
/*
 * Shared library add-on to iptables to add early socket matching support.
 *
 * Copyright (C) 2007 BalaBit IT Ltd.
 */
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_socket.h>
/*
 * Option identifiers used by every revision of this match.  Each value
 * is the .id of the corresponding xt_option_entry below and is what
 * cb->entry->id carries into the parse callbacks.  They are private to
 * this plugin: what reaches the kernel is the XT_SOCKET_* flag bits the
 * parse callbacks derive from them, never these numbers.
 */
enum {
	O_TRANSPARENT,		/* --transparent    (revisions 1-3) */
	O_NOWILDCARD,		/* --nowildcard     (revisions 2-3) */
	O_RESTORESKMARK,	/* --restore-skmark (revision 3)    */
};
/*
 * Option table for match revision 1.  Only --transparent is accepted;
 * it is a bare flag (XTTYPE_NONE, no argument), and its id is what
 * socket_mt_parse() turns into XT_SOCKET_TRANSPARENT.
 */
static const struct xt_option_entry socket_mt_opts[] = {
	{
		.name = "transparent",
		.id   = O_TRANSPARENT,
		.type = XTTYPE_NONE,
	},
	XTOPT_TABLEEND,
};
/*
 * Option table for match revision 2: --nowildcard joins --transparent.
 * Both are bare flags (XTTYPE_NONE); the ids are consumed by
 * socket_mt_parse_v2().
 */
static const struct xt_option_entry socket_mt_opts_v2[] = {
	{ .id = O_TRANSPARENT, .type = XTTYPE_NONE, .name = "transparent" },
	{ .id = O_NOWILDCARD,  .type = XTTYPE_NONE, .name = "nowildcard"  },
	XTOPT_TABLEEND,
};
/*
 * Option table for match revision 3.  Adds --restore-skmark, which per
 * the help text below makes the match *write* the packet mark when it
 * matches -- a side effect unusual for a match, worth keeping in mind
 * when reviewing rule sets that use it.  All three are bare flags.
 */
static const struct xt_option_entry socket_mt_opts_v3[] = {
	{
		.name = "transparent",
		.id   = O_TRANSPARENT,
		.type = XTTYPE_NONE,
	},
	{
		.name = "nowildcard",
		.id   = O_NOWILDCARD,
		.type = XTTYPE_NONE,
	},
	{
		.name = "restore-skmark",
		.id   = O_RESTORESKMARK,
		.type = XTTYPE_NONE,
	},
	XTOPT_TABLEEND,
};
/*
 * .help callback for revision 1.  Prints the usage text for the single
 * option this revision understands.  The text is constant, so it is
 * written with fputs() rather than passed through a format parser.
 */
static void socket_mt_help(void)
{
	fputs("socket match options:\n"
	      "  --transparent    Ignore non-transparent sockets\n\n",
	      stdout);
}
/*
 * .help callback for revision 2.  Same wording as revision 1 plus the
 * --nowildcard line; output is byte-identical to the printf() version.
 */
static void socket_mt_help_v2(void)
{
	static const char text[] =
		"socket match options:\n"
		"  --nowildcard     Do not ignore LISTEN sockets bound on INADDR_ANY\n"
		"  --transparent    Ignore non-transparent sockets\n\n";

	fputs(text, stdout);
}
/*
 * .help callback for revision 3.  Documents --restore-skmark in
 * addition to the revision-2 options.  Note the trailing blank after
 * "transparent /" in the fifth line: it is part of the original output
 * and is preserved deliberately.
 */
static void socket_mt_help_v3(void)
{
	static const char text[] =
		"socket match options:\n"
		"  --nowildcard     Do not ignore LISTEN sockets bound on INADDR_ANY\n"
		"  --transparent    Ignore non-transparent sockets\n"
		"  --restore-skmark Set the packet mark to the socket mark if\n"
		"                   the socket matches and transparent / \n"
		"                   nowildcard conditions are satisfied\n\n";

	fputs(text, stdout);
}
/*
 * .x6_parse callback for revision 1.
 *
 * cb->entry->id says which socket_mt_opts entry was seen on the command
 * line; cb->data is the revision-1 payload (struct xt_socket_mtinfo1)
 * whose flags word is handed to the kernel.  xtables_option_parse() is
 * called first, as in the other revisions, before the flag is set.
 */
static void socket_mt_parse(struct xt_option_call *cb)
{
	struct xt_socket_mtinfo1 *info = cb->data;

	xtables_option_parse(cb);

	/* Revision 1 has exactly one option, so no switch is needed. */
	if (cb->entry->id == O_TRANSPARENT)
		info->flags |= XT_SOCKET_TRANSPARENT;
}
/*
 * .x6_parse callback for revision 2.
 *
 * Maps the option id from socket_mt_opts_v2 onto the XT_SOCKET_* bit in
 * the revision-2 payload (struct xt_socket_mtinfo2) at cb->data.  An id
 * outside the table is left alone, exactly as the original switch did.
 */
static void socket_mt_parse_v2(struct xt_option_call *cb)
{
	struct xt_socket_mtinfo2 *info = cb->data;
	unsigned int id;

	xtables_option_parse(cb);

	id = cb->entry->id;
	if (id == O_TRANSPARENT)
		info->flags |= XT_SOCKET_TRANSPARENT;
	else if (id == O_NOWILDCARD)
		info->flags |= XT_SOCKET_NOWILDCARD;
}
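/*
 * .x6_parse callback for revision 3.
 *
 * cb->entry->id identifies which socket_mt_opts_v3 entry was seen; the
 * matching XT_SOCKET_* bit is OR-ed into the flags word at cb->data,
 * which is the payload the kernel module receives for this rule.
 *
 * Fix: the payload is declared as struct xt_socket_mtinfo3, the same
 * type socket_mt_save_v3() reads it back as from match->data.  The
 * original used xt_socket_mtinfo2 here, which is only safe for as long
 * as the two structs stay layout-identical; naming the revision-3 struct
 * keeps the write side and the read side of the revision-3 ABI in step.
 */
static void socket_mt_parse_v3(struct xt_option_call *cb)
{
	struct xt_socket_mtinfo3 *info = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_TRANSPARENT:
		info->flags |= XT_SOCKET_TRANSPARENT;
		break;
	case O_NOWILDCARD:
		info->flags |= XT_SOCKET_NOWILDCARD;
		break;
	case O_RESTORESKMARK:
		/* Per the help text this makes the match rewrite the packet
		 * mark on a hit, i.e. a match with a side effect. */
		info->flags |= XT_SOCKET_RESTORESKMARK;
		break;
	default:
		/* Ids come from socket_mt_opts_v3; nothing else is expected. */
		break;
	}
}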
/*
 * .save callback for revision 1: re-emit the option(s) that reproduce
 * this rule's flags, in the syntax socket_mt_opts accepts.  `ip' is the
 * enclosing entry and is not needed to print the match itself.
 */
static void
socket_mt_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
	const unsigned int flags = info->flags;

	(void)ip;

	if (flags & XT_SOCKET_TRANSPARENT)
		fputs(" --transparent", stdout);
}
/*
 * .print callback for revision 1 (iptables -L).  Prints the match name
 * and then delegates to the save routine for the option list, so the
 * listing and the saved form never disagree.  `numeric' is ignored:
 * nothing in this match has a symbolic-vs-numeric rendering.
 */
static void
socket_mt_print(const void *ip, const struct xt_entry_match *match,
		int numeric)
{
	(void)numeric;

	fputs(" socket", stdout);
	socket_mt_save(ip, match);
}
/*
 * .save callback for revision 2.  Emits --transparent and/or
 * --nowildcard, in that order, according to the flags stored in the
 * revision-2 payload (struct xt_socket_mtinfo2).
 */
static void
socket_mt_save_v2(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_socket_mtinfo2 *info = (const void *)match->data;
	const unsigned int flags = info->flags;

	(void)ip;

	/* Keep this order: it is the order the saved rule set is read in. */
	if (flags & XT_SOCKET_TRANSPARENT)
		fputs(" --transparent", stdout);
	if (flags & XT_SOCKET_NOWILDCARD)
		fputs(" --nowildcard", stdout);
}
/*
 * .print callback for revision 2 (iptables -L).  Writes the match name
 * then reuses socket_mt_save_v2() for the option list.  `numeric' has
 * no effect on this match.
 */
static void
socket_mt_print_v2(const void *ip, const struct xt_entry_match *match,
		   int numeric)
{
	(void)numeric;

	fputs(" socket", stdout);
	socket_mt_save_v2(ip, match);
}
/*
 * .save callback for revision 3.  Walks a flag -> option-text table in
 * the fixed order transparent, nowildcard, restore-skmark and prints the
 * option for every bit set in the revision-3 payload
 * (struct xt_socket_mtinfo3).  Output is identical to the former chain
 * of if/printf statements.
 */
static void
socket_mt_save_v3(const void *ip, const struct xt_entry_match *match)
{
	static const struct {
		unsigned int flag;
		const char *option;
	} flag_opts[] = {
		{ XT_SOCKET_TRANSPARENT,   " --transparent" },
		{ XT_SOCKET_NOWILDCARD,    " --nowildcard" },
		{ XT_SOCKET_RESTORESKMARK, " --restore-skmark" },
	};
	const struct xt_socket_mtinfo3 *info = (const void *)match->data;
	size_t i;

	(void)ip;

	for (i = 0; i < ARRAY_SIZE(flag_opts); i++)
		if (info->flags & flag_opts[i].flag)
			fputs(flag_opts[i].option, stdout);
}
/*
 * .print callback for revision 3 (iptables -L).  Match name first, then
 * the option list via socket_mt_save_v3().  `numeric' is unused because
 * every option of this match is a flag with a single spelling.
 */
static void
socket_mt_print_v3(const void *ip, const struct xt_entry_match *match,
		   int numeric)
{
	(void)numeric;

	fputs(" socket", stdout);
	socket_mt_save_v3(ip, match);
}
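/*
 * One xtables_match per kernel match revision.  All historical
 * revisions stay registered so rule sets written for older kernels keep
 * loading (NOTE(review): the revision fallback itself is done by
 * libxtables -- confirm there if relying on it).
 *
 *   rev 0: IPv4 only, no options and an empty payload.
 *   rev 1: --transparent                      payload xt_socket_mtinfo1
 *   rev 2: + --nowildcard                     payload xt_socket_mtinfo2
 *   rev 3: + --restore-skmark                 payload xt_socket_mtinfo3
 *
 * .size/.userspacesize describe the payload that the parse callback
 * writes and the print/save callbacks read back, so each entry must
 * name the struct its own callbacks use.
 *
 * Fix: the revision-3 entry sized its payload with xt_socket_mtinfo2
 * although socket_mt_save_v3() reads an xt_socket_mtinfo3.  That only
 * worked for as long as the two structs had the same size; it now uses
 * xt_socket_mtinfo3 so the registered size cannot silently drift from
 * the struct that is actually read.
 */
static struct xtables_match socket_mt_reg[] = {
	{
		.name          = "socket",
		.revision      = 0,
		.family        = NFPROTO_IPV4,
		.version       = XTABLES_VERSION,
		/* No options, so no parse/print/save/help callbacks. */
		.size          = XT_ALIGN(0),
		.userspacesize = XT_ALIGN(0),
	},
	{
		.name          = "socket",
		.revision      = 1,
		.family        = NFPROTO_UNSPEC,
		.version       = XTABLES_VERSION,
		.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
		.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
		.help          = socket_mt_help,
		.print         = socket_mt_print,
		.save          = socket_mt_save,
		.x6_parse      = socket_mt_parse,
		.x6_options    = socket_mt_opts,
	},
	{
		.name          = "socket",
		.revision      = 2,
		.family        = NFPROTO_UNSPEC,
		.version       = XTABLES_VERSION,
		.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
		.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
		.help          = socket_mt_help_v2,
		.print         = socket_mt_print_v2,
		.save          = socket_mt_save_v2,
		.x6_parse      = socket_mt_parse_v2,
		.x6_options    = socket_mt_opts_v2,
	},
	{
		.name          = "socket",
		.revision      = 3,
		.family        = NFPROTO_UNSPEC,
		.version       = XTABLES_VERSION,
		/* Must match the struct socket_mt_save_v3() reads. */
		.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo3)),
		.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo3)),
		.help          = socket_mt_help_v3,
		.print         = socket_mt_print_v3,
		.save          = socket_mt_save_v3,
		.x6_parse      = socket_mt_parse_v3,
		.x6_options    = socket_mt_opts_v3,
	},
};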
/*
 * Plugin entry point: hands every socket_mt_reg entry (revisions 0-3)
 * to libxtables in a single registration call.  The name _init is the
 * conventional xtables extension entry symbol -- keep it as is even
 * though leading-underscore globals are otherwise reserved.
 */
void _init(void)
{
	const size_t nrevisions = ARRAY_SIZE(socket_mt_reg);

	xtables_register_matches(socket_mt_reg, nrevisions);
}