1 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter/xt_MARK.h linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter/xt_MARK.h
2 --- linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter/xt_MARK.h 2008-07-13 23:51:29.000000000 +0200
3 +++ linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter/xt_MARK.h 2009-01-12 01:18:23.000000000 +0100
4 @@ -11,6 +11,7 @@ enum {
11 struct xt_mark_target_info_v1 {
12 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter/xt_SETXID.h linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter/xt_SETXID.h
13 --- linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter/xt_SETXID.h 1970-01-01 01:00:00.000000000 +0100
14 +++ linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter/xt_SETXID.h 2009-01-12 01:18:23.000000000 +0100
16 +#ifndef _XT_SETXID_H_target
17 +#define _XT_SETXID_H_target
24 +struct xt_setxid_target_info_v1 {
29 +#endif /*_XT_SETXID_H_target*/
30 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter_ipv4/ipt_MARK.h
31 --- linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter_ipv4/ipt_MARK.h 2008-07-13 23:51:29.000000000 +0200
32 +++ linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter_ipv4/ipt_MARK.h 2009-01-12 01:18:23.000000000 +0100
34 #define IPT_MARK_SET XT_MARK_SET
35 #define IPT_MARK_AND XT_MARK_AND
36 #define IPT_MARK_OR XT_MARK_OR
37 +#define IPT_MARK_COPYXID XT_MARK_COPYXID
39 #define ipt_mark_target_info_v1 xt_mark_target_info_v1
41 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter_ipv4/ipt_SETXID.h linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter_ipv4/ipt_SETXID.h
42 --- linux-2.6.27.10-vs2.3.x-P/include/linux/netfilter_ipv4/ipt_SETXID.h 1970-01-01 01:00:00.000000000 +0100
43 +++ linux-2.6.27.10-vs2.3.x-P522/include/linux/netfilter_ipv4/ipt_SETXID.h 2009-01-12 01:18:23.000000000 +0100
45 +#ifndef _IPT_SETXID_H_target
46 +#define _IPT_SETXID_H_target
48 +/* Backwards compatibility for old userspace */
50 +#include <linux/netfilter/xt_SETXID.h>
53 +#define IPT_SET_PACKET_XID XT_SET_PACKET_XID
55 +#define ipt_setxid_target_info_v1 xt_setxid_target_info_v1
57 +#endif /*_IPT_SETXID_H_target*/
58 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/include/net/netfilter/nf_conntrack.h linux-2.6.27.10-vs2.3.x-P522/include/net/netfilter/nf_conntrack.h
59 --- linux-2.6.27.10-vs2.3.x-P/include/net/netfilter/nf_conntrack.h 2008-10-13 14:52:09.000000000 +0200
60 +++ linux-2.6.27.10-vs2.3.x-P522/include/net/netfilter/nf_conntrack.h 2009-01-12 01:59:20.000000000 +0100
61 @@ -121,6 +121,9 @@ struct nf_conn
62 /* Storage reserved for other modules: */
63 union nf_conntrack_proto proto;
65 + /* PLANETLAB. VNET-specific */
66 + int xid[IP_CT_DIR_MAX];
69 struct nf_ct_ext *ext;
71 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/net/netfilter/Kconfig linux-2.6.27.10-vs2.3.x-P522/net/netfilter/Kconfig
72 --- linux-2.6.27.10-vs2.3.x-P/net/netfilter/Kconfig 2008-10-13 14:52:09.000000000 +0200
73 +++ linux-2.6.27.10-vs2.3.x-P522/net/netfilter/Kconfig 2009-01-12 01:18:23.000000000 +0100
74 @@ -477,6 +477,13 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
75 This option adds a "TCPOPTSTRIP" target, which allows you to strip
76 TCP options from TCP packets.
78 +config NETFILTER_XT_TARGET_SETXID
79 + tristate '"SETXID" target support'
80 + depends on NETFILTER_XTABLES
82 + This option adds a `SETXID' target, which allows you to alter the
85 config NETFILTER_XT_MATCH_COMMENT
86 tristate '"comment" match support'
87 depends on NETFILTER_XTABLES
88 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/net/netfilter/Makefile linux-2.6.27.10-vs2.3.x-P522/net/netfilter/Makefile
89 --- linux-2.6.27.10-vs2.3.x-P/net/netfilter/Makefile 2008-10-13 14:52:09.000000000 +0200
90 +++ linux-2.6.27.10-vs2.3.x-P522/net/netfilter/Makefile 2009-01-12 01:18:23.000000000 +0100
91 @@ -38,6 +38,7 @@ obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_co
92 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
95 +obj-$(CONFIG_NETFILTER_XT_TARGET_SETXID) += xt_SETXID.o
96 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
97 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
98 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
99 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/net/netfilter/nf_conntrack_core.c linux-2.6.27.10-vs2.3.x-P522/net/netfilter/nf_conntrack_core.c
100 --- linux-2.6.27.10-vs2.3.x-P/net/netfilter/nf_conntrack_core.c 2008-10-13 14:52:09.000000000 +0200
101 +++ linux-2.6.27.10-vs2.3.x-P522/net/netfilter/nf_conntrack_core.c 2009-01-12 02:01:55.000000000 +0100
102 @@ -595,6 +595,9 @@ init_conntrack(const struct nf_conntrack
103 /* Overload tuple linked list to put us in unconfirmed list. */
104 hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
106 + conntrack->xid[IP_CT_DIR_ORIGINAL] = -1;
107 + conntrack->xid[IP_CT_DIR_REPLY] = -1;
109 spin_unlock_bh(&nf_conntrack_lock);
112 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/net/netfilter/xt_MARK.c linux-2.6.27.10-vs2.3.x-P522/net/netfilter/xt_MARK.c
113 --- linux-2.6.27.10-vs2.3.x-P/net/netfilter/xt_MARK.c 2008-07-13 23:51:29.000000000 +0200
114 +++ linux-2.6.27.10-vs2.3.x-P522/net/netfilter/xt_MARK.c 2009-01-12 02:20:38.000000000 +0100
116 * This program is free software; you can redistribute it and/or modify
117 * it under the terms of the GNU General Public License version 2 as
118 * published by the Free Software Foundation.
122 #include <linux/module.h>
123 +#include <linux/version.h>
124 #include <linux/skbuff.h>
125 #include <linux/ip.h>
126 +#include <net/udp.h>
127 #include <net/checksum.h>
128 +#include <net/route.h>
129 +#include <net/inet_hashtables.h>
131 +#include <net/netfilter/nf_conntrack.h>
132 #include <linux/netfilter/x_tables.h>
133 #include <linux/netfilter/xt_MARK.h>
135 @@ -24,6 +30,50 @@ MODULE_DESCRIPTION("Xtables: packet mark
136 MODULE_ALIAS("ipt_MARK");
137 MODULE_ALIAS("ip6t_MARK");
139 +#define PEERCRED_SET(x) ((x!=0) && (x!=(unsigned int)-1))
141 +static inline u_int16_t
142 +get_dst_port(struct nf_conntrack_tuple *tuple)
144 + switch (tuple->dst.protonum) {
146 + /* XXX Truncate 32-bit GRE key to 16 bits */
147 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,11)
148 + return tuple->dst.u.gre.key;
150 + return htons(ntohl(tuple->dst.u.gre.key));
153 + /* Bind on ICMP echo ID */
154 + return tuple->src.u.icmp.id;
156 + return tuple->dst.u.tcp.port;
158 + return tuple->dst.u.udp.port;
160 + return tuple->dst.u.all;
164 +static inline u_int16_t
165 +get_src_port(struct nf_conntrack_tuple *tuple)
167 + switch (tuple->dst.protonum) {
169 + /* XXX Truncate 32-bit GRE key to 16 bits */
170 + return htons(ntohl(tuple->src.u.gre.key));
172 + /* Bind on ICMP echo ID */
173 + return tuple->src.u.icmp.id;
175 + return tuple->src.u.tcp.port;
177 + return tuple->src.u.udp.port;
179 + return tuple->src.u.all;
184 mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
185 const struct net_device *out, unsigned int hooknum,
186 @@ -35,13 +85,88 @@ mark_tg_v0(struct sk_buff *skb, const st
190 +extern DEFINE_PER_CPU(int, sknid_elevator);
192 +static struct sock *__udp4_lib_lookup(__be32 saddr, __be16 sport,
193 + __be32 daddr, __be16 dport,
194 + int dif, struct hlist_head udptable[])
196 + struct sock *sk, *result = NULL;
197 + struct hlist_node *node;
198 + unsigned short hnum = ntohs(dport);
201 + read_lock(&udp_hash_lock);
203 + sk_for_each(sk, node, &udptable[hnum & (UDP_HTABLE_SIZE - 1)]) {
204 + struct inet_sock *inet = inet_sk(sk);
206 + if (sk->sk_hash == hnum && !ipv6_only_sock(sk)) {
207 + int score = (sk->sk_family == PF_INET ? 1 : 0);
209 + if (inet->rcv_saddr) {
210 + if (inet->rcv_saddr != daddr)
214 + /* block non nx_info ips */
215 + if (!v4_addr_in_nx_info(sk->sk_nx_info,
216 + daddr, NXA_MASK_BIND))
220 + if (inet->daddr != saddr)
225 + if (inet->dport != sport)
229 + if (sk->sk_bound_dev_if) {
230 + if (sk->sk_bound_dev_if != dif)
237 + } else if (score > badness) {
246 + read_unlock(&udp_hash_lock);
250 +#define related(ct) (ct==(IP_CT_IS_REPLY + IP_CT_RELATED))
253 mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
254 const struct net_device *out, unsigned int hooknum,
255 const struct xt_target *target, const void *targinfo)
257 const struct xt_mark_target_info_v1 *markinfo = targinfo;
259 + enum ip_conntrack_info ctinfo;
260 + struct sock *connection_sk;
262 + struct nf_conn *ct;
263 + extern struct inet_hashinfo tcp_hashinfo;
264 + enum ip_conntrack_dir dir;
268 + u_int16_t proto, src_port;
274 switch (markinfo->mode) {
276 @@ -55,9 +180,119 @@ mark_tg_v1(struct sk_buff *skb, const st
278 mark = skb->mark | markinfo->mark;
281 + case XT_MARK_COPYXID:
282 + dif = ((struct rtable *)(*pskb)->dst)->rt_iif;
284 + ct = nf_ct_get((*pskb), &ctinfo);
288 + dir = CTINFO2DIR(ctinfo);
289 + src_ip = ct->tuplehash[dir].tuple.src.u3.ip;
290 + dst_ip = ct->tuplehash[dir].tuple.dst.u3.ip;
291 + src_port = get_src_port(&ct->tuplehash[dir].tuple);
292 + proto = ct->tuplehash[dir].tuple.dst.protonum;
294 + ip = ct->tuplehash[dir].tuple.dst.u3.ip;
295 + port = get_dst_port(&ct->tuplehash[dir].tuple);
298 + if ((*pskb)->mark > 0)
299 + /* The packet is marked, it's going out */
300 + ct->xid[0] = (*pskb)->mark;
302 + if (ct->xid[0] > 0)
305 + else if (proto == 17) {
307 + if (!(*pskb)->mark) {
308 + sk = __udp4_lib_lookup(src_ip, src_port,
309 + ip, port, dif, udp_hash);
311 + if (sk && hooknum == NF_IP_LOCAL_IN)
317 + else if ((*pskb)->mark > 0)
318 + /* The packet is marked, it's going out */
319 + ct->xid[0] = (*pskb)->mark;
321 + else if (proto == 6) /* TCP */{
322 + int sockettype = 0; /* Established socket */
324 + /* Looks for an established socket or a listening
325 + socket corresponding to the 4-tuple, in that order.
326 + The order is important for Codemux connections
327 + to be handled properly */
329 + connection_sk = inet_lookup_established(&tcp_hashinfo,
330 + src_ip, src_port, ip, port, dif);
332 + if (!connection_sk) {
333 + connection_sk = inet_lookup_listener(&tcp_hashinfo,
335 + sockettype = 1; /* Listening socket */
338 + if (connection_sk) {
339 + /* The peercred is not set. We set it if the other side has an xid. */
340 + if (!PEERCRED_SET(connection_sk->sk_peercred.uid)
341 + && ct->xid[!dir] > 0 && (sockettype == 0)) {
342 + connection_sk->sk_peercred.gid =
343 + connection_sk->sk_peercred.uid = ct->xid[!dir];
346 + /* The peercred is set, and is not equal to the XID of 'the other side' */
347 + else if (PEERCRED_SET(connection_sk->sk_peercred.uid) &&
348 + (connection_sk->sk_peercred.uid != ct->xid[!dir]) &&
349 + (sockettype == 0)) {
350 + mark = connection_sk->sk_peercred.uid;
353 + /* Has this connection already been tagged? */
354 + if (ct->xid[dir] < 1) {
355 + /* No - let's tag it */
356 + ct->xid[dir]=connection_sk->sk_nid;
359 + if (mark == -1 && (ct->xid[dir] != 0))
360 + mark = ct->xid[dir];
362 + if (connection_sk->sk_state == TCP_TIME_WAIT) {
363 + inet_twsk_put(inet_twsk(connection_sk));
366 + sock_put(connection_sk);
369 + /* All else failed. Is this a connection over raw sockets?
370 + That explains why we couldn't get anything out of skb->sk,
371 + or look up a "real" connection. */
372 + if (ct->xid[dir] < 1) {
373 + if ((*pskb)->skb_tag)
374 + ct->xid[dir] = (*pskb)->skb_tag;
377 + /* Covers CoDemux case */
378 + if (mark < 1 && (ct->xid[dir] > 0))
379 + mark = ct->xid[dir];
381 + if (mark < 1 && (ct->xid[!dir] > 0))
382 + mark = ct->xid[!dir];
389 + curtag = &__get_cpu_var(sknid_elevator);
390 + if (mark > 0 && *curtag == -2 && hooknum == NF_IP_LOCAL_IN)
397 @@ -95,7 +330,8 @@ mark_tg_check_v1(const char *tablename,
399 if (markinfo->mode != XT_MARK_SET
400 && markinfo->mode != XT_MARK_AND
401 - && markinfo->mode != XT_MARK_OR) {
402 + && markinfo->mode != XT_MARK_OR
403 + && markinfo->mode != XT_MARK_COPYXID) {
404 printk(KERN_WARNING "MARK: unknown mode %u\n",
407 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-P/net/netfilter/xt_SETXID.c linux-2.6.27.10-vs2.3.x-P522/net/netfilter/xt_SETXID.c
408 --- linux-2.6.27.10-vs2.3.x-P/net/netfilter/xt_SETXID.c 1970-01-01 01:00:00.000000000 +0100
409 +++ linux-2.6.27.10-vs2.3.x-P522/net/netfilter/xt_SETXID.c 2009-01-12 01:18:23.000000000 +0100
411 +#include <linux/module.h>
412 +#include <linux/skbuff.h>
413 +#include <linux/ip.h>
414 +#include <net/checksum.h>
415 +#include <linux/vs_network.h>
417 +#include <linux/netfilter/x_tables.h>
418 +#include <linux/netfilter/xt_SETXID.h>
420 +MODULE_LICENSE("GPL");
422 +MODULE_DESCRIPTION("");
423 +MODULE_ALIAS("ipt_SETXID");
426 +target_v1(struct sk_buff **pskb,
427 + const struct net_device *in,
428 + const struct net_device *out,
429 + unsigned int hooknum,
430 + const struct xt_target *target,
431 + const void *targinfo)
433 + const struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
435 + switch (setxidinfo->mode) {
436 + case XT_SET_PACKET_XID:
437 + (*pskb)->skb_tag = setxidinfo->mark;
440 + return XT_CONTINUE;
445 +checkentry_v1(const char *tablename,
447 + const struct xt_target *target,
449 + unsigned int hook_mask)
451 + struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
453 + if (setxidinfo->mode != XT_SET_PACKET_XID) {
454 + printk(KERN_WARNING "SETXID: unknown mode %u\n",
462 +static struct xt_target xt_setxid_target[] = {
467 + .checkentry = checkentry_v1,
468 + .target = target_v1,
469 + .targetsize = sizeof(struct xt_setxid_target_info_v1),
475 +static int __init init(void)
479 + err = xt_register_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));
483 +static void __exit fini(void)
485 + xt_unregister_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));
492 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-02.0/net/netfilter/nf_conntrack_core.c linux-2.6.27.10-vs2.3.x-PS-02.1/net/netfilter/nf_conntrack_core.c
493 --- linux-2.6.27.10-vs2.3.x-PS-02.0/net/netfilter/nf_conntrack_core.c 2009-01-25 02:29:31.000000000 +0100
494 +++ linux-2.6.27.10-vs2.3.x-PS-02.1/net/netfilter/nf_conntrack_core.c 2009-01-24 23:22:04.000000000 +0100
495 @@ -595,8 +595,8 @@ init_conntrack(const struct nf_conntrack
496 /* Overload tuple linked list to put us in unconfirmed list. */
497 hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
499 - conntrack->xid[IP_CT_DIR_ORIGINAL] = -1;
500 - conntrack->xid[IP_CT_DIR_REPLY] = -1;
501 + ct->xid[IP_CT_DIR_ORIGINAL] = -1;
502 + ct->xid[IP_CT_DIR_REPLY] = -1;
504 spin_unlock_bh(&nf_conntrack_lock);
506 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-02.0/net/netfilter/xt_MARK.c linux-2.6.27.10-vs2.3.x-PS-02.1/net/netfilter/xt_MARK.c
507 --- linux-2.6.27.10-vs2.3.x-PS-02.0/net/netfilter/xt_MARK.c 2009-01-25 02:29:31.000000000 +0100
508 +++ linux-2.6.27.10-vs2.3.x-PS-02.1/net/netfilter/xt_MARK.c 2009-01-25 00:06:34.000000000 +0100
510 #include <net/checksum.h>
511 #include <net/route.h>
512 #include <net/inet_hashtables.h>
513 +#include <net/net_namespace.h>
515 #include <net/netfilter/nf_conntrack.h>
516 #include <linux/netfilter/x_tables.h>
517 @@ -182,9 +183,9 @@ mark_tg_v1(struct sk_buff *skb, const st
520 case XT_MARK_COPYXID:
521 - dif = ((struct rtable *)(*pskb)->dst)->rt_iif;
522 + dif = ((struct rtable *)(skb->dst))->rt_iif;
524 - ct = nf_ct_get((*pskb), &ctinfo);
525 + ct = nf_ct_get(skb, &ctinfo);
529 @@ -198,43 +199,44 @@ mark_tg_v1(struct sk_buff *skb, const st
530 port = get_dst_port(&ct->tuplehash[dir].tuple);
533 - if ((*pskb)->mark > 0)
535 /* The packet is marked, it's going out */
536 - ct->xid[0] = (*pskb)->mark;
537 + ct->xid[0] = skb->mark;
542 else if (proto == 17) {
544 - if (!(*pskb)->mark) {
546 sk = __udp4_lib_lookup(src_ip, src_port,
547 ip, port, dif, udp_hash);
549 - if (sk && hooknum == NF_IP_LOCAL_IN)
550 + if (sk && hooknum == NF_INET_LOCAL_IN)
556 - else if ((*pskb)->mark > 0)
557 + else if (skb->mark > 0)
558 /* The packet is marked, it's going out */
559 - ct->xid[0] = (*pskb)->mark;
560 + ct->xid[0] = skb->mark;
562 else if (proto == 6) /* TCP */{
563 int sockettype = 0; /* Established socket */
564 + struct net *net = &init_net;
566 /* Looks for an established socket or a listening
567 socket corresponding to the 4-tuple, in that order.
568 The order is important for Codemux connections
569 to be handled properly */
571 - connection_sk = inet_lookup_established(&tcp_hashinfo,
572 - src_ip, src_port, ip, port, dif);
573 + connection_sk = inet_lookup_established(net,
574 + &tcp_hashinfo, src_ip, src_port, ip, port, dif);
576 if (!connection_sk) {
577 - connection_sk = inet_lookup_listener(&tcp_hashinfo,
579 + connection_sk = inet_lookup_listener(net,
580 + &tcp_hashinfo, ip, port, dif);
581 sockettype = 1; /* Listening socket */
584 @@ -273,8 +275,8 @@ mark_tg_v1(struct sk_buff *skb, const st
585 That explains why we couldn't get anything out of skb->sk,
586 or look up a "real" connection. */
587 if (ct->xid[dir] < 1) {
588 - if ((*pskb)->skb_tag)
589 - ct->xid[dir] = (*pskb)->skb_tag;
591 + ct->xid[dir] = skb->skb_tag;
594 /* Covers CoDemux case */
595 @@ -290,7 +292,7 @@ mark_tg_v1(struct sk_buff *skb, const st
598 curtag = &__get_cpu_var(sknid_elevator);
599 - if (mark > 0 && *curtag == -2 && hooknum == NF_IP_LOCAL_IN)
600 + if (mark > 0 && *curtag == -2 && hooknum == NF_INET_LOCAL_IN)
git://git.onelab.eu / linux-2.6.git / blob