Added support for --cmd-owner option when ownercmd.patch is applied to kernel.
authorMarc Boucher <marc@mbsi.ca>
Sat, 19 Jan 2002 12:46:04 +0000 (12:46 +0000)
committerMarc Boucher <marc@mbsi.ca>
Sat, 19 Jan 2002 12:46:04 +0000 (12:46 +0000)
extensions/libipt_owner.c
iptables.8

index 953eb59aaa10e08e4bd19b528422d1b6c2395dd2..30ee0c110eac04419e1ad724357f4052f939cad0 100644 (file)
@@ -20,6 +20,9 @@ help(void)
 "[!] --gid-owner groupid    Match local gid\n"
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
+#ifdef IPT_OWNER_COMM
+"[!] --cmd-owner name       Match local command name\n"
+#endif
 "\n",
 NETFILTER_VERSION);
 }
@@ -29,6 +32,9 @@ static struct option opts[] = {
        { "gid-owner", 1, 0, '2' },
        { "pid-owner", 1, 0, '3' },
        { "sid-owner", 1, 0, '4' },
+#ifdef IPT_OWNER_COMM
+       { "cmd-owner", 1, 0, '5' },
+#endif
        {0}
 };
 
@@ -111,6 +117,22 @@ parse(int c, char **argv, int invert, unsigned int *flags,
                *flags = 1;
                break;
 
+#ifdef IPT_OWNER_COMM
+       case '5':
+               if (check_inverse(optarg, &invert))
+                       optind++;
+               if(strlen(optarg) > sizeof(ownerinfo->comm))
+                       exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
+
+               strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
+
+               if (invert)
+                       ownerinfo->invert |= IPT_OWNER_COMM;
+               ownerinfo->match |= IPT_OWNER_COMM;
+               *flags = 1;
+               break;
+#endif
+
        default:
                return 0;
        }
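Review bot: The length check in the new `case '5':` is off by one: a name of exactly `sizeof(ownerinfo->comm)` characters passes `strlen(optarg) > sizeof(ownerinfo->comm)`, and the `strncpy` that follows then fills the field with no terminating NUL, so any consumer that treats `comm` as a C string can read past the end of it. Reject with `if (strlen(optarg) >= sizeof(ownerinfo->comm))` and report the limit as `sizeof(ownerinfo->comm) - 1`. The error message also passes a `size_t` to `%d`, which is a format/argument mismatch on 64-bit targets; use `%u` with `(unsigned int)(sizeof(ownerinfo->comm) - 1)`. When `check_inverse` consumes a standalone `!`, `optarg` presumably still points at the `!` rather than at the name, so `argv[optind-1]` may be what is intended here; the rest of `parse` lies outside this hunk, so confirm against the other cases.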
@@ -158,6 +180,11 @@ print_item(struct ipt_owner_info *info, u_int8_t flag, int numeric, char *label)
                case IPT_OWNER_SID:
                        printf("%u ", info->sid);
                        break;
+#ifdef IPT_OWNER_COMM
+               case IPT_OWNER_COMM:
+                       printf("%.*s ", (int)sizeof(info->comm), info->comm);
+                       break;
+#endif
                default:
                        break;
                }
@@ -185,6 +212,9 @@ print(const struct ipt_ip *ip,
        print_item(info, IPT_OWNER_GID, numeric, "OWNER GID match ");
        print_item(info, IPT_OWNER_PID, numeric, "OWNER PID match ");
        print_item(info, IPT_OWNER_SID, numeric, "OWNER SID match ");
+#ifdef IPT_OWNER_COMM
+       print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
+#endif
 }
 
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -197,6 +227,9 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
        print_item(info, IPT_OWNER_GID, 0, "--gid-owner ");
        print_item(info, IPT_OWNER_PID, 0, "--pid-owner ");
        print_item(info, IPT_OWNER_SID, 0, "--sid-owner ");
+#ifdef IPT_OWNER_COMM
+       print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
+#endif
 }
 
 static
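Review bot: The `--cmd-owner` line added to `save` emits the command name through `print_item`, which prints it bare as `"%.*s "` with no quoting, so a name containing whitespace or a quote character would likely not read back as a single argument when the saved rules are restored. A rule that changes meaning or fails to load on restore is a policy-integrity problem for a firewall. Either quote and escape the name on the save path, or have `parse` reject names that cannot round-trip and document it next to the call, e.g. `/* comm is emitted unquoted: must not contain whitespace */`. `save` begins above this hunk and the restore-side tokenising is not visible here, so confirm how arguments are split before choosing.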
index 16008b338a9087634330fd4c44a23e98be1d8747..baa3d33bf903239834f439b84799d7636c383623 100644 (file)
@@ -483,6 +483,11 @@ process id.
 .BI "--sid-owner " "sessionid"
 Matches if the packet was created by a process in the given session
 group.
+.TP
+.BI "--cmd-owner " "name"
+Matches if the packet was created by a process with the given command name.
+(this option is present only if iptables was compiled under a kernel
+supporting this feature)
 .SS state
 This module, when combined with connection tracking, allows access to
 the connection tracking state for this packet.