Commit 7c9728c3 authored by James Morris's avatar James Morris Committed by David S. Miller
Browse files

[SECMARK]: Add secmark support to conntrack 



Add a secmark field to IP and NF conntracks, so that security markings
on packets can be copied to their associated connections, and also
copied back to packets as required.  This is similar to the network
mark field currently used with conntrack, although it is intended for
enforcement of security policy rather than network policy.

Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5e6874cd

include/linux/netfilter_ipv4/ip_conntrack.h

+4 −0
Original line number Diff line number Diff line
@@ -121,6 +121,10 @@ struct ip_conntrack 
	u_int32_t mark;

#endif



#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK

	u_int32_t secmark;

#endif



	/* Traversed often, so hopefully in different cacheline to top */

	/* These are my tuples; original and reply */

	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];

include/net/netfilter/nf_conntrack.h

+4 −0
Original line number Diff line number Diff line
@@ -114,6 +114,10 @@ struct nf_conn 
	u_int32_t mark;

#endif



#ifdef CONFIG_NF_CONNTRACK_SECMARK

	u_int32_t secmark;

#endif



	/* Storage reserved for other modules: */

	union nf_conntrack_proto proto;

include/net/netfilter/nf_conntrack_compat.h

+26 −0
Original line number Diff line number Diff line
@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, 
}

#endif /* CONFIG_IP_NF_CONNTRACK_MARK */



#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK

static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,

					   u_int32_t *ctinfo)

{

	struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);



	if (ct)

		return &ct->secmark;

	else

		return NULL;

}

#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */



#ifdef CONFIG_IP_NF_CT_ACCT

static inline struct ip_conntrack_counter *

nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, 
}

#endif /* CONFIG_NF_CONNTRACK_MARK */



#ifdef CONFIG_NF_CONNTRACK_SECMARK

static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,

					   u_int32_t *ctinfo)

{

	struct nf_conn *ct = nf_ct_get(skb, ctinfo);



	if (ct)

		return &ct->secmark;

	else

		return NULL;

}

#endif /* CONFIG_NF_CONNTRACK_MARK */



#ifdef CONFIG_NF_CT_ACCT

static inline struct ip_conntrack_counter *

nf_ct_get_counters(const struct sk_buff *skb)

net/ipv4/netfilter/Kconfig

+12 −0
Original line number Diff line number Diff line
@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK 
	  of packets, but this mark value is kept in the conntrack session

	  instead of the individual packets.

	

config IP_NF_CONNTRACK_SECMARK

	bool  'Connection tracking security mark support'

	depends on IP_NF_CONNTRACK && NETWORK_SECMARK

	help

	  This option enables security markings to be applied to

	  connections.  Typically they are copied to connections from

	  packets using the CONNSECMARK target and copied back from

	  connections to packets with the same target, with the packets

	  being originally labeled via SECMARK.



	  If unsure, say 'N'.



config IP_NF_CONNTRACK_EVENTS

	bool "Connection tracking events (EXPERIMENTAL)"

	depends on EXPERIMENTAL && IP_NF_CONNTRACK

net/ipv4/netfilter/ip_conntrack_core.c

+3 −0
Original line number Diff line number Diff line
@@ -723,6 +723,9 @@ init_conntrack(struct ip_conntrack_tuple *tuple, 
    defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)

		/* this is ugly, but there is no other place where to put it */

		conntrack->nat.masq_index = exp->master->nat.masq_index;

#endif

#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK

		conntrack->secmark = exp->master->secmark;

#endif

		nf_conntrack_get(&conntrack->master->ct_general);

		CONNTRACK_STAT_INC(expect_new);

CRA Git | Maintained and supported by SUSTech CRA and CCSE