
Commit 4ecfac31 authored by Lorenzo Colitti, committed by Ian Maund

net: add a sysctl to reflect the fwmark on replies



Kernel-originated IP packets that have no user socket associated
with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
are emitted with a mark of zero. Add a sysctl to make them have
the same mark as the packet they are replying to.

This allows an administrator that wishes to do so to use
mark-based routing, firewalling, etc. for these replies by
marking the original packets inbound.

Tested using user-mode linux:
 - ICMP/ICMPv6 echo replies and errors.
 - TCP RST packets (IPv4 and IPv6).

Change-Id: I6873d973196797bcf32e2e91976df647c7e8b85a
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Git-commit: 5a87fa6a43733e241406e8d62fe28fdc0735bf93
Git-repo: https://android.googlesource.com/kernel/common.git


[imaund@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Ian Maund <imaund@codeaurora.org>
parent 93686b25
+14 −0
@@ -22,6 +22,13 @@ ip_no_pmtu_disc - BOOLEAN
min_pmtu - INTEGER
	default 552 - minimum discovered Path MTU

fwmark_reflect - BOOLEAN
	Controls the fwmark of kernel-generated IPv4 reply packets that are not
	associated with a socket for example, TCP RSTs or ICMP echo replies).
	If unset, these packets have a fwmark of zero. If set, they have the
	fwmark of the packet they are replying to.
	Default: 0

route/max_size - INTEGER
	Maximum number of routes allowed in the kernel.  Increase
	this when using large numbers of interfaces and/or routes.
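Review bot: the parenthetical in the new fwmark_reflect entry is missing its opening parenthesis: `associated with a socket for example, TCP RSTs or ICMP echo replies).` should read `associated with a socket (for example, TCP RSTs or ICMP echo replies).` so that the closing `)` is balanced. The rest of the entry (BOOLEAN type line, tab-indented body, `Default: 0`) matches the layout of the surrounding ip-sysctl.txt entries.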
@@ -1099,6 +1106,13 @@ proxy_ndp - INTEGER
		2 NDP packets are sent to userspace, where a userspace proxy
                  can be implemented

fwmark_reflect - BOOLEAN
	Controls the fwmark of kernel-generated IPv6 reply packets that are not
	associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
	If unset, these packets have a fwmark of zero. If set, they have the
	fwmark of the packet they are replying to.
	Default: 0

conf/interface/*:
	Change special settings per interface.
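Review bot: the same unbalanced parenthesis is copied into the IPv6 entry: `associated with a socket for example, TCP RSTs or ICMPv6 echo replies).` needs `(for example, ...`. Since this text is otherwise identical to the IPv4 entry apart from the protocol name, a short cross-reference ("see fwmark_reflect in the IPv4 section") would keep the two from drifting apart in later edits, but the duplicated wording is also acceptable if the typo is fixed in both places.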

+3 −0
@@ -225,6 +225,9 @@ extern void ipfrag_init(void);

extern void ip_static_sysctl_init(void);

#define IP4_REPLY_MARK(net, mark) \
	((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0)

static inline bool ip_is_fragment(const struct iphdr *iph)
{
	return (iph->frag_off & htons(IP_MF | IP_OFFSET)) != 0;
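Review bot: IP4_REPLY_MARK reads the per-netns `sysctl_fwmark_reflect` on every use, so toggling the sysctl takes effect immediately, but none of the hunks on this page show a caller: the ICMP error/echo-reply and TCP RST paths named in the commit message have to pass the incoming skb's mark through this macro when building the reply, and that part of the change is not visible here, so reflection cannot be confirmed from this page alone. The macro itself is fine: `(mark)` is evaluated at most once in the conditional, so passing an expression such as a field read is safe.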
+3 −0
@@ -111,6 +111,9 @@ struct frag_hdr {

#define	IP6_MF	0x0001

#define IP6_REPLY_MARK(net, mark) \
	((net)->ipv6.sysctl.fwmark_reflect ? (mark) : 0)

#include <net/sock.h>

/* sysctls */
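Review bot: IP6_REPLY_MARK accesses `(net)->ipv6.sysctl.fwmark_reflect` while the IPv4 macro accesses `(net)->ipv4.sysctl_fwmark_reflect`; that asymmetry is not a typo but follows the two netns layouts changed further down (a nested `struct netns_sysctl_ipv6` versus flat `sysctl_` fields in `struct netns_ipv4`), so a one-line comment pointing that out above the macro would save the next reader a trip to netns/ipv6.h. Placing the macro before `#include <net/sock.h>` is harmless because it only dereferences `struct net`.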
+2 −0
@@ -64,6 +64,8 @@ struct netns_ipv4 {

	int sysctl_tcp_ecn;

	int sysctl_fwmark_reflect;

	kgid_t sysctl_ping_group_range[2];
	long sysctl_tcp_mem[3];
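Review bot: the new `int sysctl_fwmark_reflect` field is added to `struct netns_ipv4`, but no hunk on this page adds a ctl_table entry exposing it as a sysctl or sets it explicitly; the documented `Default: 0` therefore relies on the field being zero-initialised along with the rest of the netns. The ctl_table registration should be part of the same commit, otherwise the Documentation hunk above describes a knob that cannot be set from userspace.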

+1 −0
@@ -28,6 +28,7 @@ struct netns_sysctl_ipv6 {
	int ip6_rt_mtu_expires;
	int ip6_rt_min_advmss;
	int icmpv6_time;
	int fwmark_reflect;
};

struct netns_ipv6 {