On Sun, 18 Jan 2004, Harald Welte wrote:
> yup. Please submit your changes against pom-ng (and patch-o-matic if you
> want, but as of now I don't think we'll see another pom-old release).

Attached you will find three patches:

iptables userspace patch
 - manpage additions
 - mask options
 - copyright & license
 - C99 struct initializers

iptables pom-ng patch
 - mask operations
 - copyright & license
 - C99 struct initializers

iptables pom patch
 - identical to the pom-ng patch

> well, we could do some semi-automated mechanism, like splitting it up in
> one file per extension, and then concatenate the whole manpage from
> those snippets depending on PF_EXT_LIBS / PF6_EXT_LIBS during the
> iptables userspace make process.

Good idea. Should be pretty trivial except for the sorting (may need to fight a little with locale).

Regards
Henrik
Index: extra/CONNMARK.patch =================================================================== RCS file: /cvspublic/netfilter/patch-o-matic/extra/CONNMARK.patch,v retrieving revision 1.4 diff -u -p -r1.4 CONNMARK.patch --- extra/CONNMARK.patch 23 Aug 2003 22:17:08 -0000 1.4 +++ extra/CONNMARK.patch 18 Jan 2004 17:03:29 -0000 
@@ -36,27 +36,60 @@ diff -uN --exclude .* --exclude *.o linu LIST_DELETE(&ip_conntrack_expect_list, expected); expected->expectant->expecting--; nf_conntrack_get(&master_ct(conntrack)->infos[0]); -diff -uN linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_connmark.h ---- linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_connmark.h Thu Jan 1 01:00:00 1970 -+++ linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_connmark.h Wed Mar 21 11:38:46 2001 -@@ -0,0 +1,9 @@ +diff -ruN --exclude CVS linux-orig/include/linux/netfilter_ipv4/ipt_connmark.h linux/include/linux/netfilter_ipv4/ipt_connmark.h +--- linux-orig/include/linux/netfilter_ipv4/ipt_connmark.h Thu Jan 1 01:00:00 1970 ++++ linux/include/linux/netfilter_ipv4/ipt_connmark.h Sun Jan 18 17:33:42 2004 +@@ -0,0 +1,18 @@ +#ifndef _IPT_CONNMARK_H +#define _IPT_CONNMARK_H + ++/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> ++ * by Henrik Nordstrom <hno@marasystems.com> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ */ ++ +struct ipt_connmark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + +#endif /*_IPT_CONNMARK_H*/ -diff -uN --exclude .* --exclude *.o linux-2.4.3-pre3/net/ipv4/netfilter/ipt_connmark.c linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_connmark.c ---- linux-2.4.3-pre3/net/ipv4/netfilter/ipt_connmark.c Thu Jan 1 01:00:00 1970 -+++ linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_connmark.c Wed Mar 21 13:23:33 2001 -@@ -0,0 +1,55 @@ -+/* Kernel module to match connection mark values. 
*/ +diff -ruN --exclude CVS linux-orig/net/ipv4/netfilter/ipt_connmark.c linux/net/ipv4/netfilter/ipt_connmark.c +--- linux-orig/net/ipv4/netfilter/ipt_connmark.c Thu Jan 1 01:00:00 1970 ++++ linux/net/ipv4/netfilter/ipt_connmark.c Sun Jan 18 17:57:58 2004 +@@ -0,0 +1,83 @@ ++/* This kernel module matches connection mark values set by the ++ * CONNMARK target ++ * ++ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> ++ * by Henrik Nordstrom <hno@marasystems.com> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ */ ++ +#include <linux/module.h> +#include <linux/skbuff.h> + ++MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>"); ++MODULE_DESCRIPTION("IP tables connmark match module"); ++MODULE_LICENSE("GPL"); ++ +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ipt_connmark.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> @@ -82,10 +115,10 @@ diff -uN --exclude .* --exclude *.o linu + +static int +checkentry(const char *tablename, -+ const struct ipt_ip *ip, -+ void *matchinfo, -+ unsigned int matchsize, -+ unsigned int hook_mask) ++ const struct ipt_ip *ip, ++ void *matchinfo, ++ unsigned int matchsize, ++ unsigned int hook_mask) +{ + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info))) + return 0; 
@@ -93,8 +126,12 @@ diff -uN --exclude .* --exclude *.o linu + return 1; +} + -+static struct ipt_match connmark_match -+= { { NULL, NULL }, "connmark", &match, &checkentry, NULL, THIS_MODULE }; ++static struct ipt_match connmark_match = { ++ .name = "connmark", ++ .match = &match, ++ .checkentry = &checkentry, ++ .me = THIS_MODULE ++}; + +static int __init init(void) +{ 
@@ -108,37 +145,68 @@ diff -uN --exclude .* --exclude *.o linu + +module_init(init); +module_exit(fini); -diff -uN linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_CONNMARK.h ---- linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_CONNMARK.h Thu Jan 1 01:00:00 1970 -+++ linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_CONNMARK.h Wed Mar 21 12:25:20 2001 -@@ -0,0 +1,15 @@ +diff -ruN --exclude CVS linux-orig/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h +--- linux-orig/include/linux/netfilter_ipv4/ipt_CONNMARK.h Thu Jan 1 01:00:00 1970 ++++ linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h Sun Jan 18 17:58:43 2004 +@@ -0,0 +1,25 @@ +#ifndef _IPT_CONNMARK_H_target +#define _IPT_CONNMARK_H_target + ++/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> ++ * by Henrik Nordstrom <hno@marasystems.com> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. 
++ */ ++ +enum { -+ IPT_CONNMARK_SET = 0, -+ IPT_CONNMARK_SAVE, -+ IPT_CONNMARK_RESTORE ++ IPT_CONNMARK_SET = 0, ++ IPT_CONNMARK_SAVE, ++ IPT_CONNMARK_RESTORE +}; + +struct ipt_connmark_target_info { + unsigned long mark; ++ unsigned long mask; + u_int8_t mode; +}; + +#endif /*_IPT_CONNMARK_H_target*/ -diff -uN --exclude .* --exclude *.o linux-2.4.3-pre3/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_CONNMARK.c ---- linux-2.4.3-pre3/net/ipv4/netfilter/ipt_CONNMARK.c Thu Jan 1 01:00:00 1970 -+++ linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_CONNMARK.c Wed May 20 17:49:10 2001 -@@ -0,0 +1,87 @@ -+/* This is a module which is used for setting/remembering the mark field of -+ * an connection, or optionally restore it to the skb +diff -ruN --exclude CVS linux-orig/net/ipv4/netfilter/ipt_CONNMARK.c linux/net/ipv4/netfilter/ipt_CONNMARK.c +--- linux-orig/net/ipv4/netfilter/ipt_CONNMARK.c Thu Jan 1 01:00:00 1970 ++++ linux/net/ipv4/netfilter/ipt_CONNMARK.c Sun Jan 18 17:58:15 2004 +@@ -0,0 +1,118 @@ ++/* This kernel module is used to modify the connection mark values, or ++ * to optionally restore the skb nfmark from the connection mark ++ * ++ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> ++ * by Henrik Nordstrom <hno@marasystems.com> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ +#include <linux/module.h> +#include <linux/skbuff.h> +#include <linux/ip.h> +#include <net/checksum.h> + ++MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>"); ++MODULE_DESCRIPTION("IP tables CONNMARK matching module"); ++MODULE_LICENSE("GPL"); ++ +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ipt_CONNMARK.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> @@ -152,20 +220,29 @@ diff -uN --exclude .* --exclude *.o linu + void *userinfo) +{ + const struct ipt_connmark_target_info *markinfo = targinfo; ++ unsigned long diff; ++ unsigned long nfmark; ++ unsigned long newmark; + + enum ip_conntrack_info ctinfo; + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo); + if (ct) { + switch(markinfo->mode) { + case IPT_CONNMARK_SET: -+ ct->mark = markinfo->mark; ++ newmark = (ct->mark & ~markinfo->mask) | markinfo->mark; ++ if (newmark != ct->mark) ++ ct->mark = newmark; + break; + case IPT_CONNMARK_SAVE: -+ ct->mark = (*pskb)->nfmark; ++ newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask); ++ if (ct->mark != newmark) ++ ct->mark = newmark; + break; + case IPT_CONNMARK_RESTORE: -+ if (ct->mark != (*pskb)->nfmark) { -+ (*pskb)->nfmark = ct->mark; ++ nfmark = (*pskb)->nfmark; ++ diff = (ct->mark ^ nfmark & markinfo->mask); ++ if (diff != 0) { ++ (*pskb)->nfmark = nfmark ^ diff; + (*pskb)->nfcache |= NFC_ALTERED; + } + break; 
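Review bot: In the IPT_CONNMARK_RESTORE branch of this hunk, `diff = (ct->mark ^ nfmark & markinfo->mask);` applies `&` before `^`, so every bit of `ct->mark` outside the mask is still XORed into the packet mark and `diff != 0` fires even when the masked bits already agree. It should read `diff = (ct->mark ^ nfmark) & markinfo->mask;` so that only the selected bits are restored and the rest of `nfmark`, which routing or later rules may key on, is left untouched. The IPT_CONNMARK_SET branch ORs `markinfo->mark` in unmasked, so `--set-mark 0xff/0x0f` would also write bits the mask was meant to protect; masking it (`| (markinfo->mark & markinfo->mask)`) or rejecting `mark & ~mask` in checkentry would honour the documented "only masked bits are modified" contract. target() begins and ends outside this hunk, and this pom copy carries the same code as the pom-ng file.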
@@ -178,9 +255,9 @@ diff -uN --exclude .* --exclude *.o linu +static int +checkentry(const char *tablename, + const struct ipt_entry *e, -+ void *targinfo, -+ unsigned int targinfosize, -+ unsigned int hook_mask) ++ void *targinfo, ++ unsigned int targinfosize, ++ unsigned int hook_mask) +{ + struct ipt_connmark_target_info *matchinfo = targinfo; + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) { @@ -200,15 +277,16 @@ diff -uN --exclude .* --exclude *.o linu + return 1; +} + -+static struct ipt_target ipt_connmark_reg -+= { { NULL, NULL }, "CONNMARK", target, checkentry, NULL, THIS_MODULE }; ++static struct ipt_target ipt_connmark_reg = { ++ .name = "CONNMARK", ++ .target = &target, ++ .checkentry = &checkentry, ++ .me = THIS_MODULE ++}; + +static int __init init(void) +{ -+ if (ipt_register_target(&ipt_connmark_reg)) -+ return -EINVAL; -+ -+ return 0; ++ return ipt_register_target(&ipt_connmark_reg); +} + +static void __exit fini(void) Index: extra/CONNMARK.patch.configure.help =================================================================== RCS file: /cvspublic/netfilter/patch-o-matic/extra/CONNMARK.patch.configure.help,v retrieving revision 1.1 diff -u -p -r1.1 CONNMARK.patch.configure.help --- extra/CONNMARK.patch.configure.help 21 May 2002 17:49:14 -0000 1.1 +++ extra/CONNMARK.patch.configure.help 18 Jan 2004 17:03:29 -0000 @@ -20,3 +20,8 @@ connmark match support CONFIP_IP_NF_MATCH_CONNMARK This option adds a `connmark' match, which allows you to match the connection mark value previously set for the session by `CONNMARK'. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. The module will be called + ipt_connmark.o. If unsure, say `N'. +
Index: CONNMARK//configure.help =================================================================== RCS file: /cvspublic/patch-o-matic-ng/CONNMARK/configure.help,v retrieving revision 1.1 diff -u -p -r1.1 configure.help --- CONNMARK//configure.help 18 Dec 2003 18:55:59 -0000 1.1 +++ CONNMARK//configure.help 18 Jan 2004 17:04:01 -0000 @@ -20,3 +20,8 @@ connmark match support CONFIP_IP_NF_MATCH_CONNMARK This option adds a `connmark' match, which allows you to match the connection mark value previously set for the session by `CONNMARK'. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. The module will be called + ipt_connmark.o. If unsure, say `N'. + Index: CONNMARK//linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h =================================================================== RCS file: /cvspublic/patch-o-matic-ng/CONNMARK/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h,v retrieving revision 1.1 diff -u -p -r1.1 ipt_CONNMARK.h --- CONNMARK//linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h 18 Dec 2003 18:47:53 -0000 1.1 +++ CONNMARK//linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h 18 Jan 2004 17:04:01 -0000 
@@ -1,14 +1,24 @@
 #ifndef _IPT_CONNMARK_H_target
 #define _IPT_CONNMARK_H_target
 
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
 enum {
- IPT_CONNMARK_SET = 0,
- IPT_CONNMARK_SAVE,
- IPT_CONNMARK_RESTORE
+ IPT_CONNMARK_SET = 0,
+ IPT_CONNMARK_SAVE,
+ IPT_CONNMARK_RESTORE
 };
 
 struct ipt_connmark_target_info {
 unsigned long mark;
+ unsigned long mask;
 u_int8_t mode;
 };
 
Index: CONNMARK//linux/include/linux/netfilter_ipv4/ipt_connmark.h
===================================================================
RCS file: /cvspublic/patch-o-matic-ng/CONNMARK/linux/include/linux/netfilter_ipv4/ipt_connmark.h,v
retrieving revision 1.1
diff -u -p -r1.1 ipt_connmark.h
--- CONNMARK//linux/include/linux/netfilter_ipv4/ipt_connmark.h 18 Dec 2003 18:47:53 -0000 1.1
+++ CONNMARK//linux/include/linux/netfilter_ipv4/ipt_connmark.h 18 Jan 2004 17:04:01 -0000
@@ -1,6 +1,15 @@
 #ifndef _IPT_CONNMARK_H
 #define _IPT_CONNMARK_H
 
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
 struct ipt_connmark_info {
 unsigned long mark, mask;
 u_int8_t invert;
Index: CONNMARK//linux/net/ipv4/netfilter/ipt_CONNMARK.c
===================================================================
RCS file: /cvspublic/patch-o-matic-ng/CONNMARK/linux/net/ipv4/netfilter/ipt_CONNMARK.c,v
retrieving revision 1.1
diff -u -p -r1.1 ipt_CONNMARK.c
--- CONNMARK//linux/net/ipv4/netfilter/ipt_CONNMARK.c 18 Dec 2003 18:47:53 -0000 1.1
+++ CONNMARK//linux/net/ipv4/netfilter/ipt_CONNMARK.c 18 Jan 2004 17:04:01 -0000
@@ -1,11 +1,32 @@
-/* This is a module which is used for setting/remembering the mark field of
- * an connection, or optionally restore it to the skb
+/* This kernel module is used to modify the connection mark values, or
+ * to optionally restore the skb nfmark from the connection mark
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <net/checksum.h>
 
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_LICENSE("GPL");
+
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CONNMARK.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
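Review bot: The added `MODULE_DESCRIPTION("IP tables CONNMARK matching module");` describes this file as a match, but it registers the CONNMARK target (the ipt_register_target call is further down, outside this hunk); `MODULE_DESCRIPTION("IP tables CONNMARK target module");` would be accurate and keeps modinfo output distinct from the ipt_connmark match module. The MODULE_AUTHOR address `hno@marasytems.com` also disagrees with the `hno@marasystems.com` given in the copyright block a few lines above it, so one of the two is a typo; the copyright address is presumably the intended one.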
@@ -19,20 +40,29 @@ target(struct sk_buff **pskb,
 void *userinfo)
 {
 const struct ipt_connmark_target_info *markinfo = targinfo;
+ unsigned long diff;
+ unsigned long nfmark;
+ unsigned long newmark;
 
 enum ip_conntrack_info ctinfo;
 struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
 if (ct) {
 switch(markinfo->mode) {
 case IPT_CONNMARK_SET:
- ct->mark = markinfo->mark;
+ newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
+ if (newmark != ct->mark)
+ ct->mark = newmark;
 break;
 case IPT_CONNMARK_SAVE:
- ct->mark = (*pskb)->nfmark;
+ newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
+ if (ct->mark != newmark)
+ ct->mark = newmark;
 break;
 case IPT_CONNMARK_RESTORE:
- if (ct->mark != (*pskb)->nfmark) {
- (*pskb)->nfmark = ct->mark;
+ nfmark = (*pskb)->nfmark;
+ diff = (ct->mark ^ nfmark & markinfo->mask);
+ if (diff != 0) {
+ (*pskb)->nfmark = nfmark ^ diff;
 (*pskb)->nfcache |= NFC_ALTERED;
 }
 break;
@@ -45,9 +75,9 @@ target(struct sk_buff **pskb,
 static int
 checkentry(const char *tablename,
 const struct ipt_entry *e,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
 {
 struct ipt_connmark_target_info *matchinfo = targinfo;
 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
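Review bot: The new RESTORE code computes `diff = (ct->mark ^ nfmark & markinfo->mask);`, and since `&` binds tighter than `^` this is `ct->mark ^ (nfmark & mask)`: bits of `ct->mark` outside the mask leak into `nfmark ^ diff`, and `diff != 0` triggers a rewrite even when the masked bits already match. The intended expression is `diff = (ct->mark ^ nfmark) & markinfo->mask;`, which confines both the comparison and the update to the masked bits and leaves the rest of the packet mark, which routing or later rules may depend on, as it was. In the SET branch `markinfo->mark` is ORed in without `& markinfo->mask`, so a rule like `--set-mark 0xff/0x0f` sets bits the mask was supposed to protect; either mask it here or have checkentry reject `mark & ~mask`, contrary to the manpage wording that only masked bits are modified. target()'s signature and its default case lie outside this hunk.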
@@ -67,15 +97,16 @@ checkentry(const char *tablename,
 return 1;
 }
 
-static struct ipt_target ipt_connmark_reg
-= { { NULL, NULL }, "CONNMARK", target, checkentry, NULL, THIS_MODULE };
+static struct ipt_target ipt_connmark_reg = {
+ .name = "CONNMARK",
+ .target = &target,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
 
 static int __init init(void)
 {
- if (ipt_register_target(&ipt_connmark_reg))
- return -EINVAL;
-
- return 0;
+ return ipt_register_target(&ipt_connmark_reg);
 }
 
 static void __exit fini(void)
Index: CONNMARK//linux/net/ipv4/netfilter/ipt_connmark.c
===================================================================
RCS file: /cvspublic/patch-o-matic-ng/CONNMARK/linux/net/ipv4/netfilter/ipt_connmark.c,v
retrieving revision 1.1
diff -u -p -r1.1 ipt_connmark.c
--- CONNMARK//linux/net/ipv4/netfilter/ipt_connmark.c 18 Dec 2003 18:47:53 -0000 1.1
+++ CONNMARK//linux/net/ipv4/netfilter/ipt_connmark.c 18 Jan 2004 17:04:01 -0000
@@ -1,7 +1,31 @@
-/* Kernel module to match connection mark values. */
+/* This kernel module matches connection mark values set by the
+ * CONNMARK target
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_LICENSE("GPL");
+
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_connmark.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
@@ -27,10 +51,10 @@ match(const struct sk_buff *skb,
 static int
 checkentry(const char *tablename,
- const struct ipt_ip *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
 {
 if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
 return 0;
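Review bot: The new `MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");` spells the domain differently from the `hno@marasystems.com` address in the copyright block added just above it. Assuming the copyright address is the correct one, the modinfo string should be `MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");`. The same misspelling appears in the CONNMARK target module's header in this series, so both should be fixed together.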
@@ -38,8 +62,12 @@ checkentry(const char *tablename,
 return 1;
 }
 
-static struct ipt_match connmark_match
-= { { NULL, NULL }, "connmark", &match, &checkentry, NULL, THIS_MODULE };
+static struct ipt_match connmark_match = {
+ .name = "connmark",
+ .match = &match,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
 
 static int __init init(void)
 {
Index: iptables.8 =================================================================== RCS file: /cvspublic/iptables/iptables.8,v retrieving revision 1.38 diff -u -p -r1.38 iptables.8 --- iptables.8 29 Jun 2003 18:00:08 -0000 1.38 +++ iptables.8 18 Jan 2004 17:03:14 -0000 @@ -382,6 +382,16 @@ to invert the sense of the match. This module matches the SPIs in AH header of IPSec packets. .TP .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" +.SS connmark +This module matches the netfilter mark field associated with a connection +(which can be set using the +.B CONNMARK +target below). +.TP +.BI "--mark " "value[/mask]" +Matches packets in connections with the given mark value (if a mask is +specified, this is logically ANDed with the mark before the +comparison). .SS conntrack This module, when combined with connection tracking, allows access to more connection tracking information than the "state" match. 
@@ -713,6 +723,23 @@ malformed or unusual. This is regarded .SH TARGET EXTENSIONS iptables can use extended target modules: the following are included in the standard distribution. +.SS CONNMARK +This is used to set the netfilter mark value associated with the +connection +.TP +.B --set-mark mark[/mask] +Set connection mark. If a mask is specified then only those bits set in the +mask is modified. +.TP +.B --save-mark [--mask mask] +Copy the netfilter packet mark value to the connection mark. If a mask +is specified then only those bits are copied. +.TP +.B --restore-mark [--mask mask] +Copy the connection mark value to the packet. If a mask is specified +then only those bits are copied. This is only valid in the +.B mangle +table. .SS DNAT This target is only valid in the .B nat Index: extensions/libipt_connmark.c =================================================================== RCS file: /cvspublic/iptables/extensions/libipt_connmark.c,v retrieving revision 1.5 diff -u -p -r1.5 libipt_connmark.c --- extensions/libipt_connmark.c 20 Sep 2002 15:25:13 -0000 1.5 +++ extensions/libipt_connmark.c 18 Jan 2004 17:03:14 -0000 
@@ -1,4 +1,24 @@ -/* Shared library add-on to iptables to add CONNMARK matching support. */ +/* Shared library add-on to iptables to add connmark matching support. + * + * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> + * by Henrik Nordstrom <hno@marasystems.com> + * + * Version 1.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ #include <stdio.h> #include <netdb.h> #include <string.h> @@ -50,7 +70,7 @@ parse(int c, char **argv, int invert, un if (*end == '/') { markinfo->mask = strtoul(end+1, &end, 0); } else - markinfo->mask = 0xffffffff; + markinfo->mask = ~0; if (*end != '\0' || end == optarg) exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg); if (invert) @@ -67,7 +87,7 @@ parse(int c, char **argv, int invert, un static void print_mark(unsigned long mark, unsigned long mask, int numeric) { - if(mask != 0xffffffff) + if(mask != ~0) printf("0x%lx/0x%lx ", mark, mask); else printf("0x%lx ", mark); @@ -96,7 +116,7 @@ print(const struct ipt_ip *ip, print_mark(info->mark, info->mask, numeric); } -/* Saves the union ipt_matchinfo in parsable form to stdout. */ +/* Saves the matchinfo in parsable form to stdout. */ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) { 
@@ -109,23 +129,21 @@ save(const struct ipt_ip *ip, const stru print_mark(info->mark, info->mask, 0); } -static -struct iptables_match mark -= { NULL, - "connmark", - IPTABLES_VERSION, - IPT_ALIGN(sizeof(struct ipt_connmark_info)), - IPT_ALIGN(sizeof(struct ipt_connmark_info)), - &help, - &init, - &parse, - &final_check, - &print, - &save, - opts +static struct iptables_match connmark_match = { + .name = "connmark", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct ipt_connmark_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts }; void _init(void) { - register_match(&mark); + register_match(&connmark_match); } Index: extensions/libipt_CONNMARK.c =================================================================== RCS file: /cvspublic/iptables/extensions/libipt_CONNMARK.c,v retrieving revision 1.3 diff -u -p -r1.3 libipt_CONNMARK.c --- extensions/libipt_CONNMARK.c 4 Jun 2002 07:46:30 -0000 1.3 +++ extensions/libipt_CONNMARK.c 18 Jan 2004 17:03:14 -0000 
@@ -1,4 +1,24 @@ -/* Shared library add-on to iptables to add CONNMARK target support. */ +/* Shared library add-on to iptables to add CONNMARK target support. + * + * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> + * by Henrik Nordstrom <hno@marasystems.com> + * + * Version 1.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -21,9 +41,9 @@ help(void) { printf( "CONNMARK target v%s options:\n" -" --set-mark value Set conntrack mark value\n" -" --save-mark Save the packet nfmark on the connection\n" -" --restore-mark Restore saved nfmark value\n" +" --set-mark value[/mask] Set conntrack mark value\n" +" --save-mark [--mask mask] Save the packet nfmark in the connection\n" +" --restore-mark [--mask mask] Restore saved nfmark value\n" "\n", IPTABLES_VERSION); } @@ -32,6 +52,7 @@ static struct option opts[] = { { "set-mark", 1, 0, '1' }, { "save-mark", 0, 0, '2' }, { "restore-mark", 0, 0, '3' }, + { "mask", 1, 0, '4' }, { 0 } }; 
@@ -55,7 +76,10 @@ parse(int c, char **argv, int invert, un
 char *end;
 case '1':
 markinfo->mode = IPT_CONNMARK_SET;
+ markinfo->mask = ~0;
 markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end == '/' && end[1] != '\0')
+ markinfo->mask = strtoul(end+1, &end, 0);
 if (*end != '\0' || end == optarg)
 exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
 if (*flags)
@@ -65,6 +89,7 @@ parse(int c, char **argv, int invert, un
 break;
 case '2':
 markinfo->mode = IPT_CONNMARK_SAVE;
+ markinfo->mask = ~0;
 if (*flags)
 exit_error(PARAMETER_PROBLEM,
 "CONNMARK target: Can't specify --save-mark twice");
@@ -72,11 +97,20 @@ parse(int c, char **argv, int invert, un
 break;
 case '3':
 markinfo->mode = IPT_CONNMARK_RESTORE;
+ markinfo->mask = ~0;
 if (*flags)
 exit_error(PARAMETER_PROBLEM,
 "CONNMARK target: Can't specify --restore-mark twice");
 *flags = 1;
 break;
+ case '4':
+ if (!*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --mask without a operation");
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ break;
 default:
 return 0;
 }
@@ -89,16 +123,10 @@ final_check(unsigned int flags)
 {
 if (!flags)
 exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Parameter --set-mark is required");
-}
-
-static void
-print_mark(unsigned long mark, int numeric)
-{
- printf("0x%lx ", mark);
+ "CONNMARK target: No operation specified");
 }
 
-/* Prints out the targinfo. */
+/* Prints out the target info. */
 static void
 print(const struct ipt_ip *ip,
 const struct ipt_entry_target *target,
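Review bot: The extended `case '1'` accepts a `--set-mark value/mask` whose value has bits outside the mask (for example `0xff/0x0f`) and passes both to the kernel as given, although the manpage text in this series says only the masked bits are modified; parse() should reject the combination with `if (markinfo->mark & ~markinfo->mask) exit_error(PARAMETER_PROBLEM, "CONNMARK target: mark bits outside mask");` before the `if (*flags)` check. Both strtoul calls are also made without clearing errno, so an out-of-range number silently becomes ULONG_MAX instead of being reported. parse() and its switch begin outside this hunk.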
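Review bot: The new `case '4'` stores the `--mask` argument in `markinfo->mark` instead of `markinfo->mask`, so `--save-mark --mask 0xff` and `--restore-mark --mask 0xff` leave the mask at ~0 (copy every bit) and overwrite a field those modes ignore; the option is silently a no-op, and a rule emitted by save() with `--mask` is misread the same way by iptables-restore. The line should be `markinfo->mask = strtoul(optarg, &end, 0);`, and the accompanying error message should say MASK rather than MARK so the user can tell which argument was rejected. Nothing refuses `--mask` after `--set-mark`, where the mask has already been supplied as `value/mask`; a `markinfo->mode != IPT_CONNMARK_SET` check would remove that ambiguity. parse() begins outside this hunk.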
@@ -108,14 +136,21 @@ print(const struct ipt_ip *ip,
 (const struct ipt_connmark_target_info *)target->data;
 switch (markinfo->mode) {
 case IPT_CONNMARK_SET:
- printf("CONNMARK set ");
- print_mark(markinfo->mark, numeric);
+ printf("CONNMARK set 0x%lx", markinfo->mark);
+ if (markinfo->mask != ~0)
+ printf("/0x%lx", markinfo->mask);
+ printf(" ");
 break;
 case IPT_CONNMARK_SAVE:
 printf("CONNMARK save ");
+ if (markinfo->mask != ~0)
+ printf("mask 0x%lx", markinfo->mask);
+ printf(" ");
 break;
 case IPT_CONNMARK_RESTORE:
 printf("CONNMARK restore ");
+ if (markinfo->mask != ~0)
+ printf("mask 0x%lx", markinfo->mask);
 break;
 default:
 printf("ERROR: UNKNOWN CONNMARK MODE ");
@@ -123,7 +158,7 @@ print(const struct ipt_ip *ip,
 }
 }
 
-/* Saves the union ipt_targinfo in parsable form to stdout. */
+/* Saves the target into in parsable form to stdout. */
 static void
 save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
 {
@@ -132,13 +167,20 @@ save(const struct ipt_ip *ip, const stru
 
 switch (markinfo->mode) {
 case IPT_CONNMARK_SET:
- printf("--set-mark 0x%lx ", markinfo->mark);
+ printf("--set-mark 0x%lx", markinfo->mark);
+ if (markinfo->mask != ~0)
+ printf("/0x%lx", markinfo->mask);
+ printf(" ");
 break;
 case IPT_CONNMARK_SAVE:
 printf("--save-mark ");
+ if (markinfo->mask != ~0)
+ printf("--mask 0x%lx", markinfo->mask);
 break;
 case IPT_CONNMARK_RESTORE:
 printf("--restore-mark ");
+ if (markinfo->mask != ~0)
+ printf("--mask 0x%lx", markinfo->mask);
 break;
 default:
 printf("ERROR: UNKNOWN CONNMARK MODE ");
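Review bot: The RESTORE branch of print() is the only one without a trailing `printf(" ");` after the optional mask, the SAVE branch prints two spaces when no mask is set, and in save() neither the SAVE nor the RESTORE branch emits a separator after `--mask 0x%lx`. Moving the space into the mask format, e.g. `if (markinfo->mask != ~0) printf("mask 0x%lx ", markinfo->mask);`, and dropping the extra `printf(" ");` gives every branch exactly one trailing space, as the SET branch already has. This is presumably cosmetic since the caller terminates the line, but iptables -L and iptables-save output is consumed by scripts and should be uniform across modes. print() and save() both begin outside this hunk.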
@@ -146,23 +188,21 @@ save(const struct ipt_ip *ip, const stru } } -static -struct iptables_target mark -= { NULL, - "CONNMARK", - IPTABLES_VERSION, - IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), - IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), - &help, - &init, - &parse, - &final_check, - &print, - &save, - opts +static struct iptables_target connmark_target = { + .name = "CONNMARK", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts }; void _init(void) { - register_target(&mark); + register_target(&connmark_target); }