Add translation for module owner to nftables. Full translation of this match awaits the support for --socket-exists option. Examples:
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner shivani -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
---
 extensions/libxt_owner.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index d9adc12..d81080a 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -492,6 +492,62 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
 	owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
 }
 
+static void
+owner_mt_print_item_xlate(const struct xt_owner_match_info *info,
+			  const char *label, uint8_t flag,
+			  struct xt_xlate *xl, bool numeric)
+{
+	if (!(info->match & flag))
+		return;
+
+	xt_xlate_add(xl, "%s%s", label, info->invert & flag ? "!= " : "");
+
+	switch (info->match & flag) {
+	case XT_OWNER_UID:
+		if (info->uid_min != info->uid_max) {
+			xt_xlate_add(xl, "%u-%u ", (unsigned int)info->uid_min,
+				     (unsigned int)info->uid_max);
+			break;
+		} else if (!numeric) {
+			const struct passwd *pwd = getpwuid(info->uid_min);
+
+			if (pwd != NULL && pwd->pw_name != NULL) {
+				xt_xlate_add(xl, " %s", pwd->pw_name);
+				break;
+			}
+		}
+		xt_xlate_add(xl, "%u ", (unsigned int)info->uid_min);
+		break;
+
+	case XT_OWNER_GID:
+		if (info->gid_min != info->gid_max) {
+			xt_xlate_add(xl, "%u-%u ", (unsigned int)info->gid_min,
+				     (unsigned int)info->gid_max);
+			break;
+		} else if (!numeric) {
+			const struct group *grp = getgrgid(info->gid_min);
+
+			if (grp != NULL && grp->gr_name != NULL) {
+				xt_xlate_add(xl, "%s ", grp->gr_name);
+				break;
+			}
+		}
+		xt_xlate_add(xl, "%u ", (unsigned int)info->gid_min);
+		break;
+	}
+}
+
+static int owner_mt_xlate(const struct xt_entry_match *match,
+			  struct xt_xlate *xl, int numeric)
+{
+	const struct xt_owner_match_info *info = (void *)match->data;
+
+	owner_mt_print_item_xlate(info, "skuid ", XT_OWNER_UID, xl, true);
+	owner_mt_print_item_xlate(info, "skgid ", XT_OWNER_GID, xl, true);
+
+	return 1;
+}
+
 static struct xtables_match owner_mt_reg[] = {
 	{
 		.version       = XTABLES_VERSION,
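Review bot: In the XT_OWNER_UID name branch of owner_mt_print_item_xlate the format string is `" %s"` while the matching XT_OWNER_GID branch uses `"%s "`, so a resolved user name would be emitted with the separator on the wrong side and likely run into whatever the caller appends next (the examples in the description show the value followed by `counter`); change it to `xt_xlate_add(xl, "%s ", pwd->pw_name);`. That branch is presently unreachable because both calls in owner_mt_xlate pass the literal `true` instead of the function's own `numeric` argument, which leaves that parameter unused; either forward `numeric` or add a comment stating that the translation is intentionally numeric-only. The `switch (info->match & flag)` also has no `default` case, so a flag value other than XT_OWNER_UID/XT_OWNER_GID would emit the label with no value after it; a `default: break;` with a short comment would make that contract explicit.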
@@ -534,6 +590,7 @@ static struct xtables_match owner_mt_reg[] = {
 		.print         = owner_mt_print,
 		.save          = owner_mt_save,
 		.x6_options    = owner_mt_opts,
+		.xlate         = owner_mt_xlate,
 	},
 };
 
-- 
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html