
annotate net/netfilter/xt_CONNSECMARK.c @ 871:9cbcc9008446

xen/x86: don't initialize cpu_data[]'s apicid field on generic code

Afaict, this is not only redundant with the initialization done in
drivers/xen/core/smpboot.c, but actually results - at least for
secondary CPUs - in the Xen-specific value written to be later
overwritten with whatever the generic code determines (with no
guarantee that the two values are identical).

Signed-off-by: Jan Beulich <jbeulich@novell.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu May 14 10:09:15 2009 +0100 (2009-05-14)
parents 831230e53067
children
ian@0 1 /*
ian@0 2 * This module is used to copy security markings from packets
ian@0 3 * to connections, and restore security markings from connections
ian@0 4 * back to packets. This would normally be performed in conjunction
ian@0 5 * with the SECMARK target and state match.
ian@0 6 *
ian@0 7 * Based somewhat on CONNMARK:
ian@0 8 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
ian@0 9 * by Henrik Nordstrom <hno@marasystems.com>
ian@0 10 *
ian@0 11 * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
ian@0 12 *
ian@0 13 * This program is free software; you can redistribute it and/or modify
ian@0 14 * it under the terms of the GNU General Public License version 2 as
ian@0 15 * published by the Free Software Foundation.
ian@0 16 *
ian@0 17 */
ian@0 18 #include <linux/module.h>
ian@0 19 #include <linux/skbuff.h>
ian@0 20 #include <linux/netfilter/x_tables.h>
ian@0 21 #include <linux/netfilter/xt_CONNSECMARK.h>
ian@0 22 #include <net/netfilter/nf_conntrack_compat.h>
ian@0 23
/* Prefix for every printk() message emitted by this module. */
#define PFX "CONNSECMARK: "

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
/* Names under which the module can be requested for the IPv4 and IPv6 variants. */
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");
ian@0 31
/*
 * SAVE direction: label the connection with the packet's security mark.
 *
 * The copy happens only when the packet carries a mark and the connection
 * does not yet have one, so the first marked packet fixes the connection's
 * label and later packets (even with a different mark) never overwrite it.
 * When nf_ct_get_secmark() yields NULL (no conntrack mark available for this
 * skb — presumably untracked traffic, not shown here) nothing is recorded.
 */
static void secmark_save(struct sk_buff *skb)
{
	u32 *ct_mark;
	enum ip_conntrack_info ctinfo;

	/* An unmarked packet has nothing to contribute. */
	if (!skb->secmark)
		return;

	ct_mark = nf_ct_get_secmark(skb, &ctinfo);

	/* Keep an existing connection label; only fill in a missing one. */
	if (!ct_mark || *ct_mark)
		return;

	/* At this point *ct_mark is 0 and skb->secmark is not, so the two
	 * necessarily differ and the assignment is unconditional. */
	*ct_mark = skb->secmark;
}
ian@0 48
/*
 * RESTORE direction: label the packet with the connection's security mark.
 *
 * Only an unmarked packet is touched, and only if the connection already
 * carries a non-zero mark.  A packet that arrives with its own mark keeps
 * it; a connection without a mark (or without a conntrack mark pointer at
 * all) leaves the packet unmarked.
 */
static void secmark_restore(struct sk_buff *skb)
{
	u32 *ct_mark;
	enum ip_conntrack_info ctinfo;

	/* Never replace a label the packet already has. */
	if (skb->secmark)
		return;

	ct_mark = nf_ct_get_secmark(skb, &ctinfo);

	/* skb->secmark is 0 here, so any non-zero connection mark differs
	 * from it and can be copied straight over. */
	if (ct_mark && *ct_mark)
		skb->secmark = *ct_mark;
}
ian@0 65
/*
 * Target entry point invoked by x_tables for each matching packet.
 *
 * Dispatches on the rule's mode to either save the packet mark into the
 * connection or restore it from the connection, then lets rule traversal
 * continue (XT_CONTINUE).  in/out/hooknum/target/userinfo are accepted for
 * the x_tables calling convention but not used here.
 *
 * NOTE: the `target' parameter shadows this function's own name; it is
 * harmless but -Wshadow will warn about it.
 */
static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
			   const struct net_device *out, unsigned int hooknum,
			   const struct xt_target *target,
			   const void *targinfo, void *userinfo)
{
	const struct xt_connsecmark_target_info *info = targinfo;
	struct sk_buff *skb = *pskb;

	if (info->mode == CONNSECMARK_SAVE)
		secmark_save(skb);
	else if (info->mode == CONNSECMARK_RESTORE)
		secmark_restore(skb);
	else
		/* checkentry() rejects every other mode, so this is only
		 * reachable if a rule bypassed validation. */
		BUG();

	return XT_CONTINUE;
}
ian@0 89
/*
 * Validate a rule's target data when it is installed.
 *
 * targinfo comes from the userspace rule; mode is the only field this module
 * reads, and SAVE/RESTORE are the only values accepted.  Its length is
 * presumably checked against .targetsize by x_tables before this runs (not
 * shown here).  Returns 1 to accept the rule, 0 to reject it, logging the
 * offending mode at KERN_INFO in the latter case.  tablename, entry, target,
 * targinfosize and hook_mask are not inspected.
 */
static int checkentry(const char *tablename, const void *entry,
		      const struct xt_target *target, void *targinfo,
		      unsigned int targinfosize, unsigned int hook_mask)
{
	const struct xt_connsecmark_target_info *info = targinfo;
	int valid = info->mode == CONNSECMARK_SAVE ||
		    info->mode == CONNSECMARK_RESTORE;

	if (!valid)
		printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);

	return valid;
}
ian@0 108
/*
 * IPv4 registration record.  The target is advertised for the mangle table
 * only, its per-rule data size is fixed to struct xt_connsecmark_target_info,
 * and every rule goes through checkentry() before target() can run.
 */
static struct xt_target ipt_connsecmark_reg = {
.name = "CONNSECMARK",
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
.checkentry = checkentry,
.me = THIS_MODULE,
.family = AF_INET,
.revision = 0,
};
ian@0 119
/*
 * IPv6 registration record; identical to the IPv4 one apart from .family,
 * sharing the same target() and checkentry() callbacks.
 */
static struct xt_target ip6t_connsecmark_reg = {
.name = "CONNSECMARK",
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
.checkentry = checkentry,
.me = THIS_MODULE,
.family = AF_INET6,
.revision = 0,
};
ian@0 130
/*
 * Module entry: pull in conntrack, then register the IPv4 and IPv6 targets.
 *
 * Returns 0 on success or the error from the failing xt_register_target()
 * call.  If the IPv6 registration fails the IPv4 one is rolled back so the
 * module never stays half-registered.
 */
static int __init xt_connsecmark_init(void)
{
	int ret;

	/* Both modes depend on a conntrack entry to carry the mark. */
	need_conntrack();

	ret = xt_register_target(&ipt_connsecmark_reg);
	if (ret == 0) {
		ret = xt_register_target(&ip6t_connsecmark_reg);
		if (ret != 0)
			xt_unregister_target(&ipt_connsecmark_reg);
	}

	return ret;
}
ian@0 147
/*
 * Module exit: unregister both targets, IPv6 first, i.e. in the reverse of
 * the order xt_connsecmark_init() registered them.
 */
static void __exit xt_connsecmark_fini(void)
{
	xt_unregister_target(&ip6t_connsecmark_reg);
	xt_unregister_target(&ipt_connsecmark_reg);
}
ian@0 153
/* Hook the init/exit routines above into the module loader. */
module_init(xt_connsecmark_init);
module_exit(xt_connsecmark_fini);