[10/10] [IPTABLES]: Split code into libxt_socket

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Split out the new code into libxt_socket.

Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>

---
 extensions/libxt_owner.c            |  182 -----------------------------
 extensions/libxt_owner.man          |   19 ---
 extensions/libxt_socket.c           |  220 ++++++++++++++++++++++++++++++++++++
 extensions/libxt_socket.man         |   19 +++
 include/linux/netfilter/xt_owner.h  |   16 --
 include/linux/netfilter/xt_socket.h |   16 ++
 6 files changed, 255 insertions(+), 217 deletions(-)

Index: iptables/extensions/libxt_owner.c
===================================================================
--- iptables.orig/extensions/libxt_owner.c
+++ iptables/extensions/libxt_owner.c
@@ -14,7 +14,6 @@
 #include <string.h>
 
 #include <xtables.h>
-#include <linux/netfilter/xt_owner.h>
 #include <linux/netfilter_ipv4/ipt_owner.h>
 #include <linux/netfilter_ipv6/ip6t_owner.h>
 
@@ -63,16 +62,6 @@ static void owner_mt6_help_v0(void)
 "\n");
 }
 
-static void owner_mt_help(void)
-{
-	printf(
-"owner match options:\n"
-"[!] --uid-owner userid[-userid]      Match local UID\n"
-"[!] --gid-owner groupid[-groupid]    Match local GID\n"
-"[!] --socket-exists                  Match if socket exists\n"
-"\n");
-}
-
 static const struct option owner_mt_opts_v0[] = {
 	{.name = "uid-owner", .has_arg = true, .val = 'u'},
 	{.name = "gid-owner", .has_arg = true, .val = 'g'},
@@ -92,13 +81,6 @@ static const struct option owner_mt6_opt
 	{},
 };
 
-static const struct option owner_mt_opts[] = {
-	{.name = "uid-owner",     .has_arg = true,  .val = 'u'},
-	{.name = "gid-owner",     .has_arg = true,  .val = 'g'},
-	{.name = "socket-exists", .has_arg = false, .val = 'k'},
-	{},
-};
-
 static int
 owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
                   const void *entry, struct xt_entry_match **match)
@@ -243,74 +225,6 @@ owner_mt6_parse_v0(int c, char **argv, i
 	return false;
 }
 
-static void owner_parse_range(const char *s, unsigned int *from,
-                              unsigned int *to, const char *opt)
-{
-	char *end;
-
-	/* 4294967295 is reserved, so subtract one from ~0 */
-	if (!strtonum(s, &end, from, 0, (~(uid_t)0) - 1))
-		param_act(P_BAD_VALUE, "owner", opt, s);
-	*to = *from;
-	if (*end == '-' || *end == ':')
-		if (!strtonum(end + 1, &end, to, 0, (~(uid_t)0) - 1))
-			param_act(P_BAD_VALUE, "owner", opt, s);
-	if (*end != '\0')
-		param_act(P_BAD_VALUE, "owner", opt, s);
-}
-
-static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
-                          const void *entry, struct xt_entry_match **match)
-{
-	struct xt_owner_match_info *info = (void *)(*match)->data;
-	struct passwd *pwd;
-	struct group *grp;
-	unsigned int from, to;
-
-	switch (c) {
-	case 'u':
-		param_act(P_ONLY_ONCE, "owner", "--uid-owner",
-		          *flags & FLAG_UID_OWNER);
-		if ((pwd = getpwnam(optarg)) != NULL)
-			from = to = pwd->pw_uid;
-		else
-			owner_parse_range(optarg, &from, &to, "--uid-owner");
-		if (invert)
-			info->invert |= XT_OWNER_UID;
-		info->match  |= XT_OWNER_UID;
-		info->uid_min = from;
-		info->uid_max = to;
-		*flags       |= FLAG_UID_OWNER;
-		return true;
-
-	case 'g':
-		param_act(P_ONLY_ONCE, "owner", "--gid-owner",
-		          *flags & FLAG_GID_OWNER);
-		if ((grp = getgrnam(optarg)) != NULL)
-			from = to = grp->gr_gid;
-		else
-			owner_parse_range(optarg, &from, &to, "--gid-owner");
-		if (invert)
-			info->invert |= XT_OWNER_GID;
-		info->match  |= XT_OWNER_GID;
-		info->gid_min = from;
-		info->gid_max = to;
-		*flags      |= FLAG_GID_OWNER;
-		return true;
-
-	case 'k':
-		param_act(P_ONLY_ONCE, "owner", "--socket-exists",
-		          *flags & FLAG_SOCKET_EXISTS);
-		if (invert)
-			info->invert |= XT_OWNER_SOCKET;
-		info->match |= XT_OWNER_SOCKET;
-		*flags |= FLAG_SOCKET_EXISTS;
-		return true;
-
-	}
-	return false;
-}
-
 static void owner_mt_check(unsigned int flags)
 {
 	if (flags == 0)
@@ -416,51 +330,6 @@ owner_mt6_print_item_v0(const struct ip6
 }
 
 static void
-owner_mt_print_item(const struct xt_owner_match_info *info, const char *label,
-                    u_int8_t flag, bool numeric)
-{
-	if (!(info->match & flag))
-		return;
-	if (info->invert & flag)
-		printf("! ");
-	printf(label);
-
-	switch (info->match & flag) {
-	case XT_OWNER_UID:
-		if (info->uid_min != info->uid_max) {
-			printf("%u-%u ", (unsigned int)info->uid_min,
-			       (unsigned int)info->uid_max);
-			break;
-		} else if (!numeric) {
-			const struct passwd *pwd = getpwuid(info->uid_min);
-
-			if (pwd != NULL && pwd->pw_name != NULL) {
-				printf("%s ", pwd->pw_name);
-				break;
-			}
-		}
-		printf("%u ", (unsigned int)info->uid_min);
-		break;
-
-	case XT_OWNER_GID:
-		if (info->gid_min != info->gid_max) {
-			printf("%u-%u ", (unsigned int)info->gid_min,
-			       (unsigned int)info->gid_max);
-			break;
-		} else if (!numeric) {
-			const struct group *grp = getgrgid(info->gid_min);
-
-			if (grp != NULL && grp->gr_name != NULL) {
-				printf("%s ", grp->gr_name);
-				break;
-			}
-		}
-		printf("%u ", (unsigned int)info->gid_min);
-		break;
-	}
-}
-
-static void
 owner_mt_print_v0(const void *ip, const struct xt_entry_match *match,
                   int numeric)
 {
@@ -487,16 +356,6 @@ owner_mt6_print_v0(const void *ip, const
 	owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, numeric);
 }
 
-static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
-                           int numeric)
-{
-	const struct xt_owner_match_info *info = (void *)match->data;
-
-	owner_mt_print_item(info, "owner socket exists ", XT_OWNER_SOCKET, numeric);
-	owner_mt_print_item(info, "owner UID match ",     XT_OWNER_UID,    numeric);
-	owner_mt_print_item(info, "owner GID match ",     XT_OWNER_GID,    numeric);
-}
-
 static void
 owner_mt_save_v0(const void *ip, const struct xt_entry_match *match)
 {
@@ -522,15 +381,6 @@ owner_mt6_save_v0(const void *ip, const 
 	owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, true);
 }
 
-static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct xt_owner_match_info *info = (void *)match->data;
-
-	owner_mt_print_item(info, "--socket-exists ", XT_OWNER_SOCKET, false);
-	owner_mt_print_item(info, "--uid-owner",      XT_OWNER_UID,    false);
-	owner_mt_print_item(info, "--gid-owner",      XT_OWNER_GID,    false);
-}
-
 static struct xtables_match owner_mt_reg_v0 = {
 	.version       = IPTABLES_VERSION,
 	.name          = "owner",
@@ -561,41 +411,9 @@ static struct xtables_match owner_mt6_re
 	.extra_opts    = owner_mt6_opts_v0,
 };
 
-static struct xtables_match owner_mt_reg = {
-	.version       = IPTABLES_VERSION,
-	.name          = "owner",
-	.revision      = 1,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_owner_match_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
-	.help          = owner_mt_help,
-	.parse         = owner_mt_parse,
-	.final_check   = owner_mt_check,
-	.print         = owner_mt_print,
-	.save          = owner_mt_save,
-	.extra_opts    = owner_mt_opts,
-};
-
-static struct xtables_match owner_mt6_reg = {
-	.version       = IPTABLES_VERSION,
-	.name          = "owner",
-	.revision      = 1,
-	.family        = AF_INET6,
-	.size          = XT_ALIGN(sizeof(struct xt_owner_match_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
-	.help          = owner_mt_help,
-	.parse         = owner_mt_parse,
-	.final_check   = owner_mt_check,
-	.print         = owner_mt_print,
-	.save          = owner_mt_save,
-	.extra_opts    = owner_mt_opts,
-};
-
 void _init(void);
 void _init(void)
 {
 	xtables_register_match(&owner_mt_reg_v0);
 	xtables_register_match(&owner_mt6_reg_v0);
-	xtables_register_match(&owner_mt_reg);
-	xtables_register_match(&owner_mt6_reg);
 }
Index: iptables/extensions/libxt_owner.man
===================================================================
--- iptables.orig/extensions/libxt_owner.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This module attempts to match various characteristics of the packet creator,
-for locally generated packets. This match is only valid in the OUTPUT and
-POSTROUTING chains. Forwarded packets do not have any socket associated with
-them. Packets from kernel threads do have a socket, but usually no owner.
-.TP
-\fB--uid-owner\fR \fIusername\fR
-.TP
-\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
-Matches if the packet socket's file structure (if it has one) is owned by the
-given user. You may also specify a numerical UID, or an UID range.
-.TP
-\fB--gid-owner\fR \fIgroupname\fR
-.TP
-\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
-Matches if the packet socket's file structure is owned by the given group.
-You may also specify a numerical GID, or a GID range.
-.TP
-\fB--socket-exists\fR
-Matches if the packet is associated with a socket.
Index: iptables/extensions/libxt_socket.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.c
@@ -0,0 +1,220 @@
+/*
+ *	libxt_socket - iptables addon for xt_socket
+ *
+ *	Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ *	Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
+
+enum {
+	FLAG_UID_OWNER     = 1 << 0,
+	FLAG_GID_OWNER     = 1 << 1,
+	FLAG_SOCKET_EXISTS = 1 << 2,
+};
+
+static void socket_mt_help(void)
+{
+	printf(
+"owner match options:\n"
+"[!] --uid-owner userid[-userid]      Match local UID\n"
+"[!] --gid-owner groupid[-groupid]    Match local GID\n"
+"[!] --socket-exists                  Match if socket exists\n"
+"\n");
+}
+
+static const struct option socket_mt_opts[] = {
+	{.name = "uid-owner",     .has_arg = true,  .val = 'u'},
+	{.name = "gid-owner",     .has_arg = true,  .val = 'g'},
+	{.name = "socket-exists", .has_arg = false, .val = 'k'},
+	{},
+};
+
+static void owner_parse_range(const char *s, unsigned int *from,
+                              unsigned int *to, const char *opt)
+{
+	char *end;
+
+	/* 4294967295 is reserved, so subtract one from ~0 */
+	if (!strtonum(s, &end, from, 0, (~(uid_t)0) - 1))
+		param_act(P_BAD_VALUE, "owner", opt, s);
+	*to = *from;
+	if (*end == '-' || *end == ':')
+		if (!strtonum(end + 1, &end, to, 0, (~(uid_t)0) - 1))
+			param_act(P_BAD_VALUE, "owner", opt, s);
+	if (*end != '\0')
+		param_act(P_BAD_VALUE, "owner", opt, s);
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                           const void *entry, struct xt_entry_match **match)
+{
+	struct xt_socket_mtinfo *info = (void *)(*match)->data;
+	struct passwd *pwd;
+	struct group *grp;
+	unsigned int from, to;
+
+	switch (c) {
+	case 'u':
+		param_act(P_ONLY_ONCE, "owner", "--uid-owner",
+		          *flags & FLAG_UID_OWNER);
+		if ((pwd = getpwnam(optarg)) != NULL)
+			from = to = pwd->pw_uid;
+		else
+			owner_parse_range(optarg, &from, &to, "--uid-owner");
+		if (invert)
+			info->invert |= XT_SOCKET_UID;
+		info->match  |= XT_SOCKET_UID;
+		info->uid_min = from;
+		info->uid_max = to;
+		*flags       |= FLAG_UID_OWNER;
+		return true;
+
+	case 'g':
+		param_act(P_ONLY_ONCE, "owner", "--gid-owner",
+		          *flags & FLAG_GID_OWNER);
+		if ((grp = getgrnam(optarg)) != NULL)
+			from = to = grp->gr_gid;
+		else
+			owner_parse_range(optarg, &from, &to, "--gid-owner");
+		if (invert)
+			info->invert |= XT_SOCKET_GID;
+		info->match  |= XT_SOCKET_GID;
+		info->gid_min = from;
+		info->gid_max = to;
+		*flags      |= FLAG_GID_OWNER;
+		return true;
+
+	case 'k':
+		param_act(P_ONLY_ONCE, "owner", "--socket-exists",
+		          *flags & FLAG_SOCKET_EXISTS);
+		if (invert)
+			info->invert |= XT_SOCKET_EXISTS;
+		info->match |= XT_SOCKET_EXISTS;
+		*flags |= FLAG_SOCKET_EXISTS;
+		return true;
+
+	}
+	return false;
+}
+
+static void socket_mt_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM, "owner: At least one of "
+		           "--uid-owner, --gid-owner or --socket-exists "
+		           "is required");
+}
+
+static void
+socket_mt_print_item(const struct xt_socket_mtinfo *info, const char *label,
+                     u_int8_t flag, bool numeric)
+{
+	if (!(info->match & flag))
+		return;
+	if (info->invert & flag)
+		printf("! ");
+	printf(label);
+
+	switch (info->match & flag) {
+	case XT_SOCKET_UID:
+		if (info->uid_min != info->uid_max) {
+			printf("%u-%u ", (unsigned int)info->uid_min,
+			       (unsigned int)info->uid_max);
+			break;
+		} else if (!numeric) {
+			const struct passwd *pwd = getpwuid(info->uid_min);
+
+			if (pwd != NULL && pwd->pw_name != NULL) {
+				printf("%s ", pwd->pw_name);
+				break;
+			}
+		}
+		printf("%u ", (unsigned int)info->uid_min);
+		break;
+
+	case XT_SOCKET_GID:
+		if (info->gid_min != info->gid_max) {
+			printf("%u-%u ", (unsigned int)info->gid_min,
+			       (unsigned int)info->gid_max);
+			break;
+		} else if (!numeric) {
+			const struct group *grp = getgrgid(info->gid_min);
+
+			if (grp != NULL && grp->gr_name != NULL) {
+				printf("%s ", grp->gr_name);
+				break;
+			}
+		}
+		printf("%u ", (unsigned int)info->gid_min);
+		break;
+	}
+}
+
+static void socket_mt_print(const void *ip, const struct xt_entry_match *match,
+                            int numeric)
+{
+	const struct xt_socket_mtinfo *info = (void *)match->data;
+
+	socket_mt_print_item(info, "owner socket exists ",
+	                     XT_SOCKET_EXISTS, numeric);
+	socket_mt_print_item(info, "owner UID match ",
+	                     XT_SOCKET_UID, numeric);
+	socket_mt_print_item(info, "owner GID match ",
+	                     XT_SOCKET_GID, numeric);
+}
+
+static void socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_socket_mtinfo *info = (void *)match->data;
+
+	socket_mt_print_item(info, "--socket-exists ", XT_SOCKET_EXISTS, false);
+	socket_mt_print_item(info, "--uid-owner",      XT_SOCKET_UID,    false);
+	socket_mt_print_item(info, "--gid-owner",      XT_SOCKET_GID,    false);
+}
+
+static struct xtables_match socket_mt_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "socket",
+	.revision      = 0,
+	.family        = AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+	.help          = socket_mt_help,
+	.parse         = socket_mt_parse,
+	.final_check   = socket_mt_check,
+	.print         = socket_mt_print,
+	.save          = socket_mt_save,
+	.extra_opts    = socket_mt_opts,
+};
+
+static struct xtables_match socket_mt6_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "socket",
+	.revision      = 0,
+	.family        = AF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+	.help          = socket_mt_help,
+	.parse         = socket_mt_parse,
+	.final_check   = socket_mt_check,
+	.print         = socket_mt_print,
+	.save          = socket_mt_save,
+	.extra_opts    = socket_mt_opts,
+};
+
+void _init(void);
+void _init(void)
+{
+	xtables_register_match(&socket_mt_reg);
+	xtables_register_match(&socket_mt6_reg);
+}
Index: iptables/extensions/libxt_socket.man
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.man
@@ -0,0 +1,19 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is currently only valid in the OUTPUT
+and POSTROUTING chains. Forwarded packets do not have any socket associated
+with them. Packets from kernel threads do have a socket, but usually no owner.
+.TP
+\fB--uid-owner\fR \fIusername\fR
+.TP
+\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+\fB--gid-owner\fR \fIgroupname\fR
+.TP
+\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
+.TP
+\fB--socket-exists\fR
+Matches if the packet is associated with a socket.
Index: iptables/include/linux/netfilter/xt_owner.h
===================================================================
--- iptables.orig/include/linux/netfilter/xt_owner.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef _XT_OWNER_MATCH_H
-#define _XT_OWNER_MATCH_H
-
-enum {
-	XT_OWNER_UID    = 1 << 0,
-	XT_OWNER_GID    = 1 << 1,
-	XT_OWNER_SOCKET = 1 << 2,
-};
-
-struct xt_owner_match_info {
-	u_int32_t uid_min, uid_max;
-	u_int32_t gid_min, gid_max;
-	u_int8_t match, invert;
-};
-
-#endif /* _XT_OWNER_MATCH_H */
Index: iptables/include/linux/netfilter/xt_socket.h
===================================================================
--- /dev/null
+++ iptables/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,16 @@
+#ifndef _XT_SOCKET_MATCH_H
+#define _XT_SOCKET_MATCH_H
+
+enum {
+	XT_SOCKET_UID    = 1 << 0,
+	XT_SOCKET_GID    = 1 << 1,
+	XT_SOCKET_EXISTS = 1 << 2,
+};
+
+struct xt_socket_mtinfo {
+	u_int32_t uid_min, uid_max;
+	u_int32_t gid_min, gid_max;
+	u_int8_t match, invert;
+};
+
+#endif /* _XT_SOCKET_MATCH_H */
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux