11 files changed, 237 insertions, 194 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index b87e83a5e070..1e6900278318 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -26,6 +26,7 @@ header-y += xt_limit.h
 header-y += xt_mac.h
 header-y += xt_mark.h
 header-y += xt_multiport.h
+header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_policy.h
 header-y += xt_realm.h
diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h
new file mode 100644
index 000000000000..eacd34efebd5
--- /dev/null
+++ b/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,16 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+enum {
+        XT_OWNER_UID    = 1 << 0,
+        XT_OWNER_GID    = 1 << 1,
+        XT_OWNER_SOCKET = 1 << 2,
+};
+struct xt_owner_match_info {
+        u_int32_t uid;
+        u_int32_t gid;
+        u_int8_t match, invert;
+};
+#endif /* _XT_OWNER_MATCH_H */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9aca9c55687c..6c563d908c78 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -111,15 +111,6 @@ config IP_NF_MATCH_TTL
          To compile it as a module, choose M here.  If unsure, say N.
-config IP_NF_MATCH_OWNER
-        tristate "Owner match support"
-        depends on IP_NF_IPTABLES
-        help
-          Packet owner matching allows you to match locally-generated packets
-          based on who created them: the user, group, process or session.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_MATCH_ADDRTYPE
        tristate  'address type match support'
        depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 7456833d6ade..42199e93b86c 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
-obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
deleted file mode 100644
index 4f1aa897d4b0..000000000000
--- a/net/ipv4/netfilter/ipt_owner.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Kernel module to match various things tied to sockets associated with
-   locally generated outgoing packets. */
-/* (C) 2000 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/file.h>
-#include <linux/rcupdate.h>
-#include <net/sock.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter/x_tables.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables owner match");
-static bool
-owner_mt(const struct sk_buff *skb, const struct net_device *in,
-         const struct net_device *out, const struct xt_match *match,
-         const void *matchinfo, int offset, unsigned int protoff,
-         bool *hotdrop)
-{
-        const struct ipt_owner_info *info = matchinfo;
-        if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
-                return false;
-        if(info->match & IPT_OWNER_UID) {
-                if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
-                    !!(info->invert & IPT_OWNER_UID))
-                        return false;
-        }
-        if(info->match & IPT_OWNER_GID) {
-                if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
-                    !!(info->invert & IPT_OWNER_GID))
-                        return false;
-        }
-        return true;
-}
-static bool
-owner_mt_check(const char *tablename, const void *ip,
-               const struct xt_match *match, void *matchinfo,
-               unsigned int hook_mask)
-{
-        const struct ipt_owner_info *info = matchinfo;
-        if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
-                printk("ipt_owner: pid, sid and command matching "
-                       "not supported anymore\n");
-                return false;
-        }
-        return true;
-}
-static struct xt_match owner_mt_reg __read_mostly = {
-        .name           = "owner",
-        .family         = AF_INET,
-        .match          = owner_mt,
-        .matchsize      = sizeof(struct ipt_owner_info),
-        .hooks          = (1 << NF_INET_LOCAL_OUT) |
-                          (1 << NF_INET_POST_ROUTING),
-        .checkentry     = owner_mt_check,
-        .me             = THIS_MODULE,
-};
-static int __init owner_mt_init(void)
-{
-        return xt_register_match(&owner_mt_reg);
-}
-static void __exit owner_mt_exit(void)
-{
-        xt_unregister_match(&owner_mt_reg);
-}
-module_init(owner_mt_init);
-module_exit(owner_mt_exit);
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 838b8ddee8c0..30d48529d988 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -89,15 +89,6 @@ config IP6_NF_MATCH_HL
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_OWNER
-        tristate "Owner match support"
-        depends on IP6_NF_IPTABLES
-        help
-          Packet owner matching allows you to match locally-generated packets
-          based on who created them: the user, group, process or session.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_MATCH_IPV6HEADER
        tristate "IPv6 Extension Headers Match"
        depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index e789ec44d23b..fbf2c14ed887 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -23,7 +23,6 @@ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
-obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 # targets
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c
deleted file mode 100644
index 6a52ed985166..000000000000
--- a/net/ipv6/netfilter/ip6t_owner.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Kernel module to match various things tied to sockets associated with
-   locally generated outgoing packets. */
-/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/file.h>
-#include <linux/rcupdate.h>
-#include <net/sock.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/x_tables.h>
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("IP6 tables owner matching module");
-MODULE_LICENSE("GPL");
-static bool
-owner_mt6(const struct sk_buff *skb, const struct net_device *in,
-          const struct net_device *out, const struct xt_match *match,
-          const void *matchinfo, int offset, unsigned int protoff,
-          bool *hotdrop)
-{
-        const struct ip6t_owner_info *info = matchinfo;
-        if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
-                return false;
-        if (info->match & IP6T_OWNER_UID)
-                if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
-                    !!(info->invert & IP6T_OWNER_UID))
-                        return false;
-        if (info->match & IP6T_OWNER_GID)
-                if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
-                    !!(info->invert & IP6T_OWNER_GID))
-                        return false;
-        return true;
-}
-static bool
-owner_mt6_check(const char *tablename, const void *ip,
-                const struct xt_match *match, void *matchinfo,
-                unsigned int hook_mask)
-{
-        const struct ip6t_owner_info *info = matchinfo;
-        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
-                printk("ipt_owner: pid and sid matching "
-                       "not supported anymore\n");
-                return false;
-        }
-        return true;
-}
-static struct xt_match owner_mt6_reg __read_mostly = {
-        .name           = "owner",
-        .family         = AF_INET6,
-        .match          = owner_mt6,
-        .matchsize      = sizeof(struct ip6t_owner_info),
-        .hooks          = (1 << NF_INET_LOCAL_OUT) |
-                          (1 << NF_INET_POST_ROUTING),
-        .checkentry     = owner_mt6_check,
-        .me             = THIS_MODULE,
-};
-static int __init owner_mt6_init(void)
-{
-        return xt_register_match(&owner_mt6_reg);
-}
-static void __exit owner_mt6_exit(void)
-{
-        xt_unregister_match(&owner_mt6_reg);
-}
-module_init(owner_mt6_init);
-module_exit(owner_mt6_exit);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 693f861a03b4..4bc0552b75fd 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -554,6 +554,14 @@ config NETFILTER_XT_MATCH_MARK
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_MATCH_OWNER
+        tristate '"owner" match support'
+        depends on NETFILTER_XTABLES
+        ---help---
+        Socket owner matching allows you to match locally-generated packets
+        based on who created the socket: the user or group. It is also
+        possible to check whether a socket actually exists.
 config NETFILTER_XT_MATCH_POLICY
        tristate 'IPsec "policy" match support'
        depends on NETFILTER_XTABLES && XFRM
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 7763dea17be4..28f59a35aeef 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
new file mode 100644
index 000000000000..4222fa2c1b14
--- /dev/null
+++ b/net/netfilter/xt_owner.c
@@ -0,0 +1,211 @@
+/*
+ * Kernel module to match various things tied to sockets associated with
+ * locally generated outgoing packets.
+ *
+ * (C) 2000 Marc Boucher <marc@mbsi.ca>
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_owner.h>
+#include <linux/netfilter_ipv4/ipt_owner.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+static bool
+owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+            const struct net_device *out, const struct xt_match *match,
+            const void *matchinfo, int offset, unsigned int protoff,
+            bool *hotdrop)
+{
+        const struct ipt_owner_info *info = matchinfo;
+        const struct file *filp;
+        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+                return false;
+        filp = skb->sk->sk_socket->file;
+        if (filp == NULL)
+                return false;
+        if (info->match & IPT_OWNER_UID)
+                if ((filp->f_uid != info->uid) ^
+                    !!(info->invert & IPT_OWNER_UID))
+                        return false;
+        if (info->match & IPT_OWNER_GID)
+                if ((filp->f_gid != info->gid) ^
+                    !!(info->invert & IPT_OWNER_GID))
+                        return false;
+        return true;
+}
+static bool
+owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
+             const struct net_device *out, const struct xt_match *match,
+             const void *matchinfo, int offset, unsigned int protoff,
+             bool *hotdrop)
+{
+        const struct ip6t_owner_info *info = matchinfo;
+        const struct file *filp;
+        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+                return false;
+        filp = skb->sk->sk_socket->file;
+        if (filp == NULL)
+                return false;
+        if (info->match & IP6T_OWNER_UID)
+                if ((filp->f_uid != info->uid) ^
+                    !!(info->invert & IP6T_OWNER_UID))
+                        return false;
+        if (info->match & IP6T_OWNER_GID)
+                if ((filp->f_gid != info->gid) ^
+                    !!(info->invert & IP6T_OWNER_GID))
+                        return false;
+        return true;
+}
+static bool
+owner_mt(const struct sk_buff *skb, const struct net_device *in,
+         const struct net_device *out, const struct xt_match *match,
+         const void *matchinfo, int offset, unsigned int protoff,
+         bool *hotdrop)
+{
+        const struct xt_owner_match_info *info = matchinfo;
+        const struct file *filp;
+        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+                return (info->match ^ info->invert) == 0;
+        else if (info->match & info->invert & XT_OWNER_SOCKET)
+                /*
+                 * Socket exists but user wanted ! --socket-exists.
+                 * (Single ampersands intended.)
+                 */
+                return false;
+        filp = skb->sk->sk_socket->file;
+        if (filp == NULL)
+                return ((info->match ^ info->invert) &
+                       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
+        if (info->match & XT_OWNER_UID)
+                if ((filp->f_uid != info->uid) ^
+                    !!(info->invert & XT_OWNER_UID))
+                        return false;
+        if (info->match & XT_OWNER_GID)
+                if ((filp->f_gid != info->gid) ^
+                    !!(info->invert & XT_OWNER_GID))
+                        return false;
+        return true;
+}
+static bool
+owner_mt_check_v0(const char *tablename, const void *ip,
+                  const struct xt_match *match, void *matchinfo,
+                  unsigned int hook_mask)
+{
+        const struct ipt_owner_info *info = matchinfo;
+        if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
+                printk(KERN_WARNING KBUILD_MODNAME
+                       ": PID, SID and command matching is not "
+                       "supported anymore\n");
+                return false;
+        }
+        return true;
+}
+static bool
+owner_mt6_check_v0(const char *tablename, const void *ip,
+                   const struct xt_match *match, void *matchinfo,
+                   unsigned int hook_mask)
+{
+        const struct ip6t_owner_info *info = matchinfo;
+        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
+                printk(KERN_WARNING KBUILD_MODNAME
+                       ": PID and SID matching is not supported anymore\n");
+                return false;
+        }
+        return true;
+}
+static struct xt_match owner_mt_reg[] __read_mostly = {
+        {
+                .name       = "owner",
+                .revision   = 0,
+                .family     = AF_INET,
+                .match      = owner_mt_v0,
+                .matchsize  = sizeof(struct ipt_owner_info),
+                .checkentry = owner_mt_check_v0,
+                .hooks      = (1 << NF_INET_LOCAL_OUT) |
+                              (1 << NF_INET_POST_ROUTING),
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "owner",
+                .revision   = 0,
+                .family     = AF_INET6,
+                .match      = owner_mt6_v0,
+                .matchsize  = sizeof(struct ip6t_owner_info),
+                .checkentry = owner_mt6_check_v0,
+                .hooks      = (1 << NF_INET_LOCAL_OUT) |
+                              (1 << NF_INET_POST_ROUTING),
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "owner",
+                .revision   = 1,
+                .family     = AF_INET,
+                .match      = owner_mt,
+                .matchsize  = sizeof(struct xt_owner_match_info),
+                .hooks      = (1 << NF_INET_LOCAL_OUT) |
+                              (1 << NF_INET_POST_ROUTING),
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "owner",
+                .revision   = 1,
+                .family     = AF_INET6,
+                .match      = owner_mt,
+                .matchsize  = sizeof(struct xt_owner_match_info),
+                .hooks      = (1 << NF_INET_LOCAL_OUT) |
+                              (1 << NF_INET_POST_ROUTING),
+                .me         = THIS_MODULE,
+        },
+};
+static int __init owner_mt_init(void)
+{
+        return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}
+static void __exit owner_mt_exit(void)
+{
+        xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}
+module_init(owner_mt_init);
+module_exit(owner_mt_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_DESCRIPTION("netfilter \"owner\" match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_owner");
+MODULE_ALIAS("ip6t_owner");

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index b87e83a5e070..1e6900278318 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild
@@ -26,6 +26,7 @@ header-y += xt_limit.h
26	header-y += xt_mac.h	26	header-y += xt_mac.h
27	header-y += xt_mark.h	27	header-y += xt_mark.h
28	header-y += xt_multiport.h	28	header-y += xt_multiport.h
		29	header-y += xt_owner.h
29	header-y += xt_pkttype.h	30	header-y += xt_pkttype.h
30	header-y += xt_policy.h	31	header-y += xt_policy.h
31	header-y += xt_realm.h	32	header-y += xt_realm.h


diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h new file mode 100644 index 000000000000..eacd34efebd5 --- /dev/null +++ b/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,16 @@
		1	#ifndef _XT_OWNER_MATCH_H
		2	#define _XT_OWNER_MATCH_H
		3
		4	enum {
		5	XT_OWNER_UID = 1 << 0,
		6	XT_OWNER_GID = 1 << 1,
		7	XT_OWNER_SOCKET = 1 << 2,
		8	};
		9
		10	struct xt_owner_match_info {
		11	u_int32_t uid;
		12	u_int32_t gid;
		13	u_int8_t match, invert;
		14	};
		15
		16	#endif /* _XT_OWNER_MATCH_H */


diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 9aca9c55687c..6c563d908c78 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -111,15 +111,6 @@ config IP_NF_MATCH_TTL
111		111
112	To compile it as a module, choose M here. If unsure, say N.	112	To compile it as a module, choose M here. If unsure, say N.
113		113
114	config IP_NF_MATCH_OWNER
115	tristate "Owner match support"
116	depends on IP_NF_IPTABLES
117	help
118	Packet owner matching allows you to match locally-generated packets
119	based on who created them: the user, group, process or session.
120
121	To compile it as a module, choose M here. If unsure, say N.
122
123	config IP_NF_MATCH_ADDRTYPE	114	config IP_NF_MATCH_ADDRTYPE
124	tristate 'address type match support'	115	tristate 'address type match support'
125	depends on IP_NF_IPTABLES	116	depends on IP_NF_IPTABLES


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 7456833d6ade..42199e93b86c 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
45	obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o	45	obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
46	obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o	46	obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
47	obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o	47	obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
48	obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
49	obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o	48	obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
50	obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o	49	obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
51	obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o	50	obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o


diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c deleted file mode 100644 index 4f1aa897d4b0..000000000000 --- a/net/ipv4/netfilter/ipt_owner.c +++ /dev/null
@@ -1,87 +0,0 @@
1	/* Kernel module to match various things tied to sockets associated with
2	locally generated outgoing packets. */
3
4	/* (C) 2000 Marc Boucher <marc@mbsi.ca>
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License version 2 as
8	* published by the Free Software Foundation.
9	*/
10
11	#include <linux/module.h>
12	#include <linux/skbuff.h>
13	#include <linux/file.h>
14	#include <linux/rcupdate.h>
15	#include <net/sock.h>
16
17	#include <linux/netfilter_ipv4/ipt_owner.h>
18	#include <linux/netfilter/x_tables.h>
19
20	MODULE_LICENSE("GPL");
21	MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
22	MODULE_DESCRIPTION("iptables owner match");
23
24	static bool
25	owner_mt(const struct sk_buff skb, const struct net_device in,
26	const struct net_device out, const struct xt_match match,
27	const void *matchinfo, int offset, unsigned int protoff,
28	bool *hotdrop)
29	{
30	const struct ipt_owner_info *info = matchinfo;
31
32	if (!skb->sk \|\| !skb->sk->sk_socket \|\| !skb->sk->sk_socket->file)
33	return false;
34
35	if(info->match & IPT_OWNER_UID) {
36	if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
37	!!(info->invert & IPT_OWNER_UID))
38	return false;
39	}
40
41	if(info->match & IPT_OWNER_GID) {
42	if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
43	!!(info->invert & IPT_OWNER_GID))
44	return false;
45	}
46
47	return true;
48	}
49
50	static bool
51	owner_mt_check(const char tablename, const void ip,
52	const struct xt_match match, void matchinfo,
53	unsigned int hook_mask)
54	{
55	const struct ipt_owner_info *info = matchinfo;
56
57	if (info->match & (IPT_OWNER_PID\|IPT_OWNER_SID\|IPT_OWNER_COMM)) {
58	printk("ipt_owner: pid, sid and command matching "
59	"not supported anymore\n");
60	return false;
61	}
62	return true;
63	}
64
65	static struct xt_match owner_mt_reg __read_mostly = {
66	.name = "owner",
67	.family = AF_INET,
68	.match = owner_mt,
69	.matchsize = sizeof(struct ipt_owner_info),
70	.hooks = (1 << NF_INET_LOCAL_OUT) \|
71	(1 << NF_INET_POST_ROUTING),
72	.checkentry = owner_mt_check,
73	.me = THIS_MODULE,
74	};
75
76	static int __init owner_mt_init(void)
77	{
78	return xt_register_match(&owner_mt_reg);
79	}
80
81	static void __exit owner_mt_exit(void)
82	{
83	xt_unregister_match(&owner_mt_reg);
84	}
85
86	module_init(owner_mt_init);
87	module_exit(owner_mt_exit);


diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 838b8ddee8c0..30d48529d988 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -89,15 +89,6 @@ config IP6_NF_MATCH_HL
89		89
90	To compile it as a module, choose M here. If unsure, say N.	90	To compile it as a module, choose M here. If unsure, say N.
91		91
92	config IP6_NF_MATCH_OWNER
93	tristate "Owner match support"
94	depends on IP6_NF_IPTABLES
95	help
96	Packet owner matching allows you to match locally-generated packets
97	based on who created them: the user, group, process or session.
98
99	To compile it as a module, choose M here. If unsure, say N.
100
101	config IP6_NF_MATCH_IPV6HEADER	92	config IP6_NF_MATCH_IPV6HEADER
102	tristate "IPv6 Extension Headers Match"	93	tristate "IPv6 Extension Headers Match"
103	depends on IP6_NF_IPTABLES	94	depends on IP6_NF_IPTABLES


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index e789ec44d23b..fbf2c14ed887 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -23,7 +23,6 @@ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
23	obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o	23	obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
24	obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o	24	obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
25	obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o	25	obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
26	obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
27	obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o	26	obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
28		27
29	# targets	28	# targets


diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c deleted file mode 100644 index 6a52ed985166..000000000000 --- a/net/ipv6/netfilter/ip6t_owner.c +++ /dev/null
@@ -1,87 +0,0 @@
1	/* Kernel module to match various things tied to sockets associated with
2	locally generated outgoing packets. */
3
4	/* (C) 2000-2001 Marc Boucher <marc@mbsi.ca>
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License version 2 as
8	* published by the Free Software Foundation.
9	*/
10
11	#include <linux/module.h>
12	#include <linux/skbuff.h>
13	#include <linux/file.h>
14	#include <linux/rcupdate.h>
15	#include <net/sock.h>
16
17	#include <linux/netfilter_ipv6/ip6t_owner.h>
18	#include <linux/netfilter_ipv6/ip6_tables.h>
19	#include <linux/netfilter/x_tables.h>
20
21	MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
22	MODULE_DESCRIPTION("IP6 tables owner matching module");
23	MODULE_LICENSE("GPL");
24
25
26	static bool
27	owner_mt6(const struct sk_buff skb, const struct net_device in,
28	const struct net_device out, const struct xt_match match,
29	const void *matchinfo, int offset, unsigned int protoff,
30	bool *hotdrop)
31	{
32	const struct ip6t_owner_info *info = matchinfo;
33
34	if (!skb->sk \|\| !skb->sk->sk_socket \|\| !skb->sk->sk_socket->file)
35	return false;
36
37	if (info->match & IP6T_OWNER_UID)
38	if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
39	!!(info->invert & IP6T_OWNER_UID))
40	return false;
41
42	if (info->match & IP6T_OWNER_GID)
43	if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
44	!!(info->invert & IP6T_OWNER_GID))
45	return false;
46
47	return true;
48	}
49
50	static bool
51	owner_mt6_check(const char tablename, const void ip,
52	const struct xt_match match, void matchinfo,
53	unsigned int hook_mask)
54	{
55	const struct ip6t_owner_info *info = matchinfo;
56
57	if (info->match & (IP6T_OWNER_PID \| IP6T_OWNER_SID)) {
58	printk("ipt_owner: pid and sid matching "
59	"not supported anymore\n");
60	return false;
61	}
62	return true;
63	}
64
65	static struct xt_match owner_mt6_reg __read_mostly = {
66	.name = "owner",
67	.family = AF_INET6,
68	.match = owner_mt6,
69	.matchsize = sizeof(struct ip6t_owner_info),
70	.hooks = (1 << NF_INET_LOCAL_OUT) \|
71	(1 << NF_INET_POST_ROUTING),
72	.checkentry = owner_mt6_check,
73	.me = THIS_MODULE,
74	};
75
76	static int __init owner_mt6_init(void)
77	{
78	return xt_register_match(&owner_mt6_reg);
79	}
80
81	static void __exit owner_mt6_exit(void)
82	{
83	xt_unregister_match(&owner_mt6_reg);
84	}
85
86	module_init(owner_mt6_init);
87	module_exit(owner_mt6_exit);


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 693f861a03b4..4bc0552b75fd 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -554,6 +554,14 @@ config NETFILTER_XT_MATCH_MARK
554		554
555	To compile it as a module, choose M here. If unsure, say N.	555	To compile it as a module, choose M here. If unsure, say N.
556		556
		557	config NETFILTER_XT_MATCH_OWNER
		558	tristate '"owner" match support'
		559	depends on NETFILTER_XTABLES
		560	---help---
		561	Socket owner matching allows you to match locally-generated packets
		562	based on who created the socket: the user or group. It is also
		563	possible to check whether a socket actually exists.
		564
557	config NETFILTER_XT_MATCH_POLICY	565	config NETFILTER_XT_MATCH_POLICY
558	tristate 'IPsec "policy" match support'	566	tristate 'IPsec "policy" match support'
559	depends on NETFILTER_XTABLES && XFRM	567	depends on NETFILTER_XTABLES && XFRM


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 7763dea17be4..28f59a35aeef 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -67,6 +67,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
67	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o	67	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
68	obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o	68	obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
69	obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o	69	obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
		70	obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
70	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o	71	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
71	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o	72	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
72	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o	73	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o


diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c new file mode 100644 index 000000000000..4222fa2c1b14 --- /dev/null +++ b/net/netfilter/xt_owner.c
@@ -0,0 +1,211 @@
		1	/*
		2	* Kernel module to match various things tied to sockets associated with
		3	* locally generated outgoing packets.
		4	*
		5	* (C) 2000 Marc Boucher <marc@mbsi.ca>
		6	*
		7	* Copyright © CC Computer Consultants GmbH, 2007
		8	* Contact: <jengelh@computergmbh.de>
		9	*
		10	* This program is free software; you can redistribute it and/or modify
		11	* it under the terms of the GNU General Public License version 2 as
		12	* published by the Free Software Foundation.
		13	*/
		14	#include <linux/module.h>
		15	#include <linux/skbuff.h>
		16	#include <linux/file.h>
		17	#include <net/sock.h>
		18	#include <linux/netfilter/x_tables.h>
		19	#include <linux/netfilter/xt_owner.h>
		20	#include <linux/netfilter_ipv4/ipt_owner.h>
		21	#include <linux/netfilter_ipv6/ip6t_owner.h>
		22
		23	static bool
		24	owner_mt_v0(const struct sk_buff skb, const struct net_device in,
		25	const struct net_device out, const struct xt_match match,
		26	const void *matchinfo, int offset, unsigned int protoff,
		27	bool *hotdrop)
		28	{
		29	const struct ipt_owner_info *info = matchinfo;
		30	const struct file *filp;
		31
		32	if (skb->sk == NULL \|\| skb->sk->sk_socket == NULL)
		33	return false;
		34
		35	filp = skb->sk->sk_socket->file;
		36	if (filp == NULL)
		37	return false;
		38
		39	if (info->match & IPT_OWNER_UID)
		40	if ((filp->f_uid != info->uid) ^
		41	!!(info->invert & IPT_OWNER_UID))
		42	return false;
		43
		44	if (info->match & IPT_OWNER_GID)
		45	if ((filp->f_gid != info->gid) ^
		46	!!(info->invert & IPT_OWNER_GID))
		47	return false;
		48
		49	return true;
		50	}
		51
		52	static bool
		53	owner_mt6_v0(const struct sk_buff skb, const struct net_device in,
		54	const struct net_device out, const struct xt_match match,
		55	const void *matchinfo, int offset, unsigned int protoff,
		56	bool *hotdrop)
		57	{
		58	const struct ip6t_owner_info *info = matchinfo;
		59	const struct file *filp;
		60
		61	if (skb->sk == NULL \|\| skb->sk->sk_socket == NULL)
		62	return false;
		63
		64	filp = skb->sk->sk_socket->file;
		65	if (filp == NULL)
		66	return false;
		67
		68	if (info->match & IP6T_OWNER_UID)
		69	if ((filp->f_uid != info->uid) ^
		70	!!(info->invert & IP6T_OWNER_UID))
		71	return false;
		72
		73	if (info->match & IP6T_OWNER_GID)
		74	if ((filp->f_gid != info->gid) ^
		75	!!(info->invert & IP6T_OWNER_GID))
		76	return false;
		77
		78	return true;
		79	}
		80
		81	static bool
		82	owner_mt(const struct sk_buff skb, const struct net_device in,
		83	const struct net_device out, const struct xt_match match,
		84	const void *matchinfo, int offset, unsigned int protoff,
		85	bool *hotdrop)
		86	{
		87	const struct xt_owner_match_info *info = matchinfo;
		88	const struct file *filp;
		89
		90	if (skb->sk == NULL \|\| skb->sk->sk_socket == NULL)
		91	return (info->match ^ info->invert) == 0;
		92	else if (info->match & info->invert & XT_OWNER_SOCKET)
		93	/*
		94	* Socket exists but user wanted ! --socket-exists.
		95	* (Single ampersands intended.)
		96	*/
		97	return false;
		98
		99	filp = skb->sk->sk_socket->file;
		100	if (filp == NULL)
		101	return ((info->match ^ info->invert) &
		102	(XT_OWNER_UID \| XT_OWNER_GID)) == 0;
		103
		104	if (info->match & XT_OWNER_UID)
		105	if ((filp->f_uid != info->uid) ^
		106	!!(info->invert & XT_OWNER_UID))
		107	return false;
		108
		109	if (info->match & XT_OWNER_GID)
		110	if ((filp->f_gid != info->gid) ^
		111	!!(info->invert & XT_OWNER_GID))
		112	return false;
		113
		114	return true;
		115	}
		116
		117	static bool
		118	owner_mt_check_v0(const char tablename, const void ip,
		119	const struct xt_match match, void matchinfo,
		120	unsigned int hook_mask)
		121	{
		122	const struct ipt_owner_info *info = matchinfo;
		123
		124	if (info->match & (IPT_OWNER_PID \| IPT_OWNER_SID \| IPT_OWNER_COMM)) {
		125	printk(KERN_WARNING KBUILD_MODNAME
		126	": PID, SID and command matching is not "
		127	"supported anymore\n");
		128	return false;
		129	}
		130
		131	return true;
		132	}
		133
		134	static bool
		135	owner_mt6_check_v0(const char tablename, const void ip,
		136	const struct xt_match match, void matchinfo,
		137	unsigned int hook_mask)
		138	{
		139	const struct ip6t_owner_info *info = matchinfo;
		140
		141	if (info->match & (IP6T_OWNER_PID \| IP6T_OWNER_SID)) {
		142	printk(KERN_WARNING KBUILD_MODNAME
		143	": PID and SID matching is not supported anymore\n");
		144	return false;
		145	}
		146
		147	return true;
		148	}
		149
		150	static struct xt_match owner_mt_reg[] __read_mostly = {
		151	{
		152	.name = "owner",
		153	.revision = 0,
		154	.family = AF_INET,
		155	.match = owner_mt_v0,
		156	.matchsize = sizeof(struct ipt_owner_info),
		157	.checkentry = owner_mt_check_v0,
		158	.hooks = (1 << NF_INET_LOCAL_OUT) \|
		159	(1 << NF_INET_POST_ROUTING),
		160	.me = THIS_MODULE,
		161	},
		162	{
		163	.name = "owner",
		164	.revision = 0,
		165	.family = AF_INET6,
		166	.match = owner_mt6_v0,
		167	.matchsize = sizeof(struct ip6t_owner_info),
		168	.checkentry = owner_mt6_check_v0,
		169	.hooks = (1 << NF_INET_LOCAL_OUT) \|
		170	(1 << NF_INET_POST_ROUTING),
		171	.me = THIS_MODULE,
		172	},
		173	{
		174	.name = "owner",
		175	.revision = 1,
		176	.family = AF_INET,
		177	.match = owner_mt,
		178	.matchsize = sizeof(struct xt_owner_match_info),
		179	.hooks = (1 << NF_INET_LOCAL_OUT) \|
		180	(1 << NF_INET_POST_ROUTING),
		181	.me = THIS_MODULE,
		182	},
		183	{
		184	.name = "owner",
		185	.revision = 1,
		186	.family = AF_INET6,
		187	.match = owner_mt,
		188	.matchsize = sizeof(struct xt_owner_match_info),
		189	.hooks = (1 << NF_INET_LOCAL_OUT) \|
		190	(1 << NF_INET_POST_ROUTING),
		191	.me = THIS_MODULE,
		192	},
		193	};
		194
		195	static int __init owner_mt_init(void)
		196	{
		197	return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
		198	}
		199
		200	static void __exit owner_mt_exit(void)
		201	{
		202	xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
		203	}
		204
		205	module_init(owner_mt_init);
		206	module_exit(owner_mt_exit);
		207	MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
		208	MODULE_DESCRIPTION("netfilter \"owner\" match module");
		209	MODULE_LICENSE("GPL");
		210	MODULE_ALIAS("ipt_owner");
		211	MODULE_ALIAS("ip6t_owner");