Socket match with transparent option, take 2

Socket match with transparent option, take 2

[Laszlo Attila Toth]

Hi,

this is the latest version of the new socket match option, '--transparent':
if this option is used, only sockets with enabled transparent socket option
are matched.

As I wrote earlier, the original, default behaviour of the match is unwanted,
because not only a transparent socket, but also any socket can be matched,
such as a simple SSH or web server's.

The kernel part is on the top net-next-2.6.

The match info is type contains the revision of the socket match,
struct xt_socket_match_info1 which was missing from the previous patches.

Regards,
Attila

[net-next] socket: Added 'transparent' option

[Laszlo Attila Toth]

Added new revision of the 'socket' match. If its new option is set,
enabled 'transparent' socket option is required for the socket to be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_socket.h |    8 +++++
 net/netfilter/xt_socket.c           |   57 +++++++++++++++++++++++++++++-----
 2 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..8b2b2f0
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info1 {
+	__u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..f31f3db 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     bool check_transparent)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
@@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent);
+		const struct xt_socket_match_info1 *info = NULL;
+
+		if (check_transparent);
+			info = par->matchinfo;
 
 		nf_tproxy_put_sock(sk);
+
 		if (wildcard)
 			sk = NULL;
+		else if (check_transparent && info->transparent &&
+			 !transparent)
+			sk = NULL;
 	}
 
 	pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
@@ -157,23 +172,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (sk != NULL);
 }
 
-static struct xt_match socket_mt_reg __read_mostly = {
-	.name		= "socket",
-	.family		= AF_INET,
-	.match		= socket_mt,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, false);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, true);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.family		= AF_INET,
+		.match		= socket_mt_v0,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= AF_INET,
+		.match		= socket_mt_v1,
+		.matchsize	= sizeof(struct xt_socket_match_info1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_match(&socket_mt_reg);
+	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 static void __exit socket_mt_exit(void)
 {
-	xt_unregister_match(&socket_mt_reg);
+	xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 module_init(socket_mt_init);
-- 
1.6.2.2.404.ge96f3

[iptables] socket match: new revision, match transparent sockets

[Laszlo Attila Toth]

Added new revision of the socket match.

if the '--transparent' parameter is specified, the sockets,
which transparent socket option is not set, are ignored.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 extensions/libxt_socket.c           |   95 +++++++++++++++++++++++++++++-----
 extensions/libxt_socket.man         |    6 ++-
 include/linux/netfilter/xt_socket.h |    8 +++
 3 files changed, 94 insertions(+), 15 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index eebc7c5..e071c20 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -6,34 +6,101 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
-static void socket_mt_help(void)
+static void socket_mt_help_v0(void)
 {
-	printf("socket v%s has no options\n\n", XTABLES_VERSION);
+	printf("socket match has no options.\n\n");
 }
 
-static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
-			const void *entry, struct xt_entry_match **match)
+static void socket_mt_help_v1(void)
+{
+	printf("socket match options:\n"
+"--transparent      Matches only if the socket's transparent option is set\n");
+}
+
+static const struct option socket_opts_v1[] = {
+	{ "transparent", 0, NULL, '1' },
+	{ }
+};
+
+static int socket_mt_parse_v0(int c, char **argv, int invert,
+			      unsigned int *flags, const void *entry,
+			      struct xt_entry_match **match)
 {
 	return 0;
 }
 
+static int socket_mt_parse_v1(int c, char **argv, int invert,
+			      unsigned int *flags, const void *entry,
+			      struct xt_entry_match **match)
+{
+	struct xt_socket_match_info1 *info = (void *) (*match)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Can't specify multiple --transparent");
+		info->transparent = 1;
+		*flags = 1;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
 static void socket_mt_check(unsigned int flags)
 {
 }
 
-static struct xtables_match socket_mt_reg = {
-	.name	       = "socket",
-	.version       = XTABLES_VERSION,
-	.family	       = NFPROTO_IPV4,
-	.size	       = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
-	.parse	       = socket_mt_parse,
-	.final_check   = socket_mt_check,
-	.help	       = socket_mt_help,
+static void socket_mt_print_v1(const void *ip,
+			       const struct xt_entry_match *match,
+			       int numeric)
+{
+	const struct xt_socket_match_info1 *info = (const void *)match->data;
+	printf("socket ");
+	if (info->transparent)
+		printf("transparent ");
+}
+
+static void socket_mt_save_v1(const void *ip,
+			      const struct xt_entry_match *match)
+{
+	const struct xt_socket_match_info1 *info = (const void *)match->data;
+
+	if (info->transparent)
+		printf("--transparent ");
+}
+
+static struct xtables_match socket_mt_reg_v0 = {
+	.name		= "socket",
+	.revision	= 0,
+	.version	= XTABLES_VERSION,
+	.family		= NFPROTO_IPV4,
+	.parse		= socket_mt_parse_v0,
+	.final_check	= socket_mt_check,
+	.help		= socket_mt_help_v0,
+};
+
+static struct xtables_match socket_mt_reg_v1 = {
+	.name		= "socket",
+	.version	= XTABLES_VERSION,
+	.revision	= 1,
+	.family		= NFPROTO_IPV4,
+	.size		= XT_ALIGN(sizeof(struct xt_socket_match_info1)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_socket_match_info1)),
+	.parse		= socket_mt_parse_v1,
+	.print		= socket_mt_print_v1,
+	.save		= socket_mt_save_v1,
+	.final_check	= socket_mt_check,
+	.help		= socket_mt_help_v1,
+	.extra_opts	= socket_opts_v1,
 };
 
 void _init(void)
 {
-	xtables_register_match(&socket_mt_reg);
+	xtables_register_match(&socket_mt_reg_v0);
+	xtables_register_match(&socket_mt_reg_v1);
 }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..edc9d75 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,6 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..8b2b2f0
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info1 {
+	__u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
-- 
1.6.2.2.404.ge96f3

Re: [net-next] socket: Added 'transparent' option

[Jan Engelhardt]

On Thursday 2009-06-04 14:37, Laszlo Attila Toth wrote:

>Added new revision of the 'socket' match. If its new option is set,
>enabled 'transparent' socket option is required for the socket to be matched.
>
>Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

>+++ b/include/linux/netfilter/xt_socket.h
>@@ -0,0 +1,8 @@
>+#ifndef _XT_SOCKET_H_match
>+#define _XT_SOCKET_H_match
>+
>+struct xt_socket_match_info1 {
>+	__u8 transparent:1;
>+};
>+
>+#endif /* _XT_SOCKET_H_match */

Compiler-level bitfields are not portable, so let's not use them.

>@@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
> 				   saddr, daddr, sport, dport, par->in, false);
> 	if (sk != NULL) {
> 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
>+		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
>+					inet_sk(sk)->transparent) ||
>+				   (sk->sk_state == TCP_TIME_WAIT &&
>+					inet_twsk(sk)->tw_transparent);
>+		const struct xt_socket_match_info1 *info = NULL;
>+
>+		if (check_transparent);
>+			info = par->matchinfo;

That's a definite “whoops in coding” there with that trailing ;.
Wanna buy a `make C=1`? :-)

>+static struct xt_match socket_mt_reg[] __read_mostly = {
>+	{
>+		.name		= "socket",
>+		.revision	= 0,
>+		.family		= AF_INET,

NFPROTO_IPV4

>+		.match		= socket_mt_v0,
>+		.hooks		= 1 << NF_INET_PRE_ROUTING,
>+		.me		= THIS_MODULE,
>+	},
>+	{
>+		.name		= "socket",
>+		.revision	= 1,
>+		.family		= AF_INET,

^
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [net-next] socket: Added 'transparent' option

[Laszlo Attila Toth]

Jan Engelhardt wrote:
> On Thursday 2009-06-04 14:37, Laszlo Attila Toth wrote:
>> +
>> +		if (check_transparent);
>> +			info = par->matchinfo;
> 
> That's a definite “whoops in coding” there with that trailing ;.
> Wanna buy a `make C=1`? :-)

Thanks. I tried make C=1 but this mistake wasn't noticed by sparse...


-- 
Attila
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html