From: Patrick McHardy <kaber@trash.net>
To: netfilter-devel@lists.netfilter.org
Cc: juha.heljoranta@evtek.fi, Rusty Russell <rusty@rustcorp.com.au>
Subject: [netfilter socket hooks 5/5]: Add skfilter table
Date: Tue, 10 May 2005 18:01:58 +0200	[thread overview]
Message-ID: <4280DAF6.4050302@trash.net> (raw)
In-Reply-To: <4280DA51.8090201@trash.net>

[-- Attachment #1: 05.diff --]
[-- Type: text/x-patch, Size: 5009 bytes --]

[NETFILTER]: Add skfilter table

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 52c8e9e72ec788e5829c6e3d412ab9d1816d79a0
tree 4919a5761d3ba1c668a54d32a8f028f002c8ff24
parent 3e78de8c1e4b12407299b48cf9f024786415639f
author Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:41:31 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 09 May 2005 18:41:31 +0200

 net/ipv4/netfilter/Kconfig            |    4 
 net/ipv4/netfilter/Makefile           |    2 
 net/ipv4/netfilter/iptable_skfilter.c |  140 ++++++++++++++++++++++++++++++++++
 3 files changed, 146 insertions(+)

Index: net/ipv4/netfilter/Kconfig
===================================================================
--- a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/Kconfig  (mode:100644)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/Kconfig  (mode:100644)
@@ -386,6 +386,10 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_SK_FILTER
+	tristate "Socket packet filtering"
+	depends on IP_NF_IPTABLES
+
 config IP_NF_TARGET_REJECT
 	tristate "REJECT target support"
 	depends on IP_NF_FILTER
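Review bot: The new IP_NF_SK_FILTER entry carries no help text, unlike the neighbouring options in this file (the hunk's context line above ends another option's "To compile it as a module" paragraph), so a configurator has nothing to say what the table is or which hook it attaches to. From the iptable_skfilter.c file in this series the table is registered on the NF_IP_LOCAL_IN socket hook only, so a short help block along the lines of `help` / `This adds the 'skfilter' table, a filter table evaluated on the netfilter socket hook for locally delivered packets.` / `To compile it as a module, choose M here.  If unsure, say N.` would match the surrounding entries.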
Index: net/ipv4/netfilter/Makefile
===================================================================
--- a24014694fc1a7ed32010fe4524b2601c6516eaf/net/ipv4/netfilter/Makefile  (mode:100644)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/Makefile  (mode:100644)
@@ -33,6 +33,8 @@
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 
+obj-$(CONFIG_IP_NF_SK_FILTER)	+= iptable_skfilter.o
+
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
Index: net/ipv4/netfilter/iptable_skfilter.c
===================================================================
--- /dev/null  (tree:a24014694fc1a7ed32010fe4524b2601c6516eaf)
+++ 4919a5761d3ba1c668a54d32a8f028f002c8ff24/net/ipv4/netfilter/iptable_skfilter.c  (mode:100644)
@@ -0,0 +1,140 @@
+/* 
+ * iptables 'skfilter' table
+ *
+ * Copyright (C) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define SKFILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN))
+
+static struct
+{
+	struct ipt_replace repl;
+	struct ipt_standard entries[1];
+	struct ipt_error term;
+} initial_table __initdata = {
+	.repl = {
+		.name = "skfilter", 
+		.valid_hooks = SKFILTER_VALID_HOOKS, 
+		.num_entries = 2,
+		.size = sizeof(struct ipt_standard) * 1 + sizeof(struct ipt_error),
+		.hook_entry = { 
+			[NF_IP_LOCAL_IN] = 0,
+		},
+		.underflow = { 
+			[NF_IP_LOCAL_IN] = 0,
+		},
+	},
+	.entries = {
+	     /* LOCAL_IN */
+	     { 
+		     .entry = { 
+			     .target_offset = sizeof(struct ipt_entry),
+			     .next_offset = sizeof(struct ipt_standard),
+		     },
+		     .target = { 
+			  .target = { 
+				  .u = {
+					  .target_size = IPT_ALIGN(sizeof(struct ipt_standard_target)),
+				  },
+			  },
+			  .verdict = -NF_ACCEPT - 1,
+		     },
+	     },
+	},
+	/* ERROR */
+	.term = {
+		.entry = {
+			.target_offset = sizeof(struct ipt_entry),
+			.next_offset = sizeof(struct ipt_error),
+		},
+		.target = {
+			.target = {
+				.u = {
+					.user = {
+						.target_size = IPT_ALIGN(sizeof(struct ipt_error_target)), 
+						.name = IPT_ERROR_TARGET,
+					},
+				},
+			},
+			.errorname = "ERROR",
+		},
+	}
+};
+
+static struct ipt_table skfilter = { 
+	.name		= "skfilter",
+	.valid_hooks	= SKFILTER_VALID_HOOKS, 
+	.lock		= RW_LOCK_UNLOCKED, 
+	.me		= THIS_MODULE
+};
+
+/* The work comes in here from netfilter.c. */
+static unsigned int
+ipt_hook(unsigned int hook,
+         struct sock *sk,
+	 struct sk_buff **pskb,
+	 const struct net_device *in,
+	 const struct net_device *out,
+	 int (*okfn)(struct sock *, struct sk_buff *))
+{
+	unsigned int ret;
+	int pull = 0;
+
+	if ((*pskb)->data != (*pskb)->nh.raw) {
+		__skb_push(*pskb, (*pskb)->data - (*pskb)->nh.raw);
+		pull = 1;
+	}
+	ret = ipt_do_table(NULL, pskb, hook, in, out, &skfilter, NULL);
+	if (pull)
+		__skb_pull(*pskb, (*pskb)->nh.iph->ihl * 4);
+	return ret;
+}
+
+static struct nf_sk_hook_ops ipt_ops[] = {
+	{
+		.hook		= ipt_hook,
+		.owner		= THIS_MODULE,
+		.pf		= PF_INET, 
+		.hooknum	= NF_IP_LOCAL_IN,
+		.priority	= NF_IP_PRI_FILTER,
+	},
+};
+
+static int __init init(void)
+{
+	int ret;
+
+	/* Register table */
+	ret = ipt_register_table(&skfilter, &initial_table.repl);
+	if (ret < 0)
+		return ret;
+
+	/* Register hooks */
+	ret = nf_register_sk_hook(&ipt_ops[0]);
+	if (ret < 0)
+		goto cleanup_table;
+
+	return ret;
+
+ cleanup_table:
+	ipt_unregister_table(&skfilter);
+
+	return ret;
+}
+
+static void __exit fini(void)
+{
+	nf_unregister_sk_hook(&ipt_ops[0]);
+	ipt_unregister_table(&skfilter);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
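Review bot: In ipt_hook() the amount pushed before ipt_do_table() and the amount pulled afterwards are computed differently: the push uses `data - nh.raw`, the pull uses `nh.iph->ihl * 4`, so the skb is only restored correctly when data sat exactly at the transport header; any other offset, or a replaced skb whose header pointers moved during the table walk, leaves data shifted for whatever okfn runs next. Remembering the pushed offset in `pull` and reversing exactly that amount is simpler and symmetric. Separately, the hook's `sk` parameter is never used — the first argument to ipt_do_table() is NULL — and if that is the struct sock * added in 3/5, matches from 4/5 will never see the socket from this table, which looks like the purpose of the series; please confirm the argument position. In init(), `return ret;` after a successful nf_register_sk_hook() would read more clearly as `return 0;`.
```c
	unsigned int ret;
	/* Distance data was pulled past the network header; ipt_do_table()
	 * expects data at the IP header, so push it back and restore the
	 * same offset afterwards rather than assuming ihl * 4. */
	int pull = (*pskb)->data - (*pskb)->nh.raw;

	if (pull)
		__skb_push(*pskb, pull);
	/* sk is assumed to be the struct sock * argument added to
	 * ipt_do_table() in 3/5 — confirm against that patch. */
	ret = ipt_do_table(sk, pskb, hook, in, out, &skfilter, NULL);
	if (pull)
		__skb_pull(*pskb, pull);
	return ret;
```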
