[packages/kernel.git] / 2.6.5-patch-o-matic-ng-extra-20040330.patch

diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-30 20:37:46.505753064 +0200
@@ -206,6 +206,10 @@
 	} nat;
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	unsigned long mark;
+#endif
+
 };
 
 /* get master conntrack via master expectation */
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h	2004-03-30 20:37:46.488755648 +0200
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+	unsigned long mark, mask;
+	u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h	2004-03-30 20:37:46.474757776 +0200
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+	IPT_CONNMARK_SET = 0,
+	IPT_CONNMARK_SAVE,
+	IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+	unsigned long mark;
+	unsigned long mask;
+	u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-30 20:37:46.513751848 +0200
@@ -717,6 +717,9 @@
                 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
                 conntrack->master = expected;
                 expected->sibling = conntrack;
+#if CONFIG_IP_NF_CONNTRACK_MARK
+		conntrack->mark = expected->expectant->mark;
+#endif
                 LIST_DELETE(&ip_conntrack_expect_list, expected);
                 expected->expectant->expecting--;
                 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-30 20:37:46.512752000 +0200
@@ -110,6 +110,9 @@
 		len += sprintf(buffer + len, "[ASSURED] ");
 	len += sprintf(buffer + len, "use=%u ",
 		       atomic_read(&conntrack->ct_general.use));
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
+#endif
 	len += sprintf(buffer + len, "\n");
 
 	return len;
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c	2004-03-30 20:37:46.501753672 +0200
@@ -0,0 +1,81 @@
+/* This kernel module matches connection mark values set by the
+ * CONNMARK target
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connmark.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+	const struct ipt_connmark_info *info = matchinfo;
+	enum ip_conntrack_info ctinfo;
+	struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (!ct)
+		return 0;
+
+	return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_ip *ip,
+	   void *matchinfo,
+	   unsigned int matchsize,
+	   unsigned int hook_mask)
+{
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
+		return 0;
+
+	return 1;
+}
+
+static struct ipt_match connmark_match = {
+	.name = "connmark",
+	.match = &match,
+	.checkentry = &checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&connmark_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connmark_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c	2004-03-30 20:37:46.500753824 +0200
@@ -0,0 +1,118 @@
+/* This kernel module is used to modify the connection mark values, or
+ * to optionally restore the skb nfmark from the connection mark
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	const struct ipt_connmark_target_info *markinfo = targinfo;
+	unsigned long diff;
+	unsigned long nfmark;
+	unsigned long newmark;
+
+	enum ip_conntrack_info ctinfo;
+	struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+	if (ct) {
+	    switch(markinfo->mode) {
+	    case IPT_CONNMARK_SET:
+		newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
+		if (newmark != ct->mark)
+		    ct->mark = newmark;
+		break;
+	    case IPT_CONNMARK_SAVE:
+		newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
+		if (ct->mark != newmark)
+		    ct->mark = newmark;
+		break;
+	    case IPT_CONNMARK_RESTORE:
+		nfmark = (*pskb)->nfmark;
+		diff = (ct->mark ^ nfmark & markinfo->mask);
+		if (diff != 0) {
+		    (*pskb)->nfmark = nfmark ^ diff;
+		    (*pskb)->nfcache |= NFC_ALTERED;
+		}
+		break;
+	    }
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+	   void *targinfo,
+	   unsigned int targinfosize,
+	   unsigned int hook_mask)
+{
+	struct ipt_connmark_target_info *matchinfo = targinfo;
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
+		printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
+		       targinfosize,
+		       IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
+		return 0;
+	}
+
+	if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
+	    if (strcmp(tablename, "mangle") != 0) {
+		    printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		    return 0;
+	    }
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_connmark_reg = {
+	.name = "CONNMARK",
+	.target = &target,
+	.checkentry = &checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_connmark_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_connmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c	2004-03-30 20:38:09.307286704 +0200
@@ -71,8 +71,11 @@
 	DEBUGP("master's name = %s , info->name = %s\n", 
 		exp->expectant->helper->name, info->name);
 
-	ret ^= !strncmp(exp->expectant->helper->name, info->name, 
-	                strlen(exp->expectant->helper->name));
+	if (info->name[0] == '\0')
+		ret ^= 1;
+	else
+		ret ^= !strncmp(exp->expectant->helper->name, info->name, 
+		                strlen(exp->expectant->helper->name));
 out_unlock:
 	READ_UNLOCK(&ip_conntrack_lock);
 	return ret;
@@ -92,10 +95,6 @@
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info)))
 		return 0;
 
-	/* verify that we actually should match anything */
-	if ( strlen(info->name) == 0 )
-		return 0;
-	
 	return 1;
 }
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig	2004-03-30 20:37:46.503753368 +0200
@@ -706,5 +706,15 @@
 	depends on IP_NF_IPTABLES
 	  help
 
+config IP_NF_CONNTRACK_MARK
+	bool  'Connection mark tracking support'
+config IP_NF_TARGET_CONNMARK
+	tristate  'CONNMARK target support'
+	depends on IP_NF_MANGLE
+config IP_NF_MATCH_CONNMARK
+	tristate  ' Connection mark match support'
+	depends on IP_NF_IPTABLES
+	  help
+
 endmenu
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile linux-2.6.5-rc3/net/ipv4/netfilter/Makefile
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile	2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/Makefile	2004-03-30 20:37:46.507752760 +0200
@@ -89,6 +89,7 @@
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
 obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -110,6 +111,7 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_NETLINK) += ipt_NETLINK.o
 obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
Commit	Line	Data
8cc4a74e	1	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h
4867a0a7	2	--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h 2004-03-30 20:32:42.000000000 +0200
	3	+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h 2004-03-30 20:37:46.505753064 +0200
	4	@@ -206,6 +206,10 @@
8cc4a74e	5	} nat;
	6	#endif /* CONFIG_IP_NF_NAT_NEEDED */
	7
	8	+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
	9	+ unsigned long mark;
	10	+#endif
	11	+
	12	};
	13
	14	/* get master conntrack via master expectation */
4867a0a7	15	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h
	16	--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100
	17	+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h 2004-03-30 20:37:46.488755648 +0200
	18	@@ -0,0 +1,18 @@
	19	+#ifndef _IPT_CONNMARK_H
	20	+#define _IPT_CONNMARK_H
8cc4a74e	21	+
4867a0a7	22	+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
4867a0a7	23	+ * by Henrik Nordstrom <hno@marasystems.com>
8cc4a74e	24	+ *
4867a0a7	25	+ * This program is free software; you can redistribute it and/or modify
	26	+ * it under the terms of the GNU General Public License as published by
	27	+ * the Free Software Foundation; either version 2 of the License, or
	28	+ * (at your option) any later version.
8cc4a74e	29	+ */
8cc4a74e	30	+
4867a0a7	31	+struct ipt_connmark_info {
	32	+ unsigned long mark, mask;
	33	+ u_int8_t invert;
8cc4a74e	34	+};
8cc4a74e	35	+
4867a0a7	36	+#endif /_IPT_CONNMARK_H/
8cc4a74e	37	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h
8cc4a74e	38	--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100
4867a0a7	39	+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-03-30 20:37:46.474757776 +0200
8cc4a74e	40	@@ -0,0 +1,25 @@
	41	+#ifndef _IPT_CONNMARK_H_target
	42	+#define _IPT_CONNMARK_H_target
	43	+
	44	+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
	45	+ * by Henrik Nordstrom <hno@marasystems.com>
	46	+ *
	47	+ * This program is free software; you can redistribute it and/or modify
	48	+ * it under the terms of the GNU General Public License as published by
	49	+ * the Free Software Foundation; either version 2 of the License, or
	50	+ * (at your option) any later version.
	51	+ */
	52	+
	53	+enum {
	54	+ IPT_CONNMARK_SET = 0,
	55	+ IPT_CONNMARK_SAVE,
	56	+ IPT_CONNMARK_RESTORE
	57	+};
	58	+
	59	+struct ipt_connmark_target_info {
	60	+ unsigned long mark;
	61	+ unsigned long mask;
	62	+ u_int8_t mode;
	63	+};
	64	+
	65	+#endif /_IPT_CONNMARK_H_target/
4867a0a7	66	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c
	67	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-30 20:32:42.000000000 +0200
	68	+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-30 20:37:46.513751848 +0200
	69	@@ -717,6 +717,9 @@
	70	__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
	71	conntrack->master = expected;
	72	expected->sibling = conntrack;
	73	+#if CONFIG_IP_NF_CONNTRACK_MARK
	74	+ conntrack->mark = expected->expectant->mark;
8cc4a74e	75	+#endif
4867a0a7	76	LIST_DELETE(&ip_conntrack_expect_list, expected);
	77	expected->expectant->expecting--;
	78	nf_conntrack_get(&master_ct(conntrack)->infos[0]);
	79	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c
	80	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-30 20:32:42.000000000 +0200
	81	+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-30 20:37:46.512752000 +0200
	82	@@ -110,6 +110,9 @@
	83	len += sprintf(buffer + len, "[ASSURED] ");
	84	len += sprintf(buffer + len, "use=%u ",
	85	atomic_read(&conntrack->ct_general.use));
	86	+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
	87	+ len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
8cc4a74e	88	+#endif
4867a0a7	89	len += sprintf(buffer + len, "\n");
	90
	91	return len;
	92	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c
	93	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c 1970-01-01 01:00:00.000000000 +0100
	94	+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c 2004-03-30 20:37:46.501753672 +0200
	95	@@ -0,0 +1,81 @@
	96	+/* This kernel module matches connection mark values set by the
	97	+ * CONNMARK target
	98	+ *
	99	+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
8cc4a74e	100	+ * by Henrik Nordstrom <hno@marasystems.com>
	101	+ *
	102	+ * This program is free software; you can redistribute it and/or modify
	103	+ * it under the terms of the GNU General Public License as published by
	104	+ * the Free Software Foundation; either version 2 of the License, or
	105	+ * (at your option) any later version.
4867a0a7	106	+ *
	107	+ * This program is distributed in the hope that it will be useful,
	108	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	109	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	110	+ * GNU General Public License for more details.
	111	+ *
	112	+ * You should have received a copy of the GNU General Public License
	113	+ * along with this program; if not, write to the Free Software
	114	+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
8cc4a74e	115	+ */
8cc4a74e	116	+
4867a0a7	117	+#include <linux/module.h>
4867a0a7	118	+#include <linux/skbuff.h>
8cc4a74e	119	+
4867a0a7	120	+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
	121	+MODULE_DESCRIPTION("IP tables connmark match module");
	122	+MODULE_LICENSE("GPL");
8cc4a74e	123	+
4867a0a7	124	+#include <linux/netfilter_ipv4/ip_tables.h>
	125	+#include <linux/netfilter_ipv4/ipt_connmark.h>
	126	+#include <linux/netfilter_ipv4/ip_conntrack.h>
8cc4a74e	127	+
4867a0a7	128	+static int
	129	+match(const struct sk_buff *skb,
	130	+ const struct net_device *in,
	131	+ const struct net_device *out,
	132	+ const void *matchinfo,
	133	+ int offset,
	134	+ int *hotdrop)
8cc4a74e	135	+{
4867a0a7	136	+ const struct ipt_connmark_info *info = matchinfo;
	137	+ enum ip_conntrack_info ctinfo;
	138	+ struct ip_conntrack ct = ip_conntrack_get((struct sk_buff )skb, &ctinfo);
	139	+ if (!ct)
	140	+ return 0;
8cc4a74e	141	+
4867a0a7	142	+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
4867a0a7	143	+}
8cc4a74e	144	+
4867a0a7	145	+static int
	146	+checkentry(const char *tablename,
	147	+ const struct ipt_ip *ip,
	148	+ void *matchinfo,
	149	+ unsigned int matchsize,
	150	+ unsigned int hook_mask)
8cc4a74e	151	+{
4867a0a7	152	+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
4867a0a7	153	+ return 0;
8cc4a74e	154	+
4867a0a7	155	+ return 1;
4867a0a7	156	+}
8cc4a74e	157	+
4867a0a7	158	+static struct ipt_match connmark_match = {
	159	+ .name = "connmark",
	160	+ .match = &match,
	161	+ .checkentry = &checkentry,
	162	+ .me = THIS_MODULE
8cc4a74e	163	+};
8cc4a74e	164	+
4867a0a7	165	+static int __init init(void)
8cc4a74e	166	+{
4867a0a7	167	+ return ipt_register_match(&connmark_match);
	168	+}
	169	+
	170	+static void __exit fini(void)
	171	+{
	172	+ ipt_unregister_match(&connmark_match);
	173	+}
8cc4a74e	174	+
4867a0a7	175	+module_init(init);
	176	+module_exit(fini);
	177	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c
	178	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c 1970-01-01 01:00:00.000000000 +0100
	179	+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c 2004-03-30 20:37:46.500753824 +0200
	180	@@ -0,0 +1,118 @@
	181	+/* This kernel module is used to modify the connection mark values, or
	182	+ * to optionally restore the skb nfmark from the connection mark
8cc4a74e	183	+ *
4867a0a7	184	+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
4867a0a7	185	+ * by Henrik Nordstrom <hno@marasystems.com>
8cc4a74e	186	+ *
4867a0a7	187	+ * This program is free software; you can redistribute it and/or modify
	188	+ * it under the terms of the GNU General Public License as published by
	189	+ * the Free Software Foundation; either version 2 of the License, or
	190	+ * (at your option) any later version.
8cc4a74e	191	+ *
4867a0a7	192	+ * This program is distributed in the hope that it will be useful,
	193	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	194	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	195	+ * GNU General Public License for more details.
8cc4a74e	196	+ *
4867a0a7	197	+ * You should have received a copy of the GNU General Public License
	198	+ * along with this program; if not, write to the Free Software
	199	+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
8cc4a74e	200	+ */
4867a0a7	201	+#include <linux/module.h>
	202	+#include <linux/skbuff.h>
	203	+#include <linux/ip.h>
	204	+#include <net/checksum.h>
8cc4a74e	205	+
4867a0a7	206	+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
	207	+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
	208	+MODULE_LICENSE("GPL");
8cc4a74e	209	+
4867a0a7	210	+#include <linux/netfilter_ipv4/ip_tables.h>
	211	+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
	212	+#include <linux/netfilter_ipv4/ip_conntrack.h>
8cc4a74e	213	+
4867a0a7	214	+static unsigned int
	215	+target(struct sk_buff **pskb,
	216	+ const struct net_device *in,
	217	+ const struct net_device *out,
	218	+ unsigned int hooknum,
	219	+ const void *targinfo,
	220	+ void *userinfo)
	221	+{
	222	+ const struct ipt_connmark_target_info *markinfo = targinfo;
	223	+ unsigned long diff;
	224	+ unsigned long nfmark;
	225	+ unsigned long newmark;
8cc4a74e	226	+
4867a0a7	227	+ enum ip_conntrack_info ctinfo;
	228	+ struct ip_conntrack ct = ip_conntrack_get((pskb), &ctinfo);
	229	+ if (ct) {
	230	+ switch(markinfo->mode) {
	231	+ case IPT_CONNMARK_SET:
	232	+ newmark = (ct->mark & ~markinfo->mask) \| markinfo->mark;
	233	+ if (newmark != ct->mark)
	234	+ ct->mark = newmark;
	235	+ break;
	236	+ case IPT_CONNMARK_SAVE:
	237	+ newmark = (ct->mark & ~markinfo->mask) \| ((*pskb)->nfmark & markinfo->mask);
	238	+ if (ct->mark != newmark)
	239	+ ct->mark = newmark;
	240	+ break;
	241	+ case IPT_CONNMARK_RESTORE:
	242	+ nfmark = (*pskb)->nfmark;
	243	+ diff = (ct->mark ^ nfmark & markinfo->mask);
	244	+ if (diff != 0) {
	245	+ (*pskb)->nfmark = nfmark ^ diff;
	246	+ (*pskb)->nfcache \|= NFC_ALTERED;
	247	+ }
	248	+ break;
	249	+ }
	250	+ }
8cc4a74e	251	+
4867a0a7	252	+ return IPT_CONTINUE;
4867a0a7	253	+}
8cc4a74e	254	+
4867a0a7	255	+static int
	256	+checkentry(const char *tablename,
	257	+ const struct ipt_entry *e,
	258	+ void *targinfo,
	259	+ unsigned int targinfosize,
	260	+ unsigned int hook_mask)
	261	+{
	262	+ struct ipt_connmark_target_info *matchinfo = targinfo;
	263	+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
	264	+ printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
	265	+ targinfosize,
	266	+ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
	267	+ return 0;
	268	+ }
8cc4a74e	269	+
4867a0a7	270	+ if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
	271	+ if (strcmp(tablename, "mangle") != 0) {
	272	+ printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
	273	+ return 0;
	274	+ }
	275	+ }
8cc4a74e	276	+
4867a0a7	277	+ return 1;
4867a0a7	278	+}
8cc4a74e	279	+
4867a0a7	280	+static struct ipt_target ipt_connmark_reg = {
	281	+ .name = "CONNMARK",
	282	+ .target = &target,
	283	+ .checkentry = &checkentry,
	284	+ .me = THIS_MODULE
8cc4a74e	285	+};
8cc4a74e	286	+
4867a0a7	287	+static int __init init(void)
	288	+{
	289	+ return ipt_register_target(&ipt_connmark_reg);
	290	+}
8cc4a74e	291	+
4867a0a7	292	+static void __exit fini(void)
	293	+{
	294	+ ipt_unregister_target(&ipt_connmark_reg);
	295	+}
8cc4a74e	296	+
4867a0a7	297	+module_init(init);
	298	+module_exit(fini);
	299	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c
	300	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c 2004-03-30 20:32:42.000000000 +0200
	301	+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c 2004-03-30 20:38:09.307286704 +0200
	302	@@ -71,8 +71,11 @@
	303	DEBUGP("master's name = %s , info->name = %s\n",
	304	exp->expectant->helper->name, info->name);
	305
	306	- ret ^= !strncmp(exp->expectant->helper->name, info->name,
	307	- strlen(exp->expectant->helper->name));
	308	+ if (info->name[0] == '\0')
	309	+ ret ^= 1;
	310	+ else
	311	+ ret ^= !strncmp(exp->expectant->helper->name, info->name,
	312	+ strlen(exp->expectant->helper->name));
	313	out_unlock:
	314	READ_UNLOCK(&ip_conntrack_lock);
8cc4a74e	315	return ret;
4867a0a7	316	@@ -92,10 +95,6 @@
	317	if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info)))
	318	return 0;
8cc4a74e	319
4867a0a7	320	- /* verify that we actually should match anything */
	321	- if ( strlen(info->name) == 0 )
	322	- return 0;
	323	-
	324	return 1;
8cc4a74e	325	}
8cc4a74e	326
8cc4a74e	327	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig
4867a0a7	328	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig 2004-03-30 20:32:42.000000000 +0200
	329	+++ linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig 2004-03-30 20:37:46.503753368 +0200
	330	@@ -706,5 +706,15 @@
8cc4a74e	331	depends on IP_NF_IPTABLES
	332	help
	333
	334	+config IP_NF_CONNTRACK_MARK
	335	+ bool 'Connection mark tracking support'
8cc4a74e	336	+config IP_NF_TARGET_CONNMARK
	337	+ tristate 'CONNMARK target support'
	338	+ depends on IP_NF_MANGLE
8cc4a74e	339	+config IP_NF_MATCH_CONNMARK
	340	+ tristate ' Connection mark match support'
	341	+ depends on IP_NF_IPTABLES
	342	+ help
8cc4a74e	343	+
	344	endmenu
	345
	346	diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile linux-2.6.5-rc3/net/ipv4/netfilter/Makefile
4867a0a7	347	--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile 2004-03-30 20:32:42.000000000 +0200
	348	+++ linux-2.6.5-rc3/net/ipv4/netfilter/Makefile 2004-03-30 20:37:46.507752760 +0200
	349	@@ -89,6 +89,7 @@
8cc4a74e	350
	351	obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
	352	obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
	353	+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
	354	obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
	355	obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
	356	obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
4867a0a7	357	@@ -110,6 +111,7 @@
8cc4a74e	358	obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
	359	obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
	360	obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
8cc4a74e	361	+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
	362	obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
	363	obj-$(CONFIG_IP_NF_TARGET_NETLINK) += ipt_NETLINK.o
	364	obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o