
netfilter: xtables: merge xt_CONNMARK into xt_connmark

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

authored by

Jan Engelhardt and committed by
Patrick McHardy
b8f00ba2 28b94988

+116 -156
+1 -21
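--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,26 +1,6 @@
 #ifndef _XT_CONNMARK_H_target
 #define _XT_CONNMARK_H_target
 
-#include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-enum {
-	XT_CONNMARK_SET = 0,
-	XT_CONNMARK_SAVE,
-	XT_CONNMARK_RESTORE
-};
-
-struct xt_connmark_tginfo1 {
-	__u32 ctmark, ctmask, nfmask;
-	__u8 mode;
-};
+#include <linux/netfilter/xt_connmark.h>
 
 #endif /*_XT_CONNMARK_H_target*/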
+11
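--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,6 +12,17 @@
  * (at your option) any later version.
  */
 
+enum {
+	XT_CONNMARK_SET = 0,
+	XT_CONNMARK_SAVE,
+	XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+	__u32 ctmark, ctmask, nfmask;
+	__u8 mode;
+};
+
 struct xt_connmark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;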
+22 -17
net/netfilter/Kconfig
··· 331 331 "Use netfilter MARK value as routing key") and can also be used by 332 332 other subsystems to change their behavior. 333 333 334 + config NETFILTER_XT_CONNMARK 335 + tristate 'ctmark target and match support' 336 + depends on NF_CONNTRACK 337 + depends on NETFILTER_ADVANCED 338 + select NF_CONNTRACK_MARK 339 + ---help--- 340 + This option adds the "CONNMARK" target and "connmark" match. 341 + 342 + Netfilter allows you to store a mark value per connection (a.k.a. 343 + ctmark), similarly to the packet mark (nfmark). Using this 344 + target and match, you can set and match on this mark. 345 + 334 346 # alphabetically ordered list of targets 335 347 336 348 comment "Xtables targets" ··· 363 351 tristate '"CONNMARK" target support' 364 352 depends on NF_CONNTRACK 365 353 depends on NETFILTER_ADVANCED 366 - select NF_CONNTRACK_MARK 367 - help 368 - This option adds a `CONNMARK' target, which allows one to manipulate 369 - the connection mark value. Similar to the MARK target, but 370 - affects the connection mark value rather than the packet mark value. 371 - 372 - If you want to compile it as a module, say M here and read 373 - <file:Documentation/kbuild/modules.txt>. The module will be called 374 - ipt_CONNMARK. If unsure, say `N'. 354 + select NETFILTER_XT_CONNMARK 355 + ---help--- 356 + This is a backwards-compat option for the user's convenience 357 + (e.g. when running oldconfig). It selects 358 + CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 375 359 376 360 config NETFILTER_XT_TARGET_CONNSECMARK 377 361 tristate '"CONNSECMARK" target support' ··· 629 621 tristate '"connmark" connection mark match support' 630 622 depends on NF_CONNTRACK 631 623 depends on NETFILTER_ADVANCED 632 - select NF_CONNTRACK_MARK 633 - help 634 - This option adds a `connmark' match, which allows you to match the 635 - connection mark value previously set for the session by `CONNMARK'. 
636 - 637 - If you want to compile it as a module, say M here and read 638 - <file:Documentation/kbuild/modules.txt>. The module will be called 639 - ipt_connmark. If unsure, say `N'. 624 + select NETFILTER_XT_CONNMARK 625 + ---help--- 626 + This is a backwards-compat option for the user's convenience 627 + (e.g. when running oldconfig). It selects 628 + CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 640 629 641 630 config NETFILTER_XT_MATCH_CONNTRACK 642 631 tristate '"conntrack" connection tracking match support'
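Review bot: The help text of the new NETFILTER_XT_CONNMARK entry (new-side lines 339-344) no longer tells the user which module the option produces, although both of the entries it replaces did, even if with the stale `ipt_CONNMARK`/`ipt_connmark` names. I would close that help block with the usual kernel wording: `To compile it as a module, choose M here. The module will be called xt_connmark.` The two backwards-compat entries (new-side 355-358 and 625-628) could likewise end with a sentence such as `If NETFILTER_XT_CONNMARK is already enabled this option can be left at N.`, so an oldconfig user understands why both prompts still appear. The compat entries keep `depends on NF_CONNTRACK` / `NETFILTER_ADVANCED`, which as far as I can see matches the dependencies of the selected symbol, so the `select` does not appear to bypass any dependency.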
+1 -2
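--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -42,10 +42,10 @@
 
 # combos
 obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
+obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
 
 # targets
 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
-obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
@@ -66,7 +66,6 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
-obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o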
-113
net/netfilter/xt_CONNMARK.c
··· 1 - /* 2 - * xt_CONNMARK - Netfilter module to modify the connection mark values 3 - * 4 - * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> 5 - * by Henrik Nordstrom <hno@marasystems.com> 6 - * Copyright © CC Computer Consultants GmbH, 2007 - 2008 7 - * Jan Engelhardt <jengelh@computergmbh.de> 8 - * 9 - * This program is free software; you can redistribute it and/or modify 10 - * it under the terms of the GNU General Public License as published by 11 - * the Free Software Foundation; either version 2 of the License, or 12 - * (at your option) any later version. 13 - * 14 - * This program is distributed in the hope that it will be useful, 15 - * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 - * GNU General Public License for more details. 18 - * 19 - * You should have received a copy of the GNU General Public License 20 - * along with this program; if not, write to the Free Software 21 - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 - */ 23 - #include <linux/module.h> 24 - #include <linux/skbuff.h> 25 - #include <linux/ip.h> 26 - #include <net/checksum.h> 27 - 28 - MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); 29 - MODULE_DESCRIPTION("Xtables: connection mark modification"); 30 - MODULE_LICENSE("GPL"); 31 - MODULE_ALIAS("ipt_CONNMARK"); 32 - MODULE_ALIAS("ip6t_CONNMARK"); 33 - 34 - #include <linux/netfilter/x_tables.h> 35 - #include <linux/netfilter/xt_CONNMARK.h> 36 - #include <net/netfilter/nf_conntrack_ecache.h> 37 - 38 - static unsigned int 39 - connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 40 - { 41 - const struct xt_connmark_tginfo1 *info = par->targinfo; 42 - enum ip_conntrack_info ctinfo; 43 - struct nf_conn *ct; 44 - u_int32_t newmark; 45 - 46 - ct = nf_ct_get(skb, &ctinfo); 47 - if (ct == NULL) 48 - return XT_CONTINUE; 49 - 50 - switch (info->mode) { 51 - case XT_CONNMARK_SET: 52 - 
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; 53 - if (ct->mark != newmark) { 54 - ct->mark = newmark; 55 - nf_conntrack_event_cache(IPCT_MARK, ct); 56 - } 57 - break; 58 - case XT_CONNMARK_SAVE: 59 - newmark = (ct->mark & ~info->ctmask) ^ 60 - (skb->mark & info->nfmask); 61 - if (ct->mark != newmark) { 62 - ct->mark = newmark; 63 - nf_conntrack_event_cache(IPCT_MARK, ct); 64 - } 65 - break; 66 - case XT_CONNMARK_RESTORE: 67 - newmark = (skb->mark & ~info->nfmask) ^ 68 - (ct->mark & info->ctmask); 69 - skb->mark = newmark; 70 - break; 71 - } 72 - 73 - return XT_CONTINUE; 74 - } 75 - 76 - static bool connmark_tg_check(const struct xt_tgchk_param *par) 77 - { 78 - if (nf_ct_l3proto_try_module_get(par->family) < 0) { 79 - printk(KERN_WARNING "cannot load conntrack support for " 80 - "proto=%u\n", par->family); 81 - return false; 82 - } 83 - return true; 84 - } 85 - 86 - static void connmark_tg_destroy(const struct xt_tgdtor_param *par) 87 - { 88 - nf_ct_l3proto_module_put(par->family); 89 - } 90 - 91 - static struct xt_target connmark_tg_reg __read_mostly = { 92 - .name = "CONNMARK", 93 - .revision = 1, 94 - .family = NFPROTO_UNSPEC, 95 - .checkentry = connmark_tg_check, 96 - .target = connmark_tg, 97 - .targetsize = sizeof(struct xt_connmark_tginfo1), 98 - .destroy = connmark_tg_destroy, 99 - .me = THIS_MODULE, 100 - }; 101 - 102 - static int __init connmark_tg_init(void) 103 - { 104 - return xt_register_target(&connmark_tg_reg); 105 - } 106 - 107 - static void __exit connmark_tg_exit(void) 108 - { 109 - xt_unregister_target(&connmark_tg_reg); 110 - } 111 - 112 - module_init(connmark_tg_init); 113 - module_exit(connmark_tg_exit);
+81 -3
net/netfilter/xt_connmark.c
··· 1 1 /* 2 - * xt_connmark - Netfilter module to match connection mark values 2 + * xt_connmark - Netfilter module to operate on connection marks 3 3 * 4 4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> 5 5 * by Henrik Nordstrom <hno@marasystems.com> ··· 24 24 #include <linux/module.h> 25 25 #include <linux/skbuff.h> 26 26 #include <net/netfilter/nf_conntrack.h> 27 + #include <net/netfilter/nf_conntrack_ecache.h> 27 28 #include <linux/netfilter/x_tables.h> 28 29 #include <linux/netfilter/xt_connmark.h> 29 30 30 31 MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); 31 - MODULE_DESCRIPTION("Xtables: connection mark match"); 32 + MODULE_DESCRIPTION("Xtables: connection mark operations"); 32 33 MODULE_LICENSE("GPL"); 34 + MODULE_ALIAS("ipt_CONNMARK"); 35 + MODULE_ALIAS("ip6t_CONNMARK"); 33 36 MODULE_ALIAS("ipt_connmark"); 34 37 MODULE_ALIAS("ip6t_connmark"); 38 + 39 + static unsigned int 40 + connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 41 + { 42 + const struct xt_connmark_tginfo1 *info = par->targinfo; 43 + enum ip_conntrack_info ctinfo; 44 + struct nf_conn *ct; 45 + u_int32_t newmark; 46 + 47 + ct = nf_ct_get(skb, &ctinfo); 48 + if (ct == NULL) 49 + return XT_CONTINUE; 50 + 51 + switch (info->mode) { 52 + case XT_CONNMARK_SET: 53 + newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; 54 + if (ct->mark != newmark) { 55 + ct->mark = newmark; 56 + nf_conntrack_event_cache(IPCT_MARK, ct); 57 + } 58 + break; 59 + case XT_CONNMARK_SAVE: 60 + newmark = (ct->mark & ~info->ctmask) ^ 61 + (skb->mark & info->nfmask); 62 + if (ct->mark != newmark) { 63 + ct->mark = newmark; 64 + nf_conntrack_event_cache(IPCT_MARK, ct); 65 + } 66 + break; 67 + case XT_CONNMARK_RESTORE: 68 + newmark = (skb->mark & ~info->nfmask) ^ 69 + (ct->mark & info->ctmask); 70 + skb->mark = newmark; 71 + break; 72 + } 73 + 74 + return XT_CONTINUE; 75 + } 76 + 77 + static bool connmark_tg_check(const struct xt_tgchk_param *par) 78 + { 79 + if 
(nf_ct_l3proto_try_module_get(par->family) < 0) { 80 + printk(KERN_WARNING "cannot load conntrack support for " 81 + "proto=%u\n", par->family); 82 + return false; 83 + } 84 + return true; 85 + } 86 + 87 + static void connmark_tg_destroy(const struct xt_tgdtor_param *par) 88 + { 89 + nf_ct_l3proto_module_put(par->family); 90 + } 35 91 36 92 static bool 37 93 connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) ··· 118 62 nf_ct_l3proto_module_put(par->family); 119 63 } 120 64 65 + static struct xt_target connmark_tg_reg __read_mostly = { 66 + .name = "CONNMARK", 67 + .revision = 1, 68 + .family = NFPROTO_UNSPEC, 69 + .checkentry = connmark_tg_check, 70 + .target = connmark_tg, 71 + .targetsize = sizeof(struct xt_connmark_tginfo1), 72 + .destroy = connmark_tg_destroy, 73 + .me = THIS_MODULE, 74 + }; 75 + 121 76 static struct xt_match connmark_mt_reg __read_mostly = { 122 77 .name = "connmark", 123 78 .revision = 1, ··· 142 75 143 76 static int __init connmark_mt_init(void) 144 77 { 145 - return xt_register_match(&connmark_mt_reg); 78 + int ret; 79 + 80 + ret = xt_register_target(&connmark_tg_reg); 81 + if (ret < 0) 82 + return ret; 83 + ret = xt_register_match(&connmark_mt_reg); 84 + if (ret < 0) { 85 + xt_unregister_target(&connmark_tg_reg); 86 + return ret; 87 + } 88 + return 0; 146 89 } 147 90 148 91 static void __exit connmark_mt_exit(void) 149 92 { 150 93 xt_unregister_match(&connmark_mt_reg); 94 + xt_unregister_target(&connmark_tg_reg); 151 95 } 152 96 153 97 module_init(connmark_mt_init);
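Review bot: connmark_tg_check (new-side lines 77-85, entirely inside the first hunk) only verifies that the conntrack L3 module can be loaded and never validates `info->mode`, while the `switch` in connmark_tg (lines 51-72) has no `default`, so a rule carrying a mode other than SET/SAVE/RESTORE is accepted at insert time and then silently becomes a no-op target at packet time. Since the targinfo blob originates from the userspace ruleset as I read x_tables, I would reject it in checkentry before taking the module reference: `const struct xt_connmark_tginfo1 *info = par->targinfo;` followed by `if (info->mode > XT_CONNMARK_RESTORE) return false;`. The warning on lines 80-81 also carries no module prefix, so `printk(KERN_WARNING "xt_connmark: cannot load conntrack support for proto=%u\n", par->family);` would make the dmesg line attributable now that two xtables extensions share this file. The code is moved verbatim from xt_CONNMARK.c, so neither point is introduced by this commit, but the merge is the natural place to address them.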