1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
/* This kernel module matches connection mark values set by the
* CONNMARK target
*
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <linux/module.h>
#include <linux/skbuff.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
MODULE_DESCRIPTION("IP tables connmark match module");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connmark");
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_connmark.h>
#include <net/netfilter/nf_conntrack_compat.h>
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop)
{
const struct xt_connmark_info *info = matchinfo;
u_int32_t ctinfo;
const u_int32_t *ctmark = nf_ct_get_mark(skb, &ctinfo);
if (!ctmark)
return 0;
return (((*ctmark) & info->mask) == info->mark) ^ info->invert;
}
static int
checkentry(const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask)
{
struct xt_connmark_info *cm = matchinfo;
if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
printk(KERN_WARNING "connmark: only support 32bit mark\n");
return 0;
}
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
printk(KERN_WARNING "can't load nf_conntrack support for "
"proto=%d\n", match->family);
return 0;
}
#endif
return 1;
}
static void
destroy(const struct xt_match *match, void *matchinfo)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_ct_l3proto_module_put(match->family);
#endif
}
#ifdef CONFIG_COMPAT
struct compat_xt_connmark_info {
compat_ulong_t mark, mask;
u_int8_t invert;
u_int8_t __pad1;
u_int16_t __pad2;
};
static void compat_from_user(void *dst, void *src)
{
struct compat_xt_connmark_info *cm = src;
struct xt_connmark_info m = {
.mark = cm->mark,
.mask = cm->mask,
.invert = cm->invert,
};
memcpy(dst, &m, sizeof(m));
}
static int compat_to_user(void __user *dst, void *src)
{
struct xt_connmark_info *m = src;
struct compat_xt_connmark_info cm = {
.mark = m->mark,
.mask = m->mask,
.invert = m->invert,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif /* CONFIG_COMPAT */
static struct xt_match xt_connmark_match[] = {
{
.name = "connmark",
.family = AF_INET,
.checkentry = checkentry,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
.compat_from_user = compat_from_user,
.compat_to_user = compat_to_user,
#endif
.me = THIS_MODULE
},
{
.name = "connmark",
.family = AF_INET6,
.checkentry = checkentry,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_connmark_info),
.me = THIS_MODULE
},
};
static int __init xt_connmark_init(void)
{
need_conntrack();
return xt_register_matches(xt_connmark_match,
ARRAY_SIZE(xt_connmark_match));
}
static void __exit xt_connmark_fini(void)
{
xt_unregister_matches(xt_connmark_match, ARRAY_SIZE(xt_connmark_match));
}
module_init(xt_connmark_init);
module_exit(xt_connmark_fini);
|