| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | /* This kernel module matches connection mark values set by the |
| 2 | * CONNMARK target |
| 3 | * |
| 4 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> |
| 5 | * by Henrik Nordstrom <hno@marasystems.com> |
| 6 | * |
| 7 | * This program is free software; you can redistribute it and/or modify |
| 8 | * it under the terms of the GNU General Public License as published by |
| 9 | * the Free Software Foundation; either version 2 of the License, or |
| 10 | * (at your option) any later version. |
| 11 | * |
| 12 | * This program is distributed in the hope that it will be useful, |
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | * GNU General Public License for more details. |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License |
| 18 | * along with this program; if not, write to the Free Software |
| 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 20 | */ |
| 21 | |
| 22 | #include <linux/module.h> |
| 23 | #include <linux/skbuff.h> |
| 24 | |
| 25 | MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>"); |
| 26 | MODULE_DESCRIPTION("IP tables connmark match module"); |
| 27 | MODULE_LICENSE("GPL"); |
| 28 | |
| 29 | #include <linux/netfilter_ipv4/ip_tables.h> |
| 30 | #include <linux/netfilter_ipv4/ipt_connmark.h> |
| Yasuyuki Kozakai | 9fb9cbb | 2005-11-09 16:38:16 -0800 | [diff] [blame^] | 31 | #include <net/netfilter/nf_conntrack_compat.h> |
| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 32 | |
| 33 | static int |
| 34 | match(const struct sk_buff *skb, |
| 35 | const struct net_device *in, |
| 36 | const struct net_device *out, |
| 37 | const void *matchinfo, |
| 38 | int offset, |
| 39 | int *hotdrop) |
| 40 | { |
| 41 | const struct ipt_connmark_info *info = matchinfo; |
| Yasuyuki Kozakai | 9fb9cbb | 2005-11-09 16:38:16 -0800 | [diff] [blame^] | 42 | u_int32_t ctinfo; |
| 43 | const u_int32_t *ctmark = nf_ct_get_mark(skb, &ctinfo); |
| 44 | if (!ctmark) |
| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 45 | return 0; |
| 46 | |
| Yasuyuki Kozakai | 9fb9cbb | 2005-11-09 16:38:16 -0800 | [diff] [blame^] | 47 | return (((*ctmark) & info->mask) == info->mark) ^ info->invert; |
| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 48 | } |
| 49 | |
| 50 | static int |
| 51 | checkentry(const char *tablename, |
| 52 | const struct ipt_ip *ip, |
| 53 | void *matchinfo, |
| 54 | unsigned int matchsize, |
| 55 | unsigned int hook_mask) |
| 56 | { |
| Harald Welte | bf3a46a | 2005-08-09 19:22:01 -0700 | [diff] [blame] | 57 | struct ipt_connmark_info *cm = |
| 58 | (struct ipt_connmark_info *)matchinfo; |
| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 59 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info))) |
| 60 | return 0; |
| 61 | |
| Harald Welte | bf3a46a | 2005-08-09 19:22:01 -0700 | [diff] [blame] | 62 | if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { |
| 63 | printk(KERN_WARNING "connmark: only support 32bit mark\n"); |
| 64 | return 0; |
| 65 | } |
| 66 | |
| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 67 | return 1; |
| 68 | } |
| 69 | |
| 70 | static struct ipt_match connmark_match = { |
| 71 | .name = "connmark", |
| 72 | .match = &match, |
| 73 | .checkentry = &checkentry, |
| 74 | .me = THIS_MODULE |
| 75 | }; |
| 76 | |
| 77 | static int __init init(void) |
| 78 | { |
| 79 | return ipt_register_match(&connmark_match); |
| 80 | } |
| 81 | |
| 82 | static void __exit fini(void) |
| 83 | { |
| 84 | ipt_unregister_match(&connmark_match); |
| 85 | } |
| 86 | |
| 87 | module_init(init); |
| 88 | module_exit(fini); |