-commit 39e1cee3184d275fa3ec4122de39b90d0d8e9bf4
-Author: root <root@rhel6.(none)>
-Date: Thu Apr 29 19:59:33 2010 -0400
+From 1d251758b9daeb60cc5afa5ce5aa725cf5ca84a7 Mon Sep 17 00:00:00 2001
+From: S.Çağlar Onur <caglar@cs.princeton.edu>
+Date: Tue, 7 Dec 2010 11:06:57 -0500
+Subject: [PATCH] linux-2.6-522-iptables-connection-tagging.patch
- linux-2.6-522-iptables-connection-tagging.patch
+---
+ include/linux/netfilter/xt_SETXID.h | 13 ++
+ include/net/netfilter/nf_conntrack.h | 3 +
+ net/netfilter/Kconfig | 7 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 3 +
+ net/netfilter/xt_MARK.c | 267 +++++++++++++++++++++++++++++++++-
+ net/netfilter/xt_SETXID.c | 77 ++++++++++
+ 7 files changed, 364 insertions(+), 7 deletions(-)
+ create mode 100644 include/linux/netfilter/xt_SETXID.h
+ create mode 100644 net/netfilter/xt_SETXID.c
diff --git a/include/linux/netfilter/xt_SETXID.h b/include/linux/netfilter/xt_SETXID.h
new file mode 100644
struct nf_ct_ext *ext;
#ifdef CONFIG_NET_NS
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
-index 634d14a..a2872f5 100644
+index 7bee9d4..ad362a5 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
-@@ -543,6 +543,13 @@ config NETFILTER_XT_MATCH_CLUSTER
+@@ -567,6 +567,13 @@ config NETFILTER_XT_MATCH_CLUSTER
If you say Y or M here, try `iptables -m cluster --help` for
more information.
tristate '"comment" match support'
depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
-index 49f62ee..820655e 100644
+index da71137..adfbdea 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
-@@ -41,6 +41,7 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
+@@ -44,6 +44,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
# targets
+ obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SETXID) += xt_SETXID.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) += xt_CHECKSUM.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index 1e1df20..144e131 100644
+index 1374179..0f9464c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
-@@ -673,6 +673,9 @@ init_conntrack(struct net *net,
+@@ -677,6 +677,9 @@ init_conntrack(struct net *net,
hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode,
&net->ct.unconfirmed);
if (exp) {
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
-index 225f8d1..7513997 100644
+index 225f8d1..6cb5101 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -13,7 +13,13 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_MARK.h>
-@@ -24,22 +30,267 @@ MODULE_DESCRIPTION("Xtables: packet mark modification");
+@@ -24,22 +30,269 @@ MODULE_DESCRIPTION("Xtables: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
+
+static struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr,
+ __be16 sport, __be32 daddr, __be16 dport,
-+ int dif, struct hlist_head udptable[])
++ int dif, struct udp_table *udptable)
+{
+ struct sock *sk, *result = NULL;
-+ struct hlist_node *node;
++ struct hlist_nulls_node *node;
+ unsigned short hnum = ntohs(dport);
++ unsigned int hash = udp_hashfn(net, hnum);
++ struct udp_hslot *hslot = &udptable->hash[hash];
+ int badness = -1;
+
+ rcu_read_lock();
-+ sk_for_each_rcu(sk, node, &udptable[udp_hashfn(net, hnum)]) {
++ sk_nulls_for_each_rcu(sk, node, &hslot->head) {
+ struct inet_sock *inet = inet_sk(sk);
+
+ if (net_eq(sock_net(sk), net) && sk->sk_hash == hnum &&
+ }
+
+ /* copy-xid */
-+ dif = ((struct rtable *)(skb->dst))->rt_iif;
++ dif = ((struct rtable *)(skb_dst(skb)))->rt_iif;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (!ct)
+ struct sock *sk;
+ if (!skb->mark) {
+ sk = __udp4_lib_lookup(net, src_ip, src_port,
-+ ip, port, dif, udp_hash);
++ ip, port, dif, &udp_table);
+
-+ if (sk && hooknum == NF_INET_LOCAL_IN)
++ if (sk && par->hooknum == NF_INET_LOCAL_IN)
+ mark = sk->sk_nid;
+
+ if (sk)
+ skb->mark = mark;
+
+ curtag = &__get_cpu_var(sknid_elevator);
-+ if (mark > 0 && *curtag == -2 && hooknum == NF_INET_LOCAL_IN)
++ if (mark > 0 && *curtag == -2 && par->hooknum == NF_INET_LOCAL_IN)
+ *curtag = mark;
- skb->mark = (skb->mark & ~info->mask) ^ info->mark;
static int __init mark_tg_init(void)
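Review bot: `dif = ((struct rtable *)(skb_dst(skb)))->rt_iif;` dereferences the dst entry without a NULL check, and the `par->hooknum == NF_INET_LOCAL_IN` tests a few lines further down suggest the target also runs at hooks where no dst has been attached yet (before the routing decision), where this would oops on the first matching packet; a guard such as `struct rtable *rt = skb_rtable(skb);` followed by `dif = rt ? rt->rt_iif : 0;` keeps the lookup going with "any interface" instead (skb_rtable() appeared alongside skb_dst() in the kernels this rebase targets — confirm). The `sk` returned by the local `__udp4_lib_lookup` copy is then read (`sk->sk_nid`) with no `sock_put()` in view: if the copy takes a reference like the kernel's own helper does, that reference leaks on every packet; if it does not, the socket may already be gone once the lookup's rcu_read_unlock() has run — the elided tail of the lookup decides which, and it is worth checking. Naming the static helper `__udp4_lib_lookup` shadows the exported kernel symbol of the same name and uses an implementation-reserved prefix; a module-local name such as `mark_udp4_lookup` would avoid confusion in backtraces. The enclosing target function starts and ends outside the hunk.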
diff --git a/net/netfilter/xt_SETXID.c b/net/netfilter/xt_SETXID.c
new file mode 100644
-index 0000000..f8553c5
+index 0000000..4f25a19
--- /dev/null
+++ b/net/netfilter/xt_SETXID.c
@@ -0,0 +1,77 @@
+MODULE_ALIAS("ipt_SETXID");
+
+static unsigned int
-+target_v2(struct sk_buff **pskb,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ unsigned int hooknum,
-+ const struct xt_target *target, const void *targinfo)
++target_v2(struct sk_buff *skb,
++ const struct xt_target_param *par)
++
++
++
+{
-+ const struct xt_setxid_target_info_v2 *setxidinfo = targinfo;
++ const struct xt_setxid_target_info_v2 *setxidinfo = par->targinfo;
+
+ switch (setxidinfo->mode) {
+ case XT_SET_PACKET_XID:
-+ (*pskb)->skb_tag = setxidinfo->mark;
++ skb->skb_tag = setxidinfo->mark;
+ break;
+ }
+ return XT_CONTINUE;
+}
+
-+static int
-+checkentry_v2(const char *tablename,
-+ const void *entry,
-+ const struct xt_target *target,
-+ void *targinfo, unsigned int hook_mask)
++static bool
++checkentry_v2(const struct xt_tgchk_param *par)
++
++
++
+{
-+ struct xt_setxid_target_info_v2 *setxidinfo = targinfo;
++ struct xt_setxid_target_info_v2 *setxidinfo = par->targinfo;
+
+ if (setxidinfo->mode != XT_SET_PACKET_XID) {
+ printk(KERN_WARNING "SETXID: unknown mode %u\n",