On Sunday 2010-07-25 16:50, Nepenthes Development Team wrote:
>iptables-socket-match-add-transparent-option.diff
> - apply patch to add the --transparent option from
> http://article.gmane.org/gmane.comp.security.firewalls.netfilter.devel/30246
>
>Added new revision of the socket match.
>
>if the '--transparent' parameter is specified, the sockets without
>set transparent socket option are ignored.
>
>Signed-off-by: Laszlo Attila Toth <panther <at> balabit.hu>
This needs your own SOB.
>diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
>index eebc7c5..2230a93 100644
>--- a/extensions/libxt_socket.c
>+++ b/extensions/libxt_socket.c
>@@ -6,34 +6,101 @@
> #include <stdio.h>
> #include <getopt.h>
> #include <xtables.h>
>+#include <linux/netfilter/xt_socket.h>
>
>-static void socket_mt_help(void)
>+static void socket_mt_help_v0(void)
> {
>- printf("socket v%s has no options\n\n", XTABLES_VERSION);
>+ printf("socket match has no options.\n\n");
> }
Since the function is not essential, I see no point in adding it in the first place - the "has no options" text is autogenerated.
>
>-static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
>- const void *entry, struct xt_entry_match **match)
>+static void socket_mt_help_v1(void)
>+{
>+ printf("socket match options:\n"
>+"--transparent Matches only if the socket's transparent option is set\n");
>+}
>+
>+static const struct option socket_opts_v1[] = {
>+ { "transparent", 0, NULL, '1' },
>+ { }
>+};
Try to use the C99 version.
>+
>+static int socket_mt_parse_v0(int c, char **argv, int invert,
>+ unsigned int *flags, const void *entry,
>+ struct xt_entry_match **match)
> {
> return 0;
> }
Similarly pointless.
>+static int socket_mt_parse_v1(int c, char **argv, int invert,
>+ unsigned int *flags, const void *entry,
>+ struct xt_entry_match **match)
>+{
>+ struct xt_socket_mtinfo1 *info = (void *) (*match)->data;
>+
>+ switch (c) {
>+ case '1':
>+ if (*flags)
>+ xtables_error(PARAMETER_PROBLEM,
>+ "Can't specify multiple --transparent");
See existing code for xtables_param_act(..)
>+ info->flags |= XT_SOCKET_TRANSPARENT;
>+ *flags = 1;
>+ break;
>+ default:
>+ return 0;
>+ }
>+ return 1;
>+}
>+
> static void socket_mt_check(unsigned int flags)
> {
> }
This one is not needed either
>+ .name = "socket",
>+ .revision = 0,
>+ .version = XTABLES_VERSION,
>+ .family = NFPROTO_IPV4,
>+ .parse = socket_mt_parse_v0,
>+ .final_check = socket_mt_check,
>+ .help = socket_mt_help_v0,
>+};
>+
>+static struct xtables_match socket_mt_reg_v1 = {
>+ .name = "socket",
>+ .version = XTABLES_VERSION,
>+ .revision = 1,
>+ .family = NFPROTO_IPV4,
>+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
>+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
>+ .parse = socket_mt_parse_v1,
>+ .print = socket_mt_print_v1,
>+ .save = socket_mt_save_v1,
>+ .final_check = socket_mt_check,
>+ .help = socket_mt_help_v1,
>+ .extra_opts = socket_opts_v1,
Actually, xt_socket should be NFPROTO_UNSPEC.
> };
>
> void _init(void)
> {
>- xtables_register_match(&socket_mt_reg);
>+ xtables_register_match(&socket_mt_reg_v0);
>+ xtables_register_match(&socket_mt_reg_v1);
xtables_register_matches
> }
>diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
>index 50c8854..edc9d75 100644
>--- a/extensions/libxt_socket.man
>+++ b/extensions/libxt_socket.man
>@@ -1,2 +1,6 @@
> This matches if an open socket can be found by doing a socket lookup on the
>-packet.
>+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
>+.TP
>+.BI "\-\-transparent"
>+Enables additional check, that the actual socket's transparent socket option
>+has to be set.
' does not need to be escaped, to my knowledge.
>diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
>new file mode 100644
>index 0000000..f6ba866
>--- /dev/null
>+++ b/include/linux/netfilter/xt_socket.h
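Review bot: socket_mt_parse_v1 never reads its `invert` parameter, so a rule written `! --transparent` is accepted and then behaves exactly like `--transparent`, silently inverting the administrator's intent for a policy-relevant match. Next to the once-only check in the `case '1':` arm, inversion should be rejected explicitly with `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);`. A one-line comment above the switch noting that the option cannot be negated would make that contract visible to whoever adds the next revision. The registration block for socket_mt_reg_v0 is only partly quoted, so its opening line lies outside this hunk.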
>@@ -0,0 +1,12 @@
>+#ifndef _XT_SOCKET_H_match
>+#define _XT_SOCKET_H_match
>+
>+enum {
>+ XT_SOCKET_TRANSPARENT = 1 << 0,
>+};
>+
>+struct xt_socket_mtinfo1 {
>+ __u8 flags;
>+};
I'm sure Eric Dumazet will remind us that u32 is a better idea.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
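Review bot: The new header uses `__u8` but none of the quoted lines includes `<linux/types.h>`; only ten of the hunk's twelve added lines are shown, so unless the trimmed tail carries it, any userspace translation unit that includes this header first will fail on `__u8`, and `#include <linux/types.h>` belongs right after the guard. The guard name `_XT_SOCKET_H_match` also departs from the `_XT_<NAME>_H` form of the sibling netfilter headers and the mixed-case suffix reads like a leftover; `_XT_SOCKET_H` would match its neighbours. A one-line comment on `XT_SOCKET_TRANSPARENT` stating that it restricts the match to sockets with the transparent option set, the wording the help text already uses, would document the flag where it is defined rather than only in the man page.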