Re: socket match - add wildcard option [2/4]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

current version attached,
c99, \', info->invert, xtables_param_act(NO_INVERT) got incorporated/adjusted.

for the u8, may I use it for info->invert, or just create 2 u32 for
flags and invert, bump the revision number to 2?

As invert changes the mtinfo1 struct, changing the revision is required anyway.


Markus
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 1490473..d921655 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -3,17 +3,108 @@
  *
  * Copyright (C) 2007 BalaBit IT Ltd.
  */
+#include <stdio.h>
+#include <getopt.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
-static struct xtables_match socket_mt_reg = {
-	.name	       = "socket",
-	.version       = XTABLES_VERSION,
-	.family	       = NFPROTO_IPV4,
-	.size	       = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+static void socket_mt_help_v1(void)
+{
+	printf("socket match options:\n"
+"--transparent      Matches only if the socket's transparent option is set\n"
+"--wildcard         Match wildcard socket's too\n"
+"[!] --exists       Match if socket exists (optional), allows inversion\n"
+	);
+}
+
+static const struct option socket_opts_v1[] = {
+	{ .name = "transparent", .has_arg = false, .flag = NULL, .val = '1' },
+	{ .name = "wildcard",    .has_arg = false, .flag = NULL, .val = '2' },
+	{ .name = "exists",      .has_arg = false, .flag = NULL, .val = '3' },
+	{ }
+};
+
+static int socket_mt_parse_v1(int c, char **argv, int invert,
+			      unsigned int *flags, const void *entry,
+			      struct xt_entry_match **match)
+{
+	struct xt_socket_mtinfo1 *info = (void *) (*match)->data;
+
+	switch (c) {
+	case '1':
+		xtables_param_act(XTF_ONLY_ONCE, "socket", "--transparent", *flags & XT_SOCKET_TRANSPARENT);
+		xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);
+		info->flags |= XT_SOCKET_TRANSPARENT;
+		*flags |= XT_SOCKET_TRANSPARENT;
+		break;
+	case '2':
+		xtables_param_act(XTF_ONLY_ONCE, "socket", "--wildcard", *flags & XT_SOCKET_WILDCARD);
+		xtables_param_act(XTF_NO_INVERT, "socket", "--wildcard", invert);
+		info->flags |= XT_SOCKET_WILDCARD;
+		*flags |= XT_SOCKET_WILDCARD;
+		break;
+	case '3':
+		xtables_param_act(XTF_ONLY_ONCE, "socket", "--exists", *flags & XT_SOCKET_EXISTS);
+		if (invert)
+			info->invert = true;
+		*flags |= XT_SOCKET_EXISTS;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void socket_mt_print_v1(const void *ip,
+			       const struct xt_entry_match *match,
+			       int numeric)
+{
+	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+	printf("socket ");
+	if (info->flags & XT_SOCKET_TRANSPARENT)
+		printf("transparent ");
+	if (info->flags & XT_SOCKET_WILDCARD)
+		printf("wildcard ");
+	printf("%sexists ", info->invert ? "! " : "");
+}
+
+static void socket_mt_save_v1(const void *ip,
+			      const struct xt_entry_match *match)
+{
+	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+	if (info->flags & XT_SOCKET_TRANSPARENT)
+		printf("--transparent ");
+
+	if (info->flags & XT_SOCKET_WILDCARD)
+		printf("--wildcard ");
+
+	printf("%s--exists ", info->invert ? "! " : "");
+}
+
+static struct xtables_match socket_mt_reg[] = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.version	= XTABLES_VERSION,
+		.family		= NFPROTO_UNSPEC,
+	},
+	{
+		.name		= "socket",
+		.version	= XTABLES_VERSION,
+		.revision	= 1,
+		.family		= NFPROTO_UNSPEC,
+		.size		= XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+		.userspacesize	= XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+		.parse		= socket_mt_parse_v1,
+		.print		= socket_mt_print_v1,
+		.save		= socket_mt_save_v1,
+		.help		= socket_mt_help_v1,
+		.extra_opts	= socket_opts_v1,
+	}
 };
 
 void _init(void)
 {
-	xtables_register_match(&socket_mt_reg);
+	xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..98244f5 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,14 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn't listen on the 'any' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
+.TP
+.BI "\-\-wildcard"
+Matches sockets listening on the 'any' IP address (0.0.0.0) too.
+.TP
+.BI "[!] \-\-exists"
+Optional, allows inversion of the match.
+
+
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..4ee6e7d
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,15 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+	XT_SOCKET_TRANSPARENT = 1 << 0,
+	XT_SOCKET_WILDCARD = 1 << 1,
+	XT_SOCKET_EXISTS = 1 << 2,
+};
+
+struct xt_socket_mtinfo1 {
+	__u8 invert;
+	__u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux