commit 2dee4f29f447ed446610b9a8e6e8385ce721e457
Author: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
Date: Sun Jan 20 13:15:08 2008 +0100
[NETFILTER]: xt_socket: allow matching UID/GID ranges
Range matching makes it possible to reduce the number of rules required for some setups.
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
index 5d7abb0..70913d9 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/linux/netfilter/xt_socket.h
@@ -8,8 +8,8 @@ enum {
 };
 
 struct xt_socket_mtinfo {
-u_int32_t uid;
-u_int32_t gid;
+u_int32_t uid_min, uid_max;
+u_int32_t gid_min, gid_max;
 u_int8_t match, invert;
 };
 
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index de5116f..07d681c 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -102,12 +102,14 @@ socket_mt(const struct sk_buff *skb, const struct net_device *in,
 (XT_SOCKET_UID | XT_SOCKET_GID)) == 0;
 
 if (info->match & XT_SOCKET_UID)
-if ((filp->f_uid != info->uid) ^
+if ((filp->f_uid >= info->uid_min &&
+filp->f_uid <= info->uid_max) ^
 !!(info->invert & XT_SOCKET_UID))
 return false;
 
 if (info->match & XT_SOCKET_GID)
-if ((filp->f_gid != info->gid) ^
+if ((filp->f_gid >= info->gid_min &&
+filp->f_gid <= info->gid_max) ^
 !!(info->invert & XT_SOCKET_GID))
 return false;
 
- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
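Review bot: The new `uid_min`/`uid_max` and `gid_min`/`gid_max` fields change the size of `struct xt_socket_mtinfo` (two u32 become four), so a userspace extension built against the old layout would mismatch on rule load; if this match carries a revision or a userspace-side size check, it should be updated in the same series, which this diff does not show. The fields also carry no documentation of their semantics, and the .c side tests them with `>=`/`<=`, so a comment above the `uid_min` line such as `/* inclusive [min, max] ranges; set min == max to match a single id */` would make the contract explicit for userspace authors.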
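Review bot: The polarity of the uid test in the second hunk is flipped relative to the code it replaces: the old condition was a mismatch (`filp->f_uid != info->uid`) XORed with the invert bit, while the new one is an in-range match (`>= uid_min && <= uid_max`) XORed with the unchanged `!!(info->invert & XT_SOCKET_UID)`, so a socket whose uid lies inside the range with no invert flag now hits `return false` and a uid outside it passes. Either negate the range test or change the context line to `!(info->invert & XT_SOCKET_UID))`, and likewise `!(info->invert & XT_SOCKET_GID))` for the gid branch a few lines below. Nothing in the hunk rejects `uid_min > uid_max` (or the gid equivalent), so such a rule would silently never match unless a checkentry hook outside this diff validates it; that is worth confirming. `socket_mt` begins before the hunk start.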