ebtables-devel — Development questions, bugs, patches

Re: [Ebtables-devel] catch ebtables rule with a kernel module.

[Bart De S. <bds...@pa...>]

In userspace, I would just build my own wrapper script around ebtables. 
In kernel space, you will need to hack the code, see 
net/bridge/netfilter/ebtables.c::do_replace

cheers,
Bart

Op 22/07/2013 15:50, daniel tehila schreef:
> Hello All,
>    I have been working on Ethernet Bridge using ebtables on kernel 2.6 & 3.x. What
> I wanted to know is how can I catch {from kernel space} any new ebtable rule configured
> by the users, I want to catch the rules configured to the kernel and do some parsing on it.
>
> Thanks.
>
> Daniel.
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>
>
> _______________________________________________
> Ebtables-devel mailing list
> Ebt...@li...
> https://lists.sourceforge.net/lists/listinfo/ebtables-devel

[Ebtables-devel] Fwd: catch ebtables rule with a kernel module.

[daniel t. <dan...@gm...>]

Hello All,
  I have been working on Ethernet Bridge using ebtables on kernel 2.6
& 3.x. What
I wanted to know is how can I catch {from kernel space} any new
ebtable rule configured
by the users, I want to catch the rules configured to the kernel and
do some parsing on it.

Thanks.

Daniel.

[Ebtables-devel] catch ebtables rule with a kernel module.

[daniel t. <dan...@gm...>]

Hello All,
  I have been working on Ethernet Bridge using ebtables on kernel 2.6
& 3.x. What
I wanted to know is how can I catch {from kernel space} any new
ebtable rule configured
by the users, I want to catch the rules configured to the kernel and
do some parsing on it.

Thanks.

Daniel.

Re: [Ebtables-devel] [patch] arptables: some patches from debian

[Bart De S. <bds...@pa...>]

Applied.

Thanks,

Bart

On 14-10-10 17:37, Peter Volkov wrote:
> Hi Bart. Thank you for review/applying patches. Could you also apply
> attached patch to fix not respecting LDFLAGS issue (very similar to one
> I've sent you long time ago for ebtables :) )
>
> --
> Peter.
>
> В Сбт, 09/10/2010 в 21:17 +0200, Bart De Schuymer пишет:
>> Hello Peter,
>>
>> Patch 2 and 3 are committed.
>> For the '*' part of patch 1 I'd rather remove the -v usage in 
>> arptables-restore. This will require fixing the reason why -v is used in 
>> the first place. I wasn't aware this is due to a bug: the -i and -o 
>> interfaces aren't printed unless -v is specified. I'll look into this.
>>
>> cheers,
>> Bart
>>
>> On 09-10-10 15:17, Peter Volkov wrote:
>>> Hi again. What is the best way to contact arptables developers? My
>>> previous patch was left without attention, should I resend it? In
>>> attachment there are three fixes from debian:
>>>
>>> 1. arptables_save patch makes arp_tables don't resolve host names and
>>> don't convert '*' interface names to any. Remove '*' interface names.
>>> 2. manpage patch removes old version from man page
>>> 3. is a patch from Jeroen van Wolffelaar to make arptables --proto-type
>>> also accept hexadecimal inputs (ethernet protocol numbers are often
>>> specfied in hex, not decimal), using standard strtol() behaviour (hex
>>> iff starts with 0x).


-- 
Bart De Schuymer
www.artinalgorithms.be

Re: [Ebtables-devel] [patch] arptables: some patches from debian

[Peter V. <pv...@ge...>]

Hi Bart. Thank you for review/applying patches. Could you also apply
attached patch to fix not respecting LDFLAGS issue (very similar to one
I've sent you long time ago for ebtables :) )

--
Peter.

В Сбт, 09/10/2010 в 21:17 +0200, Bart De Schuymer пишет:
> Hello Peter,
> 
> Patch 2 and 3 are committed.
> For the '*' part of patch 1 I'd rather remove the -v usage in 
> arptables-restore. This will require fixing the reason why -v is used in 
> the first place. I wasn't aware this is due to a bug: the -i and -o 
> interfaces aren't printed unless -v is specified. I'll look into this.
> 
> cheers,
> Bart
> 
> On 09-10-10 15:17, Peter Volkov wrote:
> > Hi again. What is the best way to contact arptables developers? My
> > previous patch was left without attention, should I resend it? In
> > attachment there are three fixes from debian:
> >
> > 1. arptables_save patch makes arp_tables don't resolve host names and
> > don't convert '*' interface names to any. Remove '*' interface names.
> > 2. manpage patch removes old version from man page
> > 3. is a patch from Jeroen van Wolffelaar to make arptables --proto-type
> > also accept hexadecimal inputs (ethernet protocol numbers are often
> > specfied in hex, not decimal), using standard strtol() behaviour (hex
> > iff starts with 0x).

Re: [Ebtables-devel] [patch] arptables: some patches from debian

[Bart De S. <bds...@pa...>]

Hello Peter,

Patch 2 and 3 are committed.
For the '*' part of patch 1 I'd rather remove the -v usage in 
arptables-restore. This will require fixing the reason why -v is used in 
the first place. I wasn't aware this is due to a bug: the -i and -o 
interfaces aren't printed unless -v is specified. I'll look into this.

cheers,
Bart

On 09-10-10 15:17, Peter Volkov wrote:
> Hi again. What is the best way to contact arptables developers? My
> previous patch was left without attention, should I resend it? In
> attachment there are three fixes from debian:
>
> 1. arptables_save patch makes arp_tables don't resolve host names and
> don't convert '*' interface names to any. Remove '*' interface names.
> 2. manpage patch removes old version from man page
> 3. is a patch from Jeroen van Wolffelaar to make arptables --proto-type
> also accept hexadecimal inputs (ethernet protocol numbers are often
> specfied in hex, not decimal), using standard strtol() behaviour (hex
> iff starts with 0x).
>
> Please, apply.
>    


-- 
Bart De Schuymer
www.artinalgorithms.be

[Ebtables-devel] [patch] arptables: some patches from debian

[Peter V. <pv...@ge...>]

Hi again. What is the best way to contact arptables developers? My
previous patch was left without attention, should I resend it? In
attachment there are three fixes from debian:

1. arptables_save patch makes arp_tables don't resolve host names and
don't convert '*' interface names to any. Remove '*' interface names.
2. manpage patch removes old version from man page
3. is a patch from Jeroen van Wolffelaar to make arptables --proto-type
also accept hexadecimal inputs (ethernet protocol numbers are often
specfied in hex, not decimal), using standard strtol() behaviour (hex
iff starts with 0x).

Please, apply.
-- 
Peter.

[Ebtables-devel] [patch] arptables respect LDFLAGS

[Peter V. <pv...@ge...>]

Hi. The patch in attachment makes arptables respect LDFLAGS. Please,
apply. Thank you.

-- 
Peter.

[Ebtables-devel] VLAN tag target

[Michele Jr De C. <mic...@al...>]

Hi all,
I read on mailing list that somebody has tried to do a new target module
to add or remove the VLAN tag with ebtables.

There were some patches or references about previous developments?

Thanks in advance,
Michele

Re: [Ebtables-devel] [rfc] netfilter: copy less data to the user

[Patrick M. <ka...@tr...>]

Am 15.07.2010 12:16, schrieb Dan Carpenter:
> On Thu, Jul 15, 2010 at 11:48:09AM +0200, Patrick McHardy wrote:
>> Am 14.07.2010 23:04, schrieb Dan Carpenter:
>>> Smatch complains that we copy too much data to the user in ebtables.
>>> We copied EBT_FUNCTION_MAXNAMELEN (32) characters to the user here, but 
>>> "m->u.match->name" has XT_EXTENSION_MAXNAMELEN (29) characters.
>>>
>>> I'm not sure if this is a bug where someone got confused with m->u.name
>>> which has 32 characters or if this is done for backwards compatability.
>>
>> Looking at ebtables.h, ebt_entry_match->name uses
>> EBT_FUNCTION_MAXNAMELEN, which is 32 bytes. Where did you get
>> XT_EXTENSION_MAXNAMELEN from?
>>
> 
> Exactly.  ebt_entry_match->u.name uses EBT_FUNCTION_MAXNAMELEN but this is
> from ebt_entry_match->u.match->name which is type struct xt_match.

Right, I see.

> But it looks like we're exporting struct ebt_match which also uses
> EBT_FUNCTION_MAXNAMELEN.  So maybe the fix is to copy ->u.name instead
> of ->u.match->name.

That name is not valid within the kernel, the union contains the
xt_match pointer. So your patch seems correct, but we probably
also need to adjust ebtables userspace.

Jan?

Re: [Ebtables-devel] [rfc] netfilter: copy less data to the user

[Patrick M. <ka...@tr...>]

Am 14.07.2010 23:04, schrieb Dan Carpenter:
> Smatch complains that we copy too much data to the user in ebtables.
> We copied EBT_FUNCTION_MAXNAMELEN (32) characters to the user here, but 
> "m->u.match->name" has XT_EXTENSION_MAXNAMELEN (29) characters.
> 
> I'm not sure if this is a bug where someone got confused with m->u.name
> which has 32 characters or if this is done for backwards compatability.

Looking at ebtables.h, ebt_entry_match->name uses
EBT_FUNCTION_MAXNAMELEN, which is 32 bytes. Where did you get
XT_EXTENSION_MAXNAMELEN from?

> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 59ca00e..6bcb31d 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1323,7 +1323,7 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
>      const char *base, char __user *ubase)
>  {
>  	char __user *hlp = ubase + ((char *)m - base);
> -	if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
> +	if (copy_to_user(hlp, m->u.match->name, XT_EXTENSION_MAXNAMELEN))
>  		return -EFAULT;
>  	return 0;
>  }
> @@ -1332,7 +1332,7 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
>      const char *base, char __user *ubase)
>  {
>  	char __user *hlp = ubase + ((char *)w - base);
> -	if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
> +	if (copy_to_user(hlp , w->u.watcher->name, XT_EXTENSION_MAXNAMELEN))
>  		return -EFAULT;
>  	return 0;
>  }
> @@ -1356,7 +1356,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
>  	ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
>  	if (ret != 0)
>  		return ret;
> -	if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
> +	if (copy_to_user(hlp, t->u.target->name, XT_EXTENSION_MAXNAMELEN))
>  		return -EFAULT;
>  	return 0;
>  }
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to maj...@vg...
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

[Ebtables-devel] ebtables ebt_vlan.c kernel part

[Eric d. <eri...@ho...>]

Hello everybody,


I have questions about ebtables program: where is the kernel part of the file ebt_vlan.c? Or anyboby have one idea how it is written the ebtables kernel vlan match module?
Does it include the file if_vlan.h? 
Because it would like to write a module using the same steps for ppp frames and I don't understand how  the vlan module works because there are no kernel part. If somebody has written the kernel part of the vlan module, it could given idea to write the kernel part of my ppp module?

Thanks,

Regards,

Eric 

 		 	   		  
_________________________________________________________________
Hotmail: Trusted email with Microsoft’s powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969

[Ebtables-devel] ebt_ppp extension module for ebtables

[Eric d. <eri...@ho...>]

 Hello All,

I have 
added the kernel part on my module like this:

I
 have  add in Makefile  EXT_FUNC+=802_3 nat arp arpreply 
ip ip6 standard log redirect vlan mark_m mark ppp \
 pkttype stp 
among limit ulog nflog 

It compiles but I  have many errors :

gcc -Wall -Wunused -fPIC 
-DPROGVERSION=\"2.0.9-2\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"June\ 
2009\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50 
-DEBTD_CMDLINE_MAXLN=2048 -c -o extensions/ebt_ppp.o 
extensions/ebt_ppp.c -Iinclude/
In file included from 
extensions/../include/ebtables.h:16,
                 from 
extensions/ebt_ppp.c:15:
/usr/include/linux/if.h:166: error: field 
‘ifru_addr’ has incomplete type
/usr/include/linux/if.h:167: error: 
field ‘ifru_dstaddr’ has incomplete type
/usr/include/linux/if.h:168:
 error: field ‘ifru_broadaddr’ has incomplete type
/usr/include/linux/if.h:169:

 error: field ‘ifru_netmask’ has incomplete type
/usr/include/linux/if.h:170:

 error: field ‘ifru_hwaddr’ has incomplete type
In file included from
 include/linux/netfilter_bridge.h:7,
                 from 
extensions/../include/ebtables.h:17,
                 from 
extensions/ebt_ppp.c:15:
/usr/include/linux/netfilter.h:44: error: 
field ‘in’ has incomplete type
/usr/include/linux/netfilter.h:45: 
error: field ‘in6’ has incomplete type
In file included from 
/usr/include/linux/if_pppox.h:23,
                 from 
include/linux/netfilter_bridge.h:10,
                 from 
extensions/../include/ebtables.h:17,
                 from 
extensions/ebt_ppp.c:15:
/usr/include/linux/if_pppol2tp.h:30: error: 
field ‘addr’ has incomplete type
In file included from 
include/linux/netfilter_bridge.h:10,
                 from 
extensions/../include/ebtables.h:17,
                 from 
extensions/ebt_ppp.c:15:
/usr/include/linux/if_pppox.h:51: error: 
expected specifier-qualifier-list before ‘sa_family_t’
/usr/include/linux/if_pppox.h:64:

 error: expected specifier-qualifier-list before ‘sa_family_t’
In 
file included from extensions/ebt_ppp.c:15:
extensions/../include/ebtables.h:37:

 error: expected specifier-qualifier-list before ‘uint64_t’
extensions/../include/ebtables.h:170:

 error: expected specifier-qualifier-list before ‘uint16_t’
extensions/ebt_ppp.c:198:

 warning: ‘struct net_device’ declared inside parameter list
extensions/ebt_ppp.c:198:

 warning: its scope is only this definition or declaration, which is 
probably not what you want
extensions/ebt_ppp.c:198: warning: ‘struct
 sk_buff’ declared inside parameter list
extensions/ebt_ppp.c: In 
function ‘ebt_filter_ppp’:
extensions/ebt_ppp.c:204: warning: 
implicit declaration of function ‘skb_copy_bits’
extensions/ebt_ppp.c:205:

 error: ‘EBT_NOMATCH’ undeclared (first use in this function)
extensions/ebt_ppp.c:205:

 error: (Each undeclared identifier is reported only once
extensions/ebt_ppp.c:205:

 error: for each function it appears in.)
extensions/ebt_ppp.c:207: 
warning: implicit declaration of function ‘FWINV’
extensions/ebt_ppp.c:218:

 warning: control reaches end of non-void function
extensions/ebt_ppp.c:

 In function ‘ebt_ppp_check’:
extensions/ebt_ppp.c:225: error: 
‘EINVAL’ undeclared (first use in this function)
extensions/ebt_ppp.c:226:

 error: ‘const struct ebt_entry’ has no member named ‘ethproto’
extensions/ebt_ppp.c:

 At top level:
extensions/ebt_ppp.c:234: error: variable ‘filter_ppp’
 has initializer but incomplete type
extensions/ebt_ppp.c:236: error:
 unknown field ‘name’ specified in initializer
extensions/ebt_ppp.c:236:

 warning: excess elements in struct initializer
extensions/ebt_ppp.c:236:

 warning: (near initialization for ‘filter_ppp’)
extensions/ebt_ppp.c:237:

 error: unknown field ‘match’ specified in initializer
extensions/ebt_ppp.c:237:

 warning: excess elements in struct initializer
extensions/ebt_ppp.c:237:

 warning: (near initialization for ‘filter_ppp’)
extensions/ebt_ppp.c:238:

 error: unknown field ‘check’ specified in initializer
extensions/ebt_ppp.c:238:

 warning: excess elements in struct initializer
extensions/ebt_ppp.c:238:

 warning: (near initialization for ‘filter_ppp’)
extensions/ebt_ppp.c:239:

 error: unknown field ‘me’ specified in initializer
extensions/ebt_ppp.c:239:

 error: ‘THIS_MODULE’ undeclared here (not in a function)
extensions/ebt_ppp.c:239:

 warning: excess elements in struct initializer
extensions/ebt_ppp.c:239:

 warning: (near initialization for ‘filter_ppp’)
extensions/ebt_ppp.c:242:

 error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘init’
extensions/ebt_ppp.c:247:

 error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘fini’
extensions/ebt_ppp.c:252:

 warning: data definition has no type or storage class
extensions/ebt_ppp.c:252:

 warning: type defaults to ‘int’ in declaration of ‘module_init’
extensions/ebt_ppp.c:252:

 warning: parameter names (without types) in function declaration
extensions/ebt_ppp.c:253:

 warning: data definition has no type or storage class
extensions/ebt_ppp.c:253:

 warning: type defaults to ‘int’ in declaration of ‘module_exit’
extensions/ebt_ppp.c:253:

 warning: parameter names (without types) in function declaration
make:

 *** [extensions/ebt_ppp.o] Erreur 1

Can anybody help me please?

 		 	   		  
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969

Re: [Ebtables-devel] ebt_ppp extension module for ebtables

[Eric d. <eri...@ho...>]

OK thanks Bart,
I was focused on ebt_vlan template which does not contain kernel part in this file. So I have to add kernel part on ebt_ppp.c and I will test again. May be it is a dummy question but How does it works for the vlan module? Where is the kernel part?

Thanks,

Eric


> Date: Thu, 3 Jun 2010 18:35:23 +0200
> From: bds...@pa...
> To: eri...@ho...
> CC: ebt...@li...
> Subject: Re: [Ebtables-devel] ebt_ppp extension module for ebtables
> 
> Hi,
> 
> you seem to be missing the kernel part for your module.
> 
> cheers,
> Bart
> 
> Eric delalandes schreef:
> > Hello to all,
> >
> > I have written an extension in order to filter pppoe and ppp frames. So extension names are ebt_ppp.c and ebt_ppp.h. The goal of these extension is to filter specific PPP discovery packet like PADO or PADS and specific PPP session packet on  PPPOE protocol and PPP layer.  I have used ebt_vlan.c and ebt_vlan.h as template. See description as below:
> >
> > /* ebt_ppp
> >  * 
> >  * Authors:
> >  * Bart De Schuymer <bds...@pa...>
> >  * Nick Fedchik <ni...@fe...> 
> >  * 
> >  * June, 2002
> >  */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <getopt.h>
> > #include <ctype.h>
> > #include "../include/ebtables_u.h"
> > #include "../include/ethernetdb.h"
> > #include <linux/netfilter_bridge/ebt_ppp.h>
> > #include <linux/if_ether.h>
> >
> > #define NAME_PPP_CODE    "code"
> > #define NAME_PPP_LENGTH  "length"
> > #define NAME_PPP_PPPTYPE "ppptype"
> >
> > #define PPP_CODE    '1'
> > #define PPP_LENGTH  '2'
> > #define PPP_PPPTYPE '3'
> >
> > static struct option opts[] = {
> >     {"ppp-code"   , required_argument, NULL, PPP_CODE},
> >     {"ppp-length" , required_argument, NULL, PPP_LENGTH},
> >     {"ppp-ppptype", required_argument, NULL, PPP_PPPTYPE},
> >     { 0 }
> > };
> >
> > /*
> >  * option inverse flags definition 
> >  */
> > #define OPT_PPP_CODE     0x01
> > #define OPT_PPP_LENGTH   0x02
> > #define OPT_PPP_PPPTYPE  0x04
> > #define OPT_PPP_FLAGS    (OPT_PPP_CODE | OPT_PPP_LENGTH | OPT_PPP_PPPTYPE)
> >
> > struct ethertypeent *ethent;
> >
> > static void print_help()
> > {
> >     printf(
> > "ppp options:\n"
> > "--ppp-code [!] code       : pppoe code identifier, \n"
> > "--ppp-length [!] length   : pppoe length (integer)\n"
> > "--ppp-ppptype [!] ppptype :PPP protocol (hexadecimal or name)\n");
> > }
> >
> > static void init(struct ebt_entry_match *match)
> > {
> >     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;
> >     pppinfo->invflags = 0;
> >     pppinfo->bitmask = 0;
> > }
> >
> >
> > static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
> >    unsigned int *flags, struct ebt_entry_match **match)
> > {
> >     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) (*match)->data;
> >     char *end;
> >     struct ebt_ppp_info local;
> >
> >     switch (c) {
> >     case PPP_CODE:
> >         ebt_check_option2(flags, OPT_PPP_CODE);
> >         if (ebt_check_inverse2(optarg))
> >             pppinfo->invflags |= EBT_PPP_CODE;
> >         local.code = strtoul(optarg, &end, 10);
> >         if (local.code >= 200 || *end != '\0')
> >             ebt_print_error2("Invalid --code range <200 ('%s')", optarg);
> >         pppinfo->code = local.code;
> >         pppinfo->bitmask |= EBT_PPP_CODE;
> >         break;
> >
> >     case PPP_LENGTH:
> >
> >         ebt_check_option2(flags, PPP_LENGTH);
> >         if (ebt_check_inverse2(optarg))
> >             pppinfo->invflags |= EBT_PPP_LENGTH;
> >         local.length = strtoul(optarg, &end, 10);
> >         if (local.length > 4094 || *end != '\0')
> >             ebt_print_error2("Invalid --ppp-length range ('%s')", optarg);
> >         pppinfo->length = local.length;
> >         pppinfo->bitmask |= EBT_PPP_LENGTH;
> >         break;
> >     case PPP_PPPTYPE:
> >         ebt_check_option2(flags, OPT_PPP_PPPTYPE);
> >         if (ebt_check_inverse2(optarg))
> >             pppinfo->invflags |= EBT_PPP_PPPTYPE;
> >         local.ppptype = strtoul(optarg, &end, 16);
> >         if (*end != '\0') {
> >             ethent = getethertypebyname(optarg);
> >             if (ethent == NULL)
> >                 ebt_print_error("Unknown  value ('%s')", optarg);
> >             local.ppptype = ethent->e_ethertype;
> >         }
> >         if (local.ppptype < ETH_ZLEN) //define ETH_ZLEN    6
> >             ebt_print_error2("Invalid ---ppptype range ('%s')", optarg);
> >         pppinfo->ppptype = htons(local.ppptype);
> >         pppinfo->bitmask |= EBT_PPP_PPPTYPE;
> >         break;
> >     default:
> >         return 0;
> >
> >     }
> >     return 1;
> > }
> >
> > static void final_check(const struct ebt_u_entry *entry,
> >    const struct ebt_entry_match *match,
> >    const char *name, unsigned int hookmask, unsigned int time)
> > {
> >     if (entry->ethproto != ETH_P_PPP_DISC || entry->invflags & EBT_IPROTO)
> >         ebt_print_error("For ppp filtering the protocol must be specified as PPP_DISC or PPP_SES");
> >
> >     /* Check if specified vlan-id=0 (priority-tagged frame condition) 
> >      * when vlan-prio was specified. */
> >     /* I see no reason why a user should be prohibited to match on a perhaps impossible situation <BDS>
> >     if (vlaninfo->bitmask & EBT_VLAN_PRIO &&
> >         vlaninfo->id && vlaninfo->bitmask & EBT_VLAN_ID)
> >         ebt_print_error("When setting --vlan-prio the specified --vlan-id must be 0");*/
> > }
> >
> > static void print(const struct ebt_u_entry *entry,
> >    const struct ebt_entry_match *match)
> > {
> >     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;
> >
> >     if (pppinfo->bitmask & EBT_PPP_CODE) {
> >         printf("--ppp-code %s%d ", (pppinfo->invflags & EBT_PPP_CODE) ? "! " : "", pppinfo->code);
> >     }
> >     if (pppinfo->bitmask & EBT_PPP_LENGTH) {
> >         printf("--ppp-length %s%d ", (pppinfo->invflags & EBT_PPP_LENGTH) ? "! " : "", pppinfo->length);
> >     }
> >     if (pppinfo->bitmask & EBT_PPP_PPPTYPE) {
> >         printf("--ppp-ppptype %s", (pppinfo->invflags & EBT_PPP_PPPTYPE) ? "! " : "");
> >         ethent = getethertypebynumber(ntohs(pppinfo->ppptype));
> >         if (ethent != NULL) {
> >             printf("%s ", ethent->e_name);
> >         } else {
> >             printf("%4.4X ", ntohs(pppinfo->ppptype));
> >         }
> >     }
> > }
> >
> > static int compare(const struct ebt_entry_match *ppp1,
> >    const struct ebt_entry_match *ppp2)
> > {
> >     struct ebt_ppp_info *pppinfo1 = (struct ebt_ppp_info *) ppp1->data;
> >     struct ebt_ppp_info *pppinfo2 = (struct ebt_ppp_info *) ppp2->data;
> >
> >     if (pppinfo1->bitmask != pppinfo2->bitmask)
> >         return 0;
> >     if (pppinfo1->invflags != pppinfo2->invflags)
> >         return 0;
> >     if (pppinfo1->bitmask & EBT_PPP_CODE &&
> >         pppinfo1->code != pppinfo2->code)
> >         return 0;
> >     if (pppinfo1->bitmask & EBT_PPP_LENGTH &&
> >         pppinfo1->length != pppinfo2->length)
> >         return 0;
> >     if (pppinfo1->bitmask & EBT_PPP_PPPTYPE &&
> >         pppinfo1->ppptype != pppinfo2->ppptype)
> >         return 0; 
> >     return 1;
> > }
> >
> > static struct ebt_u_match ppp_match = {
> >     .name        = "ppp",
> >     .size        = sizeof(struct ebt_ppp_info),
> >     .help        = print_help,
> >     .init        = init,
> >     .parse        = parse,
> >     .final_check    = final_check,
> >     .print        = print,
> >     .compare    = compare,
> >     .extra_ops    = opts,
> > };
> >
> > void _init(void)
> > {
> >     ebt_register_match(&ppp_match);
> > }
> >
> >
> > -------------------------------------------------------
> > #ifndef __LINUX_BRIDGE_EBT_PPP_H
> > #define __LINUX_BRIDGE_EBT_PPP_H
> >
> > #define EBT_PPP_CODE    0x01
> > #define EBT_PPP_LENGTH    0x02
> > #define EBT_PPP_PPPTYPE    0x04
> > #define EBT_PPP_MASK (EBT_PPP_CODE| EBT_PPP_LENGTH | EBT_PPP_PPPTYPE)
> > #define EBT_PPP_MATCH "ppp"
> >
> >
> > struct ebt_ppp_info
> >
> > {
> >
> >   uint8_t vertype
> >   uint8_t code; //PADO O7:7  //PADS 65 :101(dec) //ETH:8863
> >
> >   uint16_t session;
> >
> >   uint16_t length;/
> >   unsigned short int ppptype;  
> >
> >   uint8_t bitmask;        /* Args bitmask bit 1=1 - ID arg,
> >                bit 2=1 User-Priority arg, bit 3=1 encap*/
> >   uint8_t invflags;
> >
> > };
> > #endif
> >
> >
> >
> > I have added to Makefile like this: EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark ppp \
> >           pkttype stp among limit ulog nflog  and it compiled with no issue.
> >
> >  But when I launch this command line for example : 
> > ./ebtables -A FORWARD -p PPP_DISC --ppp-code 7 -j DROP                      // DROP PADO frames if it works
> >
> > A message appears:
> > "The kernel doesn't support a certain ebtables extension, consider recompiling your kernel or insmod the extension"
> > (see communication.c)
> >
> >
> > I think it is due to the size of the structure ebt_ppp_info
> >
> > defined in ebt_ppp.h but I do not understand. Can anybody help me to understand please?
> >
> > Is there other easy way to filter specific ppp packet ?
> >
> > Thanks,
> >
> > Eric 
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >  		 	   		  
> > _________________________________________________________________
> > Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
> > https://signup.live.com/signup.aspx?id=60969
> >   
> > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------------
> > ThinkGeek and WIRED's GeekDad team up for the Ultimate 
> > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
> > lucky parental unit.  See the prize list and enter to win: 
> > http://p.sf.net/sfu/thinkgeek-promo
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Ebtables-devel mailing list
> > Ebt...@li...
> > https://lists.sourceforge.net/lists/listinfo/ebtables-devel
> >   
> 
> 
> -- 
> Bart De Schuymer
> www.artinalgorithms.be
> 
 		 	   		  
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969

Re: [Ebtables-devel] ebt_ppp extension module for ebtables

[Bart De S. <bds...@pa...>]

Hi,

you seem to be missing the kernel part for your module.

cheers,
Bart

Eric delalandes schreef:
> Hello to all,
>
> I have written an extension in order to filter pppoe and ppp frames. So extension names are ebt_ppp.c and ebt_ppp.h. The goal of these extension is to filter specific PPP discovery packet like PADO or PADS and specific PPP session packet on  PPPOE protocol and PPP layer.  I have used ebt_vlan.c and ebt_vlan.h as template. See description as below:
>
> /* ebt_ppp
>  * 
>  * Authors:
>  * Bart De Schuymer <bds...@pa...>
>  * Nick Fedchik <ni...@fe...> 
>  * 
>  * June, 2002
>  */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <getopt.h>
> #include <ctype.h>
> #include "../include/ebtables_u.h"
> #include "../include/ethernetdb.h"
> #include <linux/netfilter_bridge/ebt_ppp.h>
> #include <linux/if_ether.h>
>
> #define NAME_PPP_CODE    "code"
> #define NAME_PPP_LENGTH  "length"
> #define NAME_PPP_PPPTYPE "ppptype"
>
> #define PPP_CODE    '1'
> #define PPP_LENGTH  '2'
> #define PPP_PPPTYPE '3'
>
> static struct option opts[] = {
>     {"ppp-code"   , required_argument, NULL, PPP_CODE},
>     {"ppp-length" , required_argument, NULL, PPP_LENGTH},
>     {"ppp-ppptype", required_argument, NULL, PPP_PPPTYPE},
>     { 0 }
> };
>
> /*
>  * option inverse flags definition 
>  */
> #define OPT_PPP_CODE     0x01
> #define OPT_PPP_LENGTH   0x02
> #define OPT_PPP_PPPTYPE  0x04
> #define OPT_PPP_FLAGS    (OPT_PPP_CODE | OPT_PPP_LENGTH | OPT_PPP_PPPTYPE)
>
> struct ethertypeent *ethent;
>
> static void print_help()
> {
>     printf(
> "ppp options:\n"
> "--ppp-code [!] code       : pppoe code identifier, \n"
> "--ppp-length [!] length   : pppoe length (integer)\n"
> "--ppp-ppptype [!] ppptype :PPP protocol (hexadecimal or name)\n");
> }
>
> static void init(struct ebt_entry_match *match)
> {
>     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;
>     pppinfo->invflags = 0;
>     pppinfo->bitmask = 0;
> }
>
>
> static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
>    unsigned int *flags, struct ebt_entry_match **match)
> {
>     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) (*match)->data;
>     char *end;
>     struct ebt_ppp_info local;
>
>     switch (c) {
>     case PPP_CODE:
>         ebt_check_option2(flags, OPT_PPP_CODE);
>         if (ebt_check_inverse2(optarg))
>             pppinfo->invflags |= EBT_PPP_CODE;
>         local.code = strtoul(optarg, &end, 10);
>         if (local.code >= 200 || *end != '\0')
>             ebt_print_error2("Invalid --code range <200 ('%s')", optarg);
>         pppinfo->code = local.code;
>         pppinfo->bitmask |= EBT_PPP_CODE;
>         break;
>
>     case PPP_LENGTH:
>
>         ebt_check_option2(flags, PPP_LENGTH);
>         if (ebt_check_inverse2(optarg))
>             pppinfo->invflags |= EBT_PPP_LENGTH;
>         local.length = strtoul(optarg, &end, 10);
>         if (local.length > 4094 || *end != '\0')
>             ebt_print_error2("Invalid --ppp-length range ('%s')", optarg);
>         pppinfo->length = local.length;
>         pppinfo->bitmask |= EBT_PPP_LENGTH;
>         break;
>     case PPP_PPPTYPE:
>         ebt_check_option2(flags, OPT_PPP_PPPTYPE);
>         if (ebt_check_inverse2(optarg))
>             pppinfo->invflags |= EBT_PPP_PPPTYPE;
>         local.ppptype = strtoul(optarg, &end, 16);
>         if (*end != '\0') {
>             ethent = getethertypebyname(optarg);
>             if (ethent == NULL)
>                 ebt_print_error("Unknown  value ('%s')", optarg);
>             local.ppptype = ethent->e_ethertype;
>         }
>         if (local.ppptype < ETH_ZLEN) //define ETH_ZLEN    6
>             ebt_print_error2("Invalid ---ppptype range ('%s')", optarg);
>         pppinfo->ppptype = htons(local.ppptype);
>         pppinfo->bitmask |= EBT_PPP_PPPTYPE;
>         break;
>     default:
>         return 0;
>
>     }
>     return 1;
> }
>
> static void final_check(const struct ebt_u_entry *entry,
>    const struct ebt_entry_match *match,
>    const char *name, unsigned int hookmask, unsigned int time)
> {
>     if (entry->ethproto != ETH_P_PPP_DISC || entry->invflags & EBT_IPROTO)
>         ebt_print_error("For ppp filtering the protocol must be specified as PPP_DISC or PPP_SES");
>
>     /* Check if specified vlan-id=0 (priority-tagged frame condition) 
>      * when vlan-prio was specified. */
>     /* I see no reason why a user should be prohibited to match on a perhaps impossible situation <BDS>
>     if (vlaninfo->bitmask & EBT_VLAN_PRIO &&
>         vlaninfo->id && vlaninfo->bitmask & EBT_VLAN_ID)
>         ebt_print_error("When setting --vlan-prio the specified --vlan-id must be 0");*/
> }
>
> static void print(const struct ebt_u_entry *entry,
>    const struct ebt_entry_match *match)
> {
>     struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;
>
>     if (pppinfo->bitmask & EBT_PPP_CODE) {
>         printf("--ppp-code %s%d ", (pppinfo->invflags & EBT_PPP_CODE) ? "! " : "", pppinfo->code);
>     }
>     if (pppinfo->bitmask & EBT_PPP_LENGTH) {
>         printf("--ppp-length %s%d ", (pppinfo->invflags & EBT_PPP_LENGTH) ? "! " : "", pppinfo->length);
>     }
>     if (pppinfo->bitmask & EBT_PPP_PPPTYPE) {
>         printf("--ppp-ppptype %s", (pppinfo->invflags & EBT_PPP_PPPTYPE) ? "! " : "");
>         ethent = getethertypebynumber(ntohs(pppinfo->ppptype));
>         if (ethent != NULL) {
>             printf("%s ", ethent->e_name);
>         } else {
>             printf("%4.4X ", ntohs(pppinfo->ppptype));
>         }
>     }
> }
>
> static int compare(const struct ebt_entry_match *ppp1,
>    const struct ebt_entry_match *ppp2)
> {
>     struct ebt_ppp_info *pppinfo1 = (struct ebt_ppp_info *) ppp1->data;
>     struct ebt_ppp_info *pppinfo2 = (struct ebt_ppp_info *) ppp2->data;
>
>     if (pppinfo1->bitmask != pppinfo2->bitmask)
>         return 0;
>     if (pppinfo1->invflags != pppinfo2->invflags)
>         return 0;
>     if (pppinfo1->bitmask & EBT_PPP_CODE &&
>         pppinfo1->code != pppinfo2->code)
>         return 0;
>     if (pppinfo1->bitmask & EBT_PPP_LENGTH &&
>         pppinfo1->length != pppinfo2->length)
>         return 0;
>     if (pppinfo1->bitmask & EBT_PPP_PPPTYPE &&
>         pppinfo1->ppptype != pppinfo2->ppptype)
>         return 0; 
>     return 1;
> }
>
> static struct ebt_u_match ppp_match = {
>     .name        = "ppp",
>     .size        = sizeof(struct ebt_ppp_info),
>     .help        = print_help,
>     .init        = init,
>     .parse        = parse,
>     .final_check    = final_check,
>     .print        = print,
>     .compare    = compare,
>     .extra_ops    = opts,
> };
>
> void _init(void)
> {
>     ebt_register_match(&ppp_match);
> }
>
>
> -------------------------------------------------------
> #ifndef __LINUX_BRIDGE_EBT_PPP_H
> #define __LINUX_BRIDGE_EBT_PPP_H
>
> #define EBT_PPP_CODE    0x01
> #define EBT_PPP_LENGTH    0x02
> #define EBT_PPP_PPPTYPE    0x04
> #define EBT_PPP_MASK (EBT_PPP_CODE| EBT_PPP_LENGTH | EBT_PPP_PPPTYPE)
> #define EBT_PPP_MATCH "ppp"
>
>
> struct ebt_ppp_info
>
> {
>
>   uint8_t vertype
>   uint8_t code; //PADO O7:7  //PADS 65 :101(dec) //ETH:8863
>
>   uint16_t session;
>
>   uint16_t length;/
>   unsigned short int ppptype;  
>
>   uint8_t bitmask;        /* Args bitmask bit 1=1 - ID arg,
>                bit 2=1 User-Priority arg, bit 3=1 encap*/
>   uint8_t invflags;
>
> };
> #endif
>
>
>
> I have added to Makefile like this: EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark ppp \
>           pkttype stp among limit ulog nflog  and it compiled with no issue.
>
>  But when I launch this command line for example : 
> ./ebtables -A FORWARD -p PPP_DISC --ppp-code 7 -j DROP                      // DROP PADO frames if it works
>
> A message appears:
> "The kernel doesn't support a certain ebtables extension, consider recompiling your kernel or insmod the extension"
> (see communication.c)
>
>
> I think it is due to the size of the structure ebt_ppp_info
>
> defined in ebt_ppp.h but I do not understand. Can anybody help me to understand please?
>
> Is there other easy way to filter specific ppp packet ?
>
> Thanks,
>
> Eric 
>
>
>
>
>
>
>
>
>
>
>  		 	   		  
> _________________________________________________________________
> Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
> https://signup.live.com/signup.aspx?id=60969
>   
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate 
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
> lucky parental unit.  See the prize list and enter to win: 
> http://p.sf.net/sfu/thinkgeek-promo
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ebtables-devel mailing list
> Ebt...@li...
> https://lists.sourceforge.net/lists/listinfo/ebtables-devel
>   


-- 
Bart De Schuymer
www.artinalgorithms.be

[Ebtables-devel] ebt_ppp extension module for ebtables

[Eric d. <eri...@ho...>]

Hello to all,

I have written an extension in order to filter pppoe and ppp frames. So extension names are ebt_ppp.c and ebt_ppp.h. The goal of these extension is to filter specific PPP discovery packet like PADO or PADS and specific PPP session packet on  PPPOE protocol and PPP layer.  I have used ebt_vlan.c and ebt_vlan.h as template. See description as below:

/* ebt_ppp
 * 
 * Authors:
 * Bart De Schuymer <bds...@pa...>
 * Nick Fedchik <ni...@fe...> 
 * 
 * June, 2002
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <ctype.h>
#include "../include/ebtables_u.h"
#include "../include/ethernetdb.h"
#include <linux/netfilter_bridge/ebt_ppp.h>
#include <linux/if_ether.h>

#define NAME_PPP_CODE    "code"
#define NAME_PPP_LENGTH  "length"
#define NAME_PPP_PPPTYPE "ppptype"

#define PPP_CODE    '1'
#define PPP_LENGTH  '2'
#define PPP_PPPTYPE '3'

static struct option opts[] = {
    {"ppp-code"   , required_argument, NULL, PPP_CODE},
    {"ppp-length" , required_argument, NULL, PPP_LENGTH},
    {"ppp-ppptype", required_argument, NULL, PPP_PPPTYPE},
    { 0 }
};

/*
 * option inverse flags definition 
 */
#define OPT_PPP_CODE     0x01
#define OPT_PPP_LENGTH   0x02
#define OPT_PPP_PPPTYPE  0x04
#define OPT_PPP_FLAGS    (OPT_PPP_CODE | OPT_PPP_LENGTH | OPT_PPP_PPPTYPE)

struct ethertypeent *ethent;

static void print_help()
{
    printf(
"ppp options:\n"
"--ppp-code [!] code       : pppoe code identifier, \n"
"--ppp-length [!] length   : pppoe length (integer)\n"
"--ppp-ppptype [!] ppptype :PPP protocol (hexadecimal or name)\n");
}

static void init(struct ebt_entry_match *match)
{
    struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;
    pppinfo->invflags = 0;
    pppinfo->bitmask = 0;
}


static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
   unsigned int *flags, struct ebt_entry_match **match)
{
    struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) (*match)->data;
    char *end;
    struct ebt_ppp_info local;

    switch (c) {
    case PPP_CODE:
        ebt_check_option2(flags, OPT_PPP_CODE);
        if (ebt_check_inverse2(optarg))
            pppinfo->invflags |= EBT_PPP_CODE;
        local.code = strtoul(optarg, &end, 10);
        if (local.code >= 200 || *end != '\0')
            ebt_print_error2("Invalid --code range <200 ('%s')", optarg);
        pppinfo->code = local.code;
        pppinfo->bitmask |= EBT_PPP_CODE;
        break;

    case PPP_LENGTH:

        ebt_check_option2(flags, PPP_LENGTH);
        if (ebt_check_inverse2(optarg))
            pppinfo->invflags |= EBT_PPP_LENGTH;
        local.length = strtoul(optarg, &end, 10);
        if (local.length > 4094 || *end != '\0')
            ebt_print_error2("Invalid --ppp-length range ('%s')", optarg);
        pppinfo->length = local.length;
        pppinfo->bitmask |= EBT_PPP_LENGTH;
        break;
    case PPP_PPPTYPE:
        ebt_check_option2(flags, OPT_PPP_PPPTYPE);
        if (ebt_check_inverse2(optarg))
            pppinfo->invflags |= EBT_PPP_PPPTYPE;
        local.ppptype = strtoul(optarg, &end, 16);
        if (*end != '\0') {
            ethent = getethertypebyname(optarg);
            if (ethent == NULL)
                ebt_print_error("Unknown  value ('%s')", optarg);
            local.ppptype = ethent->e_ethertype;
        }
        if (local.ppptype < ETH_ZLEN) //define ETH_ZLEN    6
            ebt_print_error2("Invalid ---ppptype range ('%s')", optarg);
        pppinfo->ppptype = htons(local.ppptype);
        pppinfo->bitmask |= EBT_PPP_PPPTYPE;
        break;
    default:
        return 0;

    }
    return 1;
}

static void final_check(const struct ebt_u_entry *entry,
   const struct ebt_entry_match *match,
   const char *name, unsigned int hookmask, unsigned int time)
{
    if (entry->ethproto != ETH_P_PPP_DISC || entry->invflags & EBT_IPROTO)
        ebt_print_error("For ppp filtering the protocol must be specified as PPP_DISC or PPP_SES");

    /* Check if specified vlan-id=0 (priority-tagged frame condition) 
     * when vlan-prio was specified. */
    /* I see no reason why a user should be prohibited to match on a perhaps impossible situation <BDS>
    if (vlaninfo->bitmask & EBT_VLAN_PRIO &&
        vlaninfo->id && vlaninfo->bitmask & EBT_VLAN_ID)
        ebt_print_error("When setting --vlan-prio the specified --vlan-id must be 0");*/
}

static void print(const struct ebt_u_entry *entry,
   const struct ebt_entry_match *match)
{
    struct ebt_ppp_info *pppinfo = (struct ebt_ppp_info *) match->data;

    if (pppinfo->bitmask & EBT_PPP_CODE) {
        printf("--ppp-code %s%d ", (pppinfo->invflags & EBT_PPP_CODE) ? "! " : "", pppinfo->code);
    }
    if (pppinfo->bitmask & EBT_PPP_LENGTH) {
        printf("--ppp-length %s%d ", (pppinfo->invflags & EBT_PPP_LENGTH) ? "! " : "", pppinfo->length);
    }
    if (pppinfo->bitmask & EBT_PPP_PPPTYPE) {
        printf("--ppp-ppptype %s", (pppinfo->invflags & EBT_PPP_PPPTYPE) ? "! " : "");
        ethent = getethertypebynumber(ntohs(pppinfo->ppptype));
        if (ethent != NULL) {
            printf("%s ", ethent->e_name);
        } else {
            printf("%4.4X ", ntohs(pppinfo->ppptype));
        }
    }
}

static int compare(const struct ebt_entry_match *ppp1,
   const struct ebt_entry_match *ppp2)
{
    struct ebt_ppp_info *pppinfo1 = (struct ebt_ppp_info *) ppp1->data;
    struct ebt_ppp_info *pppinfo2 = (struct ebt_ppp_info *) ppp2->data;

    if (pppinfo1->bitmask != pppinfo2->bitmask)
        return 0;
    if (pppinfo1->invflags != pppinfo2->invflags)
        return 0;
    if (pppinfo1->bitmask & EBT_PPP_CODE &&
        pppinfo1->code != pppinfo2->code)
        return 0;
    if (pppinfo1->bitmask & EBT_PPP_LENGTH &&
        pppinfo1->length != pppinfo2->length)
        return 0;
    if (pppinfo1->bitmask & EBT_PPP_PPPTYPE &&
        pppinfo1->ppptype != pppinfo2->ppptype)
        return 0; 
    return 1;
}

static struct ebt_u_match ppp_match = {
    .name        = "ppp",
    .size        = sizeof(struct ebt_ppp_info),
    .help        = print_help,
    .init        = init,
    .parse        = parse,
    .final_check    = final_check,
    .print        = print,
    .compare    = compare,
    .extra_ops    = opts,
};

void _init(void)
{
    ebt_register_match(&ppp_match);
}


-------------------------------------------------------
#ifndef __LINUX_BRIDGE_EBT_PPP_H
#define __LINUX_BRIDGE_EBT_PPP_H

#define EBT_PPP_CODE    0x01
#define EBT_PPP_LENGTH    0x02
#define EBT_PPP_PPPTYPE    0x04
#define EBT_PPP_MASK (EBT_PPP_CODE| EBT_PPP_LENGTH | EBT_PPP_PPPTYPE)
#define EBT_PPP_MATCH "ppp"


struct ebt_ppp_info

{

  uint8_t vertype
  uint8_t code; //PADO O7:7  //PADS 65 :101(dec) //ETH:8863

  uint16_t session;

  uint16_t length;/
  unsigned short int ppptype;  

  uint8_t bitmask;        /* Args bitmask bit 1=1 - ID arg,
               bit 2=1 User-Priority arg, bit 3=1 encap*/
  uint8_t invflags;

};
#endif



I have added to Makefile like this: EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark ppp \
          pkttype stp among limit ulog nflog  and it compiled with no issue.

 But when I launch this command line for example : 
./ebtables -A FORWARD -p PPP_DISC --ppp-code 7 -j DROP                      // DROP PADO frames if it works

A message appears:
"The kernel doesn't support a certain ebtables extension, consider recompiling your kernel or insmod the extension"
(see communication.c)


I think it is due to the size of the structure ebt_ppp_info

defined in ebt_ppp.h but I do not understand. Can anybody help me to understand please?

Is there other easy way to filter specific ppp packet ?

Thanks,

Eric 










 		 	   		  
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969

[Ebtables-devel] Adding ebtables entry from kernel module

[Parthiv S. <par...@si...>]

Hi,
 
I am new to using ebtables and my requirements is to do L2 NATing of clients
connected on the bridge, through WiFi interface.
 
As a proof of concept, I am able to add following rules in ebtables and have
the functionality that I want. (this is for one client connected on bridge)
 
 1. ebtables -t nat -A POSTROUTING -o ath0 -j snat --to-src
00:03:7F:12:06:90 --snat-arp --snat-target ACCEPT
 
 2. ebtables -t nat -A PREROUTING -p 0x0800 -i ath0 --ip-dst 192.168.40.239
-j dnat --to-dst 08:00:46:6A:A4:AC --dnat-target ACCEPT
 3. ebtables -t nat -A PREROUTING -p 0x0806 -i ath0 --arp-ip-dst
192.168.40.239 -j dnat --to-dst 08:00:46:6A:A4:AC --dnat-target ACCEPT

With above rules, client PC (192.168.40.239) is able to ping gateway
(through WiFi - WAN interface) and it's packets are properly NATed. Now
practically, there will be many clients connected on the bridge and run time
they will join and leave the bridge port. So now I need to add/delete these
rules (specifically 2 and 3) for each client as and when they join / leave.
I was thinking of modifying the ebtables rules from the kernel itself (at
the time of dhcp / arp / ip packet flow for any new client).
 
How can I add / delete the above rules (2 and 3), from the kernel module?
Basically I don't want to use ebtables user space tool to add/delete rules
in ebtables, neither I want to extend ebtables. I just want to be able to
create / delete ebtables rule entries from kernel space.
 
Any help on this will be appreciated.
 
Thanks,
Parthiv
 
 

Re: [Ebtables-devel] [PATCH net-2.6] netfilter: ebt_ip6: Use ipv6_masked_addr_cmp().

[Patrick M. <ka...@tr...>]

Bart De Schuymer wrote:
> YOSHIFUJI Hideaki schreef:
>> Signed-off-by: YOSHIFUJI Hideaki <yos...@li...>
>> ---
>>  net/bridge/netfilter/ebt_ip6.c |   18 ++++--------------
>>  1 files changed, 4 insertions(+), 14 deletions(-)
>>
> Signed-off-by: Bart De Schuymer <bds...@pa...>
> 
> Looks OK to me.

Applied, thanks.

Re: [Ebtables-devel] [PATCH net-2.6] netfilter: ebt_ip6: Use ipv6_masked_addr_cmp().

[Bart De S. <bds...@pa...>]

YOSHIFUJI Hideaki schreef:
> Signed-off-by: YOSHIFUJI Hideaki <yos...@li...>
> ---
>  net/bridge/netfilter/ebt_ip6.c |   18 ++++--------------
>  1 files changed, 4 insertions(+), 14 deletions(-)
>
> diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
> index bbf2534..4644cc9 100644
> --- a/net/bridge/netfilter/ebt_ip6.c
> +++ b/net/bridge/netfilter/ebt_ip6.c
> @@ -35,8 +35,6 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>  	struct ipv6hdr _ip6h;
>  	const struct tcpudphdr *pptr;
>  	struct tcpudphdr _ports;
> -	struct in6_addr tmp_addr;
> -	int i;
>  
>  	ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
>  	if (ih6 == NULL)
> @@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>  	if (info->bitmask & EBT_IP6_TCLASS &&
>  	   FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
>  		return false;
> -	for (i = 0; i < 4; i++)
> -		tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
> -			info->smsk.in6_u.u6_addr32[i];
> -	if (info->bitmask & EBT_IP6_SOURCE &&
> -		FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
> -			EBT_IP6_SOURCE))
> -		return false;
> -	for (i = 0; i < 4; i++)
> -		tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
> -			info->dmsk.in6_u.u6_addr32[i];
> -	if (info->bitmask & EBT_IP6_DEST &&
> -	   FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
> +	if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
> +				       &info->saddr), EBT_IP6_SOURCE) ||
> +	    FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
> +				       &info->daddr), EBT_IP6_DEST))
>  		return false;
>  	if (info->bitmask & EBT_IP6_PROTO) {
>  		uint8_t nexthdr = ih6->nexthdr;
>   
Signed-off-by: Bart De Schuymer <bds...@pa...>

Looks OK to me.


cheers,
Bart


-- 
Bart De Schuymer
www.artinalgorithms.be

Re: [Ebtables-devel] [PATCH] netfilter: ebtables: Use print_mac instead of own function

[Patrick M. <ka...@tr...>]

Tobias Klauser wrote:
> ebt_log uses its own implementation of print_mac to print MAC addresses.
> This patch converts it to use print_mac from linux/if_ether.h

You can do this even simpler by using %pM as format string.

Re: [Ebtables-devel] [PATCH] fix source code corruption in ebtables Makefile

[Bart De S. <bds...@pa...>]

Hi,

Thanks for the report. The problem was actually in the naming of the 
nflog init function, see the update in cvs.

cheers,
Bart

Tino Keitel schreef:
> Hi,
>
> the attached patch fixes source code corruption in the static: target
> of the ebtables userspace Makefile. The sed magic tries to clean up the
> modified source files, but fails. It ends up with this modifications:
>
> diff -ru ebtables-v2.0.8-2.orig/extensions/ebt_nflog.c
> ebtables-v2.0.8-2/extensions/ebt_nflog.c
> --- ebtables-v2.0.8-2.orig/extensions/ebt_nflog.c       2009-02-11
> 16:21:37.000000000 +0100
> +++ ebtables-v2.0.8-2/extensions/ebt_nflog.c    2009-02-11
> 17:22:58.000000000 +0100
> @@ -45,7 +45,7 @@
>                "in-kernel queue\n");
>  }
>  
> -static void nflog_init(struct ebt_entry_watcher *watcher)
> +static _init(struct ebt_entry_watcher *watcher)
>  {
>         struct ebt_nflog_info *info = (struct ebt_nflog_info
> *)watcher->data;
>  
> @@ -165,7 +165,7 @@
>         .name = "nflog",
>         .size = sizeof(struct ebt_nflog_info),
>         .help = nflog_help,
> -       .init = nflog_init,
> +       .init _init,
>         .parse = nflog_parse,
>         .final_check = nflog_final_check,
>         .print = nflog_print,
>
> With the patch, the Makefile makes a backup of the original files and
> restores it after compilation.
>
> Signed-off-by: Tino Keitel <tin...@in...>
>
>   

Re: [Ebtables-devel] ebt_vnat: Adding VLAN tag target

[Bart De S. <bds...@pa...>]

Jon Petralanda schreef:
> Hi! I'm trying to do a new target module for ebtables to add the VLAN 
> tag depending on some parameters with this kind of rule:
>
> # ebtables -t nat -A OUTPUT/POSTROUTING -s sourceMAC -j vnat --to-vlan
>
> Like Ashwin did it here: 
> http://osdir.com/ml/linux.network.bridge.ebtables.devel/2003-12/msg00026.html
>
> I'm using 2.6.22-15 kernel and ebtables-v2.0.8-1. I have copied the 
> dnat code on userspace and kernel and I have read the 
> vlan_dev.c/if_vlan.h codes and I have this on mi ebt_vnat_target function:
>
>  static int ebt_target_vnat(struct sk_buff **pskb, unsigned int hooknr,
>     const struct net_device *in, const struct net_device *out,
>     const void *data, unsigned int datalen)
>  {
>
>     struct ebt_nat_info *info = (struct ebt_nat_info *)data;
>     unsigned short veth_TCI = 0;
>     struct vlan_ethhdr *veth;
>
>     if (skb_headroom(*pskb) < VLAN_HLEN) {
>         struct sk_buff *sk_tmp = *pskb;
>         *pskb = skb_realloc_headroom(sk_tmp, VLAN_HLEN);
>         kfree_skb(sk_tmp);
>         if (*pskb == NULL) {
>             printk(KERN_ERR "vlan: failed to realloc headroom\n");
>             return EBT_DROP;
>         }
You shouldn't allow *pskb to be NULL. Only change *pskb if the 
reallocation worked.

>     } else {
>         *pskb = skb_unshare(*pskb, GFP_ATOMIC);
>         if (!*pskb) {
>             printk(KERN_ERR "vlan: failed to unshare skbuff\n");
>             return EBT_DROP;
>         }
>     }
Same comment as above.

>
>     veth = (struct vlan_ethhdr *)skb_push(*pskb, VLAN_HLEN);i
>
>     /* Move the mac addresses to the beginning of the new header. */
>     memmove((*pskb)->data, (*pskb)->data + VLAN_HLEN, 2 * VLAN_ETH_ALEN);
>
>     /* first, the ethernet type */
>     veth->h_vlan_proto = __constant_htons(ETH_P_8021Q);
>
>     /* now, the tag */
>     veth->h_vlan_TCI = htons(veth_TCI);
>
>     (*pskb)->protocol = __constant_htons(ETH_P_8021Q);
>     (*pskb)->mac_header -= VLAN_HLEN;
>     (*pskb)->network_header -= VLAN_HLEN;
>
>      return info->target;
>  }
>
> If I execute my target with the PREROUTING chain when I see some 
> strange packets on br0 with Wireshark (for example if I do a 98 bytes 
> ping to my computer I receive 102 bytes but the other things like 
> Ethertype or the source/destination MACs goes bad).
>
> If I execute it with OUTPUT... I have Kernel panic. I have tried 
> different combinations of commenting lines, adding some functions but 
> nothing.
>
Changing the protocol type in the middle of network processing will 
cause problems. The code in net/bridge/br_netfilter.c is probably 
causing the kernel panic. You should only do this kind of change very 
early. Try the BROUTING chain if PREROUTING keeps failing.

>
> My questions are:
>
> 1. How can I debug (with printks or something like that) the module to 
> see what its doing exactly line by line?
Follow the packet in the network code (you can eg mark it) and check if 
the header is what you intend it to be (if not, printk something).

> 2. It seems like I have to debug the kernel, do you know a form to 
> debug it more or less easily?
>
> 3. Do you know what I'm doing wrong on my target? It seems like the 
> code is apparently ok.
>
> PD: If the things goes well... Bart, are you interested on a patch of 
> this target adding the options of choosing an vlan-id and vlan-priority?
Depends how intrusive it is and if it's useful for other people. What 
exactly is the benefit of this and in what sense is it impossible to do 
this with routing and the vlan tool? Note that the kernel code has 
changed quite a bit since 2.6.22.

cheers,
Bart

[Ebtables-devel] ebt_vnat: Adding VLAN tag target

[Jon P. <jon...@gm...>]

Hi! I'm trying to do a new target module for ebtables to add the VLAN tag
depending on some parameters with this kind of rule:

# ebtables -t nat -A OUTPUT/POSTROUTING -s sourceMAC -j vnat --to-vlan

Like Ashwin did it here:
http://osdir.com/ml/linux.network.bridge.ebtables.devel/2003-12/msg00026.html

I'm using 2.6.22-15 kernel and ebtables-v2.0.8-1. I have copied the dnat
code on userspace and kernel and I have read the vlan_dev.c/if_vlan.h codes
and I have this on mi ebt_vnat_target function:

 static int ebt_target_vnat(struct sk_buff **pskb, unsigned int hooknr,
    const struct net_device *in, const struct net_device *out,
    const void *data, unsigned int datalen)
 {

    struct ebt_nat_info *info = (struct ebt_nat_info *)data;
    unsigned short veth_TCI = 0;
    struct vlan_ethhdr *veth;

    if (skb_headroom(*pskb) < VLAN_HLEN) {
        struct sk_buff *sk_tmp = *pskb;
        *pskb = skb_realloc_headroom(sk_tmp, VLAN_HLEN);
        kfree_skb(sk_tmp);
        if (*pskb == NULL) {
            printk(KERN_ERR "vlan: failed to realloc headroom\n");
            return EBT_DROP;
        }
    } else {
        *pskb = skb_unshare(*pskb, GFP_ATOMIC);
        if (!*pskb) {
            printk(KERN_ERR "vlan: failed to unshare skbuff\n");
            return EBT_DROP;
        }
    }

    veth = (struct vlan_ethhdr *)skb_push(*pskb, VLAN_HLEN);

    /* Move the mac addresses to the beginning of the new header. */
    memmove((*pskb)->data, (*pskb)->data + VLAN_HLEN, 2 * VLAN_ETH_ALEN);

    /* first, the ethernet type */
    veth->h_vlan_proto = __constant_htons(ETH_P_8021Q);

    /* now, the tag */
    veth->h_vlan_TCI = htons(veth_TCI);

    (*pskb)->protocol = __constant_htons(ETH_P_8021Q);
    (*pskb)->mac_header -= VLAN_HLEN;
    (*pskb)->network_header -= VLAN_HLEN;

     return info->target;
 }

If I execute my target with the PREROUTING chain when I see some strange
packets on br0 with Wireshark (for example if I do a 98 bytes ping to my
computer I receive 102 bytes but the other things like Ethertype or the
source/destination MACs goes bad).

If I execute it with OUTPUT... I have Kernel panic. I have tried different
combinations of commenting lines, adding some functions but nothing.


My questions are:

1. How can I debug (with printks or something like that) the module to see
what its doing exactly line by line?

2. It seems like I have to debug the kernel, do you know a form to debug it
more or less easily?

3. Do you know what I'm doing wrong on my target? It seems like the code is
apparently ok.

PD: If the things goes well... Bart, are you interested on a patch of this
target adding the options of choosing an vlan-id and vlan-priority?

I'm sorry for my poor english, thank you very much.

Regards,

Jon

Re: [Ebtables-devel] Adding a new target to add the vlan tag

[Bart De S. <bds...@pa...>]

Op wo, 24-09-2008 te 18:07 +0200, schreef Jon Petralanda:
> Hi! I'm trying to do a tool to ensure QoS on layer 2 on Linux and for
> that I need to add the VLAN tag to especified packets and change the
> field depending on diferent network parameters on layer 2.
> 
> To manage that I am trying to do a new target for ebtables like
> Kashyap Ashwin was doing some time ago here:
> http://osdir.com/ml/linux.network.bridge.ebtables.devel/2003-12/msg00027.html adding the 802.1q tag but with adding two options: the user can change vlan ID and change priority fields.
> 
> I was seeing around the net and I see the functions __vlan_put_tag and
> __vlan_get_tag from /usr/include/linux/if_vlan.h. And I also saw the
> function vlan_dev_hard_start_xmit from Bart's response in
> http://article.gmane.org/gmane.linux.network.bridge.ebtables.user/381.
> I also read the Ebtables hacking howto and talk with Ashwin.
> 
> My question is about the dificulty of doing this knowing that I'm a
> newbie on ebtables and from where can I start doing this. I read about
> copying the dnat userspace and kernel code and linking the
> ebt_target_vnat with __vlan_put_tag (from if_vlan.h) but after I write
> the codes of Kernel and userspace... How I can add it to ebtables for
> testing?
> 
> PD: Ashwin told me about a patch sent by him to you Bart, still have
> you it?

I see some mails from/to Ashwin in my archive, but afaict I didn't
receive a working patch from him. I'll forward his last (private)
message to you.
For a kernel newbie I think it isn't trivial to do this, as it involves
increasing the packet's size (possible lack of space in the Ethernet
frame payload?). Of course, if you have time and patience you should
manage to succeed.

cheers,
Bart

[Ebtables-devel] Adding a new target to add the vlan tag

[Jon P. <jon...@gm...>]

Hi! I'm trying to do a tool to ensure QoS on layer 2 on Linux and for that I
need to add the VLAN tag to especified packets and change the field
depending on diferent network parameters on layer 2.

To manage that I am trying to do a new target for ebtables like Kashyap
Ashwin was doing some time ago here:
http://osdir.com/ml/linux.network.bridge.ebtables.devel/2003-12/msg00027.htmladding
the 802.1q tag but with adding two options: the user can change vlan
ID and change priority fields.

I was seeing around the net and I see the functions __vlan_put_tag and
__vlan_get_tag from /usr/include/linux/if_vlan.h. And I also saw the
function vlan_dev_hard_start_xmit from Bart's response in
http://article.gmane.org/gmane.linux.network.bridge.ebtables.user/381. I
also read the Ebtables hacking howto and talk with Ashwin.

My question is about the dificulty of doing this knowing that I'm a newbie
on ebtables and from where can I start doing this. I read about copying the
dnat userspace and kernel code and linking the ebt_target_vnat with
__vlan_put_tag (from if_vlan.h) but after I write the codes of Kernel and
userspace... How I can add it to ebtables for testing?

PD: Ashwin told me about a patch sent by him to you Bart, still have you it?

Sorry for my poor English.

Regards, Jon.