/*
 * Shared library add-on to iptables to add early socket matching support.
 *
 * Copyright (C) 2007 BalaBit IT Ltd.
 */
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_socket.h>

/*
 * Option identifiers for the revision-1 "socket" match.  Revision 0 (see
 * socket_mt_reg below) carries no match data and therefore takes no options.
 */
enum {
	O_TRANSPARENT = 0,
};

/*
 * Option table handed to the xtables option parser.  "--transparent" takes
 * no argument (XTTYPE_NONE); its only effect is a flag bit in the kernel
 * match info (see socket_mt_parse).
 */
static const struct xt_option_entry socket_mt_opts[] = {
	{.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
	XTOPT_TABLEEND,
};

/* Print the usage text for the revision-1 match to stdout. */
static void socket_mt_help(void)
{
	fputs("socket match options:\n"
	      "  --transparent    Ignore non-transparent sockets\n\n",
	      stdout);
}

/*
 * Callback invoked once per recognised command-line option.
 *
 * @cb: parser state; cb->data points at the xt_socket_mtinfo1 block that is
 *      later copied to the kernel, cb->entry at the matched option entry.
 *
 * "--transparent" sets XT_SOCKET_TRANSPARENT so that, per the help text,
 * sockets which are not transparent are ignored by the match.
 */
static void socket_mt_parse(struct xt_option_call *cb)
{
	struct xt_socket_mtinfo1 *mtinfo = cb->data;

	xtables_option_parse(cb);
	if (cb->entry->id == O_TRANSPARENT)
		mtinfo->flags |= XT_SOCKET_TRANSPARENT;
}

/*
 * Emit the match's options in iptables-save syntax (leading space, no
 * trailing newline).  @ip is part of the xtables callback signature and is
 * not used here.
 */
static void
socket_mt_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_socket_mtinfo1 *mtinfo =
		(const struct xt_socket_mtinfo1 *)match->data;

	if (mtinfo->flags & XT_SOCKET_TRANSPARENT)
		fputs(" --transparent", stdout);
}

/*
 * Emit the match for rule listing: the match name followed by the same
 * option text that socket_mt_save produces.  @numeric has no effect because
 * nothing this match prints is resolvable to a name.
 */
static void
socket_mt_print(const void *ip, const struct xt_entry_match *match,
                int numeric)
{
	fputs(" socket", stdout);
	socket_mt_save(ip, match);
}

/*
 * Match registrations.
 *
 * Revision 0: IPv4 only, zero-length match data, no options and no
 * print/save/help callbacks - it simply matches on the presence of a socket.
 *
 * Revision 1: family-independent (NFPROTO_UNSPEC); its match data is a
 * struct xt_socket_mtinfo1 holding the flags set by socket_mt_parse.
 */
static struct xtables_match socket_mt_reg[] = {
	{
		.name          = "socket",
		.revision      = 0,
		.family        = NFPROTO_IPV4,
		.version       = XTABLES_VERSION,
		.size          = XT_ALIGN(0),
		.userspacesize = XT_ALIGN(0),
	},
	{
		.name          = "socket",
		.revision      = 1,
		.family        = NFPROTO_UNSPEC,
		.version       = XTABLES_VERSION,
		.size          = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
		.userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
		.help          = socket_mt_help,
		.print         = socket_mt_print,
		.save          = socket_mt_save,
		.x6_parse      = socket_mt_parse,
		.x6_options    = socket_mt_opts,
	},
};

/* Shared-object entry point: register both revisions with libxtables. */
void _init(void)
{
	xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}