[packages/iptables.git] / iptables-1.3.5-owner-xid.patch

diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.c iptables-1.3.5.owner-xid/extensions/libip6t_owner.c
--- iptables-1.3.5.orig/extensions/libip6t_owner.c	2005-06-29 18:39:54.000000000 +0200
+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.c	2006-09-05 20:00:31.000000000 +0200
@@ -22,6 +22,8 @@ help(void)
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
 "[!] --cmd-owner name       Match local command name\n"
+"[!] --nid-owner nid        Match local nid\n"
+"[!] --xid-owner xid        Match local xid\n"
 "\n",
 IPTABLES_VERSION);
 #else
@@ -31,6 +33,8 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid    Match local gid\n"
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
+"[!] --nid-owner nid        Match local nid\n"
+"[!] --xid-owner xid        Match local xid\n"
 "\n",
 IPTABLES_VERSION);
 #endif /* IP6T_OWNER_COMM */
@@ -44,6 +48,8 @@ static struct option opts[] = {
 #ifdef IP6T_OWNER_COMM
 	{ "cmd-owner", 1, NULL, '5' },
 #endif
+	{ "nid-owner", 1, NULL, '6' },
+	{ "xid-owner", 1, NULL, '7' },
 	{ }
 };
 
@@ -129,6 +135,28 @@ parse(int c, char **argv, int invert, un
 		*flags = 1;
 		break;
 #endif
+
+	case '6':
+		check_inverse(optarg, &invert, &optind, 0);
+		ownerinfo->nid = strtoul(optarg, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
+		if (invert)
+			ownerinfo->invert |= IP6T_OWNER_NID;
+		ownerinfo->match |= IP6T_OWNER_NID;
+		*flags = 1;
+		break;
+		
+	case '7':
+		check_inverse(optarg, &invert, &optind, 0);
+		ownerinfo->xid = strtoul(optarg, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
+		if (invert)
+			ownerinfo->invert |= IP6T_OWNER_XID;
+		ownerinfo->match |= IP6T_OWNER_XID;
+		*flags = 1;
+		break;
 		
 	default:
 		return 0;
@@ -182,6 +210,12 @@ print_item(struct ip6t_owner_info *info,
 			printf("%.*s ", (int)sizeof(info->comm), info->comm);
 			break;
 #endif
+		case IP6T_OWNER_NID:
+			printf("%u ", info->nid);
+			break;
+		case IP6T_OWNER_XID:
+			printf("%u ", info->xid);
+			break;
 		default:
 			break;
 		}
@@ -212,6 +246,8 @@ print(const struct ip6t_ip6 *ip,
 #ifdef IP6T_OWNER_COMM
 	print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+	print_item(info, IP6T_OWNER_NID, numeric, "OWNER NID match ");
+	print_item(info, IP6T_OWNER_XID, numeric, "OWNER XID match ");
 }
 
 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
@@ -227,6 +263,8 @@ save(const struct ip6t_ip6 *ip, const st
 #ifdef IP6T_OWNER_COMM
 	print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+	print_item(info, IP6T_OWNER_NID, 0, "--nid-owner ");
+	print_item(info, IP6T_OWNER_XID, 0, "--xid-owner ");
 }
 
 static struct ip6tables_match owner = {
diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.man iptables-1.3.5.owner-xid/extensions/libip6t_owner.man
--- iptables-1.3.5.orig/extensions/libip6t_owner.man	2006-01-30 09:41:00.000000000 +0100
+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.man	2006-09-05 19:54:47.000000000 +0200
@@ -20,4 +20,12 @@ process id.
 Matches if the packet was created by a process in the given session
 group.
 .TP
+.BI "--nid-owner " "network context id"
+Matches if the packet was created by a process with the given
+network context id.
+.TP
+.BI "--xid-owner " "context id"
+Matches if the packet was created by a process with the given
+context id.
+.TP
 .B NOTE: pid, sid and command matching are broken on SMP
diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.c iptables-1.3.5.owner-xid/extensions/libipt_owner.c
--- iptables-1.3.5.orig/extensions/libipt_owner.c	2006-01-30 09:43:10.000000000 +0100
+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.c	2006-09-05 20:02:30.000000000 +0200
@@ -22,6 +22,8 @@ help(void)
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
 "[!] --cmd-owner name       Match local command name\n"
+"[!] --nid-owner nid        Match local nid\n"
+"[!] --xid-owner xid        Match local xid\n"
 "NOTE: pid, sid and command matching are broken on SMP\n"
 "\n",
 IPTABLES_VERSION);
@@ -32,6 +34,8 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid    Match local gid\n"
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
+"[!] --nid-owner nid        Match local nid\n"
+"[!] --xid-owner xid        Match local xid\n"
 "NOTE: pid and sid matching are broken on SMP\n"
 "\n",
 IPTABLES_VERSION);
@@ -46,6 +50,8 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
 	{ "cmd-owner", 1, NULL, '5' },
 #endif
+	{ "nid-owner", 1, NULL, '6' },
+	{ "xid-owner", 1, NULL, '7' },
 	{ }
 };
 
@@ -131,6 +137,28 @@ parse(int c, char **argv, int invert, un
 		break;
 #endif
 
+	case '6':
+		check_inverse(optarg, &invert, &optind, 0);
+		ownerinfo->nid = strtoul(optarg, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
+		if (invert)
+			ownerinfo->invert |= IPT_OWNER_NID;
+		ownerinfo->match |= IPT_OWNER_NID;
+		*flags = 1;
+		break;
+
+	case '7':
+		check_inverse(optarg, &invert, &optind, 0);
+		ownerinfo->xid = strtoul(optarg, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
+		if (invert)
+			ownerinfo->invert |= IPT_OWNER_XID;
+		ownerinfo->match |= IPT_OWNER_XID;
+		*flags = 1;
+		break;
+
 	default:
 		return 0;
 	}
@@ -183,6 +211,12 @@ print_item(struct ipt_owner_info *info, 
 			printf("%.*s ", (int)sizeof(info->comm), info->comm);
 			break;
 #endif
+		case IPT_OWNER_NID:
+			printf("%u ", info->nid);
+			break;
+		case IPT_OWNER_XID:
+			printf("%u ", info->xid);
+			break;
 		default:
 			break;
 		}
@@ -213,6 +247,8 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
 	print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+	print_item(info, IPT_OWNER_NID, numeric, "OWNER NID match ");
+	print_item(info, IPT_OWNER_XID, numeric, "OWNER XID match ");
 }
 
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -228,6 +264,8 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
 	print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+	print_item(info, IPT_OWNER_NID, 0, "--nid-owner ");
+	print_item(info, IPT_OWNER_XID, 0, "--xid-owner ");
 }
 
 static struct iptables_match owner = { 
diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.man iptables-1.3.5.owner-xid/extensions/libipt_owner.man
--- iptables-1.3.5.orig/extensions/libipt_owner.man	2004-10-10 11:56:26.000000000 +0200
+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.man	2006-09-05 19:54:53.000000000 +0200
@@ -25,4 +25,12 @@ Matches if the packet was created by a p
 (this option is present only if iptables was compiled under a kernel
 supporting this feature)
 .TP
+.BI "--nid-owner " "network context id"
+Matches if the packet was created by a process with the given
+network context id.
+.TP
+.BI "--xid-owner " "context id"
+Matches if the packet was created by a process with the given
+context id.
+.TP
 .B NOTE: pid, sid and command matching are broken on SMP
diff -Nurp iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h
--- iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h	2004-10-10 11:56:23.000000000 +0200
+++ iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h	2006-09-05 19:52:12.000000000 +0200
@@ -1,11 +1,15 @@
 #ifndef _IP6T_OWNER_H
 #define _IP6T_OWNER_H
 
+#include <linux/types.h>
+
 /* match and invert flags */
 #define IP6T_OWNER_UID	0x01
 #define IP6T_OWNER_GID	0x02
 #define IP6T_OWNER_PID	0x04
 #define IP6T_OWNER_SID	0x08
+#define IP6T_OWNER_NID	0x20
+#define IP6T_OWNER_XID	0x40
 
 struct ip6t_owner_info {
     uid_t uid;
@@ -13,6 +17,8 @@ struct ip6t_owner_info {
     pid_t pid;
     pid_t sid;
     u_int8_t match, invert;	/* flags */
+    u_int32_t nid;
+    u_int32_t xid;
 };
 
 #endif /*_IPT_OWNER_H*/
Commit	Line	Data
78d5658d	1	diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.c iptables-1.3.5.owner-xid/extensions/libip6t_owner.c
	2	--- iptables-1.3.5.orig/extensions/libip6t_owner.c 2005-06-29 18:39:54.000000000 +0200
	3	+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.c 2006-09-05 20:00:31.000000000 +0200
	4	@@ -22,6 +22,8 @@ help(void)
	5	"[!] --pid-owner processid Match local pid\n"
	6	"[!] --sid-owner sessionid Match local sid\n"
	7	"[!] --cmd-owner name Match local command name\n"
	8	+"[!] --nid-owner nid Match local nid\n"
	9	+"[!] --xid-owner xid Match local xid\n"
	10	"\n",
	11	IPTABLES_VERSION);
	12	#else
	13	@@ -31,6 +33,8 @@ IPTABLES_VERSION);
	14	"[!] --gid-owner groupid Match local gid\n"
	15	"[!] --pid-owner processid Match local pid\n"
	16	"[!] --sid-owner sessionid Match local sid\n"
	17	+"[!] --nid-owner nid Match local nid\n"
	18	+"[!] --xid-owner xid Match local xid\n"
	19	"\n",
	20	IPTABLES_VERSION);
	21	#endif /* IP6T_OWNER_COMM */
	22	@@ -44,6 +48,8 @@ static struct option opts[] = {
	23	#ifdef IP6T_OWNER_COMM
22e747c8	24	{ "cmd-owner", 1, NULL, '5' },
78d5658d	25	#endif
22e747c8 AM	26	+ { "nid-owner", 1, NULL, '6' },
	27	+ { "xid-owner", 1, NULL, '7' },
	28	{ }
78d5658d	29	};
	30
	31	@@ -129,6 +135,28 @@ parse(int c, char **argv, int invert, un
	32	*flags = 1;
	33	break;
	34	#endif
	35	+
	36	+ case '6':
	37	+ check_inverse(optarg, &invert, &optind, 0);
	38	+ ownerinfo->nid = strtoul(optarg, &end, 0);
	39	+ if (*end != '\0' \|\| end == optarg)
	40	+ exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
	41	+ if (invert)
	42	+ ownerinfo->invert \|= IP6T_OWNER_NID;
	43	+ ownerinfo->match \|= IP6T_OWNER_NID;
	44	+ *flags = 1;
	45	+ break;
	46	+
	47	+ case '7':
	48	+ check_inverse(optarg, &invert, &optind, 0);
	49	+ ownerinfo->xid = strtoul(optarg, &end, 0);
	50	+ if (*end != '\0' \|\| end == optarg)
	51	+ exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
	52	+ if (invert)
	53	+ ownerinfo->invert \|= IP6T_OWNER_XID;
	54	+ ownerinfo->match \|= IP6T_OWNER_XID;
	55	+ *flags = 1;
	56	+ break;
	57
	58	default:
	59	return 0;
	60	@@ -182,6 +210,12 @@ print_item(struct ip6t_owner_info *info,
	61	printf("%.*s ", (int)sizeof(info->comm), info->comm);
	62	break;
	63	#endif
	64	+ case IP6T_OWNER_NID:
	65	+ printf("%u ", info->nid);
	66	+ break;
	67	+ case IP6T_OWNER_XID:
	68	+ printf("%u ", info->xid);
	69	+ break;
	70	default:
	71	break;
	72	}
	73	@@ -212,6 +246,8 @@ print(const struct ip6t_ip6 *ip,
	74	#ifdef IP6T_OWNER_COMM
	75	print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
	76	#endif
	77	+ print_item(info, IP6T_OWNER_NID, numeric, "OWNER NID match ");
	78	+ print_item(info, IP6T_OWNER_XID, numeric, "OWNER XID match ");
	79	}
	80
	81	/* Saves the union ip6t_matchinfo in parsable form to stdout. */
	82	@@ -227,6 +263,8 @@ save(const struct ip6t_ip6 *ip, const st
	83	#ifdef IP6T_OWNER_COMM
	84	print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
	85	#endif
	86	+ print_item(info, IP6T_OWNER_NID, 0, "--nid-owner ");
	87	+ print_item(info, IP6T_OWNER_XID, 0, "--xid-owner ");
	88	}
	89
	90	static struct ip6tables_match owner = {
	91	diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.man iptables-1.3.5.owner-xid/extensions/libip6t_owner.man
	92	--- iptables-1.3.5.orig/extensions/libip6t_owner.man 2006-01-30 09:41:00.000000000 +0100
93	+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.man 2006-09-05 19:54:47.000000000 +0200
94	@@ -20,4 +20,12 @@ process id.
95	Matches if the packet was created by a process in the given session
96	group.
97	.TP
98	+.BI "--nid-owner " "network context id"
99	+Matches if the packet was created by a process with the given
100	+network context id.
101	+.TP
102	+.BI "--xid-owner " "context id"
103	+Matches if the packet was created by a process with the given
104	+context id.
105	+.TP
106	.B NOTE: pid, sid and command matching are broken on SMP
107	diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.c iptables-1.3.5.owner-xid/extensions/libipt_owner.c
108	--- iptables-1.3.5.orig/extensions/libipt_owner.c 2006-01-30 09:43:10.000000000 +0100
109	+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.c 2006-09-05 20:02:30.000000000 +0200
110	@@ -22,6 +22,8 @@ help(void)
111	"[!] --pid-owner processid Match local pid\n"
112	"[!] --sid-owner sessionid Match local sid\n"
113	"[!] --cmd-owner name Match local command name\n"
114	+"[!] --nid-owner nid Match local nid\n"
115	+"[!] --xid-owner xid Match local xid\n"
116	"NOTE: pid, sid and command matching are broken on SMP\n"
117	"\n",
118	IPTABLES_VERSION);
119	@@ -32,6 +34,8 @@ IPTABLES_VERSION);
120	"[!] --gid-owner groupid Match local gid\n"
121	"[!] --pid-owner processid Match local pid\n"
122	"[!] --sid-owner sessionid Match local sid\n"
123	+"[!] --nid-owner nid Match local nid\n"
124	+"[!] --xid-owner xid Match local xid\n"
125	"NOTE: pid and sid matching are broken on SMP\n"
126	"\n",
127	IPTABLES_VERSION);
128	@@ -46,6 +50,8 @@ static struct option opts[] = {
129	#ifdef IPT_OWNER_COMM
22e747c8	130	{ "cmd-owner", 1, NULL, '5' },
78d5658d	131	#endif
22e747c8 AM	132	+ { "nid-owner", 1, NULL, '6' },
	133	+ { "xid-owner", 1, NULL, '7' },
	134	{ }
78d5658d	135	};
	136
	137	@@ -131,6 +137,28 @@ parse(int c, char **argv, int invert, un
	138	break;
	139	#endif
	140
	141	+ case '6':
	142	+ check_inverse(optarg, &invert, &optind, 0);
	143	+ ownerinfo->nid = strtoul(optarg, &end, 0);
	144	+ if (*end != '\0' \|\| end == optarg)
	145	+ exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
	146	+ if (invert)
	147	+ ownerinfo->invert \|= IPT_OWNER_NID;
	148	+ ownerinfo->match \|= IPT_OWNER_NID;
	149	+ *flags = 1;
	150	+ break;
	151	+
	152	+ case '7':
	153	+ check_inverse(optarg, &invert, &optind, 0);
	154	+ ownerinfo->xid = strtoul(optarg, &end, 0);
	155	+ if (*end != '\0' \|\| end == optarg)
	156	+ exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
	157	+ if (invert)
	158	+ ownerinfo->invert \|= IPT_OWNER_XID;
	159	+ ownerinfo->match \|= IPT_OWNER_XID;
	160	+ *flags = 1;
	161	+ break;
	162	+
	163	default:
	164	return 0;
	165	}
	166	@@ -183,6 +211,12 @@ print_item(struct ipt_owner_info *info,
	167	printf("%.*s ", (int)sizeof(info->comm), info->comm);
	168	break;
	169	#endif
	170	+ case IPT_OWNER_NID:
	171	+ printf("%u ", info->nid);
	172	+ break;
	173	+ case IPT_OWNER_XID:
	174	+ printf("%u ", info->xid);
	175	+ break;
	176	default:
	177	break;
	178	}
	179	@@ -213,6 +247,8 @@ print(const struct ipt_ip *ip,
	180	#ifdef IPT_OWNER_COMM
	181	print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
	182	#endif
	183	+ print_item(info, IPT_OWNER_NID, numeric, "OWNER NID match ");
	184	+ print_item(info, IPT_OWNER_XID, numeric, "OWNER XID match ");
	185	}
	186
	187	/* Saves the union ipt_matchinfo in parsable form to stdout. */
	188	@@ -228,6 +264,8 @@ save(const struct ipt_ip *ip, const stru
	189	#ifdef IPT_OWNER_COMM
	190	print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
	191	#endif
	192	+ print_item(info, IPT_OWNER_NID, 0, "--nid-owner ");
	193	+ print_item(info, IPT_OWNER_XID, 0, "--xid-owner ");
	194	}
	195
	196	static struct iptables_match owner = {
	197	diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.man iptables-1.3.5.owner-xid/extensions/libipt_owner.man
	198	--- iptables-1.3.5.orig/extensions/libipt_owner.man 2004-10-10 11:56:26.000000000 +0200
199	+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.man 2006-09-05 19:54:53.000000000 +0200
200	@@ -25,4 +25,12 @@ Matches if the packet was created by a p
201	(this option is present only if iptables was compiled under a kernel
202	supporting this feature)
203	.TP
204	+.BI "--nid-owner " "network context id"
205	+Matches if the packet was created by a process with the given
206	+network context id.
207	+.TP
208	+.BI "--xid-owner " "context id"
209	+Matches if the packet was created by a process with the given
210	+context id.
211	+.TP
212	.B NOTE: pid, sid and command matching are broken on SMP
213	diff -Nurp iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h
214	--- iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h 2004-10-10 11:56:23.000000000 +0200
215	+++ iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h 2006-09-05 19:52:12.000000000 +0200
216	@@ -1,11 +1,15 @@
217	#ifndef _IP6T_OWNER_H
218	#define _IP6T_OWNER_H
219
220	+#include <linux/types.h>
221	+
222	/* match and invert flags */
223	#define IP6T_OWNER_UID 0x01
224	#define IP6T_OWNER_GID 0x02
225	#define IP6T_OWNER_PID 0x04
226	#define IP6T_OWNER_SID 0x08
227	+#define IP6T_OWNER_NID 0x20
228	+#define IP6T_OWNER_XID 0x40
229
230	struct ip6t_owner_info {
231	uid_t uid;
232	@@ -13,6 +17,8 @@ struct ip6t_owner_info {
233	pid_t pid;
234	pid_t sid;
235	u_int8_t match, invert; /* flags */
236	+ u_int32_t nid;
237	+ u_int32_t xid;
238	};
239
240	#endif /_IPT_OWNER_H/