In some cases(Policy routing), it is expected that all the sub-connections share the same mark with their master.

Signed-off-by: Changli Gao <xiaosuo@xxxxxxxxx>
---
 include/linux/netfilter/xt_connmark.h | 3 ++-
 net/netfilter/xt_connmark.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index efc17a8..4b513f8 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -15,7 +15,8 @@
 enum {
 XT_CONNMARK_SET = 0,
 XT_CONNMARK_SAVE,
- XT_CONNMARK_RESTORE
+ XT_CONNMARK_RESTORE,
+ XT_CONNMARK_SAVE_MASTER,
 };

 struct xt_connmark_tginfo1 {
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 7278145..4207bb6 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -69,6 +69,21 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 (ct->mark & info->ctmask);
 skb->mark = newmark;
 break;
+ case XT_CONNMARK_SAVE_MASTER:
+ if (ct->master) {
+ struct nf_conn *master;
+
+ master = ct->master;
+ while (master->master)
+ master = master->master;
+ newmark = (ct->mark & ~info->ctmask) ^
+ (master->mark & info->nfmask);
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ }
+ }
+ break;
 }

 return XT_CONTINUE;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
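Review bot: The `XT_CONNMARK_SAVE_MASTER` case selects bits from `master->mark`, a conntrack mark, with `info->nfmask`, and nothing in the hunk says whether that mask choice is intended; a comment above the case such as `/* copy (root master's ctmark & nfmask) into the ctmask bits of ct->mark; no-op when ct has no master */` would make the contract explicit. Because the value is taken from the top of the `master` chain, every expected connection inherits whatever routing or filtering policy is keyed on the master's mark, so the option's documentation should tell users to apply it only to related connections created by helpers they have explicitly assigned. The switch shows no `default` in the visible lines, so a kernel that does not know this mode would presumably accept the rule and do nothing; whether the checkentry hook rejects unknown `mode` values is not visible here and is worth confirming. The body of connmark_tg begins and ends outside the hunk.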