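/*
 * Kernel module to match various things tied to sockets associated with
 * locally generated outgoing packets.
 *
 * Only the UID and GID of the file behind the sending socket are matched;
 * PID and SID matching is refused at rule-load time (see checkentry()).
 */

/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/file.h>
#include <linux/rcupdate.h>
#include <net/sock.h>

#include <linux/netfilter_ipv6/ip6t_owner.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>

MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("IP6 tables owner matching module");
MODULE_LICENSE("GPL");

/*
 * match - decide whether @skb satisfies an "owner" rule.
 * @skb:       packet under inspection; its owning socket (if any) is read
 * @in, @out:  hook devices, unused here
 * @match:     the registered xt_match, unused here
 * @matchinfo: rule data, a struct ip6t_owner_info
 * @offset:    fragment offset, unused here
 * @protoff:   transport header offset, unused here
 * @hotdrop:   never set; this match does not drop packets itself
 *
 * Returns 1 when every selected field (UID and/or GID) satisfies the rule,
 * 0 otherwise.
 */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	const struct ip6t_owner_info *info = matchinfo;
	const struct file *filp;

	/*
	 * Credentials are only available for packets sent from a local
	 * socket that is backed by a file.  Anything else (forwarded traffic
	 * seen at POST_ROUTING, kernel-internal sockets without a file) is
	 * treated as a non-match.  This happens before the invert flags are
	 * consulted, so an inverted rule ("! --uid-owner X") does not match
	 * such packets either; policies that rely on inversion to catch
	 * socket-less traffic will not behave as expected.
	 */
	if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
		return 0;

	filp = skb->sk->sk_socket->file;

	/*
	 * For each selected field, XOR the "does not match" result with that
	 * field's invert flag: a plain rule fails on inequality, an inverted
	 * rule fails on equality.  The !! normalises the flag bit to 0/1 so
	 * the XOR with the comparison result is well-defined for every bit
	 * position.
	 */
	if (info->match & IP6T_OWNER_UID) {
		if ((filp->f_uid != info->uid) ^
		    !!(info->invert & IP6T_OWNER_UID))
			return 0;
	}

	if (info->match & IP6T_OWNER_GID) {
		if ((filp->f_gid != info->gid) ^
		    !!(info->invert & IP6T_OWNER_GID))
			return 0;
	}

	return 1;
}

/*
 * checkentry - validate an "owner" rule when it is loaded into a table.
 * @tablename: table the rule is being added to, unused here
 * @ip:        the IPv6 rule header, unused here
 * @match:     the registered xt_match, unused here
 * @matchinfo: rule data, a struct ip6t_owner_info
 * @hook_mask: hooks the rule is attached to, unused here
 *
 * Returns 1 to accept the rule, 0 to reject it.  Rules selecting PID or
 * SID matching are rejected up front, with a log line, rather than being
 * accepted and silently never matching.
 */
static int
checkentry(const char *tablename,
	   const void *ip,
	   const struct xt_match *match,
	   void *matchinfo,
	   unsigned int hook_mask)
{
	const struct ip6t_owner_info *info = matchinfo;

	if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
		/* Log under this module's own name, not the IPv4 ipt_owner's. */
		printk(KERN_INFO "ip6t_owner: pid and sid matching "
		       "not supported anymore\n");
		return 0;
	}
	return 1;
}

/*
 * Registration record.  The match is restricted to LOCAL_OUT and
 * POST_ROUTING, the only hooks where a locally generated packet can still
 * be tied to its sending socket.
 */
static struct xt_match owner_match = {
	.name		= "owner",
	.family		= AF_INET6,
	.match		= match,
	.matchsize	= sizeof(struct ip6t_owner_info),
	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
	.checkentry	= checkentry,
	.me		= THIS_MODULE,
};

/* Module entry: register the match with x_tables; returns its status. */
static int __init ip6t_owner_init(void)
{
	return xt_register_match(&owner_match);
}

/* Module exit: remove the match from x_tables. */
static void __exit ip6t_owner_fini(void)
{
	xt_unregister_match(&owner_match);
}

module_init(ip6t_owner_init);
module_exit(ip6t_owner_fini);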