* socket match - add wildcard option [2/4] @ 2010-07-25 14:50 Nepenthes Development Team 2010-07-25 15:13 ` Jan Engelhardt 0 siblings, 1 reply; 7+ messages in thread From: Nepenthes Development Team @ 2010-07-25 14:50 UTC (permalink / raw) To: netfilter-devel [-- Attachment #1: Type: text/plain, Size: 185 bytes --] iptables-socket-match-add-transparent-option.diff - apply patch to add the --transparent option from http://article.gmane.org/gmane.comp.security.firewalls.netfilter.devel/30246 [-- Attachment #2: iptables-socket-match-add-transparent-option.diff --] [-- Type: text/x-diff, Size: 4625 bytes --] Added new revision of the socket match. if the '--transparent' parameter is specified, the sockets without set transparent socket option are ignored. Signed-off-by: Laszlo Attila Toth <panther <at> balabit.hu> --- extensions/libxt_socket.c | 95 +++++++++++++++++++++++++++++----- extensions/libxt_socket.man | 6 ++- include/linux/netfilter/xt_socket.h | 12 ++++ 3 files changed, 98 insertions(+), 15 deletions(-) create mode 100644 include/linux/netfilter/xt_socket.h diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index eebc7c5..2230a93 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c 
@@ -6,34 +6,101 @@ #include <stdio.h> #include <getopt.h> #include <xtables.h> +#include <linux/netfilter/xt_socket.h> -static void socket_mt_help(void) +static void socket_mt_help_v0(void) { - printf("socket v%s has no options\n\n", XTABLES_VERSION); + printf("socket match has no options.\n\n"); } -static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) +static void socket_mt_help_v1(void) +{ + printf("socket match options:\n" +"--transparent Matches only if the socket's transparent option is set\n"); +} + +static const struct option socket_opts_v1[] = { + { "transparent", 0, NULL, '1' }, + { } +}; + +static int socket_mt_parse_v0(int c, char **argv, int invert, + unsigned int *flags, const void *entry, + struct xt_entry_match **match) { return 0; } +static int socket_mt_parse_v1(int c, char **argv, int invert, + unsigned int *flags, const void *entry, + struct xt_entry_match **match) +{ + struct xt_socket_mtinfo1 *info = (void *) (*match)->data; + + switch (c) { + case '1': + if (*flags) + xtables_error(PARAMETER_PROBLEM, + "Can't specify multiple --transparent"); + info->flags |= XT_SOCKET_TRANSPARENT; + *flags = 1; + break; + default: + return 0; + } + return 1; +} + static void socket_mt_check(unsigned int flags) { } -static struct xtables_match socket_mt_reg = { - .name = "socket", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), - .parse = socket_mt_parse, - .final_check = socket_mt_check, - .help = socket_mt_help, +static void socket_mt_print_v1(const void *ip, + const struct xt_entry_match *match, + int numeric) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + printf("socket "); + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("transparent "); +} + +static void socket_mt_save_v1(const void *ip, + const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo1 *info = (const void 
*)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("--transparent "); + } + +static struct xtables_match socket_mt_reg_v0 = { + .name = "socket", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .parse = socket_mt_parse_v0, + .final_check = socket_mt_check, + .help = socket_mt_help_v0, +}; + +static struct xtables_match socket_mt_reg_v1 = { + .name = "socket", + .version = XTABLES_VERSION, + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .parse = socket_mt_parse_v1, + .print = socket_mt_print_v1, + .save = socket_mt_save_v1, + .final_check = socket_mt_check, + .help = socket_mt_help_v1, + .extra_opts = socket_opts_v1, }; void _init(void) { - xtables_register_match(&socket_mt_reg); + xtables_register_match(&socket_mt_reg_v0); + xtables_register_match(&socket_mt_reg_v1); }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..edc9d75 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,6 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..f6ba866
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+ XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+ __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */
-- 1.6.2.2.404.ge96f3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
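Review bot: The new `include/linux/netfilter/xt_socket.h` uses `__u8` without including anything that defines it, so it only compiles when `<linux/types.h>` has already been pulled in by an earlier include, which in `libxt_socket.c` is presumably `<xtables.h>`; any other consumer that includes this header first gets an undefined type. Adding `#include <linux/types.h>` right after the include guard, as the kernel's exported netfilter headers generally do, makes the copy self-contained and keeps it closer to the upstream file. The same omission carries over to the `@@ -0,0 +1,14 @@` and `@@ -0,0 +1,15 @@` versions of this header posted later in the thread.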
* Re: socket match - add wildcard option [2/4] 2010-07-25 14:50 socket match - add wildcard option [2/4] Nepenthes Development Team @ 2010-07-25 15:13 ` Jan Engelhardt 2010-07-25 19:10 ` Nepenthes Development Team 0 siblings, 1 reply; 7+ messages in thread From: Jan Engelhardt @ 2010-07-25 15:13 UTC (permalink / raw) To: Nepenthes Development Team; +Cc: netfilter-devel On Sunday 2010-07-25 16:50, Nepenthes Development Team wrote: >iptables-socket-match-add-transparent-option.diff > - apply patch to add the --transparent option from > http://article.gmane.org/gmane.comp.security.firewalls.netfilter.devel/30246 > >Added new revision of the socket match. > >if the '--transparent' parameter is specified, the sockets without >set transparent socket option are ignored. > >Signed-off-by: Laszlo Attila Toth <panther <at> balabit.hu> This needs your own SOB. >diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c >index eebc7c5..2230a93 100644 >--- a/extensions/libxt_socket.c >+++ b/extensions/libxt_socket.c 
>@@ -6,34 +6,101 @@ > #include <stdio.h> > #include <getopt.h> > #include <xtables.h> >+#include <linux/netfilter/xt_socket.h> > >-static void socket_mt_help(void) >+static void socket_mt_help_v0(void) > { >- printf("socket v%s has no options\n\n", XTABLES_VERSION); >+ printf("socket match has no options.\n\n"); > } Since the function is not essential, I see no point in adding it in the first place - the "has no options" text is autogenerated. > >-static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags, >- const void *entry, struct xt_entry_match **match) >+static void socket_mt_help_v1(void) >+{ >+ printf("socket match options:\n" >+"--transparent Matches only if the socket's transparent option is set\n"); >+} >+ >+static const struct option socket_opts_v1[] = { >+ { "transparent", 0, NULL, '1' }, >+ { } >+}; Try to use the C99 version. >+ >+static int socket_mt_parse_v0(int c, char **argv, int invert, >+ unsigned int *flags, const void *entry, >+ struct xt_entry_match **match) > { > return 0; > } Similarly pointless. >+static int socket_mt_parse_v1(int c, char **argv, int invert, >+ unsigned int *flags, const void *entry, >+ struct xt_entry_match **match) >+{ >+ struct xt_socket_mtinfo1 *info = (void *) (*match)->data; >+ >+ switch (c) { >+ case '1': >+ if (*flags) >+ xtables_error(PARAMETER_PROBLEM, >+ "Can't specify multiple --transparent"); See existing code for xtables_param_act(..) 
>+ info->flags |= XT_SOCKET_TRANSPARENT; >+ *flags = 1; >+ break; >+ default: >+ return 0; >+ } >+ return 1; >+} >+ > static void socket_mt_check(unsigned int flags) > { > } This one is not needed either >+ .name = "socket", >+ .revision = 0, >+ .version = XTABLES_VERSION, >+ .family = NFPROTO_IPV4, >+ .parse = socket_mt_parse_v0, >+ .final_check = socket_mt_check, >+ .help = socket_mt_help_v0, >+}; >+ >+static struct xtables_match socket_mt_reg_v1 = { >+ .name = "socket", >+ .version = XTABLES_VERSION, >+ .revision = 1, >+ .family = NFPROTO_IPV4, >+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), >+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), >+ .parse = socket_mt_parse_v1, >+ .print = socket_mt_print_v1, >+ .save = socket_mt_save_v1, >+ .final_check = socket_mt_check, >+ .help = socket_mt_help_v1, >+ .extra_opts = socket_opts_v1, Actually, xt_socket should be NFPROTO_UNSPEC. > }; > > void _init(void) > { >- xtables_register_match(&socket_mt_reg); >+ xtables_register_match(&socket_mt_reg_v0); >+ xtables_register_match(&socket_mt_reg_v1); xtables_register_matches > } >diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man >index 50c8854..edc9d75 100644 >--- a/extensions/libxt_socket.man >+++ b/extensions/libxt_socket.man >@@ -1,2 +1,6 @@ > This matches if an open socket can be found by doing a socket lookup on the >-packet. >+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0). >+.TP >+.BI "\-\-transparent" >+Enables additional check, that the actual socket's transparent socket option >+has to be set. ' does not need to be escaped, to my knowledge. >diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h >new file mode 100644 >index 0000000..f6ba866 >--- /dev/null >+++ b/include/linux/netfilter/xt_socket.h 
>@@ -0,0 +1,12 @@ >+#ifndef _XT_SOCKET_H_match >+#define _XT_SOCKET_H_match >+ >+enum { >+ XT_SOCKET_TRANSPARENT = 1 << 0, >+}; >+ >+struct xt_socket_mtinfo1 { >+ __u8 flags; >+}; I'm sure Eric Dumazet will remind us that u32 is a better idea. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: socket match - add wildcard option [2/4] 2010-07-25 15:13 ` Jan Engelhardt @ 2010-07-25 19:10 ` Nepenthes Development Team 2010-07-25 19:55 ` Jan Engelhardt 0 siblings, 1 reply; 7+ messages in thread From: Nepenthes Development Team @ 2010-07-25 19:10 UTC (permalink / raw) To: jengelh; +Cc: netfilter-devel [-- Attachment #1: Type: text/plain, Size: 1138 bytes --] Hi, thanks for your reply. >>+static const struct option socket_opts_v1[] = { >>+ { "transparent", 0, NULL, '1' }, >>+ { } >>+}; > > Try to use the C99 version. Not sure what C99 shall mean in this context, > { .name = NULL } ? > ' does not need to be escaped, to my knowledge. I adopted the syntax from the original manpage, which escapes ', shall I remove it altogether? >>+struct xt_socket_mtinfo1 { >>+ __u8 flags; >>+}; > > I'm sure Eric Dumazet will remind us that u32 is a better idea. Adopted, as the kernel already uses __u8 for the socket match flags http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/netfilter/xt_socket.h;h=6f475b8ff34be81caa612bf1a947d3ad627290ab;hb=962400e8fd29981a7b166e463dd143b6ac6a3e76#l8 shall I change it to u32? Attached is current version for iptables, I remembered being able to invert a match would be great, therefore I added the invertible implicit --exists option. So now, this patch covers all changes, adding the options [!] --exists --transparent --wildcard to the socket match. Markus [-- Attachment #2: iptables-socket-match-exists-wildcard-transparent-options.diff --] [-- Type: text/x-diff, Size: 4417 bytes --] diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index 1490473..03a4f8f 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c 
@@ -3,17 +3,106 @@ * * Copyright (C) 2007 BalaBit IT Ltd. */ +#include <stdio.h> +#include <getopt.h> #include <xtables.h> +#include <linux/netfilter/xt_socket.h> -static struct xtables_match socket_mt_reg = { - .name = "socket", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), +static void socket_mt_help_v1(void) +{ + printf("socket match options:\n" +"--transparent Matches only if the socket's transparent option is set\n" +"--wildcard Match wildcard socket's too\n" +"[!] --exists Match if socket exists (optional), allows inversion\n" + ); +} + +static const struct option socket_opts_v1[] = { + { "transparent", 0, NULL, '1' }, + { "wildcard", 0, NULL, '2' }, + { "exists", 0, NULL, '3' }, + { .name = NULL } +}; + +static int socket_mt_parse_v1(int c, char **argv, int invert, + unsigned int *flags, const void *entry, + struct xt_entry_match **match) +{ + struct xt_socket_mtinfo1 *info = (void *) (*match)->data; + + switch (c) { + case '1': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--transparent", *flags & XT_SOCKET_TRANSPARENT); + info->flags |= XT_SOCKET_TRANSPARENT; + *flags |= XT_SOCKET_TRANSPARENT; + break; + case '2': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--wildcard", *flags & XT_SOCKET_WILDCARD); + info->flags |= XT_SOCKET_WILDCARD; + *flags |= XT_SOCKET_WILDCARD; + break; + case '3': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--exists", *flags & XT_SOCKET_INVERT); + if (invert) + info->flags |= XT_SOCKET_INVERT; + *flags |= XT_SOCKET_INVERT; + break; + default: + return 0; + } + return 1; +} + +static void socket_mt_print_v1(const void *ip, + const struct xt_entry_match *match, + int numeric) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + printf("socket "); + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("transparent "); + if (info->flags & XT_SOCKET_WILDCARD) + printf("wildcard "); + printf("%sexists ", (info->flags & XT_SOCKET_INVERT) ? "! 
" : ""); +} + +static void socket_mt_save_v1(const void *ip, + const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("--transparent "); + + if (info->flags & XT_SOCKET_WILDCARD) + printf("--wildcard "); + + printf("%s--exists ", info->flags & XT_SOCKET_INVERT ? "! " : ""); +} + +static struct xtables_match socket_mt_reg[] = { + { + .name = "socket", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + }, + { + .name = "socket", + .version = XTABLES_VERSION, + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .parse = socket_mt_parse_v1, + .print = socket_mt_print_v1, + .save = socket_mt_save_v1, + .help = socket_mt_help_v1, + .extra_opts = socket_opts_v1, + } }; void _init(void) { - xtables_register_match(&socket_mt_reg); + xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..4acd380 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,12 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
+.BI "\-\-wildcard"
+Matches sockets listening on the \'any\' IP address (0.0.0.0) too.
+.BI "[!] \-\-exists"
+Optional, allows inversion of the match.
+
+
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..6f492ed
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
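Review bot: `socket_mt_save_v1` emits `--exists ` and `socket_mt_print_v1` emits `exists ` for every rule, not only when the user gave `--exists`, because the option's presence is recorded only in `*flags` during parsing and is never stored in `info->flags`; an `iptables-save`/`iptables-restore` round trip therefore turns a plain `-m socket` into `-m socket --exists`, which the kernel treats identically but which makes saved rulesets differ from what was entered. Since the flag only carries information when inverted, printing it conditionally, `if (info->flags & XT_SOCKET_INVERT) printf("! --exists ");` in save and `if (info->flags & XT_SOCKET_INVERT) printf("! exists ");` in print, keeps the output minimal without losing anything; if `--exists` is meant to be visible in saved rules, store a presence bit in `info->flags` as well. The revised hunk `@@ -3,17 +3,108 @@` later in the thread has the same unconditional `--exists` output, keyed on `info->invert`.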
@@ -0,0 +1,14 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+ XT_SOCKET_TRANSPARENT = 1 << 0,
+ XT_SOCKET_WILDCARD = 1 << 1,
+ XT_SOCKET_INVERT = 1 << 2,
+};
+
+struct xt_socket_mtinfo1 {
+ __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: socket match - add wildcard option [2/4] 2010-07-25 19:10 ` Nepenthes Development Team @ 2010-07-25 19:55 ` Jan Engelhardt 2010-07-25 20:00 ` Jan Engelhardt 0 siblings, 1 reply; 7+ messages in thread From: Jan Engelhardt @ 2010-07-25 19:55 UTC (permalink / raw) To: Nepenthes Development Team; +Cc: netfilter-devel On Sunday 2010-07-25 21:10, Nepenthes Development Team wrote: >Hi, > >thanks for your reply. > >>>+static const struct option socket_opts_v1[] = { >>>+ { "transparent", 0, NULL, '1' }, >>>+ { } >>>+}; >> >> Try to use the C99 version. > >Not sure what C99 shall mean in this context, >> { .name = NULL } {.name = "transparent", .has_arg = false, .val = '1'}, {NULL}, >> ' does not need to be escaped, to my knowledge. > >I adopted the syntax from the original manpage, which escapes ', shall >I remove it altogether? Yes, given no other manpage has it. (And I think ' does not need any escaping, unlike -, but someone feel free to educate me otherwise.) >>>+struct xt_socket_mtinfo1 { >>>+ __u8 flags; >>>+}; >> >> I'm sure Eric Dumazet will remind us that u32 is a better idea. > >Adopted, as the kernel already uses __u8 for the socket match flags >http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/netfilter/xt_socket.h;h=6f475b8ff34be81caa612bf1a947d3ad627290ab;hb=962400e8fd29981a7b166e463dd143b6ac6a3e76#l8 >shall I change it to u32? Pending Eric's comment, I would suggest to include a bump to revision 2 of the existing kernel parts for revision 1 - since there is no libxt_socket.c code for revision 1. >Attached is current version for iptables, I remembered being able to >invert a match would be great, therefore I added the invertible >implicit --exists option. if (invert) info->invert |= foo; or alternatively xtables_param_act(...NO_INVERT...) 
/* check existing code */ -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: socket match - add wildcard option [2/4] 2010-07-25 19:55 ` Jan Engelhardt @ 2010-07-25 20:00 ` Jan Engelhardt 2010-07-26 7:57 ` Nepenthes Development Team 0 siblings, 1 reply; 7+ messages in thread From: Jan Engelhardt @ 2010-07-25 20:00 UTC (permalink / raw) To: Nepenthes Development Team; +Cc: Netfilter Developer Mailing List, Eric Dumazet cc'ing Eric On Sunday 2010-07-25 21:55, Jan Engelhardt wrote: > >On Sunday 2010-07-25 21:10, Nepenthes Development Team wrote: >>Hi, >> >>thanks for your reply. >> >>>>+static const struct option socket_opts_v1[] = { >>>>+ { "transparent", 0, NULL, '1' }, >>>>+ { } >>>>+}; >>> >>> Try to use the C99 version. >> >>Not sure what C99 shall mean in this context, >>> { .name = NULL } > >{.name = "transparent", .has_arg = false, .val = '1'}, >{NULL}, > >>> ' does not need to be escaped, to my knowledge. >> >>I adopted the syntax from the original manpage, which escapes ', shall >>I remove it altogether? > >Yes, given no other manpage has it. (And I think ' does not need any >escaping, unlike -, but someone feel free to educate me otherwise.) > >>>>+struct xt_socket_mtinfo1 { >>>>+ __u8 flags; >>>>+}; >>> >>> I'm sure Eric Dumazet will remind us that u32 is a better idea. >> >>Adopted, as the kernel already uses __u8 for the socket match flags >>http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/netfilter/xt_socket.h;h=6f475b8ff34be81caa612bf1a947d3ad627290ab;hb=962400e8fd29981a7b166e463dd143b6ac6a3e76#l8 >>shall I change it to u32? > >Pending Eric's comment, I would suggest to include a bump to >revision 2 of the existing kernel parts for revision 1 - >since there is no libxt_socket.c code for revision 1. > >>Attached is current version for iptables, I remembered being able to >>invert a match would be great, therefore I added the invertible >>implicit --exists option. > >if (invert) > info->invert |= foo; > >or alternatively > >xtables_param_act(...NO_INVERT...) 
/* check existing code */ > >-- >To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in >the body of a message to majordomo@vger.kernel.org >More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: socket match - add wildcard option [2/4] 2010-07-25 20:00 ` Jan Engelhardt @ 2010-07-26 7:57 ` Nepenthes Development Team 2010-08-01 10:04 ` Nepenthes Development Team 0 siblings, 1 reply; 7+ messages in thread From: Nepenthes Development Team @ 2010-07-26 7:57 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, Eric Dumazet [-- Attachment #1: Type: text/plain, Size: 318 bytes --] Hi, current version attached, c99, \', info->invert, xtables_param_act(NO_INVERT) got incorporated/adjusted. for the u8, may I use it for info->invert, or just create 2 u32 for flags and invert, bump the revision number to 2? As invert changes the mtinfo1 struct, changing the revision is required anyway. Markus [-- Attachment #2: iptables-socket-match-exists-wildcard-transparent-options-02.diff --] [-- Type: text/x-diff, Size: 4629 bytes --] diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index 1490473..d921655 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c 
@@ -3,17 +3,108 @@ * * Copyright (C) 2007 BalaBit IT Ltd. */ +#include <stdio.h> +#include <getopt.h> #include <xtables.h> +#include <linux/netfilter/xt_socket.h> -static struct xtables_match socket_mt_reg = { - .name = "socket", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), +static void socket_mt_help_v1(void) +{ + printf("socket match options:\n" +"--transparent Matches only if the socket's transparent option is set\n" +"--wildcard Match wildcard socket's too\n" +"[!] --exists Match if socket exists (optional), allows inversion\n" + ); +} + +static const struct option socket_opts_v1[] = { + { .name = "transparent", .has_arg = false, .flag = NULL, .val = '1' }, + { .name = "wildcard", .has_arg = false, .flag = NULL, .val = '2' }, + { .name = "exists", .has_arg = false, .flag = NULL, .val = '3' }, + { } +}; + +static int socket_mt_parse_v1(int c, char **argv, int invert, + unsigned int *flags, const void *entry, + struct xt_entry_match **match) +{ + struct xt_socket_mtinfo1 *info = (void *) (*match)->data; + + switch (c) { + case '1': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--transparent", *flags & XT_SOCKET_TRANSPARENT); + xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert); + info->flags |= XT_SOCKET_TRANSPARENT; + *flags |= XT_SOCKET_TRANSPARENT; + break; + case '2': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--wildcard", *flags & XT_SOCKET_WILDCARD); + xtables_param_act(XTF_NO_INVERT, "socket", "--wildcard", invert); + info->flags |= XT_SOCKET_WILDCARD; + *flags |= XT_SOCKET_WILDCARD; + break; + case '3': + xtables_param_act(XTF_ONLY_ONCE, "socket", "--exists", *flags & XT_SOCKET_EXISTS); + if (invert) + info->invert = true; + *flags |= XT_SOCKET_EXISTS; + break; + default: + return 0; + } + return 1; +} + +static void socket_mt_print_v1(const void *ip, + const struct xt_entry_match *match, + int numeric) +{ + const struct xt_socket_mtinfo1 *info = (const void 
*)match->data; + printf("socket "); + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("transparent "); + if (info->flags & XT_SOCKET_WILDCARD) + printf("wildcard "); + printf("%sexists ", info->invert ? "! " : ""); +} + +static void socket_mt_save_v1(const void *ip, + const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("--transparent "); + + if (info->flags & XT_SOCKET_WILDCARD) + printf("--wildcard "); + + printf("%s--exists ", info->invert ? "! " : ""); +} + +static struct xtables_match socket_mt_reg[] = { + { + .name = "socket", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + }, + { + .name = "socket", + .version = XTABLES_VERSION, + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .parse = socket_mt_parse_v1, + .print = socket_mt_print_v1, + .save = socket_mt_save_v1, + .help = socket_mt_help_v1, + .extra_opts = socket_opts_v1, + } }; void _init(void) { - xtables_register_match(&socket_mt_reg); + xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..98244f5 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,14 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn't listen on the 'any' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
+.TP
+.BI "\-\-wildcard"
+Matches sockets listening on the 'any' IP address (0.0.0.0) too.
+.TP
+.BI "[!] \-\-exists"
+Optional, allows inversion of the match.
+
+
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..4ee6e7d
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,15 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+ XT_SOCKET_TRANSPARENT = 1 << 0,
+ XT_SOCKET_WILDCARD = 1 << 1,
+ XT_SOCKET_EXISTS = 1 << 2,
+};
+
+struct xt_socket_mtinfo1 {
+ __u8 invert;
+ __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: socket match - add wildcard option [2/4] 2010-07-26 7:57 ` Nepenthes Development Team @ 2010-08-01 10:04 ` Nepenthes Development Team 0 siblings, 0 replies; 7+ messages in thread From: Nepenthes Development Team @ 2010-08-01 10:04 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List Hi, how to proceed with the new options for the iptables socket match? Markus ^ permalink raw reply [flat|nested] 7+ messages in thread