[PATCH 1/2] socket: Added 'transparent' option

Laszlo Attila Toth <panther@xxxxxxxxxx> · Fri, 24 Apr 2009 15:30:19 +0200

The socket match has an own matchinfo structure, with one boolean field,
transparent, which is true when only transparent sockets can be matched.

Signed-off-by: Laszlo Attila Toth <panther@xxxxxxxxxx>
---
 include/linux/netfilter/xt_socket.h |    8 ++++++++
 net/netfilter/xt_socket.c           |    8 ++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..2222d63
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info {
+	__u8 transparent:1;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..b894a10 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -94,6 +96,7 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	__be32 daddr, saddr;
 	__be16 dport, sport;
 	u8 protocol;
+	const struct xt_socket_match_info *info = par->matchinfo;
 #ifdef XT_SOCKET_HAVE_CONNTRACK
 	struct nf_conn const *ct;
 	enum ip_conntrack_info ctinfo;
@@ -142,10 +145,14 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT && inet_twsk(sk)->tw_transparent);
 
 		nf_tproxy_put_sock(sk);
 		if (wildcard)
 			sk = NULL;
+		else if (info->transparent && !transparent)
+			sk = NULL;
 	}
 
 	pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
@@ -161,6 +168,7 @@ static struct xt_match socket_mt_reg __read_mostly = {
 	.name		= "socket",
 	.family		= AF_INET,
 	.match		= socket_mt,
+	.matchsize	= sizeof(struct xt_socket_match_info),
 	.hooks		= 1 << NF_INET_PRE_ROUTING,
 	.me		= THIS_MODULE,
 };
-- 
1.6.2.2.404.ge96f3

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




