From patchwork Mon Jun 3 22:57:29 2013
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 248439
X-Patchwork-Delegate: pablo@netfilter.org
([2620:0:1000:3304:e06b:7d9d:8ff0:df1a]) by mx.google.com with ESMTPSA id l4sm2316670obh.7.2013.06.03.15.57.30 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Mon, 03 Jun 2013 15:57:31 -0700 (PDT) Message-ID: <1370300249.24311.190.camel@edumazet-glaptop> Subject: [PATCH nf-next] netfilter: xt_socket: add XT_SOCKET_NOWILDCARD flag From: Eric Dumazet To: Pablo Neira Ayuso Cc: netdev , netfilter-devel@vger.kernel.org, Jesper Dangaard Brouer , Patrick McHardy Date: Mon, 03 Jun 2013 15:57:29 -0700 X-Mailer: Evolution 3.2.3-0ubuntu6 Mime-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: Eric Dumazet xt_socket module can be a nice replacement to conntrack module in some cases (SYN filtering for example) But it lacks the ability to match the 3rd packet of TCP handshake (ACK coming from the client). Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism iptables -I INPUT -p tcp --syn -j SYN_CHAIN iptables -I INPUT -m socket -j ACCEPT Signed-off-by: Eric Dumazet Cc: Patrick McHardy Cc: Jesper Dangaard Brouer --- include/uapi/linux/netfilter/xt_socket.h | 1 + net/netfilter/xt_socket.c | 14 ++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h index 26d7217..be1994fb 100644 --- a/include/uapi/linux/netfilter/xt_socket.h +++ b/include/uapi/linux/netfilter/xt_socket.h @@ -5,6 +5,7 @@ enum { XT_SOCKET_TRANSPARENT = 1 << 0, + XT_SOCKET_NOWILDCARD = 1 << 1, }; struct xt_socket_mtinfo1 { diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index 0270424..9843314 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c 
@@ -163,8 +163,11 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par, bool wildcard; bool transparent = true; - /* Ignore sockets listening on INADDR_ANY */ - wildcard = (sk->sk_state != TCP_TIME_WAIT && + /* Ignore sockets listening on INADDR_ANY, + * unless XT_SOCKET_NOWILDCARD is set + */ + wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && + sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->inet_rcv_saddr == 0); /* Ignore non-transparent sockets, @@ -302,8 +305,11 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) bool wildcard; bool transparent = true; - /* Ignore sockets listening on INADDR_ANY */ - wildcard = (sk->sk_state != TCP_TIME_WAIT && + /* Ignore sockets listening on INADDR_ANY + * unless XT_SOCKET_NOWILDCARD is set + */ + wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && + sk->sk_state != TCP_TIME_WAIT && ipv6_addr_any(&inet6_sk(sk)->rcv_saddr)); /* Ignore non-transparent sockets,
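Review bot: the xt_socket.h hunk adds XT_SOCKET_NOWILDCARD as a new bit in the existing flags enum, and the .c hunks consume it from the existing revision-1 match info (struct xt_socket_mtinfo1, socket_mt6_v1), but nothing in the patch validates the flags value. Without a checkentry that rejects unknown bits, an iptables binary that knows the new flag will load silently on an older kernel that ignores it, and the rule will match more than the administrator asked for. The usual xtables approach is to introduce a new match revision (a struct xt_socket_mtinfo2 with a checkentry doing `if (info->flags & ~XT_SOCKET_FLAGS_V2) return -EINVAL;`) so that old kernels refuse the rule instead of ignoring the flag.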
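Review bot: in the socket_match() hunk, `info->flags` is now dereferenced unconditionally before the TIME_WAIT and inet_rcv_saddr tests, so every caller must pass a non-NULL info. If the revision-0 match (which carries no match info) reaches socket_match() with a NULL pointer, this will oops on the first matched packet; either guard the dereference (`!(info && (info->flags & XT_SOCKET_NOWILDCARD))`) or have the revision-0 wrapper pass a static zeroed struct xt_socket_mtinfo1 so the old behaviour is preserved.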
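Review bot: in the socket_mt6_v1() hunk the new comment drops the comma used in the IPv4 hunk ("INADDR_ANY unless ..." vs "INADDR_ANY, unless ...") and still says INADDR_ANY although the test below it is `ipv6_addr_any(&inet6_sk(sk)->rcv_saddr)`; suggest "Ignore sockets bound to the unspecified address (in6addr_any), unless XT_SOCKET_NOWILDCARD is set". The `!(info->flags & XT_SOCKET_NOWILDCARD) && sk->sk_state != TCP_TIME_WAIT` prefix is now duplicated verbatim between the IPv4 and IPv6 paths; a small static helper taking the info pointer and sk would keep the two from drifting apart in later changes.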