Re: [PATCH 3/3] xt_owner match

[Patrick McHardy <kaber@xxxxxxxxx>]

Jan Engelhardt wrote:
> As with xt_tos and xt_TOS, the old header files are kept for the time,
> and we define a revision 0 which is compatible with ipt_tos/ipt_TOS -
> same for xt_owner.
>
> --- net-2.6.25.orig/include/linux/netfilter_ipv4/Kbuild
> +++ net-2.6.25/include/linux/netfilter_ipv4/Kbuild
> @@ -29,7 +29,6 @@ header-y += ipt_limit.h
>  header-y += ipt_mac.h
>  header-y += ipt_mark.h
>  header-y += ipt_multiport.h
> -header-y += ipt_owner.h
>  header-y += ipt_physdev.h
>  header-y += ipt_pkttype.h
>  header-y += ipt_policy.h
> Index: net-2.6.25/include/linux/netfilter_ipv6/Kbuild
> ===================================================================
> --- net-2.6.25.orig/include/linux/netfilter_ipv6/Kbuild
> +++ net-2.6.25/include/linux/netfilter_ipv6/Kbuild
> @@ -13,7 +13,6 @@ header-y += ip6t_mac.h
>  header-y += ip6t_mark.h
>  header-y += ip6t_multiport.h
>  header-y += ip6t_opts.h
> -header-y += ip6t_owner.h
>  header-y += ip6t_physdev.h
>  header-y += ip6t_policy.h
>  header-y += ip6t_rt.h

Please keep both.

> +config NETFILTER_XT_MATCH_OWNER
> +	tristate '"owner" match support'
> +	depends on NETFILTER_XTABLES
> +	---help---
> +	Socket owner matching allows you to match locally-generated packets
> +	based on who created the socket: the user, group, process or session.

Only user and group are supported.

> +#include <linux/module.h>
> +#include <linux/skbuff.h>
> +#include <linux/file.h>
> +#include <net/sock.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter/xt_owner.h>
> +#include <linux/netfilter_ipv4/ipt_owner.h>
> +#include <linux/netfilter_ipv6/ip6t_owner.h>
> +
> +static bool
> +owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
> +            const struct net_device *out, const struct xt_match *match,
> +            const void *matchinfo, int offset, unsigned int protoff,
> +            bool *hotdrop)
> +{
> +	const struct ipt_owner_info *info = matchinfo;
> +	const struct file *filp;
> +
> +	if (skb->sk == NULL || skb->sk->sk_socket == NULL)
> +		return false;
> +
> +	filp = skb->sk->sk_socket->file;
> +	if (filp == NULL)
> +		return false;

What would be nice is to allow matching whether a socket exists,
without UID/GID. I had a patch for this for a long time, but
lost it somewhere.

> +
> +	if (info->match & IPT_OWNER_UID)
> +		if ((filp->f_uid != info->uid) ^
> +		    !!(info->invert & IPT_OWNER_UID))
> +			return false;
> +
> +	if (info->match & IPT_OWNER_GID)
> +		if ((filp->f_gid != info->gid) ^
> +		    !!(info->invert & IPT_OWNER_GID))
> +			return false;
> +
> +	return true;
> +}
> +
> +static struct xt_match owner_mt_reg[] __read_mostly = {
> +	{
> +		.name       = "owner",
> +		.revision   = 0,
> +		.family     = AF_INET,
> +		.match      = owner_mt_v0,
> +		.matchsize  = sizeof(struct ipt_owner_info),
> +		.checkentry = owner_mt_check_v0,
> +		.hooks      = (1 << NF_IP_LOCAL_OUT) |
> +		              (1 << NF_IP_POST_ROUTING),

This needs to use NF_INET_...

Please resend all your patches when you want me to apply them.
Thanks.

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html