Re: [iptables PATCH 2/2] [TPROXY] Add userspace component of the socket match

On Wednesday 2008-10-08 03:15, KOVACS Krisztian wrote:
>@@ -0,0 +1,39 @@
>+/*
>+ * Shared library add-on to iptables to add early socket matching support.
>+ *
>+ * Copyright (C) 2007 BalaBit IT Ltd.
>+ */
>+#include <stdio.h>
>+#include <getopt.h>
>+#include <iptables.h>
>+
>+static void socket_help(void)
>+{
>+	printf("socket v%s has no options\n\n", XTABLES_VERSION);
>+}
>+
>+static int socket_parse(int c, char **argv, int invert, unsigned int *flags,
>+			const void *entry, struct xt_entry_match **match)
>+{
>+	return 0;
>+}
>+
>+static void socket_check(unsigned int flags)
>+{
>+}
>+
>+static struct xtables_match socket_reg = {
>+	.name	       = "socket",
>+	.version       = XTABLES_VERSION,
>+	.family	       = AF_INET,
>+	.size	       = XT_ALIGN(0),
>+	.userspacesize = XT_ALIGN(0),
>+	.parse	       = socket_parse,
>+	.final_check   = socket_check,
>+	.help	       = socket_help,
>+};
>+
>+void _init(void)
>+{
>+	xtables_register_match(&socket_reg);
>+}
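Review bot: `.family = AF_INET` in the `socket_reg` initializer registers this match for IPv4 only, so it will be unavailable from ip6tables; if the kernel-side socket match also handles IPv6, a second `struct xtables_match` with `.family = AF_INET6` should be registered from `_init()` as well. The empty `socket_parse()` and `socket_check()` bodies are consistent with the "has no options" help text, but a one-line comment saying the match intentionally takes no options would stop the next reader from mistaking the stubs for unfinished code.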

I doubt this trivial code is anything you could copyright.

>--- /dev/null
>+++ b/extensions/libxt_socket.man
>@@ -0,0 +1,2 @@
>+This matches if an open socket can be found by doing a socket lookup on the
>+packet.
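Review bot: The man page text does not say which sockets count as "open" (only established ones, or also bound/listening ones) nor where the match is intended to be used; since the subject ties this to TPROXY, one sentence on the intended table/chain placement and on what the socket lookup actually matches against would let users decide whether the match fits their rule set.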

I think, while at it, this match should be extended by options to find
only listening sockets. People sometimes want something like this
because they cannot possibly know the used port numbers in advance and
do not want to use port ranges that could possibly be too broad (--dport
x:y) and would accidentally match other connections.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
