Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

[NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner 

xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match
on socket (non-)existence.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Jan Engelhardt 2007-12-04 23:27:38 -08:00 committed by David S. Miller
parent 9e67d5a739
commit 0265ab44ba
11 changed files with 237 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/linux/netfilter/Kbuild
View File

@ -26,6 +26,7 @@ header-y += xt_limit.h
header-y += xt_mac.h
header-y += xt_mark.h
header-y += xt_multiport.h
header-y += xt_owner.h
header-y += xt_pkttype.h
header-y += xt_policy.h
header-y += xt_realm.h

16
include/linux/netfilter/xt_owner.h Normal file
View File

@ -0,0 +1,16 @@
#ifndef _XT_OWNER_MATCH_H
#define _XT_OWNER_MATCH_H
enum {
XT_OWNER_UID = 1 << 0,
XT_OWNER_GID = 1 << 1,
XT_OWNER_SOCKET = 1 << 2,
};
struct xt_owner_match_info {
u_int32_t uid;
u_int32_t gid;
u_int8_t match, invert;
};
#endif /* _XT_OWNER_MATCH_H */

9
net/ipv4/netfilter/Kconfig
View File

@ -111,15 +111,6 @@ config IP_NF_MATCH_TTL
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_OWNER
tristate "Owner match support"
depends on IP_NF_IPTABLES
help
Packet owner matching allows you to match locally-generated packets
based on who created them: the user, group, process or session.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_ADDRTYPE
tristate 'address type match support'
depends on IP_NF_IPTABLES

1
net/ipv4/netfilter/Makefile
View File

@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o

87
net/ipv4/netfilter/ipt_owner.c
View File

@ -1,87 +0,0 @@
/* Kernel module to match various things tied to sockets associated with
locally generated outgoing packets. */
/* (C) 2000 Marc Boucher <marc@mbsi.ca>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/file.h>
#include <linux/rcupdate.h>
#include <net/sock.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter/x_tables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables owner match");
static bool
owner_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
const struct ipt_owner_info *info = matchinfo;
if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
return false;
if(info->match & IPT_OWNER_UID) {
if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
!!(info->invert & IPT_OWNER_UID))
return false;
}
if(info->match & IPT_OWNER_GID) {
if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
!!(info->invert & IPT_OWNER_GID))
return false;
}
return true;
}
static bool
owner_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
const struct ipt_owner_info *info = matchinfo;
if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
printk("ipt_owner: pid, sid and command matching "
"not supported anymore\n");
return false;
}
return true;
}
static struct xt_match owner_mt_reg __read_mostly = {
.name = "owner",
.family = AF_INET,
.match = owner_mt,
.matchsize = sizeof(struct ipt_owner_info),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.checkentry = owner_mt_check,
.me = THIS_MODULE,
};
static int __init owner_mt_init(void)
{
return xt_register_match(&owner_mt_reg);
}
static void __exit owner_mt_exit(void)
{
xt_unregister_match(&owner_mt_reg);
}
module_init(owner_mt_init);
module_exit(owner_mt_exit);

9
net/ipv6/netfilter/Kconfig
View File

@ -89,15 +89,6 @@ config IP6_NF_MATCH_HL
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_OWNER
tristate "Owner match support"
depends on IP6_NF_IPTABLES
help
Packet owner matching allows you to match locally-generated packets
based on who created them: the user, group, process or session.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_IPV6HEADER
tristate "IPv6 Extension Headers Match"
depends on IP6_NF_IPTABLES

1
net/ipv6/netfilter/Makefile
View File

@ -23,7 +23,6 @@ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
# targets

87
net/ipv6/netfilter/ip6t_owner.c
View File

@ -1,87 +0,0 @@
/* Kernel module to match various things tied to sockets associated with
locally generated outgoing packets. */
/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/file.h>
#include <linux/rcupdate.h>
#include <net/sock.h>
#include <linux/netfilter_ipv6/ip6t_owner.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("IP6 tables owner matching module");
MODULE_LICENSE("GPL");
static bool
owner_mt6(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
const struct ip6t_owner_info *info = matchinfo;
if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
return false;
if (info->match & IP6T_OWNER_UID)
if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
!!(info->invert & IP6T_OWNER_UID))
return false;
if (info->match & IP6T_OWNER_GID)
if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
!!(info->invert & IP6T_OWNER_GID))
return false;
return true;
}
static bool
owner_mt6_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
const struct ip6t_owner_info *info = matchinfo;
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
printk("ipt_owner: pid and sid matching "
"not supported anymore\n");
return false;
}
return true;
}
static struct xt_match owner_mt6_reg __read_mostly = {
.name = "owner",
.family = AF_INET6,
.match = owner_mt6,
.matchsize = sizeof(struct ip6t_owner_info),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.checkentry = owner_mt6_check,
.me = THIS_MODULE,
};
static int __init owner_mt6_init(void)
{
return xt_register_match(&owner_mt6_reg);
}
static void __exit owner_mt6_exit(void)
{
xt_unregister_match(&owner_mt6_reg);
}
module_init(owner_mt6_init);
module_exit(owner_mt6_exit);

8
net/netfilter/Kconfig
View File

@ -554,6 +554,14 @@ config NETFILTER_XT_MATCH_MARK
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_OWNER
tristate '"owner" match support'
depends on NETFILTER_XTABLES
---help---
Socket owner matching allows you to match locally-generated packets
based on who created the socket: the user or group. It is also
possible to check whether a socket actually exists.
config NETFILTER_XT_MATCH_POLICY
tristate 'IPsec "policy" match support'
depends on NETFILTER_XTABLES && XFRM

1
net/netfilter/Makefile
View File

@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o

211
net/netfilter/xt_owner.c Normal file
View File

@ -0,0 +1,211 @@
/*
* Kernel module to match various things tied to sockets associated with
* locally generated outgoing packets.
*
* (C) 2000 Marc Boucher <marc@mbsi.ca>
*
* Copyright © CC Computer Consultants GmbH, 2007
* Contact: <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/file.h>
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_owner.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv6/ip6t_owner.h>
static bool
owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
const struct ipt_owner_info *info = matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return false;
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return false;
if (info->match & IPT_OWNER_UID)
if ((filp->f_uid != info->uid) ^
!!(info->invert & IPT_OWNER_UID))
return false;
if (info->match & IPT_OWNER_GID)
if ((filp->f_gid != info->gid) ^
!!(info->invert & IPT_OWNER_GID))
return false;
return true;
}
static bool
owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
const struct ip6t_owner_info *info = matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return false;
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return false;
if (info->match & IP6T_OWNER_UID)
if ((filp->f_uid != info->uid) ^
!!(info->invert & IP6T_OWNER_UID))
return false;
if (info->match & IP6T_OWNER_GID)
if ((filp->f_gid != info->gid) ^
!!(info->invert & IP6T_OWNER_GID))
return false;
return true;
}
static bool
owner_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
const struct xt_owner_match_info *info = matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return (info->match ^ info->invert) == 0;
else if (info->match & info->invert & XT_OWNER_SOCKET)
/*
* Socket exists but user wanted ! --socket-exists.
* (Single ampersands intended.)
*/
return false;
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return ((info->match ^ info->invert) &
(XT_OWNER_UID | XT_OWNER_GID)) == 0;
if (info->match & XT_OWNER_UID)
if ((filp->f_uid != info->uid) ^
!!(info->invert & XT_OWNER_UID))
return false;
if (info->match & XT_OWNER_GID)
if ((filp->f_gid != info->gid) ^
!!(info->invert & XT_OWNER_GID))
return false;
return true;
}
static bool
owner_mt_check_v0(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
const struct ipt_owner_info *info = matchinfo;
if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
printk(KERN_WARNING KBUILD_MODNAME
": PID, SID and command matching is not "
"supported anymore\n");
return false;
}
return true;
}
static bool
owner_mt6_check_v0(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
const struct ip6t_owner_info *info = matchinfo;
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
printk(KERN_WARNING KBUILD_MODNAME
": PID and SID matching is not supported anymore\n");
return false;
}
return true;
}
static struct xt_match owner_mt_reg[] __read_mostly = {
{
.name = "owner",
.revision = 0,
.family = AF_INET,
.match = owner_mt_v0,
.matchsize = sizeof(struct ipt_owner_info),
.checkentry = owner_mt_check_v0,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
.name = "owner",
.revision = 0,
.family = AF_INET6,
.match = owner_mt6_v0,
.matchsize = sizeof(struct ip6t_owner_info),
.checkentry = owner_mt6_check_v0,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
.name = "owner",
.revision = 1,
.family = AF_INET,
.match = owner_mt,
.matchsize = sizeof(struct xt_owner_match_info),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
.name = "owner",
.revision = 1,
.family = AF_INET6,
.match = owner_mt,
.matchsize = sizeof(struct xt_owner_match_info),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
};
static int __init owner_mt_init(void)
{
return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
static void __exit owner_mt_exit(void)
{
xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("netfilter \"owner\" match module");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");