/*
 *      xt_CONNMARK - Netfilter module to modify the connection mark values
 *
 *      Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
 *      by Henrik Nordstrom <hno@marasystems.com>
 *      Copyright © CC Computer Consultants GmbH, 2007 - 2008
 *      Jan Engelhardt <jengelh@computergmbh.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/checksum.h>

MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
MODULE_DESCRIPTION("Xtables: connection mark modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNMARK.h>
#include <net/netfilter/nf_conntrack_ecache.h>

static unsigned int
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
        const struct xt_connmark_tginfo1 *info = par->targinfo;
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct;
        u_int32_t newmark;

        ct = nf_ct_get(skb, &ctinfo);
        if (ct == NULL)
                return XT_CONTINUE;

        switch (info->mode) {
        case XT_CONNMARK_SET:
                newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
                if (ct->mark != newmark) {
                        ct->mark = newmark;
                        nf_conntrack_event_cache(IPCT_MARK, ct);
                }
                break;
        case XT_CONNMARK_SAVE:
                newmark = (ct->mark & ~info->ctmask) ^
                          (skb->mark & info->nfmask);
                if (ct->mark != newmark) {
                        ct->mark = newmark;
                        nf_conntrack_event_cache(IPCT_MARK, ct);
                }
                break;
        case XT_CONNMARK_RESTORE:
                newmark = (skb->mark & ~info->nfmask) ^
                          (ct->mark & info->ctmask);
                skb->mark = newmark;
                break;
        }

        return XT_CONTINUE;
}

static bool connmark_tg_check(const struct xt_tgchk_param *par)
{
        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
                printk(KERN_WARNING "cannot load conntrack support for "
                       "proto=%u\n", par->family);
                return false;
        }
        return true;
}

static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
{
        nf_ct_l3proto_module_put(par->family);
}

static struct xt_target connmark_tg_reg __read_mostly = {
        .name           = "CONNMARK",
        .revision       = 1,
        .family         = NFPROTO_UNSPEC,
        .checkentry     = connmark_tg_check,
        .target         = connmark_tg,
        .targetsize     = sizeof(struct xt_connmark_tginfo1),
        .destroy        = connmark_tg_destroy,
        .me             = THIS_MODULE,
};

static int __init connmark_tg_init(void)
{
        return xt_register_target(&connmark_tg_reg);
}

static void __exit connmark_tg_exit(void)
{
        xt_unregister_target(&connmark_tg_reg);
}

module_init(connmark_tg_init);
module_exit(connmark_tg_exit);