1/* Kernel module to match various things tied to sockets associated with
2   locally generated outgoing packets. */
3
4/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10
11#include <linux/module.h>
12#include <linux/skbuff.h>
13#include <linux/file.h>
14#include <linux/rcupdate.h>
15#include <net/sock.h>
16
17#include <linux/netfilter_ipv6/ip6t_owner.h>
18#include <linux/netfilter_ipv6/ip6_tables.h>
19#include <linux/netfilter/x_tables.h>
20
21MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
22MODULE_DESCRIPTION("IP6 tables owner matching module");
23MODULE_LICENSE("GPL");
24
25
26static int
27match(const struct sk_buff *skb,
28      const struct net_device *in,
29      const struct net_device *out,
30      const struct xt_match *match,
31      const void *matchinfo,
32      int offset,
33      unsigned int protoff,
34      int *hotdrop)
35{
36	const struct ip6t_owner_info *info = matchinfo;
37
38	if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
39		return 0;
40
41	if (info->match & IP6T_OWNER_UID) {
42		if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
43		    !!(info->invert & IP6T_OWNER_UID))
44			return 0;
45	}
46
47	if (info->match & IP6T_OWNER_GID) {
48		if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
49		    !!(info->invert & IP6T_OWNER_GID))
50			return 0;
51	}
52
53	return 1;
54}
55
56static int
57checkentry(const char *tablename,
58	   const void *ip,
59	   const struct xt_match *match,
60	   void *matchinfo,
61	   unsigned int hook_mask)
62{
63	const struct ip6t_owner_info *info = matchinfo;
64
65	if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
66		printk("ipt_owner: pid and sid matching "
67		       "not supported anymore\n");
68		return 0;
69	}
70	return 1;
71}
72
73static struct xt_match owner_match = {
74	.name		= "owner",
75	.family		= AF_INET6,
76	.match		= match,
77	.matchsize	= sizeof(struct ip6t_owner_info),
78	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
79	.checkentry	= checkentry,
80	.me		= THIS_MODULE,
81};
82
83static int __init ip6t_owner_init(void)
84{
85	return xt_register_match(&owner_match);
86}
87
88static void __exit ip6t_owner_fini(void)
89{
90	xt_unregister_match(&owner_match);
91}
92
93module_init(ip6t_owner_init);
94module_exit(ip6t_owner_fini);
95