[packages/iptables.git] / iptables-owner-xid.patch

--- iptables-1.6.0/extensions/libxt_owner.c.orig	2016-04-09 22:02:13.847585590 +0900
+++ iptables-1.6.0/extensions/libxt_owner.c	2016-04-09 22:24:01.855632355 +0900
@@ -64,6 +64,8 @@
 	O_SESSION,
 	O_COMM,
 	O_SUPPL_GROUPS,
+	O_NID,
+	O_XID,
 };
 
 static void owner_mt_help_v0(void)
@@ -75,6 +77,8 @@
 "[!] --pid-owner processid    Match local PID\n"
 "[!] --sid-owner sessionid    Match local SID\n"
 "[!] --cmd-owner name         Match local command name\n"
+"[!] --nid-owner nid          Match local nid\n"
+"[!] --xid-owner xid          Match local xid\n"
 "NOTE: PID, SID and command matching are broken on SMP\n");
 }
 
@@ -86,6 +90,8 @@
 "[!] --gid-owner groupid      Match local GID\n"
 "[!] --pid-owner processid    Match local PID\n"
 "[!] --sid-owner sessionid    Match local SID\n"
+"[!] --nid-owner nid          Match local nid\n"
+"[!] --xid-owner xid          Match local xid\n"
 "NOTE: PID and SID matching are broken on SMP\n");
 }
 
@@ -112,6 +118,12 @@
 	 .max = INT_MAX},
 	{.name = "cmd-owner", .id = O_COMM, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, comm)},
+	{.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
+	 .max = INT_MAX},
+	{.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
+	 .max = INT_MAX},
 	XTOPT_TABLEEND,
 };
 #undef s
@@ -128,10 +140,17 @@
 	{.name = "sid-owner", .id = O_SESSION, .type = XTTYPE_UINT32,
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, sid),
 	 .max = INT_MAX},
+	{.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
+	 .max = INT_MAX},
+	{.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
+	 .max = INT_MAX},
 	XTOPT_TABLEEND,
 };
 #undef s
 
+#define s struct xt_owner_match_info
 static const struct xt_option_entry owner_mt_opts[] = {
 	{.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
@@ -139,8 +157,15 @@
 	{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
 	 .flags = XTOPT_INVERT},
 	{.name = "suppl-groups", .id = O_SUPPL_GROUPS, .type = XTTYPE_NONE},
+	{.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
+	 .max = INT_MAX},
+	{.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
+	 .max = INT_MAX},
 	XTOPT_TABLEEND,
 };
+#undef s
 
 static void owner_mt_parse_v0(struct xt_option_call *cb)
 {
@@ -186,6 +210,16 @@
 			info->invert |= IPT_OWNER_COMM;
 		info->match |= IPT_OWNER_COMM;
 		break;
+	case O_NID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_NID;
+		info->match |= IPT_OWNER_NID;
+		break;
+	case O_XID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_XID;
+		info->match |= IPT_OWNER_XID;
+		break;
 	}
 }
 
@@ -228,6 +262,16 @@
 			info->invert |= IP6T_OWNER_SID;
 		info->match |= IP6T_OWNER_SID;
 		break;
+	case O_NID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_NID;
+		info->match |= IPT_OWNER_NID;
+		break;
+	case O_XID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_XID;
+		info->match |= IPT_OWNER_XID;
+		break;
 	}
 }
 
@@ -283,6 +327,16 @@
 			xtables_param_act(XTF_BAD_VALUE, "owner", "--suppl-groups", "you need to use --gid-owner first");
 		info->match |= XT_OWNER_SUPPL_GROUPS;
 		break;
+	case O_NID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_NID;
+		info->match |= IPT_OWNER_NID;
+		break;
+	case O_XID:
+		if (cb->invert)
+			info->invert |= IPT_OWNER_XID;
+		info->match |= IPT_OWNER_XID;
+		break;
 	}
 }
 
@@ -340,6 +394,12 @@
 	case IPT_OWNER_COMM:
 		printf(" %.*s", (int)sizeof(info->comm), info->comm);
 		break;
+	case IPT_OWNER_NID:
+		printf("%u ", info->nid);
+		break;
+	case IPT_OWNER_XID:
+		printf("%u ", info->xid);
+		break;
 	}
 }
 
@@ -385,6 +445,12 @@
 	case IP6T_OWNER_SID:
 		printf(" %u", (unsigned int)info->sid);
 		break;
+	case IP6T_OWNER_NID:
+		printf("%u ", info->nid);
+		break;
+	case IP6T_OWNER_XID:
+		printf("%u ", info->xid);
+		break;
 	}
 }
 
@@ -430,6 +496,12 @@
 		}
 		printf(" %u", (unsigned int)info->gid_min);
 		break;
+	case XT_OWNER_NID:
+		printf("%u ", info->nid);
+		break;
+	case XT_OWNER_XID:
+		printf("%u ", info->xid);
+		break;
 	}
 }
 
@@ -444,6 +516,8 @@
 	owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
 	owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
 	owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
+	owner_mt_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
+	owner_mt_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
 }
 
 static void
@@ -456,6 +530,8 @@
 	owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
 	owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
 	owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+	owner_mt6_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
+	owner_mt6_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
 }
 
 static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
@@ -466,6 +542,8 @@
 	owner_mt_print_item(info, "owner UID match",     XT_OWNER_UID,          numeric);
 	owner_mt_print_item(info, "owner GID match",     XT_OWNER_GID,          numeric);
 	owner_mt_print_item(info, "incl. suppl. groups", XT_OWNER_SUPPL_GROUPS, numeric);
+	owner_mt_print_item(info, "owner NID match",     XT_OWNER_NID,          numeric);
+	owner_mt_print_item(info, "owner XID match",     XT_OWNER_XID,          numeric);
 }
 
 static void
@@ -478,6 +556,8 @@
 	owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
 	owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
 	owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
+	owner_mt_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
+	owner_mt_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
 }
 
 static void
@@ -489,6 +569,8 @@
 	owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
 	owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
 	owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+	owner_mt6_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
+	owner_mt6_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
 }
 
 static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
@@ -498,6 +580,8 @@
 	owner_mt_print_item(info, "--uid-owner",      XT_OWNER_UID,          true);
 	owner_mt_print_item(info, "--gid-owner",      XT_OWNER_GID,          true);
 	owner_mt_print_item(info, "--suppl-groups",   XT_OWNER_SUPPL_GROUPS, true);
+	owner_mt_print_item(info, "--nid-owner",      XT_OWNER_NID,          true);
+	owner_mt_print_item(info, "--xid-owner",      XT_OWNER_XID,          true);
 }
 
 static int
Commit	Line	Data
52cee3e3 JR	1	--- iptables-1.6.0/extensions/libxt_owner.c.orig 2016-04-09 22:02:13.847585590 +0900
	2	+++ iptables-1.6.0/extensions/libxt_owner.c 2016-04-09 22:24:01.855632355 +0900
	3	@@ -64,6 +64,8 @@
52cee3e3 JR	4	O_SESSION,
52cee3e3 JR	5	O_COMM,
f52fa132	6	O_SUPPL_GROUPS,
52cee3e3 JR	7	+ O_NID,
	8	+ O_XID,
	9	};
	10
	11	static void owner_mt_help_v0(void)
	12	@@ -75,6 +77,8 @@
	13	"[!] --pid-owner processid Match local PID\n"
	14	"[!] --sid-owner sessionid Match local SID\n"
	15	"[!] --cmd-owner name Match local command name\n"
	16	+"[!] --nid-owner nid Match local nid\n"
	17	+"[!] --xid-owner xid Match local xid\n"
	18	"NOTE: PID, SID and command matching are broken on SMP\n");
	19	}
	20
	21	@@ -86,6 +90,8 @@
	22	"[!] --gid-owner groupid Match local GID\n"
	23	"[!] --pid-owner processid Match local PID\n"
	24	"[!] --sid-owner sessionid Match local SID\n"
	25	+"[!] --nid-owner nid Match local nid\n"
	26	+"[!] --xid-owner xid Match local xid\n"
	27	"NOTE: PID and SID matching are broken on SMP\n");
	28	}
	29
	30	@@ -112,6 +118,12 @@
	31	.max = INT_MAX},
	32	{.name = "cmd-owner", .id = O_COMM, .type = XTTYPE_STRING,
	33	.flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, comm)},
	34	+ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
	35	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, nid),
	36	+ .max = INT_MAX},
	37	+ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
	38	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, xid),
	39	+ .max = INT_MAX},
	40	XTOPT_TABLEEND,
	41	};
	42	#undef s
	43	@@ -128,10 +140,17 @@
	44	{.name = "sid-owner", .id = O_SESSION, .type = XTTYPE_UINT32,
	45	.flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, sid),
	46	.max = INT_MAX},
	47	+ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
	48	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, nid),
	49	+ .max = INT_MAX},
	50	+ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
	51	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, xid),
	52	+ .max = INT_MAX},
	53	XTOPT_TABLEEND,
	54	};
	55	#undef s
	56
	57	+#define s struct xt_owner_match_info
	58	static const struct xt_option_entry owner_mt_opts[] = {
	59	{.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING,
	60	.flags = XTOPT_INVERT},
	61	@@ -139,8 +157,15 @@
52cee3e3 JR	62	{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
52cee3e3 JR	63	.flags = XTOPT_INVERT},
f52fa132	64	{.name = "suppl-groups", .id = O_SUPPL_GROUPS, .type = XTTYPE_NONE},
52cee3e3 JR	65	+ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
	66	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, nid),
	67	+ .max = INT_MAX},
	68	+ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
	69	+ .flags = XTOPT_INVERT \| XTOPT_PUT, XTOPT_POINTER(s, xid),
	70	+ .max = INT_MAX},
	71	XTOPT_TABLEEND,
	72	};
	73	+#undef s
	74
	75	static void owner_mt_parse_v0(struct xt_option_call *cb)
	76	{
	77	@@ -186,6 +210,16 @@
	78	info->invert \|= IPT_OWNER_COMM;
	79	info->match \|= IPT_OWNER_COMM;
	80	break;
	81	+ case O_NID:
	82	+ if (cb->invert)
	83	+ info->invert \|= IPT_OWNER_NID;
	84	+ info->match \|= IPT_OWNER_NID;
	85	+ break;
	86	+ case O_XID:
	87	+ if (cb->invert)
	88	+ info->invert \|= IPT_OWNER_XID;
	89	+ info->match \|= IPT_OWNER_XID;
	90	+ break;
	91	}
	92	}
	93
	94	@@ -228,6 +262,16 @@
	95	info->invert \|= IP6T_OWNER_SID;
	96	info->match \|= IP6T_OWNER_SID;
	97	break;
	98	+ case O_NID:
	99	+ if (cb->invert)
	100	+ info->invert \|= IPT_OWNER_NID;
	101	+ info->match \|= IPT_OWNER_NID;
	102	+ break;
	103	+ case O_XID:
	104	+ if (cb->invert)
	105	+ info->invert \|= IPT_OWNER_XID;
	106	+ info->match \|= IPT_OWNER_XID;
	107	+ break;
	108	}
	109	}
	110
	111	@@ -283,6 +327,16 @@
f52fa132 JR	112	xtables_param_act(XTF_BAD_VALUE, "owner", "--suppl-groups", "you need to use --gid-owner first");
f52fa132 JR	113	info->match \|= XT_OWNER_SUPPL_GROUPS;
52cee3e3 JR	114	break;
	115	+ case O_NID:
	116	+ if (cb->invert)
	117	+ info->invert \|= IPT_OWNER_NID;
	118	+ info->match \|= IPT_OWNER_NID;
	119	+ break;
	120	+ case O_XID:
	121	+ if (cb->invert)
	122	+ info->invert \|= IPT_OWNER_XID;
	123	+ info->match \|= IPT_OWNER_XID;
	124	+ break;
	125	}
	126	}
	127
	128	@@ -340,6 +394,12 @@
	129	case IPT_OWNER_COMM:
	130	printf(" %.*s", (int)sizeof(info->comm), info->comm);
	131	break;
	132	+ case IPT_OWNER_NID:
	133	+ printf("%u ", info->nid);
	134	+ break;
	135	+ case IPT_OWNER_XID:
	136	+ printf("%u ", info->xid);
	137	+ break;
	138	}
	139	}
	140
	141	@@ -385,6 +445,12 @@
	142	case IP6T_OWNER_SID:
	143	printf(" %u", (unsigned int)info->sid);
	144	break;
	145	+ case IP6T_OWNER_NID:
	146	+ printf("%u ", info->nid);
	147	+ break;
	148	+ case IP6T_OWNER_XID:
	149	+ printf("%u ", info->xid);
	150	+ break;
	151	}
	152	}
	153
	154	@@ -430,6 +496,12 @@
	155	}
	156	printf(" %u", (unsigned int)info->gid_min);
	157	break;
	158	+ case XT_OWNER_NID:
	159	+ printf("%u ", info->nid);
	160	+ break;
	161	+ case XT_OWNER_XID:
	162	+ printf("%u ", info->xid);
	163	+ break;
	164	}
	165	}
	166
	167	@@ -444,6 +516,8 @@
	168	owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
	169	owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
	170	owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
	171	+ owner_mt_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
	172	+ owner_mt_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
	173	}
	174
	175	static void
	176	@@ -456,6 +530,8 @@
	177	owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
178	owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
179	owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
180	+ owner_mt6_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
181	+ owner_mt6_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
182	}
183
184	static void owner_mt_print(const void ip, const struct xt_entry_match match,
185	@@ -466,6 +542,8 @@
f52fa132 JR	186	owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
	187	owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
	188	owner_mt_print_item(info, "incl. suppl. groups", XT_OWNER_SUPPL_GROUPS, numeric);
	189	+ owner_mt_print_item(info, "owner NID match", XT_OWNER_NID, numeric);
	190	+ owner_mt_print_item(info, "owner XID match", XT_OWNER_XID, numeric);
52cee3e3 JR	191	}
	192
	193	static void
	194	@@ -478,6 +556,8 @@
	195	owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
	196	owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
	197	owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
	198	+ owner_mt_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
	199	+ owner_mt_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
	200	}
	201
	202	static void
	203	@@ -489,6 +569,8 @@
	204	owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
	205	owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
	206	owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
	207	+ owner_mt6_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
	208	+ owner_mt6_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
	209	}
	210
	211	static void owner_mt_save(const void ip, const struct xt_entry_match match)
	212	@@ -498,6 +580,8 @@
f52fa132 JR	213	owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
	214	owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
	215	owner_mt_print_item(info, "--suppl-groups", XT_OWNER_SUPPL_GROUPS, true);
	216	+ owner_mt_print_item(info, "--nid-owner", XT_OWNER_NID, true);
	217	+ owner_mt_print_item(info, "--xid-owner", XT_OWNER_XID, true);
52cee3e3 JR	218	}
52cee3e3 JR	219
f52fa132	220	static int