Re: [PATCH 3/3] xt_owner match

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jan Engelhardt wrote:
As with xt_tos and xt_TOS, the old header files are kept for the time,
and we define a revision 0 which is compatible with ipt_tos/ipt_TOS -
same for xt_owner.

--- net-2.6.25.orig/include/linux/netfilter_ipv4/Kbuild
+++ net-2.6.25/include/linux/netfilter_ipv4/Kbuild
@@ -29,7 +29,6 @@ header-y += ipt_limit.h
 header-y += ipt_mac.h
 header-y += ipt_mark.h
 header-y += ipt_multiport.h
-header-y += ipt_owner.h
 header-y += ipt_physdev.h
 header-y += ipt_pkttype.h
 header-y += ipt_policy.h
Index: net-2.6.25/include/linux/netfilter_ipv6/Kbuild
===================================================================
--- net-2.6.25.orig/include/linux/netfilter_ipv6/Kbuild
+++ net-2.6.25/include/linux/netfilter_ipv6/Kbuild
@@ -13,7 +13,6 @@ header-y += ip6t_mac.h
 header-y += ip6t_mark.h
 header-y += ip6t_multiport.h
 header-y += ip6t_opts.h
-header-y += ip6t_owner.h
 header-y += ip6t_physdev.h
 header-y += ip6t_policy.h
 header-y += ip6t_rt.h

Please keep both.

+config NETFILTER_XT_MATCH_OWNER
+	tristate '"owner" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	Socket owner matching allows you to match locally-generated packets
+	based on who created the socket: the user, group, process or session.

Only user and group are supported.

+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_owner.h>
+#include <linux/netfilter_ipv4/ipt_owner.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+
+static bool
+owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+            const struct net_device *out, const struct xt_match *match,
+            const void *matchinfo, int offset, unsigned int protoff,
+            bool *hotdrop)
+{
+	const struct ipt_owner_info *info = matchinfo;
+	const struct file *filp;
+
+	if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+		return false;
+
+	filp = skb->sk->sk_socket->file;
+	if (filp == NULL)
+		return false;

What would be nice is to allow matching whether a socket exists,
without UID/GID. I had a patch for this for a long time, but
lost it somewhere.

+
+	if (info->match & IPT_OWNER_UID)
+		if ((filp->f_uid != info->uid) ^
+		    !!(info->invert & IPT_OWNER_UID))
+			return false;
+
+	if (info->match & IPT_OWNER_GID)
+		if ((filp->f_gid != info->gid) ^
+		    !!(info->invert & IPT_OWNER_GID))
+			return false;
+
+	return true;
+}
+
+static struct xt_match owner_mt_reg[] __read_mostly = {
+	{
+		.name       = "owner",
+		.revision   = 0,
+		.family     = AF_INET,
+		.match      = owner_mt_v0,
+		.matchsize  = sizeof(struct ipt_owner_info),
+		.checkentry = owner_mt_check_v0,
+		.hooks      = (1 << NF_IP_LOCAL_OUT) |
+		              (1 << NF_IP_POST_ROUTING),

This needs to use NF_INET_...

Please resend all your patches when you want me to apply them.
Thanks.

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux