mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-01 10:42:11 +00:00
[NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner
xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match on socket (non-)existence. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
9e67d5a739
commit
0265ab44ba
@ -26,6 +26,7 @@ header-y += xt_limit.h
|
||||
header-y += xt_mac.h
|
||||
header-y += xt_mark.h
|
||||
header-y += xt_multiport.h
|
||||
header-y += xt_owner.h
|
||||
header-y += xt_pkttype.h
|
||||
header-y += xt_policy.h
|
||||
header-y += xt_realm.h
|
||||
|
16
include/linux/netfilter/xt_owner.h
Normal file
16
include/linux/netfilter/xt_owner.h
Normal file
@ -0,0 +1,16 @@
|
||||
#ifndef _XT_OWNER_MATCH_H
|
||||
#define _XT_OWNER_MATCH_H
|
||||
|
||||
enum {
|
||||
XT_OWNER_UID = 1 << 0,
|
||||
XT_OWNER_GID = 1 << 1,
|
||||
XT_OWNER_SOCKET = 1 << 2,
|
||||
};
|
||||
|
||||
struct xt_owner_match_info {
|
||||
u_int32_t uid;
|
||||
u_int32_t gid;
|
||||
u_int8_t match, invert;
|
||||
};
|
||||
|
||||
#endif /* _XT_OWNER_MATCH_H */
|
@ -111,15 +111,6 @@ config IP_NF_MATCH_TTL
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP_NF_MATCH_OWNER
|
||||
tristate "Owner match support"
|
||||
depends on IP_NF_IPTABLES
|
||||
help
|
||||
Packet owner matching allows you to match locally-generated packets
|
||||
based on who created them: the user, group, process or session.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP_NF_MATCH_ADDRTYPE
|
||||
tristate 'address type match support'
|
||||
depends on IP_NF_IPTABLES
|
||||
|
@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
|
||||
|
@ -1,87 +0,0 @@
|
||||
/* Kernel module to match various things tied to sockets associated with
|
||||
locally generated outgoing packets. */
|
||||
|
||||
/* (C) 2000 Marc Boucher <marc@mbsi.ca>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/file.h>
|
||||
#include <linux/rcupdate.h>
|
||||
#include <net/sock.h>
|
||||
|
||||
#include <linux/netfilter_ipv4/ipt_owner.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
|
||||
MODULE_DESCRIPTION("iptables owner match");
|
||||
|
||||
static bool
|
||||
owner_mt(const struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const struct xt_match *match,
|
||||
const void *matchinfo, int offset, unsigned int protoff,
|
||||
bool *hotdrop)
|
||||
{
|
||||
const struct ipt_owner_info *info = matchinfo;
|
||||
|
||||
if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
|
||||
return false;
|
||||
|
||||
if(info->match & IPT_OWNER_UID) {
|
||||
if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
|
||||
!!(info->invert & IPT_OWNER_UID))
|
||||
return false;
|
||||
}
|
||||
|
||||
if(info->match & IPT_OWNER_GID) {
|
||||
if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
|
||||
!!(info->invert & IPT_OWNER_GID))
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt_check(const char *tablename, const void *ip,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
const struct ipt_owner_info *info = matchinfo;
|
||||
|
||||
if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
|
||||
printk("ipt_owner: pid, sid and command matching "
|
||||
"not supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static struct xt_match owner_mt_reg __read_mostly = {
|
||||
.name = "owner",
|
||||
.family = AF_INET,
|
||||
.match = owner_mt,
|
||||
.matchsize = sizeof(struct ipt_owner_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.checkentry = owner_mt_check,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init owner_mt_init(void)
|
||||
{
|
||||
return xt_register_match(&owner_mt_reg);
|
||||
}
|
||||
|
||||
static void __exit owner_mt_exit(void)
|
||||
{
|
||||
xt_unregister_match(&owner_mt_reg);
|
||||
}
|
||||
|
||||
module_init(owner_mt_init);
|
||||
module_exit(owner_mt_exit);
|
@ -89,15 +89,6 @@ config IP6_NF_MATCH_HL
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP6_NF_MATCH_OWNER
|
||||
tristate "Owner match support"
|
||||
depends on IP6_NF_IPTABLES
|
||||
help
|
||||
Packet owner matching allows you to match locally-generated packets
|
||||
based on who created them: the user, group, process or session.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP6_NF_MATCH_IPV6HEADER
|
||||
tristate "IPv6 Extension Headers Match"
|
||||
depends on IP6_NF_IPTABLES
|
||||
|
@ -23,7 +23,6 @@ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
|
||||
|
||||
# targets
|
||||
|
@ -1,87 +0,0 @@
|
||||
/* Kernel module to match various things tied to sockets associated with
|
||||
locally generated outgoing packets. */
|
||||
|
||||
/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/file.h>
|
||||
#include <linux/rcupdate.h>
|
||||
#include <net/sock.h>
|
||||
|
||||
#include <linux/netfilter_ipv6/ip6t_owner.h>
|
||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
|
||||
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
|
||||
MODULE_DESCRIPTION("IP6 tables owner matching module");
|
||||
MODULE_LICENSE("GPL");
|
||||
|
||||
|
||||
static bool
|
||||
owner_mt6(const struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const struct xt_match *match,
|
||||
const void *matchinfo, int offset, unsigned int protoff,
|
||||
bool *hotdrop)
|
||||
{
|
||||
const struct ip6t_owner_info *info = matchinfo;
|
||||
|
||||
if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_UID)
|
||||
if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
|
||||
!!(info->invert & IP6T_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_GID)
|
||||
if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
|
||||
!!(info->invert & IP6T_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt6_check(const char *tablename, const void *ip,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
const struct ip6t_owner_info *info = matchinfo;
|
||||
|
||||
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
|
||||
printk("ipt_owner: pid and sid matching "
|
||||
"not supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static struct xt_match owner_mt6_reg __read_mostly = {
|
||||
.name = "owner",
|
||||
.family = AF_INET6,
|
||||
.match = owner_mt6,
|
||||
.matchsize = sizeof(struct ip6t_owner_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.checkentry = owner_mt6_check,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init owner_mt6_init(void)
|
||||
{
|
||||
return xt_register_match(&owner_mt6_reg);
|
||||
}
|
||||
|
||||
static void __exit owner_mt6_exit(void)
|
||||
{
|
||||
xt_unregister_match(&owner_mt6_reg);
|
||||
}
|
||||
|
||||
module_init(owner_mt6_init);
|
||||
module_exit(owner_mt6_exit);
|
@ -554,6 +554,14 @@ config NETFILTER_XT_MATCH_MARK
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config NETFILTER_XT_MATCH_OWNER
|
||||
tristate '"owner" match support'
|
||||
depends on NETFILTER_XTABLES
|
||||
---help---
|
||||
Socket owner matching allows you to match locally-generated packets
|
||||
based on who created the socket: the user or group. It is also
|
||||
possible to check whether a socket actually exists.
|
||||
|
||||
config NETFILTER_XT_MATCH_POLICY
|
||||
tristate 'IPsec "policy" match support'
|
||||
depends on NETFILTER_XTABLES && XFRM
|
||||
|
@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
|
||||
|
211
net/netfilter/xt_owner.c
Normal file
211
net/netfilter/xt_owner.c
Normal file
@ -0,0 +1,211 @@
|
||||
/*
|
||||
* Kernel module to match various things tied to sockets associated with
|
||||
* locally generated outgoing packets.
|
||||
*
|
||||
* (C) 2000 Marc Boucher <marc@mbsi.ca>
|
||||
*
|
||||
* Copyright © CC Computer Consultants GmbH, 2007
|
||||
* Contact: <jengelh@computergmbh.de>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/file.h>
|
||||
#include <net/sock.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter/xt_owner.h>
|
||||
#include <linux/netfilter_ipv4/ipt_owner.h>
|
||||
#include <linux/netfilter_ipv6/ip6t_owner.h>
|
||||
|
||||
static bool
|
||||
owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const struct xt_match *match,
|
||||
const void *matchinfo, int offset, unsigned int protoff,
|
||||
bool *hotdrop)
|
||||
{
|
||||
const struct ipt_owner_info *info = matchinfo;
|
||||
const struct file *filp;
|
||||
|
||||
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
|
||||
return false;
|
||||
|
||||
filp = skb->sk->sk_socket->file;
|
||||
if (filp == NULL)
|
||||
return false;
|
||||
|
||||
if (info->match & IPT_OWNER_UID)
|
||||
if ((filp->f_uid != info->uid) ^
|
||||
!!(info->invert & IPT_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & IPT_OWNER_GID)
|
||||
if ((filp->f_gid != info->gid) ^
|
||||
!!(info->invert & IPT_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const struct xt_match *match,
|
||||
const void *matchinfo, int offset, unsigned int protoff,
|
||||
bool *hotdrop)
|
||||
{
|
||||
const struct ip6t_owner_info *info = matchinfo;
|
||||
const struct file *filp;
|
||||
|
||||
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
|
||||
return false;
|
||||
|
||||
filp = skb->sk->sk_socket->file;
|
||||
if (filp == NULL)
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_UID)
|
||||
if ((filp->f_uid != info->uid) ^
|
||||
!!(info->invert & IP6T_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_GID)
|
||||
if ((filp->f_gid != info->gid) ^
|
||||
!!(info->invert & IP6T_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt(const struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const struct xt_match *match,
|
||||
const void *matchinfo, int offset, unsigned int protoff,
|
||||
bool *hotdrop)
|
||||
{
|
||||
const struct xt_owner_match_info *info = matchinfo;
|
||||
const struct file *filp;
|
||||
|
||||
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
|
||||
return (info->match ^ info->invert) == 0;
|
||||
else if (info->match & info->invert & XT_OWNER_SOCKET)
|
||||
/*
|
||||
* Socket exists but user wanted ! --socket-exists.
|
||||
* (Single ampersands intended.)
|
||||
*/
|
||||
return false;
|
||||
|
||||
filp = skb->sk->sk_socket->file;
|
||||
if (filp == NULL)
|
||||
return ((info->match ^ info->invert) &
|
||||
(XT_OWNER_UID | XT_OWNER_GID)) == 0;
|
||||
|
||||
if (info->match & XT_OWNER_UID)
|
||||
if ((filp->f_uid != info->uid) ^
|
||||
!!(info->invert & XT_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & XT_OWNER_GID)
|
||||
if ((filp->f_gid != info->gid) ^
|
||||
!!(info->invert & XT_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt_check_v0(const char *tablename, const void *ip,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
const struct ipt_owner_info *info = matchinfo;
|
||||
|
||||
if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
|
||||
printk(KERN_WARNING KBUILD_MODNAME
|
||||
": PID, SID and command matching is not "
|
||||
"supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt6_check_v0(const char *tablename, const void *ip,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
const struct ip6t_owner_info *info = matchinfo;
|
||||
|
||||
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
|
||||
printk(KERN_WARNING KBUILD_MODNAME
|
||||
": PID and SID matching is not supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static struct xt_match owner_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 0,
|
||||
.family = AF_INET,
|
||||
.match = owner_mt_v0,
|
||||
.matchsize = sizeof(struct ipt_owner_info),
|
||||
.checkentry = owner_mt_check_v0,
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 0,
|
||||
.family = AF_INET6,
|
||||
.match = owner_mt6_v0,
|
||||
.matchsize = sizeof(struct ip6t_owner_info),
|
||||
.checkentry = owner_mt6_check_v0,
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 1,
|
||||
.family = AF_INET,
|
||||
.match = owner_mt,
|
||||
.matchsize = sizeof(struct xt_owner_match_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 1,
|
||||
.family = AF_INET6,
|
||||
.match = owner_mt,
|
||||
.matchsize = sizeof(struct xt_owner_match_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
};
|
||||
|
||||
static int __init owner_mt_init(void)
|
||||
{
|
||||
return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
|
||||
}
|
||||
|
||||
static void __exit owner_mt_exit(void)
|
||||
{
|
||||
xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
|
||||
}
|
||||
|
||||
module_init(owner_mt_init);
|
||||
module_exit(owner_mt_exit);
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
|
||||
MODULE_DESCRIPTION("netfilter \"owner\" match module");
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_ALIAS("ipt_owner");
|
||||
MODULE_ALIAS("ip6t_owner");
|
Loading…
Reference in New Issue
Block a user