|
Packit Service |
d1fe03 |
/*
|
|
Packit Service |
d1fe03 |
* Shared library add-on to iptables to add early socket matching support.
|
|
Packit Service |
d1fe03 |
*
|
|
Packit Service |
d1fe03 |
* Copyright (C) 2007 BalaBit IT Ltd.
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
#include <stdio.h>
|
|
Packit Service |
d1fe03 |
#include <xtables.h>
|
|
Packit Service |
d1fe03 |
#include <linux/netfilter/xt_socket.h>
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
enum {
|
|
Packit Service |
d1fe03 |
O_TRANSPARENT = 0,
|
|
Packit Service |
d1fe03 |
O_NOWILDCARD = 1,
|
|
Packit Service |
d1fe03 |
O_RESTORESKMARK = 2,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static const struct xt_option_entry socket_mt_opts[] = {
|
|
Packit Service |
d1fe03 |
{.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
XTOPT_TABLEEND,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static const struct xt_option_entry socket_mt_opts_v2[] = {
|
|
Packit Service |
d1fe03 |
{.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
{.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
XTOPT_TABLEEND,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static const struct xt_option_entry socket_mt_opts_v3[] = {
|
|
Packit Service |
d1fe03 |
{.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
{.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
{.name = "restore-skmark", .id = O_RESTORESKMARK, .type = XTTYPE_NONE},
|
|
Packit Service |
d1fe03 |
XTOPT_TABLEEND,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_help(void)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(
|
|
Packit Service |
d1fe03 |
"socket match options:\n"
|
|
Packit Service |
d1fe03 |
" --transparent Ignore non-transparent sockets\n\n");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_help_v2(void)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(
|
|
Packit Service |
d1fe03 |
"socket match options:\n"
|
|
Packit Service |
d1fe03 |
" --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n"
|
|
Packit Service |
d1fe03 |
" --transparent Ignore non-transparent sockets\n\n");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_help_v3(void)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(
|
|
Packit Service |
d1fe03 |
"socket match options:\n"
|
|
Packit Service |
d1fe03 |
" --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n"
|
|
Packit Service |
d1fe03 |
" --transparent Ignore non-transparent sockets\n"
|
|
Packit Service |
d1fe03 |
" --restore-skmark Set the packet mark to the socket mark if\n"
|
|
Packit Service |
d1fe03 |
" the socket matches and transparent / \n"
|
|
Packit Service |
d1fe03 |
" nowildcard conditions are satisfied\n\n");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_parse(struct xt_option_call *cb)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
struct xt_socket_mtinfo1 *info = cb->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
xtables_option_parse(cb);
|
|
Packit Service |
d1fe03 |
switch (cb->entry->id) {
|
|
Packit Service |
d1fe03 |
case O_TRANSPARENT:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_TRANSPARENT;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_parse_v2(struct xt_option_call *cb)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
struct xt_socket_mtinfo2 *info = cb->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
xtables_option_parse(cb);
|
|
Packit Service |
d1fe03 |
switch (cb->entry->id) {
|
|
Packit Service |
d1fe03 |
case O_TRANSPARENT:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_TRANSPARENT;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case O_NOWILDCARD:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_NOWILDCARD;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void socket_mt_parse_v3(struct xt_option_call *cb)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
struct xt_socket_mtinfo2 *info = cb->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
xtables_option_parse(cb);
|
|
Packit Service |
d1fe03 |
switch (cb->entry->id) {
|
|
Packit Service |
d1fe03 |
case O_TRANSPARENT:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_TRANSPARENT;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case O_NOWILDCARD:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_NOWILDCARD;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case O_RESTORESKMARK:
|
|
Packit Service |
d1fe03 |
info->flags |= XT_SOCKET_RESTORESKMARK;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_save(const void *ip, const struct xt_entry_match *match)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
const struct xt_socket_mtinfo1 *info = (const void *)match->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_TRANSPARENT)
|
|
Packit Service |
d1fe03 |
printf(" --transparent");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_print(const void *ip, const struct xt_entry_match *match,
|
|
Packit Service |
d1fe03 |
int numeric)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(" socket");
|
|
Packit Service |
d1fe03 |
socket_mt_save(ip, match);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_save_v2(const void *ip, const struct xt_entry_match *match)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
const struct xt_socket_mtinfo2 *info = (const void *)match->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_TRANSPARENT)
|
|
Packit Service |
d1fe03 |
printf(" --transparent");
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_NOWILDCARD)
|
|
Packit Service |
d1fe03 |
printf(" --nowildcard");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_print_v2(const void *ip, const struct xt_entry_match *match,
|
|
Packit Service |
d1fe03 |
int numeric)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(" socket");
|
|
Packit Service |
d1fe03 |
socket_mt_save_v2(ip, match);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_save_v3(const void *ip, const struct xt_entry_match *match)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
const struct xt_socket_mtinfo3 *info = (const void *)match->data;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_TRANSPARENT)
|
|
Packit Service |
d1fe03 |
printf(" --transparent");
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_NOWILDCARD)
|
|
Packit Service |
d1fe03 |
printf(" --nowildcard");
|
|
Packit Service |
d1fe03 |
if (info->flags & XT_SOCKET_RESTORESKMARK)
|
|
Packit Service |
d1fe03 |
printf(" --restore-skmark");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
socket_mt_print_v3(const void *ip, const struct xt_entry_match *match,
|
|
Packit Service |
d1fe03 |
int numeric)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf(" socket");
|
|
Packit Service |
d1fe03 |
socket_mt_save_v3(ip, match);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static struct xtables_match socket_mt_reg[] = {
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
.name = "socket",
|
|
Packit Service |
d1fe03 |
.revision = 0,
|
|
Packit Service |
d1fe03 |
.family = NFPROTO_IPV4,
|
|
Packit Service |
d1fe03 |
.version = XTABLES_VERSION,
|
|
Packit Service |
d1fe03 |
.size = XT_ALIGN(0),
|
|
Packit Service |
d1fe03 |
.userspacesize = XT_ALIGN(0),
|
|
Packit Service |
d1fe03 |
},
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
.name = "socket",
|
|
Packit Service |
d1fe03 |
.revision = 1,
|
|
Packit Service |
d1fe03 |
.family = NFPROTO_UNSPEC,
|
|
Packit Service |
d1fe03 |
.version = XTABLES_VERSION,
|
|
Packit Service |
d1fe03 |
.size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
|
|
Packit Service |
d1fe03 |
.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
|
|
Packit Service |
d1fe03 |
.help = socket_mt_help,
|
|
Packit Service |
d1fe03 |
.print = socket_mt_print,
|
|
Packit Service |
d1fe03 |
.save = socket_mt_save,
|
|
Packit Service |
d1fe03 |
.x6_parse = socket_mt_parse,
|
|
Packit Service |
d1fe03 |
.x6_options = socket_mt_opts,
|
|
Packit Service |
d1fe03 |
},
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
.name = "socket",
|
|
Packit Service |
d1fe03 |
.revision = 2,
|
|
Packit Service |
d1fe03 |
.family = NFPROTO_UNSPEC,
|
|
Packit Service |
d1fe03 |
.version = XTABLES_VERSION,
|
|
Packit Service |
d1fe03 |
.size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
|
|
Packit Service |
d1fe03 |
.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
|
|
Packit Service |
d1fe03 |
.help = socket_mt_help_v2,
|
|
Packit Service |
d1fe03 |
.print = socket_mt_print_v2,
|
|
Packit Service |
d1fe03 |
.save = socket_mt_save_v2,
|
|
Packit Service |
d1fe03 |
.x6_parse = socket_mt_parse_v2,
|
|
Packit Service |
d1fe03 |
.x6_options = socket_mt_opts_v2,
|
|
Packit Service |
d1fe03 |
},
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
.name = "socket",
|
|
Packit Service |
d1fe03 |
.revision = 3,
|
|
Packit Service |
d1fe03 |
.family = NFPROTO_UNSPEC,
|
|
Packit Service |
d1fe03 |
.version = XTABLES_VERSION,
|
|
Packit Service |
d1fe03 |
.size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
|
|
Packit Service |
d1fe03 |
.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
|
|
Packit Service |
d1fe03 |
.help = socket_mt_help_v3,
|
|
Packit Service |
d1fe03 |
.print = socket_mt_print_v3,
|
|
Packit Service |
d1fe03 |
.save = socket_mt_save_v3,
|
|
Packit Service |
d1fe03 |
.x6_parse = socket_mt_parse_v3,
|
|
Packit Service |
d1fe03 |
.x6_options = socket_mt_opts_v3,
|
|
Packit Service |
d1fe03 |
},
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
void _init(void)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
|
|
Packit Service |
d1fe03 |
}
|