1/* 2 * This module is used to copy security markings from packets 3 * to connections, and restore security markings from connections 4 * back to packets. This would normally be performed in conjunction 5 * with the SECMARK target and state match. 6 * 7 * Based somewhat on CONNMARK: 8 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> 9 * by Henrik Nordstrom <hno@marasystems.com> 10 * 11 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 12 * 13 * This program is free software; you can redistribute it and/or modify 14 * it under the terms of the GNU General Public License version 2 as 15 * published by the Free Software Foundation. 16 * 17 */ 18#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 19#include <linux/module.h> 20#include <linux/skbuff.h> 21#include <linux/netfilter/x_tables.h> 22#include <linux/netfilter/xt_CONNSECMARK.h> 23#include <net/netfilter/nf_conntrack.h> 24#include <net/netfilter/nf_conntrack_ecache.h> 25 26MODULE_LICENSE("GPL"); 27MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); 28MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark"); 29MODULE_ALIAS("ipt_CONNSECMARK"); 30MODULE_ALIAS("ip6t_CONNSECMARK"); 31 32/* 33 * If the packet has a security mark and the connection does not, copy 34 * the security mark from the packet to the connection. 35 */ 36static void secmark_save(const struct sk_buff *skb) 37{ 38 if (skb->secmark) { 39 struct nf_conn *ct; 40 enum ip_conntrack_info ctinfo; 41 42 ct = nf_ct_get(skb, &ctinfo); 43 if (ct && !ct->secmark) { 44 ct->secmark = skb->secmark; 45 nf_conntrack_event_cache(IPCT_SECMARK, ct); 46 } 47 } 48} 49 50/* 51 * If packet has no security mark, and the connection does, restore the 52 * security mark from the connection to the packet. 53 */ 54static void secmark_restore(struct sk_buff *skb) 55{ 56 if (!skb->secmark) { 57 const struct nf_conn *ct; 58 enum ip_conntrack_info ctinfo; 59 60 ct = nf_ct_get(skb, &ctinfo); 61 if (ct && ct->secmark) 62 skb->secmark = ct->secmark; 63 } 64} 65 66static unsigned int 67connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par) 68{ 69 const struct xt_connsecmark_target_info *info = par->targinfo; 70 71 switch (info->mode) { 72 case CONNSECMARK_SAVE: 73 secmark_save(skb); 74 break; 75 76 case CONNSECMARK_RESTORE: 77 secmark_restore(skb); 78 break; 79 80 default: 81 BUG(); 82 } 83 84 return XT_CONTINUE; 85} 86 87static int connsecmark_tg_check(const struct xt_tgchk_param *par) 88{ 89 const struct xt_connsecmark_target_info *info = par->targinfo; 90 int ret; 91 92 if (strcmp(par->table, "mangle") != 0 && 93 strcmp(par->table, "security") != 0) { 94 pr_info("target only valid in the \'mangle\' " 95 "or \'security\' tables, not \'%s\'.\n", par->table); 96 return -EINVAL; 97 } 98 99 switch (info->mode) { 100 case CONNSECMARK_SAVE: 101 case CONNSECMARK_RESTORE: 102 break; 103 104 default: 105 pr_info("invalid mode: %hu\n", info->mode); 106 return -EINVAL; 107 } 108 109 ret = nf_ct_l3proto_try_module_get(par->family); 110 if (ret < 0) 111 pr_info("cannot load conntrack support for proto=%u\n", 112 par->family); 113 return ret; 114} 115 116static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par) 117{ 118 nf_ct_l3proto_module_put(par->family); 119} 120 121static struct xt_target connsecmark_tg_reg __read_mostly = { 122 .name = "CONNSECMARK", 123 .revision = 0, 124 .family = NFPROTO_UNSPEC, 125 .checkentry = connsecmark_tg_check, 126 .destroy = connsecmark_tg_destroy, 127 .target = connsecmark_tg, 128 .targetsize = sizeof(struct xt_connsecmark_target_info), 129 .me = THIS_MODULE, 130}; 131 132static int __init connsecmark_tg_init(void) 133{ 134 return xt_register_target(&connsecmark_tg_reg); 135} 136 137static void __exit connsecmark_tg_exit(void) 138{ 139 xt_unregister_target(&connsecmark_tg_reg); 140} 141 142module_init(connsecmark_tg_init); 143module_exit(connsecmark_tg_exit); 144