net/netfilter/xt_CONNSECMARK.c
/*
 * This module is used to copy security markings from packets
 * to connections, and restore security markings from connections
 * back to packets. This would normally be performed in conjunction
 * with the SECMARK target and state match.
 *
 * Based somewhat on CONNMARK:
 *   Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
 *    by Henrik Nordstrom <hno@marasystems.com>
 *
* (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> |
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
#include <linux/module.h> #include <linux/skbuff.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_CONNSECMARK.h> |
#include <net/netfilter/nf_conntrack.h> |
#include <net/netfilter/nf_conntrack_ecache.h> |
MODULE_LICENSE("GPL"); MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); |
MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark"); |
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");

/*
 * secmark_save - propagate a packet's security mark to its connection.
 * @skb: packet being processed.
 *
 * Acts only when the packet carries a security mark and the conntrack
 * entry (if any) has none yet, so the first marked packet of a
 * connection labels it and later packets never overwrite that label.
 * An IPCT_SECMARK event is cached on the entry via
 * nf_conntrack_event_cache().
 */
static void secmark_save(const struct sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	if (!skb->secmark)
		return;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct == NULL || ct->secmark)
		return;	/* untracked, or already labelled: first writer wins */

	ct->secmark = skb->secmark;
	nf_conntrack_event_cache(IPCT_SECMARK, ct);
}

/*
 * secmark_restore - copy a connection's security mark back to a packet.
 * @skb: packet being processed.
 *
 * A packet that already carries a mark is left untouched; otherwise the
 * connection's mark, when it has one, is written into skb->secmark.
 */
static void secmark_restore(struct sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;

	if (skb->secmark)
		return;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct != NULL && ct->secmark)
		skb->secmark = ct->secmark;
}
/*
 * connsecmark_tg - CONNSECMARK target entry point.
 * @skb: packet being processed.
 * @par: action parameters; par->targinfo holds the rule's
 *       struct xt_connsecmark_target_info.
 *
 * Dispatches on info->mode: CONNSECMARK_SAVE copies the packet's mark to
 * the connection, CONNSECMARK_RESTORE copies the connection's mark to the
 * packet. connsecmark_tg_check() rejects every other mode when the rule
 * is inserted, so reaching the fallback here is a kernel bug.
 *
 * Return: XT_CONTINUE, so rule traversal carries on.
 */
static unsigned int
connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_connsecmark_target_info *info = par->targinfo;

	if (info->mode == CONNSECMARK_SAVE)
		secmark_save(skb);
	else if (info->mode == CONNSECMARK_RESTORE)
		secmark_restore(skb);
	else
		BUG();	/* checkentry only admits the two modes above */

	return XT_CONTINUE;
}
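/*
 * connsecmark_tg_check - validate a CONNSECMARK rule at insertion time.
 * @par: check parameters; par->table is the table the rule is placed in,
 *       par->family the address family, par->targinfo the rule's
 *       struct xt_connsecmark_target_info.
 *
 * Rejects rules outside the 'mangle' and 'security' tables and any mode
 * other than CONNSECMARK_SAVE / CONNSECMARK_RESTORE, so connsecmark_tg()
 * never sees an unknown mode. On success it holds a reference on the
 * conntrack l3proto module for the family, which
 * connsecmark_tg_destroy() releases.
 *
 * Return: 0 on success, -EINVAL for a bad table or mode, or the negative
 * error from nf_ct_l3proto_try_module_get().
 */
static int connsecmark_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_connsecmark_target_info *info = par->targinfo;
	int ret;

	if (strcmp(par->table, "mangle") != 0 &&
	    strcmp(par->table, "security") != 0) {
		/* Each pr_info() message ends in '\n' so it forms one log record. */
		pr_info("target only valid in the \'mangle\' "
			"or \'security\' tables, not \'%s\'.\n", par->table);
		return -EINVAL;
	}

	switch (info->mode) {
	case CONNSECMARK_SAVE:
	case CONNSECMARK_RESTORE:
		break;

	default:
		pr_info("invalid mode: %hu\n", info->mode);
		return -EINVAL;
	}

	/* Conntrack for this family must stay loaded while the rule exists. */
	ret = nf_ct_l3proto_try_module_get(par->family);
	if (ret < 0)
		pr_info("cannot load conntrack support for proto=%u\n",
			par->family);
	return ret;
}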
/*
 * connsecmark_tg_destroy - rule teardown hook.
 * @par: destructor parameters; par->family names the l3proto whose module
 *       reference connsecmark_tg_check() acquired.
 *
 * Drops that reference. The target keeps no other per-rule state.
 */
static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
{
	/* Pairs with nf_ct_l3proto_try_module_get() in the check hook. */
	nf_ct_l3proto_module_put(par->family);
}
/*
 * Registration record for the CONNSECMARK target. It is registered once
 * for NFPROTO_UNSPEC rather than per family; the ipt_/ip6t_ MODULE_ALIAS
 * entries above let either iptables flavour autoload the module.
 */
static struct xt_target connsecmark_tg_reg __read_mostly = {
	.name		= "CONNSECMARK",
	.revision	= 0,
	.family		= NFPROTO_UNSPEC,
	.target		= connsecmark_tg,
	.targetsize	= sizeof(struct xt_connsecmark_target_info),
	.checkentry	= connsecmark_tg_check,
	.destroy	= connsecmark_tg_destroy,
	.me		= THIS_MODULE,
};
d3c5ee6d5 [NETFILTER]: x_ta... |
126 |
/*
 * connsecmark_tg_init - module entry: publish the CONNSECMARK target.
 *
 * Return: the result of xt_register_target(); 0 on success.
 */
static int __init connsecmark_tg_init(void)
{
	/* Registration failure is simply propagated to the module loader. */
	return xt_register_target(&connsecmark_tg_reg);
}
/*
 * connsecmark_tg_exit - module exit: withdraw the CONNSECMARK target.
 *
 * Undoes connsecmark_tg_init(); rules still referencing the target hold
 * the module, so by the time this runs none remain.
 */
static void __exit connsecmark_tg_exit(void)
{
	xt_unregister_target(&connsecmark_tg_reg);
}
/* Module load/unload hooks. */
module_init(connsecmark_tg_init);
module_exit(connsecmark_tg_exit);