1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * xt_connmark - Netfilter module to operate on connection marks
4 *
5 * Copyright (C) 2002,2004 MARA Systems AB <https://www.marasystems.com>
6 * by Henrik Nordstrom <hno@marasystems.com>
7 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
8 * Jan Engelhardt <jengelh@medozas.de>
9 */
10
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <net/netfilter/nf_conntrack.h>
14 #include <net/netfilter/nf_conntrack_ecache.h>
15 #include <linux/netfilter/x_tables.h>
16 #include <linux/netfilter/xt_connmark.h>
17
18 MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
19 MODULE_DESCRIPTION("Xtables: connection mark operations");
20 MODULE_LICENSE("GPL");
21 MODULE_ALIAS("ipt_CONNMARK");
22 MODULE_ALIAS("ip6t_CONNMARK");
23 MODULE_ALIAS("ipt_connmark");
24 MODULE_ALIAS("ip6t_connmark");
25
26 static unsigned int
27 connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
28 {
29 enum ip_conntrack_info ctinfo;
30 u_int32_t new_targetmark;
31 struct nf_conn *ct;
32 u_int32_t newmark;
33 u_int32_t oldmark;
34
35 ct = nf_ct_get(skb, &ctinfo);
36 if (ct == NULL)
37 return XT_CONTINUE;
38
39 switch (info->mode) {
40 case XT_CONNMARK_SET:
41 oldmark = READ_ONCE(ct->mark);
42 newmark = (oldmark & ~info->ctmask) ^ info->ctmark;
43 if (info->shift_dir == D_SHIFT_RIGHT)
44 newmark >>= info->shift_bits;
45 else
46 newmark <<= info->shift_bits;
47
48 if (READ_ONCE(ct->mark) != newmark) {
49 WRITE_ONCE(ct->mark, newmark);
50 nf_conntrack_event_cache(IPCT_MARK, ct);
51 }
52 break;
53 case XT_CONNMARK_SAVE:
54 new_targetmark = (skb->mark & info->nfmask);
55 if (info->shift_dir == D_SHIFT_RIGHT)
56 new_targetmark >>= info->shift_bits;
57 else
58 new_targetmark <<= info->shift_bits;
59
60 newmark = (READ_ONCE(ct->mark) & ~info->ctmask) ^
61 new_targetmark;
62 if (READ_ONCE(ct->mark) != newmark) {
63 WRITE_ONCE(ct->mark, newmark);
64 nf_conntrack_event_cache(IPCT_MARK, ct);
65 }
66 break;
67 case XT_CONNMARK_RESTORE:
68 new_targetmark = (READ_ONCE(ct->mark) & info->ctmask);
69 if (info->shift_dir == D_SHIFT_RIGHT)
70 new_targetmark >>= info->shift_bits;
71 else
72 new_targetmark <<= info->shift_bits;
73
74 newmark = (skb->mark & ~info->nfmask) ^
75 new_targetmark;
76 skb->mark = newmark;
77 break;
78 }
79 return XT_CONTINUE;
80 }
81
82 static unsigned int
83 connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
84 {
85 const struct xt_connmark_tginfo1 *info = par->targinfo;
86 const struct xt_connmark_tginfo2 info2 = {
87 .ctmark = info->ctmark,
88 .ctmask = info->ctmask,
89 .nfmask = info->nfmask,
90 .mode = info->mode,
91 };
92
93 return connmark_tg_shift(skb, &info2);
94 }
95
96 static unsigned int
97 connmark_tg_v2(struct sk_buff *skb, const struct xt_action_param *par)
98 {
99 const struct xt_connmark_tginfo2 *info = par->targinfo;
100
101 return connmark_tg_shift(skb, info);
102 }
103
104 static int connmark_tg_check(const struct xt_tgchk_param *par)
105 {
106 int ret;
107
108 ret = nf_ct_netns_get(par->net, par->family);
109 if (ret < 0)
110 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
111 par->family);
112 return ret;
113 }
114
115 static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
116 {
117 nf_ct_netns_put(par->net, par->family);
118 }
119
120 static bool
121 connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
122 {
123 const struct xt_connmark_mtinfo1 *info = par->matchinfo;
124 enum ip_conntrack_info ctinfo;
125 const struct nf_conn *ct;
126
127 ct = nf_ct_get(skb, &ctinfo);
128 if (ct == NULL)
129 return false;
130
131 return ((READ_ONCE(ct->mark) & info->mask) == info->mark) ^ info->invert;
132 }
133
134 static int connmark_mt_check(const struct xt_mtchk_param *par)
135 {
136 int ret;
137
138 ret = nf_ct_netns_get(par->net, par->family);
139 if (ret < 0)
140 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
141 par->family);
142 return ret;
143 }
144
145 static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
146 {
147 nf_ct_netns_put(par->net, par->family);
148 }
149
150 static struct xt_target connmark_tg_reg[] __read_mostly = {
151 {
152 .name = "CONNMARK",
153 .revision = 1,
154 .family = NFPROTO_UNSPEC,
155 .checkentry = connmark_tg_check,
156 .target = connmark_tg,
157 .targetsize = sizeof(struct xt_connmark_tginfo1),
158 .destroy = connmark_tg_destroy,
159 .me = THIS_MODULE,
160 },
161 {
162 .name = "CONNMARK",
163 .revision = 2,
164 .family = NFPROTO_UNSPEC,
165 .checkentry = connmark_tg_check,
166 .target = connmark_tg_v2,
167 .targetsize = sizeof(struct xt_connmark_tginfo2),
168 .destroy = connmark_tg_destroy,
169 .me = THIS_MODULE,
170 }
171 };
172
173 static struct xt_match connmark_mt_reg __read_mostly = {
174 .name = "connmark",
175 .revision = 1,
176 .family = NFPROTO_UNSPEC,
177 .checkentry = connmark_mt_check,
178 .match = connmark_mt,
179 .matchsize = sizeof(struct xt_connmark_mtinfo1),
180 .destroy = connmark_mt_destroy,
181 .me = THIS_MODULE,
182 };
183
184 static int __init connmark_mt_init(void)
185 {
186 int ret;
187
188 ret = xt_register_targets(connmark_tg_reg,
189 ARRAY_SIZE(connmark_tg_reg));
190 if (ret < 0)
191 return ret;
192 ret = xt_register_match(&connmark_mt_reg);
193 if (ret < 0) {
194 xt_unregister_targets(connmark_tg_reg,
195 ARRAY_SIZE(connmark_tg_reg));
196 return ret;
197 }
198 return 0;
199 }
200
201 static void __exit connmark_mt_exit(void)
202 {
203 xt_unregister_match(&connmark_mt_reg);
204 xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
205 }
206
207 module_init(connmark_mt_init);
208 module_exit(connmark_mt_exit);
209
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.