Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/libxt_NFQUEUE.man | 13 | ||||
-rw-r--r-- | extensions/libxt_socket.c | 62 | ||||
-rw-r--r-- | extensions/libxt_socket.man | 21 |
3 files changed, 88 insertions, 8 deletions
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 7a991291..1bfb7b84 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -1,11 +1,12 @@
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
+This target passes the packet to userspace using the
+\fBnfnetlink_queue\fP handler. The packet is put into the queue
+identified by its 16-bit queue number. Userspace can inspect
+and modify the packet if desired. Userspace must then drop or
+reinject the packet into the kernel. Please see libnetfilter_queue
+for details.
 .B nfnetlink_queue
-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
 \fBqueue-bypass\fP in 2.6.39.
 .TP
 \fB\-\-queue\-num\fP \fIvalue\fP
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 39016493..f19c2804 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -9,6 +9,7 @@
 enum {
 O_TRANSPARENT = 0,
+ O_NOWILDCARD = 1,
 };
 static const struct xt_option_entry socket_mt_opts[] = {
@@ -16,6 +17,12 @@ static const struct xt_option_entry socket_mt_opts[] = {
 XTOPT_TABLEEND,
 };
+static const struct xt_option_entry socket_mt_opts_v2[] = {
+ {.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
+ {.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
 static void socket_mt_help(void)
 {
 printf(
@@ -23,6 +30,14 @@ static void socket_mt_help(void)
 " --transparent Ignore non-transparent sockets\n\n");
 }
+static void socket_mt_help_v2(void)
+{
+ printf(
+ "socket match options:\n"
+ " --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n"
+ " --transparent Ignore non-transparent sockets\n\n");
+}
+
 static void socket_mt_parse(struct xt_option_call *cb)
 {
 struct xt_socket_mtinfo1 *info = cb->data;
@@ -35,6 +50,21 @@ static void socket_mt_parse(struct xt_option_call *cb)
 }
 }
+static void socket_mt_parse_v2(struct xt_option_call *cb)
+{
+ struct xt_socket_mtinfo2 *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TRANSPARENT:
+ info->flags |= XT_SOCKET_TRANSPARENT;
+ break;
+ case O_NOWILDCARD:
+ info->flags |= XT_SOCKET_NOWILDCARD;
+ break;
+ }
+}
+
 static void
 socket_mt_save(const void *ip, const struct xt_entry_match *match)
 {
@@ -52,6 +82,25 @@ socket_mt_print(const void *ip, const struct xt_entry_match *match,
 socket_mt_save(ip, match);
 }
+static void
+socket_mt_save_v2(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo2 *info = (const void *)match->data;
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ printf(" --transparent");
+ if (info->flags & XT_SOCKET_NOWILDCARD)
+ printf(" --nowildcard");
+}
+
+static void
+socket_mt_print_v2(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ printf(" socket");
+ socket_mt_save_v2(ip, match);
+}
+
 static struct xtables_match socket_mt_reg[] = {
 {
 .name = "socket",
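Review bot: The `--nowildcard` help line in socket_mt_help_v2 describes only the IPv4 wildcard (`INADDR_ANY`), while the revision 2 entry added later in this commit is registered with `.family = NFPROTO_UNSPEC`, so the option presumably also governs IPv6 listeners bound to `in6addr_any`; the man page in this commit says "'any' address", which is family-neutral. Suggest wording the help the same way, e.g. `" --nowildcard Do not ignore LISTEN sockets bound to the wildcard (any) address\n"`, and keeping the `socket match options:` header and the `--transparent` line as they are. Since the man text states the option has security implications, a short hint to that effect in the help line would also help operators who never read the man page.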
@@ -74,6 +123,19 @@ static struct xtables_match socket_mt_reg[] = {
 .x6_parse = socket_mt_parse,
 .x6_options = socket_mt_opts,
 },
+ {
+ .name = "socket",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .help = socket_mt_help_v2,
+ .print = socket_mt_print_v2,
+ .save = socket_mt_save_v2,
+ .x6_parse = socket_mt_parse_v2,
+ .x6_options = socket_mt_opts_v2,
+ },
 };
 void _init(void)
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 41e8d674..2ef32cec 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,5 +1,22 @@
-This matches if an open socket can be found by doing a socket lookup on the
-packet.
+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
+packet. It matches if there is an established or non\-zero bound listening
+socket (possibly with a non\-local address). The lookup is performed using
+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
+\fBembedded\fP in an ICMP/ICPMv6 error packet.
 .TP
 \fB\-\-transparent\fP
 Ignore non-transparent sockets.
+.TP
+\fB\-\-nowildcard\fP
+Do not ignore sockets bound to 'any' address.
+The socket match won't accept zero\-bound listeners by default, since
+then local services could intercept traffic that would otherwise be forwarded.
+This option therefore has security implications when used to match traffic being
+forwarded to redirect such packets to local machine with policy routing.
+When using the socket match to implement fully transparent
+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
+option instead.
+.PP
+Example (assuming packets with mark 1 are delivered locally):
+.IP
+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1 |
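Review bot: The new revision 2 entry is registered under the same `.name = "socket"` with no comment on how it differs from revision 1, yet the man page added in this commit states that the match now ignores zero-bound listeners unless `--nowildcard` is given. If xtables prefers the newest revision the kernel supports, an unchanged `-m socket` rule presumably changes what it matches once the kernel provides xt_socket revision 2; that is inferred from the option's name and the man text rather than from lines on this page, so confirm against the kernel side. Suggest a comment above the new entry such as `/* rev 2: wildcard (zero-bound) listeners are ignored unless XT_SOCKET_NOWILDCARD is set, so existing rules may match differently once the kernel supports this revision */`. The `socket_mt_reg` array begins before this hunk and `_init` continues past it.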