* [PATCH 5/5] Add support for secmark
@ 2007-12-09 18:13 Pablo Neira Ayuso
2007-12-09 18:24 ` Pablo Neira Ayuso
2007-12-12 8:33 ` Patrick McHardy
0 siblings, 2 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2007-12-09 18:13 UTC (permalink / raw)
To: Netfilter Development Mailinglist; +Cc: Patrick McHardy, James Morris
[-- Attachment #1: Type: text/plain, Size: 172 bytes --]
This patch adds support for James Morris' connsecmark.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--
"Los honestos son inadaptados sociales" -- Les Luthiers
[-- Attachment #2: 05.patch --]
[-- Type: text/x-patch, Size: 3671 bytes --]
[PATCH][CTNETLINK] Add support for secmark
This patch adds support for James Morris' connsecmark.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Index: net-2.6.git/include/linux/netfilter/nf_conntrack_common.h
===================================================================
--- net-2.6.git.orig/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 19:56:12.000000000 +0100
+++ net-2.6.git/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 20:04:37.000000000 +0100
@@ -133,6 +133,10 @@ enum ip_conntrack_events
/* NAT sequence adjustment */
IPCT_NATSEQADJ_BIT = 13,
IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
+
+ /* Secmark is set */
+ IPCT_SECMARK_BIT = 12,
+ IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
};
enum ip_conntrack_expect_events {
Index: net-2.6.git/net/netfilter/nf_conntrack_netlink.c
===================================================================
--- net-2.6.git.orig/net/netfilter/nf_conntrack_netlink.c 2007-12-08 20:04:36.000000000 +0100
+++ net-2.6.git/net/netfilter/nf_conntrack_netlink.c 2007-12-08 20:04:37.000000000 +0100
@@ -254,6 +254,22 @@ nla_put_failure:
#define ctnetlink_dump_mark(a, b) (0)
#endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline int
+ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+{
+ __be32 mark = htonl(ct->secmark);
+
+ NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark);
+ return 0;
+
+nla_put_failure:
+ return -1;
+}
+#else
+#define ctnetlink_dump_secmark(a, b) (0)
+#endif
+
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
static inline int
@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb,
ctnetlink_dump_protoinfo(skb, ct) < 0 ||
ctnetlink_dump_helpinfo(skb, ct) < 0 ||
ctnetlink_dump_mark(skb, ct) < 0 ||
+ ctnetlink_dump_secmark(skb, ct) < 0 ||
ctnetlink_dump_id(skb, ct) < 0 ||
ctnetlink_dump_use(skb, ct) < 0 ||
ctnetlink_dump_master(skb, ct) < 0 ||
@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(str
&& ctnetlink_dump_mark(skb, ct) < 0)
goto nla_put_failure;
#endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+ if ((events & IPCT_SECMARK || ct->secmark)
+ && ctnetlink_dump_secmark(skb, ct) < 0)
+ goto nla_put_failure;
+#endif
if (events & IPCT_COUNTER_FILLING &&
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
Index: net-2.6.git/net/netfilter/xt_CONNSECMARK.c
===================================================================
--- net-2.6.git.orig/net/netfilter/xt_CONNSECMARK.c 2007-12-08 19:56:12.000000000 +0100
+++ net-2.6.git/net/netfilter/xt_CONNSECMARK.c 2007-12-08 20:04:37.000000000 +0100
@@ -20,6 +20,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNSECMARK.h>
#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
#define PFX "CONNSECMARK: "
@@ -40,8 +41,10 @@ static void secmark_save(const struct sk
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
- if (ct && !ct->secmark)
+ if (ct && !ct->secmark) {
ct->secmark = skb->secmark;
+ nf_conntrack_event_cache(IPCT_SECMARK, skb);
+ }
}
}
Index: net-2.6.git/include/linux/netfilter/nfnetlink_conntrack.h
===================================================================
--- net-2.6.git.orig/include/linux/netfilter/nfnetlink_conntrack.h 2007-12-08 20:06:21.000000000 +0100
+++ net-2.6.git/include/linux/netfilter/nfnetlink_conntrack.h 2007-12-08 20:06:33.000000000 +0100
@@ -39,6 +39,7 @@ enum ctattr_type {
CTA_TUPLE_MASTER,
CTA_NAT_SEQ_ADJ_ORIG,
CTA_NAT_SEQ_ADJ_REPLY,
+ CTA_SECMARK,
__CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5/5] Add support for secmark
2007-12-09 18:13 [PATCH 5/5] Add support for secmark Pablo Neira Ayuso
@ 2007-12-09 18:24 ` Pablo Neira Ayuso
2007-12-09 19:19 ` Patrick McHardy
2007-12-12 8:33 ` Patrick McHardy
1 sibling, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2007-12-09 18:24 UTC (permalink / raw)
To: Netfilter Development Mailinglist; +Cc: Patrick McHardy, James Morris
[-- Attachment #1: Type: text/plain, Size: 736 bytes --]
Pablo Neira Ayuso wrote:
> Index: net-2.6.git/include/linux/netfilter/nf_conntrack_common.h
> ===================================================================
> --- net-2.6.git.orig/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 19:56:12.000000000 +0100
> +++ net-2.6.git/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 20:04:37.000000000 +0100
> @@ -133,6 +133,10 @@ enum ip_conntrack_events
> /* NAT sequence adjustment */
> IPCT_NATSEQADJ_BIT = 13,
> IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
> +
> + /* Secmark is set */
> + IPCT_SECMARK_BIT = 12,
^^^
Also bad patch, this should be 14. New patch attached. Sorry.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
[-- Attachment #2: 05.patch --]
[-- Type: text/x-patch, Size: 3671 bytes --]
[PATCH][CTNETLINK] Add support for secmark
This patch adds support for James Morris' connsecmark.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Index: net-2.6.git/include/linux/netfilter/nf_conntrack_common.h
===================================================================
--- net-2.6.git.orig/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 19:56:12.000000000 +0100
+++ net-2.6.git/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 20:04:37.000000000 +0100
@@ -133,6 +133,10 @@ enum ip_conntrack_events
/* NAT sequence adjustment */
IPCT_NATSEQADJ_BIT = 13,
IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
+
+ /* Secmark is set */
+ IPCT_SECMARK_BIT = 14,
+ IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
};
enum ip_conntrack_expect_events {
Index: net-2.6.git/net/netfilter/nf_conntrack_netlink.c
===================================================================
--- net-2.6.git.orig/net/netfilter/nf_conntrack_netlink.c 2007-12-08 20:04:36.000000000 +0100
+++ net-2.6.git/net/netfilter/nf_conntrack_netlink.c 2007-12-08 20:04:37.000000000 +0100
@@ -254,6 +254,22 @@ nla_put_failure:
#define ctnetlink_dump_mark(a, b) (0)
#endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline int
+ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+{
+ __be32 mark = htonl(ct->secmark);
+
+ NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark);
+ return 0;
+
+nla_put_failure:
+ return -1;
+}
+#else
+#define ctnetlink_dump_secmark(a, b) (0)
+#endif
+
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
static inline int
@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb,
ctnetlink_dump_protoinfo(skb, ct) < 0 ||
ctnetlink_dump_helpinfo(skb, ct) < 0 ||
ctnetlink_dump_mark(skb, ct) < 0 ||
+ ctnetlink_dump_secmark(skb, ct) < 0 ||
ctnetlink_dump_id(skb, ct) < 0 ||
ctnetlink_dump_use(skb, ct) < 0 ||
ctnetlink_dump_master(skb, ct) < 0 ||
@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(str
&& ctnetlink_dump_mark(skb, ct) < 0)
goto nla_put_failure;
#endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+ if ((events & IPCT_SECMARK || ct->secmark)
+ && ctnetlink_dump_secmark(skb, ct) < 0)
+ goto nla_put_failure;
+#endif
if (events & IPCT_COUNTER_FILLING &&
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
Index: net-2.6.git/net/netfilter/xt_CONNSECMARK.c
===================================================================
--- net-2.6.git.orig/net/netfilter/xt_CONNSECMARK.c 2007-12-08 19:56:12.000000000 +0100
+++ net-2.6.git/net/netfilter/xt_CONNSECMARK.c 2007-12-08 20:04:37.000000000 +0100
@@ -20,6 +20,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNSECMARK.h>
#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
#define PFX "CONNSECMARK: "
@@ -40,8 +41,10 @@ static void secmark_save(const struct sk
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
- if (ct && !ct->secmark)
+ if (ct && !ct->secmark) {
ct->secmark = skb->secmark;
+ nf_conntrack_event_cache(IPCT_SECMARK, skb);
+ }
}
}
Index: net-2.6.git/include/linux/netfilter/nfnetlink_conntrack.h
===================================================================
--- net-2.6.git.orig/include/linux/netfilter/nfnetlink_conntrack.h 2007-12-08 20:06:21.000000000 +0100
+++ net-2.6.git/include/linux/netfilter/nfnetlink_conntrack.h 2007-12-08 20:06:33.000000000 +0100
@@ -39,6 +39,7 @@ enum ctattr_type {
CTA_TUPLE_MASTER,
CTA_NAT_SEQ_ADJ_ORIG,
CTA_NAT_SEQ_ADJ_REPLY,
+ CTA_SECMARK,
__CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5/5] Add support for secmark
2007-12-09 18:24 ` Pablo Neira Ayuso
@ 2007-12-09 19:19 ` Patrick McHardy
0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2007-12-09 19:19 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Development Mailinglist, James Morris
Pablo Neira Ayuso wrote:
> Pablo Neira Ayuso wrote:
>
>> Index: net-2.6.git/include/linux/netfilter/nf_conntrack_common.h
>> ===================================================================
>> --- net-2.6.git.orig/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 19:56:12.000000000 +0100
>> +++ net-2.6.git/include/linux/netfilter/nf_conntrack_common.h 2007-12-08 20:04:37.000000000 +0100
>> @@ -133,6 +133,10 @@ enum ip_conntrack_events
>> /* NAT sequence adjustment */
>> IPCT_NATSEQADJ_BIT = 13,
>> IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
>> +
>> + /* Secmark is set */
>> + IPCT_SECMARK_BIT = 12,
>>
> ^^^
> Also bad patch, this should be 14. New patch attached. Sorry
Patch 3 and 5 don't apply without the nat sequence patch, so I'm
holding off on these until I know what the NATSEQADJ bit is meant
for.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5/5] Add support for secmark
2007-12-09 18:13 [PATCH 5/5] Add support for secmark Pablo Neira Ayuso
2007-12-09 18:24 ` Pablo Neira Ayuso
@ 2007-12-12 8:33 ` Patrick McHardy
2007-12-12 8:34 ` Patrick McHardy
1 sibling, 1 reply; 5+ messages in thread
From: Patrick McHardy @ 2007-12-12 8:33 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Development Mailinglist, James Morris
Pablo Neira Ayuso wrote:
> This patch adds support for James Morris' connsecmark.
Also applied, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5/5] Add support for secmark
2007-12-12 8:33 ` Patrick McHardy
@ 2007-12-12 8:34 ` Patrick McHardy
0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2007-12-12 8:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Development Mailinglist, James Morris
Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> This patch adds support for James Morris' connsecmark.
>
> Also applied, thanks.
The fixed one BTW :)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2007-12-12 8:34 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-12-09 18:13 [PATCH 5/5] Add support for secmark Pablo Neira Ayuso
2007-12-09 18:24 ` Pablo Neira Ayuso
2007-12-09 19:19 ` Patrick McHardy
2007-12-12 8:33 ` Patrick McHardy
2007-12-12 8:34 ` Patrick McHardy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).