ||
+ (info->bitmask & IPT_CTDIRMARK_REPLY &&
+ (!((ct->mark_dir[IP_CT_DIR_REPLY] & info->mask[IP_CT_DIR_REPLY]) == info->mark[IP_CT_DIR_REPLY]) ^ !!(info->inver
t & IPT_CTDIRMARK_REPLY))))
+ return NOMATCH;
+ return MATCH;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match ctdirmark_match
+= { { NULL, NULL }, "ctdirmark", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_match(&ctdirmark_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ctdirmark_match);
+}
+
+module_init(init);
+module_exit(fini);
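Review bot: The `#define __KERNEL__` and `#define MODULE` lines at the top of ipt_ctdirmark.c should be dropped: the kernel build passes both on the command line, and hard-coding `MODULE` makes the file claim to be a module even when CONFIG_IP_NF_MATCH_CTDIRMARK=y. The quoted `#include "ipt_ctdirmark.h"` also looks wrong, since the header is added under include/linux/netfilter_ipv4/ rather than next to this file; `#include <linux/netfilter_ipv4/ipt_ctdirmark.h>` matches the sibling includes. `checkentry` validates only the size, so a rule whose `bitmask` is 0 makes `match()` return MATCH for every tracked packet and unknown bits are accepted silently; add `if (!info->bitmask || (info->bitmask & ~(IPT_CTDIRMARK_ORIGINAL | IPT_CTDIRMARK_REPLY))) return 0;` after the size check (with `const struct ipt_ctdirmark_info *info = matchinfo;`). The `MATCH`/`NOMATCH` macros are used inconsistently: the `!ct` path returns a bare `0`, which should be `NOMATCH` for the same reason the other paths use the names.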
diff -Nru a/net/ipv4/netfilter/ipt_CTDIRMARK.c b/net/ipv4/netfilter/ipt_CTDIRMARK.c
--- a/net/ipv4/netfilter/ipt_CTDIRMARK.c Wed Sep 7 16:31:08 2005
+++ b/net/ipv4/netfilter/ipt_CTDIRMARK.c Wed Sep 7 15:25:19 2005
@@ -0,0 +1,103 @@
+/* This is a module which is used for setting/remembering the mark field of
+ * an connection, or optionally restore it to the skb
+ */
+#define __KERNEL__
+#define MODULE
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "ipt_CTDIRMARK.h"
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *targinfo,
+ void *userinfo)
+{
+ const struct ipt_ctdirmark_target_info *info = targinfo;
+
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+ if (ct) {
+ switch(info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ ct->mark_dir[IP_CT_DIR_ORIGINAL] = info->mark[IP_CT_DIR_ORIGINAL];
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ ct->mark_dir[IP_CT_DIR_REPLY] = info->mark[IP_CT_DIR_REPLY];
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ ct->mark_dir[IP_CT_DIR_ORIGINAL] = (*pskb)->nfmark;
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ ct->mark_dir[IP_CT_DIR_REPLY] = (*pskb)->nfmark;
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+ if (ct->mark_dir[IP_CT_DIR_ORIGINAL] != (*pskb)->nfmark) {
+ (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_ORIGINAL];
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ }else if (info->bitmask & IPT_CTDIRMARK_REPLY){
+ if (ct->mark_dir[IP_CT_DIR_REPLY] != (*pskb)->nfmark) {
+ (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_REPLY];
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ }
+ break;
+ }
+ }
+
+ return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ struct ipt_ctdirmark_target_info *info = targinfo;
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info))) {
+ printk(KERN_WARNING "CTDIRMARK: targinfosize %u != %Zu\n",
+ targinfosize,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)));
+ return 0;
+ }
+
+ if (info->mode == IPT_CTDIRMARK_RESTORE) {
+ if (strcmp(tablename, "mangle") != 0) {
+ printk(KERN_WARNING "CTDIRMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablenam
e);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static struct ipt_target ipt_ctdirmark_reg
+= { { NULL, NULL }, "CTDIRMARK", target, checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ if (ipt_register_target(&ipt_ctdirmark_reg))
+ return -EINVAL;
+
+ return 0;
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_target(&ipt_ctdirmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
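Review bot: In the `IPT_CTDIRMARK_RESTORE` arm of `target()` the reply branch is an `else if`, so a rule with both `IPT_CTDIRMARK_ORIGINAL` and `IPT_CTDIRMARK_REPLY` set (which the userspace parser allows after `--restore-mark`) silently restores only the original mark; since one nfmark can only hold one value, `checkentry` should reject both bits together for RESTORE rather than leave the precedence implicit. `checkentry` also accepts `bitmask == 0` for SAVE/RESTORE, which turns the target into a no-op, and never bounds `mode`, while the `switch` in `target()` has no `default`; add `if (info->bitmask & ~(IPT_CTDIRMARK_ORIGINAL | IPT_CTDIRMARK_REPLY)) return 0;` and `if (info->mode != IPT_CTDIRMARK_SET && info->mode != IPT_CTDIRMARK_SAVE && info->mode != IPT_CTDIRMARK_RESTORE) return 0;` before returning 1. The file includes `"ipt_CTDIRMARK.h"`, which must define `struct ipt_ctdirmark_target_info` and the `IPT_CTDIRMARK_SET/SAVE/RESTORE` constants, but that header is not part of this patch, and the include should use the `<linux/netfilter_ipv4/...>` form like its neighbours. As in the match module, `#define __KERNEL__`/`#define MODULE` should be removed in favour of the build system's flags. The header comment still describes the single-mark CONNMARK target; `/* Set, save or restore the per-direction conntrack marks (mark_dir) of a connection. */` would describe this one.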
-------------- next part --------------
diff -Nru a/extensions/Makefile b/extensions/Makefile
--- a/extensions/Makefile Wed Sep 7 16:42:31 2005
+++ b/extensions/Makefile Wed Sep 7 16:40:11 2005
@@ -5,7 +5,7 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS T
TL ULOG
+PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state ctdirmark tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TC
PMSS TOS TTL ULOG CTDIRMARK
PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK
# Optionals
diff -Nru a/extensions/libipt_ctdirmark.c b/extensions/libipt_ctdirmark.c
--- a/extensions/libipt_ctdirmark.c Wed Sep 7 16:46:18 2005
+++ b/extensions/libipt_ctdirmark.c Wed Sep 7 15:28:33 2005
@@ -0,0 +1,171 @@
+/* Shared library add-on to iptables to add CTDIRMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"ctdirmark match v%s options:\n"
+"[!] --mark_original value[/mask] Match nfmark in dir original value with optional mask\n"
+"[!] --mark_reply value[/mask] Match nfmark in dir reply value with optional mask\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "mark_original", 1, 0, '1' },
+ { "mark_reply", 1, 0, '2' },
+ {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ /* Can't cache this. */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ unsigned int *nfcache,
+ struct ipt_entry_match **match)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)(*match)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ if (*flags & IPT_CTDIRMARK_ORIGINAL)
+ goto multiple_use;
+ check_inverse(optarg, &invert, &optind, 0);
+ info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ info->mask[IP_CT_DIR_ORIGINAL] = strtoul(end+1, &end, 0);
+ } else
+ info->mask[IP_CT_DIR_ORIGINAL] = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (invert)
+ info->invert |= IPT_CTDIRMARK_ORIGINAL;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ *flags |= IPT_CTDIRMARK_ORIGINAL;
+ break;
+
+ case '2':
+ if (*flags & IPT_CTDIRMARK_REPLY)
+ goto multiple_use;
+ check_inverse(optarg, &invert, &optind, 0);
+ info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ info->mask[IP_CT_DIR_REPLY] = strtoul(end+1, &end, 0);
+ } else
+ info->mask[IP_CT_DIR_REPLY] = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (invert)
+ info->invert |= IPT_CTDIRMARK_REPLY;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ *flags |= IPT_CTDIRMARK_REPLY;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+ multiple_use:
+ exit_error(PARAMETER_PROBLEM,
+ "multiple use of the same ctdirmark option is not allowed");
+}
+
+static void
+print_mark(unsigned long mark, unsigned long mask, int numeric)
+{
+ if(mask != 0xffffffff)
+ printf("0x%lx/0x%lx ", mark, mask);
+ else
+ printf("0x%lx ", mark);
+}
+
+/* Final check; must have specified --mark. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "MARK match: You must specify `--mark_original' or `--mark_reply'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+ int numeric)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+ printf("ctdirmark match ");
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+ if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+ printf("!");
+ printf("--mark_original ");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], numeric);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+ if (info->invert & IPT_CTDIRMARK_REPLY)
+ printf("!");
+ printf("--mark_reply ");
+ print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], numeric);
+ }
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+ if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+ printf("!");
+ printf("--mark_original ");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], 0);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+ if (info->invert & IPT_CTDIRMARK_REPLY)
+ printf("!");
+ printf("--mark_reply ");
+ print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], 0);
+ }
+}
+
+static
+struct iptables_match mark
+= { NULL,
+ "ctdirmark",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_match(&mark);
+}
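Review bot: libipt_ctdirmark.c includes `<linux/netfilter_ipv4/ipt_CTDIRMARK.h>` (the target header) although the match's `struct ipt_ctdirmark_info` and `IPT_CTDIRMARK_ORIGINAL/REPLY` come from the new `ipt_ctdirmark.h` in the first hunk; it should read `#include <linux/netfilter_ipv4/ipt_ctdirmark.h>`, otherwise it only builds if the absent target header happens to re-declare the same names. The error text in `final_check` still says `"MARK match: ..."`, a leftover from libipt_mark.c; `"ctdirmark match: You must specify `--mark_original' or `--mark_reply'"` matches the name used in `help()` and `print()`. `print_mark` ignores its `numeric` argument, which is fine, but a comment such as `/* numeric is unused: marks are always printed in hex */` saves the next reader a look.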
diff -Nru a/extensions/libipt_CTDIRMARK.c b/extensions/libipt_CTDIRMARK.c
--- a/extensions/libipt_CTDIRMARK.c Wed Sep 7 16:48:53 2005
+++ b/extensions/libipt_CTDIRMARK.c Wed Sep 7 15:28:52 2005
@@ -0,0 +1,221 @@
+/* Shared library add-on to iptables to add CTDIRMARK target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/*
+#if 0
+struct markinfo {
+ struct ipt_entry_target t;
+ struct ipt_ctdirmark_target_info mark;
+};
+#endif
+*/
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"CTDIRMARK target v%s options:\n"
+" --set-mark_original value Set ctdirmark mark value in original dir\n"
+" --set-mark_reply value Set ctdirmark mark value in reply dir\n"
+" --save-mark Save the packet nfmark on the connection in the specified dir\n"
+" --restore-mark Restore saved nfmark value\n"
+" --mark_original specify original dir\n"
+" --mark_reply specify reply dir\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "set-mark_original", 1, 0, '1' },
+ { "set-mark_reply", 1, 0, '2' },
+ { "save-mark", 0, 0, '3' },
+ { "restore-mark", 0, 0, '4' },
+ { "mark_original", 0, 0, '5' },
+ { "mark_reply", 0, 0, '6' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ struct ipt_entry_target **target)
+{
+ struct ipt_ctdirmark_target_info *info
+ = (struct ipt_ctdirmark_target_info *)(*target)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ if (*flags & ~IPT_CTDIRMARK_TARGET_SET_REPLY)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SET;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ *flags |= IPT_CTDIRMARK_TARGET_SET_ORIGINAL;
+ break;
+ case '2':
+ if (*flags & ~IPT_CTDIRMARK_TARGET_SET_ORIGINAL)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SET;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ *flags |= IPT_CTDIRMARK_TARGET_SET_REPLY;
+ break;
+ case '3':
+ if (*flags)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SAVE;
+ *flags |= IPT_CTDIRMARK_TARGET_SAVE;
+ break;
+ case '4':
+ if (*flags)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_RESTORE;
+ *flags |= IPT_CTDIRMARK_TARGET_RESTORE;
+ break;
+ case '5':
+ if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+ (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+ (*flags & IPT_CTDIRMARK_TARGET_ORIGINAL))
+ goto multiple_use;
+ if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+ !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+ goto wrong_use;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ *flags |= IPT_CTDIRMARK_TARGET_ORIGINAL;
+ break;
+ case '6':
+ if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+ (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+ (*flags & IPT_CTDIRMARK_TARGET_REPLY))
+ goto multiple_use;
+ if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+ !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+ goto wrong_use;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ *flags |= IPT_CTDIRMARK_TARGET_REPLY;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+multiple_use:
+ exit_error(PARAMETER_PROBLEM,
+ "multiple use of the same ctdirmark option is not allowed");
+wrong_use:
+ exit_error(PARAMETER_PROBLEM,
+ "without save or restore option in advance is not allowed");
+}
+
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CTDIRMARK target: Parameter --set-mark_original or --set-mark_reply is required");
+}
+
+static void
+print_mark(unsigned long mark, int numeric)
+{
+ printf("0x%lx ", mark);
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_ctdirmark_target_info *info =
+ (const struct ipt_ctdirmark_target_info *)target->data;
+ switch (info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+ printf("CTDIRMARK set original");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], numeric);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY){
+ printf("CTDIRMARK set reply");
+ print_mark(info->mark[IP_CT_DIR_REPLY], numeric);
+ }
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ printf("CTDIRMARK save ");
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ printf("CTDIRMARK restore ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+ break;
+ }
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+ const struct ipt_ctdirmark_target_info *info =
+ (const struct ipt_ctdirmark_target_info *)target->data;
+
+ switch (info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ printf("--set-mark_original 0x%lx ", info->mark[IP_CT_DIR_ORIGINAL]);
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ printf("--set-mark_reply 0x%lx ", info->mark[IP_CT_DIR_REPLY]);
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ printf("--save-mark ");
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ printf("--restore-mark ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+ break;
+ }
+}
+
+static
+struct iptables_target mark
+= { NULL,
+ "CTDIRMARK",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_target(&mark);
+}
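Review bot: `save()` drops the direction for SAVE and RESTORE: it prints only `--save-mark `/`--restore-mark ` and never the `--mark_original`/`--mark_reply` the `bitmask` was built from, so an `iptables-save`/`iptables-restore` round trip produces a rule with `bitmask == 0` that the kernel target silently ignores. `print()` has the same omission, and its SET arms are missing a space before the value (`"CTDIRMARK set original"` is followed directly by `0x…`). `final_check` lets `--save-mark` or `--restore-mark` through without a direction because `flags` is non-zero; checking `if ((flags & (IPT_CTDIRMARK_TARGET_SAVE | IPT_CTDIRMARK_TARGET_RESTORE)) && !(flags & (IPT_CTDIRMARK_TARGET_ORIGINAL | IPT_CTDIRMARK_TARGET_REPLY)))` and exiting with a message naming `--mark_original`/`--mark_reply` would catch it on the command line, and its existing message should mention those options as well. The `IPT_CTDIRMARK_TARGET_*` flag values and `struct ipt_ctdirmark_target_info` come from `ipt_CTDIRMARK.h`, which this patch does not include, so the flag arithmetic in `parse` cannot be checked here. The commented-out `#if 0 struct markinfo` block near the top is dead code and should go.
```c
/* Emit the direction selectors that rebuild info->bitmask on reload. */
static void
print_dir(unsigned int bitmask)
{
	if (bitmask & IPT_CTDIRMARK_ORIGINAL)
		printf("--mark_original ");
	if (bitmask & IPT_CTDIRMARK_REPLY)
		printf("--mark_reply ");
}

static void
save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
{
	/* … unchanged: info cast … */
	switch (info->mode) {
	/* … unchanged: IPT_CTDIRMARK_SET arm … */
	case IPT_CTDIRMARK_SAVE:
		printf("--save-mark ");
		print_dir(info->bitmask);
		break;
	case IPT_CTDIRMARK_RESTORE:
		printf("--restore-mark ");
		print_dir(info->bitmask);
		break;
	/* … unchanged: default arm … */
	}
}
```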
* Re: [PATCH 2.4] Introducing Bidirectional conntrack mark
@ 2005-09-08 16:10 ` Henrik Nordstrom
From: Henrik Nordstrom @ 2005-09-08 16:10 UTC (permalink / raw)
To: Jesse Peng; +Cc: netfilter-devel
On Wed, 7 Sep 2005, Jesse Peng wrote:
> Greetings all,
> This patch fully derive from Henrik Nordstrom's long known connmark patch but is extended to bidirectional solution.
> The solution once discussed as the following link:
> https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018784.html
>
>
> Dear Henrik:
> Feel free to give any advice for the work extending your existing famous connmark patch.
>
> Dear Jian:
> I got approved for quite a period,but sorry for this late posting this patch after a busy season.Hope this help!
Patch seems incomplete. Can not find definition of conntrack->dir_mark
Also as before I still wonder if this relatively big amount of info in
each conntrack is really needed. CONNMARK already declares 32 bits per
conntrack entry free for any use. Perhaps better to extend CONNMARK with
shifting of the value allowing simple save/restore operations based on
direction (where directions is selected by the already existing conntrack
match).
But I do fully agree with the principle of being able to intelligently keep
conntrack state information/marks direction-dependent, and that having just
a simple masking of the value is perhaps not sufficient in all situations.
Regards
Henrik
* Re: [PATCH 2.4] Introducing Bidirectional conntrack mark
@ 2005-09-09 6:49 ` Jesse Peng
From: Jesse Peng @ 2005-09-09 6:49 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter-devel
----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: "Jesse Peng" <Jesse@deansoft.com.tw>
Cc: "Wang Jian" <lark@linux.net.cn>; "netfilter-devel"
<netfilter-devel@lists.netfilter.org>
Sent: Friday, September 09, 2005 12:10 AM
Subject: Re: [PATCH 2.4] Introducing Bidirectional conntrack mark
> Patch seems incomplete. Can not find definition of conntrack->dir_mark
Thanks,post them below.
> Also as before I still wonder if this relatively big amount of info in
> each conntrack is really needed. CONNMARK already declares 32 bits per
> conntrack entry free for any use. Perhaps better to extend CONNMARK with
> shifting of the value allowing simple save/restore operations based on
> direction (where directions is selected by the already existing conntrack
> match).
As it only costs twice the space, why not handle them simply? :)
Otherwise, I would keep a private structure and cast the existing 32 bits
to a pointer to it when needed.
>
> But I do fully agree with the principle of being able to intelligenly keep
> conntrack state information/mark direction dependent and that having just
> a simple masking of the value is perhaps not sufficient in all situations.
Yes,you are a wise person! :)
diff -Nur a/include/linux/netfilter_ipv4/ip_conntrack.h
b/include/linux/netfilter_ipv4/ip_conntrack.h
--- a/include/linux/netfilter_ipv4/ip_conntrack.h Mon Apr 4 09:42:20
2005
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h Fri Sep 9 14:20:02
2005
@@ -207,6 +207,9 @@
} nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */
+#if defined(CONFIG_IP_NF_CTDIRMARK)
+ unsigned long mark_dir[IP_CT_DIR_MAX];
+#endif
};
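Review bot: The new `mark_dir[IP_CT_DIR_MAX]` member is guarded with `#if defined(CONFIG_IP_NF_CTDIRMARK)` here and in ip_conntrack_standalone.c, but the ip_conntrack_core.c hunk uses `#if CONFIG_IP_NF_CTDIRMARK`; the two forms only agree while the option expands to 1, so use `#ifdef CONFIG_IP_NF_CTDIRMARK` in all three places. Nothing in this patch initialises `mark_dir` for connections that are not expected; if `init_conntrack` does not zero the whole struct (not visible here, please confirm), fresh entries carry whatever the allocator returned and `ipt_ctdirmark` would match on it. A one-line comment on the member, `/* per-direction nfmark storage, written by the CTDIRMARK target */`, would document the contract. `struct ip_conntrack` begins outside this hunk.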
diff -Nur a/net/ipv4/netfilter/ip_conntrack_standalone.c
b/net/ipv4/netfilter/ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c Mon Apr 4 09:42:20
2005
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c Wed Sep 7 15:43:01
2005
@@ -107,7 +107,13 @@
len += sprintf(buffer + len, "[ASSURED] ");
len += sprintf(buffer + len, "use=%u ",
atomic_read(&conntrack->ct_general.use));
- len += sprintf(buffer + len, "\n");
+
+#if defined(CONFIG_IP_NF_CTDIRMARK)
+ len += sprintf(buffer + len,
+ "ctdirmark_original=%x,ctdirmark_reply=%x",
mark_dir[IP_CT_DIR_ORIGINAL],mark_dir[IP_CT_DIR_REPLY]);
+#endif
+
+ len += sprintf(buffer + len, "\n");
return len;
}
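Review bot: The added `sprintf` in the /proc formatter references `mark_dir[IP_CT_DIR_ORIGINAL]` and `mark_dir[IP_CT_DIR_REPLY]` without the `conntrack->` prefix the surrounding lines use (`atomic_read(&conntrack->ct_general.use)`), so the file will not compile with CONFIG_IP_NF_CTDIRMARK=y. The format also prints `unsigned long` values with `%x`; use `"ctdirmark_original=%lx,ctdirmark_reply=%lx", conntrack->mark_dir[IP_CT_DIR_ORIGINAL], conntrack->mark_dir[IP_CT_DIR_REPLY]`. The enclosing function starts outside the hunk.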
diff -Nur a/net/ipv4/netfilter/ip_conntrack_core.c
b/net/ipv4/netfilter/ip_conntrack_core.c
--- a/net/ipv4/netfilter/ip_conntrack_core.c Mon Apr 4 09:42:20 2005
+++ b/net/ipv4/netfilter/ip_conntrack_core.c Wed Sep 7 15:46:09 2005
@@ -742,7 +742,14 @@
__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
conntrack->master = expected;
expected->sibling = conntrack;
- LIST_DELETE(&ip_conntrack_expect_list, expected);
+
+#if CONFIG_IP_NF_CTDIRMARK
+ conntrack->mark_dir[IP_CT_DIR_ORIGINAL] =
expected->expectant->mark_dir[IP_CT_DIR_ORIGINAL];
+ conntrack->mark_dir[IP_CT_DIR_REPLY] =
expected->expectant->mark_dir[IP_CT_DIR_REPLY];
+#endif
+
+
+ LIST_DELETE(&ip_conntrack_expect_list, expected);
expected->expectant->expecting--;
nf_conntrack_get(&master_ct(conntrack)->infos[0]);
}
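Review bot: The guard here is `#if CONFIG_IP_NF_CTDIRMARK`, unlike the `#if defined(CONFIG_IP_NF_CTDIRMARK)` used in the other two hunks; `#ifdef CONFIG_IP_NF_CTDIRMARK` keeps all three in the same form and avoids depending on the option expanding to 1. The `LIST_DELETE` line is removed and re-added unchanged below the new block, yet the copy only reads `expected->expectant`, so inserting the block after the existing `LIST_DELETE` would leave the hunk smaller and the intent clearer. A comment stating that intent, `/* related connections inherit the master's per-direction marks */`, would help, since the inheritance is otherwise undocumented. The enclosing function (presumably init_conntrack) begins and ends outside the hunk.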
* Need a method to reset the ip_conntrack_count
@ 2005-10-13 9:32 ` Vincent
From: Vincent @ 2005-10-13 9:32 UTC (permalink / raw)
To: netfilter
Hello folks,
I have encountered one question: is there a way to flush the
conntrack table besides reloading the ip_conntrack module
(because I build it into the kernel)?
As far as I know, the current conntrack count is recorded in
/proc/sys/net/ipv4/netfilter/ip_conntrack_count
So I want to know whether there is a method to reset the current
conntrack counter.
My Environment:
Kernel: 2.6.10
Iptables: 1.2.9
Any hints are appreciated.
Vincent
* Re: Need a method to reset the ip_conntrack_count
@ 2005-10-13 9:55 ` Eric Leblond
From: Eric Leblond @ 2005-10-13 9:55 UTC (permalink / raw)
To: netfilter
> Hello folks,
>
> I have encountered one question. Does it have a way to flush the
> My Enviroment:
> Kenel: 2.6.10
> Iptables: 1.2.9
you need to use the upcoming 2.6.14 to be able to do so....
Pablo Neira's conntrack tool can do the job.
>
> Any hint are appreciated.
>
> Vincent
>
>
>
>
* RE: Need a method to reset the ip_conntrack_count
@ 2005-10-13 11:59 ` Vincent
From: Vincent @ 2005-10-13 11:59 UTC (permalink / raw)
To: netfilter, 'Netfilter Development Mailinglist'
Hi,
Can I use the conntrack tool written by Harald Welte/Pablo Neira Ayuso
to flush the conntrack entries at the moment?
Then I could reset the ip_conntrack_count described in the
problem below.
And is there an individual patch based on kernel 2.6.10 for these
conntrack packages?
Thanks in advance
Vincent
> -----Original Message-----
> From: Vincent [mailto:cs83152@csie.chu.edu.tw]
> Sent: Thursday, October 13, 2005 5:32 PM
> To: 'netfilter@lists.netfilter.org'
> Subject: Need a method to reset the ip_conntrack_count
>
>
> Hello folks,
>
> I have encountered one question. Does it have a way to flush
> the conntrack table beside reloading the ip_conntrack module
> (because I use the method of building into kernel.
>
> As far as I know, the current conntrack number was recorded
> in the /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> So I want to know whether it exists a method or not to reset
> the current counter of conntrack.
>
> My Enviroment:
> Kenel: 2.6.10
> Iptables: 1.2.9
>
> Any hint are appreciated.
>
> Vincent
>
>
* RE: Need a method to reset the ip_conntrack_count
@ 2005-10-13 11:59 ` Vincent
From: Vincent @ 2005-10-13 11:59 UTC (permalink / raw)
To: netfilter, 'Netfilter Development Mailinglist'
Hi,
Can I use the conntrack tool written by Harald Welte/Pablo Neira Ayuso
to flush the conntrack entries at the moment?
Then I could reset the ip_conntrack_count described in the
problem below.
And is there an individual patch based on kernel 2.6.10 for these
conntrack packages?
Thanks in advance
Vincent
> -----Original Message-----
> From: Vincent [mailto:cs83152@csie.chu.edu.tw]
> Sent: Thursday, October 13, 2005 5:32 PM
> To: 'netfilter@lists.netfilter.org'
> Subject: Need a method to reset the ip_conntrack_count
>
>
> Hello folks,
>
> I have encountered one question. Does it have a way to flush
> the conntrack table beside reloading the ip_conntrack module
> (because I use the method of building into kernel.
>
> As far as I know, the current conntrack number was recorded
> in the /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> So I want to know whether it exists a method or not to reset
> the current counter of conntrack.
>
> My Enviroment:
> Kenel: 2.6.10
> Iptables: 1.2.9
>
> Any hint are appreciated.
>
> Vincent
>
>
* Re: Need a method to reset the ip_conntrack_count
@ 2005-10-13 21:48 ` Henrik Nordstrom
From: Henrik Nordstrom @ 2005-10-13 21:48 UTC (permalink / raw)
To: Vincent; +Cc: netfilter
On Thu, 13 Oct 2005, Vincent wrote:
> I have encountered one question. Does it have a way to flush the
> conntrack table beside reloading the ip_conntrack module
> (because I use the method of building into kernel.
See the conntrack tool announced some time back.
Regards
Henrik
* RE: Need a method to reset the ip_conntrack_count
@ 2005-10-13 21:49 ` Henrik Nordstrom
From: Henrik Nordstrom @ 2005-10-13 21:49 UTC (permalink / raw)
To: Vincent; +Cc: 'Netfilter Development Mailinglist', netfilter
On Thu, 13 Oct 2005, Vincent wrote:
> And do we have the individual patch based on kernel 2.6.10 for the teses
> contrack packages?
It is quite unlikely you will find patches to 2.6.10 for this.
Any reason why you can not upgrade the kernel?
Regards
Henrik