[NETFILTER]: ctnetlink: add support for secmark

This patch adds support for James Morris' connsecmark.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 19747e8f71cf0b4210098b81fb10bdde8503f802..bad1eb760f615b8ffbc925fe1b8f2fb215e1bfa3 100644 (file)
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -133,6 +133,10 @@ enum ip_conntrack_events
        /* NAT sequence adjustment */
        IPCT_NATSEQADJ_BIT = 13,
        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
+
+       /* Secmark is set */
+       IPCT_SECMARK_BIT = 14,
+       IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
 };
 
 enum ip_conntrack_expect_events {

diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index c19d976b1b75f64d30aa1a7b38977e84f34675c4..e3e1533aba2d9656ce6fed4282a9589494c006e2 100644 (file)
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -39,6 +39,7 @@ enum ctattr_type {
        CTA_TUPLE_MASTER,
        CTA_NAT_SEQ_ADJ_ORIG,
        CTA_NAT_SEQ_ADJ_REPLY,
+       CTA_SECMARK,
        __CTA_MAX
 };
 #define CTA_MAX (__CTA_MAX - 1)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 94027c84be5259ee7ac882934715a5493e38c23a..d4eedc68cc76d19642754dd678cbf57433ecb4c6 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -254,6 +254,22 @@ nla_put_failure:
 #define ctnetlink_dump_mark(a, b) (0)
 #endif
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline int
+ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+{
+       __be32 mark = htonl(ct->secmark);
+
+       NLA_PUT(skb, CTA_SECMARK, sizeof(u_int32_t), &mark);
+       return 0;
+
+nla_put_failure:
+       return -1;
+}
+#else
+#define ctnetlink_dump_secmark(a, b) (0)
+#endif
+
 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
 
 static inline int
@@ -392,6 +408,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
            ctnetlink_dump_protoinfo(skb, ct) < 0 ||
            ctnetlink_dump_helpinfo(skb, ct) < 0 ||
            ctnetlink_dump_mark(skb, ct) < 0 ||
+           ctnetlink_dump_secmark(skb, ct) < 0 ||
            ctnetlink_dump_id(skb, ct) < 0 ||
            ctnetlink_dump_use(skb, ct) < 0 ||
            ctnetlink_dump_master(skb, ct) < 0 ||
@@ -493,6 +510,11 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
                    && ctnetlink_dump_mark(skb, ct) < 0)
                        goto nla_put_failure;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+               if ((events & IPCT_SECMARK || ct->secmark)
+                   && ctnetlink_dump_secmark(skb, ct) < 0)
+                       goto nla_put_failure;
+#endif
 
                if (events & IPCT_COUNTER_FILLING &&
                    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||

diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 2c265e87f39655ba2e87a7799cc9006a6d5c4189..2333f7e29bc94368f7dc57e86ee0894fe794f538 100644 (file)
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -20,6 +20,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CONNSECMARK.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 
 #define PFX "CONNSECMARK: "
 
@@ -40,8 +41,10 @@ static void secmark_save(const struct sk_buff *skb)
                enum ip_conntrack_info ctinfo;
 
                ct = nf_ct_get(skb, &ctinfo);
-               if (ct && !ct->secmark)
+               if (ct && !ct->secmark) {
                        ct->secmark = skb->secmark;
+                       nf_conntrack_event_cache(IPCT_SECMARK, skb);
+               }
        }
 }