[resend net-next] socket: Added 'transparent' option

[resend net-next] socket: Added 'transparent' option

[Laszlo Attila Toth]

Added new revision of the 'socket' match. If its new option is set,
enabled 'transparent' socket option is required for the socket to be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_socket.h |    8 +++++
 net/netfilter/xt_socket.c           |   57 +++++++++++++++++++++++++++++-----
 2 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..71acb54
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info1 {
+	__u8 transparent;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..6a2453d 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     bool check_transparent)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
@@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent);
+		const struct xt_socket_match_info1 *info = NULL;
+
+		if (check_transparent)
+			info = par->matchinfo;
 
 		nf_tproxy_put_sock(sk);
+
 		if (wildcard)
 			sk = NULL;
+		else if (check_transparent && info->transparent &&
+			 !transparent)
+			sk = NULL;
 	}
 
 	pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
@@ -157,23 +172,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (sk != NULL);
 }
 
-static struct xt_match socket_mt_reg __read_mostly = {
-	.name		= "socket",
-	.family		= AF_INET,
-	.match		= socket_mt,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, false);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, true);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.family		= NFPROTO_IPV4,
+		.match		= socket_mt_v0,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= AF_INET,
+		.match		= socket_mt_v1,
+		.matchsize	= sizeof(struct xt_socket_match_info1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_match(&socket_mt_reg);
+	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 static void __exit socket_mt_exit(void)
 {
-	xt_unregister_match(&socket_mt_reg);
+	xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 module_init(socket_mt_init);
-- 
1.6.2.2.404.ge96f3

[resend iptables] socket: Added 'transparent' option

[Laszlo Attila Toth]

Added new revision of the 'socket' match. If its new option is set,
enabled 'transparent' socket option is required for the socket to be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_socket.h |    8 +++++
 net/netfilter/xt_socket.c           |   57 +++++++++++++++++++++++++++++-----
 2 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..71acb54
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info1 {
+	__u8 transparent;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..6a2453d 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     bool check_transparent)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
@@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent);
+		const struct xt_socket_match_info1 *info = NULL;
+
+		if (check_transparent)
+			info = par->matchinfo;
 
 		nf_tproxy_put_sock(sk);
+
 		if (wildcard)
 			sk = NULL;
+		else if (check_transparent && info->transparent &&
+			 !transparent)
+			sk = NULL;
 	}
 
 	pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
@@ -157,23 +172,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (sk != NULL);
 }
 
-static struct xt_match socket_mt_reg __read_mostly = {
-	.name		= "socket",
-	.family		= AF_INET,
-	.match		= socket_mt,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, false);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, true);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.family		= NFPROTO_IPV4,
+		.match		= socket_mt_v0,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= AF_INET,
+		.match		= socket_mt_v1,
+		.matchsize	= sizeof(struct xt_socket_match_info1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_match(&socket_mt_reg);
+	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 static void __exit socket_mt_exit(void)
 {
-	xt_unregister_match(&socket_mt_reg);
+	xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 module_init(socket_mt_init);
-- 
1.6.2.2.404.ge96f3

Re: [resend net-next] socket: Added 'transparent' option

[Patrick McHardy]

Laszlo Attila Toth wrote:
> +++ b/include/linux/netfilter/xt_socket.h
> @@ -0,0 +1,8 @@
> +#ifndef _XT_SOCKET_H_match
> +#define _XT_SOCKET_H_match
> +
> +struct xt_socket_match_info1 {
> +	__u8 transparent;
> +};

Please use a bitmask.

>  static bool
> -socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
> +socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
> +	     bool check_transparent)
>  {
>  	const struct iphdr *iph = ip_hdr(skb);
>  	struct udphdr _hdr, *hp = NULL;
> @@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>  				   saddr, daddr, sport, dport, par->in, false);
>  	if (sk != NULL) {
>  		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
> +		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
> +					inet_sk(sk)->transparent) ||
> +				   (sk->sk_state == TCP_TIME_WAIT &&
> +					inet_twsk(sk)->tw_transparent);
> +		const struct xt_socket_match_info1 *info = NULL;

This is not particulary well readable. Please do the initializations
seperately from the definitions.

> +
> +		if (check_transparent)
> +			info = par->matchinfo;

How about just passing par->matchinfo to socket_match()?

>  		nf_tproxy_put_sock(sk);
> +
>  		if (wildcard)
>  			sk = NULL;
> +		else if (check_transparent && info->transparent &&
> +			 !transparent)
> +			sk = NULL;

Please add a comment what this is doing exactly. And why do the lookup
at all in this case?

Re: [resend net-next] socket: Added 'transparent' option

[Jan Engelhardt]

On Thursday 2009-06-04 15:34, Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> +++ b/include/linux/netfilter/xt_socket.h
>> @@ -0,0 +1,8 @@
>> +#ifndef _XT_SOCKET_H_match
>> +#define _XT_SOCKET_H_match
>> +
>> +struct xt_socket_match_info1 {
>> +	__u8 transparent;
>> +};
>
> Please use a bitmask.

enum {
	XT_SOCKET_TRANSPARENT = 1 << 0,
};

struct xt_socket_mtinfo1 {
	__u8 flags;
};

Re: [resend net-next] socket: Added 'transparent' option

[Laszlo Attila Toth]

Jan Engelhardt írta:
> On Thursday 2009-06-04 15:34, Patrick McHardy wrote:
>> Laszlo Attila Toth wrote:
>>> +++ b/include/linux/netfilter/xt_socket.h
>>> @@ -0,0 +1,8 @@
>>> +#ifndef _XT_SOCKET_H_match
>>> +#define _XT_SOCKET_H_match
>>> +
>>> +struct xt_socket_match_info1 {
>>> +	__u8 transparent;
>>> +};
>> Please use a bitmask.
> 
> enum {
> 	XT_SOCKET_TRANSPARENT = 1 << 0,
> };
> 
> struct xt_socket_mtinfo1 {
> 	__u8 flags;
> };
> 

Thanks.

My first thought was simply: = 1, without offset (and of course = 2 ...).

I'm also working on a newer revision of the limit match, which is almost 
done. It can be inverted (! --limit ...). I think in this case a 
bitfield can be used, but it is probably not necessary, the following 
extra member is enogh:

	u_int32_t invert;

(I wouldn't like to resend the patch it if it is not the best choice).

-- 
Attila
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [resend net-next] socket: Added 'transparent' option

[Jan Engelhardt]

On Thursday 2009-06-04 17:27, Laszlo Attila Toth wrote:
>
> I'm also working on a newer revision of the limit match, which is almost done.
> It can be inverted (! --limit ...).

Take a look at hashlimit, where for the userspace interaction, the
use of ambiguous negations is avoided: --hashlimit-above /
--hashlimit-below; only behind the curtain is it encoded into a
negation. I wish that this logic be kept for future developments.

>I think in this case a bitfield can be
> used, but it is probably not necessary, the following extra member is enogh:
>
> 	u_int32_t invert;

That is pretty large for a single inversion. Again, make it a "flags"
variable, maybe there will be more flags in future, who knows.

Also, if possible, try combining all the TBF implementations; limit
and hashlimit are so close to each other, the latter would only need
a "--hashlimit-mode notuple" (from a userspace pov) , and xt_limit
could be obsoleted.
Furthermore, we have xt_rateest now, so is the work on the TBF
limiters really justified?

Re: [resend net-next] socket: Added 'transparent' option

[Patrick McHardy]

Jan Engelhardt wrote:
> On Thursday 2009-06-04 17:27, Laszlo Attila Toth wrote:
> Also, if possible, try combining all the TBF implementations; limit
> and hashlimit are so close to each other, the latter would only need
> a "--hashlimit-mode notuple" (from a userspace pov) , and xt_limit
> could be obsoleted.

If we're going to touch the ABI and add a new revision, we should
at the same time try to get rid of the resolution problems so we
don't need yet another reversion when someone finally fixes this.

Re: [resend net-next] socket: Added 'transparent' option

[Laszlo Attila Toth]

Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>>          nf_tproxy_put_sock(sk);
>> +
>>          if (wildcard)
>>              sk = NULL;
>> +        else if (check_transparent && info->transparent &&
>> +             !transparent)
>> +            sk = NULL;
> 
> Please add a comment what this is doing exactly. And why do the lookup
> at all in this case?
> 

We need a socket lookup because without it we can't know the listening 
address and the socket's transparent state (socket option). After all of 
these pieces of information is gathered, the socket can be put back.

-- 
Attila

[resend2] Socket match with transparent option, take 2

[Laszlo Attila Toth]

Hi Patrick,

I updated the code as you and Jan suggested: added flags,
more readable and documented conditions within xt_socket.c

--
Attila

[resend2 net-next] socket: added mtinfo with 'transparent' flag

[Laszlo Attila Toth]

Added new revision of the 'socket' match supporting flags.

If the XT_SOCKET_TRANSPARENT flag is set, enabled 'transparent'
socket option is required for the socket to be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 net/netfilter/xt_socket.c |   63 +++++++++++++++++++++++++++++++++++++--------
 1 files changed, 52 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..f97270c 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     const struct xt_socket_mtinfo1 *info)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
@@ -141,10 +144,24 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
-		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool wildcard;
+		bool transparent = true;
+
+		/* Ignore sockets listening on INADDR_ANY */
+		wildcard = (sk->sk_state != TCP_TIME_WAIT &&
+			    inet_sk(sk)->rcv_saddr == 0);
+
+		/* Ignore non-transparent sockets,
+		   if XT_SOCKET_TRANSPARENT is used */
+		if (info && info->flags & XT_SOCKET_TRANSPARENT)
+			transparent = ((sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				       (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent));
 
 		nf_tproxy_put_sock(sk);
-		if (wildcard)
+
+		if (wildcard || !transparent)
 			sk = NULL;
 	}
 
@@ -157,23 +174,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (sk != NULL);
 }
 
-static struct xt_match socket_mt_reg __read_mostly = {
-	.name		= "socket",
-	.family		= AF_INET,
-	.match		= socket_mt,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, NULL);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, par->matchinfo);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.family		= NFPROTO_IPV4,
+		.match		= socket_mt_v0,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= AF_INET,
+		.match		= socket_mt_v1,
+		.matchsize	= sizeof(struct xt_socket_mtinfo1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_match(&socket_mt_reg);
+	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 static void __exit socket_mt_exit(void)
 {
-	xt_unregister_match(&socket_mt_reg);
+	xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 module_init(socket_mt_init);
-- 
1.6.2.2.404.ge96f3

[resend2 iptables] socket match: new revision, match transparent sockets

[Laszlo Attila Toth]

Added new revision of the socket match.

if the '--transparent' parameter is specified, the sockets without
set transparent socket option are ignored.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 extensions/libxt_socket.c           |   95 +++++++++++++++++++++++++++++-----
 extensions/libxt_socket.man         |    6 ++-
 include/linux/netfilter/xt_socket.h |   12 ++++
 3 files changed, 98 insertions(+), 15 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index eebc7c5..2230a93 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -6,34 +6,101 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
-static void socket_mt_help(void)
+static void socket_mt_help_v0(void)
 {
-	printf("socket v%s has no options\n\n", XTABLES_VERSION);
+	printf("socket match has no options.\n\n");
 }
 
-static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
-			const void *entry, struct xt_entry_match **match)
+static void socket_mt_help_v1(void)
+{
+	printf("socket match options:\n"
+"--transparent      Matches only if the socket's transparent option is set\n");
+}
+
+static const struct option socket_opts_v1[] = {
+	{ "transparent", 0, NULL, '1' },
+	{ }
+};
+
+static int socket_mt_parse_v0(int c, char **argv, int invert,
+			      unsigned int *flags, const void *entry,
+			      struct xt_entry_match **match)
 {
 	return 0;
 }
 
+static int socket_mt_parse_v1(int c, char **argv, int invert,
+			      unsigned int *flags, const void *entry,
+			      struct xt_entry_match **match)
+{
+	struct xt_socket_mtinfo1 *info = (void *) (*match)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Can't specify multiple --transparent");
+		info->flags |= XT_SOCKET_TRANSPARENT;
+		*flags = 1;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
 static void socket_mt_check(unsigned int flags)
 {
 }
 
-static struct xtables_match socket_mt_reg = {
-	.name	       = "socket",
-	.version       = XTABLES_VERSION,
-	.family	       = NFPROTO_IPV4,
-	.size	       = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
-	.parse	       = socket_mt_parse,
-	.final_check   = socket_mt_check,
-	.help	       = socket_mt_help,
+static void socket_mt_print_v1(const void *ip,
+			       const struct xt_entry_match *match,
+			       int numeric)
+{
+	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+	printf("socket ");
+	if (info->flags & XT_SOCKET_TRANSPARENT)
+		printf("transparent ");
+}
+
+static void socket_mt_save_v1(const void *ip,
+			      const struct xt_entry_match *match)
+{
+	const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+	if (info->flags & XT_SOCKET_TRANSPARENT)
+		printf("--transparent ");
+}
+
+static struct xtables_match socket_mt_reg_v0 = {
+	.name		= "socket",
+	.revision	= 0,
+	.version	= XTABLES_VERSION,
+	.family		= NFPROTO_IPV4,
+	.parse		= socket_mt_parse_v0,
+	.final_check	= socket_mt_check,
+	.help		= socket_mt_help_v0,
+};
+
+static struct xtables_match socket_mt_reg_v1 = {
+	.name		= "socket",
+	.version	= XTABLES_VERSION,
+	.revision	= 1,
+	.family		= NFPROTO_IPV4,
+	.size		= XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+	.parse		= socket_mt_parse_v1,
+	.print		= socket_mt_print_v1,
+	.save		= socket_mt_save_v1,
+	.final_check	= socket_mt_check,
+	.help		= socket_mt_help_v1,
+	.extra_opts	= socket_opts_v1,
 };
 
 void _init(void)
 {
-	xtables_register_match(&socket_mt_reg);
+	xtables_register_match(&socket_mt_reg_v0);
+	xtables_register_match(&socket_mt_reg_v1);
 }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..edc9d75 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,6 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..f6ba866
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+	XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+	__u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */
-- 
1.6.2.2.404.ge96f3

Re: [resend2 net-next] socket: added mtinfo with 'transparent' flag

[Patrick McHardy]

Laszlo Attila Toth wrote:
>  net/netfilter/xt_socket.c |   63 +++++++++++++++++++++++++++++++++++++--------

> +#include <linux/netfilter/xt_socket.h>

-ENOCOMPILE

> +	{
> +		.name		= "socket",
> +		.revision	= 1,
> +		.family		= AF_INET,

NFPROTO_IPV4 please.

> +		.match		= socket_mt_v1,
> +		.matchsize	= sizeof(struct xt_socket_mtinfo1),
> +		.hooks		= 1 << NF_INET_PRE_ROUTING,
> +		.me		= THIS_MODULE,
> +	},

[net-next] socket: added mtinfo with 'transparent' flag

[Laszlo Attila Toth]

Added new revision of the 'socket' match supporting flags.

If the XT_SOCKET_TRANSPARENT flag is set, enabled 'transparent'
socket option is required for the socket to be matched.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_socket.h |   12 +++++++
 net/netfilter/xt_socket.c           |   63 ++++++++++++++++++++++++++++------
 2 files changed, 64 insertions(+), 11 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..f6ba866
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+enum {
+	XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+	__u8 flags;
+};
+
+#endif /* _XT_SOCKET_H_match */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1acc089..ebf00ad 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
+#include <linux/netfilter/xt_socket.h>
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #define XT_SOCKET_HAVE_CONNTRACK 1
 #include <net/netfilter/nf_conntrack.h>
@@ -86,7 +88,8 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     const struct xt_socket_mtinfo1 *info)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
@@ -141,10 +144,24 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
-		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool wildcard;
+		bool transparent = true;
+
+		/* Ignore sockets listening on INADDR_ANY */
+		wildcard = (sk->sk_state != TCP_TIME_WAIT &&
+			    inet_sk(sk)->rcv_saddr == 0);
+
+		/* Ignore non-transparent sockets,
+		   if XT_SOCKET_TRANSPARENT is used */
+		if (info && info->flags & XT_SOCKET_TRANSPARENT)
+			transparent = ((sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				       (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent));
 
 		nf_tproxy_put_sock(sk);
-		if (wildcard)
+
+		if (wildcard || !transparent)
 			sk = NULL;
 	}
 
@@ -157,23 +174,47 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (sk != NULL);
 }
 
-static struct xt_match socket_mt_reg __read_mostly = {
-	.name		= "socket",
-	.family		= AF_INET,
-	.match		= socket_mt,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static bool
+socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, NULL);
+}
+
+static bool
+socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	return socket_match(skb, par, par->matchinfo);
+}
+
+static struct xt_match socket_mt_reg[] __read_mostly = {
+	{
+		.name		= "socket",
+		.revision	= 0,
+		.family		= NFPROTO_IPV4,
+		.match		= socket_mt_v0,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= NFPROTO_IPV4,
+		.match		= socket_mt_v1,
+		.matchsize	= sizeof(struct xt_socket_mtinfo1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_match(&socket_mt_reg);
+	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 static void __exit socket_mt_exit(void)
 {
-	xt_unregister_match(&socket_mt_reg);
+	xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
 module_init(socket_mt_init);
-- 
1.6.2.2.404.ge96f3

Re: [net-next] socket: added mtinfo with 'transparent' flag

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Added new revision of the 'socket' match supporting flags.
> 
> If the XT_SOCKET_TRANSPARENT flag is set, enabled 'transparent'
> socket option is required for the socket to be matched.

Applied, thanks.

> +#ifndef _XT_SOCKET_H_match
> +#define _XT_SOCKET_H_match

and removed _match.