[mirror_ubuntu-jammy-kernel.git] / net / ipv4 / netfilter / ipt_CONNMARK.c

/* This kernel module is used to modify the connection mark values, or
 * to optionally restore the skb nfmark from the connection mark
 *
 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
 * by Henrik Nordstrom <hno@marasystems.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/checksum.h>

MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
MODULE_DESCRIPTION("IP tables CONNMARK matching module");
MODULE_LICENSE("GPL");

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
#include <net/netfilter/nf_conntrack_compat.h>

static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const void *targinfo,
       void *userinfo)
{
	const struct ipt_connmark_target_info *markinfo = targinfo;
	u_int32_t diff;
	u_int32_t nfmark;
	u_int32_t newmark;
	u_int32_t ctinfo;
	u_int32_t *ctmark = nf_ct_get_mark(*pskb, &ctinfo);

	if (ctmark) {
	    switch(markinfo->mode) {
	    case IPT_CONNMARK_SET:
		newmark = (*ctmark & ~markinfo->mask) | markinfo->mark;
		if (newmark != *ctmark)
		    *ctmark = newmark;
		break;
	    case IPT_CONNMARK_SAVE:
		newmark = (*ctmark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
		if (*ctmark != newmark)
		    *ctmark = newmark;
		break;
	    case IPT_CONNMARK_RESTORE:
		nfmark = (*pskb)->nfmark;
		diff = (*ctmark ^ nfmark) & markinfo->mask;
		if (diff != 0)
		    (*pskb)->nfmark = nfmark ^ diff;
		break;
	    }
	}

	return IPT_CONTINUE;
}

static int
checkentry(const char *tablename,
	   const struct ipt_entry *e,
	   void *targinfo,
	   unsigned int targinfosize,
	   unsigned int hook_mask)
{
	struct ipt_connmark_target_info *matchinfo = targinfo;
	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
		printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
		       targinfosize,
		       IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
		return 0;
	}

	if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
	    if (strcmp(tablename, "mangle") != 0) {
		    printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
		    return 0;
	    }
	}

	if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
		printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
		return 0;
	}

	return 1;
}

static struct ipt_target ipt_connmark_reg = {
	.name = "CONNMARK",
	.target = &target,
	.checkentry = &checkentry,
	.me = THIS_MODULE
};

static int __init init(void)
{
	need_ip_conntrack();
	return ipt_register_target(&ipt_connmark_reg);
}

static void __exit fini(void)
{
	ipt_unregister_target(&ipt_connmark_reg);
}

module_init(init);
module_exit(fini);
Commit	Line	Data
1da177e4 LT	1	/* This kernel module is used to modify the connection mark values, or
	2	* to optionally restore the skb nfmark from the connection mark
	3	*
	4	* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
	5	* by Henrik Nordstrom <hno@marasystems.com>
	6	*
	7	* This program is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License as published by
	9	* the Free Software Foundation; either version 2 of the License, or
	10	* (at your option) any later version.
	11	*
	12	* This program is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	* GNU General Public License for more details.
	16	*
	17	* You should have received a copy of the GNU General Public License
	18	* along with this program; if not, write to the Free Software
	19	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	20	*/
	21	#include <linux/module.h>
	22	#include <linux/skbuff.h>
	23	#include <linux/ip.h>
	24	#include <net/checksum.h>
	25
	26	MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
	27	MODULE_DESCRIPTION("IP tables CONNMARK matching module");
	28	MODULE_LICENSE("GPL");
	29
	30	#include <linux/netfilter_ipv4/ip_tables.h>
	31	#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
9fb9cbb1	32	#include <net/netfilter/nf_conntrack_compat.h>
1da177e4 LT	33
	34	static unsigned int
	35	target(struct sk_buff **pskb,
	36	const struct net_device *in,
	37	const struct net_device *out,
	38	unsigned int hooknum,
	39	const void *targinfo,
	40	void *userinfo)
	41	{
	42	const struct ipt_connmark_target_info *markinfo = targinfo;
bf3a46aa HW	43	u_int32_t diff;
	44	u_int32_t nfmark;
	45	u_int32_t newmark;
9fb9cbb1 YK	46	u_int32_t ctinfo;
9fb9cbb1 YK	47	u_int32_t ctmark = nf_ct_get_mark(pskb, &ctinfo);
1da177e4	48
9fb9cbb1	49	if (ctmark) {
1da177e4 LT	50	switch(markinfo->mode) {
1da177e4 LT	51	case IPT_CONNMARK_SET:
9fb9cbb1 YK	52	newmark = (*ctmark & ~markinfo->mask) \| markinfo->mark;
	53	if (newmark != *ctmark)
	54	*ctmark = newmark;
1da177e4 LT	55	break;
1da177e4 LT	56	case IPT_CONNMARK_SAVE:
9fb9cbb1 YK	57	newmark = (ctmark & ~markinfo->mask) \| ((pskb)->nfmark & markinfo->mask);
	58	if (*ctmark != newmark)
	59	*ctmark = newmark;
1da177e4 LT	60	break;
	61	case IPT_CONNMARK_RESTORE:
	62	nfmark = (*pskb)->nfmark;
9fb9cbb1	63	diff = (*ctmark ^ nfmark) & markinfo->mask;
6869c4d8	64	if (diff != 0)
1da177e4	65	(*pskb)->nfmark = nfmark ^ diff;
1da177e4 LT	66	break;
	67	}
	68	}
	69
	70	return IPT_CONTINUE;
	71	}
	72
	73	static int
	74	checkentry(const char *tablename,
	75	const struct ipt_entry *e,
	76	void *targinfo,
	77	unsigned int targinfosize,
	78	unsigned int hook_mask)
	79	{
	80	struct ipt_connmark_target_info *matchinfo = targinfo;
	81	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
	82	printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
	83	targinfosize,
	84	IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
	85	return 0;
	86	}
	87
	88	if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
	89	if (strcmp(tablename, "mangle") != 0) {
	90	printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
	91	return 0;
	92	}
	93	}
	94
bf3a46aa HW	95	if (matchinfo->mark > 0xffffffff \|\| matchinfo->mask > 0xffffffff) {
	96	printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
	97	return 0;
	98	}
	99
1da177e4 LT	100	return 1;
	101	}
	102
	103	static struct ipt_target ipt_connmark_reg = {
	104	.name = "CONNMARK",
	105	.target = &target,
	106	.checkentry = &checkentry,
	107	.me = THIS_MODULE
	108	};
	109
	110	static int __init init(void)
	111	{
433a4d3b	112	need_ip_conntrack();
1da177e4 LT	113	return ipt_register_target(&ipt_connmark_reg);
	114	}
	115
	116	static void __exit fini(void)
	117	{
	118	ipt_unregister_target(&ipt_connmark_reg);
	119	}
	120
	121	module_init(init);
	122	module_exit(fini);