[PATCH 3/7] Add conntrack marking support from userspace

[PATCH 3/7] Add conntrack marking support from userspace

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

This patch adds support for conntrack marking from user space.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

[-- Attachment #2: 06-set-mark.patch --]
[-- Type: text/plain, Size: 1030 bytes --]

This patch adds support for conntrack marking from user space.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Index: net-2.6.git/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- net-2.6.git.orig/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-04 17:45:21.000000000 +0100
+++ net-2.6.git/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-04 18:31:06.000000000 +0100
@@ -979,6 +979,11 @@ ctnetlink_change_conntrack(struct ip_con
 			return err;
 	}
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	if (cda[CTA_MARK-1])
+		ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
+#endif
+
 	DEBUGP("all done\n");
 	return 0;
 }
@@ -1022,6 +1027,11 @@ ctnetlink_create_conntrack(struct nfattr
 	if (ct->helper)
 		ip_conntrack_helper_put(ct->helper);
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	if (cda[CTA_MARK-1])
+		ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
+#endif
+
 	DEBUGP("conntrack with id %u inserted\n", ct->id);
 	return 0;
 

Re: [PATCH 3/7] Add conntrack marking support from userspace

[Patrick McHardy]

Pablo Neira wrote:
> This patch adds support for conntrack marking from user space.

This seems to be missing sizechecks. Looking at ip_conntrack_netlink,
they seem to be missing a few other places too.