* [PATCH 1/2] socket: Added 'transparent' option
@ 2009-04-24 13:30 Laszlo Attila Toth
2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
2009-04-24 14:54 ` [PATCH 1/2] socket: Added 'transparent' option Patrick McHardy
0 siblings, 2 replies; 4+ messages in thread
From: Laszlo Attila Toth @ 2009-04-24 13:30 UTC (permalink / raw)
To: Patrick McHardy, netfilter-devel; +Cc: Laszlo Attila Toth
The socket match has an own matchinfo structure, with one boolean field,
transparent, which is true when only transparent sockets can be matched.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/netfilter/xt_socket.h | 8 ++++++++
net/netfilter/xt_socket.c | 8 ++++++++
2 files changed, 16 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_socket.h
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..2222d63
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info {
+ __u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..b894a10 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
#include <net/netfilter/nf_tproxy_core.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <linux/netfilter/xt_socket.h>
+
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#define XT_SOCKET_HAVE_CONNTRACK 1
#include <net/netfilter/nf_conntrack.h>
@@ -94,6 +96,7 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
__be32 daddr, saddr;
__be16 dport, sport;
u8 protocol;
+ const struct xt_socket_match_info *info = par->matchinfo;
#ifdef XT_SOCKET_HAVE_CONNTRACK
struct nf_conn const *ct;
enum ip_conntrack_info ctinfo;
@@ -142,10 +145,14 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
saddr, daddr, sport, dport, par->in, false);
if (sk != NULL) {
bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+ bool transparent = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->transparent) ||
+ (sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent);
nf_tproxy_put_sock(sk);
if (wildcard)
sk = NULL;
+ else if (info->transparent && !transparent)
+ sk = NULL;
}
pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
@@ -161,6 +168,7 @@ static struct xt_match socket_mt_reg __read_mostly = {
.name = "socket",
.family = AF_INET,
.match = socket_mt,
+ .matchsize = sizeof(struct xt_socket_match_info),
.hooks = 1 << NF_INET_PRE_ROUTING,
.me = THIS_MODULE,
};
--
1.6.2.2.404.ge96f3
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK
2009-04-24 13:30 [PATCH 1/2] socket: Added 'transparent' option Laszlo Attila Toth
@ 2009-04-24 13:30 ` Laszlo Attila Toth
2009-04-24 14:55 ` Patrick McHardy
2009-04-24 14:54 ` [PATCH 1/2] socket: Added 'transparent' option Patrick McHardy
1 sibling, 1 reply; 4+ messages in thread
From: Laszlo Attila Toth @ 2009-04-24 13:30 UTC (permalink / raw)
To: Patrick McHardy, netfilter-devel; +Cc: Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
net/netfilter/Kconfig | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 2329c5f..881203c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -275,6 +275,8 @@ config NF_CT_NETLINK
help
This option enables support for a netlink-based userspace interface
+endif # NF_CONNTRACK
+
# transparent proxy support
config NETFILTER_TPROXY
tristate "Transparent proxying support (EXPERIMENTAL)"
@@ -290,8 +292,6 @@ config NETFILTER_TPROXY
To compile it as a module, choose M here. If unsure, say N.
-endif # NF_CONNTRACK
-
config NETFILTER_XTABLES
tristate "Netfilter Xtables support (required for ip_tables)"
default m if NETFILTER_ADVANCED=n
--
1.6.2.2.404.ge96f3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] socket: Added 'transparent' option
2009-04-24 13:30 [PATCH 1/2] socket: Added 'transparent' option Laszlo Attila Toth
2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
@ 2009-04-24 14:54 ` Patrick McHardy
1 sibling, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2009-04-24 14:54 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netfilter-devel
Laszlo Attila Toth wrote:
> The socket match has an own matchinfo structure, with one boolean field,
> transparent, which is true when only transparent sockets can be matched.
>
> @@ -161,6 +168,7 @@ static struct xt_match socket_mt_reg __read_mostly = {
> .name = "socket",
> .family = AF_INET,
> .match = socket_mt,
> + .matchsize = sizeof(struct xt_socket_match_info),
This will break compatibility with old iptables binaries. You need
to add a new revision for this.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-04-24 14:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-04-24 13:30 [PATCH 1/2] socket: Added 'transparent' option Laszlo Attila Toth
2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
2009-04-24 14:55 ` Patrick McHardy
2009-04-24 14:54 ` [PATCH 1/2] socket: Added 'transparent' option Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.