diff options
| author |   James Morris <jmorris@namei.org> | 2006-06-09 00:31:46 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@sunset.davemloft.net> | 2006-06-17 21:30:01 -0700 |
| commit | 7c9728c393dceb724d66d696cfabce82151a78e5 (patch) | |
| tree | af2b67ff7c579d669d01f28af33929f780b9c1b3 /include/linux/netfilter_ipv4 | |
| parent | [SECMARK]: Add xtables SECMARK target (diff) | |
| download | linux-dev-7c9728c393dceb724d66d696cfabce82151a78e5.tar.xz linux-dev-7c9728c393dceb724d66d696cfabce82151a78e5.zip | |
[SECMARK]: Add secmark support to conntrack
Add a secmark field to IP and NF conntracks, so that security markings
on packets can be copied to their associated connections, and also
copied back to packets as required. This is similar to the network
mark field currently used with conntrack, although it is intended for
enforcement of security policy rather than network policy.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/netfilter_ipv4')
| -rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index 17d7ef938a09..e0e9951eb8c3 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h @@ -121,6 +121,10 @@ struct ip_conntrack u_int32_t mark; #endif +#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK + u_int32_t secmark; +#endif + /* Traversed often, so hopefully in different cacheline to top */ /* These are my tuples; original and reply */ struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; |