[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter-devel
Subject: [PATCH]: /proc/net/ip_tables_{targets, matches}
From: Patrick McHardy <kaber () the ! brain ! uni-freiburg ! de>
Date: 2002-08-29 18:48:13
[Download RAW message or body]
Hi Core Team,
i took an item off the "Nice to have"-list: the attached patch creates two
new proc entries, /proc/net/ip_tables_targets and
/proc/net/ip_tables_matches. Please have a look at it.
Since it seems my previous mail (pom owner-patch) didn't made it to the
list that one is attached too.
Bye
Patrick
["owner-pom.diff" (TEXT/plain)]
diff -urN patch-o-matic/extra/owner-socketlookup.patch \
patch-o-matic-owner/extra/owner-socketlookup.patch
--- patch-o-matic/extra/owner-socketlookup.patch 1970-01-01 01:00:00.000000000 +0100
+++ patch-o-matic-owner/extra/owner-socketlookup.patch 2002-08-29 14:32:02.000000000 \
+0200 @@ -0,0 +1,182 @@
+diff -urN linux-2.4.20-pre4/include/net/tcp.h \
linux-2.4.20-pre4-owner/include/net/tcp.h +--- \
linux-2.4.20-pre4/include/net/tcp.h 2002-08-28 23:33:03.000000000 +0200 ++++ \
linux-2.4.20-pre4-owner/include/net/tcp.h 2002-08-28 23:33:03.000000000 +0200 +@@ \
-140,6 +140,7 @@ + extern void tcp_bucket_unlock(struct sock *sk);
+ extern int tcp_port_rover;
+ extern struct sock *tcp_v4_lookup_listener(u32 addr, unsigned short hnum, int dif);
++extern struct sock *tcp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 hnum, int \
dif); +
+ /* These are AF independent. */
+ static __inline__ int tcp_bhashfn(__u16 lport)
+diff -urN linux-2.4.20-pre4/include/net/udp.h \
linux-2.4.20-pre4-owner/include/net/udp.h +--- \
linux-2.4.20-pre4/include/net/udp.h 2002-08-28 23:33:03.000000000 +0200 ++++ \
linux-2.4.20-pre4-owner/include/net/udp.h 2002-08-28 23:33:03.000000000 +0200 +@@ \
-69,6 +69,8 @@ + extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
+ extern int udp_disconnect(struct sock *sk, int flags);
+
++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int \
dif); ++
+ extern struct udp_mib udp_statistics[NR_CPUS*2];
+ #define UDP_INC_STATS(field) SNMP_INC_STATS(udp_statistics, field)
+ #define UDP_INC_STATS_BH(field) SNMP_INC_STATS_BH(udp_statistics, field)
+diff -urN linux-2.4.20-pre4/net/ipv4/netfilter/ipt_owner.c \
linux-2.4.20-pre4-owner/net/ipv4/netfilter/ipt_owner.c +--- \
linux-2.4.20-pre4/net/ipv4/netfilter/ipt_owner.c 2002-08-28 23:33:03.000000000 +0200 \
++++ linux-2.4.20-pre4-owner/net/ipv4/netfilter/ipt_owner.c 2002-08-28 \
23:33:03.000000000 +0200 +@@ -2,17 +2,26 @@
+ locally generated outgoing packets.
+
+ Copyright (C) 2000 Marc Boucher
++
++ 08/28/2002 Patrick McHardy <kaber@trash.net>
++ - Modified to also match properties of receiving sockets
+ */
+ #include <linux/module.h>
+ #include <linux/skbuff.h>
+ #include <linux/file.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/udp.h>
+ #include <net/sock.h>
++#include <net/tcp.h>
++#include <net/udp.h>
++#include <net/route.h>
+
+ #include <linux/netfilter_ipv4/ipt_owner.h>
+ #include <linux/netfilter_ipv4/ip_tables.h>
+
+ static int
+-match_comm(const struct sk_buff *skb, const char *comm)
++match_comm(const struct sock *sk, const char *comm)
+ {
+ struct task_struct *p;
+ struct files_struct *files;
+@@ -28,7 +37,7 @@
+ if(files) {
+ read_lock(&files->file_lock);
+ for (i=0; i < files->max_fds; i++) {
+- if (fcheck_files(files, i) == skb->sk->socket->file) {
++ if (fcheck_files(files, i) == sk->socket->file) {
+ read_unlock(&files->file_lock);
+ task_unlock(p);
+ read_unlock(&tasklist_lock);
+@@ -44,7 +53,7 @@
+ }
+
+ static int
+-match_pid(const struct sk_buff *skb, pid_t pid)
++match_pid(const struct sock *sk, pid_t pid)
+ {
+ struct task_struct *p;
+ struct files_struct *files;
+@@ -59,7 +68,7 @@
+ if(files) {
+ read_lock(&files->file_lock);
+ for (i=0; i < files->max_fds; i++) {
+- if (fcheck_files(files, i) == skb->sk->socket->file) {
++ if (fcheck_files(files, i) == sk->socket->file) {
+ read_unlock(&files->file_lock);
+ task_unlock(p);
+ read_unlock(&tasklist_lock);
+@@ -75,10 +84,10 @@
+ }
+
+ static int
+-match_sid(const struct sk_buff *skb, pid_t sid)
++match_sid(const struct sock *sk, pid_t sid)
+ {
+ struct task_struct *p;
+- struct file *file = skb->sk->socket->file;
++ struct file *file = sk->socket->file;
+ int i, found=0;
+
+ read_lock(&tasklist_lock);
+@@ -119,36 +128,55 @@
+ int *hotdrop)
+ {
+ const struct ipt_owner_info *info = matchinfo;
++ struct sock *sk = NULL;
+
+- if (!skb->sk || !skb->sk->socket || !skb->sk->socket->file)
++ if (out) {
++ sk = skb->sk;
++ } else {
++ struct iphdr *iph = skb->nh.iph;
++ if (iph->protocol == IPPROTO_TCP) {
++ struct tcphdr *tcph =
++ (struct tcphdr*)((u_int32_t*)iph + iph->ihl);
++ sk = tcp_v4_lookup(iph->saddr, tcph->source,
++ iph->daddr, tcph->dest,
++ ((struct rtable*)skb->dst)->rt_iif);
++ } else if (iph->protocol == IPPROTO_UDP) {
++ struct udphdr *udph =
++ (struct udphdr*)((u_int32_t*)iph + iph->ihl);
++ sk = udp_v4_lookup(iph->daddr, udph->dest, iph->saddr,
++ udph->source, skb->dev->ifindex);
++ }
++ }
++
++ if (!sk || !sk->socket || !sk->socket->file)
+ return 0;
+
+ if(info->match & IPT_OWNER_UID) {
+- if((skb->sk->socket->file->f_uid != info->uid) ^
++ if((sk->socket->file->f_uid != info->uid) ^
+ !!(info->invert & IPT_OWNER_UID))
+ return 0;
+ }
+
+ if(info->match & IPT_OWNER_GID) {
+- if((skb->sk->socket->file->f_gid != info->gid) ^
++ if((sk->socket->file->f_gid != info->gid) ^
+ !!(info->invert & IPT_OWNER_GID))
+ return 0;
+ }
+
+ if(info->match & IPT_OWNER_PID) {
+- if (!match_pid(skb, info->pid) ^
++ if (!match_pid(sk, info->pid) ^
+ !!(info->invert & IPT_OWNER_PID))
+ return 0;
+ }
+
+ if(info->match & IPT_OWNER_SID) {
+- if (!match_sid(skb, info->sid) ^
++ if (!match_sid(sk, info->sid) ^
+ !!(info->invert & IPT_OWNER_SID))
+ return 0;
+ }
+
+ if(info->match & IPT_OWNER_COMM) {
+- if (!match_comm(skb, info->comm) ^
++ if (!match_comm(sk, info->comm) ^
+ !!(info->invert & IPT_OWNER_COMM))
+ return 0;
+ }
+@@ -164,8 +192,10 @@
+ unsigned int hook_mask)
+ {
+ if (hook_mask
+- & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
+- printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
++ & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING) |
++ (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_PRE_ROUTING))) {
++ printk("ipt_owner: only valid for LOCAL_OUT, LOCAL_IN, "
++ "POST_ROUTING or PRE_ROUTING.\n");
+ return 0;
+ }
+
+diff -urN linux-2.4.20-pre4/net/netsyms.c linux-2.4.20-pre4-owner/net/netsyms.c
+--- linux-2.4.20-pre4/net/netsyms.c 2002-08-28 23:33:03.000000000 +0200
++++ linux-2.4.20-pre4-owner/net/netsyms.c 2002-08-28 23:33:03.000000000 +0200
+@@ -597,4 +597,9 @@
+ EXPORT_SYMBOL(wireless_send_event);
+ #endif /* CONFIG_NET_RADIO || CONFIG_NET_PCMCIA_RADIO */
+
++#if defined(CONFIG_IP_NF_MATCH_OWNER)||defined(CONFIG_IP_NF_MATCH_OWNER_MODULE)
++EXPORT_SYMBOL(tcp_v4_lookup);
++EXPORT_SYMBOL(udp_v4_lookup);
++#endif /* CONFIG_IP_NF_MATCH_OWNER */
++
+ #endif /* CONFIG_NET */
diff -urN patch-o-matic/extra/owner-socketlookup.patch.help \
patch-o-matic-owner/extra/owner-socketlookup.patch.help
--- patch-o-matic/extra/owner-socketlookup.patch.help 1970-01-01 01:00:00.000000000 \
+0100
+++ patch-o-matic-owner/extra/owner-socketlookup.patch.help 2002-08-29 \
14:43:25.000000000 +0200 @@ -0,0 +1,13 @@
+Author: Patrick McHardy <kaber@trash.net>
+Status: working
+
+The patch allows you to use the owner match in the INPUT/PREROUTING chains to
+match properties of the receiving socket.
+
+Example:
+
+ # Allow packets coming in on eth0 to sockets owned be local user
+ # kaber
+
+ iptables -A INPUT -i eth0 -m owner --uid-owner kaber -j ACCEPT
+
["proc-pom.diff" (TEXT/plain)]
diff -urN patch-o-matic-clean/extra/ip_tables-proc.patch \
patch-o-matic/extra/ip_tables-proc.patch
--- patch-o-matic-clean/extra/ip_tables-proc.patch 1970-01-01 01:00:00.000000000 \
+0100
+++ patch-o-matic/extra/ip_tables-proc.patch 2002-08-29 20:37:30.000000000 +0200
@@ -0,0 +1,114 @@
+--- ../kernel/linux-2.4.20-pre4/net/ipv4/netfilter/ip_tables.c 2002-08-29 \
01:56:13.000000000 +0200 ++++ \
linux-2.4.20-pre4/net/ipv4/netfilter/ip_tables.c 2002-08-29 20:30:37.000000000 +0200 \
+@@ -1699,14 +1699,15 @@ + = { { NULL, NULL }, "icmp", &icmp_match, &icmp_checkentry, \
NULL }; +
+ #ifdef CONFIG_PROC_FS
+-static inline int print_name(const struct ipt_table *t,
++static inline int print_name(const char *i,
+ off_t start_offset, char *buffer, int length,
+ off_t *pos, unsigned int *count)
+ {
+ if ((*count)++ >= start_offset) {
+ unsigned int namelen;
+
+- namelen = sprintf(buffer + *pos, "%s\n", t->name);
++ namelen = sprintf(buffer + *pos, "%s\n",
++ i + sizeof(struct list_head));
+ if (*pos + namelen > length) {
+ /* Stop iterating */
+ return 1;
+@@ -1724,7 +1725,7 @@
+ if (down_interruptible(&ipt_mutex) != 0)
+ return 0;
+
+- LIST_FIND(&ipt_tables, print_name, struct ipt_table *,
++ LIST_FIND(&ipt_tables, print_name, void *,
+ offset, buffer, length, &pos, &count);
+
+ up(&ipt_mutex);
+@@ -1733,6 +1734,46 @@
+ *start=(char *)((unsigned long)count-offset);
+ return pos;
+ }
++
++static int ipt_get_targets(char *buffer, char **start, off_t offset, int length)
++{
++ off_t pos = 0;
++ unsigned int count = 0;
++
++ if (down_interruptible(&ipt_mutex) != 0)
++ return 0;
++
++ LIST_FIND(&ipt_target, print_name, void *,
++ offset, buffer, length, &pos, &count);
++
++ up(&ipt_mutex);
++
++ *start = (char *)((unsigned long)count - offset);
++ return pos;
++}
++
++static int ipt_get_matches(char *buffer, char **start, off_t offset, int length)
++{
++ off_t pos = 0;
++ unsigned int count = 0;
++
++ if (down_interruptible(&ipt_mutex) != 0)
++ return 0;
++
++ LIST_FIND(&ipt_match, print_name, void *,
++ offset, buffer, length, &pos, &count);
++
++ up(&ipt_mutex);
++
++ *start = (char *)((unsigned long)count - offset);
++ return pos;
++}
++
++static struct { char *name; get_info_t *get_info; } ipt_proc_entry[] =
++{ { "ip_tables_names", ipt_get_tables },
++ { "ip_tables_targets", ipt_get_targets },
++ { "ip_tables_matches", ipt_get_matches },
++ { NULL, NULL} };
+ #endif /*CONFIG_PROC_FS*/
+
+ static int __init init(void)
+@@ -1758,13 +1799,19 @@
+ #ifdef CONFIG_PROC_FS
+ {
+ struct proc_dir_entry *proc;
++ int i;
+
+- proc = proc_net_create("ip_tables_names", 0, ipt_get_tables);
+- if (!proc) {
+- nf_unregister_sockopt(&ipt_sockopts);
+- return -ENOMEM;
++ for (i = 0; ipt_proc_entry[i].name; i++) {
++ proc = proc_net_create(ipt_proc_entry[i].name, 0,
++ ipt_proc_entry[i].get_info);
++ if (!proc) {
++ while (--i >= 0)
++ proc_net_remove(ipt_proc_entry[i].name);
++ nf_unregister_sockopt(&ipt_sockopts);
++ return -ENOMEM;
++ }
++ proc->owner = THIS_MODULE;
+ }
+- proc->owner = THIS_MODULE;
+ }
+ #endif
+
+@@ -1776,7 +1823,11 @@
+ {
+ nf_unregister_sockopt(&ipt_sockopts);
+ #ifdef CONFIG_PROC_FS
+- proc_net_remove("ip_tables_names");
++ {
++ int i;
++ for (i = 0; ipt_proc_entry[i].name; i++)
++ proc_net_remove(ipt_proc_entry[i].name);
++ }
+ #endif
+ }
+
diff -urN patch-o-matic-clean/extra/ip_tables-proc.patch.help \
patch-o-matic/extra/ip_tables-proc.patch.help
--- patch-o-matic-clean/extra/ip_tables-proc.patch.help 1970-01-01 01:00:00.000000000 \
+0100
+++ patch-o-matic/extra/ip_tables-proc.patch.help 2002-08-29 20:39:42.000000000 +0200
@@ -0,0 +1,6 @@
+Author: Patrick McHardy
+Status: Working
+
+This patch creates two new files in /proc/net, "ip_tables_matches" and
+"iptables_targets" which contain the names of all loaded matches/targets
+like the file ip_tables_names already does with loaded tables.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic