• Lorenzo Colitti's avatar
    net: support marking accepting TCP sockets · 84f39b08
    Lorenzo Colitti authored
    When using mark-based routing, sockets returned from accept()
    may need to be marked differently depending on the incoming
    connection request.
    
    This is the case, for example, if different socket marks identify
    different networks: a listening socket may want to accept
    connections from all networks, but each connection should be
    marked with the network that the request came in on, so that
    subsequent packets are sent on the correct network.
    
    This patch adds a sysctl to mark TCP sockets based on the fwmark
    of the incoming SYN packet. If enabled, and an unmarked socket
    receives a SYN, then the SYN packet's fwmark is written to the
    connection's inet_request_sock, and later written back to the
    accepted socket when the connection is established.  If the
    socket already has a nonzero mark, then the behaviour is the same
    as it is today, i.e., the listening socket's fwmark is used.
    
    Black-box tested using user-mode linux:
    
    - IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
      mark of the incoming SYN packet.
    - The socket returned by accept() is marked with the mark of the
      incoming SYN packet.
    - Tested with syncookies=1 and syncookies=2.
    Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    84f39b08
sysctl_net_ipv4.c 21.8 KB