Convert ipt_owner to xt_owner, adding support for IPv6.
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
---
include/linux/netfilter/xt_owner.h | 15 ++++++
net/netfilter/Kconfig | 7 +++
net/netfilter/Makefile | 1
net/netfilter/xt_owner.c | 82 +++++++++++++++++++++++++++++++++++++
4 files changed, 105 insertions(+)
Index: gitone/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ gitone/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,15 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+};
+
+struct xt_owner_info {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
Index: gitone/net/netfilter/Kconfig
===================================================================
--- gitone.orig/net/netfilter/Kconfig
+++ gitone/net/netfilter/Kconfig
@@ -554,6 +554,13 @@ config NETFILTER_XT_MATCH_MARK
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_OWNER
+ tristate '"owner" match support'
+ depends on NETFILTER_XTABLES
+ ---help---
+ Socket owner matching allows you to match locally-generated packets
+ based on who created the socket: the user, group, process or session.
+
config NETFILTER_XT_MATCH_POLICY
tristate 'IPsec "policy" match support'
depends on NETFILTER_XTABLES && XFRM
Index: gitone/net/netfilter/Makefile
===================================================================
--- gitone.orig/net/netfilter/Makefile
+++ gitone/net/netfilter/Makefile
@@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) +
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
Index: gitone/net/netfilter/xt_owner.c
===================================================================
--- /dev/null
+++ gitone/net/netfilter/xt_owner.c
@@ -0,0 +1,82 @@
+/* Kernel module to match various things tied to sockets associated with
+ locally generated outgoing packets. */
+
+/*
+ * (C) 2000 Marc Boucher <marc@xxxxxxx>
+ * © 2007 CC Computer Consultants GmbH <jengelh@xxxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_owner.h>
+
+static bool
+xt_owner_match(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_owner_info *info = matchinfo;
+
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL ||
+ skb->sk->sk_socket->file == NULL)
+ return false;
+
+ if (info->match & XT_OWNER_UID)
+ if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
+ !!(info->invert & XT_OWNER_UID))
+ return false;
+
+ if (info->match & XT_OWNER_GID)
+ if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
+ !!(info->invert & XT_OWNER_GID))
+ return false;
+
+ return true;
+}
+
+static struct xt_match xt_owner_reg[] __read_mostly = {
+ {
+ .name = "owner",
+ .family = AF_INET,
+ .match = xt_owner_match,
+ .matchsize = sizeof(struct xt_owner_info),
+ .hooks = (1 << NF_IP_LOCAL_OUT) |
+ (1 << NF_IP_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .family = AF_INET6,
+ .match = xt_owner_match,
+ .matchsize = sizeof(struct xt_owner_info),
+ .hooks = (1 << NF_IP_LOCAL_OUT) |
+ (1 << NF_IP_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init xt_owner_init(void)
+{
+ return xt_register_matches(xt_owner_reg, ARRAY_SIZE(xt_owner_reg));
+}
+
+static void __exit xt_owner_exit(void)
+{
+ xt_unregister_matches(xt_owner_reg, ARRAY_SIZE(xt_owner_reg));
+}
+
+module_init(xt_owner_init);
+module_exit(xt_owner_exit);
+MODULE_AUTHOR("Marc Boucher <marc@xxxxxxx>");
+MODULE_DESCRIPTION("iptables owner match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_owner");
+MODULE_ALIAS("ip6t_owner");
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
