* [netfilter socket hooks 1/5]: Add socket hook infrastructure
From: Patrick McHardy @ 2005-05-10 16:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: juha.heljoranta, Rusty Russell
[NETFILTER]: Add socket hook infrastructure
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 4ca9ffc0b58dd44e91cbaaa2de3c27faa220e047
tree e97143c76936d02bb1817a1e109e36707202a6bb
parent e8108c98dd6d65613fa0ec9d2300f89c48d554bf
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 16:47:43 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 16:47:43 +0200
include/linux/netfilter.h | 44 +++++++++++++++++++++
net/core/netfilter.c | 96 +++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 139 insertions(+), 1 deletion(-)
Index: include/linux/netfilter.h
===================================================================
--- 3608de2fc88b062070a9d197eda9cac1fb9635d3/include/linux/netfilter.h (mode:100644)
+++ e97143c76936d02bb1817a1e109e36707202a6bb/include/linux/netfilter.h (mode:100644)
@@ -57,6 +57,25 @@
int priority;
};
+typedef unsigned int nf_sk_hookfn(unsigned int hooknum,
+ struct sock *sk, struct sk_buff **skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sock *sk, struct sk_buff *));
+
+struct nf_sk_hook_ops
+{
+ struct list_head list;
+
+ /* User fills in from here down. */
+ nf_sk_hookfn *hook;
+ struct module *owner;
+ unsigned int pf;
+ unsigned int hooknum;
+ /* Hooks are ordered in ascending priority. */
+ int priority;
+};
+
struct nf_sockopt_ops
{
struct list_head list;
@@ -94,12 +113,16 @@
int nf_register_hook(struct nf_hook_ops *reg);
void nf_unregister_hook(struct nf_hook_ops *reg);
+int nf_register_sk_hook(struct nf_sk_hook_ops *reg);
+void nf_unregister_sk_hook(struct nf_sk_hook_ops *reg);
+
/* Functions to register get/setsockopt ranges (non-inclusive). You
need to check permissions yourself! */
int nf_register_sockopt(struct nf_sockopt_ops *reg);
void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
+extern struct list_head nf_sk_hooks[NPROTO][NF_MAX_HOOKS];
typedef void nf_logfn(unsigned int hooknum,
const struct sk_buff *skb,
@@ -149,6 +172,13 @@
if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
__ret = (okfn)(skb); \
__ret;})
+#define NF_SK_HOOK(pf, hook, sk, skb, indev, outdev, okfn, skputfn) \
+({int __ret; \
+if ((__ret=nf_sk_hook_slow(pf, hook, sk, &(skb), indev, outdev, okfn)) == 0) \
+ __ret = (okfn)(sk, skb); \
+else if (sk && skputfn) \
+ ((void (*)(struct sock *))skputfn)(sk); \
+__ret;})
#else
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
({int __ret; \
@@ -162,12 +192,25 @@
(__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
__ret = (okfn)(skb); \
__ret;})
+#define NF_SK_HOOK(pf, hook, sk, skb, indev, outdev, okfn, skputfn) \
+({int __ret; \
+if (list_empty(&nf_sk_hooks[pf][hook]) || \
+ (__ret=nf_sk_hook_slow(pf, hook, sk, &(skb), indev, outdev, okfn)) == 0) \
+ __ret = (okfn)(sk, skb); \
+else if (sk && skputfn) \
+ ((void (*)(struct sock *))skputfn)(sk); \
+__ret;})
#endif
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
struct net_device *indev, struct net_device *outdev,
int (*okfn)(struct sk_buff *), int thresh);
+int nf_sk_hook_slow(int pf, unsigned int hook,
+ struct sock *sk, struct sk_buff **pskb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sock *, struct sk_buff *));
+
/* Call setsockopt() */
int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
int len);
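Review bot: `nf_sk_hook_slow` inverts the return convention of `nf_hook_slow` without documenting it: NF_HOOK calls okfn when the slow path returns `== 1`, while NF_SK_HOOK calls it on `== 0`, and the non-zero values are 1 or -EPERM (see net/core/netfilter.c in this patch). Since the prototype is the public contract, a comment here would stop the two functions from being mixed up: `/* Returns 0 when okfn should be called, 1 when the skb was consumed by a hook (dropped or stolen), -EPERM for NF_DROP on the output path (indev == NULL). */`. Aligning the convention with nf_hook_slow instead would be the cleaner long-term fix, but the comment is the minimum.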
@@ -192,6 +235,7 @@
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_SK_HOOK(pf, hook, sk, skb, indev, outdev, okfn, skputfn) (okfn)(sk, skb)
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif /*CONFIG_NETFILTER*/
Index: net/core/netfilter.c
===================================================================
--- 3608de2fc88b062070a9d197eda9cac1fb9635d3/net/core/netfilter.c (mode:100644)
+++ e97143c76936d02bb1817a1e109e36707202a6bb/net/core/netfilter.c (mode:100644)
@@ -46,6 +46,7 @@
static DECLARE_MUTEX(nf_sockopt_mutex);
struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
+struct list_head nf_sk_hooks[NPROTO][NF_MAX_HOOKS];
static LIST_HEAD(nf_sockopts);
static DEFINE_SPINLOCK(nf_hook_lock);
@@ -598,6 +599,97 @@
return;
}
+static unsigned int
+nf_sk_iterate(unsigned int hook, struct list_head *head,
+ struct sock *sk, struct sk_buff **skb,
+ const struct net_device *indev,
+ const struct net_device *outdev, struct list_head **i,
+ int (*okfn)(struct sock *sk, struct sk_buff *))
+{
+ unsigned int verdict;
+
+ /*
+ * The caller must not block between calls to this
+ * function because of risk of continuing from deleted element.
+ */
+ list_for_each_continue_rcu(*i, head) {
+ struct nf_sk_hook_ops *elem = (struct nf_sk_hook_ops *)*i;
+ /* Optimization: we don't need to hold module
+ reference here, since function can't sleep. --RR */
+ verdict = elem->hook(hook, sk, skb, indev, outdev, okfn);
+ if (verdict != NF_ACCEPT) {
+#ifdef CONFIG_NETFILTER_DEBUG
+ if (unlikely(verdict > NF_MAX_VERDICT)) {
+ NFDEBUG("Evil return from %p(%u).\n",
+ elem->hook, hook);
+ continue;
+ }
+#endif
+ if (verdict != NF_REPEAT)
+ return verdict;
+ *i = (*i)->prev;
+ }
+ }
+ return NF_ACCEPT;
+}
+
+int nf_sk_hook_slow(int pf, unsigned int hook,
+ struct sock *sk, struct sk_buff **pskb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sock *sk, struct sk_buff *))
+{
+ struct list_head *elem;
+ unsigned int verdict;
+ int ret = 1;
+
+ /* We may already have this, but read-locks nest anyway */
+ rcu_read_lock();
+
+ elem = &nf_sk_hooks[pf][hook];
+ verdict = nf_sk_iterate(hook, &nf_sk_hooks[pf][hook], sk, pskb,
+ indev, outdev, &elem, okfn);
+ if (verdict == NF_ACCEPT || verdict == NF_STOP) {
+ ret = 0;
+ goto unlock;
+ } else if (verdict == NF_DROP) {
+ kfree_skb(*pskb);
+ /* Don't trigger retransmit in ip_local_deliver_finish() */
+ if (indev == NULL)
+ ret = -EPERM;
+ }
+unlock:
+ rcu_read_unlock();
+ return ret;
+}
+EXPORT_SYMBOL(nf_sk_hook_slow);
+
+int nf_register_sk_hook(struct nf_sk_hook_ops *reg)
+{
+ struct list_head *i;
+
+ spin_lock_bh(&nf_hook_lock);
+ list_for_each(i, &nf_sk_hooks[reg->pf][reg->hooknum]) {
+ if (reg->priority < ((struct nf_sk_hook_ops *)i)->priority)
+ break;
+ }
+ list_add_rcu(®->list, i->prev);
+ spin_unlock_bh(&nf_hook_lock);
+
+ synchronize_net();
+ return 0;
+}
+EXPORT_SYMBOL(nf_register_sk_hook);
+
+void nf_unregister_sk_hook(struct nf_sk_hook_ops *reg)
+{
+ spin_lock_bh(&nf_hook_lock);
+ list_del_rcu(®->list);
+ spin_unlock_bh(&nf_hook_lock);
+
+ synchronize_net();
+}
+EXPORT_SYMBOL(nf_unregister_sk_hook);
+
#ifdef CONFIG_INET
/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
int ip_route_me_harder(struct sk_buff **pskb)
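Review bot: `nf_sk_hook_slow` handles only NF_ACCEPT/NF_STOP and NF_DROP; an NF_QUEUE verdict (or, outside CONFIG_NETFILTER_DEBUG, any out-of-range value) falls through with `ret = 1`, so the macro releases the socket reference and the caller treats the skb as consumed while nobody freed or queued it — one leaked skb per packet for any hook that returns NF_QUEUE, which nf_hook_slow supports and this path silently does not. Either reject it explicitly, `} else if (verdict != NF_STOLEN) { /* NF_QUEUE is not supported on socket hooks */ kfree_skb(*pskb); }`, or state on nf_sk_hookfn that only ACCEPT/STOP/DROP/STOLEN/REPEAT are valid here. The comment `/* Don't trigger retransmit in ip_local_deliver_finish() */` presumably means "resubmit" (udp.c describes the handler convention as "a return value > 0 means to resubmit ... it wants the return to be -protocol"), and it sits above the `indev == NULL` branch although it explains why the input path keeps `ret = 1`; `/* Input path: keep ret = 1, a negative value would make ip_local_deliver_finish() resubmit the skb */` placed before the `if` would say what is meant. `nf_sk_iterate` also casts `*i` to `struct nf_sk_hook_ops *`, relying on `list` staying the first member; `list_entry(*i, struct nf_sk_hook_ops, list)` removes that dependency.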
@@ -779,8 +871,10 @@
int i, h;
for (i = 0; i < NPROTO; i++) {
- for (h = 0; h < NF_MAX_HOOKS; h++)
+ for (h = 0; h < NF_MAX_HOOKS; h++) {
INIT_LIST_HEAD(&nf_hooks[i][h]);
+ INIT_LIST_HEAD(&nf_sk_hooks[i][h]);
+ }
}
}
* Re: [netfilter socket hooks 1/5]: Add socket hook infrastructure
From: James Morris @ 2005-05-11 23:22 UTC (permalink / raw)
To: Patrick McHardy; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
On Tue, 10 May 2005, Patrick McHardy wrote:
> +struct nf_sk_hook_ops
> +{
> + struct list_head list;
> +
> + /* User fills in from here down. */
> + nf_sk_hookfn *hook;
> + struct module *owner;
> + unsigned int pf;
> + unsigned int hooknum;
> + /* Hooks are ordered in ascending priority. */
> + int priority;
> +};
Do you need to add this struct? It's the same as nf_hook_ops.
- James
--
James Morris
<jmorris@redhat.com>
* Re: [netfilter socket hooks 1/5]: Add socket hook infrastructure
From: James Morris @ 2005-05-11 23:27 UTC (permalink / raw)
To: Patrick McHardy; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
On Wed, 11 May 2005, James Morris wrote:
> Do you need to add this struct? It's the same as nf_hook_ops.
Don't worry, I can see nf_sk_hookfn is different.
- James
--
James Morris
<jmorris@redhat.com>
* Re: [netfilter socket hooks 1/5]: Add socket hook infrastructure
From: Patrick McHardy @ 2005-05-11 23:27 UTC (permalink / raw)
To: James Morris; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
James Morris wrote:
> On Tue, 10 May 2005, Patrick McHardy wrote:
>
>
>>+struct nf_sk_hook_ops
>>+{
>>+ struct list_head list;
>>+
>>+ /* User fills in from here down. */
>>+ nf_sk_hookfn *hook;
>>+ struct module *owner;
>>+ unsigned int pf;
>>+ unsigned int hooknum;
>>+ /* Hooks are ordered in ascending priority. */
>>+ int priority;
>>+};
>
>
> Do you need to add this struct? It's the same as nf_hook_ops.
Unfortunately yes, the hook functions have different prototypes.
Regards
Patrick
* [netfilter socket hooks 2/5]: Add protocol hooks
From: Patrick McHardy @ 2005-05-10 16:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: juha.heljoranta, Rusty Russell
[NETFILTER]: Add protocol hooks
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 03a2e97e71c3c9bfbfc3d357544348d393551658
tree b53df6f327c03ec282a1b75326db321dbd2f0bc0
parent 4ca9ffc0b58dd44e91cbaaa2de3c27faa220e047
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:34:53 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:34:53 +0200
net/ipv4/raw.c | 8 ++-
net/ipv4/tcp_ipv4.c | 123 +++++++++++++++++++++++++++++++++-------------------
net/ipv4/udp.c | 109 +++++++++++++++++++++++++++-------------------
3 files changed, 151 insertions(+), 89 deletions(-)
Index: net/ipv4/raw.c
===================================================================
--- e97143c76936d02bb1817a1e109e36707202a6bb/net/ipv4/raw.c (mode:100644)
+++ b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/raw.c (mode:100644)
@@ -246,7 +246,7 @@
return NET_RX_SUCCESS;
}
-int raw_rcv(struct sock *sk, struct sk_buff *skb)
+static inline int raw_rcv_finish(struct sock *sk, struct sk_buff *skb)
{
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
kfree_skb(skb);
@@ -259,6 +259,12 @@
return 0;
}
+int raw_rcv(struct sock *sk, struct sk_buff *skb)
+{
+ return NF_SK_HOOK(AF_INET, NF_IP_LOCAL_IN, sk, skb, skb->dev, NULL,
+ raw_rcv_finish, NULL);
+}
+
static int raw_send_hdrinc(struct sock *sk, void *from, int length,
struct rtable *rt,
unsigned int flags)
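Review bot: The exported `raw_rcv` changes its return contract without saying so: the old body ended in `return 0;` (still visible as context above), while the wrapper now returns whatever NF_SK_HOOK yields, which per nf_sk_hook_slow in patch 1/5 is 1 when a socket hook drops or steals the skb (indev is `skb->dev`, so the -EPERM branch should not apply). Callers inside raw.c appear to ignore the value, but other users of the export may not; a comment would pin it: `/* Returns 0 once the skb was handed to raw_rcv_finish, non-zero when a socket hook consumed it. */`. `raw_rcv_finish` is declared `static inline` but its address is passed as okfn, so the inline hint is moot; plain `static` reads more honestly (the same applies to tcp_v4_rcv_finish, tcp_v4_rcv_finish2, tcp_sock_put and udp_rcv_finish in this patch).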
Index: net/ipv4/tcp_ipv4.c
===================================================================
--- e97143c76936d02bb1817a1e109e36707202a6bb/net/ipv4/tcp_ipv4.c (mode:100644)
+++ b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/tcp_ipv4.c (mode:100644)
@@ -62,6 +62,8 @@
#include <linux/jhash.h>
#include <linux/init.h>
#include <linux/times.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
#include <net/icmp.h>
#include <net/tcp.h>
@@ -1713,52 +1715,24 @@
goto discard;
}
-/*
- * From tcp_input.c
- */
-
-int tcp_v4_rcv(struct sk_buff *skb)
+/* Dummy outfn for netfilter - caller still owns the skb */
+static inline int tcp_v4_rcv_finish2(struct sock *sk, struct sk_buff *skb)
{
- struct tcphdr *th;
- struct sock *sk;
- int ret;
-
- if (skb->pkt_type != PACKET_HOST)
- goto discard_it;
-
- /* Count it even if it's bad */
- TCP_INC_STATS_BH(TCP_MIB_INSEGS);
-
- if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
- goto discard_it;
-
- th = skb->h.th;
-
- if (th->doff < sizeof(struct tcphdr) / 4)
- goto bad_packet;
- if (!pskb_may_pull(skb, th->doff * 4))
- goto discard_it;
-
- /* An explanation is required here, I think.
- * Packet length and doff are validated by header prediction,
- * provided case of th->doff==0 is elimineted.
- * So, we defer the checks. */
- if ((skb->ip_summed != CHECKSUM_UNNECESSARY &&
- tcp_v4_checksum_init(skb) < 0))
- goto bad_packet;
+ return 0;
+}
- th = skb->h.th;
- TCP_SKB_CB(skb)->seq = ntohl(th->seq);
- TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
- skb->len - th->doff * 4);
- TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
- TCP_SKB_CB(skb)->when = 0;
- TCP_SKB_CB(skb)->flags = skb->nh.iph->tos;
- TCP_SKB_CB(skb)->sacked = 0;
+static inline void tcp_sock_put(struct sock *sk)
+{
+ if (sk->sk_state == TCP_TIME_WAIT)
+ tcp_tw_put((struct tcp_tw_bucket *)sk);
+ else
+ sock_put(sk);
+}
- sk = __tcp_v4_lookup(skb->nh.iph->saddr, th->source,
- skb->nh.iph->daddr, ntohs(th->dest),
- tcp_v4_iif(skb));
+static inline int tcp_v4_rcv_finish(struct sock *sk, struct sk_buff *skb)
+{
+ struct tcphdr *th = skb->h.th;
+ int ret;
if (!sk)
goto no_tcp_socket;
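Review bot: Hooks reached from this path can be handed a TIME_WAIT bucket rather than a full socket: `tcp_sock_put` itself casts `sk` to `struct tcp_tw_bucket *` when `sk->sk_state == TCP_TIME_WAIT`, so a hook that dereferences socket fields beyond the part shared with the bucket (presumably `struct sock_common`) would read past the object. Neither the `nf_sk_hookfn` contract in patch 1/5 nor this file mentions it; a comment on tcp_sock_put such as `/* sk may be a struct tcp_tw_bucket cast to struct sock: hooks must check sk_state before touching anything beyond the common fields. */` would make the hazard visible. The header comment `/* Dummy outfn for netfilter - caller still owns the skb */` should say `okfn`, matching the macro parameter. tcp_v4_rcv_finish's body continues past the end of this hunk.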
@@ -1793,7 +1767,6 @@
goto discard_it;
if (skb->len < (th->doff << 2) || tcp_checksum_complete(skb)) {
-bad_packet:
TCP_INC_STATS_BH(TCP_MIB_INERRS);
} else {
tcp_v4_send_reset(skb);
@@ -1829,6 +1802,11 @@
tcp_tw_deschedule((struct tcp_tw_bucket *)sk);
tcp_tw_put((struct tcp_tw_bucket *)sk);
sk = sk2;
+ ret = NF_SK_HOOK(AF_INET, NF_IP_LOCAL_IN, sk, skb,
+ skb->dev, NULL, tcp_v4_rcv_finish2,
+ tcp_sock_put);
+ if (ret)
+ return ret;
goto process;
}
/* Fall through to ACK */
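Review bot: This is a second traversal of the LOCAL_IN socket hooks for the same skb: the first one in tcp_v4_rcv ran with the TIME_WAIT socket, and after `tcp_tw_put` the packet is re-presented with the listener `sk2`, so a hook that counts or logs per packet sees it twice and a hook that keyed state on the first `sk` now sees a different socket. That is probably intended, since the listener is the socket that will own the SYN, but it deserves a comment at the call: `/* Re-run the socket hooks: the packet is now attributed to the listener instead of the TIME_WAIT socket. */`. The `tcp_v4_rcv_finish2` okfn returning 0 without touching the skb is what makes `goto process` valid on accept, and on a drop the macro has already freed the skb and released sk2, so the early `return ret` is correct. The enclosing function begins and ends outside this hunk.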
@@ -1843,6 +1821,63 @@
goto discard_it;
}
+/*
+ * From tcp_input.c
+ */
+
+int tcp_v4_rcv(struct sk_buff *skb)
+{
+ struct tcphdr *th;
+ struct sock *sk;
+
+ if (skb->pkt_type != PACKET_HOST)
+ goto discard_it;
+
+ /* Count it even if it's bad */
+ TCP_INC_STATS_BH(TCP_MIB_INSEGS);
+
+ if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
+ goto discard_it;
+
+ th = skb->h.th;
+
+ if (th->doff < sizeof(struct tcphdr) / 4)
+ goto bad_packet;
+ if (!pskb_may_pull(skb, th->doff * 4))
+ goto discard_it;
+
+ /* An explanation is required here, I think.
+ * Packet length and doff are validated by header prediction,
+ * provided case of th->doff==0 is elimineted.
+ * So, we defer the checks. */
+ if ((skb->ip_summed != CHECKSUM_UNNECESSARY &&
+ tcp_v4_checksum_init(skb) < 0))
+ goto bad_packet;
+
+ th = skb->h.th;
+ TCP_SKB_CB(skb)->seq = ntohl(th->seq);
+ TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
+ skb->len - th->doff * 4);
+ TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
+ TCP_SKB_CB(skb)->when = 0;
+ TCP_SKB_CB(skb)->flags = skb->nh.iph->tos;
+ TCP_SKB_CB(skb)->sacked = 0;
+
+ sk = __tcp_v4_lookup(skb->nh.iph->saddr, th->source,
+ skb->nh.iph->daddr, ntohs(th->dest),
+ tcp_v4_iif(skb));
+
+ return NF_SK_HOOK(AF_INET, NF_IP_LOCAL_IN, sk, skb, skb->dev, NULL,
+ tcp_v4_rcv_finish, tcp_sock_put);
+
+bad_packet:
+ TCP_INC_STATS_BH(TCP_MIB_INERRS);
+discard_it:
+ /* Discard frame. */
+ kfree_skb(skb);
+ return 0;
+}
+
/* With per-bucket locks this operation is not-atomic, so that
* this version is not worse.
*/
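Review bot: The socket hooks now run before the TCP checksum is actually verified: the comment above explains that the checks are deferred ("we defer the checks"), and `tcp_checksum_complete(skb)` is only reached later in tcp_v4_rcv_finish (visible as context in the `-1793` hunk), so a hook may build state or make decisions on a segment that is subsequently discarded as corrupt. The hook also receives `sk` as returned by `__tcp_v4_lookup` — refcounted, possibly NULL, and presumably not yet locked (the `bh_lock_sock` happens in the finish function, outside this hunk) — so hooks must treat socket fields as racy reads. Both points belong in a comment at the NF_SK_HOOK call, e.g. `/* Hooks see the segment before checksum completion and before the socket is locked; sk may be NULL or a TIME_WAIT bucket. */`.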
Index: net/ipv4/udp.c
===================================================================
--- e97143c76936d02bb1817a1e109e36707202a6bb/net/ipv4/udp.c (mode:100644)
+++ b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/udp.c (mode:100644)
@@ -94,6 +94,8 @@
#include <linux/inet.h>
#include <linux/ipv6.h>
#include <linux/netdevice.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
#include <net/snmp.h>
#include <net/tcp.h>
#include <net/protocol.h>
@@ -1113,6 +1115,55 @@
return 0;
}
+static inline int udp_rcv_finish(struct sock *sk, struct sk_buff *skb)
+{
+ if (sk != NULL) {
+ int ret = udp_queue_rcv_skb(sk, skb);
+ sock_put(sk);
+
+ /* a return value > 0 means to resubmit the input, but
+ * it it wants the return to be -protocol, or 0
+ */
+ if (ret > 0)
+ return -ret;
+ return 0;
+ }
+
+ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+ goto drop;
+
+ /* No socket. Drop packet silently, if checksum is wrong */
+ if (udp_checksum_complete(skb))
+ goto csum_error;
+
+ UDP_INC_STATS_BH(UDP_MIB_NOPORTS);
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+
+ /*
+ * Hmm. We got an UDP packet to a port to which we
+ * don't wanna listen. Ignore it.
+ */
+ kfree_skb(skb);
+ return(0);
+
+csum_error:
+ /*
+ * RFC1122: OK. Discards the bad packet silently (as far as
+ * the network is concerned, anyway) as per 4.1.3.4 (MUST).
+ */
+ NETDEBUG(if (net_ratelimit())
+ printk(KERN_DEBUG "UDP: bad checksum. From %d.%d.%d.%d:%d to %d.%d.%d.%d:%d ulen %d\n",
+ NIPQUAD(skb->nh.iph->saddr),
+ ntohs(skb->h.uh->source),
+ NIPQUAD(skb->nh.iph->daddr),
+ ntohs(skb->h.uh->dest),
+ ntohs(skb->h.uh->len)));
+drop:
+ UDP_INC_STATS_BH(UDP_MIB_INERRORS);
+ kfree_skb(skb);
+ return(0);
+}
+
/*
* All we need to do is get the socket, and then do a checksum.
*/
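Review bot: The checksum-error debug block (the `NETDEBUG(if (net_ratelimit()) printk(KERN_DEBUG "UDP: bad checksum. ..."` statement with its five arguments) now exists twice in this file, once here in udp_rcv_finish and once at the `csum_error:` label that the following hunk rewrites in udp_rcv; only the argument sources differ (`skb->h.uh->len` here versus the local `ulen` before). A small `static void udp_csum_error_debug(const struct sk_buff *skb)` helper holding the NETDEBUG statement, called from both labels, would keep the two copies from drifting. The `return(0);` spelling is pre-existing style in this file, so no change there.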
@@ -1151,35 +1202,21 @@
sk = udp_v4_lookup(saddr, uh->source, daddr, uh->dest, skb->dev->ifindex);
- if (sk != NULL) {
- int ret = udp_queue_rcv_skb(sk, skb);
- sock_put(sk);
-
- /* a return value > 0 means to resubmit the input, but
- * it it wants the return to be -protocol, or 0
- */
- if (ret > 0)
- return -ret;
- return 0;
- }
-
- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
- goto drop;
-
- /* No socket. Drop packet silently, if checksum is wrong */
- if (udp_checksum_complete(skb))
- goto csum_error;
-
- UDP_INC_STATS_BH(UDP_MIB_NOPORTS);
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-
- /*
- * Hmm. We got an UDP packet to a port to which we
- * don't wanna listen. Ignore it.
+ return NF_SK_HOOK(AF_INET, NF_IP_LOCAL_IN, sk, skb, skb->dev, NULL,
+ udp_rcv_finish, sock_put);
+csum_error:
+ /*
+ * RFC1122: OK. Discards the bad packet silently (as far as
+ * the network is concerned, anyway) as per 4.1.3.4 (MUST).
*/
- kfree_skb(skb);
- return(0);
-
+ NETDEBUG(if (net_ratelimit())
+ printk(KERN_DEBUG "UDP: bad checksum. From %d.%d.%d.%d:%d to %d.%d.%d.%d:%d ulen %d\n",
+ NIPQUAD(skb->nh.iph->saddr),
+ ntohs(skb->h.uh->source),
+ NIPQUAD(skb->nh.iph->daddr),
+ ntohs(skb->h.uh->dest),
+ ntohs(skb->h.uh->len)));
+ goto drop;
short_packet:
NETDEBUG(if (net_ratelimit())
printk(KERN_DEBUG "UDP: short packet: From %u.%u.%u.%u:%u %d/%d to %u.%u.%u.%u:%u\n",
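Review bot: The rewritten `csum_error:` path in udp_rcv no longer counts the error: it now ends in `goto drop;`, and the following hunk removes `UDP_INC_STATS_BH(UDP_MIB_INERRORS);` from the `drop:` label, so a datagram rejected by the checksum checks in udp_rcv (before any socket is looked up) is freed without bumping UDP_MIB_INERRORS, whereas the old code reached the increment through `drop:`. The `no_header:` path keeps its own increment, so only the checksum case regresses; adding `UDP_INC_STATS_BH(UDP_MIB_INERRORS);` right before the `goto drop;` at the end of `csum_error:` restores the old counter behaviour. The moved copy in udp_rcv_finish still increments at its own `drop:` label, so the two functions would then agree.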
@@ -1191,23 +1228,7 @@
ntohs(uh->dest)));
no_header:
UDP_INC_STATS_BH(UDP_MIB_INERRORS);
- kfree_skb(skb);
- return(0);
-
-csum_error:
- /*
- * RFC1122: OK. Discards the bad packet silently (as far as
- * the network is concerned, anyway) as per 4.1.3.4 (MUST).
- */
- NETDEBUG(if (net_ratelimit())
- printk(KERN_DEBUG "UDP: bad checksum. From %d.%d.%d.%d:%d to %d.%d.%d.%d:%d ulen %d\n",
- NIPQUAD(saddr),
- ntohs(uh->source),
- NIPQUAD(daddr),
- ntohs(uh->dest),
- ulen));
drop:
- UDP_INC_STATS_BH(UDP_MIB_INERRORS);
kfree_skb(skb);
return(0);
}
* [netfilter socket hooks 3/5]: Add struct sock * argument to ipt_do_table()
From: Patrick McHardy @ 2005-05-10 16:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: juha.heljoranta, Rusty Russell
[NETFILTER]: Add struct sock * argument to ipt_do_table()
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 2816668ea745b16e1da608bf4d7b638a75389bd6
tree 8bd69ddefbecc96b2253453c6b4da15bbff92988
parent 03a2e97e71c3c9bfbfc3d357544348d393551658
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:36:10 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:36:10 +0200
include/linux/netfilter_ipv4/ip_tables.h | 3 ++-
net/ipv4/netfilter/ip_nat_rule.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 3 ++-
net/ipv4/netfilter/iptable_filter.c | 4 ++--
net/ipv4/netfilter/iptable_mangle.c | 4 ++--
net/ipv4/netfilter/iptable_raw.c | 2 +-
6 files changed, 10 insertions(+), 8 deletions(-)
Index: include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/include/linux/netfilter_ipv4/ip_tables.h (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/include/linux/netfilter_ipv4/ip_tables.h (mode:100644)
@@ -478,7 +478,8 @@
extern int ipt_register_table(struct ipt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct ipt_table *table);
-extern unsigned int ipt_do_table(struct sk_buff **pskb,
+extern unsigned int ipt_do_table(struct sock *sk,
+ struct sk_buff **pskb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
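Review bot: The new `struct sock *sk` parameter of `ipt_do_table` is undocumented, and every caller touched by this commit (ip_nat_rule.c, iptable_filter.c, iptable_mangle.c, iptable_raw.c) passes `NULL`, so for the existing packet-path tables the socket is always absent and table code must not assume otherwise. A comment on the declaration would fix the contract: `/* sk: the local socket the packet is being delivered to, or NULL on the classic packet hooks where no socket is known. */`. Whether a non-NULL value may be a TIME_WAIT bucket cast to `struct sock` (as patch 2/5's tcp_sock_put implies) should be stated in the same place once a caller passes one.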
Index: net/ipv4/netfilter/ip_nat_rule.c
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/netfilter/ip_nat_rule.c (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ip_nat_rule.c (mode:100644)
@@ -264,7 +264,7 @@
{
int ret;
- ret = ipt_do_table(pskb, hooknum, in, out, &nat_table, NULL);
+ ret = ipt_do_table(NULL, pskb, hooknum, in, out, &nat_table, NULL);
if (ret == NF_ACCEPT) {
if (!ip_nat_initialized(ct, HOOK2MANIP(hooknum)))
Index: net/ipv4/netfilter/ip_tables.c
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/netfilter/ip_tables.c (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ip_tables.c (mode:100644)
@@ -257,7 +257,8 @@
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
unsigned int
-ipt_do_table(struct sk_buff **pskb,
+ipt_do_table(struct sock *sk,
+ struct sk_buff **pskb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
Index: net/ipv4/netfilter/iptable_filter.c
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/netfilter/iptable_filter.c (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/iptable_filter.c (mode:100644)
@@ -89,7 +89,7 @@
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(pskb, hook, in, out, &packet_filter, NULL);
+ return ipt_do_table(NULL, pskb, hook, in, out, &packet_filter, NULL);
}
static unsigned int
@@ -107,7 +107,7 @@
return NF_ACCEPT;
}
- return ipt_do_table(pskb, hook, in, out, &packet_filter, NULL);
+ return ipt_do_table(NULL, pskb, hook, in, out, &packet_filter, NULL);
}
static struct nf_hook_ops ipt_ops[] = {
Index: net/ipv4/netfilter/iptable_mangle.c
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/netfilter/iptable_mangle.c (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/iptable_mangle.c (mode:100644)
@@ -119,7 +119,7 @@
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(pskb, hook, in, out, &packet_mangler, NULL);
+ return ipt_do_table(NULL, pskb, hook, in, out, &packet_mangler, NULL);
}
static unsigned int
@@ -148,7 +148,7 @@
daddr = (*pskb)->nh.iph->daddr;
tos = (*pskb)->nh.iph->tos;
- ret = ipt_do_table(pskb, hook, in, out, &packet_mangler, NULL);
+ ret = ipt_do_table(NULL, pskb, hook, in, out, &packet_mangler, NULL);
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE
&& ((*pskb)->nh.iph->saddr != saddr
Index: net/ipv4/netfilter/iptable_raw.c
===================================================================
--- b53df6f327c03ec282a1b75326db321dbd2f0bc0/net/ipv4/netfilter/iptable_raw.c (mode:100644)
+++ 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/iptable_raw.c (mode:100644)
@@ -94,7 +94,7 @@
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL);
+ return ipt_do_table(NULL, pskb, hook, in, out, &packet_raw, NULL);
}
/* 'raw' is the very first table. */
* [netfilter socket hooks 4/5]: Add struct sock * argument to match functions
From: Patrick McHardy @ 2005-05-10 16:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: juha.heljoranta, Rusty Russell
[NETFILTER]: Add struct sock * argument to match functions
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 3e78de8c1e4b12407299b48cf9f024786415639f
tree a24014694fc1a7ed32010fe4524b2601c6516eaf
parent 2816668ea745b16e1da608bf4d7b638a75389bd6
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:37:19 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:37:19 +0200
include/linux/netfilter_ipv4/ip_tables.h | 3 ++-
net/ipv4/netfilter/ip_tables.c | 14 +++++++++-----
net/ipv4/netfilter/ipt_addrtype.c | 6 +++---
net/ipv4/netfilter/ipt_ah.c | 3 ++-
net/ipv4/netfilter/ipt_comment.c | 3 ++-
net/ipv4/netfilter/ipt_connmark.c | 3 ++-
net/ipv4/netfilter/ipt_conntrack.c | 3 ++-
net/ipv4/netfilter/ipt_dscp.c | 6 +++---
net/ipv4/netfilter/ipt_ecn.c | 6 +++---
net/ipv4/netfilter/ipt_esp.c | 3 ++-
net/ipv4/netfilter/ipt_hashlimit.c | 3 ++-
net/ipv4/netfilter/ipt_helper.c | 3 ++-
net/ipv4/netfilter/ipt_iprange.c | 3 ++-
net/ipv4/netfilter/ipt_length.c | 3 ++-
net/ipv4/netfilter/ipt_limit.c | 3 ++-
net/ipv4/netfilter/ipt_mac.c | 3 ++-
net/ipv4/netfilter/ipt_mark.c | 3 ++-
net/ipv4/netfilter/ipt_multiport.c | 6 ++++--
net/ipv4/netfilter/ipt_owner.c | 3 ++-
net/ipv4/netfilter/ipt_physdev.c | 3 ++-
net/ipv4/netfilter/ipt_pkttype.c | 13 +++++++------
net/ipv4/netfilter/ipt_realm.c | 3 ++-
net/ipv4/netfilter/ipt_recent.c | 8 +++++---
net/ipv4/netfilter/ipt_sctp.c | 3 ++-
net/ipv4/netfilter/ipt_state.c | 3 ++-
net/ipv4/netfilter/ipt_tcpmss.c | 3 ++-
net/ipv4/netfilter/ipt_tos.c | 3 ++-
net/ipv4/netfilter/ipt_ttl.c | 6 +++---
28 files changed, 77 insertions(+), 48 deletions(-)
Index: include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/include/linux/netfilter_ipv4/ip_tables.h (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/include/linux/netfilter_ipv4/ip_tables.h (mode:100644)
@@ -368,7 +368,8 @@
/* Arguments changed since 2.4, as this must now handle
non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
- int (*match)(const struct sk_buff *skb,
+ int (*match)(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
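Review bot: The comment directly above the `match` callback ("Arguments changed since 2.4 ...") is the place match authors look, and it is not updated for the new `const struct sock *sk` argument, which every in-tree caller in patch 3/5 currently passes as `NULL`. Extending it keeps match modules from dereferencing the pointer unconditionally: `/* sk is the destination socket when the table is invoked from a socket hook, NULL from the packet hooks; matches must handle NULL. */`. The signature changes in the per-match files of this commit are mechanical and need no further comment.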
Index: net/ipv4/netfilter/ip_tables.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ip_tables.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ip_tables.c (mode:100644)
@@ -236,6 +236,7 @@
static inline
int do_match(struct ipt_entry_match *m,
+ const struct sock *sk,
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
@@ -243,7 +244,7 @@
int *hotdrop)
{
/* Stop iteration if it doesn't match */
- if (!m->u.kernel.match->match(skb, in, out, m->data, offset, hotdrop))
+ if (!m->u.kernel.match->match(sk, skb, in, out, m->data, offset, hotdrop))
return 1;
else
return 0;
@@ -319,7 +320,7 @@
struct ipt_entry_target *t;
if (IPT_MATCH_ITERATE(e, do_match,
- *pskb, in, out,
+ sk, *pskb, in, out,
offset, &hotdrop) != 0)
goto no_match;
@@ -1569,7 +1570,8 @@
}
static int
-tcp_match(const struct sk_buff *skb,
+tcp_match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
@@ -1650,7 +1652,8 @@
}
static int
-udp_match(const struct sk_buff *skb,
+udp_match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
@@ -1723,7 +1726,8 @@
}
static int
-icmp_match(const struct sk_buff *skb,
+icmp_match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_addrtype.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_addrtype.c (mode:100644)
@@ -27,9 +27,9 @@
return !!(mask & (1 << inet_addr_type(addr)));
}
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
- int offset, int *hotdrop)
+static int match(const struct sock *sk, const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const void *matchinfo, int offset, int *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph;
Index: net/ipv4/netfilter/ipt_ah.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_ah.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_ah.c (mode:100644)
@@ -36,7 +36,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_comment.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_comment.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_comment.c (mode:100644)
@@ -14,7 +14,8 @@
MODULE_LICENSE("GPL");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_connmark.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_connmark.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_connmark.c (mode:100644)
@@ -31,7 +31,8 @@
#include <linux/netfilter_ipv4/ip_conntrack.h>
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_conntrack.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_conntrack.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_conntrack.c (mode:100644)
@@ -19,7 +19,8 @@
MODULE_DESCRIPTION("iptables connection tracking match module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_dscp.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_dscp.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_dscp.c (mode:100644)
@@ -19,9 +19,9 @@
MODULE_DESCRIPTION("iptables DSCP matching module");
MODULE_LICENSE("GPL");
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
- int offset, int *hotdrop)
+static int match(const struct sock *sk, const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const void *matchinfo, int offset, int *hotdrop)
{
const struct ipt_dscp_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph;
Index: net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_ecn.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_ecn.c (mode:100644)
@@ -65,9 +65,9 @@
return 1;
}
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
- int offset, int *hotdrop)
+static int match(const struct sock *sk, const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const void *matchinfo, int offset, int *hotdrop)
{
const struct ipt_ecn_info *info = matchinfo;
Index: net/ipv4/netfilter/ipt_esp.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_esp.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_esp.c (mode:100644)
@@ -37,7 +37,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_hashlimit.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_hashlimit.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_hashlimit.c (mode:100644)
@@ -425,7 +425,8 @@
static int
-hashlimit_match(const struct sk_buff *skb,
+hashlimit_match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_helper.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_helper.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_helper.c (mode:100644)
@@ -30,7 +30,8 @@
#endif
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_iprange.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_iprange.c (mode:100644)
@@ -24,7 +24,8 @@
#endif
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_length.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_length.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_length.c (mode:100644)
@@ -17,7 +17,8 @@
MODULE_LICENSE("GPL");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_limit.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_limit.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_limit.c (mode:100644)
@@ -63,7 +63,8 @@
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
static int
-ipt_limit_match(const struct sk_buff *skb,
+ipt_limit_match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_mac.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_mac.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_mac.c (mode:100644)
@@ -20,7 +20,8 @@
MODULE_DESCRIPTION("iptables mac matching module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_mark.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_mark.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_mark.c (mode:100644)
@@ -18,7 +18,8 @@
MODULE_DESCRIPTION("iptables mark matching module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_multiport.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_multiport.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_multiport.c (mode:100644)
@@ -92,7 +92,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
@@ -123,7 +124,8 @@
}
static int
-match_v1(const struct sk_buff *skb,
+match_v1(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_owner.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_owner.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_owner.c (mode:100644)
@@ -121,7 +121,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_physdev.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_physdev.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_physdev.c (mode:100644)
@@ -21,7 +21,8 @@
MODULE_DESCRIPTION("iptables bridge physical device match module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_pkttype.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_pkttype.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_pkttype.c (mode:100644)
@@ -17,12 +17,13 @@
MODULE_AUTHOR("Michal Ludvig <michal@logix.cz>");
MODULE_DESCRIPTION("IP tables match to match on linklayer packet type");
-static int match(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const void *matchinfo,
- int offset,
- int *hotdrop)
+static int match(const struct sock *sk,
+ const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ int *hotdrop)
{
const struct ipt_pkttype_info *info = matchinfo;
Index: net/ipv4/netfilter/ipt_realm.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_realm.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_realm.c (mode:100644)
@@ -22,7 +22,8 @@
MODULE_DESCRIPTION("iptables realm match");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_recent.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_recent.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_recent.c (mode:100644)
@@ -99,7 +99,8 @@
/* Function declaration for later. */
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
@@ -317,7 +318,7 @@
skb->nh.iph->daddr = 0;
/* Clear ttl since we have no way of knowing it */
skb->nh.iph->ttl = 0;
- match(skb,NULL,NULL,info,0,NULL);
+ match(NULL,skb,NULL,NULL,info,0,NULL);
kfree(skb->nh.iph);
out_free_skb:
@@ -352,7 +353,8 @@
* --seconds and --hitcount can be combined
*/
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_sctp.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_sctp.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_sctp.c (mode:100644)
@@ -113,7 +113,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_state.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_state.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_state.c (mode:100644)
@@ -19,7 +19,8 @@
MODULE_DESCRIPTION("iptables connection tracking state match module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_tcpmss.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_tcpmss.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_tcpmss.c (mode:100644)
@@ -74,7 +74,8 @@
}
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_tos.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_tos.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_tos.c (mode:100644)
@@ -18,7 +18,8 @@
MODULE_DESCRIPTION("iptables TOS match module");
static int
-match(const struct sk_buff *skb,
+match(const struct sock *sk,
+ const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
Index: net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- 8bd69ddefbecc96b2253453c6b4da15bbff92988/net/ipv4/netfilter/ipt_ttl.c (mode:100644)
+++ a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/ipt_ttl.c (mode:100644)
@@ -19,9 +19,9 @@
MODULE_DESCRIPTION("IP tables TTL matching module");
MODULE_LICENSE("GPL");
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
- int offset, int *hotdrop)
+static int match(const struct sock *sk, const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const void *matchinfo, int offset, int *hotdrop)
{
const struct ipt_ttl_info *info = matchinfo;
* [netfilter socket hooks 5/5]: Add skfilter table
From: Patrick McHardy @ 2005-05-10 16:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: juha.heljoranta, Rusty Russell
[-- Attachment #1: 05.diff --]
[-- Type: text/x-patch, Size: 5009 bytes --]
[NETFILTER]: Add skfilter table
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 52c8e9e72ec788e5829c6e3d412ab9d1816d79a0
tree 4919a5761d3ba1c668a54d32a8f028f002c8ff24
parent 3e78de8c1e4b12407299b48cf9f024786415639f
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:41:31 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:41:31 +0200
net/ipv4/netfilter/Kconfig | 4
net/ipv4/netfilter/Makefile | 2
net/ipv4/netfilter/iptable_skfilter.c | 140 ++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
Index: net/ipv4/netfilter/Kconfig
===================================================================
--- a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/Kconfig (mode:100644)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/Kconfig (mode:100644)
@@ -386,6 +386,10 @@
To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_SK_FILTER
+ tristate "Socket packet filtering"
+ depends on IP_NF_IPTABLES
+
config IP_NF_TARGET_REJECT
tristate "REJECT target support"
depends on IP_NF_FILTER
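Review bot: `config IP_NF_SK_FILTER` is added with only `tristate` and `depends on`, while the surrounding entries carry a `help` block (the context line `To compile it as a module, choose M here. If unsure, say N.` is the tail of the previous one). A user toggling the option gets no explanation of what the 'skfilter' table is or when it runs. Suggest adding after `depends on IP_NF_IPTABLES` a help text such as `Socket packet filtering adds an iptables 'skfilter' table that is run from the netfilter socket hooks at LOCAL_IN, so rules can be evaluated against the receiving socket.` followed by the usual `To compile it as a module, choose M here. If unsure, say N.` sentence.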
Index: net/ipv4/netfilter/Makefile
===================================================================
--- a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/Makefile (mode:100644)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/Makefile (mode:100644)
@@ -33,6 +33,8 @@
obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+obj-$(CONFIG_IP_NF_SK_FILTER) += iptable_skfilter.o
+
# matches
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
Index: net/ipv4/netfilter/iptable_skfilter.c
===================================================================
--- /dev/null (tree:a24014694fc1a7ed32010fe4524b2601c6516eaf)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/iptable_skfilter.c (mode:100644)
@@ -0,0 +1,140 @@
+/*
+ * iptables 'skfilter' table
+ *
+ * Copyright (C) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define SKFILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN))
+
+static struct
+{
+ struct ipt_replace repl;
+ struct ipt_standard entries[1];
+ struct ipt_error term;
+} initial_table __initdata = {
+ .repl = {
+ .name = "skfilter",
+ .valid_hooks = SKFILTER_VALID_HOOKS,
+ .num_entries = 2,
+ .size = sizeof(struct ipt_standard) * 1 + sizeof(struct ipt_error),
+ .hook_entry = {
+ [NF_IP_LOCAL_IN] = 0,
+ },
+ .underflow = {
+ [NF_IP_LOCAL_IN] = 0,
+ },
+ },
+ .entries = {
+ /* LOCAL_IN */
+ {
+ .entry = {
+ .target_offset = sizeof(struct ipt_entry),
+ .next_offset = sizeof(struct ipt_standard),
+ },
+ .target = {
+ .target = {
+ .u = {
+ .target_size = IPT_ALIGN(sizeof(struct ipt_standard_target)),
+ },
+ },
+ .verdict = -NF_ACCEPT - 1,
+ },
+ },
+ },
+ /* ERROR */
+ .term = {
+ .entry = {
+ .target_offset = sizeof(struct ipt_entry),
+ .next_offset = sizeof(struct ipt_error),
+ },
+ .target = {
+ .target = {
+ .u = {
+ .user = {
+ .target_size = IPT_ALIGN(sizeof(struct ipt_error_target)),
+ .name = IPT_ERROR_TARGET,
+ },
+ },
+ },
+ .errorname = "ERROR",
+ },
+ }
+};
+
+static struct ipt_table skfilter = {
+ .name = "skfilter",
+ .valid_hooks = SKFILTER_VALID_HOOKS,
+ .lock = RW_LOCK_UNLOCKED,
+ .me = THIS_MODULE
+};
+
+/* The work comes in here from netfilter.c. */
+static unsigned int
+ipt_hook(unsigned int hook,
+ struct sock *sk,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sock *, struct sk_buff *))
+{
+ unsigned int ret;
+ int pull = 0;
+
+ if ((*pskb)->data != (*pskb)->nh.raw) {
+ __skb_push(*pskb, (*pskb)->data - (*pskb)->nh.raw);
+ pull = 1;
+ }
+ ret = ipt_do_table(NULL, pskb, hook, in, out, &skfilter, NULL);
+ if (pull)
+ __skb_pull(*pskb, (*pskb)->nh.iph->ihl * 4);
+ return ret;
+}
+
+static struct nf_sk_hook_ops ipt_ops[] = {
+ {
+ .hook = ipt_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_IP_LOCAL_IN,
+ .priority = NF_IP_PRI_FILTER,
+ },
+};
+
+static int __init init(void)
+{
+ int ret;
+
+ /* Register table */
+ ret = ipt_register_table(&skfilter, &initial_table.repl);
+ if (ret < 0)
+ return ret;
+
+ /* Register hooks */
+ ret = nf_register_sk_hook(&ipt_ops[0]);
+ if (ret < 0)
+ goto cleanup_table;
+
+ return ret;
+
+ cleanup_table:
+ ipt_unregister_table(&skfilter);
+
+ return ret;
+}
+
+static void __exit fini(void)
+{
+ nf_unregister_sk_hook(&ipt_ops[0]);
+ ipt_unregister_table(&skfilter);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
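Review bot: `ipt_hook` receives the `sk` that the socket-hook infrastructure exists to deliver, but hands `NULL` to the table in `ret = ipt_do_table(NULL, pskb, hook, in, out, &skfilter, NULL);`, so if that first argument is the `struct sock *` which patch 4/5 threads down to the match functions, no rule in the skfilter table can ever match on the socket; it should read `ret = ipt_do_table(sk, pskb, hook, in, out, &skfilter, NULL);`. The restoring `__skb_pull` also runs for every verdict; if a target returned NF_STOLEN the skb may no longer be this hook's to touch, so guarding it with `if (pull && ret != NF_STOLEN)` seems safer. Finally, the pull length is recomputed from `nh.iph->ihl * 4` instead of the amount pushed a few lines earlier; saving that offset (`unsigned int pushed = (*pskb)->data - (*pskb)->nh.raw;`) and pulling exactly `pushed` keeps the two operations symmetric even if a target rewrote the header. A short comment explaining why `data` is moved back to `nh.raw` before the table runs (presumably because `ipt_do_table` expects to see the IP header there) would help readers as well.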
* Re: Netfilter socket hooks (was: Re: Status of owner-socketlookup)
From: James Morris @ 2005-05-10 18:26 UTC (permalink / raw)
To: Patrick McHardy; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
On Tue, 10 May 2005, Patrick McHardy wrote:
> Here is a first shot at socket hooks.
Cool, I'll try and get them working with the SELinux/iptables code I've
been working on:
http://people.redhat.com/jmorris/selinux/selipt/
- James
--
James Morris
<jmorris@redhat.com>
* Re: Netfilter socket hooks
From: Jonas Berlin @ 2005-05-10 20:37 UTC (permalink / raw)
To: Patrick McHardy; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Quoting Patrick McHardy on 2005-05-10 15:59 UTC:
> Here is a first shot at socket hooks.
Great :)
> Comments?
On what level will this be.. would one be able to filter what userspace
programs do in addition to filtering what internet clients are allowed
to do?
I.e. would one be able to filter userspace socket calls like accept(),
connect(), bind(), recv(), send(), and maybe even setsockopt() etc?
Isn't it almost as important to protect the internet from malicious
users as to protect users from the internet ?-) SELinux could maybe add
features to base web access policies on SELinux's normal mechanism that
currently grants/restricts access.
Example: If wget tries to access the internet as a child of process A
(which has been granted all web access), then wget would be allowed to
do whatever it wants. Otherwise, wget's connect() call (when connecting
to a http server) would fail with some Exxxx errno code..
It would also be nice if this skfilter provided something similar to the
QUEUE target to allow users yet another level to hook in.. This could
possibly allow quite clean implementations of interactive firewall clients..
//
I would also be interested if you could give some idea of what kind of
commands you were thinking of that would be used to control skfilter..
- --
- - xkr47
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCgRt0xyF48ZTvn+4RAr3iAJ9Hl3TNHKn6wlBQNXUCgBtK7LY3tQCfWsM3
6TfPFQaGf02SD9XZVHOmmd0=
=n1tg
-----END PGP SIGNATURE-----
* Re: Netfilter socket hooks
From: David S. Miller @ 2005-05-11 0:04 UTC (permalink / raw)
To: kaber; +Cc: juha.heljoranta, rusty, netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Subject: Netfilter socket hooks (was: Re: Status of owner-socketlookup)
Date: Tue, 10 May 2005 17:59:13 +0200
> Here is a first shot at socket hooks. Nothing uses them yet,
> and at least two things are still missing:
>
> - conntrack reference should not be dropped before socket hooks
> - conntrack should be confirmed in socket hooks
>
> Comments?
No major objections here, in fact it's actually kind of nice. :-)
I'd like to go over the TCP input changes with a very fine toothed
comb before integration, but that's it.
* Re: Netfilter socket hooks (was: Re: Status of owner-socketlookup)
From: James Morris @ 2005-05-11 23:57 UTC (permalink / raw)
To: Patrick McHardy; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
What about adding an output hook to the table? This would make it much
easier to manage rules.
Something like:
diff -purN -X dontdiff linux-2.6.12-rc4-sk.o/net/ipv4/netfilter/iptable_skfilter.c linux-2.6.12-rc4-sk.w/net/ipv4/netfilter/iptable_skfilter.c
--- linux-2.6.12-rc4-sk.o/net/ipv4/netfilter/iptable_skfilter.c 2005-05-11 18:57:17.000000000 -0400
+++ linux-2.6.12-rc4-sk.w/net/ipv4/netfilter/iptable_skfilter.c 2005-05-11 19:30:44.000000000 -0400
@@ -11,24 +11,26 @@
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#define SKFILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN))
+#define SKFILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_LOCAL_OUT))
static struct
{
struct ipt_replace repl;
- struct ipt_standard entries[1];
+ struct ipt_standard entries[2];
struct ipt_error term;
} initial_table __initdata = {
.repl = {
.name = "skfilter",
.valid_hooks = SKFILTER_VALID_HOOKS,
- .num_entries = 2,
- .size = sizeof(struct ipt_standard) * 1 + sizeof(struct ipt_error),
+ .num_entries = 3,
+ .size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
.hook_entry = {
- [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard),
},
.underflow = {
- [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard),
},
},
.entries = {
@@ -47,6 +49,21 @@ static struct
.verdict = -NF_ACCEPT - 1,
},
},
+ /* LOCAL_OUT */
+ {
+ .entry = {
+ .target_offset = sizeof(struct ipt_entry),
+ .next_offset = sizeof(struct ipt_standard),
+ },
+ .target = {
+ .target = {
+ .u = {
+ .target_size = IPT_ALIGN(sizeof(struct ipt_standard_target)),
+ },
+ },
+ .verdict = -NF_ACCEPT - 1,
+ },
+ },
},
/* ERROR */
.term = {
@@ -77,12 +94,12 @@ static struct ipt_table skfilter = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_hook(unsigned int hook,
- struct sock *sk,
- struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sock *, struct sk_buff *))
+ipt_sk_hook(unsigned int hook,
+ struct sock *sk,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sock *, struct sk_buff *))
{
unsigned int ret;
int pull = 0;
@@ -97,9 +114,19 @@ ipt_hook(unsigned int hook,
return ret;
}
-static struct nf_sk_hook_ops ipt_ops[] = {
+static unsigned int
+ipt_hook(unsigned int hook,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ipt_do_table(NULL, pskb, hook, in, out, &skfilter, NULL);
+}
+
+static struct nf_sk_hook_ops ipt_sk_ops[] = {
{
- .hook = ipt_hook,
+ .hook = ipt_sk_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
@@ -107,6 +134,16 @@ static struct nf_sk_hook_ops ipt_ops[] =
},
};
+static struct nf_hook_ops ipt_ops[] = {
+ {
+ .hook = ipt_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_IP_LOCAL_OUT,
+ .priority = NF_IP_PRI_FILTER,
+ },
+};
+
static int __init init(void)
{
int ret;
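Review bot: The new `ipt_ops` entry registers the LOCAL_OUT hook at `NF_IP_PRI_FILTER`, which, as far as I recall, is the priority iptable_filter uses for its own OUTPUT hook, so whether skfilter or filter sees an outbound packet first would depend on module registration order rather than on a deliberate choice. Consider a distinct priority together with a comment stating the intended ordering, e.g. `.priority = NF_IP_PRI_FILTER + 1, /* run after the filter table's OUTPUT hook */` if the socket-based rules are meant to run after the generic ones. The LOCAL_IN entry in `ipt_sk_ops` goes through `nf_register_sk_hook` onto a separate list, so the question does not arise there.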
@@ -117,12 +154,18 @@ static int __init init(void)
return ret;
/* Register hooks */
- ret = nf_register_sk_hook(&ipt_ops[0]);
+ ret = nf_register_sk_hook(&ipt_sk_ops[0]);
if (ret < 0)
goto cleanup_table;
+ ret = nf_register_hook(&ipt_ops[0]);
+ if (ret < 0)
+ goto cleanup_hook0;
+
return ret;
+ cleanup_hook0:
+ nf_unregister_sk_hook(&ipt_sk_ops[0]);
cleanup_table:
ipt_unregister_table(&skfilter);
@@ -131,7 +174,8 @@ static int __init init(void)
static void __exit fini(void)
{
- nf_unregister_sk_hook(&ipt_ops[0]);
+ nf_unregister_hook(&ipt_ops[0]);
+ nf_unregister_sk_hook(&ipt_sk_ops[0]);
ipt_unregister_table(&skfilter);
}
* Re: Netfilter socket hooks
From: Patrick McHardy @ 2005-05-12 0:12 UTC (permalink / raw)
To: James Morris; +Cc: juha.heljoranta, Rusty Russell, netfilter-devel
James Morris wrote:
> What about adding an output hook to the table? This would make it much
> easier to manage rules.
Sure. For symmetry, I would prefer only to pass packets with
skb->sk != NULL through OUTPUT and use skb->sk as socket argument
to ipt_do_table(). But rule management is still tricky since
only protocols which use sockets can be handled in the skfilter
table. A more radical approach would be to use the socket hooks
for filter/INPUT for all protocols with hooks - but I haven't
thought much about this yet.
Regards
Patrick