[netfilter-cvslog] r3716 - trunk/patch-o-matic-ng/owner-socketlookup

laforge at netfilter.org laforge at netfilter.org
Wed Feb 16 14:42:36 CET 2005


Author: laforge at netfilter.org
Date: 2005-02-16 14:42:35 +0100 (Wed, 16 Feb 2005)
New Revision: 3716

Added:
   trunk/patch-o-matic-ng/owner-socketlookup/linux-2.6.10.patch
Log:
2.6.10 merge (Jonas Berlin)


Added: trunk/patch-o-matic-ng/owner-socketlookup/linux-2.6.10.patch
===================================================================
--- trunk/patch-o-matic-ng/owner-socketlookup/linux-2.6.10.patch	2005-02-15 13:49:13 UTC (rev 3715)
+++ trunk/patch-o-matic-ng/owner-socketlookup/linux-2.6.10.patch	2005-02-16 13:42:35 UTC (rev 3716)
@@ -0,0 +1,216 @@
+diff -ur --exclude-from=/tmp/srcdiff.excludes.PySd63 --new-file orig-linux-2.6.10/include/net/tcp.h linux-2.6.10/include/net/tcp.h
+--- orig-linux-2.6.10/include/net/tcp.h	2004-12-24 23:34:00.000000000 +0200
++++ linux-2.6.10/include/net/tcp.h	2005-02-15 15:08:11.058007978 +0200
+@@ -159,6 +159,7 @@
+ extern void tcp_bucket_destroy(struct tcp_bind_bucket *tb);
+ extern void tcp_bucket_unlock(struct sock *sk);
+ extern int tcp_port_rover;
++extern struct sock *tcp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 hnum, int dif);
+ 
+ /* These are AF independent. */
+ static __inline__ int tcp_bhashfn(__u16 lport)
+diff -ur --exclude-from=/tmp/srcdiff.excludes.PySd63 --new-file orig-linux-2.6.10/include/net/udp.h linux-2.6.10/include/net/udp.h
+--- orig-linux-2.6.10/include/net/udp.h	2004-12-24 23:35:24.000000000 +0200
++++ linux-2.6.10/include/net/udp.h	2005-02-15 15:06:06.695143766 +0200
+@@ -74,6 +74,8 @@
+ extern unsigned int udp_poll(struct file *file, struct socket *sock,
+ 			     poll_table *wait);
+ 
++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
++
+ DECLARE_SNMP_STAT(struct udp_mib, udp_statistics);
+ #define UDP_INC_STATS(field)		SNMP_INC_STATS(udp_statistics, field)
+ #define UDP_INC_STATS_BH(field)		SNMP_INC_STATS_BH(udp_statistics, field)
+diff -ur --exclude-from=/tmp/srcdiff.excludes.PySd63 --new-file orig-linux-2.6.10/net/ipv4/netfilter/ipt_owner.c linux-2.6.10/net/ipv4/netfilter/ipt_owner.c
+--- orig-linux-2.6.10/net/ipv4/netfilter/ipt_owner.c	2004-12-24 23:35:28.000000000 +0200
++++ linux-2.6.10/net/ipv4/netfilter/ipt_owner.c	2005-02-15 15:06:06.697143458 +0200
+@@ -6,12 +6,19 @@
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+  * published by the Free Software Foundation.
++ *
++ * 03/26/2003 Patrick McHardy <kaber at trash.net>	: LOCAL_IN support
+  */
+ 
+ #include <linux/module.h>
+ #include <linux/skbuff.h>
+ #include <linux/file.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/udp.h>
+ #include <net/sock.h>
++#include <net/tcp.h>
++#include <net/udp.h>
+ 
+ #include <linux/netfilter_ipv4/ipt_owner.h>
+ #include <linux/netfilter_ipv4/ip_tables.h>
+@@ -21,7 +28,7 @@
+ MODULE_DESCRIPTION("iptables owner match");
+ 
+ static int
+-match_comm(const struct sk_buff *skb, const char *comm)
++match_comm(const struct sock *sk, const char *comm)
+ {
+ 	struct task_struct *g, *p;
+ 	struct files_struct *files;
+@@ -38,7 +45,7 @@
+ 			spin_lock(&files->file_lock);
+ 			for (i=0; i < files->max_fds; i++) {
+ 				if (fcheck_files(files, i) ==
+-				    skb->sk->sk_socket->file) {
++				    sk->sk_socket->file) {
+ 					spin_unlock(&files->file_lock);
+ 					task_unlock(p);
+ 					read_unlock(&tasklist_lock);
+@@ -54,7 +61,7 @@
+ }
+ 
+ static int
+-match_pid(const struct sk_buff *skb, pid_t pid)
++match_pid(const struct sock *sk, pid_t pid)
+ {
+ 	struct task_struct *p;
+ 	struct files_struct *files;
+@@ -70,7 +77,7 @@
+ 		spin_lock(&files->file_lock);
+ 		for (i=0; i < files->max_fds; i++) {
+ 			if (fcheck_files(files, i) ==
+-			    skb->sk->sk_socket->file) {
++			    sk->sk_socket->file) {
+ 				spin_unlock(&files->file_lock);
+ 				task_unlock(p);
+ 				read_unlock(&tasklist_lock);
+@@ -86,10 +93,10 @@
+ }
+ 
+ static int
+-match_sid(const struct sk_buff *skb, pid_t sid)
++match_sid(const struct sock *sk, pid_t sid)
+ {
+ 	struct task_struct *g, *p;
+-	struct file *file = skb->sk->sk_socket->file;
++	struct file *file = sk->sk_socket->file;
+ 	int i, found=0;
+ 
+ 	read_lock(&tasklist_lock);
+@@ -129,41 +136,71 @@
+       int *hotdrop)
+ {
+ 	const struct ipt_owner_info *info = matchinfo;
++	struct iphdr *iph = skb->nh.iph;
++	struct sock *sk = NULL;
++	int ret = 0;
++
++	if (out) {
++		sk = skb->sk;
++	} else {
++		if (iph->protocol == IPPROTO_TCP) {
++			struct tcphdr *tcph =
++				(struct tcphdr *)((u_int32_t *)iph + iph->ihl);
++			sk = tcp_v4_lookup(iph->saddr, tcph->source,
++			                   iph->daddr, tcph->dest,
++			                   skb->dev->ifindex);
++			if (sk && sk->sk_state == TCP_TIME_WAIT) {
++				tcp_tw_put((struct tcp_tw_bucket *)sk);
++				return ret;
++			}
++		} else if (iph->protocol == IPPROTO_UDP) {
++			struct udphdr *udph =
++				(struct udphdr *)((u_int32_t *)iph + iph->ihl);
++			sk = udp_v4_lookup(iph->saddr, udph->source, iph->daddr,
++			                   udph->dest, skb->dev->ifindex);
++		}
++	}
+ 
+-	if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
+-		return 0;
++	if (!sk || !sk->sk_socket || !sk->sk_socket->file)
++		goto out;
+ 
+ 	if(info->match & IPT_OWNER_UID) {
+-		if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
++		if ((sk->sk_socket->file->f_uid != info->uid) ^
+ 		    !!(info->invert & IPT_OWNER_UID))
+-			return 0;
++			goto out;
+ 	}
+ 
+ 	if(info->match & IPT_OWNER_GID) {
+-		if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
++		if ((sk->sk_socket->file->f_gid != info->gid) ^
+ 		    !!(info->invert & IPT_OWNER_GID))
+-			return 0;
++			goto out;
+ 	}
+ 
+ 	if(info->match & IPT_OWNER_PID) {
+-		if (!match_pid(skb, info->pid) ^
++		if (!match_pid(sk, info->pid) ^
+ 		    !!(info->invert & IPT_OWNER_PID))
+-			return 0;
++			goto out;
+ 	}
+ 
+ 	if(info->match & IPT_OWNER_SID) {
+-		if (!match_sid(skb, info->sid) ^
++		if (!match_sid(sk, info->sid) ^
+ 		    !!(info->invert & IPT_OWNER_SID))
+-			return 0;
++			goto out;
+ 	}
+ 
+ 	if(info->match & IPT_OWNER_COMM) {
+-		if (!match_comm(skb, info->comm) ^
++		if (!match_comm(sk, info->comm) ^
+ 		    !!(info->invert & IPT_OWNER_COMM))
+-			return 0;
++			goto out;
+ 	}
+ 
+-	return 1;
++	ret = 1;
++
++out:
++	if (in && sk)
++		sock_put(sk);
++
++	return ret;
+ }
+ 
+ static int
+@@ -173,11 +210,19 @@
+            unsigned int matchsize,
+            unsigned int hook_mask)
+ {
+-        if (hook_mask
+-            & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
+-                printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
+-                return 0;
+-        }
++	if (hook_mask
++	    & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING) |
++	    (1 << NF_IP_LOCAL_IN))) {
++		printk("ipt_owner: only valid for LOCAL_IN, LOCAL_OUT "
++		       "or POST_ROUTING.\n");
++		return 0;
++	}
++
++	if ((hook_mask & (1 << NF_IP_LOCAL_IN))
++	    && ip->proto != IPPROTO_TCP && ip->proto != IPPROTO_UDP) {
++		printk("ipt_owner: only TCP or UDP can be used in LOCAL_IN\n");
++		return 0;
++	}
+ 
+ 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
+ 		printk("Matchsize %u != %Zu\n", matchsize,
+diff -ur --exclude-from=/tmp/srcdiff.excludes.PySd63 --new-file orig-linux-2.6.10/net/ipv4/udp.c linux-2.6.10/net/ipv4/udp.c
+--- orig-linux-2.6.10/net/ipv4/udp.c	2004-12-24 23:34:01.000000000 +0200
++++ linux-2.6.10/net/ipv4/udp.c	2005-02-15 15:06:36.329583897 +0200
+@@ -1564,6 +1564,7 @@
+ EXPORT_SYMBOL(udp_prot);
+ EXPORT_SYMBOL(udp_sendmsg);
+ EXPORT_SYMBOL(udp_poll);
++EXPORT_SYMBOL(udp_v4_lookup);
+ 
+ #ifdef CONFIG_PROC_FS
+ EXPORT_SYMBOL(udp_proc_register);
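Review bot: In the new LOCAL_IN branch of the match routine (inner hunk `@@ -129,41 +136,71 @@`, whose function header lies outside the hunk), `tcph->source`/`tcph->dest` and `udph->source`/`udph->dest` are read through a pointer computed from `iph->ihl` with no check that the transport header is actually present in the linear skb data; a short or malformed packet makes this an out-of-bounds read, so the ports should be fetched with a bounded copy (`skb_header_pointer()` into a local header struct, bailing out with `goto out` when it returns NULL) as the other ipv4 matches do, or at least guarded by a length check on `skb->len` against `iph->ihl * 4` plus the header size. The reference handling is also asymmetric: the socket is looked up (and thus held) when `!out`, but released only when `in && sk`, so `if (in && sk)` at the `out:` label should read `if (!out && sk)` to mirror the acquire path. The prototype added to tcp.h names the fourth parameter `hnum`, which suggests host byte order, while the call passes `tcph->dest` in network order; confirm against the definition in net/ipv4/tcp_ipv4.c. Note too that udp.c gains `EXPORT_SYMBOL(udp_v4_lookup)` but no corresponding export is added for `tcp_v4_lookup`, so a modular ipt_owner will fail to load unless that symbol is already exported.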



