KOVACS Krisztian wrote:
> diff --git a/net/ipv4/netfilter/ipt_TPROXY.c b/net/ipv4/netfilter/ipt_TPROXY.c
> new file mode 100644
> index 0000000..6f64717
> --- /dev/null
> +++ b/net/ipv4/netfilter/ipt_TPROXY.c
> +static unsigned int
> +target(struct sk_buff **pskb,
> + const struct net_device *in,
> + const struct net_device *out,
> + unsigned int hooknum,
> + const struct xt_target *target,
> + const void *targinfo)
> +{
> + const struct iphdr *iph = (*pskb)->nh.iph;
> + unsigned int verdict = NF_ACCEPT;
> + struct sk_buff *skb = *pskb;
> + struct udphdr _hdr, *hp;
> + struct sock *sk;
> +
> + /* TCP/UDP only */
> + if ((iph->protocol != IPPROTO_TCP) &&
> + (iph->protocol != IPPROTO_UDP))
> + return NF_ACCEPT;
> +
> + if (in == NULL)
> + return NF_ACCEPT;
> +
> + if ((skb->dst != NULL) || (skb->ip_tproxy == 1))
> + return NF_ACCEPT;
> +
> + hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr);
> + if (hp == NULL)
> + return NF_DROP;
> +
> + sk = ip_tproxy_get_sock(iph->protocol,
> + iph->saddr, iph->daddr,
> + hp->source, hp->dest, in);
> + if (sk != NULL) {
> + if (ip_tproxy_do_divert(skb, sk, 0, in) < 0)
> + verdict = NF_DROP;
> + sock_put(sk);

Missing time wait socket handling.

> + }
> +
> + return verdict;
> +}
> +
> +static int
> +checkentry(const char *tablename,
> + const void *e,
> + const struct xt_target *target,
> + void *targinfo,
> + unsigned int hook_mask)
> +{
> + /* checks are now done by the x_tables core based on
> + * information specified in the ipt_target structure */
> + return 1;
> +}

The function is optional, you can simply delete it.

> +
> +static struct ipt_target ipt_tproxy_reg = {
> + .name = "TPROXY",
> + .target = target,
> + .targetsize = sizeof(struct ipt_tproxy_target_info),
> + .table = "tproxy",
> + .checkentry = checkentry,
> + .me = THIS_MODULE,
> +};
> +
> +static int __init init(void)
> +{
> + if (ipt_register_target(&ipt_tproxy_reg))
> + return -EINVAL;

This should return the result of ipt_register_target.

- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
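Review bot: In `target()`, the ports are read at `iph->ihl * 4` without checking the fragment offset, so for a non-first fragment `hp->source` and `hp->dest` would be payload bytes, and the socket lookup and divert decision would rest on data the sender controls. Unless this table is guaranteed to see only defragmented packets (not visible in the quoted patch), a guard such as `if (iph->frag_off & htons(IP_OFFSET)) return NF_ACCEPT;` before the `skb_header_pointer()` call would avoid that; whether to accept or drop such fragments is a policy choice for the author. Reading a TCP header through `struct udphdr` works only because both protocols place the source and destination ports in the first four bytes, so a comment like `/* TCP and UDP share the port layout in the first 4 bytes */` next to `_hdr` would make the intent explicit. The quoted patch is trimmed, and `init()` continues outside the visible text.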