[iptables PATCH] socket match: added '--transparent' option


 



If the '--transparent' parameter is specified, sockets whose
transparent socket option is not set are ignored.

Signed-off-by: Laszlo Attila Toth <panther@xxxxxxxxxx>
---
 extensions/libxt_socket.c           |   49 ++++++++++++++++++++++++++++++++---
 extensions/libxt_socket.man         |    6 +++-
 include/linux/netfilter/xt_socket.h |    8 +++++
 3 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index eebc7c5..8d789c3 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -6,31 +6,72 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
 static void socket_mt_help(void)
 {
-	printf("socket v%s has no options\n\n", XTABLES_VERSION);
+	printf("socket match options:\n"
+"--transparent      Matches only if the socket's transparent option is set\n");
 }
 
+static const struct option socket_opts[] = {
+	{ "transparent", 0, NULL, '1' },
+	{ }
+};
+
 static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 			const void *entry, struct xt_entry_match **match)
 {
-	return 0;
+	struct xt_socket_match_info *info = (struct xt_socket_match_info *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Can't specify multiple --transparent");
+		info->transparent = 1;
+		*flags = 1;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
 }
 
 static void socket_mt_check(unsigned int flags)
 {
 }
+static void socket_mt_print(const void *ip,
+			    const struct xt_entry_match *target,
+			    int numeric)
+{
+	const struct xt_socket_match_info *info = (const void *)target->data;
+	printf("socket ");
+	if (info->transparent)
+		printf("transparent ");
+}
+
+static void socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_socket_match_info *info =
+	    (const struct xt_socket_match_info*) match->data;
+
+	if (info->transparent)
+		printf("--transparent ");
+}
 
 static struct xtables_match socket_mt_reg = {
 	.name	       = "socket",
 	.version       = XTABLES_VERSION,
 	.family	       = NFPROTO_IPV4,
-	.size	       = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.size	       = XT_ALIGN(sizeof(struct xt_socket_match_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_socket_match_info)),
 	.parse	       = socket_mt_parse,
+	.print         = socket_mt_print,
+	.save          = socket_mt_save,
 	.final_check   = socket_mt_check,
 	.help	       = socket_mt_help,
+	.extra_opts    = socket_opts,
 };
 
 void _init(void)
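Review bot: socket_mt_parse ignores its `invert` argument, so `! --transparent` is accepted and silently behaves exactly like `--transparent`, since neither the option table nor xt_socket_match_info carries an invert bit. Reject it explicitly at the top of `case '1':`, before the flag is set: `if (invert) xtables_error(PARAMETER_PROBLEM, "socket: --transparent cannot be inverted");`. The `.size`/`.userspacesize` now depend on the kernel module reading the same one-bit struct at the same offset; the kernel side is not part of this patch, so that agreement is assumed rather than shown. The `_init` function whose signature closes the hunk continues outside it.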
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..edc9d75 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,6 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..2222d63
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info {
+	__u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
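Review bot: The new header uses `__u8` but includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>`; in libxt_socket.c that presumably happens indirectly through xtables.h, but a header placed under include/linux/netfilter/ is meant to be shared with the kernel and should stand on its own. Add `#include <linux/types.h>` right after the guard. A one-line comment on the struct, such as `/* Userspace/kernel ABI: layout must match the kernel's xt_socket.h */`, would make the size dependency visible to the next editor.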
-- 
1.6.2.2.404.ge96f3


