1 diff -Nurb linux-2.6.22-521/include/linux/netfilter/xt_MARK.h linux-2.6.22-522/include/linux/netfilter/xt_MARK.h
2 --- linux-2.6.22-521/include/linux/netfilter/xt_MARK.h 2007-07-08 19:32:17.000000000 -0400
3 +++ linux-2.6.22-522/include/linux/netfilter/xt_MARK.h 2008-07-28 16:36:24.000000000 -0400
11 struct xt_mark_target_info_v1 {
12 diff -Nurb linux-2.6.22-521/include/linux/netfilter/xt_SETXID.h linux-2.6.22-522/include/linux/netfilter/xt_SETXID.h
13 --- linux-2.6.22-521/include/linux/netfilter/xt_SETXID.h 1969-12-31 19:00:00.000000000 -0500
14 +++ linux-2.6.22-522/include/linux/netfilter/xt_SETXID.h 2008-07-28 16:36:24.000000000 -0400
16 +#ifndef _XT_SETXID_H_target
17 +#define _XT_SETXID_H_target
24 +struct xt_setxid_target_info_v1 {
29 +#endif /*_XT_SETXID_H_target*/
30 diff -Nurb linux-2.6.22-521/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.6.22-522/include/linux/netfilter_ipv4/ipt_MARK.h
31 --- linux-2.6.22-521/include/linux/netfilter_ipv4/ipt_MARK.h 2007-07-08 19:32:17.000000000 -0400
32 +++ linux-2.6.22-522/include/linux/netfilter_ipv4/ipt_MARK.h 2008-07-28 16:36:24.000000000 -0400
34 #define IPT_MARK_SET XT_MARK_SET
35 #define IPT_MARK_AND XT_MARK_AND
36 #define IPT_MARK_OR XT_MARK_OR
37 +#define IPT_MARK_COPYXID XT_MARK_COPYXID
39 #define ipt_mark_target_info_v1 xt_mark_target_info_v1
41 diff -Nurb linux-2.6.22-521/include/linux/netfilter_ipv4/ipt_SETXID.h linux-2.6.22-522/include/linux/netfilter_ipv4/ipt_SETXID.h
42 --- linux-2.6.22-521/include/linux/netfilter_ipv4/ipt_SETXID.h 1969-12-31 19:00:00.000000000 -0500
43 +++ linux-2.6.22-522/include/linux/netfilter_ipv4/ipt_SETXID.h 2008-07-28 16:36:24.000000000 -0400
45 +#ifndef _IPT_SETXID_H_target
46 +#define _IPT_SETXID_H_target
48 +/* Backwards compatibility for old userspace */
50 +#include <linux/netfilter/xt_SETXID.h>
53 +#define IPT_SET_PACKET_XID XT_SET_PACKET_XID
55 +#define ipt_setxid_target_info_v1 xt_setxid_target_info_v1
57 +#endif /*_IPT_SETXID_H_target*/
58 diff -Nurb linux-2.6.22-521/include/net/netfilter/nf_conntrack.h linux-2.6.22-522/include/net/netfilter/nf_conntrack.h
59 --- linux-2.6.22-521/include/net/netfilter/nf_conntrack.h 2007-07-08 19:32:17.000000000 -0400
60 +++ linux-2.6.22-522/include/net/netfilter/nf_conntrack.h 2008-07-28 16:36:24.000000000 -0400
62 /* Storage reserved for other modules: */
63 union nf_conntrack_proto proto;
65 + /* PLANETLAB. VNET-specific */
66 + int xid[IP_CT_DIR_MAX];
68 /* features dynamically at the end: helper, nat (both optional) */
71 diff -Nurb linux-2.6.22-521/net/netfilter/Kconfig linux-2.6.22-522/net/netfilter/Kconfig
72 --- linux-2.6.22-521/net/netfilter/Kconfig 2007-07-08 19:32:17.000000000 -0400
73 +++ linux-2.6.22-522/net/netfilter/Kconfig 2008-07-28 16:36:24.000000000 -0400
76 To compile it as a module, choose M here. If unsure, say N.
78 +config NETFILTER_XT_TARGET_SETXID
79 + tristate '"SETXID" target support'
80 + depends on NETFILTER_XTABLES
82 + This option adds a `SETXID' target, which allows you to alter the
85 config NETFILTER_XT_MATCH_COMMENT
86 tristate '"comment" match support'
87 depends on NETFILTER_XTABLES
88 diff -Nurb linux-2.6.22-521/net/netfilter/Makefile linux-2.6.22-522/net/netfilter/Makefile
89 --- linux-2.6.22-521/net/netfilter/Makefile 2007-07-08 19:32:17.000000000 -0400
90 +++ linux-2.6.22-522/net/netfilter/Makefile 2008-07-28 16:36:24.000000000 -0400
92 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
95 +obj-$(CONFIG_NETFILTER_XT_TARGET_SETXID) += xt_SETXID.o
96 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
97 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
98 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
99 diff -Nurb linux-2.6.22-521/net/netfilter/nf_conntrack_core.c linux-2.6.22-522/net/netfilter/nf_conntrack_core.c
100 --- linux-2.6.22-521/net/netfilter/nf_conntrack_core.c 2007-07-08 19:32:17.000000000 -0400
101 +++ linux-2.6.22-522/net/netfilter/nf_conntrack_core.c 2008-07-28 16:36:24.000000000 -0400
104 /* Overload tuple linked list to put us in unconfirmed list. */
105 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
106 + conntrack->xid[IP_CT_DIR_ORIGINAL] = -1;
107 + conntrack->xid[IP_CT_DIR_REPLY] = -1;
109 write_unlock_bh(&nf_conntrack_lock);
111 diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilter/xt_MARK.c
112 --- linux-2.6.22-521/net/netfilter/xt_MARK.c 2007-07-08 19:32:17.000000000 -0400
113 +++ linux-2.6.22-522/net/netfilter/xt_MARK.c 2008-09-14 16:50:22.000000000 -0400
115 * This program is free software; you can redistribute it and/or modify
116 * it under the terms of the GNU General Public License version 2 as
117 * published by the Free Software Foundation.
121 #include <linux/module.h>
122 +#include <linux/version.h>
123 #include <linux/skbuff.h>
124 #include <linux/ip.h>
125 #include <net/checksum.h>
126 +#include <net/route.h>
127 +#include <net/inet_hashtables.h>
129 +#include <net/netfilter/nf_conntrack.h>
130 #include <linux/netfilter/x_tables.h>
131 #include <linux/netfilter/xt_MARK.h>
134 MODULE_ALIAS("ipt_MARK");
135 MODULE_ALIAS("ip6t_MARK");
137 +#define PEERCRED_SET(x) ((x!=0) && (x!=(unsigned int)-1))
139 +static inline u_int16_t
140 +get_dst_port(struct nf_conntrack_tuple *tuple)
142 + switch (tuple->dst.protonum) {
144 + /* XXX Truncate 32-bit GRE key to 16 bits */
145 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,11)
146 + return tuple->dst.u.gre.key;
148 + return htons(ntohl(tuple->dst.u.gre.key));
151 + /* Bind on ICMP echo ID */
152 + return tuple->src.u.icmp.id;
154 + return tuple->dst.u.tcp.port;
156 + return tuple->dst.u.udp.port;
158 + return tuple->dst.u.all;
162 +static inline u_int16_t
163 +get_src_port(struct nf_conntrack_tuple *tuple)
165 + switch (tuple->dst.protonum) {
167 + /* XXX Truncate 32-bit GRE key to 16 bits */
168 + return htons(ntohl(tuple->src.u.gre.key));
170 + /* Bind on ICMP echo ID */
171 + return tuple->src.u.icmp.id;
173 + return tuple->src.u.tcp.port;
175 + return tuple->src.u.udp.port;
177 + return tuple->src.u.all;
182 target_v0(struct sk_buff **pskb,
183 const struct net_device *in,
188 +extern DEFINE_PER_CPU(int, sknid_elevator);
190 +#define related(ct) (ct==(IP_CT_IS_REPLY + IP_CT_RELATED))
193 target_v1(struct sk_buff **pskb,
194 const struct net_device *in,
196 const void *targinfo)
198 const struct xt_mark_target_info_v1 *markinfo = targinfo;
200 + enum ip_conntrack_info ctinfo;
201 + struct sock *connection_sk;
203 + struct nf_conn *ct;
204 + extern struct inet_hashinfo tcp_hashinfo;
205 + enum ip_conntrack_dir dir;
209 + u_int16_t proto, src_port;
215 switch (markinfo->mode) {
217 @@ -58,13 +124,107 @@
219 mark = (*pskb)->mark | markinfo->mark;
222 + case XT_MARK_COPYXID:
223 + dif = ((struct rtable *)(*pskb)->dst)->rt_iif;
225 + ct = nf_ct_get((*pskb), &ctinfo);
229 + dir = CTINFO2DIR(ctinfo);
230 + src_ip = ct->tuplehash[dir].tuple.src.u3.ip;
231 + dst_ip = ct->tuplehash[dir].tuple.dst.u3.ip;
232 + src_port = get_src_port(&ct->tuplehash[dir].tuple);
233 + proto = ct->tuplehash[dir].tuple.dst.protonum;
235 + ip = ct->tuplehash[dir].tuple.dst.u3.ip;
236 + port = get_dst_port(&ct->tuplehash[dir].tuple);
238 + if (proto == 1 || proto == 17) {
239 + if ((*pskb)->mark>0) /* The packet is marked, it's going out */
241 + ct->xid[0]=(*pskb)->mark;
244 + if (ct->xid[0] > 0) {
249 + else if (proto == 6) /* TCP */{
250 + int sockettype=0; /* Established socket */
251 + /* Looks for an established socket or a listening socket corresponding to the 4-tuple, in
252 + * that order. The order is important for Codemux connections to be handled properly */
254 + connection_sk = inet_lookup_established(&tcp_hashinfo, src_ip, src_port, ip, port, dif);
256 + if (!connection_sk) {
257 + connection_sk = inet_lookup_listener(&tcp_hashinfo, ip, port, dif);
258 + sockettype=1; /* Listening socket */
261 + if (connection_sk) {
262 + /* The peercred is not set. We set it if the other side has an xid. */
263 + if (!PEERCRED_SET(connection_sk->sk_peercred.uid)
264 + && ct->xid[!dir]>0 && (sockettype==0)) {
265 + connection_sk->sk_peercred.gid = connection_sk->sk_peercred.uid = ct->xid[!dir];
268 + /* The peercred is set, and is not equal to the XID of 'the other side' */
269 + else if (PEERCRED_SET(connection_sk->sk_peercred.uid) && (connection_sk->sk_peercred.uid != ct->xid[!dir]) && (sockettype==0)) {
270 + mark = connection_sk->sk_peercred.uid;
273 + /* Has this connection already been tagged? */
274 + if (ct->xid[dir] < 1) {
275 + /* No - let's tag it */
276 + ct->xid[dir]=connection_sk->sk_nid;
280 + if (mark==-1 && (ct->xid[dir]!= 0))
281 + mark = ct->xid[dir];
283 + if (connection_sk->sk_state == TCP_TIME_WAIT) {
284 + inet_twsk_put(inet_twsk(connection_sk));
288 + sock_put(connection_sk);
291 + /* All else failed. Is this a connection over raw sockets? That explains
292 + * why we couldn't get anything out of skb->sk, or look up a "real" connection.*/
293 + if (ct->xid[dir]<1) {
294 + if ((*pskb)->skb_tag) {
295 + ct->xid[dir]=(*pskb)->skb_tag;
299 + /* Covers CoDemux case */
300 + if (mark < 1 && (ct->xid[dir]>0)) {
301 + mark = ct->xid[dir];
304 + if (mark < 1 && (ct->xid[!dir]>0)) {
305 + mark = ct->xid[!dir];
311 (*pskb)->mark = mark;
314 + curtag=&__get_cpu_var(sknid_elevator);
315 + if (mark > 0 && *curtag==-2 && hooknum==NF_IP_LOCAL_IN)
324 checkentry_v0(const char *tablename,
328 if (markinfo->mode != XT_MARK_SET
329 && markinfo->mode != XT_MARK_AND
330 - && markinfo->mode != XT_MARK_OR) {
331 + && markinfo->mode != XT_MARK_OR
332 + && markinfo->mode != XT_MARK_COPYXID) {
333 printk(KERN_WARNING "MARK: unknown mode %u\n",
336 diff -Nurb linux-2.6.22-521/net/netfilter/xt_SETXID.c linux-2.6.22-522/net/netfilter/xt_SETXID.c
337 --- linux-2.6.22-521/net/netfilter/xt_SETXID.c 1969-12-31 19:00:00.000000000 -0500
338 +++ linux-2.6.22-522/net/netfilter/xt_SETXID.c 2008-07-28 16:36:24.000000000 -0400
340 +#include <linux/module.h>
341 +#include <linux/skbuff.h>
342 +#include <linux/ip.h>
343 +#include <net/checksum.h>
344 +#include <linux/vs_network.h>
346 +#include <linux/netfilter/x_tables.h>
347 +#include <linux/netfilter/xt_SETXID.h>
349 +MODULE_LICENSE("GPL");
351 +MODULE_DESCRIPTION("");
352 +MODULE_ALIAS("ipt_SETXID");
355 +target_v1(struct sk_buff **pskb,
356 + const struct net_device *in,
357 + const struct net_device *out,
358 + unsigned int hooknum,
359 + const struct xt_target *target,
360 + const void *targinfo)
362 + const struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
364 + switch (setxidinfo->mode) {
365 + case XT_SET_PACKET_XID:
366 + (*pskb)->skb_tag = setxidinfo->mark;
369 + return XT_CONTINUE;
374 +checkentry_v1(const char *tablename,
376 + const struct xt_target *target,
378 + unsigned int hook_mask)
380 + struct xt_setxid_target_info_v1 *setxidinfo = targinfo;
382 + if (setxidinfo->mode != XT_SET_PACKET_XID) {
383 + printk(KERN_WARNING "SETXID: unknown mode %u\n",
391 +static struct xt_target xt_setxid_target[] = {
396 + .checkentry = checkentry_v1,
397 + .target = target_v1,
398 + .targetsize = sizeof(struct xt_setxid_target_info_v1),
404 +static int __init init(void)
408 + err = xt_register_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));
412 +static void __exit fini(void)
414 + xt_unregister_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target));