summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kernel/linux/include/linux/netfilter_bridge/ebt_mark_m.h11
-rw-r--r--kernel/linux/include/linux/netfilter_bridge/ebt_mark_t.h12
-rw-r--r--kernel/linux/net/bridge/netfilter/ebt_mark.c69
-rw-r--r--kernel/linux/net/bridge/netfilter/ebt_mark_m.c54
-rw-r--r--userspace/ebtables2/ChangeLog2
-rw-r--r--userspace/ebtables2/extensions/ebt_mark.c121
-rw-r--r--userspace/ebtables2/extensions/ebt_mark_m.c115
7 files changed, 384 insertions, 0 deletions
diff --git a/kernel/linux/include/linux/netfilter_bridge/ebt_mark_m.h b/kernel/linux/include/linux/netfilter_bridge/ebt_mark_m.h
new file mode 100644
index 0000000..576d33b
--- /dev/null
+++ b/kernel/linux/include/linux/netfilter_bridge/ebt_mark_m.h
@@ -0,0 +1,11 @@
+#ifndef __LINUX_BRIDGE_EBT_MARK_M_H
+#define __LINUX_BRIDGE_EBT_MARK_M_H
+
+struct ebt_mark_m_info
+{
+ unsigned long mark, mask;
+ __u8 invert;
+};
+#define EBT_MARK_MATCH "mark_m"
+
+#endif
diff --git a/kernel/linux/include/linux/netfilter_bridge/ebt_mark_t.h b/kernel/linux/include/linux/netfilter_bridge/ebt_mark_t.h
new file mode 100644
index 0000000..f84d2ad
--- /dev/null
+++ b/kernel/linux/include/linux/netfilter_bridge/ebt_mark_t.h
@@ -0,0 +1,12 @@
+#ifndef __LINUX_BRIDGE_EBT_MARK_T_H
+#define __LINUX_BRIDGE_EBT_MARK_T_H
+
+struct ebt_mark_t_info
+{
+ unsigned long mark;
+ // EBT_ACCEPT, EBT_DROP or EBT_CONTINUE or EBT_RETURN
+ int target;
+};
+#define EBT_MARK_TARGET "mark"
+
+#endif
diff --git a/kernel/linux/net/bridge/netfilter/ebt_mark.c b/kernel/linux/net/bridge/netfilter/ebt_mark.c
new file mode 100644
index 0000000..1e4d98b
--- /dev/null
+++ b/kernel/linux/net/bridge/netfilter/ebt_mark.c
@@ -0,0 +1,69 @@
+/*
+ * ebt_mark_t
+ *
+ * Authors:
+ * Bart De Schuymer <bart.de.schuymer@pandora.be>
+ *
+ * July, 2002
+ *
+ */
+
+// The mark target can be used in any chain
+// I believe adding a mangle table just for marking is total overkill
+// Marking a frame doesn't really change anything in the frame anyway
+// The target member of the struct ebt_vlan_info provides the same
+// functionality as a separate table
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_mark_t.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/skbuff.h>
+#include <linux/module.h>
+#include <net/sock.h>
+#include "../br_private.h"
+
+static int ebt_target_mark(struct sk_buff **pskb, unsigned int hooknr,
+ const struct net_device *in, const struct net_device *out,
+ const void *data, unsigned int datalen)
+{
+ struct ebt_mark_t_info *infostuff = (struct ebt_mark_t_info *) data;
+
+ if ((*pskb)->nfmark != infostuff->mark) {
+ (*pskb)->nfmark = infostuff->mark;
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ return infostuff->target;
+}
+
+static int ebt_target_mark_check(const char *tablename, unsigned int hookmask,
+ const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+ struct ebt_mark_t_info *infostuff = (struct ebt_mark_t_info *) data;
+
+ if (datalen != sizeof(struct ebt_mark_t_info))
+ return -EINVAL;
+ if (infostuff->target < -NUM_STANDARD_TARGETS || infostuff->target >= 0)
+ return -EINVAL;
+ return 0;
+}
+
+static struct ebt_target mark_target =
+{
+ {NULL, NULL}, EBT_MARK_TARGET, ebt_target_mark,
+ ebt_target_mark_check, NULL, THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ebt_register_target(&mark_target);
+}
+
+static void __exit fini(void)
+{
+ ebt_unregister_target(&mark_target);
+}
+
+module_init(init);
+module_exit(fini);
+EXPORT_NO_SYMBOLS;
+MODULE_LICENSE("GPL");
diff --git a/kernel/linux/net/bridge/netfilter/ebt_mark_m.c b/kernel/linux/net/bridge/netfilter/ebt_mark_m.c
new file mode 100644
index 0000000..4972b09
--- /dev/null
+++ b/kernel/linux/net/bridge/netfilter/ebt_mark_m.c
@@ -0,0 +1,54 @@
+/*
+ * ebt_mark_m
+ *
+ * Authors:
+ * Bart De Schuymer <bart.de.schuymer@pandora.be>
+ *
+ * July, 2002
+ *
+ */
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_mark_m.h>
+#include <linux/module.h>
+
+static int ebt_filter_mark(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *data,
+ unsigned int datalen, const struct ebt_counter *c)
+{
+ struct ebt_mark_m_info *info = (struct ebt_mark_m_info *) data;
+
+ return !(((skb->nfmark & info->mask) == info->mark) ^ info->invert);
+}
+
+static int ebt_mark_check(const char *tablename, unsigned int hookmask,
+ const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+ if (datalen != sizeof(struct ebt_mark_m_info)) {
+ return -EINVAL;
+ }
+ return 0;
+}
+
+static struct ebt_match filter_mark =
+{
+ {NULL, NULL}, EBT_MARK_MATCH, ebt_filter_mark, ebt_mark_check, NULL,
+ THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ebt_register_match(&filter_mark);
+}
+
+static void __exit fini(void)
+{
+ ebt_unregister_match(&filter_mark);
+}
+
+module_init(init);
+module_exit(fini);
+EXPORT_NO_SYMBOLS;
+MODULE_LICENSE("GPL");
diff --git a/userspace/ebtables2/ChangeLog b/userspace/ebtables2/ChangeLog
index 0e3e27a..20bb3f1 100644
--- a/userspace/ebtables2/ChangeLog
+++ b/userspace/ebtables2/ChangeLog
@@ -1,3 +1,5 @@
+20020720
+ * added mark target+match
20020714
* added --atomic options
20020710
diff --git a/userspace/ebtables2/extensions/ebt_mark.c b/userspace/ebtables2/extensions/ebt_mark.c
new file mode 100644
index 0000000..318e2b6
--- /dev/null
+++ b/userspace/ebtables2/extensions/ebt_mark.c
@@ -0,0 +1,121 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_mark_t.h>
+
+extern char *standard_targets[NUM_STANDARD_TARGETS];
+
+#define MARK_TARGET '1'
+#define MARK_SETMARK '2'
+static struct option opts[] =
+{
+ { "mark-target" , required_argument, 0, MARK_TARGET },
+ { "set-mark" , required_argument, 0, MARK_SETMARK },
+ { 0 }
+};
+
+static void print_help()
+{
+ printf(
+ "mark target options:\n"
+ " --set-mark value : Set nfmark value\n"
+ " --mark-target target : ACCEPT, DROP or CONTINUE\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+ struct ebt_mark_t_info *markinfo =
+ (struct ebt_mark_t_info *)target->data;
+
+ markinfo->target = EBT_ACCEPT;
+ markinfo->mark = 0;
+ return;
+}
+
+#define OPT_MARK_TARGET 0x01
+#define OPT_MARK_SETMARK 0x02
+static int parse(int c, char **argv, int argc,
+ const struct ebt_u_entry *entry, unsigned int *flags,
+ struct ebt_entry_target **target)
+{
+ int i;
+ struct ebt_mark_t_info *markinfo =
+ (struct ebt_mark_t_info *)(*target)->data;
+ char *end;
+
+ switch (c) {
+ case MARK_TARGET:
+ check_option(flags, OPT_MARK_TARGET);
+ for (i = 0; i < NUM_STANDARD_TARGETS; i++)
+ if (!strcmp(optarg, standard_targets[i])) {
+ markinfo->target = -i - 1;
+ break;
+ }
+ if (i == NUM_STANDARD_TARGETS)
+ print_error("Illegal --mark-target target");
+ break;
+ case MARK_SETMARK:
+ check_option(flags, OPT_MARK_SETMARK);
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ print_error("Bad MARK value `%s'", optarg);
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_target *target, const char *name,
+ unsigned int hook_mask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_target *target)
+{
+ struct ebt_mark_t_info *markinfo =
+ (struct ebt_mark_t_info *)target->data;
+
+ printf("--set-mark 0x%lx", markinfo->mark);
+ if (markinfo->target == EBT_ACCEPT)
+ return;
+ printf(" --mark-target %s",
+ standard_targets[-markinfo->target - 1]);
+}
+
+static int compare(const struct ebt_entry_target *t1,
+ const struct ebt_entry_target *t2)
+{
+ struct ebt_mark_t_info *markinfo1 =
+ (struct ebt_mark_t_info *)t1->data;
+ struct ebt_mark_t_info *markinfo2 =
+ (struct ebt_mark_t_info *)t2->data;
+
+ return (markinfo1->target == markinfo2->target &&
+ markinfo1->mark == markinfo2->mark);
+}
+
+static struct ebt_u_target mark_target =
+{
+ EBT_MARK_TARGET,
+ sizeof(struct ebt_mark_t_info),
+ print_help,
+ init,
+ parse,
+ final_check,
+ print,
+ compare,
+ opts,
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+ register_target(&mark_target);
+}
diff --git a/userspace/ebtables2/extensions/ebt_mark_m.c b/userspace/ebtables2/extensions/ebt_mark_m.c
new file mode 100644
index 0000000..16caec5
--- /dev/null
+++ b/userspace/ebtables2/extensions/ebt_mark_m.c
@@ -0,0 +1,115 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_mark_m.h>
+
+#define MARK '1'
+
+static struct option opts[] =
+{
+ { "mark" , required_argument, 0, MARK },
+ { 0 }
+};
+
+static void print_help()
+{
+ printf(
+"mark option:\n"
+"--mark [!] value[/mask]: Match nfmask value with optional mask\n");
+}
+
+static void init(struct ebt_entry_match *match)
+{
+ struct ebt_mark_m_info *markinfo = (struct ebt_mark_m_info *)match->data;
+
+ markinfo->mark = 0;
+ markinfo->mask = 0;
+ markinfo->invert = 0;
+}
+
+#define OPT_MARK 0x01
+static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
+ unsigned int *flags, struct ebt_entry_match **match)
+{
+ struct ebt_mark_m_info *markinfo = (struct ebt_mark_m_info *)
+ (*match)->data;
+ char *end;
+
+ switch (c) {
+ case MARK:
+ check_option(flags, MARK);
+ if (check_inverse(optarg))
+ markinfo->invert = 1;
+ if (optind > argc)
+ print_error("No mark specified");
+ markinfo->mark = strtoul(argv[optind - 1], &end, 0);
+ if (*end == '/')
+ markinfo->mask = strtoul(end+1, &end, 0);
+ else
+ markinfo->mask = 0xffffffff;
+ if ( *end != '\0' || end == argv[optind - 1])
+ print_error("Bad mark value '%s'", argv[optind - 1]);
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hook_mask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match)
+{
+ struct ebt_mark_m_info *markinfo =
+ (struct ebt_mark_m_info *)match->data;
+
+ printf("--mark ");
+ if (markinfo->invert)
+ printf("! ");
+ if(markinfo->mask != 0xffffffff)
+ printf("0x%lx/0x%lx ", markinfo->mark, markinfo->mask);
+ else
+ printf("0x%lx ", markinfo->mark);
+}
+
+static int compare(const struct ebt_entry_match *m1,
+ const struct ebt_entry_match *m2)
+{
+ struct ebt_mark_m_info *markinfo1 = (struct ebt_mark_m_info *)m1->data;
+ struct ebt_mark_m_info *markinfo2 = (struct ebt_mark_m_info *)m2->data;
+
+ if (markinfo1->invert != markinfo2->invert)
+ return 0;
+ if (markinfo1->mark != markinfo2->mark)
+ return 0;
+ if (markinfo1->mask != markinfo2->mask)
+ return 0;
+ return 1;
+}
+
+static struct ebt_u_match mark_match =
+{
+ EBT_MARK_MATCH,
+ sizeof(struct ebt_mark_m_info),
+ print_help,
+ init,
+ parse,
+ final_check,
+ print,
+ compare,
+ opts,
+};
+
+static void _init(void) __attribute((constructor));
+static void _init(void)
+{
+ register_match(&mark_match);
+}