Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
 extensions/libxt_socket.c   | 76 +++++++++++++++++++++++++++++++++++++++----
 extensions/libxt_socket.man |  3 ++
 2 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 1490473..e4dff78 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -3,17 +3,79 @@
  *
  * Copyright (C) 2007 BalaBit IT Ltd.
  */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
-static struct xtables_match socket_mt_reg = {
-	.name		= "socket",
-	.version	= XTABLES_VERSION,
-	.family		= NFPROTO_IPV4,
-	.size		= XT_ALIGN(0),
-	.userspacesize	= XT_ALIGN(0),
+static const struct option socket_mt_opts[] = {
+	{.name = "transparent", .has_arg = false, .val = 't'},
+	XT_GETOPT_TABLEEND,
+};
+
+static void socket_mt_help(void)
+{
+	printf(
+		"socket match options:\n"
+		"  --transparent    Ignore non-transparent sockets\n\n");
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+			   const void *entry, struct xt_entry_match **match)
+{
+	struct xt_socket_mtinfo1 *info = (void *)(*match)->data;
+
+	switch (c) {
+	case 't':
+		info->flags |= XT_SOCKET_TRANSPARENT;
+		return true;
+	}
+	return false;
+}
+
+static void
+socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+	if (info->flags & XT_SOCKET_TRANSPARENT)
+		printf("--transparent ");
+}
+
+static void
+socket_mt_print(const void *ip, const struct xt_entry_match *match,
+		int numeric)
+{
+	printf("socket ");
+	socket_mt_save(ip, match);
+}
+
+static struct xtables_match socket_mt_reg[] = {
+	{
+		.name          = "socket",
+		.revision      = 0,
+		.family        = NFPROTO_IPV4,
+		.version       = XTABLES_VERSION,
+		.size          = XT_ALIGN(0),
+		.userspacesize = XT_ALIGN(0),
+	},
+	{
+		.name          = "socket",
+		.revision      = 1,
+		.family        = NFPROTO_UNSPEC,
+		.version       = XTABLES_VERSION,
+		.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+		.help          = socket_mt_help,
+		.parse         = socket_mt_parse,
+		.print         = socket_mt_print,
+		.save          = socket_mt_save,
+		.extra_opts    = socket_mt_opts,
+	},
 };
 
 void _init(void)
 {
-	xtables_register_match(&socket_mt_reg);
+	xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..41e8d67 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,5 @@
 This matches if an open socket can be found by doing a socket lookup on the
 packet.
+.TP
+\fB\-\-transparent\fP
+Ignore non-transparent sockets.
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
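Review bot: socket_mt_parse takes `invert` but never examines it, so as far as this hunk shows a rule written `! --transparent` is accepted and stored as plain `--transparent`, i.e. the opposite of what the author wrote, in a match that is commonly used to steer traffic to local proxies. The `case 't':` arm should reject inversion before setting the flag, e.g. `if (invert) xtables_error(PARAMETER_PROBLEM, "socket: --transparent cannot be inverted");` (or `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);` if this tree already has that helper). `*flags` is likewise unused, so a duplicated `--transparent` passes silently; harmless here, but recording it in `*flags` and rejecting the repeat would keep the extension consistent with the others. The help string `Ignore non-transparent sockets` does not say what "transparent" refers to; I cannot confirm the kernel-side test from this page, but wording along the lines of `Only match sockets bound with IP_TRANSPARENT (e.g. TPROXY listeners)` would tell an operator what the option actually restricts.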