linux-netfilter-socket-wildcard.diff - extend xt_socket by --wildcard option Yes, I just noticed that each reply to my own mail starts a new thread; sorry, but I did not receive my own mail back from majordomo to reply to.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
index 6f475b8..9df8747 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/linux/netfilter/xt_socket.h
@@ -3,6 +3,7 @@
 enum {
 XT_SOCKET_TRANSPARENT = 1 << 0,
+ XT_SOCKET_WILDCARD = 1 << 1,
 };
 struct xt_socket_mtinfo1 {
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 3d54c23..6ca4622 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -144,12 +144,14 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
 saddr, daddr, sport, dport, par->in, false);
 if (sk != NULL) {
- bool wildcard;
+ bool wildcard = false;
 bool transparent = true;
- /* Ignore sockets listening on INADDR_ANY */
- wildcard = (sk->sk_state != TCP_TIME_WAIT &&
- inet_sk(sk)->inet_rcv_saddr == 0);
+ /* Ignore sockets listening on INADDR_ANY
+ if not specified otherwise */
+ if (!info || !(info->flags & XT_SOCKET_WILDCARD))
+ wildcard = (sk->sk_state != TCP_TIME_WAIT &&
+ inet_sk(sk)->inet_rcv_saddr == 0);
 /* Ignore non-transparent sockets, if XT_SOCKET_TRANSPARENT is used */
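Review bot: XT_SOCKET_WILDCARD is a new userspace-visible flag bit in the enum, but nothing beside it says what it selects; a one-line comment would help, e.g. `XT_SOCKET_WILDCARD = 1 << 1, /* also match sockets bound to INADDR_ANY (0.0.0.0) */`. Per the xt_socket.c hunk below, setting it stops the match from discarding wildcard-bound sockets, so a rule carrying it matches more traffic than the same rule without it — worth stating on the flag so rule authors see the broadening. Whether the revision-1 checkentry rejects flag bits it does not know is not visible here; if it does not, a rule built with this bit against a kernel without the feature would be accepted and silently fall back to the old behaviour rather than failing at insertion. The struct xt_socket_mtinfo1 definition that carries the flags field continues outside the hunk.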