From: Sapan Bhatia <sapanb@cs.princeton.edu>
Date: Mon, 28 Jul 2008 01:58:26 +0000 (+0000)
Subject: Same thing. Used the right local tree this time.
X-Git-Tag: linux-2.6-22-15~3
X-Git-Url: http://git.onelab.eu/?p=linux-2.6.git;a=commitdiff_plain;h=83f821f7b41ae69d40a0bfed349153c65129b851

Same thing. Used the right local tree this time.
---

diff --git a/linux-2.6-522-iptables-connection-tagging.patch b/linux-2.6-522-iptables-connection-tagging.patch
index bdf281d4d..f642a2b0d 100644
--- a/linux-2.6-522-iptables-connection-tagging.patch
+++ b/linux-2.6-522-iptables-connection-tagging.patch
@@ -110,7 +110,7 @@ diff -Nurb linux-2.6.22-521/net/netfilter/nf_conntrack_core.c linux-2.6.22-522/n
  
 diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilter/xt_MARK.c
 --- linux-2.6.22-521/net/netfilter/xt_MARK.c	2007-07-08 19:32:17.000000000 -0400
-+++ linux-2.6.22-522/net/netfilter/xt_MARK.c	2008-07-27 21:56:42.000000000 -0400
++++ linux-2.6.22-522/net/netfilter/xt_MARK.c	2008-07-27 22:00:47.000000000 -0400
 @@ -5,13 +5,18 @@
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 as
@@ -179,16 +179,18 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
  static unsigned int
  target_v0(struct sk_buff **pskb,
  	  const struct net_device *in,
-@@ -35,6 +82,8 @@
+@@ -35,6 +82,10 @@
  	return XT_CONTINUE;
  }
  
 +extern DEFINE_PER_CPU(int, sknid_elevator);
++
++#define related(ct) (ct==(IP_CT_IS_REPLY + IP_CT_RELATED))
 +
  static unsigned int
  target_v1(struct sk_buff **pskb,
  	  const struct net_device *in,
-@@ -44,7 +93,20 @@
+@@ -44,7 +95,20 @@
  	  const void *targinfo)
  {
  	const struct xt_mark_target_info_v1 *markinfo = targinfo;
@@ -210,7 +212,7 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
  
  	switch (markinfo->mode) {
  	case XT_MARK_SET:
-@@ -58,13 +120,75 @@
+@@ -58,13 +122,93 @@
  	case XT_MARK_OR:
  		mark = (*pskb)->mark | markinfo->mark;
  		break;
@@ -219,10 +221,8 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
 +	      dif = ((struct rtable *)(*pskb)->dst)->rt_iif;
 +
 +	      ct = nf_ct_get((*pskb), &ctinfo);
-+	      if (!ct) {
++	      if (!ct) 
 +		      break;
- 	}
- 
 +
 +	      dir = CTINFO2DIR(ctinfo);
 +	      src_ip = ct->tuplehash[dir].tuple.src.u3.ip;
@@ -241,23 +241,38 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
 +
 +		      if (ct->xid[0] > 0) {
 +			      mark = ct->xid[0];
-+		      }
-+
+ 	}
+ 
 +	      }
 +	      else if (proto == 6) { 
 +		      if ((*pskb)->sk) {
++			      /* It's a listening socket */
 +			      connection_sk = (*pskb)->sk;
 +			      sock_hold(connection_sk);
 +		      }
-+		      else 
++		      else   /* It might be a connected socket */
 +			      connection_sk = inet_lookup_established(&tcp_hashinfo, src_ip, src_port, ip, port, dif);
-+			      
 +
-+		      if (connection_sk) {
-+			      connection_sk->sk_peercred.gid = connection_sk->sk_peercred.uid = ct->xid[dir];
-+			      ct->xid[!dir]=connection_sk->sk_nid;
-+			      if (connection_sk->sk_nid != 0) 
-+				      mark = connection_sk->sk_nid;
++
++		      if (connection_sk /* Well, some kind of TCP socket */) {
++			      if (connection_sk->sk_peercred.uid < 1) {
++				      /* Normal case - the peercred on the socket is not set */ 
++				      connection_sk->sk_peercred.gid = connection_sk->sk_peercred.uid = ct->xid[!dir];
++			      }
++			      else    /* Exceptional case - the peercred was set using SET_PEERCRED. Somebody wants us
++			      		 to mark packets with some arbitrary value.*/
++				      mark=connection_sk->sk_peercred.uid;
++
++			      /* Has this connection already been tagged? */
++			      if (ct->xid[dir] < 1) {
++				      /* No - let's tag it */ 
++				      ct->xid[dir]=connection_sk->sk_nid;
++			      }
++
++			      if (mark==-1 && (connection_sk->sk_nid != 0))
++				      mark = ct->xid[dir];
++
++			      
 +			      if (connection_sk->sk_state == TCP_TIME_WAIT) {
 +				      inet_twsk_put(inet_twsk(connection_sk));
 +				      break;
@@ -265,8 +280,14 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
 +			      else
 +				      sock_put(connection_sk);
 +		      }
-+		      else 
-+			      mark = -1 ; 
++
++		      if (mark < 1 && (ct->xid[dir]>0) && related(ctinfo)) {
++				mark = ct->xid[dir];
++		      }
++
++		      if (mark < 1 && (ct->xid[!dir]>0) && related(ctinfo)) {
++				mark = ct->xid[!dir];
++		      }
 +	      }
 +	      break;
 +	}
@@ -275,9 +296,8 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
 +	}
 +
 +	curtag=&__get_cpu_var(sknid_elevator);
-+	if (mark > 0 && *curtag==-2) 
++	if (mark > 0 && *curtag==-2 && hooknum==NF_IP_LOCAL_IN) 
 +	{
-+		printk(KERN_CRIT "Setting mark on packet %x\n", *pskb);
 +		*curtag = mark;
 +	}
  	return XT_CONTINUE;
@@ -287,7 +307,7 @@ diff -Nurb linux-2.6.22-521/net/netfilter/xt_MARK.c linux-2.6.22-522/net/netfilt
  static int
  checkentry_v0(const char *tablename,
  	      const void *entry,
-@@ -92,7 +216,8 @@
+@@ -92,7 +236,8 @@
  
  	if (markinfo->mode != XT_MARK_SET
  	    && markinfo->mode != XT_MARK_AND