[PATCH] xt_owner

[PATCH] xt_owner

[Jan Engelhardt]

Convert ipt_owner to xt_owner, adding support for IPv6.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_owner.h |   15 ++++++
 net/netfilter/Kconfig              |    7 +++
 net/netfilter/Makefile             |    1 
 net/netfilter/xt_owner.c           |   82 +++++++++++++++++++++++++++++++++++++
 4 files changed, 105 insertions(+)

Index: gitone/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ gitone/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,15 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+	XT_OWNER_UID = 1 << 0,
+	XT_OWNER_GID = 1 << 1,
+};
+
+struct xt_owner_info {
+	u_int32_t uid;
+	u_int32_t gid;
+	u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
Index: gitone/net/netfilter/Kconfig
===================================================================
--- gitone.orig/net/netfilter/Kconfig
+++ gitone/net/netfilter/Kconfig
@@ -554,6 +554,13 @@ config NETFILTER_XT_MATCH_MARK
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_OWNER
+	tristate '"owner" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	Socket owner matching allows you to match locally-generated packets
+	based on who created the socket: the user, group, process or session.
+
 config NETFILTER_XT_MATCH_POLICY
 	tristate 'IPsec "policy" match support'
 	depends on NETFILTER_XTABLES && XFRM
Index: gitone/net/netfilter/Makefile
===================================================================
--- gitone.orig/net/netfilter/Makefile
+++ gitone/net/netfilter/Makefile
@@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) +
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
Index: gitone/net/netfilter/xt_owner.c
===================================================================
--- /dev/null
+++ gitone/net/netfilter/xt_owner.c
@@ -0,0 +1,82 @@
+/* Kernel module to match various things tied to sockets associated with
+   locally generated outgoing packets. */
+
+/*
+ * (C) 2000 Marc Boucher <marc@mbsi.ca>
+ * © 2007 CC Computer Consultants GmbH <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_owner.h>
+
+static bool
+xt_owner_match(const struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, const struct xt_match *match,
+               const void *matchinfo, int offset, unsigned int protoff,
+               bool *hotdrop)
+{
+	const struct xt_owner_info *info = matchinfo;
+
+	if (skb->sk == NULL || skb->sk->sk_socket == NULL ||
+	    skb->sk->sk_socket->file == NULL)
+		return false;
+
+	if (info->match & XT_OWNER_UID)
+		if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
+		    !!(info->invert & XT_OWNER_UID))
+			return false;
+
+	if (info->match & XT_OWNER_GID)
+		if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
+		    !!(info->invert & XT_OWNER_GID))
+			return false;
+
+	return true;
+}
+
+static struct xt_match xt_owner_reg[] __read_mostly = {
+	{
+		.name       = "owner",
+		.family     = AF_INET,
+		.match      = xt_owner_match,
+		.matchsize  = sizeof(struct xt_owner_info),
+		.hooks      = (1 << NF_IP_LOCAL_OUT) |
+		              (1 << NF_IP_POST_ROUTING),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "owner",
+		.family     = AF_INET6,
+		.match      = xt_owner_match,
+		.matchsize  = sizeof(struct xt_owner_info),
+		.hooks      = (1 << NF_IP_LOCAL_OUT) |
+		              (1 << NF_IP_POST_ROUTING),
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init xt_owner_init(void)
+{
+	return xt_register_matches(xt_owner_reg, ARRAY_SIZE(xt_owner_reg));
+}
+
+static void __exit xt_owner_exit(void)
+{
+	xt_unregister_matches(xt_owner_reg, ARRAY_SIZE(xt_owner_reg));
+}
+
+module_init(xt_owner_init);
+module_exit(xt_owner_exit);
+MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
+MODULE_DESCRIPTION("iptables owner match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_owner");
+MODULE_ALIAS("ip6t_owner");

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] xt_owner

[Patrick McHardy]

Jan Engelhardt wrote:
> Convert ipt_owner to xt_owner, adding support for IPv6.
>
> +struct xt_owner_info {
> +	u_int32_t uid;
> +	u_int32_t gid;
> +	u_int8_t match, invert;
> +};

Unfortunately this also breaks compatiblity, we currently have:

struct ipt_owner_info {
    uid_t uid;
    gid_t gid;
    pid_t pid;
    pid_t sid;
    char comm[16];
    u_int8_t match, invert;     /* flags */
};

and

struct ip6t_owner_info {
    uid_t uid;
    gid_t gid;
    pid_t pid;
    pid_t sid;
    u_int8_t match, invert;     /* flags */
};

This is compatible with neither one.