diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/libip6t_owner.c iptables-1.3.3-20051019.w/extensions/libip6t_owner.c
--- iptables-1.3.3-20051019.p/extensions/libip6t_owner.c 2005-06-29 12:54:16.000000000 -0400
+++ iptables-1.3.3-20051019.w/extensions/libip6t_owner.c 2005-10-25 01:03:22.000000000 -0400
@@ -8,6 +8,7 @@
 #include
 #include
+#include
 #include
 /* Function which prints out usage message. */
@@ -22,6 +23,7 @@ help(void)
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
 "[!] --cmd-owner name Match local command name\n"
+"[!] --ctx-owner context Match SELinux security context (SELinux must be enabled in kernel)\n"
 "\n", IPTABLES_VERSION);
 #else
@@ -31,6 +33,7 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid Match local gid\n"
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
+"[!] --ctx-owner context Match SELinux security context (SELinux must be enabled in kernel)\n"
 "\n", IPTABLES_VERSION);
 #endif /* IP6T_OWNER_COMM */
@@ -44,6 +47,7 @@ static struct option opts[] = {
 #ifdef IP6T_OWNER_COMM
 { "cmd-owner", 1, 0, '5' },
 #endif
+ { "ctx-owner", 1, 0, '6' },
 {0}
 };
@@ -129,6 +133,20 @@ parse(int c, char **argv, int invert, un
 *flags = 1;
 break;
 #endif
+ case '6':
+ if (!is_selinux_enabled())
+ exit_error(PARAMETER_PROBLEM, "OWNER CTX is invalid because SELinux is disabled in the kernel. Having a bad day?");
+
+ check_inverse(optarg, &invert, &optind, 0);
+ if(strlen(optarg) > sizeof(ownerinfo->ctx))
+ exit_error(PARAMETER_PROBLEM, "OWNER CTX `%s' too long, max %u characters", optarg, (unsigned int)sizeof(ownerinfo->ctx));
+ strncpy(ownerinfo->ctx, optarg, sizeof(ownerinfo->ctx));
+ ownerinfo->ctx[sizeof(ownerinfo->ctx)-1] = '\0';
+ if (invert)
+ ownerinfo->invert |= IP6T_OWNER_CTX;
+ ownerinfo->match |= IP6T_OWNER_CTX;
+ *flags = 1;
+ break;
 default:
 return 0;
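Review bot: The length check in the new `case '6'` is off by one: `strlen(optarg) > sizeof(ownerinfo->ctx)` accepts a context of exactly `sizeof(ownerinfo->ctx)` characters, the following `strncpy` then fills the buffer with no terminator, and the forced `ownerinfo->ctx[sizeof(ownerinfo->ctx)-1] = '\0'` silently drops the last character, so the rule is installed with a context that differs from the one the administrator typed. Change the test to `if (strlen(optarg) >= sizeof(ownerinfo->ctx))` and report `(unsigned int)(sizeof(ownerinfo->ctx) - 1)` as the maximum in the error message. Separately, a well-formed but nonexistent context is accepted unchanged; since the file now links libselinux, `security_check_context(optarg)` could reject typos at parse time instead of loading a rule that never matches, unless the kernel side is known to validate the label itself. The `is_selinux_enabled()` guard also means a saved ruleset containing `--ctx-owner` will make iptables-restore abort on a host booted with SELinux disabled, which may be intended but deserves a comment such as `/* refuse at parse time: the kernel cannot evaluate a ctx match without SELinux */`. parse() starts and ends outside this hunk.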
@@ -182,6 +200,9 @@ print_item(struct ip6t_owner_info *info,
 printf("%.*s ", (int)sizeof(info->comm), info->comm);
 break;
 #endif
+ case IP6T_OWNER_CTX:
+ printf("%.*s ", (int)sizeof(info->ctx), info->ctx);
+ break;
 default:
 break;
 }
@@ -212,6 +233,7 @@ print(const struct ip6t_ip6 *ip,
 #ifdef IP6T_OWNER_COMM
 print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+ print_item(info, IP6T_OWNER_CTX, numeric, "OWNER CTX match ");
 }
 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
@@ -227,6 +249,7 @@ save(const struct ip6t_ip6 *ip, const st
 #ifdef IP6T_OWNER_COMM
 print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+ print_item(info, IP6T_OWNER_CTX, 0, "--ctx-owner ");
 }
 static struct ip6tables_match owner = {
diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/Makefile iptables-1.3.3-20051019.w/extensions/Makefile
--- iptables-1.3.3-20051019.p/extensions/Makefile 2005-10-25 00:57:03.000000000 -0400
+++ iptables-1.3.3-20051019.w/extensions/Makefile 2005-10-25 01:02:01.000000000 -0400
@@ -6,9 +6,9 @@ # package (HW)
 #
 PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL NFQUEUE MARK TRACE
+PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport physdev standard tcp udp HL NFQUEUE MARK TRACE
 PF_EXT_SE_SLIB:=LOG owner
-PF6_EXT_SE_SLIB:=LOG
+PF6_EXT_SE_SLIB:=LOG owner
 # Optionals
 PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
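Review bot: Moving `owner` from `PF6_EXT_SLIB` to `PF6_EXT_SE_SLIB` makes the entire IPv6 owner match depend on however `PF6_EXT_SE_SLIB` is built, which this hunk does not show; if that list is only compiled when libselinux is available, a build without SELinux support loses `--uid-owner`, `--gid-owner` and `--pid-owner` for ip6tables, not just `--ctx-owner`. That is consistent with the C side, where the new `ctx-owner` option entry and `case '6'` are added without an `#ifdef` guard (unlike `cmd-owner`), so libip6t_owner.c now needs libselinux unconditionally, and it mirrors the existing `PF_EXT_SE_SLIB:=LOG owner` for IPv4, so it may well be intended. A one-line comment on the `PF6_EXT_SE_SLIB` line would spare the next packager the surprise: `# owner links against libselinux for --ctx-owner; built only with SELinux support`.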