Diffstat (limited to 'extensions')
-rw-r--r--extensions/libxt_NFQUEUE.man13
-rw-r--r--extensions/libxt_socket.c62
-rw-r--r--extensions/libxt_socket.man21
3 files changed, 88 insertions, 8 deletions
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 7a991291..1bfb7b84 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -1,11 +1,12 @@
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
+This target passes the packet to userspace using the
+\fBnfnetlink_queue\fP handler. The packet is put into the queue
+identified by its 16-bit queue number. Userspace can inspect
+and modify the packet if desired. Userspace must then drop or
+reinject the packet into the kernel. Please see libnetfilter_queue
+for details.
.B
nfnetlink_queue
-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
\fBqueue-bypass\fP in 2.6.39.
.TP
\fB\-\-queue\-num\fP \fIvalue\fP
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 39016493..f19c2804 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -9,6 +9,7 @@
enum {
O_TRANSPARENT = 0,
+ O_NOWILDCARD = 1,
};
static const struct xt_option_entry socket_mt_opts[] = {
@@ -16,6 +17,12 @@ static const struct xt_option_entry socket_mt_opts[] = {
XTOPT_TABLEEND,
};
+static const struct xt_option_entry socket_mt_opts_v2[] = {
+ {.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
+ {.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
static void socket_mt_help(void)
{
printf(
@@ -23,6 +30,14 @@ static void socket_mt_help(void)
" --transparent Ignore non-transparent sockets\n\n");
}
+static void socket_mt_help_v2(void)
+{
+ printf(
+ "socket match options:\n"
+ " --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n"
+ " --transparent Ignore non-transparent sockets\n\n");
+}
+
static void socket_mt_parse(struct xt_option_call *cb)
{
struct xt_socket_mtinfo1 *info = cb->data;
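Review bot: The `--nowildcard` line in socket_mt_help_v2 says what the option does but not that it widens the match to listeners bound on the wildcard address, which the man page hunk in this same commit describes as having security implications for forwarded traffic. Since `-m socket --help` is often the only text an operator sees, I would carry a short hint across, e.g. keep `"  --nowildcard  Do not ignore LISTEN sockets bound on INADDR_ANY\n"` and add a continuation line `"                (wider match, see the man page for the security notes)\n"` before the `--transparent` line. The v1 help text is left unchanged, which is fine since it has no such option.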
@@ -35,6 +50,21 @@ static void socket_mt_parse(struct xt_option_call *cb)
}
}
+static void socket_mt_parse_v2(struct xt_option_call *cb)
+{
+ struct xt_socket_mtinfo2 *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TRANSPARENT:
+ info->flags |= XT_SOCKET_TRANSPARENT;
+ break;
+ case O_NOWILDCARD:
+ info->flags |= XT_SOCKET_NOWILDCARD;
+ break;
+ }
+}
+
static void
socket_mt_save(const void *ip, const struct xt_entry_match *match)
{
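Review bot: The switch in socket_mt_parse_v2 has no `default:` arm; with the v2 option table limited to the two ids this is harmless, but an explicit `default: break;` documents that any other id is intentionally ignored and keeps the switch tidy if the enum grows. The v1 socket_mt_parse body is only partly visible here, so I cannot tell whether this mirrors its shape. Also worth a one-line comment above the function, such as `/* Revision 2 parser: same as v1 plus --nowildcard (XT_SOCKET_NOWILDCARD). */`, so the relationship between the two parsers is clear to the next reader.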
@@ -52,6 +82,25 @@ socket_mt_print(const void *ip, const struct xt_entry_match *match,
socket_mt_save(ip, match);
}
+static void
+socket_mt_save_v2(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo2 *info = (const void *)match->data;
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ printf(" --transparent");
+ if (info->flags & XT_SOCKET_NOWILDCARD)
+ printf(" --nowildcard");
+}
+
+static void
+socket_mt_print_v2(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ printf(" socket");
+ socket_mt_save_v2(ip, match);
+}
+
static struct xtables_match socket_mt_reg[] = {
{
.name = "socket",
@@ -74,6 +123,19 @@ static struct xtables_match socket_mt_reg[] = {
.x6_parse = socket_mt_parse,
.x6_options = socket_mt_opts,
},
+ {
+ .name = "socket",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .help = socket_mt_help_v2,
+ .print = socket_mt_print_v2,
+ .save = socket_mt_save_v2,
+ .x6_parse = socket_mt_parse_v2,
+ .x6_options = socket_mt_opts_v2,
+ },
};
void _init(void)
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 41e8d674..2ef32cec 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,5 +1,22 @@
-This matches if an open socket can be found by doing a socket lookup on the
-packet.
+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
+packet. It matches if there is an established or non\-zero bound listening
+socket (possibly with a non\-local address). The lookup is performed using
+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
+\fBembedded\fP in an ICMP/ICPMv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non-transparent sockets.
+.TP
+\fB\-\-nowildcard\fP
+Do not ignore sockets bound to 'any' address.
+The socket match won't accept zero\-bound listeners by default, since
+then local services could intercept traffic that would otherwise be forwarded.
+This option therefore has security implications when used to match traffic being
+forwarded to redirect such packets to local machine with policy routing.
+When using the socket match to implement fully transparent
+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
+option instead.
+.PP
+Example (assuming packets with mark 1 are delivered locally):
+.IP
+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1