lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 10 Jan 2007 13:45:12 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	KOVACS Krisztian <hidden@...abit.hu>
CC:	netfilter-devel@...ts.netfilter.org, netdev@...r.kernel.org
Subject: Re: [PATCH/RFC 09/10] iptables TPROXY target

KOVACS Krisztian wrote:

> diff --git a/net/ipv4/netfilter/ipt_TPROXY.c b/net/ipv4/netfilter/ipt_TPROXY.c
> new file mode 100644
> index 0000000..6f64717
> --- /dev/null
> +++ b/net/ipv4/netfilter/ipt_TPROXY.c

> +static unsigned int
> +target(struct sk_buff **pskb,
> +       const struct net_device *in,
> +       const struct net_device *out,
> +       unsigned int hooknum,
> +       const struct xt_target *target,
> +       const void *targinfo)
> +{
> +	const struct iphdr *iph = (*pskb)->nh.iph;
> +	unsigned int verdict = NF_ACCEPT;
> +	struct sk_buff *skb = *pskb;
> +	struct udphdr _hdr, *hp;
> +	struct sock *sk;
> +
> +	/* TCP/UDP only */
> +	if ((iph->protocol != IPPROTO_TCP) &&
> +	    (iph->protocol != IPPROTO_UDP))
> +		return NF_ACCEPT;
> +
> +	if (in == NULL)
> +		return NF_ACCEPT;
> +
> +	if ((skb->dst != NULL) || (skb->ip_tproxy == 1))
> +		return NF_ACCEPT;
> +
> +	hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr);
> +	if (hp == NULL)
> +		return NF_DROP;
> +
> +	sk = ip_tproxy_get_sock(iph->protocol,
> +				iph->saddr, iph->daddr,
> +				hp->source, hp->dest, in);
> +	if (sk != NULL) {
> +		if (ip_tproxy_do_divert(skb, sk, 0, in) < 0)
> +			verdict = NF_DROP;
> +		sock_put(sk);

Missing time wait socket handling.

> +	}
> +
> +	return verdict;
> +}
> +
> +static int
> +checkentry(const char *tablename,
> +	   const void *e,
> +	   const struct xt_target *target,
> +           void *targinfo,
> +           unsigned int hook_mask)
> +{
> +	/* checks are now done by the x_tables core based on
> +	 * information specified in the ipt_target structure */
> +	return 1;
> +}

The function is optional, you can simply delete it.

> +
> +static struct ipt_target ipt_tproxy_reg = {
> +	.name		= "TPROXY",
> +	.target		= target,
> +	.targetsize	= sizeof(struct ipt_tproxy_target_info),
> +	.table		= "tproxy",
> +	.checkentry	= checkentry,
> +	.me		= THIS_MODULE,
> +};
> +
> +static int __init init(void)
> +{
> +	if (ipt_register_target(&ipt_tproxy_reg))
> +		return -EINVAL;

This should return the result of ipt_register_target.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ