Re: [PATCH] Add mark to packet from libipq

[Eric Leblond <eric@regit.org>]

[-- Attachment #1.1: Type: text/plain, Size: 532 bytes --]

Le jeu 16/10/2003 à 09:31, Henrik Nordstrom a écrit :
> On Thu, 16 Oct 2003, Eric Leblond wrote:
> It got the mark with the packet in packet_msg->mark, so the userspace
> application can just apply the transformation it likes when setting the
> verdict.

I've done this changes and suppress references to a mask.
I attach the diffs for module and lib.

The code is tested on my box with nufw (CVS version) so it is in state :
Work For Me.

BR,
-- 
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)

[-- Attachment #1.2: ip_queue.diff --]
[-- Type: text/plain, Size: 2510 bytes --]

--- linux.orig/include/linux/netfilter_ipv4/ip_queue.h	2003-10-16 01:47:01.000000000 +0200
+++ linux/include/linux/netfilter_ipv4/ip_queue.h	2003-10-16 23:53:17.000000000 +0200
@@ -47,10 +47,20 @@
 	unsigned char payload[0];	/* Optional replacement packet */
 } ipq_verdict_msg_t;
 
+typedef struct ipq_vwmark_msg {
+	unsigned int value;		/* Verdict to hand to netfilter */
+	unsigned long id;		/* Packet ID for this verdict */
+	size_t data_len;		/* Length of replacement data */
+	unsigned char payload[0];	/* Optional replacement packet */
+	unsigned long nfmark;		/* Mark for the Packet */
+} ipq_vwmark_msg_t;
+
+
 typedef struct ipq_peer_msg {
 	union {
 		ipq_verdict_msg_t verdict;
 		ipq_mode_msg_t mode;
+                ipq_vwmark_msg_t vwmark;
 	} msg;
 } ipq_peer_msg_t;
 
@@ -67,6 +77,7 @@
 #define IPQM_MODE	(IPQM_BASE + 1)		/* Mode request from peer */
 #define IPQM_VERDICT	(IPQM_BASE + 2)		/* Verdict from peer */ 
 #define IPQM_PACKET	(IPQM_BASE + 3)		/* Packet from kernel */
-#define IPQM_MAX	(IPQM_BASE + 4)
+#define IPQM_VWMARK	(IPQM_BASE + 4)		/* Verdict and mark from peer */
+#define IPQM_MAX	(IPQM_BASE + 5)
 
 #endif /*_IP_QUEUE_H*/
--- linux.orig/net/ipv4/netfilter/ip_queue.c	2003-10-16 01:46:27.000000000 +0200
+++ linux/net/ipv4/netfilter/ip_queue.c	2003-10-16 23:54:11.000000000 +0200
@@ -417,6 +417,33 @@
 }
 
 static int
+ipq_set_vwmark(struct ipq_vwmark_msg *vmsg, unsigned int len)
+{
+	struct ipq_queue_entry *entry;
+
+	if (vmsg->value > NF_MAX_VERDICT)
+		return -EINVAL;
+
+	entry = ipq_find_dequeue_entry(id_cmp, vmsg->id);
+	if (entry == NULL)
+		return -ENOENT;
+	else {
+		int verdict = vmsg->value;
+		
+		if (vmsg->data_len && vmsg->data_len == len)
+			if (ipq_mangle_ipv4((ipq_verdict_msg_t *)vmsg, entry) < 0)
+				verdict = NF_DROP;
+
+		/* set mark of associated skb */
+		entry->skb->nfmark = vmsg->nfmark;
+		
+		ipq_issue_verdict(entry, verdict);
+		return 0;
+	}
+}
+
+
+static int
 ipq_receive_peer(struct ipq_peer_msg *pmsg,
                  unsigned char type, unsigned int len)
 {
@@ -438,6 +465,14 @@
 			status = ipq_set_verdict(&pmsg->msg.verdict,
 			                         len - sizeof(*pmsg));
 			break;
+        case IPQM_VWMARK:
+		if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
+			status = -EINVAL;
+		else
+			status = ipq_set_vwmark(&pmsg->msg.vwmark,
+			                         len - sizeof(*pmsg));
+			break;
+
 	default:
 		status = -EINVAL;
 	}

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.3: libipq.diff --]
[-- Type: text/x-patch; name=libipq.diff; charset=UTF-8, Size: 2475 bytes --]

diff -ru iptables-1.2.8.orig/include/libipq/libipq.h iptables-1.2.8/include/libipq/libipq.h
--- iptables-1.2.8.orig/include/libipq/libipq.h	2003-10-16 01:53:08.000000000 +0200
+++ iptables-1.2.8/include/libipq/libipq.h	2003-10-16 23:47:35.000000000 +0200
@@ -79,6 +79,13 @@
                     size_t data_len,
                     unsigned char *buf);
 
+int ipq_set_vwmark(const struct ipq_handle *h,
+                    ipq_id_t id,
+                    unsigned int verdict,
+                    unsigned long nfmark,
+                    size_t data_len,
+                    unsigned char *buf);
+
 int ipq_ctl(const struct ipq_handle *h, int request, ...);
 
 char *ipq_errstr(void);
Les fichiers binaires iptables-1.2.8.orig/libipq/libipq.a et iptables-1.2.8/libipq/libipq.a sont différents.
diff -ru iptables-1.2.8.orig/libipq/libipq.c iptables-1.2.8/libipq/libipq.c
--- iptables-1.2.8.orig/libipq/libipq.c	2003-10-16 01:58:46.000000000 +0200
+++ iptables-1.2.8/libipq/libipq.c	2003-10-16 23:33:10.000000000 +0200
@@ -348,6 +348,54 @@
 	return ipq_netlink_sendmsg(h, &msg, 0);
 }
 
+int ipq_set_vwmark(const struct ipq_handle *h,
+                    ipq_id_t id,
+                    unsigned int verdict,
+                    unsigned long nfmark,
+                    size_t data_len,
+                    unsigned char *buf)
+{
+	unsigned char nvecs;
+	size_t tlen;
+	struct nlmsghdr nlh;
+	ipq_peer_msg_t pm;
+	struct iovec iov[3];
+	struct msghdr msg;
+
+	memset(&nlh, 0, sizeof(nlh));
+	nlh.nlmsg_flags = NLM_F_REQUEST;
+	nlh.nlmsg_type = IPQM_VWMARK;
+	nlh.nlmsg_pid = h->local.nl_pid;
+	memset(&pm, 0, sizeof(pm));
+	pm.msg.vwmark.value = verdict;
+	pm.msg.vwmark.id = id;
+	pm.msg.vwmark.data_len = data_len;
+	pm.msg.vwmark.nfmark = nfmark;
+	iov[0].iov_base = &nlh;
+	iov[0].iov_len = sizeof(nlh);
+	iov[1].iov_base = &pm;
+	iov[1].iov_len = sizeof(pm);
+	tlen = sizeof(nlh) + sizeof(pm);
+	nvecs = 2;
+	if (data_len && buf) {
+		iov[2].iov_base = buf;
+		iov[2].iov_len = data_len;
+		tlen += data_len;
+		nvecs++;
+	}
+	msg.msg_name = (void *)&h->peer;
+	msg.msg_namelen = sizeof(h->peer);
+	msg.msg_iov = iov;
+	msg.msg_iovlen = nvecs;
+	msg.msg_control = NULL;
+	msg.msg_controllen = 0;
+	msg.msg_flags = 0;
+	nlh.nlmsg_len = tlen;
+	return ipq_netlink_sendmsg(h, &msg, 0);
+}
+
+
+
 /* Not implemented yet */
 int ipq_ctl(const struct ipq_handle *h, int request, ...)
 {

[-- Attachment #2: Ceci est une partie de message numériquement signée. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]