- _rel 1.19,

[packages/kernel.git] / 2.6.5-patch-o-matic-ng-extra-20040330.patch

diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h     2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ip_conntrack.h 2004-03-30 20:37:46.505753064 +0200
@@ -206,6 +206,10 @@
        } nat;
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+       unsigned long mark;
+#endif
+
 };
 
 /* get master conntrack via master expectation */
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_connmark.h 2004-03-30 20:37:46.488755648 +0200
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+       unsigned long mark, mask;
+       u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-2.6.5-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-03-30 20:37:46.474757776 +0200
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+       IPT_CONNMARK_SET = 0,
+       IPT_CONNMARK_SAVE,
+       IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+       unsigned long mark;
+       unsigned long mask;
+       u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c  2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_core.c      2004-03-30 20:37:46.513751848 +0200
@@ -717,6 +717,9 @@
                 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
                 conntrack->master = expected;
                 expected->sibling = conntrack;
+#if CONFIG_IP_NF_CONNTRACK_MARK
+               conntrack->mark = expected->expectant->mark;
+#endif
                 LIST_DELETE(&ip_conntrack_expect_list, expected);
                 expected->expectant->expecting--;
                 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c    2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c        2004-03-30 20:37:46.512752000 +0200
@@ -110,6 +110,9 @@
                len += sprintf(buffer + len, "[ASSURED] ");
        len += sprintf(buffer + len, "use=%u ",
                       atomic_read(&conntrack->ct_general.use));
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+       len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
+#endif
        len += sprintf(buffer + len, "\n");
 
        return len;
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_connmark.c       1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_connmark.c   2004-03-30 20:37:46.501753672 +0200
@@ -0,0 +1,81 @@
+/* This kernel module matches connection mark values set by the
+ * CONNMARK target
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connmark.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+       const struct ipt_connmark_info *info = matchinfo;
+       enum ip_conntrack_info ctinfo;
+       struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+       if (!ct)
+               return 0;
+
+       return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_ip *ip,
+          void *matchinfo,
+          unsigned int matchsize,
+          unsigned int hook_mask)
+{
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
+               return 0;
+
+       return 1;
+}
+
+static struct ipt_match connmark_match = {
+       .name = "connmark",
+       .match = &match,
+       .checkentry = &checkentry,
+       .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+       return ipt_register_match(&connmark_match);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_match(&connmark_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c       1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_CONNMARK.c   2004-03-30 20:37:46.500753824 +0200
@@ -0,0 +1,118 @@
+/* This kernel module is used to modify the connection mark values, or
+ * to optionally restore the skb nfmark from the connection mark
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+       const struct ipt_connmark_target_info *markinfo = targinfo;
+       unsigned long diff;
+       unsigned long nfmark;
+       unsigned long newmark;
+
+       enum ip_conntrack_info ctinfo;
+       struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+       if (ct) {
+           switch(markinfo->mode) {
+           case IPT_CONNMARK_SET:
+               newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
+               if (newmark != ct->mark)
+                   ct->mark = newmark;
+               break;
+           case IPT_CONNMARK_SAVE:
+               newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
+               if (ct->mark != newmark)
+                   ct->mark = newmark;
+               break;
+           case IPT_CONNMARK_RESTORE:
+               nfmark = (*pskb)->nfmark;
+               diff = (ct->mark ^ nfmark & markinfo->mask);
+               if (diff != 0) {
+                   (*pskb)->nfmark = nfmark ^ diff;
+                   (*pskb)->nfcache |= NFC_ALTERED;
+               }
+               break;
+           }
+       }
+
+       return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_entry *e,
+          void *targinfo,
+          unsigned int targinfosize,
+          unsigned int hook_mask)
+{
+       struct ipt_connmark_target_info *matchinfo = targinfo;
+       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
+               printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
+                      targinfosize,
+                      IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
+               return 0;
+       }
+
+       if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
+           if (strcmp(tablename, "mangle") != 0) {
+                   printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+                   return 0;
+           }
+       }
+
+       return 1;
+}
+
+static struct ipt_target ipt_connmark_reg = {
+       .name = "CONNMARK",
+       .target = &target,
+       .checkentry = &checkentry,
+       .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+       return ipt_register_target(&ipt_connmark_reg);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_target(&ipt_connmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/ipt_helper.c 2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/ipt_helper.c     2004-03-30 20:38:09.307286704 +0200
@@ -71,8 +71,11 @@
        DEBUGP("master's name = %s , info->name = %s\n", 
                exp->expectant->helper->name, info->name);
 
-       ret ^= !strncmp(exp->expectant->helper->name, info->name, 
-                       strlen(exp->expectant->helper->name));
+       if (info->name[0] == '\0')
+               ret ^= 1;
+       else
+               ret ^= !strncmp(exp->expectant->helper->name, info->name, 
+                               strlen(exp->expectant->helper->name));
 out_unlock:
        READ_UNLOCK(&ip_conntrack_lock);
        return ret;
@@ -92,10 +95,6 @@
        if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info)))
                return 0;
 
-       /* verify that we actually should match anything */
-       if ( strlen(info->name) == 0 )
-               return 0;
-       
        return 1;
 }
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Kconfig      2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/Kconfig  2004-03-30 20:37:46.503753368 +0200
@@ -706,5 +706,15 @@
        depends on IP_NF_IPTABLES
          help
 
+config IP_NF_CONNTRACK_MARK
+       bool  'Connection mark tracking support'
+config IP_NF_TARGET_CONNMARK
+       tristate  'CONNMARK target support'
+       depends on IP_NF_MANGLE
+config IP_NF_MATCH_CONNMARK
+       tristate  ' Connection mark match support'
+       depends on IP_NF_IPTABLES
+         help
+
 endmenu
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile linux-2.6.5-rc3/net/ipv4/netfilter/Makefile
--- linux-2.6.5-rc3.org/net/ipv4/netfilter/Makefile     2004-03-30 20:32:42.000000000 +0200
+++ linux-2.6.5-rc3/net/ipv4/netfilter/Makefile 2004-03-30 20:37:46.507752760 +0200
@@ -89,6 +89,7 @@
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
 obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -110,6 +111,7 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_NETLINK) += ipt_NETLINK.o
 obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o