* [PATCH 2/4] [NETFILTER]: xt_MARK target revision 2
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
@ 2007-12-22 2:37 ` Jan Engelhardt
2007-12-22 2:37 ` [PATCH 3/4] [NETFILTER]: xt_connmark match revision 1 Jan Engelhardt
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-22 2:37 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce the xt_MARK target revision 2. It uses fixed types,
and also uses the more expressive XOR logic.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_MARK.h | 4 ++
net/netfilter/xt_MARK.c | 59 +++++++++++++++++++++++++++-----------
2 files changed, 47 insertions(+), 16 deletions(-)
Index: linux-2.6_nosov/include/linux/netfilter/xt_MARK.h
===================================================================
--- linux-2.6_nosov.orig/include/linux/netfilter/xt_MARK.h
+++ linux-2.6_nosov/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
u_int8_t mode;
};
+struct xt_mark_target_info_v2 {
+ u_int32_t mark, mask;
+};
+
#endif /*_XT_MARK_H_target */
Index: linux-2.6_nosov/net/netfilter/xt_MARK.c
===================================================================
--- linux-2.6_nosov.orig/net/netfilter/xt_MARK.c
+++ linux-2.6_nosov/net/netfilter/xt_MARK.c
@@ -33,9 +33,9 @@ mark_tg_v0(struct sk_buff *skb, const st
}
static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
int mark = 0;
@@ -58,6 +58,17 @@ mark_tg(struct sk_buff *skb, const struc
return XT_CONTINUE;
}
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_mark_target_info_v2 *info = targinfo;
+
+ skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+ return XT_CONTINUE;
+}
+
static bool
mark_tg_check_v0(const char *tablename, const void *entry,
const struct xt_target *target, void *targinfo,
@@ -73,9 +84,9 @@ mark_tg_check_v0(const char *tablename,
}
static bool
-mark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+mark_tg_check_v1(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
@@ -98,7 +109,7 @@ struct compat_xt_mark_target_info {
compat_ulong_t mark;
};
-static void mark_tg_compat_from_user(void *dst, void *src)
+static void mark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_target_info *cm = src;
struct xt_mark_target_info m = {
@@ -107,7 +118,7 @@ static void mark_tg_compat_from_user(voi
memcpy(dst, &m, sizeof(m));
}
-static int mark_tg_compat_to_user(void __user *dst, void *src)
+static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_target_info *m = src;
struct compat_xt_mark_target_info cm = {
@@ -154,8 +165,8 @@ static struct xt_target mark_tg_reg[] __
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -164,8 +175,8 @@ static struct xt_target mark_tg_reg[] __
.name = "MARK",
.family = AF_INET,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -184,8 +195,8 @@ static struct xt_target mark_tg_reg[] __
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -194,8 +205,8 @@ static struct xt_target mark_tg_reg[] __
.name = "MARK",
.family = AF_INET6,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -205,6 +216,22 @@ static struct xt_target mark_tg_reg[] __
.table = "mangle",
.me = THIS_MODULE,
},
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_target_info_v2),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET6,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_target_info_v2),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_tg_init(void)
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 3/4] [NETFILTER]: xt_connmark match revision 1
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
2007-12-22 2:37 ` [PATCH 2/4] [NETFILTER]: xt_MARK target revision 2 Jan Engelhardt
@ 2007-12-22 2:37 ` Jan Engelhardt
2007-12-22 2:37 ` [PATCH 1/4] [NETFILTER]: xt_CONNMARK target " Jan Engelhardt
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-22 2:37 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce the xt_connmark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
Documentation/feature-removal-schedule.txt | 7 ++
include/linux/netfilter/xt_connmark.h | 5 +
net/netfilter/xt_connmark.c | 74 ++++++++++++++++++++++++-----
3 files changed, 75 insertions(+), 11 deletions(-)
Index: linux-2.6/include/linux/netfilter/xt_connmark.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_connmark.h
+++ linux-2.6/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
u_int8_t invert;
};
+struct xt_connmark_match_info {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_CONNMARK_H*/
Index: linux-2.6/net/netfilter/xt_connmark.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connmark.c
+++ linux-2.6/net/netfilter/xt_connmark.c
@@ -37,6 +37,23 @@ connmark_mt(const struct sk_buff *skb, c
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
+ const struct xt_connmark_match_info *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return false;
+
+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
+connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
const struct xt_connmark_info *info = matchinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -49,9 +66,9 @@ connmark_mt(const struct sk_buff *skb, c
}
static bool
-connmark_mt_check(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+connmark_mt_check_v0(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_info *cm = matchinfo;
@@ -67,6 +84,19 @@ connmark_mt_check(const char *tablename,
return true;
}
+static bool
+connmark_mt_check(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", match->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_mt_destroy(const struct xt_match *match, void *matchinfo)
{
@@ -81,7 +111,7 @@ struct compat_xt_connmark_info {
u_int16_t __pad2;
};
-static void connmark_mt_compat_from_user(void *dst, void *src)
+static void connmark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_info *cm = src;
struct xt_connmark_info m = {
@@ -92,7 +122,7 @@ static void connmark_mt_compat_from_user
memcpy(dst, &m, sizeof(m));
}
-static int connmark_mt_compat_to_user(void __user *dst, void *src)
+static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_info *m = src;
struct compat_xt_connmark_info cm = {
@@ -107,23 +137,25 @@ static int connmark_mt_compat_to_user(vo
static struct xt_match connmark_mt_reg[] __read_mostly = {
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
- .compat_from_user = connmark_mt_compat_from_user,
- .compat_to_user = connmark_mt_compat_to_user,
+ .compat_from_user = connmark_mt_compat_from_user_v0,
+ .compat_to_user = connmark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
@@ -133,6 +165,26 @@ static struct xt_match connmark_mt_reg[]
#endif
.me = THIS_MODULE
},
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_match_info),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_match_info),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_mt_init(void)
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH 1/4] [NETFILTER]: xt_CONNMARK target revision 1
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
2007-12-22 2:37 ` [PATCH 2/4] [NETFILTER]: xt_MARK target revision 2 Jan Engelhardt
2007-12-22 2:37 ` [PATCH 3/4] [NETFILTER]: xt_connmark match revision 1 Jan Engelhardt
@ 2007-12-22 2:37 ` Jan Engelhardt
2007-12-22 2:37 ` [PATCH 1/4] [NETFILTER]: xt_mark match " Jan Engelhardt
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-22 2:37 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce the xt_CONNMARK target revision 1. It uses fixed types, and
also uses the more expressive XOR logic. Futhermore, it allows to
selectively pick bits from both the ctmark and the nfmark in the SAVE
and RESTORE operations.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_CONNMARK.h | 5 +
net/netfilter/xt_CONNMARK.c | 107 ++++++++++++++++++++++++++++------
2 files changed, 96 insertions(+), 16 deletions(-)
Index: linux-2.6_nosov/include/linux/netfilter/xt_CONNMARK.h
===================================================================
--- linux-2.6_nosov.orig/include/linux/netfilter/xt_CONNMARK.h
+++ linux-2.6_nosov/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
u_int8_t mode;
};
+struct xt_connmark_target_info_v1 {
+ u_int32_t ctmark, ctmask, nfmask;
+ u_int8_t mode;
+};
+
#endif /*_XT_CONNMARK_H_target*/
Index: linux-2.6_nosov/net/netfilter/xt_CONNMARK.c
===================================================================
--- linux-2.6_nosov.orig/net/netfilter/xt_CONNMARK.c
+++ linux-2.6_nosov/net/netfilter/xt_CONNMARK.c
@@ -34,9 +34,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_connmark_target_info *markinfo = targinfo;
struct nf_conn *ct;
@@ -74,10 +74,50 @@ connmark_tg(struct sk_buff *skb, const s
return XT_CONTINUE;
}
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_connmark_target_info_v1 *info = targinfo;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ u_int32_t newmark;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return XT_CONTINUE;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ newmark = (ct->mark & ~info->ctmask) ^
+ (skb->mark & info->nfmask);
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+ newmark = (skb->mark & ~info->nfmask) ^
+ (ct->mark & info->ctmask);
+ skb->mark = newmark;
+ break;
+ }
+
+ return XT_CONTINUE;
+}
+
static bool
-connmark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+connmark_tg_check_v0(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_target_info *matchinfo = targinfo;
@@ -101,6 +141,19 @@ connmark_tg_check(const char *tablename,
return true;
}
+static bool
+connmark_tg_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", target->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_tg_destroy(const struct xt_target *target, void *targinfo)
{
@@ -115,7 +168,7 @@ struct compat_xt_connmark_target_info {
u_int16_t __pad2;
};
-static void connmark_tg_compat_from_user(void *dst, void *src)
+static void connmark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_target_info *cm = src;
struct xt_connmark_target_info m = {
@@ -126,7 +179,7 @@ static void connmark_tg_compat_from_user
memcpy(dst, &m, sizeof(m));
}
-static int connmark_tg_compat_to_user(void __user *dst, void *src)
+static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_target_info *m = src;
struct compat_xt_connmark_target_info cm = {
@@ -141,32 +194,54 @@ static int connmark_tg_compat_to_user(vo
static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_target_info_v1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_target_info_v1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_tg_init(void)
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 1/4] [NETFILTER]: xt_mark match revision 1
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
` (2 preceding siblings ...)
2007-12-22 2:37 ` [PATCH 1/4] [NETFILTER]: xt_CONNMARK target " Jan Engelhardt
@ 2007-12-22 2:37 ` Jan Engelhardt
2007-12-22 2:37 ` [PATCH 4/4] [NETFILTER]: xt_CONNMARK target " Jan Engelhardt
2007-12-28 15:51 ` [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
5 siblings, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-22 2:37 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce the xt_mark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
Documentation/feature-removal-schedule.txt | 5 ++
include/linux/netfilter/xt_mark.h | 5 ++
net/netfilter/xt_mark.c | 49 +++++++++++++++++++++++------
3 files changed, 49 insertions(+), 10 deletions(-)
Index: linux-2.6/include/linux/netfilter/xt_mark.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_mark.h
+++ linux-2.6/include/linux/netfilter/xt_mark.h
@@ -6,4 +6,9 @@ struct xt_mark_info {
u_int8_t invert;
};
+struct xt_mark_match_info {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_MARK_H*/
Index: linux-2.6/net/netfilter/xt_mark.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_mark.c
+++ linux-2.6/net/netfilter/xt_mark.c
@@ -20,19 +20,30 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
+mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_mark_info *info = matchinfo;
+
+ return ((skb->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
mark_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- const struct xt_mark_info *info = matchinfo;
+ const struct xt_mark_match_info *info = matchinfo;
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
static bool
-mark_mt_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+mark_mt_check_v0(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_info *minfo = matchinfo;
@@ -51,7 +62,7 @@ struct compat_xt_mark_info {
u_int16_t __pad2;
};
-static void mark_mt_compat_from_user(void *dst, void *src)
+static void mark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_info *cm = src;
struct xt_mark_info m = {
@@ -62,7 +73,7 @@ static void mark_mt_compat_from_user(voi
memcpy(dst, &m, sizeof(m));
}
-static int mark_mt_compat_to_user(void __user *dst, void *src)
+static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_info *m = src;
struct compat_xt_mark_info cm = {
@@ -77,9 +88,10 @@ static int mark_mt_compat_to_user(void _
static struct xt_match mark_mt_reg[] __read_mostly = {
{
.name = "mark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
@@ -90,9 +102,10 @@ static struct xt_match mark_mt_reg[] __r
},
{
.name = "mark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
@@ -101,6 +114,22 @@ static struct xt_match mark_mt_reg[] __r
#endif
.me = THIS_MODULE,
},
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_match_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_match_info),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_mt_init(void)
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 4/4] [NETFILTER]: xt_CONNMARK target revision 1
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
` (3 preceding siblings ...)
2007-12-22 2:37 ` [PATCH 1/4] [NETFILTER]: xt_mark match " Jan Engelhardt
@ 2007-12-22 2:37 ` Jan Engelhardt
2007-12-28 15:51 ` [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
5 siblings, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-22 2:37 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce the xt_CONNMARK target revision 1. It uses fixed types, and
also uses the more expressive XOR logic. Futhermore, it allows to
selectively pick bits from both the ctmark and the nfmark in the SAVE
and RESTORE operations.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_CONNMARK.h | 5 +
net/netfilter/xt_CONNMARK.c | 107 ++++++++++++++++++++++++++++------
2 files changed, 96 insertions(+), 16 deletions(-)
Index: linux-2.6_nosov/include/linux/netfilter/xt_CONNMARK.h
===================================================================
--- linux-2.6_nosov.orig/include/linux/netfilter/xt_CONNMARK.h
+++ linux-2.6_nosov/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
u_int8_t mode;
};
+struct xt_connmark_target_info_v1 {
+ u_int32_t ctmark, ctmask, nfmask;
+ u_int8_t mode;
+};
+
#endif /*_XT_CONNMARK_H_target*/
Index: linux-2.6_nosov/net/netfilter/xt_CONNMARK.c
===================================================================
--- linux-2.6_nosov.orig/net/netfilter/xt_CONNMARK.c
+++ linux-2.6_nosov/net/netfilter/xt_CONNMARK.c
@@ -34,9 +34,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_connmark_target_info *markinfo = targinfo;
struct nf_conn *ct;
@@ -74,10 +74,50 @@ connmark_tg(struct sk_buff *skb, const s
return XT_CONTINUE;
}
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_connmark_target_info_v1 *info = targinfo;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ u_int32_t newmark;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return XT_CONTINUE;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ newmark = (ct->mark & ~info->ctmask) ^
+ (skb->mark & info->nfmask);
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+ newmark = (skb->mark & ~info->nfmask) ^
+ (ct->mark & info->ctmask);
+ skb->mark = newmark;
+ break;
+ }
+
+ return XT_CONTINUE;
+}
+
static bool
-connmark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+connmark_tg_check_v0(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_target_info *matchinfo = targinfo;
@@ -101,6 +141,19 @@ connmark_tg_check(const char *tablename,
return true;
}
+static bool
+connmark_tg_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", target->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_tg_destroy(const struct xt_target *target, void *targinfo)
{
@@ -115,7 +168,7 @@ struct compat_xt_connmark_target_info {
u_int16_t __pad2;
};
-static void connmark_tg_compat_from_user(void *dst, void *src)
+static void connmark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_target_info *cm = src;
struct xt_connmark_target_info m = {
@@ -126,7 +179,7 @@ static void connmark_tg_compat_from_user
memcpy(dst, &m, sizeof(m));
}
-static int connmark_tg_compat_to_user(void __user *dst, void *src)
+static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_target_info *m = src;
struct compat_xt_connmark_target_info cm = {
@@ -141,32 +194,54 @@ static int connmark_tg_compat_to_user(vo
static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_target_info_v1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_target_info_v1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_tg_init(void)
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH 1/4] [NETFILTER]: xt_mark rev. 1
2007-12-22 2:36 [PATCH 1/4] [NETFILTER]: xt_mark rev. 1 Jan Engelhardt
` (4 preceding siblings ...)
2007-12-22 2:37 ` [PATCH 4/4] [NETFILTER]: xt_CONNMARK target " Jan Engelhardt
@ 2007-12-28 15:51 ` Jan Engelhardt
2007-12-28 16:15 ` Patrick McHardy
5 siblings, 1 reply; 8+ messages in thread
From: Jan Engelhardt @ 2007-12-28 15:51 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
On Dec 22 2007 03:36, Jan Engelhardt wrote:
>
>Subject: [PATCH 1/4] [NETFILTER]: xt_mark rev. 1
>[lots of patches]
Will resend with updated versions.
^ permalink raw reply [flat|nested] 8+ messages in thread