* [PATCH 1/2] socket: Added 'transparent' option
@ 2009-04-24 13:30 Laszlo Attila Toth
  2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
  2009-04-24 14:54 ` [PATCH 1/2] socket: Added 'transparent' option Patrick McHardy
From: Laszlo Attila Toth @ 2009-04-24 13:30 UTC (permalink / raw)
  To: Patrick McHardy, netfilter-devel; +Cc: Laszlo Attila Toth

The socket match has its own matchinfo structure, with one boolean field,
transparent, which is true when only transparent sockets may be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_socket.h |    8 ++++++++
 net/netfilter/xt_socket.c           |    8 ++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..2222d63
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info {
+	__u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
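Review bot: The new header uses `__u8` for the `transparent` field but includes nothing that declares it, so a translation unit that includes only `linux/netfilter/xt_socket.h` does not compile on its own; add `#include <linux/types.h>` before the struct, which is how the other headers in this directory that userspace shares are written. A one-line comment on the field would also record the contract that the C side enforces, for example `/* match only sockets whose transparent flag is set */`. Note that with the single bit-field `sizeof(struct xt_socket_match_info)` is 1, which is the value the later `.matchsize` line in xt_socket.c will register.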
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..b894a10 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -94,6 +96,7 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	__be32 daddr, saddr;
 	__be16 dport, sport;
 	u8 protocol;
+	const struct xt_socket_match_info *info = par->matchinfo;
 #ifdef XT_SOCKET_HAVE_CONNTRACK
 	struct nf_conn const *ct;
 	enum ip_conntrack_info ctinfo;
@@ -142,10 +145,14 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent);
 
 		nf_tproxy_put_sock(sk);
 		if (wildcard)
 			sk = NULL;
+		else if (info->transparent && !transparent)
+			sk = NULL;
 	}
 
 	pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
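Review bot: The new local `transparent` shares its name with the option field, so `info->transparent && !transparent` on the added `else if` reads as a contradiction at first glance; naming the socket-side value `sk_transparent` and folding the two branches, `if (wildcard || (info->transparent && !sk_transparent)) sk = NULL;`, says the same thing in one condition. The flag reads on `inet_sk(sk)` and `inet_twsk(sk)` are correctly placed before `nf_tproxy_put_sock(sk)`, since `sk` must not be touched after the put; a short comment above them, `/* read everything we need before dropping the reference */`, would keep a later edit from moving them below it. The enclosing socket_mt() starts and ends outside this hunk.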
@@ -161,6 +168,7 @@ static struct xt_match socket_mt_reg __read_mostly = {
 	.name		= "socket",
 	.family		= AF_INET,
 	.match		= socket_mt,
+	.matchsize	= sizeof(struct xt_socket_match_info),
 	.hooks		= 1 << NF_INET_PRE_ROUTING,
 	.me		= THIS_MODULE,
 };
-- 
1.6.2.2.404.ge96f3



* [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK
  2009-04-24 13:30 [PATCH 1/2] socket: Added 'transparent' option Laszlo Attila Toth
@ 2009-04-24 13:30 ` Laszlo Attila Toth
  2009-04-24 14:55   ` Patrick McHardy
  2009-04-24 14:54 ` [PATCH 1/2] socket: Added 'transparent' option Patrick McHardy
From: Laszlo Attila Toth @ 2009-04-24 13:30 UTC (permalink / raw)
  To: Patrick McHardy, netfilter-devel; +Cc: Laszlo Attila Toth

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 net/netfilter/Kconfig |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 2329c5f..881203c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -275,6 +275,8 @@ config NF_CT_NETLINK
 	help
 	  This option enables support for a netlink-based userspace interface
 
+endif # NF_CONNTRACK
+
 # transparent proxy support
 config NETFILTER_TPROXY
 	tristate "Transparent proxying support (EXPERIMENTAL)"
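Review bot: The commit carries no description of why NETFILTER_TPROXY may now sit outside the `if NF_CONNTRACK` block that the moved `endif # NF_CONNTRACK` closes early; the sibling patch shows xt_socket.c guarding its conntrack use with `XT_SOCKET_HAVE_CONNTRACK`, which supports the change, but that reasoning belongs in the log rather than being inferred from another patch. The second hunk of this file only removes the old `endif` and needs nothing further. Whether the NETFILTER_TPROXY help text still states a conntrack requirement is not visible in this hunk and should be checked so the Kconfig text and the dependency agree.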
@@ -290,8 +292,6 @@ config NETFILTER_TPROXY
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-endif # NF_CONNTRACK
-
 config NETFILTER_XTABLES
 	tristate "Netfilter Xtables support (required for ip_tables)"
 	default m if NETFILTER_ADVANCED=n
-- 
1.6.2.2.404.ge96f3



* Re: [PATCH 1/2] socket: Added 'transparent' option
  2009-04-24 13:30 [PATCH 1/2] socket: Added 'transparent' option Laszlo Attila Toth
  2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
@ 2009-04-24 14:54 ` Patrick McHardy
From: Patrick McHardy @ 2009-04-24 14:54 UTC (permalink / raw)
  To: Laszlo Attila Toth; +Cc: netfilter-devel

Laszlo Attila Toth wrote:
> The socket match has an own matchinfo structure, with one boolean field,
> transparent, which is true when only transparent sockets can be matched.
> 
> @@ -161,6 +168,7 @@ static struct xt_match socket_mt_reg __read_mostly = {
>  	.name		= "socket",
>  	.family		= AF_INET,
>  	.match		= socket_mt,
> +	.matchsize	= sizeof(struct xt_socket_match_info),

This will break compatibility with old iptables binaries. You need
to add a new revision for this.


* Re: [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK
  2009-04-24 13:30 ` [PATCH 2/2] TProxy doesn't depend on NF_CONNTRACK Laszlo Attila Toth
@ 2009-04-24 14:55   ` Patrick McHardy
From: Patrick McHardy @ 2009-04-24 14:55 UTC (permalink / raw)
  To: Laszlo Attila Toth; +Cc: netfilter-devel

Laszlo Attila Toth wrote:
> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

Applied, thanks.
