提交 7c9728c3 编写于 作者: J James Morris 提交者: David S. Miller

[SECMARK]: Add secmark support to conntrack

Add a secmark field to IP and NF conntracks, so that security markings
on packets can be copied to their associated connections, and also
copied back to packets as required.  This is similar to the network
mark field currently used with conntrack, although it is intended for
enforcement of security policy rather than network policy.
Signed-off-by: NJames Morris <jmorris@namei.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 5e6874cd
...@@ -121,6 +121,10 @@ struct ip_conntrack ...@@ -121,6 +121,10 @@ struct ip_conntrack
u_int32_t mark; u_int32_t mark;
#endif #endif
#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
u_int32_t secmark;
#endif
/* Traversed often, so hopefully in different cacheline to top */ /* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */ /* These are my tuples; original and reply */
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
......
...@@ -114,6 +114,10 @@ struct nf_conn ...@@ -114,6 +114,10 @@ struct nf_conn
u_int32_t mark; u_int32_t mark;
#endif #endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
u_int32_t secmark;
#endif
/* Storage reserved for other modules: */ /* Storage reserved for other modules: */
union nf_conntrack_proto proto; union nf_conntrack_proto proto;
......
...@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, ...@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
} }
#endif /* CONFIG_IP_NF_CONNTRACK_MARK */ #endif /* CONFIG_IP_NF_CONNTRACK_MARK */
#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
u_int32_t *ctinfo)
{
struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
if (ct)
return &ct->secmark;
else
return NULL;
}
#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
#ifdef CONFIG_IP_NF_CT_ACCT #ifdef CONFIG_IP_NF_CT_ACCT
static inline struct ip_conntrack_counter * static inline struct ip_conntrack_counter *
nf_ct_get_counters(const struct sk_buff *skb) nf_ct_get_counters(const struct sk_buff *skb)
...@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, ...@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
} }
#endif /* CONFIG_NF_CONNTRACK_MARK */ #endif /* CONFIG_NF_CONNTRACK_MARK */
#ifdef CONFIG_NF_CONNTRACK_SECMARK
static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
u_int32_t *ctinfo)
{
struct nf_conn *ct = nf_ct_get(skb, ctinfo);
if (ct)
return &ct->secmark;
else
return NULL;
}
#endif /* CONFIG_NF_CONNTRACK_MARK */
#ifdef CONFIG_NF_CT_ACCT #ifdef CONFIG_NF_CT_ACCT
static inline struct ip_conntrack_counter * static inline struct ip_conntrack_counter *
nf_ct_get_counters(const struct sk_buff *skb) nf_ct_get_counters(const struct sk_buff *skb)
......
...@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK ...@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK
of packets, but this mark value is kept in the conntrack session of packets, but this mark value is kept in the conntrack session
instead of the individual packets. instead of the individual packets.
config IP_NF_CONNTRACK_SECMARK
bool 'Connection tracking security mark support'
depends on IP_NF_CONNTRACK && NETWORK_SECMARK
help
This option enables security markings to be applied to
connections. Typically they are copied to connections from
packets using the CONNSECMARK target and copied back from
connections to packets with the same target, with the packets
being originally labeled via SECMARK.
If unsure, say 'N'.
config IP_NF_CONNTRACK_EVENTS config IP_NF_CONNTRACK_EVENTS
bool "Connection tracking events (EXPERIMENTAL)" bool "Connection tracking events (EXPERIMENTAL)"
depends on EXPERIMENTAL && IP_NF_CONNTRACK depends on EXPERIMENTAL && IP_NF_CONNTRACK
......
...@@ -723,6 +723,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple, ...@@ -723,6 +723,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple,
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
/* this is ugly, but there is no other place where to put it */ /* this is ugly, but there is no other place where to put it */
conntrack->nat.masq_index = exp->master->nat.masq_index; conntrack->nat.masq_index = exp->master->nat.masq_index;
#endif
#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
conntrack->secmark = exp->master->secmark;
#endif #endif
nf_conntrack_get(&conntrack->master->ct_general); nf_conntrack_get(&conntrack->master->ct_general);
CONNTRACK_STAT_INC(expect_new); CONNTRACK_STAT_INC(expect_new);
......
...@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *s, void *v) ...@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
return -ENOSPC; return -ENOSPC;
#endif #endif
#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
if (seq_printf(s, "secmark=%u ", conntrack->secmark))
return -ENOSPC;
#endif
if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
return -ENOSPC; return -ENOSPC;
......
...@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK ...@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
of packets, but this mark value is kept in the conntrack session of packets, but this mark value is kept in the conntrack session
instead of the individual packets. instead of the individual packets.
config NF_CONNTRACK_SECMARK
bool 'Connection tracking security mark support'
depends on NF_CONNTRACK && NETWORK_SECMARK
help
This option enables security markings to be applied to
connections. Typically they are copied to connections from
packets using the CONNSECMARK target and copied back from
connections to packets with the same target, with the packets
being originally labeled via SECMARK.
If unsure, say 'N'.
config NF_CONNTRACK_EVENTS config NF_CONNTRACK_EVENTS
bool "Connection tracking events (EXPERIMENTAL)" bool "Connection tracking events (EXPERIMENTAL)"
depends on EXPERIMENTAL && NF_CONNTRACK depends on EXPERIMENTAL && NF_CONNTRACK
......
...@@ -989,6 +989,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, ...@@ -989,6 +989,9 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
conntrack->master = exp->master; conntrack->master = exp->master;
#ifdef CONFIG_NF_CONNTRACK_MARK #ifdef CONFIG_NF_CONNTRACK_MARK
conntrack->mark = exp->master->mark; conntrack->mark = exp->master->mark;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
conntrack->secmark = exp->master->secmark;
#endif #endif
nf_conntrack_get(&conntrack->master->ct_general); nf_conntrack_get(&conntrack->master->ct_general);
NF_CT_STAT_INC(expect_new); NF_CT_STAT_INC(expect_new);
......
...@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *s, void *v) ...@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *s, void *v)
return -ENOSPC; return -ENOSPC;
#endif #endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if (seq_printf(s, "secmark=%u ", conntrack->secmark))
return -ENOSPC;
#endif
if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
return -ENOSPC; return -ENOSPC;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册