netfilter: nf_tables: add requirements for connsecmark support

Add ability to set the connection tracking secmark value.

Add ability to set the meta secmark value.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index d74afa7..586627c 100644 (file)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -279,7 +279,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
 {
        const struct nft_ct *priv = nft_expr_priv(expr);
        struct sk_buff *skb = pkt->skb;
-#ifdef CONFIG_NF_CONNTRACK_MARK
+#if defined(CONFIG_NF_CONNTRACK_MARK) || defined(CONFIG_NF_CONNTRACK_SECMARK)
        u32 value = regs->data[priv->sreg];
 #endif
        enum ip_conntrack_info ctinfo;
@@ -298,6 +298,14 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
                }
                break;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+       case NFT_CT_SECMARK:
+               if (ct->secmark != value) {
+                       ct->secmark = value;
+                       nf_conntrack_event_cache(IPCT_SECMARK, ct);
+               }
+               break;
+#endif
 #ifdef CONFIG_NF_CONNTRACK_LABELS
        case NFT_CT_LABELS:
                nf_connlabels_replace(ct,
@@ -565,6 +573,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
                len = sizeof(u32);
                break;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+       case NFT_CT_SECMARK:
+               if (tb[NFTA_CT_DIRECTION])
+                       return -EINVAL;
+               len = sizeof(u32);
+               break;
+#endif
        default:
                return -EOPNOTSUPP;
        }

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 91fd6e6..6180626 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -284,6 +284,11 @@ static void nft_meta_set_eval(const struct nft_expr *expr,
 
                skb->nf_trace = !!value8;
                break;
+#ifdef CONFIG_NETWORK_SECMARK
+       case NFT_META_SECMARK:
+               skb->secmark = value;
+               break;
+#endif
        default:
                WARN_ON(1);
        }
@@ -436,6 +441,9 @@ static int nft_meta_set_init(const struct nft_ctx *ctx,
        switch (priv->key) {
        case NFT_META_MARK:
        case NFT_META_PRIORITY:
+#ifdef CONFIG_NETWORK_SECMARK
+       case NFT_META_SECMARK:
+#endif
                len = sizeof(u32);
                break;
        case NFT_META_NFTRACE: