From: Laszlo Attila Toth <panther@balabit.hu>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, Laszlo Attila Toth <panther@balabit.hu>
Subject: [resend2 net-next] socket: added mtinfo with 'transparent' flag
Date: Mon, 8 Jun 2009 14:30:23 +0200 [thread overview]
Message-ID: <1244464224-30692-2-git-send-email-panther@balabit.hu> (raw)
In-Reply-To: <1244464224-30692-1-git-send-email-panther@balabit.hu>
Added new revision of the 'socket' match supporting flags.
If the XT_SOCKET_TRANSPARENT flag is set, enabled 'transparent'
socket option is required for the socket to be matched.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
net/netfilter/xt_socket.c | 63 +++++++++++++++++++++++++++++++++++++--------
1 files changed, 52 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..f97270c 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
#include <net/netfilter/nf_tproxy_core.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <linux/netfilter/xt_socket.h>
+
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#define XT_SOCKET_HAVE_CONNTRACK 1
#include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+ const struct xt_socket_mtinfo1 *info)
{
const struct iphdr *iph = ip_hdr(skb);
struct udphdr _hdr, *hp = NULL;
@@ -141,10 +144,24 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
saddr, daddr, sport, dport, par->in, false);
if (sk != NULL) {
- bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+ bool wildcard;
+ bool transparent = true;
+
+ /* Ignore sockets listening on INADDR_ANY */
+ wildcard = (sk->sk_state != TCP_TIME_WAIT &&
+ inet_sk(sk)->rcv_saddr == 0);
+
+ /* Ignore non-transparent sockets,
+ if XT_SOCKET_TRANSPARENT is used */
+ if (info && info->flags & XT_SOCKET_TRANSPARENT)
+ transparent = ((sk->sk_state != TCP_TIME_WAIT &&
+ inet_sk(sk)->transparent) ||
+ (sk->sk_state == TCP_TIME_WAIT &&
+ inet_twsk(sk)->tw_transparent));
nf_tproxy_put_sock(sk);
- if (wildcard)
+
+ if (wildcard || !transparent)
sk = NULL;
}
@@ -157,23 +174,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (sk != NULL);
}
-static struct xt_match socket_mt_reg __read_mostly = {
- .name = "socket",
- .family = AF_INET,
- .match = socket_mt,
- .hooks = 1 << NF_INET_PRE_ROUTING,
- .me = THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+ return socket_match(skb, par, NULL);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+ return socket_match(skb, par, par->matchinfo);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+ {
+ .name = "socket",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .match = socket_mt_v0,
+ .hooks = 1 << NF_INET_PRE_ROUTING,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "socket",
+ .revision = 1,
+ .family = AF_INET,
+ .match = socket_mt_v1,
+ .matchsize = sizeof(struct xt_socket_mtinfo1),
+ .hooks = 1 << NF_INET_PRE_ROUTING,
+ .me = THIS_MODULE,
+ },
};
static int __init socket_mt_init(void)
{
nf_defrag_ipv4_enable();
- return xt_register_match(&socket_mt_reg);
+ return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
static void __exit socket_mt_exit(void)
{
- xt_unregister_match(&socket_mt_reg);
+ xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
module_init(socket_mt_init);
--
1.6.2.2.404.ge96f3
next prev parent reply other threads:[~2009-06-08 12:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-04 13:26 [resend net-next] socket: Added 'transparent' option Laszlo Attila Toth
2009-06-04 13:26 ` [resend iptables] " Laszlo Attila Toth
2009-06-04 13:34 ` [resend net-next] " Patrick McHardy
2009-06-04 14:55 ` Jan Engelhardt
2009-06-04 15:27 ` Laszlo Attila Toth
2009-06-04 16:03 ` Jan Engelhardt
2009-06-04 16:08 ` Patrick McHardy
2009-06-05 13:06 ` Laszlo Attila Toth
2009-06-08 12:30 ` [resend2] Socket match with transparent option, take 2 Laszlo Attila Toth
2009-06-08 12:30 ` Laszlo Attila Toth [this message]
2009-06-08 12:30 ` [resend2 iptables] socket match: new revision, match transparent sockets Laszlo Attila Toth
2009-06-09 12:50 ` [resend2 net-next] socket: added mtinfo with 'transparent' flag Patrick McHardy
2009-06-09 13:11 ` [net-next] " Laszlo Attila Toth
2009-06-09 13:18 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1244464224-30692-2-git-send-email-panther@balabit.hu \
--to=panther@balabit.hu \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).