From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
netfilter-devel@vger.kernel.org
Subject: netfilter 10/31: xtables: remove xt_owner v0
Date: Thu, 10 Sep 2009 18:11:59 +0200 (MEST) [thread overview]
Message-ID: <20090910161155.31179.99399.sendpatchset@x2.localnet> (raw)
In-Reply-To: <20090910161142.31179.5256.sendpatchset@x2.localnet>
commit 6461caed83412ae3e9a16785ffa64396fb66c6a6
Author: Jan Engelhardt <jengelh@medozas.de>
Date: Fri Jun 12 19:46:26 2009 +0200
netfilter: xtables: remove xt_owner v0
Superseded by xt_owner v1 (v2.6.24-2388-g0265ab4).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 5e361ef..5413005 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -28,7 +28,6 @@ header-y += ipt_limit.h
header-y += ipt_mac.h
header-y += ipt_mark.h
header-y += ipt_multiport.h
-header-y += ipt_owner.h
header-y += ipt_physdev.h
header-y += ipt_pkttype.h
header-y += ipt_policy.h
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
deleted file mode 100644
index a78445b..0000000
--- a/include/linux/netfilter_ipv4/ipt_owner.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _IPT_OWNER_H
-#define _IPT_OWNER_H
-
-/* match and invert flags */
-#define IPT_OWNER_UID 0x01
-#define IPT_OWNER_GID 0x02
-#define IPT_OWNER_PID 0x04
-#define IPT_OWNER_SID 0x08
-#define IPT_OWNER_COMM 0x10
-
-struct ipt_owner_info {
- __kernel_uid32_t uid;
- __kernel_gid32_t gid;
- __kernel_pid_t pid;
- __kernel_pid_t sid;
- char comm[16];
- u_int8_t match, invert; /* flags */
-};
-
-#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild
index aca4bd1..4610a16 100644
--- a/include/linux/netfilter_ipv6/Kbuild
+++ b/include/linux/netfilter_ipv6/Kbuild
@@ -14,7 +14,6 @@ header-y += ip6t_mark.h
header-y += ip6t_mh.h
header-y += ip6t_multiport.h
header-y += ip6t_opts.h
-header-y += ip6t_owner.h
header-y += ip6t_physdev.h
header-y += ip6t_policy.h
header-y += ip6t_rt.h
diff --git a/include/linux/netfilter_ipv6/ip6t_owner.h b/include/linux/netfilter_ipv6/ip6t_owner.h
deleted file mode 100644
index ec5cc7a..0000000
--- a/include/linux/netfilter_ipv6/ip6t_owner.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IP6T_OWNER_H
-#define _IP6T_OWNER_H
-
-/* match and invert flags */
-#define IP6T_OWNER_UID 0x01
-#define IP6T_OWNER_GID 0x02
-#define IP6T_OWNER_PID 0x04
-#define IP6T_OWNER_SID 0x08
-
-struct ip6t_owner_info {
- __kernel_uid32_t uid;
- __kernel_gid32_t gid;
- __kernel_pid_t pid;
- __kernel_pid_t sid;
- u_int8_t match, invert; /* flags */
-};
-
-#endif /*_IPT_OWNER_H*/
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 22b2a5e..d24c76d 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -5,7 +5,6 @@
* (C) 2000 Marc Boucher <marc@mbsi.ca>
*
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -17,60 +16,6 @@
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_owner.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-
-static bool
-owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ipt_owner_info *info = par->matchinfo;
- const struct file *filp;
-
- if (skb->sk == NULL || skb->sk->sk_socket == NULL)
- return false;
-
- filp = skb->sk->sk_socket->file;
- if (filp == NULL)
- return false;
-
- if (info->match & IPT_OWNER_UID)
- if ((filp->f_cred->fsuid != info->uid) ^
- !!(info->invert & IPT_OWNER_UID))
- return false;
-
- if (info->match & IPT_OWNER_GID)
- if ((filp->f_cred->fsgid != info->gid) ^
- !!(info->invert & IPT_OWNER_GID))
- return false;
-
- return true;
-}
-
-static bool
-owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ip6t_owner_info *info = par->matchinfo;
- const struct file *filp;
-
- if (skb->sk == NULL || skb->sk->sk_socket == NULL)
- return false;
-
- filp = skb->sk->sk_socket->file;
- if (filp == NULL)
- return false;
-
- if (info->match & IP6T_OWNER_UID)
- if ((filp->f_cred->fsuid != info->uid) ^
- !!(info->invert & IP6T_OWNER_UID))
- return false;
-
- if (info->match & IP6T_OWNER_GID)
- if ((filp->f_cred->fsgid != info->gid) ^
- !!(info->invert & IP6T_OWNER_GID))
- return false;
-
- return true;
-}
static bool
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
-{
- const struct ipt_owner_info *info = par->matchinfo;
-
- if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
- printk(KERN_WARNING KBUILD_MODNAME
- ": PID, SID and command matching is not "
- "supported anymore\n");
- return false;
- }
-
- return true;
-}
-
-static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
-{
- const struct ip6t_owner_info *info = par->matchinfo;
-
- if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
- printk(KERN_WARNING KBUILD_MODNAME
- ": PID and SID matching is not supported anymore\n");
- return false;
- }
-
- return true;
-}
-
-static struct xt_match owner_mt_reg[] __read_mostly = {
- {
- .name = "owner",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .match = owner_mt_v0,
- .matchsize = sizeof(struct ipt_owner_info),
- .checkentry = owner_mt_check_v0,
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
- {
- .name = "owner",
- .revision = 0,
- .family = NFPROTO_IPV6,
- .match = owner_mt6_v0,
- .matchsize = sizeof(struct ip6t_owner_info),
- .checkentry = owner_mt6_check_v0,
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
- {
- .name = "owner",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
+static struct xt_match owner_mt_reg __read_mostly = {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
};
static int __init owner_mt_init(void)
{
- return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ return xt_register_match(&owner_mt_reg);
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ xt_unregister_match(&owner_mt_reg);
}
module_init(owner_mt_init);
module_exit(owner_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
next prev parent reply other threads:[~2009-09-10 16:11 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-10 16:11 netfilter 00/31: netfilter 2.6.32 update Patrick McHardy
2009-09-10 16:11 ` netfilter 01/31: nf_conntrack: add SCTP support for SO_ORIGINAL_DST Patrick McHardy
2009-09-10 16:11 ` netfilter 02/31: ebtables: Use %pM conversion specifier Patrick McHardy
2009-09-10 16:11 ` netfilter 03/31: xtables: remove xt_TOS v0 Patrick McHardy
2009-09-10 16:11 ` netfilter 04/31: xtables: remove xt_CONNMARK v0 Patrick McHardy
2009-09-10 16:11 ` netfilter 05/31: xtables: remove xt_MARK v0, v1 Patrick McHardy
2009-09-10 16:11 ` netfilter 06/31: xtables: remove xt_connmark v0 Patrick McHardy
2009-09-10 16:11 ` netfilter 07/31: xtables: remove xt_conntrack v0 Patrick McHardy
2009-09-10 16:11 ` netfilter 08/31: xtables: remove xt_iprange v0 Patrick McHardy
2009-09-10 16:11 ` netfilter 09/31: xtables: remove xt_mark v0 Patrick McHardy
2009-09-10 16:11 ` Patrick McHardy [this message]
2009-09-10 16:12 ` netfilter 11/31: xtables: remove redirecting header files Patrick McHardy
2009-09-10 16:12 ` netfilter 12/31: conntrack: switch hook PFs to nfproto Patrick McHardy
2009-09-10 16:12 ` netfilter 13/31: xtables: " Patrick McHardy
2009-09-10 16:12 ` netfilter 14/31: xtables: switch table AFs " Patrick McHardy
2009-09-10 16:12 ` netfilter 15/31: xtables: realign struct xt_target_param Patrick McHardy
2009-09-10 16:12 ` netfilter 16/31: iptables: remove unused datalen variable Patrick McHardy
2009-09-10 16:12 ` netfilter 17/31: xtables: use memcmp in unconditional check Patrick McHardy
2009-09-10 16:12 ` netfilter 18/31: xtables: ignore unassigned hooks in check_entry_size_and_hooks Patrick McHardy
2009-09-10 16:12 ` netfilter 19/31: xtables: check for unconditionality of policies Patrick McHardy
2009-09-10 16:12 ` netfilter 20/31: xtables: check for standard verdicts in policies Patrick McHardy
2009-09-10 16:12 ` netfilter 21/31: xtables: mark initial tables constant Patrick McHardy
2009-09-10 16:12 ` netfilter 22/31: nf_nat: fix inverted logic for persistent NAT mappings Patrick McHardy
2009-09-10 16:12 ` netfilter 23/31: bridge: refcount fix Patrick McHardy
2009-09-10 16:12 ` netfilter 24/31: nf_conntrack: log packets dropped by helpers Patrick McHardy
2009-09-10 16:12 ` netlink 25/31: constify nlmsghdr arguments Patrick McHardy
2009-09-10 16:12 ` netfilter 26/31: nfnetlink: constify message attributes and headers Patrick McHardy
2009-09-10 16:12 ` ipvs 27/31: Use atomic operations atomicly Patrick McHardy
2009-09-10 16:12 ` netfilter 28/31: nf_conntrack: netns fix re reliable conntrack event delivery Patrick McHardy
2009-09-10 16:12 ` netfilter 29/31: ip6t_eui: fix read outside array bounds Patrick McHardy
2009-09-10 16:12 ` IPVS 30/31: Add handling of incoming ICMPV6 messages Patrick McHardy
2009-09-10 16:12 ` netfilter 31/31: ebt_ulog: fix checkentry return value Patrick McHardy
2009-09-11 1:25 ` netfilter 00/31: netfilter 2.6.32 update David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090910161155.31179.99399.sendpatchset@x2.localnet \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.