ebtables-devel Mailing List for Ethernet bridge tables (Page 3)
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-19 01:53:33
This is the userspace ebtables patch that implements IPv6 header field checking and parsing. Signed-off-by: Kuo-lang Tseng <kuo...@in...> diff -urNp ebtables-v2.0.8-2.orig/ebtables.8 ebtables-v2.0.8-2.ipv6/ebtables.8 --- ebtables-v2.0.8-2.orig/ebtables.8 2007-09-21 10:27:20.000000000 -0700 +++ ebtables-v2.0.8-2.ipv6/ebtables.8 2008-02-18 15:40:31.000000000 -0800 
@@ -652,6 +652,54 @@ If The flag .B --ip-dport is an alias for this option. +.SS ipv6 +Specify IPv6 fields. The protocol must be specified as +.IR IPv6 . +.TP +.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]" +The source IPv6 address. +The flag +.B --ip6-src +is an alias for this option. +.TP +.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]" +The destination IPv6 address. +The flag +.B --ip6-dst +is an alias for this option. +.TP +.BR "--ip6-tclass " "[!] \fItclass\fP" +The IPv6 traffic class, in hexadecimal numbers. +.TP +.BR "--ip6-protocol " "[!] \fIprotocol\fP" +The IP protocol. +The flag +.B --ip6-proto +is an alias for this option. +.TP +.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]" +The source port or port range for the IPv6 protocols 6 (TCP), 17 +(UDP), 33 (DCCP) or 132 (SCTP). The +.B --ip6-protocol +option must be specified as +.IR TCP ", " UDP ", " DCCP " or " SCTP . +If +.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used." +The flag +.B --ip6-sport +is an alias for this option. +.TP +.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]" +The destination port or port range for IPv6 protocols 6 (TCP), 17 +(UDP), 33 (DCCP) or 132 (SCTP). The +.B --ip6-protocol +option must be specified as +.IR TCP ", " UDP ", " DCCP " or " SCTP . +If +.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used." +The flag +.B --ip6-dport +is an alias for this option. .SS limit This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. 
@@ -800,6 +848,11 @@ to be printed at the beginning of the li Will log the ip information when a frame made by the ip protocol matches the rule. The default is no ip information logging. .TP +.B --log-ip6 +.br +Will log the ipv6 information when a frame made by the ipv6 protocol matches +the rule. The default is no ipv6 information logging. +.TP .B --log-arp .br Will log the (r)arp information when a frame made by the (r)arp protocols diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c --- ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c 1969-12-31 16:00:00.000000000 -0800 +++ ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c 2008-02-18 15:24:21.000000000 -0800 
@@ -0,0 +1,339 @@ +/* ebt_ip6 + * + * Authors: + * Kuo-Lang Tseng <kuo...@in...> + * Manohar Castelino <man...@in...> + * + * Summary: + * This is just a modification of the IPv4 code written by + * Bart De Schuymer <bds...@pa...> + * with the changes required to support IPv6 + * + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <getopt.h> +#include <netdb.h> +#include "../include/ebtables_u.h" +#include <linux/netfilter_bridge/ebt_ip6.h> + + + +#define IP_SOURCE '1' +#define IP_DEST '2' +#define IP_TCLASS '3' +#define IP_PROTO '4' +#define IP_SPORT '5' +#define IP_DPORT '6' + +static struct option opts[] = +{ + { "ip6-source" , required_argument, 0, IP_SOURCE }, + { "ip6-src" , required_argument, 0, IP_SOURCE }, + { "ip6-destination" , required_argument, 0, IP_DEST }, + { "ip6-dst" , required_argument, 0, IP_DEST }, + { "ip6-traffic-class" , required_argument, 0, IP_TCLASS }, + { "ip6-tclass" , required_argument, 0, IP_TCLASS }, + { "ip6-protocol" , required_argument, 0, IP_PROTO }, + { "ip6-proto" , required_argument, 0, IP_PROTO }, + { "ip6-source-port" , required_argument, 0, IP_SPORT }, + { "ip6-sport" , required_argument, 0, IP_SPORT }, + { "ip6-destination-port" , required_argument, 0, IP_DPORT }, + { "ip6-dport" , required_argument, 0, IP_DPORT }, + { 0 } +}; + +/* transform a protocol and service name into a port number */ +static uint16_t parse_port(const char *protocol, const char *name) +{ + struct servent *service; + char *end; + int port; + + port = strtol(name, &end, 10); + if (*end != '\0') { + if (protocol && + (service = getservbyname(name, protocol)) != NULL) + return ntohs(service->s_port); + } + else if (port >= 0 || port <= 0xFFFF) { + return port; + } + ebt_print_error("Problem with specified %s port '%s'", + protocol?protocol:"", name); + return 0; +} + +static void +parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) +{ + char *buffer; + char *cp; + + buffer = strdup(portstring); + if 
((cp = strchr(buffer, ':')) == NULL) + ports[0] = ports[1] = parse_port(protocol, buffer); + else { + *cp = '\0'; + cp++; + ports[0] = buffer[0] ? parse_port(protocol, buffer) : 0; + if (ebt_errormsg[0] != '\0') + return; + ports[1] = cp[0] ? parse_port(protocol, cp) : 0xFFFF; + if (ebt_errormsg[0] != '\0') + return; + + if (ports[0] > ports[1]) + ebt_print_error("Invalid portrange (min > max)"); + } + free(buffer); +} + +static void print_port_range(uint16_t *ports) +{ + if (ports[0] == ports[1]) + printf("%d ", ports[0]); + else + printf("%d:%d ", ports[0], ports[1]); +} + +static void print_help() +{ + printf( +"ip6 options:\n" +"--ip6-src [!] address[/mask]: ipv6 source specification\n" +"--ip6-dst [!] address[/mask]: ipv6 destination specification\n" +"--ip6-tclass [!] tclass : ipv6 traffic class specification\n" +"--ip6-proto [!] protocol : ipv6 protocol specification\n" +"--ip6-sport [!] port[:port] : tcp/udp source port or port range\n" +"--ip6-dport [!] port[:port] : tcp/udp destination port or port range\n"); +} + +static void init(struct ebt_entry_match *match) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; + + ipinfo->invflags = 0; + ipinfo->bitmask = 0; +} + +#define OPT_SOURCE 0x01 +#define OPT_DEST 0x02 +#define OPT_TCLASS 0x04 +#define OPT_PROTO 0x08 +#define OPT_SPORT 0x10 +#define OPT_DPORT 0x20 +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, + unsigned int *flags, struct ebt_entry_match **match) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)(*match)->data; + char *end; + long int i; + + switch (c) { + case IP_SOURCE: + ebt_check_option2(flags, OPT_SOURCE); + ipinfo->bitmask |= EBT_IP6_SOURCE; + if (ebt_check_inverse2(optarg)) { + ipinfo->invflags |= EBT_IP6_SOURCE; + } + ebt_parse_ip6_address(optarg, &ipinfo->saddr, &ipinfo->smsk); + break; + + case IP_DEST: + ebt_check_option2(flags, OPT_DEST); + ipinfo->bitmask |= EBT_IP6_DEST; + if (ebt_check_inverse2(optarg)) { + 
ipinfo->invflags |= EBT_IP6_DEST; + } + ebt_parse_ip6_address(optarg, &ipinfo->daddr, &ipinfo->dmsk); + break; + + case IP_SPORT: + case IP_DPORT: + if (c == IP_SPORT) { + ebt_check_option2(flags, OPT_SPORT); + ipinfo->bitmask |= EBT_IP6_SPORT; + if (ebt_check_inverse2(optarg)) + ipinfo->invflags |= EBT_IP6_SPORT; + } else { + ebt_check_option2(flags, OPT_DPORT); + ipinfo->bitmask |= EBT_IP6_DPORT; + if (ebt_check_inverse2(optarg)) + ipinfo->invflags |= EBT_IP6_DPORT; + } + if (c == IP_SPORT) + parse_port_range(NULL, optarg, ipinfo->sport); + else + parse_port_range(NULL, optarg, ipinfo->dport); + break; + + case IP_TCLASS: + ebt_check_option2(flags, OPT_TCLASS); + if (ebt_check_inverse2(optarg)) + ipinfo->invflags |= EBT_IP6_TCLASS; + i = strtol(optarg, &end, 16); + if (i < 0 || i > 255 || *end != '\0') + ebt_print_error2("Problem with specified IPv6 traffic class"); + ipinfo->tclass = i; + ipinfo->bitmask |= EBT_IP6_TCLASS; + break; + + case IP_PROTO: + ebt_check_option2(flags, OPT_PROTO); + if (ebt_check_inverse2(optarg)) + ipinfo->invflags |= EBT_IP6_PROTO; + i = strtoul(optarg, &end, 10); + if (*end != '\0') { + struct protoent *pe; + + pe = getprotobyname(optarg); + if (pe == NULL) + ebt_print_error("Unknown specified IP protocol - %s", argv[optind - 1]); + ipinfo->protocol = pe->p_proto; + } else { + ipinfo->protocol = (unsigned char) i; + } + ipinfo->bitmask |= EBT_IP6_PROTO; + break; + default: + return 0; + } + return 1; +} + +static void final_check(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match, const char *name, + unsigned int hookmask, unsigned int time) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; + + if (entry->ethproto != ETH_P_IPV6 || entry->invflags & EBT_IPROTO) { + ebt_print_error("For IPv6 filtering the protocol must be " + "specified as IPv6"); + } else if (ipinfo->bitmask & (EBT_IP6_SPORT|EBT_IP6_DPORT) && + (!(ipinfo->bitmask & EBT_IP6_PROTO) || + ipinfo->invflags & EBT_IP6_PROTO || + 
(ipinfo->protocol!=IPPROTO_TCP && + ipinfo->protocol!=IPPROTO_UDP && + ipinfo->protocol!=IPPROTO_SCTP && + ipinfo->protocol!=IPPROTO_DCCP))) + ebt_print_error("For port filtering the IP protocol must be " + "either 6 (tcp), 17 (udp), 33 (dccp) or " + "132 (sctp)"); +} + +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; + + if (ipinfo->bitmask & EBT_IP6_SOURCE) { + printf("--ip6-src "); + if (ipinfo->invflags & EBT_IP6_SOURCE) + printf("! "); + printf("%s", ebt_ip6_to_numeric(&ipinfo->saddr)); + printf("/%s ", ebt_ip6_to_numeric(&ipinfo->smsk)); + } + if (ipinfo->bitmask & EBT_IP6_DEST) { + printf("--ip6-dst "); + if (ipinfo->invflags & EBT_IP6_DEST) + printf("! "); + printf("%s", ebt_ip6_to_numeric(&ipinfo->daddr)); + printf("/%s ", ebt_ip6_to_numeric(&ipinfo->dmsk)); + } + if (ipinfo->bitmask & EBT_IP6_TCLASS) { + printf("--ip6-tclass "); + if (ipinfo->invflags & EBT_IP6_TCLASS) + printf("! "); + printf("0x%02X ", ipinfo->tclass); + } + if (ipinfo->bitmask & EBT_IP6_PROTO) { + struct protoent *pe; + + printf("--ip6-proto "); + if (ipinfo->invflags & EBT_IP6_PROTO) + printf("! "); + pe = getprotobynumber(ipinfo->protocol); + if (pe == NULL) { + printf("%d ", ipinfo->protocol); + } else { + printf("%s ", pe->p_name); + } + } + if (ipinfo->bitmask & EBT_IP6_SPORT) { + printf("--ip6-sport "); + if (ipinfo->invflags & EBT_IP6_SPORT) + printf("! "); + print_port_range(ipinfo->sport); + } + if (ipinfo->bitmask & EBT_IP6_DPORT) { + printf("--ip6-dport "); + if (ipinfo->invflags & EBT_IP6_DPORT) + printf("! 
"); + print_port_range(ipinfo->dport); + } +} + +static int compare(const struct ebt_entry_match *m1, + const struct ebt_entry_match *m2) +{ + struct ebt_ip6_info *ipinfo1 = (struct ebt_ip6_info *)m1->data; + struct ebt_ip6_info *ipinfo2 = (struct ebt_ip6_info *)m2->data; + + if (ipinfo1->bitmask != ipinfo2->bitmask) + return 0; + if (ipinfo1->invflags != ipinfo2->invflags) + return 0; + if (ipinfo1->bitmask & EBT_IP6_SOURCE) { + if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->saddr, &ipinfo2->saddr)) + return 0; + if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->smsk, &ipinfo2->smsk)) + return 0; + } + if (ipinfo1->bitmask & EBT_IP6_DEST) { + if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->daddr, &ipinfo2->daddr)) + return 0; + if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->dmsk, &ipinfo2->dmsk)) + return 0; + } + if (ipinfo1->bitmask & EBT_IP6_TCLASS) { + if (ipinfo1->tclass != ipinfo2->tclass) + return 0; + } + if (ipinfo1->bitmask & EBT_IP6_PROTO) { + if (ipinfo1->protocol != ipinfo2->protocol) + return 0; + } + if (ipinfo1->bitmask & EBT_IP6_SPORT) { + if (ipinfo1->sport[0] != ipinfo2->sport[0] || + ipinfo1->sport[1] != ipinfo2->sport[1]) + return 0; + } + if (ipinfo1->bitmask & EBT_IP6_DPORT) { + if (ipinfo1->dport[0] != ipinfo2->dport[0] || + ipinfo1->dport[1] != ipinfo2->dport[1]) + return 0; + } + return 1; +} + +static struct ebt_u_match ip6_match = +{ + .name = EBT_IP6_MATCH, + .size = sizeof(struct ebt_ip6_info), + .help = print_help, + .init = init, + .parse = parse, + .final_check = final_check, + .print = print, + .compare = compare, + .extra_ops = opts, +}; + +void _init(void) +{ + ebt_register_match(&ip6_match); +} diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_log.c ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c --- ebtables-v2.0.8-2.orig/extensions/ebt_log.c 2007-09-21 10:27:20.000000000 -0700 +++ ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c 2008-01-30 17:22:56.000000000 -0800 
@@ -60,6 +60,7 @@ static int name_to_loglevel(char* arg) #define LOG_ARP '3' #define LOG_IP '4' #define LOG_LOG '5' +#define LOG_IP6 '6' static struct option opts[] = { { "log-prefix", required_argument, 0, LOG_PREFIX }, @@ -67,6 +68,7 @@ static struct option opts[] = { "log-arp" , no_argument , 0, LOG_ARP }, { "log-ip" , no_argument , 0, LOG_IP }, { "log" , no_argument , 0, LOG_LOG }, + { "log-ip6" , no_argument , 0, LOG_IP6 }, { 0 } }; @@ -81,6 +83,7 @@ static void print_help() "--log-prefix prefix : max. %d chars.\n" "--log-ip : put ip info. in the log for ip packets\n" "--log-arp : put (r)arp info. in the log for (r)arp packets\n" +"--log-ip6 : put ip6 info. in the log for ip6 packets\n" , EBT_LOG_PREFIX_SIZE - 1); printf("levels:\n"); for (i = 0; i < 8; i++) @@ -102,6 +105,7 @@ static void init(struct ebt_entry_watche #define OPT_ARP 0x04 #define OPT_IP 0x08 #define OPT_LOG 0x10 +#define OPT_IP6 0x20 static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, struct ebt_entry_watcher **watcher) { @@ -151,6 +155,13 @@ static int parse(int c, char **argv, int if (ebt_check_inverse(optarg)) ebt_print_error2("Unexpected `!' after --log"); break; + + case LOG_IP6: + ebt_check_option2(flags, OPT_IP6); + if (ebt_check_inverse(optarg)) + ebt_print_error2("Unexpected `!' after --log-ip6"); + loginfo->bitmask |= EBT_LOG_IP6; + break; default: return 0; } @@ -175,6 +186,8 @@ static void print(const struct ebt_u_ent printf(" --log-ip"); if (loginfo->bitmask & EBT_LOG_ARP) printf(" --log-arp"); + if (loginfo->bitmask & EBT_LOG_IP6) + printf(" --log-ip6"); printf(" "); } diff -urNp ebtables-v2.0.8-2.orig/extensions/Makefile ebtables-v2.0.8-2.ipv6/extensions/Makefile --- ebtables-v2.0.8-2.orig/extensions/Makefile 2007-09-21 10:27:20.000000000 -0700 +++ ebtables-v2.0.8-2.ipv6/extensions/Makefile 2008-01-11 19:41:47.000000000 -0800 
@@ -1,6 +1,6 @@ #! /usr/bin/make -EXT_FUNC+=802_3 nat arp arpreply ip standard log redirect vlan mark_m mark \ +EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \ pkttype stp among limit ulog EXT_TABLES+=filter nat broute EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o) diff -urNp ebtables-v2.0.8-2.orig/include/ebtables_u.h ebtables-v2.0.8-2.ipv6/include/ebtables_u.h --- ebtables-v2.0.8-2.orig/include/ebtables_u.h 2007-09-21 10:27:20.000000000 -0700 +++ ebtables-v2.0.8-2.ipv6/include/ebtables_u.h 2008-02-15 11:43:06.000000000 -0800 @@ -297,6 +297,10 @@ void ebt_print_mac_and_mask(const unsign int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask); void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk); char *ebt_mask_to_dotted(uint32_t mask); +void ebt_parse_ip6_address(char *address, struct in6_addr *addr, + struct in6_addr *msk); +char *ebt_ip6_to_numeric(const struct in6_addr *addrp); + int do_command(int argc, char *argv[], int exec_style, struct ebt_u_replace *replace_); diff -urNp ebtables-v2.0.8-2.orig/useful_functions.c ebtables-v2.0.8-2.ipv6/useful_functions.c --- ebtables-v2.0.8-2.orig/useful_functions.c 2007-09-21 10:27:20.000000000 -0700 +++ ebtables-v2.0.8-2.ipv6/useful_functions.c 2008-02-18 15:20:52.000000000 -0800 @@ -29,6 +29,10 @@ #include <string.h> #include <stdlib.h> #include <getopt.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <arpa/inet.h> const unsigned char mac_type_unicast[ETH_ALEN] = {0,0,0,0,0,0}; const unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0}; @@ -244,6 +248,7 @@ void ebt_parse_ip_address(char *address, *addr = *addr & *msk; } + /* Transform the ip mask into a string ready for output. */ char *ebt_mask_to_dotted(uint32_t mask) { 
@@ -276,3 +281,134 @@ char *ebt_mask_to_dotted(uint32_t mask) return buf; } + +/* Most of the following code is derived from iptables */ +static void +in6addrcpy(struct in6_addr *dst, struct in6_addr *src) +{ + memcpy(dst, src, sizeof(struct in6_addr)); +} + +int string_to_number_ll(const char *s, unsigned long long min, + unsigned long long max, unsigned long long *ret) +{ + unsigned long long number; + char *end; + + /* Handle hex, octal, etc. */ + errno = 0; + number = strtoull(s, &end, 0); + if (*end == '\0' && end != s) { + /* we parsed a number, let's see if we want this */ + if (errno != ERANGE && min <= number && (!max || number <= max)) { + *ret = number; + return 0; + } + } + return -1; +} + +int string_to_number_l(const char *s, unsigned long min, unsigned long max, + unsigned long *ret) +{ + int result; + unsigned long long number; + + result = string_to_number_ll(s, min, max, &number); + *ret = (unsigned long)number; + + return result; +} + +int string_to_number(const char *s, unsigned int min, unsigned int max, + unsigned int *ret) +{ + int result; + unsigned long number; + + result = string_to_number_l(s, min, max, &number); + *ret = (unsigned int)number; + + return result; +} + +static struct in6_addr * +numeric_to_addr(const char *num) +{ + static struct in6_addr ap; + int err; + if ((err=inet_pton(AF_INET6, num, &ap)) == 1) + return ≈ + return (struct in6_addr *)NULL; +} + +static struct in6_addr * +parse_ip6_mask(char *mask) +{ + static struct in6_addr maskaddr; + struct in6_addr *addrp; + unsigned int bits; + + if (mask == NULL) { + /* no mask at all defaults to 128 bits */ + memset(&maskaddr, 0xff, sizeof maskaddr); + return &maskaddr; + } + if ((addrp = numeric_to_addr(mask)) != NULL) + return addrp; + if (string_to_number(mask, 0, 128, &bits) == -1) + ebt_print_error("Invalid IPv6 Mask '%s' specified", mask); + if (bits != 0) { + char *p = (char *)&maskaddr; + memset(p, 0xff, bits / 8); + memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); + 
p[bits / 8] = 0xff << (8 - (bits & 7)); + return &maskaddr; + } + + memset(&maskaddr, 0, sizeof maskaddr); + return &maskaddr; +} + +/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0]. + * The string pointed to by address can be altered. */ +void ebt_parse_ip6_address(char *address, struct in6_addr *addr, + struct in6_addr *msk) +{ + struct in6_addr *tmp_addr; + char buf[256]; + char *p; + int i; + int err; + + strncpy(buf, address, sizeof(buf) - 1); + /* first the mask */ + buf[sizeof(buf) - 1] = '\0'; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + tmp_addr = parse_ip6_mask(p + 1); + } else + tmp_addr = parse_ip6_mask(NULL); + in6addrcpy(msk, tmp_addr); + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) + strcpy(buf, "::"); + + if ((err=inet_pton(AF_INET6, buf, addr)) < 1) { + ebt_print_error("Invalid IPv6 Address '%s' specified", buf); + return; + } + + for (i = 0; i < 4; i++) + addr->in6_u.u6_addr32[i] &= msk->in6_u.u6_addr32[i]; +} + +/* Transform the ip6 addr into a string ready for output. */ +char *ebt_ip6_to_numeric(const struct in6_addr *addrp) +{ + /* 0000:0000:0000:0000:0000:000.000.000.000 + * 0000:0000:0000:0000:0000:0000:0000:0000 */ + static char buf[50+1]; + return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf)); +} |
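Review bot: in the ebt_ip6.c hunk, parse_port() accepts every numeric value because the range test reads `else if (port >= 0 || port <= 0xFFFF)`; the `||` makes it always true, so a port such as 70000 is silently truncated on the `return port` into uint16_t. It should be `port >= 0 && port <= 0xFFFF`, and the out-of-range case should then fall through to the existing ebt_print_error() call.

Review bot: still in ebt_ip6.c, parse_port_range() leaks the strdup()'d buffer on both error paths: the two `if (ebt_errormsg[0] != '\0') return;` statements skip the `free(buffer)` at the end of the function. Either free before each return or record the error and fall through to the single free.

Review bot: the IP_PROTO case in parse() dereferences a NULL pointer on unknown protocol names: after `if (pe == NULL) ebt_print_error("Unknown specified IP protocol - %s", argv[optind - 1]);` the next statement is `ipinfo->protocol = pe->p_proto;`. Unless ebt_print_error() terminates the program, this crashes; the IP_TCLASS case in the same function uses ebt_print_error2() for the equivalent failure, so the two branches should be made consistent (and the message should report `optarg`, which is what was actually parsed, rather than `argv[optind - 1]`).

Review bot: in the useful_functions.c hunk, parse_ip6_mask() writes one byte past the 16-byte `maskaddr` for byte-aligned prefix lengths. With bits = 64, `memset(p + (bits / 8) + 1, 0, (128 - bits) / 8)` covers p[9] through p[16]; with bits = 128 the following `p[bits / 8] = 0xff << (8 - (bits & 7))` stores to p[16]. Clear the whole struct first, fill `bits / 8` bytes with 0xff, and write the partial byte only when `bits & 7` is non-zero; that also removes the `0xff << 8` shift, whose result only happens to truncate to 0 in the aligned case.

Review bot: ebt_parse_ip6_address() masks the address through `addr->in6_u.u6_addr32[i]`, which is glibc's internal union member name; use the `s6_addr32` macro (or mask the 16 bytes of `s6_addr`) so the code does not depend on that private layout.

Review bot: the ebtables.8 hunk documents `--ip6-tclass` but not `--ip6-traffic-class`, which the opts[] table in ebt_ip6.c registers as an equivalent option; conversely print_help() describes `--ip6-sport`/`--ip6-dport` as "tcp/udp" while final_check() and the man page also accept DCCP and SCTP. Both texts should list the same set.

Review bot: the ebtables_u.h hunk adds prototypes taking `struct in6_addr *` without adding an `#include <netinet/in.h>`, so every extension including this header now depends on include order; add the include in the header. The new string_to_number_ll()/string_to_number_l()/string_to_number() helpers in useful_functions.c are non-static but declared nowhere, so either make them static (only parse_ip6_mask() uses them here) or add them to the header as well.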
From: Jan E. <je...@co...> - 2008-02-16 22:49:49
On Feb 11 2008 21:57, Bart De Schuymer wrote:

> On Sat, 09-02-2008 at 01:49 +0100, Jan Engelhardt wrote:
>> Time to unveil some plans.
>>
>> I am not sure where exactly I picked the idea up, probably in one of the
>> last discussions on netfilter-devel, to make ebtables use xtables code.
>> Well, I am in the process of writing up a bunch of patches to get us
>> closer to that. Nothing spectacularly interesting for modules (ebt_*.c),
>> but at the same time I have to give a worry about the userspace code.
>> ebtables and arptables have not gotten the same attention as iptables
>> and look a bit disheveled. Eventually I would just merge them with the
>> iptables tree so it also shares all the option parsing and whatnot.
>
> Arptables was a hack from the start.

Mh, I particularly like it for one reason: you do not need to make a
half-bridge (a bridge with one port) out of an interface just to do ARP
filtering. Unfortunately, but I hope to change that, arpreply is only
available with a bridge right now.

> Ebtables is completely different code and is not portable with a few
> simple patches.

I noticed. A flag day will most likely be needed to get it into shape, but
it is still looking promising. Only annoyance so far was ebt_among, which
uses a dynamic match size, but other than that it seems that I have
successfully converted the kernel-side ebtables to use x_tables.

> Thanks for pointing out your opinion about the code though, it really
> helps.
>
> I'm not going to go change the versioning system at this stage just so
> it's a bit more convenient for you. Use whatever versioning tool you
> want on your local checked out version.

Right, I have started a blank git without caring about history for now.
From: Peter W. <pe...@en...> - 2008-02-12 20:30:56
Hi Bart

Bart De Schuymer wrote:
> I just searched the mailing list archives and you've never before posted
> to the ebtables lists. You must have forgotten to include

Oh, I see. That's weird. I got mails back from the ebtables list. Probably
they have been blocked by sourceforge's mailman and I got them because of
the crosspost and filtering rules.

Anyway, the posts in question are these:

http://marc.info/?l=netfilter-devel&m=120223788107898&w=2
http://marc.info/?l=netfilter-devel&m=120223788207901&w=2
http://marc.info/?l=netfilter-devel&m=120223788307904&w=2

Hope these links are fine, otherwise I repost on ebtables-devel.

peter
From: Bart De S. <bds...@pa...> - 2008-02-12 20:05:02
On Mon, 11-02-2008 at 23:07 +0100, Peter Warasin wrote:
> Hi Guys
>
> The following patch-set adds ebtables nflog support to ulogd.
>
> In order to have this work it's also necessary to apply the
> ebtables and kernel patches I posted some time ago
> (I posted as well as this post on both the ebtables and
> netfilter devel lists).

Hi Peter,

I just searched the mailing list archives and you've never before posted
to the ebtables lists. You must have forgotten to include ebtables-devel.
Anyway, I just subscribed to netfilter-devel to prevent this stuff from
happening again. Maybe we should move ebtables traffic to the netfilter
lists, I'm not really against it. Patrick?

cheers,
Bart
From: Ming-Ching T. <mc...@ya...> - 2008-02-12 03:39:22
I thought I would try here since I don't seem to get any response from this:
http://bugzilla.kernel.org/show_bug.cgi?id=9920

Ignore if this has already been attended to.

Best regards.
From: Jan E. <je...@co...> - 2008-02-12 02:44:03
On Feb 11 2008 18:26, Tseng, Kuo-Lang wrote:
>
> Hi Jan, have you posted the corresponding patch to ebtables-devel for
> the kernel patch you posted in here
> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 ?

I had not posted ebt_ip6(j) to ebtables-devel. I suppose it's because I
did not consider ebtables too vivid, esp. after confirmation of Bart
being not too active
( http://marc.info/?l=netfilter-devel&m=120083920425755&w=2 ) -- but
right, I should have Cc'ed at least.

> If not, I can add the code and send an updated patch to ebtables-devel
> to make the v6 support more complete as Bart suggested.
>
> We also need to merge the two kernel patches (your above one and the one
> I sent last Friday). Has your kernel patch been pushed in? If not, I'll
> add my part on top of yours and send an updated patch to
> netfilter-devel. What do you think?

The patch did not make it in time for 2.6.25-rc1, but I have it slated
for the next possible time - 2.6.26 or maybe someone lets it slip into
the current rcX :)

Yes, please proceed with adding proper nexthdr parsing (one patch) and
layer-4 port inspection (another patch) - perhaps in two patches.

> To quickly summarize what we got:
>
> - Your above kernel patch implements matches for TFCLASS, FLOWLBL,
>   NEXTHDR (w/o skipping ext. header), HOPLIMIT, SRCADDR, and DSTADDR.
> - My kernel patch implements matches for PROTOCOL (w/ ext. header
>   skipped), DPORT, and SPORT and logging for v6.
>
> - My user ebtables patch implements parsing for PROTO, SPORT, and DPORT.
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-12 02:29:23
Tseng, Kuo-Lang wrote on Monday, February 11, 2008 9:59 AM:
> Bart De Schuymer wrote on Sunday, February 10, 2008 9:21 AM:
>
>> On Fri, 08-02-2008 at 16:01 -0800, Tseng, Kuo-Lang wrote:
>>> Bart De Schuymer wrote on Friday, February 08, 2008 10:21 AM:
>>>
>>>> Hi Kuo,
>>>>
>>>> Thanks for your patch. The patch looks ok. Tiny comment: the header
>>>> diffs belong in the kernel patch and the userspace patch lacks a
>>>> man page update. Seems like we'll need a merge of the two kernel
>>>> patches and extra userspace code.
>>>>
>>>> I was gonna give my say about posting to netfilter-devel only,
>>>> without userspace code, but I guess I'm better off restraining
>>>> myself from doing that.
>>>>
>>>> cheers,
>>>> Bart
>>>
>>> Thanks. I have attached an updated userspace patch that includes the
>>> missing man page update and removed the header diffs.
>>
>> It would be better if the ipv6 address and traffic class matching
>> were implemented in the patch. So I'm going to wait for that. Is
>> there any reason why you didn't do this in the first place?
>
> We wanted to keep the first patch small for the review. Once the first
> patch is merged in, the v6 address and traffic class can be added
> after that.

Hi Jan, have you posted the corresponding patch to ebtables-devel for the
kernel patch you posted in here
http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 ?

If not, I can add the code and send an updated patch to ebtables-devel to
make the v6 support more complete as Bart suggested.

We also need to merge the two kernel patches (your above one and the one I
sent last Friday). Has your kernel patch been pushed in? If not, I'll add
my part on top of yours and send an updated patch to netfilter-devel. What
do you think?

To quickly summarize what we got:

- Your above kernel patch implements matches for TFCLASS, FLOWLBL, NEXTHDR
  (w/o skipping ext. header), HOPLIMIT, SRCADDR, and DSTADDR.
- My kernel patch implements matches for PROTOCOL (w/ ext. header skipped),
  DPORT, and SPORT and logging for v6.
- My user ebtables patch implements parsing for PROTO, SPORT, and DPORT.
From: Peter W. <pe...@en...> - 2008-02-11 22:11:06
Hi Guys

The following patch-set adds ebtables nflog support to ulogd.

In order to have this work it's also necessary to apply the ebtables and
kernel patches I posted some time ago (I posted as well as this post on
both the ebtables and netfilter devel lists). Those patches add both the
ebt_nflog kernel module and the userland module. However, the patches can
certainly be applied separately.

This patchset now adds the corresponding support to ulogd's BASE, PRINTPKT
and IP2STR modules. Currently it interprets the AF_BRIDGE family and knows
to differentiate IP and ARP headers and log them accordingly.

Here is a sample log output:

Feb 11 20:56:30 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
  MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 \
  PROTO=ARP REQUEST
Feb 11 20:56:31 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
  MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 LEN=84 \
  TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10541 SEQ=0
Feb 11 20:56:35 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
  MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 \
  PROTO=ARP REPLY REPLY_MAC=00:0c:e0:e0:7d:62

More protocols *could* be implemented later.

kind regards,
Peter
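A consumer for the log format shown in Peter's sample above, added here as an example and not part of his patches or of ulogd itself: it parses these LOGEMU/SYSLOG-style lines into records and flags sender IPs whose ARP replies advertised more than one MAC, which is the kind of bridge-level check the PROTO=ARP / REPLY_MAC output makes possible. The sample lines are constructed from the quoted output (backslash continuations joined) plus one added conflicting reply.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post; the fourth line is
# added to show a second reply for the same IP with a different MAC.
SAMPLE_LOG = """\
Feb 11 20:56:30 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 PROTO=ARP REQUEST
Feb 11 20:56:31 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10541 SEQ=0
Feb 11 20:56:35 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 PROTO=ARP REPLY REPLY_MAC=00:0c:e0:e0:7d:62
Feb 11 20:57:02 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 PROTO=ARP REPLY REPLY_MAC=00:11:22:33:44:55
"""

# syslog timestamp, host, "ulogd[pid]:", free-form log prefix, then the
# KEY=VALUE field list which always starts with IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ulogd\[(?P<pid>\d+)\]: (?P<prefix>.*?) ?(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one ulogd packet log line into a dict, or return None.

    KEY=VALUE tokens become entries; bare tokens (DF, REQUEST, REPLY, NAK)
    are collected under "flags". A repeated key keeps the last value: the
    ICMP line prints ID= for both the IP header and the ICMP echo id.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
           "prefix": m["prefix"].strip(), "flags": []}
    for tok in m["fields"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def arp_opcode(rec):
    """Return REQUEST/REPLY/NAK (or the raw CODE=) for ARP records, else None."""
    if rec.get("PROTO") != "ARP":
        return None
    for op in ("REQUEST", "REPLY", "NAK"):
        if op in rec["flags"]:
            return op
    return rec.get("CODE", "UNKNOWN")


def arp_mac_conflicts(lines):
    """Map sender IP -> sorted MACs for IPs whose ARP replies claimed more
    than one MAC in the given lines (an IP/MAC binding that changes).

    In the REPLY lines SRC= is the ARP sender protocol address and
    REPLY_MAC= the sender hardware address, per the printpkt output.
    """
    claims = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and arp_opcode(rec) == "REPLY" and "REPLY_MAC" in rec:
            claims[rec["SRC"]].add(rec["REPLY_MAC"].lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def protocol_counts(lines):
    """Count parsed lines per PROTO value (a quick sanity summary)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec.get("PROTO", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print("per-protocol:", protocol_counts(sample))
    for ip, macs in arp_mac_conflicts(sample).items():
        print(f"{ip} answered ARP with {len(macs)} MACs: {', '.join(macs)}")
```

Feed it the LOGEMU file or the syslog stream instead of SAMPLE_LOG; a flagged IP is a lead to check (re-addressed host, failover, or spoofing), not a verdict.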
From: Peter W. <pe...@en...> - 2008-02-11 22:11:05
This patch adds support for AF_BRIDGE to the PRINTPKT plugin, which allows to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP. Signed-off-by: Peter Warasin <pe...@en...> --- include/ulogd/printpkt.h | 8 ++++ util/printpkt.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) Index: ulogd2/include/ulogd/printpkt.h =================================================================== --- ulogd2.orig/include/ulogd/printpkt.h 2008-02-11 22:37:18.000000000 +0100 +++ ulogd2/include/ulogd/printpkt.h 2008-02-11 22:37:20.000000000 +0100 @@ -51,6 +51,14 @@ KEY_ICMPV6_ECHOID, KEY_ICMPV6_ECHOSEQ, KEY_AHESP_SPI, + KEY_OOB_PROTOCOL, + KEY_ARP_HTYPE, + KEY_ARP_PTYPE, + KEY_ARP_OPCODE, + KEY_ARP_SHA, + KEY_ARP_SPA, + KEY_ARP_THA, + KEY_ARP_TPA, __PRINTPKT_KEYS }; #define PRINTPKT_KEYS (__PRINTPKT_KEYS) Index: ulogd2/util/printpkt.c =================================================================== --- ulogd2.orig/util/printpkt.c 2008-02-11 22:37:18.000000000 +0100 +++ ulogd2/util/printpkt.c 2008-02-11 22:40:05.000000000 +0100 @@ -36,9 +36,11 @@ #include <ulogd/ulogd.h> #include <ulogd/conffile.h> #include <ulogd/printpkt.h> +#include <netinet/if_ether.h> struct ulogd_key printpkt_keys[] = { [KEY_OOB_FAMILY] = { .name = "oob.family", }, + [KEY_OOB_PROTOCOL] = { .name = "oob.protocol", }, [KEY_OOB_TIME_SEC] = { .name = "oob.time.sec", }, [KEY_OOB_PREFIX] = { .name = "oob.prefix", }, [KEY_OOB_IN] = { .name = "oob.in", }, 
@@ -90,6 +92,14 @@ [KEY_ICMPV6_ECHOID] = { .name = "icmpv6.echoid", }, [KEY_ICMPV6_ECHOSEQ] = { .name = "icmpv6.echoseq", }, [KEY_AHESP_SPI] = { .name = "ahesp.spi", }, + [KEY_ARP_HTYPE] = { .name = "arp.hwtype", }, + [KEY_ARP_PTYPE] = { .name = "arp.protocoltype", }, + [KEY_ARP_OPCODE] = { .name = "arp.operation", }, + [KEY_ARP_SHA] = { .name = "arp.shwaddr", }, + [KEY_ARP_SPA] = { .name = "arp.saddr.str", }, + [KEY_ARP_THA] = { .name = "arp.dhwaddr", }, + [KEY_ARP_TPA] = { .name = "arp.daddr.str", }, + }; static int printpkt_proto(struct ulogd_key *res, char *buf, int protocol) 
@@ -334,6 +344,74 @@ return buf_cur - buf; } +int printpkt_arp(struct ulogd_key *res, char *buf) +{ + char *buf_cur = buf; + u_int16_t code = 0; + u_int8_t *mac; + char tmp[INET_ADDRSTRLEN]; + + if (pp_is_valid(res, KEY_ARP_SPA)) + buf_cur += sprintf(buf_cur, "SRC=%s ", + GET_VALUE(res, KEY_ARP_SPA).ptr); + + if (pp_is_valid(res, KEY_ARP_TPA)) + buf_cur += sprintf(buf_cur, "DST=%s ", + GET_VALUE(res, KEY_ARP_TPA).ptr); + + buf_cur += sprintf(buf_cur, "PROTO=ARP "); + + if (pp_is_valid(res, KEY_ARP_OPCODE)) { + code = GET_VALUE(res, KEY_ARP_OPCODE).ui16; + switch (code) { + case ARPOP_REQUEST: + buf_cur += sprintf(buf_cur, "REQUEST "); + break; + case ARPOP_REPLY: + buf_cur += sprintf(buf_cur, "REPLY "); + break; + case ARPOP_NAK: + buf_cur += sprintf(buf_cur, "NAK "); + break; + default: + buf_cur += sprintf(buf_cur, "CODE=%u ", code); + } + + if (pp_is_valid(res, KEY_ARP_SHA) && (code == ARPOP_REPLY)) { + mac = GET_VALUE(res, KEY_ARP_SHA).ptr; + buf_cur += sprintf(buf_cur, "REPLY_MAC=" + "%02x:%02x:%02x:%02x:%02x:%02x ", + mac[0], mac[1], mac[2], + mac[3], mac[4], mac[5]); + } + } + + return buf_cur - buf; +} + + +int printpkt_bridge(struct ulogd_key *res, char *buf) +{ + char *buf_cur = buf; + + switch (GET_VALUE(res, KEY_OOB_PROTOCOL).ui16) { + case ETH_P_IP: + buf_cur += printpkt_ipv4(res, buf_cur); + break; + case ETH_P_IPV6: + buf_cur += printpkt_ipv6(res, buf_cur); + break; + case ETH_P_ARP: + buf_cur += printpkt_arp(res, buf_cur); + break; + default: + buf_cur += sprintf(buf_cur, "PROTO=%u ", + GET_VALUE(res, KEY_OOB_PROTOCOL).ui16); + } + + return buf_cur - buf; +} + int printpkt_print(struct ulogd_key *res, char *buf) { char *buf_cur = buf; @@ -366,6 +444,9 @@ case AF_INET6: buf_cur += printpkt_ipv6(res, buf_cur); break; + case AF_BRIDGE: + buf_cur += printpkt_bridge(res, buf_cur); + break; } if (pp_is_valid(res, KEY_OOB_UID)) -- |
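Review bot: in the printpkt.c hunk, printpkt_bridge() dispatches on `GET_VALUE(res, KEY_OOB_PROTOCOL).ui16` without the `pp_is_valid(res, KEY_OOB_PROTOCOL)` guard that every other key in this file gets; if the input plugin did not fill oob.protocol the switch runs on an unset value. Check validity first and return 0 (or print a bare "PROTO=?") when it is missing.

Review bot: printpkt_arp() declares `char tmp[INET_ADDRSTRLEN];` and never uses it, which will draw an unused-variable warning; drop it. The REPLY_MAC branch also reads six bytes from `GET_VALUE(res, KEY_ARP_SHA).ptr` on trust; if the key carries a length, check it, otherwise state in a comment that BASE guarantees a 6-byte hardware address for arp.shwaddr.

Review bot: printpkt_arp() and printpkt_bridge() are added as external (non-static) functions but the printpkt.h hunk only adds keys, so they have no prototype; either make them static, as only printpkt_print() calls them, or declare them in the header next to printpkt_print(). The new `#include <netinet/if_ether.h>` supplies both ARPOP_* and ETH_P_*, so the comparison in printpkt_bridge() relies on BASE storing oob.protocol in host byte order; worth a comment.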
From: Peter W. <pe...@en...> - 2008-02-11 22:11:04
|
This patch adds a sample configuration for logging with ebtables through nflog out to LOGEMU and SYSLOG. It also fixes a config bug with ipv6 (log2) Signed-off-by: Peter Warasin <pe...@en...> --- ulogd.conf.in | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) Index: ulogd2/ulogd.conf.in =================================================================== --- ulogd2.orig/ulogd.conf.in 2008-02-11 22:59:58.000000000 +0100 +++ ulogd2/ulogd.conf.in 2008-02-11 23:05:08.000000000 +0100 @@ -49,6 +49,9 @@ # this is a stack for IPv6 packet-based logging via LOGEMU #stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU +# this is a stack for ebtables packet-based logging via LOGEMU +#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU + # this is a stack for ULOG packet-based logging via LOGEMU #stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU @@ -64,6 +67,9 @@ # this is a stack for logging IPv6 packet to PGsql after a collect via NFLOG #stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,pgsql1:PGSQL +# this is a stack for logging ebtables packets to syslog after a collect via NFLOG +#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG + # this is a stack for flow-based logging to MySQL #stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL @@ -75,10 +81,15 @@ group=0 # IPv6 logging through NFLOG -[log1] +[log2] group=1 # Group has to be different from the one use in log1 addressfamily=10 # 10 is value of AF_INET6 +# ebtables logging through NFLOG +[log3] +group=2 # Group has to be different from the one use in log1/log2 +addressfamily=7 # 7 is value of AF_BRIDGE + [ulog1] # netlink multicast group (the same as the iptables --ulog-nlgroup param) nlgroup=1 @@ -106,3 +117,6 @@ table="ulog" pass="changeme" procedure="INSERT_PACKET_FULL" + +[sys2] +facility=LOG_LOCAL2 -- |
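Review bot: the new ebtables-to-syslog stack references `sys1:SYSLOG`, but the section appended at the end of the file is `[sys2]`, so as posted the stack and its SYSLOG configuration do not line up; either the stack line should read `sys2:SYSLOG` or the section should be `[sys1]` (the diff shows no existing [sys1]). The two new stacks reuse base1/ifi1/ip2str1/print1/emu1 from the IPv4 and IPv6 stacks, which is fine since ulogd2 instances are shared, but the comment above [log3] could say so; that comment also reads "the one use in log1/log2" where "used" is meant. The [log1] to [log2] rename for the IPv6 group is correct.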
From: Peter W. <pe...@en...> - 2008-02-11 22:11:03
|
This patch make the ip address string converter AF_BRIDGE compatible and add ip address ARP keys in order to make them also convert. Signed-off-by: Peter Warasin <pe...@en...> --- filter/ulogd_filter_IP2STR.c | 74 +++++++++++++++++++++++++++++++------------ 1 file changed, 54 insertions(+), 20 deletions(-) Index: ulogd2/filter/ulogd_filter_IP2STR.c =================================================================== --- ulogd2.orig/filter/ulogd_filter_IP2STR.c 2008-02-11 22:44:47.000000000 +0100 +++ ulogd2/filter/ulogd_filter_IP2STR.c 2008-02-11 22:53:42.000000000 +0100 @@ -27,11 +27,13 @@ #include <string.h> #include <arpa/inet.h> #include <ulogd/ulogd.h> +#include <netinet/if_ether.h> #define IPADDR_LENGTH 128 enum input_keys { KEY_OOB_FAMILY, + KEY_OOB_PROTOCOL, KEY_IP_SADDR, START_KEY = KEY_IP_SADDR, KEY_IP_DADDR, @@ -39,7 +41,9 @@ KEY_ORIG_IP_DADDR, KEY_REPLY_IP_SADDR, KEY_REPLY_IP_DADDR, - MAX_KEY = KEY_REPLY_IP_DADDR, + KEY_ARP_SPA, + KEY_ARP_TPA, + MAX_KEY = KEY_ARP_TPA, }; static struct ulogd_key ip2str_inp[] = { @@ -48,6 +52,11 @@ .flags = ULOGD_RETF_NONE, .name = "oob.family", }, + [KEY_OOB_PROTOCOL] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "oob.protocol", + }, [KEY_IP_SADDR] = { .type = ULOGD_RET_IPADDR, .flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL, @@ -78,6 +87,16 @@ .flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL, .name = "reply.ip.daddr", }, + [KEY_ARP_SPA] = { + .type = ULOGD_RET_IPADDR, + .flags = ULOGD_RETF_NONE, + .name = "arp.saddr", + }, + [KEY_ARP_TPA] = { + .type = ULOGD_RET_IPADDR, + .flags = ULOGD_RETF_NONE, + .name = "arp.daddr", + }, }; static struct ulogd_key ip2str_keys[] = { 
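Review bot: the new oob.protocol, arp.saddr and arp.daddr input keys are declared with ULOGD_RETF_NONE only, whereas ip.saddr and friends carry ULOGD_KEYF_OPTIONAL; as mandatory inputs they must be resolvable in every stack that contains IP2STR, so a stack fed by a collector that does not provide arp.* or oob.protocol fails to build. Mark all three ULOGD_KEYF_OPTIONAL. oob.family stays declared but is no longer read after this change; either remove it or keep it as the fallback when oob.protocol is absent. Note also that arp.saddr/arp.daddr are typed ULOGD_RET_IPADDR here while the BASE patch in this series emits them as ULOGD_RET_RAW; producer and consumer should agree.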
@@ -111,26 +130,41 @@ .flags = ULOGD_RETF_FREE, .name = "reply.ip.daddr.str", }, + { + .type = ULOGD_RET_STRING, + .flags = ULOGD_RETF_FREE, + .name = "arp.saddr.str", + }, + { + .type = ULOGD_RET_STRING, + .flags = ULOGD_RETF_FREE, + .name = "arp.daddr.str", + }, }; -static char *ip2str(struct ulogd_key* inp, int index, char family) +static char *ip2str(struct ulogd_key *inp, int index, int protocol) { char tmp[IPADDR_LENGTH]; - switch (family) { - case AF_INET6: - inet_ntop(AF_INET6, - &GET_VALUE(inp, index).ptr, - tmp, sizeof(tmp)); - break; - case AF_INET: - inet_ntop(AF_INET, - &GET_VALUE(inp, index).ui32, - tmp, sizeof(tmp)); - break; - default: - /* TODO error handling */ - ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n"); - return NULL; + switch (protocol) { + case ETH_P_IPV6: + inet_ntop(AF_INET6, + &GET_VALUE(inp, index).ptr, + tmp, sizeof(tmp)); + break; + case ETH_P_IP: + inet_ntop(AF_INET, + &GET_VALUE(inp, index).ui32, + tmp, sizeof(tmp)); + break; + case ETH_P_ARP: + inet_ntop(AF_INET, + &GET_VALUE(inp, index).ptr, + tmp, sizeof(tmp)); + break; + default: + /* TODO error handling */ + ulogd_log(ULOGD_NOTICE, "Unknown protocol\n"); + return NULL; } return strdup(tmp); } @@ -140,13 +174,13 @@ struct ulogd_key *ret = pi->output.keys; struct ulogd_key *inp = pi->input.keys; int i; - int oob_family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8; + int oob_protocol = GET_VALUE(inp, KEY_OOB_PROTOCOL).ui16; /* Iter on all addr fields */ for(i = START_KEY; i < MAX_KEY; i++) { if (pp_is_valid(inp, i)) { - ret[i-1].u.value.ptr = ip2str(inp, i, oob_family); - ret[i-1].flags |= ULOGD_RETF_VALID; + ret[i-START_KEY].u.value.ptr = ip2str(inp, i, oob_protocol); + ret[i-START_KEY].flags |= ULOGD_RETF_VALID; } } -- |
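Review bot: the ETH_P_ARP branch passes `&GET_VALUE(inp, index).ptr` to inet_ntop(), which is the address of the pointer field, while the BASE patch stores `ret[KEY_ARP_SPA].u.value.ptr = &arph->arp_spa`, a pointer into the packet; inet_ntop() therefore formats the first four bytes of the pointer value, not the address. Use `GET_VALUE(inp, index).ptr` without the `&` for ARP. Two more points in the interp loop: `for(i = START_KEY; i < MAX_KEY; i++)` never visits MAX_KEY itself, so with MAX_KEY = KEY_ARP_TPA the arp.daddr key is never converted and PRINTPKT's DST= for ARP stays empty; use `<=` or define MAX_KEY one past the last key. And `ret[i-START_KEY].flags |= ULOGD_RETF_VALID` is set even when ip2str() returned NULL (unknown protocol or strdup() failure), which hands a NULL string to downstream `%s` formatting; set the flag only when the result is non-NULL. The `i-START_KEY` index fix itself is right now that KEY_OOB_PROTOCOL shifts START_KEY.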
From: Peter W. <pe...@en...> - 2008-02-11 22:11:02
|
This patch adds an AF_BRIDGE interpreter to ulogd_raw2packet_BASE plugin, which allows to log packets coming from ebtables. It also adds an ARP header decoder. Signed-off-by: Peter Warasin <pe...@en...> --- filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++- 1 file changed, 125 insertions(+), 2 deletions(-) Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c =================================================================== --- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:13:27.000000000 +0100 +++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:20:05.000000000 +0100 @@ -10,6 +10,7 @@ * o UDP header * o ICMP header * o AH/ESP header + * o ARP header * * (C) 2000-2005 by Harald Welte <la...@gn...> * @@ -42,11 +43,13 @@ #include <netinet/udp.h> #include <ulogd/ulogd.h> #include <ulogd/ipfix_protocol.h> +#include <netinet/if_ether.h> enum input_keys { INKEY_RAW_PCKT, INKEY_RAW_PCKTLEN, INKEY_OOB_FAMILY, + INKEY_OOB_PROTOCOL, }; enum output_keys { @@ -101,6 +104,14 @@ KEY_ICMPV6_ECHOSEQ, KEY_ICMPV6_CSUM, KEY_AHESP_SPI, + KEY_OOB_PROTOCOL, + KEY_ARP_HTYPE, + KEY_ARP_PTYPE, + KEY_ARP_OPCODE, + KEY_ARP_SHA, + KEY_ARP_SPA, + KEY_ARP_THA, + KEY_ARP_TPA, }; static struct ulogd_key iphdr_rets[] = { 
@@ -455,7 +466,46 @@ .flags = ULOGD_RETF_NONE, .name = "ahesp.spi", }, - + [KEY_OOB_PROTOCOL] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "oob.protocol", + }, + [KEY_ARP_HTYPE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.hwtype", + }, + [KEY_ARP_PTYPE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.protocoltype", + }, + [KEY_ARP_OPCODE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.operation", + }, + [KEY_ARP_SHA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.shwaddr", + }, + [KEY_ARP_SPA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.saddr", + }, + [KEY_ARP_THA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.dhwaddr", + }, + [KEY_ARP_TPA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.daddr", + }, }; /*********************************************************************** 
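Review bot: arp.saddr and arp.daddr are emitted here as ULOGD_RET_RAW pointers into the packet, but the IP2STR patch declares the same keys as ULOGD_RET_IPADDR and the ip.saddr keys store the address inline; pick one representation, and copying the four bytes into `.ui32` as ULOGD_RET_IPADDR would let IP2STR's existing ETH_P_IP path handle them without a separate ARP case. arp.shwaddr/arp.dhwaddr as RAW carry no length, so every consumer has to assume ETH_ALEN bytes; a comment on the keys should say they are only valid for Ethernet ARP.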
@@ -825,16 +875,84 @@ return 0; } +/*********************************************************************** + * ARP HEADER + ***********************************************************************/ +static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len) +{ + struct ulogd_key *ret = pi->output.keys; + const struct ether_arp *arph = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; + + if (len < sizeof(struct ether_arp)) + return 0; + + ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd); + SET_VALID(ret[KEY_ARP_HTYPE]); + ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro); + SET_VALID(ret[KEY_ARP_PTYPE]); + ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op); + SET_VALID(ret[KEY_ARP_OPCODE]); + + ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha; + SET_VALID(ret[KEY_ARP_SHA]); + ret[KEY_ARP_SPA].u.value.ptr = &arph->arp_spa; + SET_VALID(ret[KEY_ARP_SPA]); + + ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha; + SET_VALID(ret[KEY_ARP_THA]); + ret[KEY_ARP_TPA].u.value.ptr = &arph->arp_tpa; + SET_VALID(ret[KEY_ARP_TPA]); + + return 0; +} + +/*********************************************************************** + * ETHER HEADER + ***********************************************************************/ + +static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len) +{ + struct ulogd_key *ret = pi->output.keys; + const struct sk_buff *skb = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; + const u_int16_t proto = + GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16; + + switch (proto) { + case ETH_P_IP: + _interp_iphdr(pi, len); + break; + case ETH_P_IPV6: + _interp_ipv6hdr(pi, len); + break; + case ETH_P_ARP: + _interp_arp(pi, len); + break; + /* ETH_P_8021Q ?? others? 
*/ + }; + + return 0; +} + + static int _interp_pkt(struct ulogd_pluginstance *pi) { u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32; u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8; + struct ulogd_key *ret = pi->output.keys; + + ret[KEY_OOB_PROTOCOL].u.value.ui16 = + GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16; + SET_VALID(ret[KEY_OOB_PROTOCOL]); switch (family) { case AF_INET: return _interp_iphdr(pi, len); case AF_INET6: return _interp_ipv6hdr(pi, len); + case AF_BRIDGE: + return _interp_bridge(pi, len); } return 0; } @@ -859,7 +977,12 @@ { .type = ULOGD_RET_UINT8, .name = "oob.family", - } + }, + { + .type = ULOGD_RET_UINT16, + .name = "oob.protocol", + }, + }; static struct ulogd_plugin base_plugin = { -- |
From: Peter W. <pe...@en...> - 2008-02-11 22:11:02
|
Adds input key enumeration in order to address the fields with symbols instead of numbers. Shortens the lines by the use of GET_VALUE() Signed-off-by: Peter Warasin <pe...@en...> --- filter/raw2packet/ulogd_raw2packet_BASE.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c =================================================================== --- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:03:19.000000000 +0100 +++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:04:15.000000000 +0100 @@ -43,6 +43,12 @@ #include <ulogd/ulogd.h> #include <ulogd/ipfix_protocol.h> +enum input_keys { + INKEY_RAW_PCKT, + INKEY_RAW_PCKTLEN, + INKEY_OOB_FAMILY, +}; + enum output_keys { KEY_IP_SADDR, KEY_IP_DADDR, @@ -633,7 +639,8 @@ static int _interp_iphdr(struct ulogd_pluginstance *pi, u_int32_t len) { struct ulogd_key *ret = pi->output.keys; - struct iphdr *iph = pi->input.keys[0].u.source->u.value.ptr; + struct iphdr *iph = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; void *nexthdr = (u_int32_t *)iph + iph->ihl; if (len < sizeof(struct iphdr) || len <= iph->ihl * 4) @@ -702,7 +709,8 @@ static int _interp_ipv6hdr(struct ulogd_pluginstance *pi, u_int32_t len) { struct ulogd_key *ret = pi->output.keys; - struct ip6_hdr *ipv6h = pi->input.keys[0].u.source->u.value.ptr; + struct ip6_hdr *ipv6h = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; unsigned int ptr, hdrlen = 0; u_int8_t curhdr; int fragment = 0; @@ -819,8 +827,8 @@ static int _interp_pkt(struct ulogd_pluginstance *pi) { - u_int32_t len = pi->input.keys[1].u.source->u.value.ui32; - u_int8_t family = pi->input.keys[2].u.source->u.value.ui8; + u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32; + u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8; switch (family) { case AF_INET: -- |
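Review bot: straightforward refactor with no behaviour change, and the symbolic input keys are an improvement. One thing the context of the _interp_iphdr hunk shows: `void *nexthdr = (u_int32_t *)iph + iph->ihl;` reads iph->ihl before the `len < sizeof(struct iphdr)` check, so the header is dereferenced on a buffer that may be shorter than an IPv4 header; while this function is being touched, move the assignment below the length check.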
From: Bart De S. <bds...@pa...> - 2008-02-11 21:23:46
|
On Sat, 09-02-2008 at 01:49 +0100, Jan Engelhardt wrote: > Time to unveil some plans. > > I am not sure where exactly I picked the idea up, probably in one of the > last discussions on netfilter-devel, to make ebtables use xtables code. > Well, I am in the process of writing up a bunch of patches to get us > closer to that. Nothing spectacularly interesting for modules (ebt_*.c), > > but at the same time I have to give a worry about the userspace code. > ebtables and arptables have not gotten the same attention as iptables > and look a bit disheveled. Eventually I would just merge them with the > iptables tree so it also shares all the option parsing and whatnot. Arptables was a hack from the start. Ebtables is completely different code and is not portable with a few simple patches. Thanks for pointing out your opinion about the code though, it really helps. > It would be most convenient to use a better VCS (thinking git) because > running quilt on top of svn or even cvs (ebtables) is not too nice, > even more if the changeset agglomeration is then lost in cvs. > While Patrick still seems to be AWOL for an opinion, I would want to > know from all parties (iptables, ebtables) if we can take this > management step. Once ebtables or arptables is in a state so that it can be merged with the rest of netfilter I'm fine with it residing wherever the netfilter core team wants. I'm not going to go change the versioning system at this stage just so it's a bit more convenient for you. Use whatever versioning tool you want on your local checked out version. cheers, Bart |
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-11 18:07:42
|
Bart De Schuymer wrote on Sunday, February 10, 2008 9:21 AM: > Op vr, 08-02-2008 te 16:01 -0800, schreef Tseng, Kuo-Lang: >> Bart De Schuymer wrote on Friday, February 08, 2008 10:21 AM: >> >>> Hi Kuo, >>> >>> Thanks for your patch. The patch looks ok. Tiny comment: the header >>> diffs belong in the kernel patch and the userspace patch lacks a >>> man page update. Seems like we'll need a merge of the two kernel >>> patches and extra userspace code. >>> >>> I was gonna give my say about posting to netfilter-devel only, >>> without userspace code, but I guess I'm better off restraining >>> myself from doing that. >>> >>> cheers, >>> Bart >> >> Thanks. I have attached an updated userspace patch that includes the >> missing man page update and removed the header diffs. > > It would be better if the ipv6 address and traffic class matching were > implemented in the patch. So I'm going to wait for that. Is there any > reason why you didn't do this in the first place? We wanted to keep the first patch small for the review. Once the first patch is merged in, the v6 address and traffic class can be added after that. > >> I will post to the netfilter-devel for the kernel code. > > I don't read netfilter-devel, so at least CC ebtables-devel. Until > ebtables becomes an official part of the netfilter code (currently) > under Patrick's control it's common courtesy to mail to > ebtables-devel. Sure. I will CC ebtables-devel next time when I send emails to netfilter-devel. (Same kernel patch that I sent in this thread has been posted to netfilter-devel.) > > cheers, > Bart |
From: Bart De S. <bds...@pa...> - 2008-02-10 17:21:24
|
On Fri, 08-02-2008 at 16:01 -0800, Tseng, Kuo-Lang wrote: > Bart De Schuymer wrote on Friday, February 08, 2008 10:21 AM: > > > Hi Kuo, > > > > Thanks for your patch. The patch looks ok. Tiny comment: the header > > diffs belong in the kernel patch and the userspace patch lacks a man > > page update. > > Seems like we'll need a merge of the two kernel patches and extra > > userspace code. > > > > I was gonna give my say about posting to netfilter-devel only, without > > userspace code, but I guess I'm better off restraining myself from > > doing that. > > > > cheers, > > Bart > > Thanks. I have attached an updated userspace patch that includes the > missing man page update and removed the header diffs. It would be better if the ipv6 address and traffic class matching were implemented in the patch. So I'm going to wait for that. Is there any reason why you didn't do this in the first place? > I will post to the netfilter-devel for the kernel code. I don't read netfilter-devel, so at least CC ebtables-devel. Until ebtables becomes an official part of the netfilter code (currently) under Patrick's control it's common courtesy to mail to ebtables-devel. cheers, Bart |
From: Jan E. <je...@co...> - 2008-02-09 00:50:06
|
On Feb 8 2008 19:20, Bart De Schuymer wrote: >Hi Kuo, > >Thanks for your patch. The patch looks ok. Tiny comment: the header >diffs belong in the kernel patch and the userspace patch lacks a man >page update. >Seems like we'll need a merge of the two kernel patches and extra >userspace code. > >I was gonna give my say about posting to netfilter-devel only, without >userspace code, but I guess I'm better off restraining myself from doing >that. Time to unveil some plans. I am not sure where exactly I picked the idea up, probably in one of the last discussions on netfilter-devel, to make ebtables use xtables code. Well, I am in the process of writing up a bunch of patches to get us closer to that. Nothing spectacularly interesting for modules (ebt_*.c), but at the same time I have to give a worry about the userspace code. ebtables and arptables have not gotten the same attention as iptables and look a bit disheveled. Eventually I would just merge them with the iptables tree so it also shares all the option parsing and whatnot. It would be most convenient to use a better VCS (thinking git) because running quilt on top of svn or even cvs (ebtables) is not too nice, even more if the changeset agglomeration is then lost in cvs. While Patrick still seems to be AWOL for an opinion, I would want to know from all parties (iptables, ebtables) if we can take this management step. |
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-09 00:01:57
|
Bart De Schuymer wrote on Friday, February 08, 2008 10:21 AM: > Hi Kuo, > > Thanks for your patch. The patch looks ok. Tiny comment: the header > diffs belong in the kernel patch and the userspace patch lacks a man > page update. > Seems like we'll need a merge of the two kernel patches and extra > userspace code. > > I was gonna give my say about posting to netfilter-devel only, without > userspace code, but I guess I'm better off restraining myself from > doing that. > > cheers, > Bart Thanks. I have attached an updated userspace patch that includes the missing man page update and removed the header diffs. I will post to the netfilter-devel for the kernel code. |
From: Bart De S. <bds...@pa...> - 2008-02-08 18:21:00
|
Hi Kuo, Thanks for your patch. The patch looks ok. Tiny comment: the header diffs belong in the kernel patch and the userspace patch lacks a man page update. Seems like we'll need a merge of the two kernel patches and extra userspace code. I was gonna give my say about posting to netfilter-devel only, without userspace code, but I guess I'm better off restraining myself from doing that. cheers, Bart On Thu, 07-02-2008 at 17:03 -0800, Tseng, Kuo-Lang wrote: > Jan Engelhardt wrote on Thursday, February 07, 2008 4:33 PM: > > > On Feb 7 2008 15:59, Tseng, Kuo-Lang wrote: > >> Jan Engelhardt wrote on Wednesday, February 06, 2008 4:33 PM: > >>> On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: > >>> > >>>>>>> I would like to find out if there is any IPv6 support in > >>>>>>> ebtables for replacing MAC address of the Ethernet header based > >>>>>>> on TCP or UDP port id in IPv6 packets. I would appreciate it if > >>>>>>> there is anyone on this list who knows of any prior work in > >>>>>>> ebtables to support IPv6. > >>> > >>> Sorry; I only monitor ebtables-devel since recently, > >>> an ebt_ip6 match has been posted at > >>> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 > >>> > >>> I am not to keen to add layer-4 parsing to ebt code; instead, > >>> it should (ideally) interface with Xtables. > >> > >> We are not adding any new functionality. This only extends ebtables > >> adding Layer 4 Port Based NAT for IPv6, which is already present for > >> IPv4. This is efficient and is consistent with the current > >> Functionality (this involves only few lines of code (see my patch) > >> and matches the same way today ebtables is doing for v4). > > > > Yes I see. > > Thanks. Will you please then merge the port-based NATing code from my > patch in? > > > > >> A few comments to the br-netfilter patch you posted in that link: > >> > >> 1. 
> >> + if ((info->match_flags & EBT_IP6_NEXTHDR) && > >> + (iph->nexthdr != info->nexthdr) ^ > >> + !!(info->invert_flags & EBT_IP6_NEXTHDR)) > >> + return EBT_NOMATCH; > >> > >> This is not sufficient and is broken if you got options headers in > >> between the v6 header and the protocol header that you wish to match. > > > > I was not sure about that - is there a way other than ->nexthdr==OPT > > to distinguish from headers that should be skipped and those that > > should not? I am sort of thinking of TCP-in-IPv6-in-IPv6. > > Not any fast way that I know. But you meant to match just > layer-4 protocol, you can use ipv6_skip_exthdr() function which will > save you some work (e.g. the code used in my patch): > > offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), nexthdrp); > if (offset_ph == -1) > return EBT_NOMATCH; > if (FWINV(info->protocol != *nexthdrp, EBT_IP6_PROTO)) > return EBT_NOMATCH; > > > > >> 2. You could use the macro FWINV and same name for the mask field, > >> bitmask, so that this module is consistent with other protocol > >> modules in br-netfilter. > > > > Almost none of the other netfilter code uses FWINV, most likely > > because it's just too scary. The last remnants are in core > > ipv4/netfilter/ and ipv6/netfilter, and the extension modules > > only have one instance in xt_conntrack.c, which is going away > > anyway: > > > > if (FWINV((statebit & sinfo->statemask) == 0, > > XT_CONNTRACK_STATE)) > > return false; > > > > this is much clearer for the same amount of code: > > > > if ((info->state_mask & statebit) ^ > > !(info->invert_flags & XT_CONNTRACK_STATE)) > > return false; > > OK. > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2008. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > Ebtables-devel mailing list > Ebt...@li... 
> https://lists.sourceforge.net/lists/listinfo/ebtables-devel > |
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-08 01:04:59
|
Jan Engelhardt wrote on Thursday, February 07, 2008 4:33 PM: > On Feb 7 2008 15:59, Tseng, Kuo-Lang wrote: >> Jan Engelhardt wrote on Wednesday, February 06, 2008 4:33 PM: >>> On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: >>> >>>>>>> I would like to find out if there is any IPv6 support in >>>>>>> ebtables for replacing MAC address of the Ethernet header based >>>>>>> on TCP or UDP port id in IPv6 packets. I would appreciate it if >>>>>>> there is anyone on this list who knows of any prior work in >>>>>>> ebtables to support IPv6. >>> >>> Sorry; I only monitor ebtables-devel since recently, >>> an ebt_ip6 match has been posted at >>> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 >>> >>> I am not to keen to add layer-4 parsing to ebt code; instead, >>> it should (ideally) interface with Xtables. >> >> We are not adding any new functionality. This only extends ebtables >> adding Layer 4 Port Based NAT for IPv6, which is already present for >> IPv4. This is efficient and is consistent with the current >> Functionality (this involves only few lines of code (see my patch) >> and matches the same way today ebtables is doing for v4). > > Yes I see. Thanks. Will you please then merge the port-based NATing code from my patch in? > >> A few comments to the br-netfilter patch you posted in that link: >> >> 1. >> + if ((info->match_flags & EBT_IP6_NEXTHDR) && >> + (iph->nexthdr != info->nexthdr) ^ >> + !!(info->invert_flags & EBT_IP6_NEXTHDR)) >> + return EBT_NOMATCH; >> >> This is not sufficient and is broken if you got options headers in >> between the v6 header and the protocol header that you wish to match. > > I was not sure about that - is there a way other than ->nexthdr==OPT > to distinguish from headers that should be skipped and those that > should not? I am sort of thinking of TCP-in-IPv6-in-IPv6. Not any fast way that I know. But you meant to match just layer-4 protocol, you can use ipv6_skip_exthdr() function which will save you some work (e.g. the code used in my patch):

    offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), nexthdrp);
    if (offset_ph == -1)
        return EBT_NOMATCH;
    if (FWINV(info->protocol != *nexthdrp, EBT_IP6_PROTO))
        return EBT_NOMATCH;

> >> 2. You could use the macro FWINV and same name for the mask field, >> bitmask, so that this module is consistent with other protocol >> modules in br-netfilter. > > Almost none of the other netfilter code uses FWINV, most likely > because it's just too scary. The last remnants are in core > ipv4/netfilter/ and ipv6/netfilter, and the extension modules > only have one instance in xt_conntrack.c, which is going away > anyway: > > if (FWINV((statebit & sinfo->statemask) == 0, > XT_CONNTRACK_STATE)) > return false; > > this is much clearer for the same amount of code: > > if ((info->state_mask & statebit) ^ > !(info->invert_flags & XT_CONNTRACK_STATE)) > return false; OK. |
From: Jan E. <je...@co...> - 2008-02-08 00:32:44
|
On Feb 7 2008 15:59, Tseng, Kuo-Lang wrote: >Jan Engelhardt wrote on Wednesday, February 06, 2008 4:33 PM: >> On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: >> >>>>>> I would like to find out if there is any IPv6 support in ebtables >>>>>> for replacing MAC address of the Ethernet header based on TCP or >>>>>> UDP port id in IPv6 packets. I would appreciate it if there is >>>>>> anyone on this list who knows of any prior work in ebtables to >>>>>> support IPv6. >> >> Sorry; I only monitor ebtables-devel since recently, >> an ebt_ip6 match has been posted at >> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 >> >> I am not to keen to add layer-4 parsing to ebt code; instead, >> it should (ideally) interface with Xtables. > >We are not adding any new functionality. This only extends ebtables >adding Layer 4 Port Based NAT for IPv6, which is already present for >IPv4. This is efficient and is consistent with the current >Functionality (this involves only few lines of code (see my patch) >and matches the same way today ebtables is doing for v4). Yes I see. >A few comments to the br-netfilter patch you posted in that link: > >1. >+ if ((info->match_flags & EBT_IP6_NEXTHDR) && >+ (iph->nexthdr != info->nexthdr) ^ >+ !!(info->invert_flags & EBT_IP6_NEXTHDR)) >+ return EBT_NOMATCH; > >This is not sufficient and is broken if you got options headers in >between the v6 header and the protocol header that you wish to match. I was not sure about that - is there a way other than ->nexthdr==OPT to distinguish from headers that should be skipped and those that should not? I am sort of thinking of TCP-in-IPv6-in-IPv6. >2. You could use the macro FWINV and same name for the mask field, >bitmask, so that this module is consistent with other protocol >modules in br-netfilter. Almost none of the other netfilter code uses FWINV, most likely because it's just too scary. The last remnants are in core ipv4/netfilter/ and ipv6/netfilter, and the extension modules only have one instance in xt_conntrack.c, which is going away anyway:

    if (FWINV((statebit & sinfo->statemask) == 0,
              XT_CONNTRACK_STATE))
        return false;

this is much clearer for the same amount of code:

    if ((info->state_mask & statebit) ^
        !(info->invert_flags & XT_CONNTRACK_STATE))
        return false;

|
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-08 00:00:08
|
Jan Engelhardt wrote on Wednesday, February 06, 2008 4:33 PM: > On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: > >>>>> I would like to find out if there is any IPv6 support in ebtables >>>>> for replacing MAC address of the Ethernet header based on TCP or >>>>> UDP port id in IPv6 packets. I would appreciate it if there is >>>>> anyone on this list who knows of any prior work in ebtables to >>>>> support IPv6. > > Sorry; I only monitor ebtables-devel since recently, > an ebt_ip6 match has been posted at > http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 > > I am not to keen to add layer-4 parsing to ebt code; instead, > it should (ideally) interface with Xtables. We are not adding any new functionality. This only extends ebtables adding Layer 4 Port Based NAT for IPv6, which is already present for IPv4. This is efficient and is consistent with the current Functionality (this involves only few lines of code (see my patch) and matches the same way today ebtables is doing for v4). A few comments to the br-netfilter patch you posted in that link: 1.

    + if ((info->match_flags & EBT_IP6_NEXTHDR) &&
    +     (iph->nexthdr != info->nexthdr) ^
    +     !!(info->invert_flags & EBT_IP6_NEXTHDR))
    +         return EBT_NOMATCH;

This is not sufficient and is broken if you got options headers in between the v6 header and the protocol header that you wish to match. 2. You could use the macro FWINV and same name for the mask field, bitmask, so that this module is consistent with other protocol modules in br-netfilter. 3. The other suggestion is that next time when you post br-netfilter change for ebtables, please also post an email to ebtables-devel list so that people on that list can be aware coming changes/patches in ebtables (as br-netfilter is where ebtables is implemented) thus can avoid duplication of work. Let's follow the standard practice. |
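The two points raised in this message and answered further up the thread (an ebt_ip6 match must skip IPv6 extension headers before comparing the upper-layer protocol, and FWINV() is nothing more than an XOR against the invert bit) are illustrated below in an added example that is not part of ebtables, the kernel, or any patch in this thread. ip6_upper_proto() is a userspace stand-in for the kernel's ipv6_skip_exthdr(); EX_IP6_PROTO, the function names and the constructed IPv6 | Hop-by-Hop | TCP packet are assumptions made for the illustration.

```c
/* Added example, not ebtables or kernel code: find the upper-layer protocol of
 * an IPv6 packet by walking its extension headers (a userspace stand-in for the
 * kernel's ipv6_skip_exthdr()), then match it with the XOR invert idiom from
 * the thread. EX_IP6_PROTO, all function names and the sample packet are made
 * up for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip6.h>

#define EBT_MATCH    0
#define EBT_NOMATCH  1
#define EX_IP6_PROTO 0x01 /* hypothetical invert bit, like EBT_IP6_PROTO */

/* Skip HOPOPTS, ROUTING, DSTOPTS, AH and a first-fragment header. Returns the
 * upper-layer protocol and stores its offset in *off, or -1 when the chain is
 * truncated or a later fragment hides the upper-layer header. ESP and any
 * other value end the walk, as the kernel helper does. */
int ip6_upper_proto(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t pos = sizeof(struct ip6_hdr), hlen;
    uint8_t nh;

    if (len < sizeof(struct ip6_hdr))
        return -1;
    nh = ((const struct ip6_hdr *)pkt)->ip6_nxt;
    for (;;) {
        const struct ip6_ext *ext = (const struct ip6_ext *)(pkt + pos);

        switch (nh) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS: case IPPROTO_AH:
            if (pos + sizeof(*ext) > len)
                return -1;
            /* generic: (len+1)*8 octets; AH: (len+2)*4 octets */
            hlen = nh == IPPROTO_AH ? ((size_t)ext->ip6e_len + 2) * 4
                                    : ((size_t)ext->ip6e_len + 1) * 8;
            break;
        case IPPROTO_FRAGMENT:
            if (pos + sizeof(struct ip6_frag) > len)
                return -1;
            if (((const struct ip6_frag *)ext)->ip6f_offlg & IP6F_OFF_MASK)
                return -1; /* not the first fragment: no upper-layer header */
            hlen = sizeof(struct ip6_frag);
            break;
        default:
            *off = pos;
            return nh;
        }
        if (pos + hlen > len)
            return -1;
        nh = ext->ip6e_nxt; /* next-header is the first byte of every ext header */
        pos += hlen;
    }
}

/* Match after skipping extension headers; "(cond) ^ !!(invert & flag)" is
 * exactly what FWINV(cond, flag) expands to. */
int ip6_proto_match(const uint8_t *pkt, size_t len, uint8_t want,
                    unsigned int invert_flags)
{
    size_t off;
    int proto = ip6_upper_proto(pkt, len, &off);

    if (proto < 0 || ((proto != want) ^ !!(invert_flags & EX_IP6_PROTO)))
        return EBT_NOMATCH;
    return EBT_MATCH;
}

/* The form criticised in the thread: only the first next-header byte. */
int ip6_proto_match_naive(const uint8_t *pkt, size_t len, uint8_t want)
{
    if (len < sizeof(struct ip6_hdr))
        return EBT_NOMATCH;
    return ((const struct ip6_hdr *)pkt)->ip6_nxt == want ? EBT_MATCH
                                                         : EBT_NOMATCH;
}

/* Constructed sample: IPv6 | Hop-by-Hop (8 octets, one PadN option) | 20-byte
 * TCP SYN header. Returns the bytes written (68), or 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t hbh[8] = { IPPROTO_TCP, 0, 1, 4, 0, 0, 0, 0 };
    static const uint8_t tcp[20] = { 0x00, 0x50, 0x1f, 0x90, 0, 0, 0, 1, 0, 0,
                                     0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
    struct ip6_hdr h;

    if (cap < sizeof(h) + sizeof(hbh) + sizeof(tcp))
        return 0;
    memset(&h, 0, sizeof(h));
    h.ip6_flow = htonl(6u << 28);
    h.ip6_plen = htons((uint16_t)(sizeof(hbh) + sizeof(tcp)));
    h.ip6_nxt  = IPPROTO_HOPOPTS;
    h.ip6_hlim = 64;
    inet_pton(AF_INET6, "fe80::1", &h.ip6_src);
    inet_pton(AF_INET6, "fe80::2", &h.ip6_dst);
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), hbh, sizeof(hbh));
    memcpy(buf + sizeof(h) + sizeof(hbh), tcp, sizeof(tcp));
    return sizeof(h) + sizeof(hbh) + sizeof(tcp);
}

/* Runs the sample through both matchers: 0 if every expectation holds, else
 * the number of the first failing check. */
int run_demo(void)
{
    uint8_t buf[128];
    size_t off = 0, n = build_sample(buf, sizeof(buf));

    if (n != 68) return 1;
    if (ip6_upper_proto(buf, n, &off) != IPPROTO_TCP || off != 48) return 2;
    if (ip6_proto_match(buf, n, IPPROTO_TCP, 0) != EBT_MATCH) return 3;
    if (ip6_proto_match(buf, n, IPPROTO_TCP, EX_IP6_PROTO) != EBT_NOMATCH) return 4;
    if (ip6_proto_match(buf, n, IPPROTO_UDP, EX_IP6_PROTO) != EBT_MATCH) return 5;
    if (ip6_proto_match_naive(buf, n, IPPROTO_TCP) != EBT_NOMATCH) return 6;
    if (ip6_upper_proto(buf, 44, &off) != -1) return 7; /* cut inside the HBH header */
    return 0;
}
```

Builds with any C99 compiler that ships the netinet headers. run_demo() returns 0 when the walker finds TCP at offset 48 behind the Hop-by-Hop header while the naive next-header comparison sees only HOPOPTS (0) and reports no match, which is the failure Kuo-Lang describes; the truncated-packet check at the end is the length validation that a match on untrusted frames needs before it dereferences any extension header.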
From: Alvarez-Blanes, G. A <gia...@lm...> - 2008-02-07 16:51:30
|
Hi, I was wondering if there is currently any development done regarding VLANs on the ebtables code. I currently need to switch a packet from one VLAN to another. Thanks, Gian A. Alvarez-Blanes Engineering LDP Associate Information Systems & Global Services 700 N. Frederick Ave., Gaithersburg MD 20879 Office: B182/3F120 Email: gia...@lm... <mailto:gia...@lm...> Phone: (301) 240-6068 Cellphone: (301) 300-7638 L |
From: Tseng, Kuo-L. <kuo...@in...> - 2008-02-07 01:05:27
|
For IPv4, Ebtables supports layer-4 parsing on port id so why not add the same for IPv6 too? It would be just adding a few lines of code extracted from patch I sent. >-----Original Message----- >From: Jan Engelhardt [mailto:je...@co...] >Sent: Wednesday, February 06, 2008 4:33 PM >To: Tseng, Kuo-Lang >Cc: Bart De Schuymer; ebt...@li... >Subject: Re: [Ebtables-devel] [PATCH] IPv6 dnat/snat support > >On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: > >>>>>I would like to find out if there is any IPv6 support in ebtables >>>>>for replacing MAC address of the Ethernet header based on TCP or >>>>>UDP port id in IPv6 packets. I would appreciate it if there is >>>>>anyone on this list who knows of any prior work in ebtables to >>>>>support IPv6. > >Sorry; I only monitor ebtables-devel since recently, >an ebt_ip6 match has been posted at >http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 > >I am not to keen to add layer-4 parsing to ebt code; instead, >it should (ideally) interface with Xtables. |
From: Jan E. <je...@co...> - 2008-02-07 00:33:03
|
On Feb 6 2008 16:14, Tseng, Kuo-Lang wrote: >>>>I would like to find out if there is any IPv6 support in ebtables >>>>for replacing MAC address of the Ethernet header based on TCP or >>>>UDP port id in IPv6 packets. I would appreciate it if there is >>>>anyone on this list who knows of any prior work in ebtables to >>>>support IPv6. Sorry; I only monitor ebtables-devel since recently, an ebt_ip6 match has been posted at http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 I am not to keen to add layer-4 parsing to ebt code; instead, it should (ideally) interface with Xtables. |