net/netfilter/xt_CONNSECMARK.c 3.58 KB
  /*
   * This module is used to copy security markings from packets
   * to connections, and restore security markings from connections
   * back to packets.  This would normally be performed in conjunction
   * with the SECMARK target and state match.
   *
   * Based somewhat on CONNMARK:
   *   Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
   *    by Henrik Nordstrom <hno@marasystems.com>
   *
   * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 as
   * published by the Free Software Foundation.
   *
   */
  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  #include <linux/module.h>
  #include <linux/skbuff.h>
  #include <linux/netfilter/x_tables.h>
  #include <linux/netfilter/xt_CONNSECMARK.h>
  #include <net/netfilter/nf_conntrack.h>
  #include <net/netfilter/nf_conntrack_ecache.h>

  MODULE_LICENSE("GPL");
  MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
  MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
  /*
   * The target is registered with .family = NFPROTO_UNSPEC below, so both
   * the IPv4 (ipt_) and IPv6 (ip6t_) names must resolve to this module.
   */
  MODULE_ALIAS("ipt_CONNSECMARK");
  MODULE_ALIAS("ip6t_CONNSECMARK");
  
  /*
   * SAVE direction: label the connection with the packet's security mark.
   * Only acts when the packet carries a mark and the connection has none
   * yet, so the first marked packet fixes the label for the whole flow;
   * later packets with a different mark never relabel it.
   */
  static void secmark_save(const struct sk_buff *skb)
  {
  	enum ip_conntrack_info ctinfo;
  	struct nf_conn *ct;

  	if (!skb->secmark)
  		return;

  	ct = nf_ct_get(skb, &ctinfo);
  	/* No conntrack entry, or one that is already labelled: nothing to copy. */
  	if (ct == NULL || ct->secmark)
  		return;

  	ct->secmark = skb->secmark;
  	/* Queue an IPCT_SECMARK conntrack event for the relabelled entry. */
  	nf_conntrack_event_cache(IPCT_SECMARK, ct);
  }
  
  /*
   * RESTORE direction: label the packet from the connection.  Only
   * unmarked packets are touched, and only when the connection actually
   * carries a label; an existing packet mark is never overwritten.
   */
  static void secmark_restore(struct sk_buff *skb)
  {
  	enum ip_conntrack_info ctinfo;
  	const struct nf_conn *ct;

  	if (skb->secmark)
  		return;

  	ct = nf_ct_get(skb, &ctinfo);
  	if (ct != NULL && ct->secmark)
  		skb->secmark = ct->secmark;
  }
  /*
   * Target hook: dispatch on the configured mode.  Any other mode value is
   * a BUG() here because connsecmark_tg_check() already rejected it when
   * the rule was inserted.  Returns XT_CONTINUE, so the target never
   * terminates rule evaluation on its own.
   */
  static unsigned int
  connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
  {
  	const struct xt_connsecmark_target_info *info = par->targinfo;

  	if (info->mode == CONNSECMARK_SAVE)
  		secmark_save(skb);
  	else if (info->mode == CONNSECMARK_RESTORE)
  		secmark_restore(skb);
  	else
  		BUG();

  	return XT_CONTINUE;
  }
  /*
   * Rule-insertion check.  The target is accepted only in the mangle or
   * security tables and only with a SAVE or RESTORE mode; each rejection
   * logs the offending value and returns -EINVAL.  Once the rule is
   * validated, a reference on the conntrack l3proto module for par->family
   * is taken (released again in connsecmark_tg_destroy()) and that call's
   * result is returned.
   */
  static int connsecmark_tg_check(const struct xt_tgchk_param *par)
  {
  	const struct xt_connsecmark_target_info *info = par->targinfo;
  	int ret;

  	/* Table restriction is checked before the mode so the log order is unchanged. */
  	if (strcmp(par->table, "mangle") && strcmp(par->table, "security")) {
  		pr_info("target only valid in the \'mangle\' "
  			"or \'security\' tables, not \'%s\'.\n", par->table);
  		return -EINVAL;
  	}

  	if (info->mode != CONNSECMARK_SAVE &&
  	    info->mode != CONNSECMARK_RESTORE) {
  		pr_info("invalid mode: %hu\n", info->mode);
  		return -EINVAL;
  	}

  	ret = nf_ct_l3proto_try_module_get(par->family);
  	if (ret < 0)
  		pr_info("cannot load conntrack support for proto=%u\n",
  			par->family);
  	return ret;
  }
  /*
   * Rule-removal hook: drops the l3proto module reference that
   * connsecmark_tg_check() took for the same par->family.
   */
  static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
  {
  	nf_ct_l3proto_module_put(par->family);
  }
  /*
   * Target registration record.  NFPROTO_UNSPEC makes the single
   * registration serve both the ipt_ and ip6t_ aliases declared above.
   */
  static struct xt_target connsecmark_tg_reg __read_mostly = {
  	.name       = "CONNSECMARK",
  	.revision   = 0,
  	.family     = NFPROTO_UNSPEC,
  	.checkentry = connsecmark_tg_check,	/* validates table + mode at insert */
  	.destroy    = connsecmark_tg_destroy,	/* releases the l3proto ref */
  	.target     = connsecmark_tg,		/* per-packet SAVE/RESTORE */
  	.targetsize = sizeof(struct xt_connsecmark_target_info),
  	.me         = THIS_MODULE,
  };
  /* Module entry: registers the CONNSECMARK target; returns xt_register_target()'s result. */
  static int __init connsecmark_tg_init(void)
  {
  	return xt_register_target(&connsecmark_tg_reg);
  }
  /* Module exit: unregisters the target registered in connsecmark_tg_init(). */
  static void __exit connsecmark_tg_exit(void)
  {
  	xt_unregister_target(&connsecmark_tg_reg);
  }
  /* Wire the init/exit routines above into the module lifecycle. */
  module_init(connsecmark_tg_init);
  module_exit(connsecmark_tg_exit);