Jan Engelhardt wrote:
As with xt_tos and xt_TOS, the old header files are kept for the time, and we define a revision 0 which is compatible with ipt_tos/ipt_TOS - same for xt_owner. --- net-2.6.25.orig/include/linux/netfilter_ipv4/Kbuild +++ net-2.6.25/include/linux/netfilter_ipv4/Kbuild @@ -29,7 +29,6 @@ header-y += ipt_limit.h header-y += ipt_mac.h header-y += ipt_mark.h header-y += ipt_multiport.h -header-y += ipt_owner.h header-y += ipt_physdev.h header-y += ipt_pkttype.h header-y += ipt_policy.h Index: net-2.6.25/include/linux/netfilter_ipv6/Kbuild =================================================================== --- net-2.6.25.orig/include/linux/netfilter_ipv6/Kbuild +++ net-2.6.25/include/linux/netfilter_ipv6/Kbuild @@ -13,7 +13,6 @@ header-y += ip6t_mac.h header-y += ip6t_mark.h header-y += ip6t_multiport.h header-y += ip6t_opts.h -header-y += ip6t_owner.h header-y += ip6t_physdev.h header-y += ip6t_policy.h header-y += ip6t_rt.h
Please keep both.
+config NETFILTER_XT_MATCH_OWNER + tristate '"owner" match support' + depends on NETFILTER_XTABLES + ---help--- + Socket owner matching allows you to match locally-generated packets + based on who created the socket: the user, group, process or session.
Only user and group are supported.
+#include <linux/module.h> +#include <linux/skbuff.h> +#include <linux/file.h> +#include <net/sock.h> +#include <linux/netfilter/x_tables.h> +#include <linux/netfilter/xt_owner.h> +#include <linux/netfilter_ipv4/ipt_owner.h> +#include <linux/netfilter_ipv6/ip6t_owner.h> + +static bool +owner_mt_v0(const struct sk_buff *skb, const struct net_device *in, + const struct net_device *out, const struct xt_match *match, + const void *matchinfo, int offset, unsigned int protoff, + bool *hotdrop) +{ + const struct ipt_owner_info *info = matchinfo; + const struct file *filp; + + if (skb->sk == NULL || skb->sk->sk_socket == NULL) + return false; + + filp = skb->sk->sk_socket->file; + if (filp == NULL) + return false;
What would be nice is to allow matching whether a socket exists, without UID/GID. I had a patch for this for a long time, but lost it somewhere.
+ + if (info->match & IPT_OWNER_UID) + if ((filp->f_uid != info->uid) ^ + !!(info->invert & IPT_OWNER_UID)) + return false; + + if (info->match & IPT_OWNER_GID) + if ((filp->f_gid != info->gid) ^ + !!(info->invert & IPT_OWNER_GID)) + return false; + + return true; +} + +static struct xt_match owner_mt_reg[] __read_mostly = { + { + .name = "owner", + .revision = 0, + .family = AF_INET, + .match = owner_mt_v0, + .matchsize = sizeof(struct ipt_owner_info), + .checkentry = owner_mt_check_v0, + .hooks = (1 << NF_IP_LOCAL_OUT) | + (1 << NF_IP_POST_ROUTING),
This needs to use NF_INET_... Please resend all your patches when you want me to apply them. Thanks. - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html