netfilter: xtables: merge xt_CONNMARK into xt_connmark

#ifndef _XT_CONNMARK_H_target

#define _XT_CONNMARK_H_target

#include <linux/types.h>

/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>

 * by Henrik Nordstrom <hno@marasystems.com>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 */

enum {

	XT_CONNMARK_SET = 0,

	XT_CONNMARK_SAVE,

	XT_CONNMARK_RESTORE

};

struct xt_connmark_tginfo1 {

	__u32 ctmark, ctmask, nfmask;

	__u8 mode;

};

#include <linux/netfilter/xt_connmark.h>

#endif /*_XT_CONNMARK_H_target*/

 * (at your option) any later version.

 */

enum {

	XT_CONNMARK_SET = 0,

	XT_CONNMARK_SAVE,

	XT_CONNMARK_RESTORE

};

struct xt_connmark_tginfo1 {

	__u32 ctmark, ctmask, nfmask;

	__u8 mode;

};

struct xt_connmark_mtinfo1 {

	__u32 mark, mask;

	__u8 invert;

	"Use netfilter MARK value as routing key") and can also be used by

	other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK

	tristate 'ctmark target and match support'

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CONNTRACK_MARK

	---help---

	This option adds the "CONNMARK" target and "connmark" match.

	Netfilter allows you to store a mark value per connection (a.k.a.

	ctmark), similarly to the packet mark (nfmark). Using this

	target and match, you can set and match on this mark.

# alphabetically ordered list of targets

comment "Xtables targets"

	tristate  '"CONNMARK" target support'

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CONNTRACK_MARK

	help

	  This option adds a `CONNMARK' target, which allows one to manipulate

	  the connection mark value.  Similar to the MARK target, but

	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read

	  <file:Documentation/kbuild/modules.txt>.  The module will be called

	  ipt_CONNMARK.  If unsure, say `N'.

	select NETFILTER_XT_CONNMARK

	---help---

	This is a backwards-compat option for the user's convenience

	(e.g. when running oldconfig). It selects

	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK

	tristate '"CONNSECMARK" target support'

	tristate  '"connmark" connection mark match support'

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CONNTRACK_MARK

	help

	  This option adds a `connmark' match, which allows you to match the

	  connection mark value previously set for the session by `CONNMARK'. 

	  If you want to compile it as a module, say M here and read

	  <file:Documentation/kbuild/modules.txt>.  The module will be called

	  ipt_connmark.  If unsure, say `N'.

	select NETFILTER_XT_CONNMARK

	---help---

	This is a backwards-compat option for the user's convenience

	(e.g. when running oldconfig). It selects

	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK

	tristate '"conntrack" connection tracking match support'

# combos

obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o

obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o

# targets

obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o

obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o

obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o

obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o

obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o

obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o

obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o

obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o

obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o

/*

 *	xt_CONNMARK - Netfilter module to modify the connection mark values

 *

 *	Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>

 *	by Henrik Nordstrom <hno@marasystems.com>

 *	Copyright © CC Computer Consultants GmbH, 2007 - 2008

 *	Jan Engelhardt <jengelh@computergmbh.de>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

 */

#include <linux/module.h>

#include <linux/skbuff.h>

#include <linux/ip.h>

#include <net/checksum.h>

MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");

MODULE_DESCRIPTION("Xtables: connection mark modification");

MODULE_LICENSE("GPL");

MODULE_ALIAS("ipt_CONNMARK");

MODULE_ALIAS("ip6t_CONNMARK");

#include <linux/netfilter/x_tables.h>

#include <linux/netfilter/xt_CONNMARK.h>

#include <net/netfilter/nf_conntrack_ecache.h>

static unsigned int

connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)

{

	const struct xt_connmark_tginfo1 *info = par->targinfo;

	enum ip_conntrack_info ctinfo;

	struct nf_conn *ct;

	u_int32_t newmark;

	ct = nf_ct_get(skb, &ctinfo);

	if (ct == NULL)

		return XT_CONTINUE;

	switch (info->mode) {

	case XT_CONNMARK_SET:

		newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;

		if (ct->mark != newmark) {

			ct->mark = newmark;

			nf_conntrack_event_cache(IPCT_MARK, ct);

		}

		break;

	case XT_CONNMARK_SAVE:

		newmark = (ct->mark & ~info->ctmask) ^

		          (skb->mark & info->nfmask);

		if (ct->mark != newmark) {

			ct->mark = newmark;

			nf_conntrack_event_cache(IPCT_MARK, ct);

		}

		break;

	case XT_CONNMARK_RESTORE:

		newmark = (skb->mark & ~info->nfmask) ^

		          (ct->mark & info->ctmask);

		skb->mark = newmark;

		break;

	}

	return XT_CONTINUE;

}

static bool connmark_tg_check(const struct xt_tgchk_param *par)

{

	if (nf_ct_l3proto_try_module_get(par->family) < 0) {

		printk(KERN_WARNING "cannot load conntrack support for "

		       "proto=%u\n", par->family);

		return false;

	}

	return true;

}

static void connmark_tg_destroy(const struct xt_tgdtor_param *par)

{

	nf_ct_l3proto_module_put(par->family);

}

static struct xt_target connmark_tg_reg __read_mostly = {

	.name           = "CONNMARK",

	.revision       = 1,

	.family         = NFPROTO_UNSPEC,

	.checkentry     = connmark_tg_check,

	.target         = connmark_tg,

	.targetsize     = sizeof(struct xt_connmark_tginfo1),

	.destroy        = connmark_tg_destroy,

	.me             = THIS_MODULE,

};

static int __init connmark_tg_init(void)

{

	return xt_register_target(&connmark_tg_reg);

}

static void __exit connmark_tg_exit(void)

{

	xt_unregister_target(&connmark_tg_reg);

}

module_init(connmark_tg_init);

module_exit(connmark_tg_exit);