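/**
 * FirewallExtensionHook - netfilter hook that gates locally generated TCP
 * traffic on the executable of the sending process.
 *
 * @ops:  hook registration record (unused here).
 * @skb:  the packet under inspection; skb->sk is the sending socket.
 * @in:   ingress device (unused here).
 * @out:  egress device (unused here).
 * @okfn: netfilter continuation (unused here).
 *
 * Returns a netfilter verdict, always NF_ACCEPT or NF_DROP. A hook must
 * never return a negative errno: the earlier "return -EFAULT" on a failed
 * /proc lookup was not a valid verdict and is now a fail-closed NF_DROP.
 *
 * Attributing the packet to `current` (and resolving /proc/<pid>/exe with
 * kern_path, which may sleep) is only valid in process context, so that
 * check now precedes the lookup for every packet, not only for SYNs.
 * The kern_path reference is released with path_put once the path string
 * has been rendered, and the dentry_path_raw result is checked for an
 * error pointer before it is used.
 */
unsigned int FirewallExtensionHook (const struct nf_hook_ops *ops, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct tcphdr *tcp;
	struct tcphdr _tcph;
	struct mm_struct *mm;
	struct sock *sk;
	struct path path;
	pid_t mod_pid;
	char cmdlineFile[BUFFERSIZE];
	int res;
	char *fullpath;
	char pathBuffer[BUFFERSIZE];
	unsigned short dport;
	unsigned int verdict;

	sk = skb->sk;
	if (!sk) {
		printk (KERN_INFO "firewall: netfilter called with empty socket!\n");
		return NF_ACCEPT;
	}
	if (sk->sk_protocol != IPPROTO_TCP) {
		printk (KERN_INFO "firewall: netfilter called with non-TCP-packet.\n");
		return NF_ACCEPT;
	}

	/* Copy the TCP header into _tcph in case it is not linear in the skb. */
	tcp = skb_header_pointer (skb, ip_hdrlen (skb), sizeof (struct tcphdr), &_tcph);
	if (!tcp) {
		printk (KERN_INFO "Could not get tcp-header!\n");
		return NF_ACCEPT;
	}
	/* Wire order -> host order (was htons; identical value, clearer intent). */
	dport = ntohs (tcp->dest);

	if (tcp->syn) {
		struct iphdr *ip;

		printk (KERN_INFO "firewall: Starting connection \n");
		ip = ip_hdr (skb);
		if (!ip) {
			printk (KERN_INFO "firewall: Cannot get IP header!\n");
		} else {
			printk (KERN_INFO "firewall: Destination address = %u.%u.%u.%u\n", NIPQUAD (ip->daddr));
		}
		printk (KERN_INFO "firewall: destination port = %d\n", dport);
	}

	/*
	 * Everything below attributes the packet to `current`, which is only
	 * the sender in process context, and kern_path() may sleep.
	 */
	if (in_irq () || in_softirq () || !(mm = get_task_mm (current))) {
		if (tcp->syn) {
			printk (KERN_INFO "Not in user context - retry packet\n");
			return NF_DROP;
		}
		/*
		 * Non-SYN segment with no sending task to check (presumably a
		 * kernel-generated segment such as an ACK). Dropping it would break
		 * the flow and checking `current` would blame an unrelated task;
		 * the flow's SYN was subject to this hook, so let it pass.
		 */
		return NF_ACCEPT;
	}
	mmput (mm); /* only the existence check was needed; release the reference */

	if (tcp->syn && dport == 80) {
		tcp_done (sk); /* terminate connection immediately */
		return NF_DROP;
	}

	mod_pid = current->pid;
	snprintf (cmdlineFile, BUFFERSIZE, "/proc/%d/exe", mod_pid);
	res = kern_path (cmdlineFile, LOOKUP_FOLLOW, &path);
	if (res) {
		/* Fail closed: a hook must return a verdict, never an errno. */
		printk (KERN_INFO "Could not get dentry for %s!\n", cmdlineFile);
		return NF_DROP;
	}
	fullpath = dentry_path_raw (path.dentry, pathBuffer, BUFFERSIZE);
	path_put (&path); /* fullpath points into pathBuffer, not into the dentry */
	if (IS_ERR (fullpath)) {
		printk (KERN_INFO "Could not resolve path for %s!\n", cmdlineFile);
		return NF_DROP;
	}

	if (canAccess (dport, fullpath)) {
		printk (KERN_INFO "Access allowed for %s on %i\n", fullpath, dport);
		verdict = NF_ACCEPT;
	} else {
		printk (KERN_INFO "Access denied for %s on %i\n", fullpath, dport);
		verdict = NF_DROP;
	}
	return verdict;
}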