Fixed proken MARK target in POM.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Anders Fugmann <afu@fugmann.dhs.org>
To: netfilter-devel@lists.netfilter.org
Subject: Fixed proken MARK target in POM.
Date: Thu, 09 Jan 2003 14:07:37 +0100	[thread overview]
Message-ID: <3E1D7419.1060502@fugmann.dhs.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 833 bytes --]

Hi.

As I require the BIT-operations provided by the MARK target in POM,
attached is a fixed version of this.

The patch extends the MARK target in mangle chains to allow:

# iptables -t mangle -A PRERPUTING -j MARK --set-mark 0x01
# iptables -t mangle -A PRERPUTING -j MARK --and-mark 0x01
# iptables -t mangle -A PRERPUTING -j MARK --or-mark 0x01

The version is widly based on the current one with only minor code 
fixes. The kernel patch applies cleanly to 2.4.20 and 2.5.54. The 
userspace patch is against 1.2.7a. The patch has been tested on 2.5.54.

The patch maintains backward compability, and I request that this patch 
is applied to mainstream (and pushed to the Andrea for kernel 
inclusion), as I as a software developer of a firewall cannot ask users 
of the software to appliy patches to POM.

Regards
Anders Fugmann

[-- Attachment #2: MARK_TARGET.patch --]
[-- Type: text/plain, Size: 1559 bytes --]

diff -r -u linux-2.4.20/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.4.20-new/include/linux/netfilter_ipv4/ipt_MARK.h
--- linux-2.4.20/include/linux/netfilter_ipv4/ipt_MARK.h	2000-03-17 19:56:20.000000000 +0100
+++ linux-2.4.20-new/include/linux/netfilter_ipv4/ipt_MARK.h	2003-01-09 11:15:06.000000000 +0100
@@ -1,8 +1,15 @@
 #ifndef _IPT_MARK_H_target
 #define _IPT_MARK_H_target
 
+enum {
+        IPT_MARK_SET=0,
+        IPT_MARK_AND,
+        IPT_MARK_OR
+};
+
 struct ipt_mark_target_info {
 	unsigned long mark;
+	u_int8_t mode;
 };
 
 #endif /*_IPT_MARK_H_target*/
diff -r -u linux-2.4.20/net/ipv4/netfilter/ipt_MARK.c linux-2.4.20-new/net/ipv4/netfilter/ipt_MARK.c
--- linux-2.4.20/net/ipv4/netfilter/ipt_MARK.c	2001-09-30 21:26:08.000000000 +0200
+++ linux-2.4.20-new/net/ipv4/netfilter/ipt_MARK.c	2003-01-09 11:22:53.000000000 +0100
@@ -16,11 +16,31 @@
        void *userinfo)
 {
 	const struct ipt_mark_target_info *markinfo = targinfo;
+	int newmark;
+	
+	switch (markinfo->mode) {
+	case IPT_MARK_SET:
+		newmark = markinfo->mark;
+		break;
+		
+	case IPT_MARK_AND:
+		newmark = (*pskb)->nfmark & markinfo->mark;
+		break;
+		
+	case IPT_MARK_OR:
+		newmark = (*pskb)->nfmark | markinfo->mark;
+		break;
+
+	default:
+                newmark = (*pskb)->nfmark;
+		break;
+	}
 
-	if((*pskb)->nfmark != markinfo->mark) {
-		(*pskb)->nfmark = markinfo->mark;
-		(*pskb)->nfcache |= NFC_ALTERED;
+	if ((*pskb)->nfmark != newmark) {
+	        (*pskb)->nfmark = newmark;
+	        (*pskb)->nfcache |= NFC_ALTERED;
 	}
+
 	return IPT_CONTINUE;
 }
 

[-- Attachment #3: MARK_operations.patch.userspace --]
[-- Type: text/plain, Size: 3546 bytes --]

diff -u -r iptables-1.2.7a/extensions/libipt_MARK.c iptables-1.2.7a-new/extensions/libipt_MARK.c
--- iptables-1.2.7a/extensions/libipt_MARK.c	2002-08-05 16:26:47.000000000 +0200
+++ iptables-1.2.7a-new/extensions/libipt_MARK.c	2003-01-09 13:29:47.000000000 +0100
@@ -20,12 +20,16 @@
 	printf(
 "MARK target v%s options:\n"
 "  --set-mark value                   Set nfmark value\n"
+"  --and-mark value                   Binary AND the nfmark with value\n"
+"  --or-mark  value                   Binary OR  the nfmark with value\n"
 "\n",
 IPTABLES_VERSION);
 }
 
 static struct option opts[] = {
 	{ "set-mark", 1, 0, '1' },
+	{ "and-mark", 1, 0, '2' },
+	{ "or-mark", 1, 0, '3' },
 	{ 0 }
 };
 
@@ -45,17 +49,29 @@
 	struct ipt_mark_target_info *markinfo
 		= (struct ipt_mark_target_info *)(*target)->data;
 
-	switch (c) {
-	case '1':
-		if (string_to_number(optarg, 0, 0xffffffff, 
+	/* Do generic stuff */
+	if (c=='1' || c=='2' || c=='3') {
+	        if (string_to_number(optarg, 0, 0xffffffff, 
 				     (unsigned int *)&markinfo->mark))
-			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+		        exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+
 		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
-			           "MARK target: Can't specify --set-mark twice");
+		        exit_error(PARAMETER_PROBLEM,
+				   "MARK target: Can't specify --set-mark twice");
 		*flags = 1;
-		break;
 
+	}
+		
+	switch (c) {
+	case '1':
+	        markinfo->mode = IPT_MARK_SET;
+		break;
+	case '2':
+	        markinfo->mode = IPT_MARK_AND;
+		break;
+	case '3':
+	        markinfo->mode = IPT_MARK_OR;
+		break;
 	default:
 		return 0;
 	}
@@ -68,7 +84,7 @@
 {
 	if (!flags)
 		exit_error(PARAMETER_PROBLEM,
-		           "MARK target: Parameter --set-mark is required");
+		           "MARK target: Additional parameter required");
 }
 
 static void
@@ -85,7 +101,17 @@
 {
 	const struct ipt_mark_target_info *markinfo =
 		(const struct ipt_mark_target_info *)target->data;
-	printf("MARK set ");
+	switch (markinfo->mode) {
+	case IPT_MARK_SET:
+	        printf("MARK set ");
+	        break;
+	case IPT_MARK_AND:
+	        printf("MARK and ");
+	        break;
+	case IPT_MARK_OR: 
+	        printf("MARK or ");
+	        break;
+	}
 	print_mark(markinfo->mark, numeric);
 }
 
@@ -95,8 +121,19 @@
 {
 	const struct ipt_mark_target_info *markinfo =
 		(const struct ipt_mark_target_info *)target->data;
+	switch (markinfo->mode) {
+	case IPT_MARK_SET:
+	        printf("--set-mark");
+	        break;
+	case IPT_MARK_AND:
+	        printf("--and-mark");
+	        break;
+	case IPT_MARK_OR: 
+	        printf("--or-mark");
+	        break;
+	}
 
-	printf("--set-mark 0x%lx ", markinfo->mark);
+	printf(" 0x%lx ", markinfo->mark);
 }
 
 static
diff -u -r iptables-1.2.7a/iptables.8 iptables-1.2.7a-new/iptables.8
--- iptables-1.2.7a/iptables.8	2002-08-07 11:37:40.000000000 +0200
+++ iptables-1.2.7a-new/iptables.8	2003-01-09 12:25:13.000000000 +0100
@@ -690,6 +690,20 @@
 table.  It can for example be used in conjunction with iproute2.
 .TP
 .BI "--set-mark " "mark"
+Sets the marking of the packet to 
+.I mark
+regardless of the current mark value of the packet.
+.TP
+.BI "--and-mark " "mark"
+Binary AND the current mark value of the packet with the supplied
+.I mark 
+value.
+.TP
+.BI "--or-mark " "mark"
+Binary OR the current mark value of the packet with the supplied
+.I mark 
+value.
+
 .SS REJECT
 This is used to send back an error packet in response to the matched
 packet: otherwise it is equivalent to

next             reply	other threads:[~2003-01-09 13:07 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-01-09 13:07 Anders Fugmann [this message]
2003-01-10 14:00 ` Fixed proken MARK target in POM Harald Welte
2003-01-10 15:28   ` Anders Fugmann
2003-01-10 16:38     ` Anders Fugmann
2003-01-11 19:16       ` Harald Welte
2003-01-12 19:58         ` Anders Fugmann
2003-01-11 19:23     ` Harald Welte

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3E1D7419.1060502@fugmann.dhs.org \
    --to=afu@fugmann.dhs.org \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.