Re: setsockopt() in kernel

> can you post the URL to the sourcecode of this animal?

I'm afraid all I can do is cut n'paste the relevant sections below.

> to be honest I wonder why they sort of seem to duplicate firewall rules,
> and aren't using the firewall engine which provides hooks in all the
> right places...

That's a very good question. I'll try to get an answer on that.

> also you really shouldn't call setsockopt() in the kernel, it highly
> depends on the arguments being in userspace....

Right, I figured that much. So how can I do the equivalent in kernel space?

In the code below, I'm trying to replace the call to 'route_lookup' with something that will find the destination address in the incoming data. The code snippet with simplifications:

int my_recvmsg(struct socket *sock, struct msghdr *msg, int size,
               int flags, struct scm_cookie *scm)
{
   int bytes = 0, proto = sock->sk->protocol;
   int udp = proto == IPPROTO_UDP;
   /* declared at function scope so they are still visible at the check below */
   uint8_t raddr[4] = {0}, laddr[4] = {0};
   struct sockaddr_in *sin;

   // only veto UDP/TCP
   if (!udp && proto != IPPROTO_TCP)
       return (*orig_ops.tdi_tcp_ops.recvmsg)(sock, msg, size, flags, scm);

   if (udp) {
       bytes = (*orig_ops.tdi_tcp_ops.recvmsg)(sock, msg, size, flags, scm);
       if (bytes < 0)
           return bytes;               // msg_name is not filled in on error

       // after recvmsg, msg_name holds the remote (source) address
       sin = (struct sockaddr_in *) msg->msg_name;
       memcpy(raddr, &sin->sin_addr, 4);   // sin_addr is a struct, pass its address

       // Retrieve local addr from "reverse" routing table lookup
       // This does not work with aliases (e.g. eth0:1)
       // Should replace this with addr in payload, somehow
       route_lookup((unsigned char *) laddr, (unsigned char *) raddr, 4);
   }

   /* <snip>...</snip> */

   // veto when the engine does NOT allow it; errno is EACCES, not EACCESS
   if (!allowedBySecurityEngine(msg, raddr, laddr, ...))
       return -EACCES;

   /* <snip>...</snip> */
}

Hopefully this makes some sense.
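The suggestion above to use the firewall engine's hooks amounts to reading the local address from the IP header of the packet itself, which is what the poster wants instead of route_lookup. As an added example that is not the poster's code and not kernel code, the following parses a constructed IPv4/UDP datagram in userspace and applies an allow-list on its destination address, so the veto logic can be tested outside the kernel; the sample bytes and the allow-list are constructed, and the function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Fields pulled from an IPv4 header (RFC 791 layout, network byte order). */
struct ipv4_hdr_view {
    uint8_t proto;
    uint8_t saddr[4];   /* remote address of an incoming packet */
    uint8_t daddr[4];   /* local address it was sent to, alias or not */
    size_t  l4_offset;  /* where the UDP/TCP header starts */
};

/* Parse the IPv4 header at the front of the buffer.
 * Returns 0 on success, -1 if it is truncated or inconsistent. */
int parse_ipv4_header(const uint8_t *pkt, size_t len, struct ipv4_hdr_view *out)
{
    size_t ihl, total_len;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                         /* not IPv4, or too short */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    total_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len)
        return -1;                         /* header/length fields disagree */
    out->proto = pkt[9];
    memcpy(out->saddr, pkt + 12, 4);
    memcpy(out->daddr, pkt + 16, 4);
    out->l4_offset = ihl;
    return 0;
}

/* Veto decision based on the packet's own destination address.
 * Returns 1 = allowed, 0 = vetoed, -1 = unparseable (caller should veto). */
int allowed_by_local_addr(const uint8_t *pkt, size_t len,
                          const uint8_t (*allowed)[4], size_t n_allowed)
{
    struct ipv4_hdr_view h;
    size_t i;
    if (parse_ipv4_header(pkt, len, &h) != 0)
        return -1;
    if (h.proto != 6 && h.proto != 17)     /* only TCP (6) and UDP (17) are vetoed */
        return 1;
    for (i = 0; i < n_allowed; i++)
        if (memcmp(h.daddr, allowed[i], 4) == 0)
            return 1;
    return 0;
}

/* Constructed sample, not captured traffic: IPv4/UDP, 10.0.0.5:1234 -> 192.168.1.20:53 */
const uint8_t sample_udp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 5, 192, 168, 1, 20, 0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
```

In a netfilter hook the same parsing would be done on the skb's IP header rather than a userspace buffer.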



--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/

