* Re: [PATCH] ownercmd for ip6tables
From: Patrick McHardy @ 2003-04-08 17:33 UTC (permalink / raw)
Cc: Netfilter Development Mailinglist
forgot to attach it.
Patrick McHardy wrote:
> This patch adds support for the --owner-cmd option to ip6t_owner.
> I have had this lying around for about 9 months and i cannot remember
> if i ever tested it, and i have no ipv6 network available (sorry).
>
> Bye,
> Patrick
[-- Attachment #2: owner6cmd-pom.diff --]
diff -urN a/userspace/ownercmd.patch.ipv6 b/userspace/ownercmd.patch.ipv6
--- a/userspace/ownercmd.patch.ipv6 1970-01-01 01:00:00.000000000 +0100
+++ b/userspace/ownercmd.patch.ipv6 2003-04-07 23:59:48.000000000 +0200
@@ -0,0 +1,73 @@
+diff -urN ../../kernel/linux-2.4.20-pre4/include/linux/netfilter_ipv6/ip6t_owner.h linux-2.4.20-pre4/include/linux/netfilter_ipv6/ip6t_owner.h
+--- ../../kernel/linux-2.4.20-pre4/include/linux/netfilter_ipv6/ip6t_owner.h 2000-06-20 23:32:27.000000000 +0200
++++ linux-2.4.20-pre4/include/linux/netfilter_ipv6/ip6t_owner.h 2002-08-30 02:05:19.000000000 +0200
+@@ -6,12 +6,14 @@
+ #define IP6T_OWNER_GID 0x02
+ #define IP6T_OWNER_PID 0x04
+ #define IP6T_OWNER_SID 0x08
++#define IP6T_OWNER_COMM 0x10
+
+ struct ip6t_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
++ char comm[16];
+ u_int8_t match, invert; /* flags */
+ };
+
+diff -urN ../../kernel/linux-2.4.20-pre4/net/ipv6/netfilter/ip6t_owner.c linux-2.4.20-pre4/net/ipv6/netfilter/ip6t_owner.c
+--- ../../kernel/linux-2.4.20-pre4/net/ipv6/netfilter/ip6t_owner.c 2001-10-31 00:08:12.000000000 +0100
++++ linux-2.4.20-pre4/net/ipv6/netfilter/ip6t_owner.c 2002-08-30 02:04:04.000000000 +0200
+@@ -16,6 +16,38 @@
+ MODULE_LICENSE("GPL");
+
+ static int
++match_comm(const struct sk_buff *skb, const char *comm)
++{
++ struct task_struct *p;
++ struct files_struct *files;
++ int i;
++
++ read_lock(&tasklist_lock);
++ for_each_task(p) {
++ if(strncmp(p->comm, comm, sizeof(p->comm)))
++ continue;
++
++ task_lock(p);
++ files = p->files;
++ if(files) {
++ read_lock(&files->file_lock);
++ for (i=0; i < files->max_fds; i++) {
++ if (fcheck_files(files, i) == skb->sk->socket->file) {
++ read_unlock(&files->file_lock);
++ task_unlock(p);
++ read_unlock(&tasklist_lock);
++ return 1;
++ }
++ }
++ read_unlock(&files->file_lock);
++ }
++ task_unlock(p);
++ }
++ read_unlock(&tasklist_lock);
++ return 0;
++}
++
++static int
+ match_pid(const struct sk_buff *skb, pid_t pid)
+ {
+ struct task_struct *p;
+@@ -119,6 +151,12 @@
+ return 0;
+ }
+
++ if(info->match & IP6T_OWNER_COMM) {
++ if (!match_comm(skb, info->comm) ^
++ !!(info->invert & IP6T_OWNER_COMM))
++ return 0;
++ }
++
+ return 1;
+ }
+
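Review bot: `skb->sk->socket->file` is re-read inside the innermost loop of match_comm (the fcheck_files comparison) with no null check on sk, socket or file; the existing match() in ip6t_owner.c presumably rejects packets without an owning socket before the per-criterion helpers run, but that check is outside the quoted kernel hunk and match_comm does not state the precondition. Hoist the invariant pointer above both loops and document it, `struct file *file = skb->sk->socket->file; /* caller guarantees sk, socket and file are non-NULL */` before `read_lock(&tasklist_lock);`, and compare `fcheck_files(files, i) == file`. The info->comm argument may fill all 16 bytes with no terminator (the userspace check admits 16-character names), which is safe here only because the strncmp is bounded by sizeof(p->comm); a comment on that line, `/* comm may be unterminated; compare is bounded by TASK_COMM_LEN */`, would stop the next reader from "fixing" it to strcmp. Walking every task and every fd under tasklist_lock for each outgoing packet is the same cost model as the existing match_pid, so it is consistent, but worth a comment. The second kernel hunk (the IP6T_OWNER_COMM check) sits inside match(), whose start and end lie outside the quoted hunk.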
diff -urN a/userspace/ownercmd.patch.ipv6.help b/userspace/ownercmd.patch.ipv6.help
--- a/userspace/ownercmd.patch.ipv6.help 1970-01-01 01:00:00.000000000 +0100
+++ b/userspace/ownercmd.patch.ipv6.help 2003-04-08 00:00:52.000000000 +0200
@@ -0,0 +1,18 @@
+Author: Patrich McHardy <kaber@trash.net>
+ Ported from Marc Boucher's ipv4 version
+Status: Untested, help text stolen from original version, feedback is welcome!
+
+This patch adds support for local process name matching
+to the owner match (--cmd-owner option).
+
+You can use this feature to filter connections forwarded by
+your ssh daemon with rules like:
+
+ip6tables -N CheckSSHSyns
+# allow forwarded connections to rsync port on 192.168.1.1
+ip6tables -A CheckSSHSyns -p tcp -d 192.168.1.1 --dport 873 -j RETURN
+# refuse everything else
+ip6tables -A CheckSSHSyns -j REJECT --reject-with tcp-reset
+
+ip6tables -I OUTPUT -p tcp --syn -m owner --cmd-owner sshd -j CheckSSHSyns
+
diff -urN a/userspace/ownercmd.patch.ipv6.userspace b/userspace/ownercmd.patch.ipv6.userspace
--- a/userspace/ownercmd.patch.ipv6.userspace 1970-01-01 01:00:00.000000000 +0100
+++ b/userspace/ownercmd.patch.ipv6.userspace 2003-04-07 23:59:48.000000000 +0200
@@ -0,0 +1,93 @@
+--- userspace/extensions/libip6t_owner.c 2002-05-29 15:08:16.000000000 +0200
++++ userspace/extensions/libip6t_owner.c 2002-08-30 02:43:43.000000000 +0200
+@@ -14,14 +14,26 @@
+ static void
+ help(void)
+ {
++#ifdef IP6T_OWNER_COMM
+ printf(
+ "OWNER match v%s options:\n"
+ "[!] --uid-owner userid Match local uid\n"
+ "[!] --gid-owner groupid Match local gid\n"
+ "[!] --pid-owner processid Match local pid\n"
+ "[!] --sid-owner sessionid Match local sid\n"
++"[!] --cmd-owner name Match local command name\n"
+ "\n",
+ IPTABLES_VERSION);
++#else
++ printf(
++"OWNER match v%s options:\n"
++"[!] --uid-owner userid Match local uid\n"
++"[!] --gid-owner groupid Match local gid\n"
++"[!] --pid-owner processid Match local pid\n"
++"[!] --sid-owner sessionid Match local sid\n"
++"\n",
++IPTABLES_VERSION);
++#endif /* IP6T_OWNER_COMM */
+ }
+
+ static struct option opts[] = {
+@@ -29,6 +41,9 @@
+ { "gid-owner", 1, 0, '2' },
+ { "pid-owner", 1, 0, '3' },
+ { "sid-owner", 1, 0, '4' },
++#ifdef IP6T_OWNER_COMM
++ { "cmd-owner", 1, 0, '5' },
++#endif
+ {0}
+ };
+
+@@ -107,6 +122,21 @@
+ *flags = 1;
+ break;
+
++#ifdef IP6T_OWNER_COMM
++ case '5':
++ check_inverse(optarg, &invert, &optind, 0);
++ if(strlen(optarg) > sizeof(ownerinfo->comm))
++ exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
++
++ strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
++
++ if (invert)
++ ownerinfo->invert |= IP6T_OWNER_COMM;
++ ownerinfo->match |= IP6T_OWNER_COMM;
++ *flags = 1;
++ break;
++#endif
++
+ default:
+ return 0;
+ }
+@@ -154,6 +184,11 @@
+ case IP6T_OWNER_SID:
+ printf("%u ", info->sid);
+ break;
++#ifdef IP6T_OWNER_COMM
++ case IP6T_OWNER_COMM:
++ printf("%.*s ", (int)sizeof(info->comm), info->comm);
++ break;
++#endif
+ default:
+ break;
+ }
+@@ -181,6 +216,9 @@
+ print_item(info, IP6T_OWNER_GID, numeric, "OWNER GID match ");
+ print_item(info, IP6T_OWNER_PID, numeric, "OWNER PID match ");
+ print_item(info, IP6T_OWNER_SID, numeric, "OWNER SID match ");
++#ifdef IP6T_OWNER_COMM
++ print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
++#endif
+ }
+
+ /* Saves the union ip6t_matchinfo in parsable form to stdout. */
+@@ -193,6 +231,9 @@
+ print_item(info, IP6T_OWNER_GID, 0, "--gid-owner ");
+ print_item(info, IP6T_OWNER_PID, 0, "--pid-owner ");
+ print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
++#ifdef IP6T_OWNER_COMM
++ print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
++#endif
+ }
+
+ static
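Review bot: The exit_error call in the new `case '5'` passes `sizeof(ownerinfo->comm)` (a size_t) to a `%d` conversion, which is undefined behaviour for printf-style functions; use `"OWNER CMD `%s' too long, max %u characters", optarg, (unsigned)sizeof(ownerinfo->comm)`. The length check admits names of exactly 16 characters, after which strncpy leaves ownerinfo->comm without a NUL terminator; that is consistent with the bounded `%.*s` in print_item and the kernel side's bounded strncmp, but the case should say so, e.g. `/* comm may fill the whole array unterminated; every consumer bounds by sizeof */`. On style, help() now carries two near-identical printf blocks under `#ifdef`/`#else`; wrapping only the one `"[!] --cmd-owner ..."` line in `#ifdef IP6T_OWNER_COMM` inside the single printf leaves one copy to maintain. The parse() function that holds `case '5'` starts and ends outside the quoted userspace hunk.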