Commit a31e1ffd authored by Laszlo Attila Toth's avatar Laszlo Attila Toth Committed by Patrick McHardy

netfilter: xt_socket: added new revision of the 'socket' match supporting flags

If the XT_SOCKET_TRANSPARENT flag is set, enabled 'transparent'
socket option is required for the socket to be matched.
Signed-off-by: default avatarLaszlo Attila Toth <panther@balabit.hu>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 11eeef41
#ifndef _XT_SOCKET_H
#define _XT_SOCKET_H
enum {
XT_SOCKET_TRANSPARENT = 1 << 0,
};
struct xt_socket_mtinfo1 {
__u8 flags;
};
#endif /* _XT_SOCKET_H */
...@@ -22,6 +22,8 @@ ...@@ -22,6 +22,8 @@
#include <net/netfilter/nf_tproxy_core.h> #include <net/netfilter/nf_tproxy_core.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h> #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#include <linux/netfilter/xt_socket.h>
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#define XT_SOCKET_HAVE_CONNTRACK 1 #define XT_SOCKET_HAVE_CONNTRACK 1
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
...@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb, ...@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
static bool static bool
socket_mt(const struct sk_buff *skb, const struct xt_match_param *par) socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
const struct xt_socket_mtinfo1 *info)
{ {
const struct iphdr *iph = ip_hdr(skb); const struct iphdr *iph = ip_hdr(skb);
struct udphdr _hdr, *hp = NULL; struct udphdr _hdr, *hp = NULL;
...@@ -141,10 +144,24 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par) ...@@ -141,10 +144,24 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol, sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
saddr, daddr, sport, dport, par->in, false); saddr, daddr, sport, dport, par->in, false);
if (sk != NULL) { if (sk != NULL) {
bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0); bool wildcard;
bool transparent = true;
/* Ignore sockets listening on INADDR_ANY */
wildcard = (sk->sk_state != TCP_TIME_WAIT &&
inet_sk(sk)->rcv_saddr == 0);
/* Ignore non-transparent sockets,
if XT_SOCKET_TRANSPARENT is used */
if (info && info->flags & XT_SOCKET_TRANSPARENT)
transparent = ((sk->sk_state != TCP_TIME_WAIT &&
inet_sk(sk)->transparent) ||
(sk->sk_state == TCP_TIME_WAIT &&
inet_twsk(sk)->tw_transparent));
nf_tproxy_put_sock(sk); nf_tproxy_put_sock(sk);
if (wildcard)
if (wildcard || !transparent)
sk = NULL; sk = NULL;
} }
...@@ -157,23 +174,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par) ...@@ -157,23 +174,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (sk != NULL); return (sk != NULL);
} }
static struct xt_match socket_mt_reg __read_mostly = { static bool
socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
return socket_match(skb, par, NULL);
}
static bool
socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
{
return socket_match(skb, par, par->matchinfo);
}
static struct xt_match socket_mt_reg[] __read_mostly = {
{
.name = "socket",
.revision = 0,
.family = NFPROTO_IPV4,
.match = socket_mt_v0,
.hooks = 1 << NF_INET_PRE_ROUTING,
.me = THIS_MODULE,
},
{
.name = "socket", .name = "socket",
.family = AF_INET, .revision = 1,
.match = socket_mt, .family = NFPROTO_IPV4,
.match = socket_mt_v1,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = 1 << NF_INET_PRE_ROUTING, .hooks = 1 << NF_INET_PRE_ROUTING,
.me = THIS_MODULE, .me = THIS_MODULE,
},
}; };
static int __init socket_mt_init(void) static int __init socket_mt_init(void)
{ {
nf_defrag_ipv4_enable(); nf_defrag_ipv4_enable();
return xt_register_match(&socket_mt_reg); return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
} }
static void __exit socket_mt_exit(void) static void __exit socket_mt_exit(void)
{ {
xt_unregister_match(&socket_mt_reg); xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
} }
module_init(socket_mt_init); module_init(socket_mt_init);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment