1 diff -Nurb linux-2.6.27-521/include/linux/netfilter/xt_MARK.h linux-2.6.27-522/include/linux/netfilter/xt_MARK.h
2 --- linux-2.6.27-521/include/linux/netfilter/xt_MARK.h 2008-10-09 18:13:53.000000000 -0400
3 +++ linux-2.6.27-522/include/linux/netfilter/xt_MARK.h 2009-12-10 12:09:35.000000000 -0500
11 struct xt_mark_target_info_v1 {
12 diff -Nurb linux-2.6.27-521/include/linux/netfilter/xt_SETXID.h linux-2.6.27-522/include/linux/netfilter/xt_SETXID.h
13 --- linux-2.6.27-521/include/linux/netfilter/xt_SETXID.h 1969-12-31 19:00:00.000000000 -0500
14 +++ linux-2.6.27-522/include/linux/netfilter/xt_SETXID.h 2009-12-10 12:09:35.000000000 -0500
16 +#ifndef _XT_SETXID_H_target
17 +#define _XT_SETXID_H_target
24 +struct xt_setxid_target_info_v1 {
29 +#endif /*_XT_SETXID_H_target*/
30 diff -Nurb linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_MARK.h
31 --- linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_MARK.h 2008-10-09 18:13:53.000000000 -0400
32 +++ linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_MARK.h 2009-12-10 12:09:35.000000000 -0500
34 #define IPT_MARK_SET XT_MARK_SET
35 #define IPT_MARK_AND XT_MARK_AND
36 #define IPT_MARK_OR XT_MARK_OR
37 +#define IPT_MARK_COPYXID XT_MARK_COPYXID
39 #define ipt_mark_target_info_v1 xt_mark_target_info_v1
41 diff -Nurb linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_SETXID.h linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_SETXID.h
42 --- linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_SETXID.h 1969-12-31 19:00:00.000000000 -0500
43 +++ linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_SETXID.h 2009-12-10 12:09:35.000000000 -0500
45 +#ifndef _IPT_SETXID_H_target
46 +#define _IPT_SETXID_H_target
48 +/* Backwards compatibility for old userspace */
50 +#include <linux/netfilter/xt_SETXID.h>
53 +#define IPT_SET_PACKET_XID XT_SET_PACKET_XID
55 +#define ipt_setxid_target_info_v1 xt_setxid_target_info_v1
57 +#endif /*_IPT_SETXID_H_target*/
58 diff -Nurb linux-2.6.27-521/include/net/netfilter/nf_conntrack.h linux-2.6.27-522/include/net/netfilter/nf_conntrack.h
59 --- linux-2.6.27-521/include/net/netfilter/nf_conntrack.h 2008-10-09 18:13:53.000000000 -0400
60 +++ linux-2.6.27-522/include/net/netfilter/nf_conntrack.h 2009-12-10 12:09:35.000000000 -0500
62 /* Storage reserved for other modules: */
63 union nf_conntrack_proto proto;
65 + /* PLANETLAB. VNET-specific */
66 + int xid[IP_CT_DIR_MAX];
69 struct nf_ct_ext *ext;
71 diff -Nurb linux-2.6.27-521/net/netfilter/Kconfig linux-2.6.27-522/net/netfilter/Kconfig
72 --- linux-2.6.27-521/net/netfilter/Kconfig 2008-10-09 18:13:53.000000000 -0400
73 +++ linux-2.6.27-522/net/netfilter/Kconfig 2009-12-10 12:09:35.000000000 -0500
75 This option adds a "TCPOPTSTRIP" target, which allows you to strip
76 TCP options from TCP packets.
78 +config NETFILTER_XT_TARGET_SETXID
79 + tristate '"SETXID" target support'
80 + depends on NETFILTER_XTABLES
82 + This option adds a `SETXID' target, which allows you to alter the
85 config NETFILTER_XT_MATCH_COMMENT
86 tristate '"comment" match support'
87 depends on NETFILTER_XTABLES
88 diff -Nurb linux-2.6.27-521/net/netfilter/Makefile linux-2.6.27-522/net/netfilter/Makefile
89 --- linux-2.6.27-521/net/netfilter/Makefile 2008-10-09 18:13:53.000000000 -0400
90 +++ linux-2.6.27-522/net/netfilter/Makefile 2009-12-10 12:09:35.000000000 -0500
92 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
95 +obj-$(CONFIG_NETFILTER_XT_TARGET_SETXID) += xt_SETXID.o
96 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
97 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
98 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
99 diff -Nurb linux-2.6.27-521/net/netfilter/nf_conntrack_core.c linux-2.6.27-522/net/netfilter/nf_conntrack_core.c
100 --- linux-2.6.27-521/net/netfilter/nf_conntrack_core.c 2008-10-09 18:13:53.000000000 -0400
101 +++ linux-2.6.27-522/net/netfilter/nf_conntrack_core.c 2009-12-10 12:09:35.000000000 -0500
103 /* Overload tuple linked list to put us in unconfirmed list. */
104 hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
106 + ct->xid[IP_CT_DIR_ORIGINAL] = -1;
107 + ct->xid[IP_CT_DIR_REPLY] = -1;
109 spin_unlock_bh(&nf_conntrack_lock);
112 diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilter/xt_MARK.c
113 --- linux-2.6.27-521/net/netfilter/xt_MARK.c 2008-10-09 18:13:53.000000000 -0400
114 +++ linux-2.6.27-522/net/netfilter/xt_MARK.c 2009-12-16 01:39:55.000000000 -0500
116 #include <linux/module.h>
117 #include <linux/skbuff.h>
118 #include <linux/ip.h>
119 +#include <net/udp.h>
120 #include <net/checksum.h>
121 +#include <net/route.h>
122 +#include <net/inet_hashtables.h>
123 +#include <net/net_namespace.h>
125 +#include <net/netfilter/nf_conntrack.h>
127 #include <linux/netfilter/x_tables.h>
128 #include <linux/netfilter/xt_MARK.h>
130 MODULE_ALIAS("ipt_MARK");
131 MODULE_ALIAS("ip6t_MARK");
133 +extern DEFINE_PER_CPU(int, sknid_elevator);
136 mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
137 const struct net_device *out, unsigned int hooknum,
142 +#define PEERCRED_SET(x) ((x!=0) && (x!=(unsigned int)-1))
145 +static inline u_int16_t
146 +get_dst_port(struct nf_conntrack_tuple *tuple)
148 + switch (tuple->dst.protonum) {
150 + /* XXX Truncate 32-bit GRE key to 16 bits */
151 + return tuple->dst.u.gre.key;
153 + /* Bind on ICMP echo ID */
154 + return tuple->src.u.icmp.id;
156 + return tuple->dst.u.tcp.port;
158 + return tuple->dst.u.udp.port;
160 + return tuple->dst.u.all;
164 +static inline u_int16_t
165 +get_src_port(struct nf_conntrack_tuple *tuple)
167 + switch (tuple->dst.protonum) {
169 + /* XXX Truncate 32-bit GRE key to 16 bits */
170 + return htons(ntohl(tuple->src.u.gre.key));
172 + /* Bind on ICMP echo ID */
173 + return tuple->src.u.icmp.id;
175 + return tuple->src.u.tcp.port;
177 + return tuple->src.u.udp.port;
179 + return tuple->src.u.all;
183 +static struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr,
184 + __be16 sport, __be32 daddr, __be16 dport,
185 + int dif, struct hlist_head udptable[])
187 + struct sock *sk, *result = NULL;
188 + struct hlist_node *node;
189 + unsigned short hnum = ntohs(dport);
192 + read_lock(&udp_hash_lock);
193 + sk_for_each(sk, node, &udptable[udp_hashfn(net, hnum)]) {
194 + struct inet_sock *inet = inet_sk(sk);
196 + if (net_eq(sock_net(sk), net) && sk->sk_hash == hnum &&
197 + !ipv6_only_sock(sk)) {
198 + int score = (sk->sk_family == PF_INET ? 1 : 0);
200 + if (inet->rcv_saddr) {
201 + if (inet->rcv_saddr != daddr)
205 + /* block non nx_info ips */
206 + if (!v4_addr_in_nx_info(sk->sk_nx_info,
207 + daddr, NXA_MASK_BIND))
211 + if (inet->daddr != saddr)
216 + if (inet->dport != sport)
220 + if (sk->sk_bound_dev_if) {
221 + if (sk->sk_bound_dev_if != dif)
228 + } else if (score > badness) {
237 + read_unlock(&udp_hash_lock);
244 mark_tg(struct sk_buff *skb, const struct net_device *in,
245 const struct net_device *out, unsigned int hooknum,
246 const struct xt_target *target, const void *targinfo)
248 const struct xt_mark_tginfo2 *info = targinfo;
250 + enum ip_conntrack_info ctinfo;
251 + struct sock *connection_sk;
253 + struct nf_conn *ct;
254 + extern struct inet_hashinfo tcp_hashinfo;
255 + enum ip_conntrack_dir dir;
259 + u_int16_t proto, src_port;
264 + if (info->mark == ~0U) {
265 + // As of 2.6.27.39, Dec 8 2009,
266 + // NetNS + VNET = Trouble
267 + // Let's handle this as a special case
268 + struct net *net = dev_net(skb->dev);
269 + if (!net_eq(net, &init_net)) {
272 + return XT_CONTINUE;
276 + dif = ((struct rtable *)(skb->dst))->rt_iif;
278 + ct = nf_ct_get(skb, &ctinfo);
280 + goto out_mark_finish;
282 + dir = CTINFO2DIR(ctinfo);
283 + src_ip = ct->tuplehash[dir].tuple.src.u3.ip;
284 + dst_ip = ct->tuplehash[dir].tuple.dst.u3.ip;
285 + src_port = get_src_port(&ct->tuplehash[dir].tuple);
286 + proto = ct->tuplehash[dir].tuple.dst.protonum;
288 + ip = ct->tuplehash[dir].tuple.dst.u3.ip;
289 + port = get_dst_port(&ct->tuplehash[dir].tuple);
293 + /* The packet is marked, it's going out */
294 + ct->xid[0] = skb->mark;
296 + if (ct->xid[0] > 0)
299 + else if (proto == 17) {
302 + sk = __udp4_lib_lookup(net,src_ip, src_port,
303 + ip, port, dif, udp_hash);
305 + if (sk && hooknum == NF_INET_LOCAL_IN)
311 + else if (skb->mark > 0)
312 + /* The packet is marked, it's going out */
313 + ct->xid[0] = skb->mark;
315 + else if (proto == 6) /* TCP */{
316 + int sockettype = 0; /* Established socket */
318 + /* Looks for an established socket or a listening
319 + socket corresponding to the 4-tuple, in that order.
320 + The order is important for Codemux connections
321 + to be handled properly */
323 + connection_sk = inet_lookup_established(net,
324 + &tcp_hashinfo, src_ip, src_port, ip, port, dif);
326 + if (!connection_sk) {
327 + connection_sk = inet_lookup_listener(net,
328 + &tcp_hashinfo, ip, port, dif);
329 + sockettype = 1; /* Listening socket */
332 + if (connection_sk) {
333 + if (connection_sk->sk_state == TCP_TIME_WAIT) {
334 + inet_twsk_put(inet_twsk(connection_sk));
335 + goto out_mark_finish;
338 + /* The peercred is not set. We set it if the other side has an xid. */
339 + if (!PEERCRED_SET(connection_sk->sk_peercred.uid)
340 + && ct->xid[!dir] > 0 && (sockettype == 0)) {
341 + connection_sk->sk_peercred.gid =
342 + connection_sk->sk_peercred.uid = ct->xid[!dir];
345 + /* The peercred is set, and is not equal to the XID of 'the other side' */
346 + else if (PEERCRED_SET(connection_sk->sk_peercred.uid) &&
347 + (connection_sk->sk_peercred.uid != ct->xid[!dir]) &&
348 + (sockettype == 0)) {
349 + mark = connection_sk->sk_peercred.uid;
352 + /* Has this connection already been tagged? */
353 + if (ct->xid[dir] < 1) {
354 + /* No - let's tag it */
355 + ct->xid[dir]=connection_sk->sk_nid;
358 + if (mark == -1 && (ct->xid[dir] != 0))
359 + mark = ct->xid[dir];
361 + sock_put(connection_sk);
364 + /* All else failed. Is this a connection over raw sockets?
365 + That explains why we couldn't get anything out of skb->sk,
366 + or look up a "real" connection. */
367 + if (ct->xid[dir] < 1) {
369 + ct->xid[dir] = skb->skb_tag;
372 + /* Covers CoDemux case */
373 + if (mark < 1 && (ct->xid[dir] > 0))
374 + mark = ct->xid[dir];
376 + if (mark < 1 && (ct->xid[!dir] > 0))
377 + mark = ct->xid[!dir];
378 + goto out_mark_finish;
382 + mark = (skb->mark & ~info->mask) ^ info->mark;
388 + curtag = &__get_cpu_var(sknid_elevator);
389 + if (mark > 0 && *curtag == -2 && hooknum == NF_INET_LOCAL_IN)
392 - skb->mark = (skb->mark & ~info->mask) ^ info->mark;
396 diff -Nurb linux-2.6.27-521/net/netfilter/xt_SETXID.c linux-2.6.27-522/net/netfilter/xt_SETXID.c
397 --- linux-2.6.27-521/net/netfilter/xt_SETXID.c 1969-12-31 19:00:00.000000000 -0500
398 +++ linux-2.6.27-522/net/netfilter/xt_SETXID.c 2009-12-10 12:09:35.000000000 -0500
400 +#include <linux/module.h>
401 +#include <linux/skbuff.h>
402 +#include <linux/ip.h>
403 +#include <net/checksum.h>
404 +#include <linux/vs_network.h>
406 +#include <linux/netfilter/x_tables.h>
407 +#include <linux/netfilter/xt_SETXID.h>
409 +MODULE_LICENSE("GPL");
411 +MODULE_DESCRIPTION("");
412 +MODULE_ALIAS("ipt_SETXID");
415 +target_v1(struct sk_buff **pskb,
416 + const struct net_device *in,
417 + const struct net_device *out,
418 + unsigned int hooknum,
419 + const struct xt_target *target,
420 + const void *targinfo)
422 + const struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
424 + switch (setxidinfo->mode) {
425 + case XT_SET_PACKET_XID:
426 + (*pskb)->skb_tag = setxidinfo->mark;
429 + return XT_CONTINUE;
434 +checkentry_v1(const char *tablename,
436 + const struct xt_target *target,
438 + unsigned int hook_mask)
440 + struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
442 + if (setxidinfo->mode != XT_SET_PACKET_XID) {
443 + printk(KERN_WARNING "SETXID: unknown mode %u\n",
451 +static struct xt_target xt_setxid_target[] = {
456 + .checkentry = checkentry_v1,
457 + .target = target_v1,
458 + .targetsize = sizeof(struct xt_setxid_target_info_v1),
464 +static int __init init(void)
468 + err = xt_register_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));
472 +static void __exit fini(void)
474 + xt_unregister_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));