2 * Shared library add-on to ip6tables to add CONNSECMARK target support.
4 * Based on the MARK and CONNMARK targets.
6 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
#include <getopt.h>
#include <stddef.h>
#include <stdio.h>

#include <ip6tables.h>
#include <linux/netfilter/xt_CONNSECMARK.h>
15 #define PFX "CONNSECMARK target: "
/*
 * Usage text for this target, shown by ip6tables for `-j CONNSECMARK -h`.
 *
 * Only two options exist, --save and --restore; they are mutually
 * exclusive, which final_check() enforces after parsing. The version
 * substituted into the banner is IPTABLES_VERSION, the same macro the
 * registration record reports as its .version.
 *
 * NOTE(review): the source listing is garbled around this function; the
 * printf() call itself is not visible and has been reconstructed.
 */
static void help(void)
{
	printf("CONNSECMARK target v%s options:\n", IPTABLES_VERSION);
	fputs(" --save Copy security mark from packet to conntrack\n"
	      " --restore Copy security mark from connection to packet\n",
	      stdout);
}
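/*
 * Long options understood by parse().
 *
 * The .val characters '1' and '2' are private dispatch codes returned by
 * getopt_long() to parse(); users never type them. Neither option takes
 * an argument (has_arg == 0) and neither writes through a flag pointer.
 *
 * getopt_long() locates the end of this table by scanning for an entry
 * whose fields are all zero, so the sentinel row is part of the contract:
 * without it the table would be read past its end. The garbled listing
 * does not show a terminator, so it is made explicit here.
 */
static struct option opts[] = {
	{ .name = "save",    .has_arg = 0, .flag = NULL, .val = '1' },
	{ .name = "restore", .has_arg = 0, .flag = NULL, .val = '2' },
	{ .name = NULL,      .has_arg = 0, .flag = NULL, .val = 0   },
};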
/*
 * Record `bit` as the target's mode, rejecting a repeated option.
 *
 * `bit` is one of the CONNSECMARK_* values; it serves both as the mode
 * stored in the payload and as the flag bit parse() accumulates in
 * *flags. `dup_msg` is the complete error text printed when that bit is
 * already set. Does not return in the error case (exit_error).
 */
static void connsecmark_set_mode(struct xt_connsecmark_target_info *info,
				 unsigned int *flags, unsigned int bit,
				 const char *dup_msg)
{
	if (*flags & bit)
		exit_error(PARAMETER_PROBLEM, "%s", dup_msg);
	info->mode = bit;
	*flags |= bit;
}

/*
 * ip6tables option callback for -j CONNSECMARK.
 *
 * `c` is the getopt value from opts[]: '1' for --save, '2' for --restore.
 * On a recognised option the mode is written into the target payload
 * ((*target)->data) and the matching bit is set in *flags, so a second
 * occurrence of the same option is rejected here and the save+restore
 * combination is rejected later in final_check(). Returns 1 when the
 * option was consumed, 0 when it is not one of ours. `argv`, `invert`
 * and `entry` are not consulted by the visible code.
 *
 * NOTE(review): the source listing is garbled; the switch/return skeleton
 * is reconstructed from the two visible branches and the opts[] table —
 * confirm against the original.
 */
static int parse(int c, char **argv, int invert, unsigned int *flags,
		 const struct ip6t_entry *entry,
		 struct ip6t_entry_target **target)
{
	struct xt_connsecmark_target_info *info = (void *)(*target)->data;

	switch (c) {
	case '1':
		connsecmark_set_mode(info, flags, CONNSECMARK_SAVE,
				     PFX "Can't specify --save twice");
		return 1;
	case '2':
		connsecmark_set_mode(info, flags, CONNSECMARK_RESTORE,
				     PFX "Can't specify --restore twice");
		return 1;
	default:
		return 0;
	}
}
/*
 * Post-parse validation: exactly one of --save / --restore must be given.
 *
 * `flags` is the bitmask parse() accumulated. An empty mask means no
 * option was supplied; SAVE|RESTORE means both were. Any other value is
 * a single mode bit and is accepted. Errors do not return (exit_error).
 *
 * NOTE(review): the condition guarding the "parameter required" error is
 * not visible in the garbled listing; an empty mask is the only value for
 * which that message makes sense, so it is keyed on 0 here — confirm.
 */
static void final_check(unsigned int flags)
{
	switch (flags) {
	case 0:
		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
		break;
	case CONNSECMARK_SAVE | CONNSECMARK_RESTORE:
		exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
			   "or --restore is allowed");
		break;
	default:
		/* a single mode bit: valid */
		break;
	}
}
/*
 * Emit the configured mode; shared by print() (rule listing) and save()
 * (rule dump), both of which hand over the target payload.
 *
 * Dispatches on info->mode. A value other than CONNSECMARK_SAVE or
 * CONNSECMARK_RESTORE is treated as a corrupt or incompatible payload
 * and aborts via exit_error(OTHER_PROBLEM) instead of printing garbage.
 *
 * NOTE(review): the listing is garbled between the case labels and the
 * default branch — the switch header, the text printed for each mode and
 * the break statements are not visible. Whatever save() relies on being
 * printed here must be re-readable by ip6tables-restore; confirm against
 * the original before trusting dump/restore round-trips.
 */
73 static void print_connsecmark(struct xt_connsecmark_target_info
*info
)
/* mode selected by --save: per-mode output not visible in this listing */
76 case CONNSECMARK_SAVE
:
/* mode selected by --restore: per-mode output not visible in this listing */
80 case CONNSECMARK_RESTORE
:
/* default: any other mode value is an error; %hhu matches the 8-bit mode field */
85 exit_error(OTHER_PROBLEM
, PFX
"invalid mode %hhu\n", info
->mode
);
/*
 * Rule-listing callback (`ip6tables -L`): prints the target name followed
 * by its mode word via print_connsecmark().
 *
 * `ip` and `numeric` are unused — this target carries no address or name
 * that could be resolved. The payload is taken from target->data.
 */
static void print(const struct ip6t_ip6 *ip,
		  const struct ip6t_entry_target *target, int numeric)
{
	struct xt_connsecmark_target_info *info = (void *)target->data;

	fputs("CONNSECMARK ", stdout);
	print_connsecmark(info);
}
/*
 * Rule-dump callback (`ip6tables-save`): emits the mode for this target
 * via print_connsecmark(). Unlike print() it does not repeat the target
 * name; the caller has already written the `-j CONNSECMARK` part.
 *
 * NOTE(review): a dump has to be re-readable by ip6tables-restore, i.e.
 * the mode must come out as an option (`--save` / `--restore`). The
 * listing is garbled immediately before the print_connsecmark() call, so
 * whether a `--` prefix is printed here cannot be seen — confirm against
 * the original.
 */
static void save(const struct ip6t_ip6 *ip,
		 const struct ip6t_entry_target *target)
{
	struct xt_connsecmark_target_info *info = (void *)target->data;

	print_connsecmark(info);
}
/*
 * Registration record for the CONNSECMARK target, handed to
 * register_target6() at load time.
 *
 * .size and .userspacesize are the same aligned sizeof(), so the whole
 * payload is visible to userspace — there is no kernel-private trailing
 * part to skip when comparing rules.
 *
 * NOTE(review): this listing is garbled; only the fields below are
 * visible. The help/parse/print/save hooks and the opts[] table defined
 * earlier in the file are not visibly wired into this record here —
 * confirm the missing initialisers against the original.
 */
108 static struct ip6tables_target connsecmark
= {
109 .name
= "CONNSECMARK",
110 .version
= IPTABLES_VERSION
,
/* kernel-side payload size */
111 .size
= IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info
)),
/* portion of the payload userspace compares; equal to .size here */
112 .userspacesize
= IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info
)),
/* enforces exactly one of --save / --restore after option parsing */
115 .final_check
= &final_check
,
/*
 * Register the target with ip6tables when the extension library is
 * loaded. The enclosing function header (the library's load-time entry
 * point) is not visible in this garbled listing; only the registration
 * call itself is.
 */
123 register_target6(&connsecmark
);