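/*
 * True when this hook runs on behalf of a user process, i.e. when `current`
 * identifies the task that is sending the packet.  In hard/soft IRQ context
 * (retransmit and delayed-ACK timers, for instance) `current` is whichever
 * task happened to be interrupted, and the sleeping /proc lookup below must
 * not be attempted there at all.
 */
static bool firewall_in_process_context(void)
{
	struct mm_struct *mm;

	if (in_irq() || in_softirq())
		return false;

	mm = get_task_mm(current); /* NULL for kernel threads */
	if (!mm)
		return false;
	mmput(mm); /* we only needed to know that a user mm exists */
	return true;
}

/*
 * Resolve the executable of `current` via /proc/<pid>/exe into buf.
 *
 * @buf:    caller-provided buffer that receives the path.
 * @buflen: size of buf.
 *
 * Returns a pointer into buf, or NULL on any failure (procfs not mounted,
 * lookup error, path too long for buf).  Must be called in process context.
 * NOTE(review): dentry_path_raw() yields the path relative to the dentry's
 * filesystem root, not the mount-aware d_path(); the original code chose
 * the same, so canAccess() presumably expects that form -- confirm.
 */
static char *firewall_current_exe_path(char *buf, size_t buflen)
{
	char procfile[BUFFERSIZE];
	struct path path;
	char *fullpath;
	int res;

	snprintf(procfile, sizeof(procfile), "/proc/%d/exe", current->pid);

	res = kern_path(procfile, LOOKUP_FOLLOW, &path);
	if (res) {
		printk(KERN_INFO "Could not get dentry for %s!\n", procfile);
		return NULL;
	}

	fullpath = dentry_path_raw(path.dentry, buf, buflen);
	path_put(&path); /* kern_path() took a reference; the old code leaked it */

	if (IS_ERR(fullpath)) {
		printk(KERN_INFO "firewall: could not build path for %s\n", procfile);
		return NULL;
	}
	return fullpath;
}

/*
 * Netfilter hook that gates outgoing TCP traffic by the executable of the
 * process owning the socket.  The identity comes from `current`, so the hook
 * is only meaningful at a local-output hook point running in process context.
 *
 * @ops, @in, @out, @okfn: standard netfilter hook arguments, unused here.
 * @skb: the packet; its socket and TCP header are inspected.
 *
 * Returns a netfilter verdict, NF_ACCEPT or NF_DROP.  A hook must return a
 * verdict; the earlier version returned -EFAULT when the /proc lookup
 * failed, which is not one.  Every failure on the policy path is now
 * fail-closed (NF_DROP).
 *
 * Policy as visible in this function:
 *  - packets with no socket, and packets from non-TCP sockets, pass
 *    unfiltered (fail-open for anything this hook cannot attribute);
 *  - a SYN to destination port 80 is refused and the socket torn down;
 *  - everything else is decided by canAccess(port, exe path).
 * NOTE(review): the policy keys on a filesystem path; whoever can write
 * into an allowed path can borrow its privilege.  The rules themselves live
 * in canAccess(), which is not shown here.
 */
unsigned int FirewallExtensionHook(const struct nf_hook_ops *ops, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
	struct tcphdr *tcp;
	struct tcphdr _tcph;
	struct sock *sk;
	char pathBuffer[BUFFERSIZE];
	char *fullpath;
	unsigned int dport;

	sk = skb->sk;
	if (!sk) {
		printk(KERN_INFO "firewall: netfilter called with empty socket!\n");
		return NF_ACCEPT;
	}

	if (sk->sk_protocol != IPPROTO_TCP) {
		printk(KERN_INFO "firewall: netfilter called with non-TCP-packet.\n");
		return NF_ACCEPT;
	}

	/* Header may be non-linear; skb_header_pointer copies into _tcph if so. */
	tcp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(struct tcphdr), &_tcph);
	if (!tcp) {
		printk(KERN_INFO "Could not get tcp-header!\n");
		return NF_ACCEPT;
	}
	dport = ntohs(tcp->dest);

	if (tcp->syn) {
		struct iphdr *ip = ip_hdr(skb);

		printk(KERN_INFO "firewall: Starting connection \n");
		if (!ip)
			printk(KERN_INFO "firewall: Cannot get IP header!\n");
		else
			printk(KERN_INFO "firewall: Destination address = %pI4\n", &ip->daddr);
		printk(KERN_INFO "firewall: destination port = %u\n", dport);
	}

	/*
	 * Everything below reads `current` and performs a sleeping path lookup,
	 * so it is only valid in process context.  The old code guarded only the
	 * SYN branch and then did the lookup for every segment regardless.
	 */
	if (!firewall_in_process_context()) {
		if (tcp->syn) {
			/*
			 * NOTE(review): this also catches SYN retransmits sent by the
			 * retransmit timer, so an unanswered SYN is never retried.
			 */
			printk(KERN_INFO "Not in user context - retry packet\n");
			return NF_DROP;
		}
		/*
		 * Non-SYN segments from timer context belong to a connection whose
		 * SYN was already judged in process context; a TCP socket cannot
		 * emit them without that handshake, so let them through rather than
		 * stall established flows.
		 */
		return NF_ACCEPT;
	}

	if (tcp->syn && dport == 80) {
		tcp_done(sk); /* terminate connection immediately */
		return NF_DROP;
	}

	fullpath = firewall_current_exe_path(pathBuffer, sizeof(pathBuffer));
	if (!fullpath)
		return NF_DROP; /* cannot attribute the packet: fail closed */

	if (canAccess(dport, fullpath)) {
		printk(KERN_INFO "Access allowed for %s on %u\n", fullpath, dport);
		return NF_ACCEPT;
	}

	printk(KERN_INFO "Access denied for %s on %u\n", fullpath, dport);
	return NF_DROP;
}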