* [PATCH 2/4] iptables: move manpage
From: Jan Engelhardt @ 2007-11-25 1:06 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Rename libipt_{time,u32}.man to libxt_{time,u32}.man to go
in line with the C files.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/lib{ip => x}t_time.man (100% similar)
extensions/lib{ip => x}t_u32.man (100% similar)
4 files changed
# This is the patch. You have to do the `svn mv`.
* Re: [PATCH 2/4] iptables: move manpage
From: Patrick McHardy @ 2007-11-25 15:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Rename libipt_{time,u32}.man to libxt_{time,u32}.man to go
> in line with the C files.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/lib{ip => x}t_time.man (100% similar)
> extensions/lib{ip => x}t_u32.man (100% similar)
> 4 files changed
>
> # This is the patch. You have to do the `svn mv`.
"Applied" :) Thanks.
* Re: [PATCH 2/4] iptables: move manpage
From: Yasuyuki KOZAKAI @ 2007-11-26 6:21 UTC (permalink / raw)
To: kaber, netfilter-devel
Hi, Patrick,
Many of the manuals for IPv6 extensions are still missing. But we can
move libipt_*.man to libxt_*.man for them (Great, Laszlo, thanks for
introducing libxt_*.man). If there is no objection, I will do that this weekend.
The last missing manual is NFLOG. Sorry, I'm not familiar with
the extension very much. I would appreciate it if anyone writes the manual for it.
Regards,
-- Yasuyuki Kozakai
From: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sun, 25 Nov 2007 02:06:23 +0100 (CET)
>
> Rename libipt_{time,u32}.man to libxt_{time,u32}.man to go
> in line with the C files.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/lib{ip => x}t_time.man (100% similar)
> extensions/lib{ip => x}t_u32.man (100% similar)
> 4 files changed
>
> # This is the patch. You have to do the `svn mv`.
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* [PATCH 3/4] iptables: always print mask in iptables-save
From: Jan Engelhardt @ 2007-11-25 1:06 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
iptables prints the mask as a prefix length if it is valid;
this patch makes iptables-save do the same.
Also, iptables-save will always print "/32" in the "-s addr/32"
case now. This reduces the amount of code external parsing scripts
need to provide to properly parse iptables-save output.
ip6tables-save already does the right thing, so no change there.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
iptables-save.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -141,6 +141,9 @@ static int print_match(const struct ipt_
/* print a given ip including mask if neccessary */
static void print_ip(char *prefix, u_int32_t ip, u_int32_t mask, int invert)
{
+ u_int32_t bits, hmask = ntohl(mask);
+ int i;
+
if (!mask && !ip && !invert)
return;
@@ -149,10 +152,19 @@ static void print_ip(char *prefix, u_int
invert ? "! " : "",
IP_PARTS(ip));
- if (mask != 0xffffffff)
- printf("/%u.%u.%u.%u ", IP_PARTS(mask));
+ if (mask == 0xFFFFFFFFU) {
+ printf("/32 ");
+ return;
+ }
+
+ i = 32;
+ bits = 0xFFFFFFFEU;
+ while (--i >= 0 && hmask != bits)
+ bits <<= 1;
+ if (i >= 0)
+ printf("/%u ", i);
else
- printf(" ");
+ printf("/%u.%u.%u.%u ", IP_PARTS(mask));
}
/* We want this to be readable, so only print out neccessary fields.
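Review bot: the prefix-length detection in the second hunk is correct but more opaque than it needs to be: `i` is a signed `int` printed with `%u`, and the `while (--i >= 0 && hmask != bits)` loop walks up to 32 shifts to decide whether `hmask` is a contiguous run of ones. Testing the complement directly (a valid mask has `~hmask` of the form 2^k - 1, so `(~hmask & (~hmask + 1)) == 0`) and then counting bits says the same thing in two lines and is easier to review. The `mask == 0xFFFFFFFFU` test before the `ntohl()`ed value is used is fine, because all-ones reads the same in either byte order, but a one-line comment would save the next reader the question. The dotted-quad fallback in the `else` branch for non-contiguous masks matches what the commit message promises.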
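The behaviour the commit message above describes (a prefix length when the mask is a contiguous run of ones, the dotted-quad form otherwise, and an explicit "/32" for a host address) in stand-alone form. This is an added example written for this page, not code from the patch or from iptables: `mask_to_prefix` and `mask_suffix` are names chosen here, the sample masks are constructed, and it detects a contiguous mask with a complement-and-increment check rather than the shift loop the patch uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Return the prefix length (0..32) when hmask, in host byte order, is a
 * contiguous run of ones followed by zeros; return -1 for any other mask.
 * Example, not iptables code. */
int mask_to_prefix(uint32_t hmask)
{
    uint32_t inv = ~hmask;       /* ones exactly where the mask has zeros */
    int prefix = 32;

    /* For a valid prefix inv is 2^k - 1, so inv & (inv + 1) is zero;
     * any hole in the mask leaves a bit set here. */
    if (inv & (inv + 1))
        return -1;
    while (inv) {                /* k zero bits => prefix 32 - k */
        inv >>= 1;
        prefix--;
    }
    return prefix;
}

/* Build the text iptables-save prints after the address for a mask given
 * in network byte order: "/<len>" for a valid prefix (including "/32"),
 * dotted-quad otherwise. Uses a static buffer, so it is not reentrant. */
const char *mask_suffix(uint32_t nmask)
{
    static char buf[24];
    uint32_t hmask = ntohl(nmask);
    int prefix = mask_to_prefix(hmask);

    if (prefix >= 0)
        snprintf(buf, sizeof buf, "/%d", prefix);
    else
        snprintf(buf, sizeof buf, "/%u.%u.%u.%u",
                 (hmask >> 24) & 0xffu, (hmask >> 16) & 0xffu,
                 (hmask >> 8) & 0xffu, hmask & 0xffu);
    return buf;
}

int main(void)
{
    /* Constructed sample masks, host byte order: valid prefixes, a
     * non-contiguous mask, a reversed mask and the empty mask. */
    static const uint32_t samples[] = {
        0xFFFFFFFFu, 0xFFFFFF00u, 0xFFFF0000u, 0x80000000u,
        0xFF00FF00u, 0x0000FFFFu, 0u,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%08x -> %s\n", samples[i], mask_suffix(htonl(samples[i])));
    return 0;
}
```

The contiguity test is the part worth keeping in mind when parsing iptables-save output: a mask such as 255.0.255.0 is legal in a rule, is never printable as a prefix length, and will still appear in dotted form, so a consumer of the save format has to accept both spellings.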
* [PATCH 4/4] iptables: libxt_owner
From: Jan Engelhardt @ 2007-11-25 1:07 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Import libxt_owner
libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the new xt_owner kernel module.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/Makefile | 6 -
extensions/libipt_owner.man | 28 ----
extensions/libxt_owner.c | 218 +++++++++++++++++++++++++++++++++++++
extensions/libxt_owner.man | 25 ++++
include/linux/netfilter/xt_owner.h | 17 ++
5 files changed, 263 insertions(+), 31 deletions(-)
Index: iptables/extensions/Makefile
===================================================================
--- iptables.orig/extensions/Makefile
+++ iptables/extensions/Makefile
@@ -5,9 +5,9 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
-PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh policy rt HL LOG REJECT
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
PF_EXT_SELINUX_SLIB:=
PF6_EXT_SELINUX_SLIB:=
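Review bot: `owner` is dropped from PF_EXT_SLIB and PF6_EXT_SLIB here, but the diffstat lists no deletion of libipt_owner.c or libip6t_owner.c, only of libipt_owner.man. The message says libxt_owner merges those two modules, so either delete the old sources in this patch or say in the message that their removal is done out of band, as 2/4 does for the `svn mv`.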
Index: iptables/extensions/libipt_owner.man
===================================================================
--- iptables.orig/extensions/libipt_owner.man
+++ /dev/null
@@ -1,28 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
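Review bot: the manpage being deleted documents `--pid-owner`, `--sid-owner` and `--cmd-owner`, and none of them reappear in the new libxt_owner.man or in the new option table. Dropping them is a user-visible change (existing rules using those options will no longer load), so the commit message should say so explicitly instead of only describing the merge; the "broken on SMP" note in the old text is the justification and is worth quoting.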
Index: iptables/extensions/libxt_owner.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_owner.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_owner.h>
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+ FLAG_FILP_EXISTS = 1 << 3,
+};
+
+static void owner_mt_help(void)
+{
+ printf(
+"owner match v%s options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --socket-exists Match if socket exists\n"
+"[!] --filp-exists Match if filp exists\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static const struct option owner_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 's'},
+ {.name = "filp-exists", .has_arg = false, .val = 'f'},
+ {},
+};
+
+static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_owner_match_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 's':
+ if (*flags & FLAG_SOCKET_EXISTS)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--socket-exists may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ case 'f':
+ if (*flags & FLAG_FILP_EXISTS)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--filp-exists may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->invert |= XT_OWNER_FILP;
+ info->match |= XT_OWNER_FILP;
+ *flags |= FLAG_FILP_EXISTS;
+ return true;
+
+ case 'u':
+ if (*flags & FLAG_UID_OWNER)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--uid-owner may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if ((pwd = getpwnam(optarg)) != NULL) {
+ info->uid = pwd->pw_uid;
+ } else {
+ if (!string_to_number(optarg, 0, UINT_MAX, &id))
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "Invalid value for --uid-owner "
+ "parameter: %s", optarg);
+ info->uid = id;
+ }
+ if (invert)
+ info->invert |= XT_OWNER_UID;
+ info->match |= XT_OWNER_UID;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ if (*flags & FLAG_GID_OWNER)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--gid-owner may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if ((grp = getgrnam(optarg)) != NULL) {
+ info->gid = grp->gr_gid;
+ } else {
+ if (!string_to_number(optarg, 0, UINT_MAX, &id))
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "Invalid value for --gid-owner "
+ "parameter: %s", optarg);
+ info->gid = id;
+ }
+ if (invert)
+ info->invert |= XT_OWNER_GID;
+ info->match |= XT_OWNER_GID;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+ }
+ return false;
+}
+
+static void owner_mt_print_item(const struct xt_owner_match_info *info,
+ u_int8_t flag, int numeric, const char *label)
+{
+ if (!(info->match & flag))
+ return;
+
+ if (info->invert & flag)
+ printf("! ");
+
+ printf(label);
+
+ switch (info->match & flag) {
+ case XT_OWNER_UID:
+ if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case XT_OWNER_GID:
+ if (!numeric) {
+ const struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+ }
+}
+
+static void owner_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "owner match: One or more parameters are required");
+}
+
+static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, XT_OWNER_SOCKET, numeric, "OWNER socket exists ");
+ owner_mt_print_item(info, XT_OWNER_FILP, numeric, "OWNER filp exists ");
+ owner_mt_print_item(info, XT_OWNER_UID, numeric, "OWNER UID match ");
+ owner_mt_print_item(info, XT_OWNER_GID, numeric, "OWNER GID match ");
+}
+
+static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, XT_OWNER_SOCKET, false, "--socket-exists ");
+ owner_mt_print_item(info, XT_OWNER_FILP, false, "--filp-exists ");
+ owner_mt_print_item(info, XT_OWNER_UID, false, "--uid-owner ");
+ owner_mt_print_item(info, XT_OWNER_GID, false, "--gid-owner ");
+}
+
+static struct xtables_match owner_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .family = AF_INET,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+static struct xtables_match owner_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .family = AF_INET6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&owner_mt_reg);
+ xtables_register_match(&owner_mt6_reg);
+}
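Review bot: three things in this file block compilation or correctness. The `'u'` and `'g'` cases use `UINT_MAX` but nothing includes `<limits.h>`. The `string_to_number()` checks are inverted: it returns 0 on success and -1 on failure, so `if (!string_to_number(...)) exit_error(...)` rejects every valid numeric ID and accepts garbage; the test should be `< 0`. And `owner_mt_print_item()` calls `printf(label)` with a non-literal format string; the labels are constants here, but `printf("%s", label)` or `fputs(label, stdout)` avoids the pattern and the -Wformat-security warning.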
Index: iptables/extensions/libxt_owner.man
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_owner.man
@@ -0,0 +1,25 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is only valid in the OUTPUT and
+POSTROUTING chains. Even then, some packets do not have a socket or filp (see
+below) associated.
+
+Forwarded packets, which will hit POSTROUTING too, do not have any socket
+associated with them. Packets originating from kernel space, e.g. ICMP
+responses and packets from kernel threads or daemons (nfsd, network
+filesystems) have a socket, but often no filp associated with them.
+.TP
+\fB--uid-owner\fR \fIuserid\fR
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user ID. A user name may be specified in place of \fIuserid\fR, in which
+case iptables will try to look it up.
+.TP
+\fB--gid-owner\fR \fIgroupid\fR
+Matches if the packet socket's file structure is owned by the given group ID.
+A group name may be specified in place of \fIgroupid\fR.
+.TP
+\fB--socket-exists\fR
+Matches if the packet is associated with a socket.
+.TP
+\fB--filp-exists\fR
+Matches if the packet is associated with a socket and also a 'file' structure
+(filp).
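Review bot: the `--uid-owner` entry says the match looks at the socket's file structure "if it has one" but never states what happens when there is none, even though the opening paragraphs say kernel-originated packets often have no filp; spell out whether such packets fail the match and how `!` interacts with that. The text also widens the valid chains from OUTPUT (old manpage) to OUTPUT and POSTROUTING, which deserves a sentence in the commit message.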
Index: iptables/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ iptables/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,17 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+ XT_OWNER_FILE = 1 << 3,
+};
+
+struct xt_owner_match_info {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
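Review bot: the flag is named `XT_OWNER_FILE` here, while libxt_owner.c in this same patch uses `XT_OWNER_FILP` in the `'f'` case and in both print functions, so one side will not compile; pick one spelling. Since this header has to stay identical to the kernel copy carried by the companion `[PATCH] netfilter: xt_owner`, state which copy is canonical.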
* Re: [PATCH 4/4] iptables: libxt_owner
From: Jan Engelhardt @ 2007-11-25 1:15 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Just when you thought everything worked, string_to_number() bites.
I misinterpreted its return value. Update below.
===Patch begins here===
Import libxt_owner
libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the new xt_owner kernel module.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/Makefile | 6 -
extensions/libipt_owner.man | 28 ----
extensions/libxt_owner.c | 218 +++++++++++++++++++++++++++++++++++++
extensions/libxt_owner.man | 25 ++++
include/linux/netfilter/xt_owner.h | 17 ++
5 files changed, 263 insertions(+), 31 deletions(-)
Index: iptables/extensions/Makefile
===================================================================
--- iptables.orig/extensions/Makefile
+++ iptables/extensions/Makefile
@@ -5,9 +5,9 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
-PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh policy rt HL LOG REJECT
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
PF_EXT_SELINUX_SLIB:=
PF6_EXT_SELINUX_SLIB:=
Index: iptables/extensions/libipt_owner.man
===================================================================
--- iptables.orig/extensions/libipt_owner.man
+++ /dev/null
@@ -1,28 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
Index: iptables/extensions/libxt_owner.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_owner.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_owner.h>
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+ FLAG_FILP_EXISTS = 1 << 3,
+};
+
+static void owner_mt_help(void)
+{
+ printf(
+"owner match v%s options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --socket-exists Match if socket exists\n"
+"[!] --filp-exists Match if filp exists\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static const struct option owner_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 's'},
+ {.name = "filp-exists", .has_arg = false, .val = 'f'},
+ {},
+};
+
+static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_owner_match_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 's':
+ if (*flags & FLAG_SOCKET_EXISTS)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--socket-exists may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ case 'f':
+ if (*flags & FLAG_FILP_EXISTS)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--filp-exists may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->invert |= XT_OWNER_FILP;
+ info->match |= XT_OWNER_FILP;
+ *flags |= FLAG_FILP_EXISTS;
+ return true;
+
+ case 'u':
+ if (*flags & FLAG_UID_OWNER)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--uid-owner may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if ((pwd = getpwnam(optarg)) != NULL) {
+ info->uid = pwd->pw_uid;
+ } else {
+ if (string_to_number(optarg, 0, UINT_MAX, &id) < 0)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "Invalid value for --uid-owner "
+ "parameter: %s", optarg);
+ info->uid = id;
+ }
+ if (invert)
+ info->invert |= XT_OWNER_UID;
+ info->match |= XT_OWNER_UID;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ if (*flags & FLAG_GID_OWNER)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "--gid-owner may only be given once");
+ check_inverse(optarg, &invert, &optind, 0);
+ if ((grp = getgrnam(optarg)) != NULL) {
+ info->gid = grp->gr_gid;
+ } else {
+ if (string_to_number(optarg, 0, UINT_MAX, &id) < 0)
+ exit_error(PARAMETER_PROBLEM, "owner match: "
+ "Invalid value for --gid-owner "
+ "parameter: %s", optarg);
+ info->gid = id;
+ }
+ if (invert)
+ info->invert |= XT_OWNER_GID;
+ info->match |= XT_OWNER_GID;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+ }
+ return false;
+}
+
+static void owner_mt_print_item(const struct xt_owner_match_info *info,
+ u_int8_t flag, int numeric, const char *label)
+{
+ if (!(info->match & flag))
+ return;
+
+ if (info->invert & flag)
+ printf("! ");
+
+ printf(label);
+
+ switch (info->match & flag) {
+ case XT_OWNER_UID:
+ if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case XT_OWNER_GID:
+ if (!numeric) {
+ const struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+ }
+}
+
+static void owner_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "owner match: One or more parameters are required");
+}
+
+static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, XT_OWNER_SOCKET, numeric, "OWNER socket exists ");
+ owner_mt_print_item(info, XT_OWNER_FILP, numeric, "OWNER filp exists ");
+ owner_mt_print_item(info, XT_OWNER_UID, numeric, "OWNER UID match ");
+ owner_mt_print_item(info, XT_OWNER_GID, numeric, "OWNER GID match ");
+}
+
+static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, XT_OWNER_SOCKET, false, "--socket-exists ");
+ owner_mt_print_item(info, XT_OWNER_FILP, false, "--filp-exists ");
+ owner_mt_print_item(info, XT_OWNER_UID, false, "--uid-owner ");
+ owner_mt_print_item(info, XT_OWNER_GID, false, "--gid-owner ");
+}
+
+static struct xtables_match owner_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .family = AF_INET,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+static struct xtables_match owner_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .family = AF_INET6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&owner_mt_reg);
+ xtables_register_match(&owner_mt6_reg);
+}
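Review bot: the `< 0` tests on `string_to_number()` in the `'u'` and `'g'` cases now match its 0-on-success contract. The other issues in this file are unchanged in the resend: `XT_OWNER_FILP` is used although the header in the same patch defines `XT_OWNER_FILE`, `UINT_MAX` is used without `<limits.h>`, and `printf(label)` still takes a non-literal format string where `printf("%s", label)` would do.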
Index: iptables/extensions/libxt_owner.man
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_owner.man
@@ -0,0 +1,25 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is only valid in the OUTPUT and
+POSTROUTING chains. Even then, some packets do not have a socket or filp (see
+below) associated.
+
+Forwarded packets, which will hit POSTROUTING too, do not have any socket
+associated with them. Packets originating from kernel space, e.g. ICMP
+responses and packets from kernel threads or daemons (nfsd, network
+filesystems) have a socket, but often no filp associated with them.
+.TP
+\fB--uid-owner\fR \fIuserid\fR
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user ID. A user name may be specified in place of \fIuserid\fR, in which
+case iptables will try to look it up.
+.TP
+\fB--gid-owner\fR \fIgroupid\fR
+Matches if the packet socket's file structure is owned by the given group ID.
+A group name may be specified in place of \fIgroupid\fR.
+.TP
+\fB--socket-exists\fR
+Matches if the packet is associated with a socket.
+.TP
+\fB--filp-exists\fR
+Matches if the packet is associated with a socket and also a 'file' structure
+(filp).
Index: iptables/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ iptables/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,17 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+ XT_OWNER_FILE = 1 << 3,
+};
+
+struct xt_owner_match_info {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
* Re: [PATCH 4/4] iptables: libxt_owner
From: Patrick McHardy @ 2007-11-25 15:22 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> +static void owner_mt_help(void)
> +{
> + printf(
> +"owner match v%s options:\n"
> +"[!] --uid-owner userid Match local UID\n"
> +"[!] --gid-owner groupid Match local GID\n"
> +"[!] --socket-exists Match if socket exists\n"
> +"[!] --filp-exists Match if filp exists\n"
> +"\n",
> +IPTABLES_VERSION);
The filp-exists option strikes me as useless, what would the
use case be? For the socket-exists option, I'd prefer for the
owner match to simply accept no further option, i.e. "-m owner".
* Re: [PATCH 4/4] iptables: libxt_owner
From: Jan Engelhardt @ 2007-11-25 15:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Nov 25 2007 16:22, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> +static void owner_mt_help(void)
>> +{
>> + printf(
>> +"owner match v%s options:\n"
>> +"[!] --uid-owner userid Match local UID\n"
>> +"[!] --gid-owner groupid Match local GID\n"
>> +"[!] --socket-exists Match if socket exists\n"
>> +"[!] --filp-exists Match if filp exists\n"
>> +"\n",
>> +IPTABLES_VERSION);
>
> The filp-exists option strikes me as useless, what would the
> use case be? For the socket-exists option, I'd prefer for the
> owner match to simply accept no further option, i.e. "-m owner".
>
hasSocket hasFilp whatCouldItBe
===============================
0 0 forwarded packet
1 0 ping, nfs client, nfsd
1 1 real connection
However, you mentioned that encapsulated (socket=1,filp=1) traffic
will show up without a "socket", but did you actually mean socket
or filp?
I just checked, and xfrm'ed traffic has the same properties as before
the transformation.
So actually socket-exists is the useless one, as there is always a
socket in any normal case.
What do you think?
* Re: [PATCH 4/4] iptables: libxt_owner
From: Patrick McHardy @ 2007-11-25 16:02 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Nov 25 2007 16:22, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> +static void owner_mt_help(void)
>>> +{
>>> + printf(
>>> +"owner match v%s options:\n"
>>> +"[!] --uid-owner userid Match local UID\n"
>>> +"[!] --gid-owner groupid Match local GID\n"
>>> +"[!] --socket-exists Match if socket exists\n"
>>> +"[!] --filp-exists Match if filp exists\n"
>>> +"\n",
>>> +IPTABLES_VERSION);
>> The filp-exists option strikes me as useless, what would the
>> use case be? For the socket-exists option, I'd prefer for the
>> owner match to simply accept no further option, i.e. "-m owner".
>>
>
>
> hasSocket hasFilp whatCouldItBe
> ===============================
> 0 0 forwarded packet
> 1 0 ping, nfs client, nfsd
> 1 1 real connection
>
> However, you mentioned that encapsulated (socket=1,filp=1) traffic
> will show up without a "socket", but did you actually mean socket
> or filp?
No, I was talking about forwarded encapsulated traffic showing
up in the output chain (we were talking about locally outgoing
packets). These packets have neither.
> I just checked, and xfrm'ed traffic has the same properties as before
> the transformation.
>
> So actually socket-exists is the useless one, as there is always a
> socket in any normal case.
>
> What do you think?
I think both (together) expose too much of the internals and are
not very useful. There is no guarantee that nfsd will behave the
same way tomorrow. The "socket exists" option is IMO useful for
one single purpose, distinguishing packets that originate from
local sockets from packets that are forwarded in the OUTPUT
and POSTROUTING chains in cases where the source address can't
be used, like tunneling. But before it gets too ugly I'd
rather not support it.
* [PATCH] netfilter: xt_owner
2007-11-25 1:05 [PATCH 1/4] iptables: fix check_inverse() call Jan Engelhardt
` (2 preceding siblings ...)
2007-11-25 1:07 ` [PATCH 4/4] iptables: libxt_owner Jan Engelhardt
@ 2007-11-25 1:08 ` Jan Engelhardt
2007-11-25 15:16 ` [PATCH 1/4] iptables: fix check_inverse() call Patrick McHardy
4 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2007-11-25 1:08 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Netfilter: Import xt_owner
xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match
on socket and filp (non-)existence.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/Kbuild | 1
include/linux/netfilter/xt_owner.h | 17 ++
net/ipv4/netfilter/Kconfig | 9 -
net/ipv4/netfilter/Makefile | 1
net/ipv4/netfilter/ipt_owner.c | 87 ---------------
net/ipv6/netfilter/Kconfig | 9 -
net/ipv6/netfilter/Makefile | 1
net/ipv6/netfilter/ip6t_owner.c | 87 ---------------
net/netfilter/Kconfig | 8 +
net/netfilter/Makefile | 1
net/netfilter/xt_owner.c | 214 +++++++++++++++++++++++++++++++++++++
11 files changed, 241 insertions(+), 194 deletions(-)
Index: linux-2.6/include/linux/netfilter/Kbuild
===================================================================
--- linux-2.6.orig/include/linux/netfilter/Kbuild
+++ linux-2.6/include/linux/netfilter/Kbuild
@@ -26,6 +26,7 @@ header-y += xt_limit.h
header-y += xt_mac.h
header-y += xt_mark.h
header-y += xt_multiport.h
+header-y += xt_owner.h
header-y += xt_pkttype.h
header-y += xt_policy.h
header-y += xt_realm.h
Index: linux-2.6/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ linux-2.6/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,17 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+ XT_OWNER_FILP = 1 << 3,
+};
+
+struct xt_owner_match_info {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
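Review bot: this header is exported to userspace through the `header-y += xt_owner.h` line above, so `struct xt_owner_match_info` should use the kernel's exported fixed-width types (`__u32 uid, gid;` and `__u8 match, invert;` from `<linux/types.h>`) rather than `u_int32_t`/`u_int8_t`, which only work when the C library's `<sys/types.h>` happens to be included first. A short comment next to the enum stating that `XT_OWNER_SOCKET` and `XT_OWNER_FILP` are existence tests, and that `invert` is meant to be a subset of `match` (the xor tests in `owner_mt` rely on that), would also save the next reader a trip into `xt_owner.c`.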
Index: linux-2.6/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6/net/ipv4/netfilter/Kconfig
@@ -111,15 +111,6 @@ config IP_NF_MATCH_TTL
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_MATCH_OWNER
- tristate "Owner match support"
- depends on IP_NF_IPTABLES
- help
- Packet owner matching allows you to match locally-generated packets
- based on who created them: the user, group, process or session.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_ADDRTYPE
tristate 'address type match support'
depends on IP_NF_IPTABLES
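Review bot: removing `IP_NF_MATCH_OWNER` outright means an existing `.config` carrying `IP_NF_MATCH_OWNER=m` silently ends up with no owner match at all after this change, because nothing pulls in the new `NETFILTER_XT_MATCH_OWNER` symbol. Consider leaving a transitional stub in place for one or two releases, e.g. `config IP_NF_MATCH_OWNER` / `tristate "Owner match support (deprecated)"` / `select NETFILTER_XT_MATCH_OWNER`, so `make oldconfig` keeps the functionality. The same applies to the `IP6_NF_MATCH_OWNER` removal in the ipv6 Kconfig hunk below.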
Index: linux-2.6/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Makefile
+++ linux-2.6/net/ipv4/netfilter/Makefile
@@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ip
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
-obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
Index: linux-2.6/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/ipt_owner.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Kernel module to match various things tied to sockets associated with
- locally generated outgoing packets. */
-
-/* (C) 2000 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/file.h>
-#include <linux/rcupdate.h>
-#include <net/sock.h>
-
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables owner match");
-
-static bool
-owner_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
-{
- const struct ipt_owner_info *info = matchinfo;
-
- if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
- return false;
-
- if(info->match & IPT_OWNER_UID) {
- if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
- !!(info->invert & IPT_OWNER_UID))
- return false;
- }
-
- if(info->match & IPT_OWNER_GID) {
- if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
- !!(info->invert & IPT_OWNER_GID))
- return false;
- }
-
- return true;
-}
-
-static bool
-owner_mt_check(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
-{
- const struct ipt_owner_info *info = matchinfo;
-
- if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
- printk("ipt_owner: pid, sid and command matching "
- "not supported anymore\n");
- return false;
- }
- return true;
-}
-
-static struct xt_match owner_mt_reg __read_mostly = {
- .name = "owner",
- .family = AF_INET,
- .match = owner_mt,
- .matchsize = sizeof(struct ipt_owner_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .checkentry = owner_mt_check,
- .me = THIS_MODULE,
-};
-
-static int __init owner_mt_init(void)
-{
- return xt_register_match(&owner_mt_reg);
-}
-
-static void __exit owner_mt_exit(void)
-{
- xt_unregister_match(&owner_mt_reg);
-}
-
-module_init(owner_mt_init);
-module_exit(owner_mt_exit);
Index: linux-2.6/net/ipv6/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/Kconfig
+++ linux-2.6/net/ipv6/netfilter/Kconfig
@@ -89,15 +89,6 @@ config IP6_NF_MATCH_HL
To compile it as a module, choose M here. If unsure, say N.
-config IP6_NF_MATCH_OWNER
- tristate "Owner match support"
- depends on IP6_NF_IPTABLES
- help
- Packet owner matching allows you to match locally-generated packets
- based on who created them: the user, group, process or session.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP6_NF_MATCH_IPV6HEADER
tristate "IPv6 Extension Headers Match"
depends on IP6_NF_IPTABLES
Index: linux-2.6/net/ipv6/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/Makefile
+++ linux-2.6/net/ipv6/netfilter/Makefile
@@ -23,7 +23,6 @@ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
-obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
# targets
Index: linux-2.6/net/ipv6/netfilter/ip6t_owner.c
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/ip6t_owner.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Kernel module to match various things tied to sockets associated with
- locally generated outgoing packets. */
-
-/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/file.h>
-#include <linux/rcupdate.h>
-#include <net/sock.h>
-
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("IP6 tables owner matching module");
-MODULE_LICENSE("GPL");
-
-
-static bool
-owner_mt6(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
-{
- const struct ip6t_owner_info *info = matchinfo;
-
- if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
- return false;
-
- if (info->match & IP6T_OWNER_UID)
- if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
- !!(info->invert & IP6T_OWNER_UID))
- return false;
-
- if (info->match & IP6T_OWNER_GID)
- if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
- !!(info->invert & IP6T_OWNER_GID))
- return false;
-
- return true;
-}
-
-static bool
-owner_mt6_check(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
-{
- const struct ip6t_owner_info *info = matchinfo;
-
- if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
- printk("ipt_owner: pid and sid matching "
- "not supported anymore\n");
- return false;
- }
- return true;
-}
-
-static struct xt_match owner_mt6_reg __read_mostly = {
- .name = "owner",
- .family = AF_INET6,
- .match = owner_mt6,
- .matchsize = sizeof(struct ip6t_owner_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .checkentry = owner_mt6_check,
- .me = THIS_MODULE,
-};
-
-static int __init owner_mt6_init(void)
-{
- return xt_register_match(&owner_mt6_reg);
-}
-
-static void __exit owner_mt6_exit(void)
-{
- xt_unregister_match(&owner_mt6_reg);
-}
-
-module_init(owner_mt6_init);
-module_exit(owner_mt6_exit);
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -546,6 +546,14 @@ config NETFILTER_XT_MATCH_MARK
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_OWNER
+ tristate '"owner" match support'
+ depends on NETFILTER_XTABLES
+ ---help---
+ Socket owner matching allows you to match locally-generated packets
+ based on who created the socket: the user or group. It is also
+ possible to check whether a socket actually exists.
+
config NETFILTER_XT_MATCH_POLICY
tristate 'IPsec "policy" match support'
depends on NETFILTER_XTABLES && XFRM
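Review bot: the help text for `NETFILTER_XT_MATCH_OWNER` is missing the closing `To compile it as a module, choose M here. If unsure, say N.` line that the neighbouring `MARK` entry (and the `IP_NF_MATCH_OWNER` entry being removed) carry; please add it for consistency. It would also be worth stating in the help that the match is only valid in the `OUTPUT` and `POSTROUTING` chains, since the `.hooks` mask in `xt_owner.c` restricts it to `NF_INET_LOCAL_OUT` and `NF_INET_POST_ROUTING` and users will otherwise only find that out when rule insertion fails.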
Index: linux-2.6/net/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/netfilter/Makefile
+++ linux-2.6/net/netfilter/Makefile
@@ -66,6 +66,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) +
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
Index: linux-2.6/net/netfilter/xt_owner.c
===================================================================
--- /dev/null
+++ linux-2.6/net/netfilter/xt_owner.c
@@ -0,0 +1,214 @@
+/* Kernel module to match various things tied to sockets associated with
+ locally generated outgoing packets. */
+
+/*
+ * (C) 2000 Marc Boucher <marc@mbsi.ca>
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_owner.h>
+#include <linux/netfilter_ipv4/ipt_owner.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+
+static bool
+owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_owner_info *info = matchinfo;
+ const struct file *filp;
+
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+ return false;
+
+ filp = skb->sk->sk_socket->file;
+ if (filp == NULL)
+ return false;
+
+ if (info->match & IPT_OWNER_UID)
+ if ((filp->f_uid != info->uid) ^
+ !!(info->invert & IPT_OWNER_UID))
+ return false;
+
+ if (info->match & IPT_OWNER_GID)
+ if ((filp->f_gid != info->gid) ^
+ !!(info->invert & IPT_OWNER_GID))
+ return false;
+
+ return true;
+}
+
+static bool
+owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ip6t_owner_info *info = matchinfo;
+ const struct file *filp;
+
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+ return false;
+
+ filp = skb->sk->sk_socket->file;
+ if (filp == NULL)
+ return false;
+
+ if (info->match & IP6T_OWNER_UID)
+ if ((filp->f_uid != info->uid) ^
+ !!(info->invert & IP6T_OWNER_UID))
+ return false;
+
+ if (info->match & IP6T_OWNER_GID)
+ if ((filp->f_gid != info->gid) ^
+ !!(info->invert & IP6T_OWNER_GID))
+ return false;
+
+ return true;
+}
+
+static bool
+owner_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_owner_match_info *info = matchinfo;
+ const struct file *filp;
+
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+ return (info->match ^ info->invert) == 0;
+ else if (info->match & info->invert & XT_OWNER_SOCKET)
+ /*
+ * Socket exists but user wanted ! --socket-exists.
+ * (Single ampersands intended.)
+ */
+ return false;
+
+ filp = skb->sk->sk_socket->file;
+ if (filp == NULL)
+ return ((info->match ^ info->invert) & ~XT_OWNER_SOCKET) == 0;
+ else if (info->match & info->invert & XT_OWNER_FILP)
+ /* filp exists but user wanted ! --filp-exists */
+ return false;
+
+ if (info->match & XT_OWNER_UID)
+ if ((filp->f_uid != info->uid) ^
+ !!(info->invert & XT_OWNER_UID))
+ return false;
+
+ if (info->match & XT_OWNER_GID)
+ if ((filp->f_gid != info->gid) ^
+ !!(info->invert & XT_OWNER_GID))
+ return false;
+
+ return true;
+}
+
+static bool
+owner_mt_check_v0(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ const struct ipt_owner_info *info = matchinfo;
+
+ if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": PID, SID and command matching is not "
+ "supported anymore\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool
+owner_mt6_check_v0(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ const struct ip6t_owner_info *info = matchinfo;
+
+ if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": PID and SID matching is not supported anymore\n");
+ return false;
+ }
+
+ return true;
+}
+
+static struct xt_match owner_mt_reg[] __read_mostly = {
+ {
+ .name = "owner",
+ .revision = 0,
+ .family = AF_INET,
+ .match = owner_mt_v0,
+ .matchsize = sizeof(struct ipt_owner_info),
+ .checkentry = owner_mt_check_v0,
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = owner_mt6_v0,
+ .matchsize = sizeof(struct ip6t_owner_info),
+ .checkentry = owner_mt6_check_v0,
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = AF_INET,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init owner_mt_init(void)
+{
+ return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}
+
+static void __exit owner_mt_exit(void)
+{
+ xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}
+
+module_init(owner_mt_init);
+module_exit(owner_mt_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_DESCRIPTION("netfilter \"owner\" match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_owner");
+MODULE_ALIAS("ip6t_owner");
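Review bot: the revision 1 entries in `owner_mt_reg` have no `.checkentry`, yet `owner_mt` relies on invariants that only userspace currently upholds: `return (info->match ^ info->invert) == 0;` and the `info->match & info->invert & XT_OWNER_SOCKET` test are only meaningful when `info->invert` is a subset of `info->match`. Please add a check function for revision 1 that rejects `info->invert & ~info->match` (and probably `info->match == 0`, since `-m owner` with no option currently matches every packet, including socketless forwarded ones, which is unlikely to be what anyone wants). Also note a behaviour change relative to revision 0 that the changelog does not mention: `owner_mt_v0` returns false for any packet without a socket, whereas `owner_mt` returns true for e.g. `! --uid-owner 0` on a socketless (forwarded) packet, because `match ^ invert` is zero in that case; either document this next to the early return or restore the old semantics for the uid/gid-only case.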
* Re: [PATCH 1/4] iptables: fix check_inverse() call
2007-11-25 1:05 [PATCH 1/4] iptables: fix check_inverse() call Jan Engelhardt
` (3 preceding siblings ...)
2007-11-25 1:08 ` [PATCH] netfilter: xt_owner Jan Engelhardt
@ 2007-11-25 15:16 ` Patrick McHardy
4 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2007-11-25 15:16 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Fix a typo in call to check_inverse().
Applied, thanks Jan.