ebtables-devel Mailing List for Ethernet bridge tables (Page 6)
Brought to you by:
bdschuym
Menu
▾
▴
ebtables-devel — Development questions, bugs, patches
You can subscribe to this list here.
| 2002 |
Jan
|
Feb
|
Mar
|
Apr
(6) |
May
(9) |
Jun
(6) |
Jul
(5) |
Aug
(7) |
Sep
(13) |
Oct
(9) |
Nov
(11) |
Dec
(8) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(13) |
Feb
(8) |
Mar
(32) |
Apr
(21) |
May
(15) |
Jun
(7) |
Jul
(35) |
Aug
(26) |
Sep
(29) |
Oct
(13) |
Nov
(4) |
Dec
(32) |
| 2004 |
Jan
(2) |
Feb
(20) |
Mar
(9) |
Apr
|
May
(7) |
Jun
(22) |
Jul
(7) |
Aug
(6) |
Sep
(15) |
Oct
(17) |
Nov
(12) |
Dec
(16) |
| 2005 |
Jan
(6) |
Feb
(15) |
Mar
(17) |
Apr
(27) |
May
(13) |
Jun
(43) |
Jul
(3) |
Aug
(12) |
Sep
(16) |
Oct
(12) |
Nov
(9) |
Dec
(10) |
| 2006 |
Jan
(3) |
Feb
(1) |
Mar
(1) |
Apr
(4) |
May
|
Jun
(2) |
Jul
(15) |
Aug
(2) |
Sep
(1) |
Oct
(5) |
Nov
(5) |
Dec
(10) |
| 2007 |
Jan
(2) |
Feb
(14) |
Mar
(19) |
Apr
|
May
(1) |
Jun
(3) |
Jul
|
Aug
(9) |
Sep
(6) |
Oct
(7) |
Nov
(4) |
Dec
|
| 2008 |
Jan
(11) |
Feb
(43) |
Mar
(3) |
Apr
(5) |
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
(2) |
Oct
(2) |
Nov
|
Dec
|
| 2009 |
Jan
|
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2010 |
Jan
|
Feb
|
Mar
(2) |
Apr
(1) |
May
|
Jun
(4) |
Jul
(3) |
Aug
|
Sep
(2) |
Oct
(4) |
Nov
|
Dec
|
| 2013 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(3) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Ivan V. <adm...@ne...> - 2007-03-23 07:38:16
|
Carl-Daniel Hailfinger wrote: > On 22.03.2007 21:36, Bart De Schuymer wrote: > >> Hi Patrick, >> >> The ebtables arpreply target should not answer gratuitous arp's as this >> has no use and can give rise to problems when client machines >> send gratuitous arp requests to check for ip conflicts, as reported by >> Ivan Vladimirov. >> The attached patch resolves this. >> > > Please don't apply this patch! It causes more problems than it solves. > Before the patch, a client machine has a chance to find out that its > IP conflicts with one handled by the arpreply target. After the patch, > there will still be an IP conflict, but it is now impossible to find > that out for the affected machine. > > Regards, > Carl-Daniel > You are wrong about ip conflict with machine having arpreply on it . In case when client machine conflicts with server having arpreply target arpreply wont answer but the network stack while answer so your consern is pointless ... |
|
From: Patrick M. <ka...@tr...> - 2007-03-22 22:08:38
|
Carl-Daniel Hailfinger wrote: > On 22.03.2007 21:36, Bart De Schuymer wrote: > >>Hi Patrick, >> >>The ebtables arpreply target should not answer gratuitous arp's as this >>has no use and can give rise to problems when client machines >>send gratuitous arp requests to check for ip conflicts, as reported by >>Ivan Vladimirov. >>The attached patch resolves this. > > > Please don't apply this patch! It causes more problems than it solves. > Before the patch, a client machine has a chance to find out that its > IP conflicts with one handled by the arpreply target. After the patch, > there will still be an IP conflict, but it is now impossible to find > that out for the affected machine. I have no opinion on this, please sort this out and let me know whether I should apply it. |
|
From: Patrick M. <ka...@tr...> - 2007-03-22 22:07:19
|
Bart De Schuymer wrote: > Hi Patrick, > > The attached patch by Michael Milner adds support for using iptables and > ip6tables on bridged traffic encapsulated in ppoe frames, similar to > what's already supported for vlan. Looks good, but doesn't apply to the net-2.6.22 tree since it conflicts with Arnaldo's skb accessor changes. Please rediff and resend. > --- a/net/bridge/br_netfilter.c 2007-02-20 01:34:32.000000000 -0500 > +++ b/net/bridge/br_netfilter.c 2007-03-01 13:29:08.000000000 -0500 > @@ -12,6 +12,7 @@ > * Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge > * (bdschuym) > * Sep 01 2004: add IPv6 filtering (bdschuym) > + * Jan 16 2007: let iptables see bridged PPPoE IP traffic (mdmilner) And please don't do this, we have git for changelogs, there is no need to keep them in the source. In fact I have a patch queued which removes them from all net/ipv[46]/netfilter and net/netfilter files. |
|
From: Carl-Daniel H. <c-d...@gm...> - 2007-03-22 21:00:51
|
On 22.03.2007 21:36, Bart De Schuymer wrote: > Hi Patrick, > > The ebtables arpreply target should not answer gratuitous arp's as this > has no use and can give rise to problems when client machines > send gratuitous arp requests to check for ip conflicts, as reported by > Ivan Vladimirov. > The attached patch resolves this. Please don't apply this patch! It causes more problems than it solves. Before the patch, a client machine has a chance to find out that its IP conflicts with one handled by the arpreply target. After the patch, there will still be an IP conflict, but it is now impossible to find that out for the affected machine. Regards, Carl-Daniel |
|
From: Bart De S. <bds...@pa...> - 2007-03-22 20:37:31
|
Hi Patrick, The ebtables arpreply target should not answer gratuitous arp's as this has no use and can give rise to problems when client machines send gratuitous arp requests to check for ip conflicts, as reported by Ivan Vladimirov. The attached patch resolves this. cheers, Bart Signed-off-by: Bart De Schuymer <bds...@pa...> |
|
From: Bart De S. <bds...@pa...> - 2007-03-22 19:57:22
|
Hi Patrick, The attached patch by Michael Milner adds support for using iptables and ip6tables on bridged traffic encapsulated in ppoe frames, similar to what's already supported for vlan. Please apply, Bart Signed-off-by: Bart De Schuymer <bds...@pa...> Signed-off-by: Michal Milner <mi...@bl...> |
|
From: Michael M. <mi...@bl...> - 2007-03-22 14:59:59
|
>> > Op ma, 05-02-2007 te 16:48 -0500, schreef Michael Milner:
>> >> Hi,
>> >>
>> >> I've put together some code to allow IPTables to filter PPPoE traffic
>> in
>> >> the same way that bridge-nf allows iptables to filter VLAN traffic.
Hi,
I've fixed up the return statements as you mentioned. This should now
apply against 2.6.20.1
Mike
--- a/include/linux/sysctl.h 2007-02-20 01:34:32.000000000 -0500
+++ b/include/linux/sysctl.h 2007-03-01 12:01:50.000000000 -0500
@@ -777,6 +777,7 @@
NET_BRIDGE_NF_CALL_IPTABLES = 2,
NET_BRIDGE_NF_CALL_IP6TABLES = 3,
NET_BRIDGE_NF_FILTER_VLAN_TAGGED = 4,
+ NET_BRIDGE_NF_FILTER_PPPOE_TAGGED = 5,
};
/* CTL_FS names: */
--- a/include/linux/if_pppox.h 2007-02-20 01:34:32.000000000 -0500
+++ b/include/linux/if_pppox.h 2007-03-01 13:30:38.000000000 -0500
@@ -111,6 +111,9 @@
struct pppoe_tag tag[0];
} __attribute__ ((packed));
+/* Length of entire PPPoE + PPP header */
+#define PPPOE_SES_HLEN 8
+
#ifdef __KERNEL__
struct pppoe_opt {
struct net_device *dev; /* device associated with socket*/
--- a/include/linux/netfilter_bridge.h 2007-02-20 01:34:32.000000000 -0500
+++ b/include/linux/netfilter_bridge.h 2007-03-22 10:41:53.000000000 -0400
@@ -7,6 +7,7 @@
#include <linux/netfilter.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
/* Bridge Hooks */
/* After promisc drops, checksum checks. */
@@ -58,8 +59,14 @@
* enough room for the encapsulating header (if there is one). */
static inline int nf_bridge_pad(const struct sk_buff *skb)
{
- return (skb->nf_bridge && skb->protocol == htons(ETH_P_8021Q))
- ? VLAN_HLEN : 0;
+ int padding = 0;
+
+ if (skb->nf_bridge && skb->protocol == htons(ETH_P_8021Q))
+ padding = VLAN_HLEN;
+ else if (skb->nf_bridge && skb->protocol == htons(ETH_P_PPP_SES))
+ padding = PPPOE_SES_HLEN;
+
+ return padding;
}
struct bridge_skb_cb {
--- a/net/bridge/br_netfilter.c 2007-02-20 01:34:32.000000000 -0500
+++ b/net/bridge/br_netfilter.c 2007-03-01 13:29:08.000000000 -0500
@@ -12,6 +12,7 @@
* Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
* (bdschuym)
* Sep 01 2004: add IPv6 filtering (bdschuym)
+ * Jan 16 2007: let iptables see bridged PPPoE IP traffic (mdmilner)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -29,6 +30,8 @@
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
+#include <linux/ppp_defs.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
@@ -57,6 +60,7 @@
static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 1;
+static int brnf_filter_pppoe_tagged __read_mostly = 1;
#else
#define brnf_filter_vlan_tagged 1
#endif
@@ -81,6 +85,21 @@
vlan_proto(skb) == htons(ETH_P_ARP) && \
brnf_filter_vlan_tagged)
+static __be16 inline pppoe_proto(const struct sk_buff *skb)
+{
+ return *((__be16*)(skb->mac.raw + ETH_HLEN + sizeof(struct pppoe_hdr)));
+}
+
+#define IS_PPPOE_IP(skb) \
+ (skb->protocol == htons(ETH_P_PPP_SES) && \
+ pppoe_proto(skb) == htons(PPP_IP) && \
+ brnf_filter_pppoe_tagged)
+
+#define IS_PPPOE_IPV6(skb) \
+ (skb->protocol == htons(ETH_P_PPP_SES) && \
+ pppoe_proto(skb) == htons(PPP_IPV6) && \
+ brnf_filter_pppoe_tagged)
+
/* We need these fake structures to make netfilter happy --
* lots of places assume that skb->dst != NULL, which isn't
* all that unreasonable.
@@ -128,6 +147,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
header_size += VLAN_HLEN;
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ header_size += PPPOE_SES_HLEN;
memcpy(skb->nf_bridge->data, skb->data - header_size, header_size);
}
@@ -143,6 +164,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
header_size += VLAN_HLEN;
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ header_size += PPPOE_SES_HLEN;
err = skb_cow(skb, header_size);
if (err)
@@ -152,6 +175,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
__skb_push(skb, VLAN_HLEN);
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ __skb_push(skb, PPPOE_SES_HLEN);
return 0;
}
@@ -175,6 +200,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_frame_finish, 1);
@@ -256,6 +284,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
skb->dst->output(skb);
}
@@ -326,6 +357,10 @@
htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if(skb->protocol ==
+ htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
skb, skb->dev, NULL,
@@ -345,6 +380,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_frame_finish, 1);
@@ -485,7 +523,8 @@
__u32 len;
struct sk_buff *skb = *pskb;
- if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb)) {
+ if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
+ IS_PPPOE_IPV6(skb)) {
#ifdef CONFIG_SYSCTL
if (!brnf_call_ip6tables)
return NF_ACCEPT;
@@ -496,6 +535,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull_rcsum(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull_rcsum(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
}
@@ -504,7 +546,8 @@
return NF_ACCEPT;
#endif
- if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb))
+ if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
+ !IS_PPPOE_IP(skb))
return NF_ACCEPT;
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
@@ -513,6 +556,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull_rcsum(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull_rcsum(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
@@ -594,6 +640,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
skb->dev, br_forward_finish, 1);
@@ -622,7 +671,8 @@
if (!parent)
return NF_DROP;
- if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
+ if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
+ IS_PPPOE_IP(skb))
pf = PF_INET;
else
pf = PF_INET6;
@@ -630,6 +680,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(*pskb, VLAN_HLEN);
(*pskb)->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(*pskb, PPPOE_SES_HLEN);
+ (*pskb)->nh.raw += PPPOE_SES_HLEN;
}
nf_bridge = skb->nf_bridge;
@@ -722,6 +775,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
@@ -766,7 +822,8 @@
if (!realoutdev)
return NF_DROP;
- if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
+ if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
+ IS_PPPOE_IP(skb))
pf = PF_INET;
else
pf = PF_INET6;
@@ -788,6 +845,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
nf_bridge_save_header(skb);
@@ -925,6 +985,14 @@
.mode = 0644,
.proc_handler = &brnf_sysctl_call_tables,
},
+ {
+ .ctl_name = NET_BRIDGE_NF_FILTER_PPPOE_TAGGED,
+ .procname = "bridge-nf-filter-pppoe-tagged",
+ .data = &brnf_filter_pppoe_tagged,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &brnf_sysctl_call_tables,
+ },
{ .ctl_name = 0 }
};
|
|
From: <dor...@ms...> - 2007-03-22 05:40:15
|
<DIV> <DIV><BR></DIV> <DIV>Hi All,<BR> Sorry!! uC= libc does not support function fork. I replace "fork" to "vfork".</DIV> <DIV>Now it was compilered successfully.</DIV> <DIV>Thanks a lot.</DIV> <DIV>//Dora</DIV> <DIV><BR></DIV> <DIV id=3DHiNet_separatrix></DIV> <br><span style=3D"font-size:13px">--- =A5=BB=B6l=A5=F3=A8=D3=A6=DBHiNet We= bMail ---</span> <DIV><BR></DIV> <DIV>>>>>> Forwarded As Follows <<<<<</DIV> <DIV><B>From:</B> <A href=3D"mailto:dor...@ms...">dora1234@ms57.= hinet.net</A> </DIV> <DIV><B>To:</B> <A href=3D"mailto:ebt...@li...">ebt= abl...@li...</A> </DIV> <DIV><B>Sent:</B> Wed,21 Mar 2007 20:01:30 Asia/Taipei </DIV> <DIV><B>Subject:</B> Compiler err-undefined reference to `fork'(unistd.h)</= DIV> <DIV> <DIV> <DIV>Hi All,</DIV> <DIV> I use the latest stable userspace release(2.0.= 6)of ebtables,and my linux kernel is 2.6.14.</DIV> <DIV>I have to port ebtables for arm system.But i met one problem= when it was compilered.</DIV> <DIV>It can not find the correct "fork"function. I am sure that i give it t= he correct kernel path.</DIV> <DIV> The error message as below,</DIV> <DIV>----------------------------------------------------------</DIV> <DIV>ebtables.o: In function `ebtables_insmod':<BR>ebtables.c:(.text+0xca0)= : undefined reference to `fork'</DIV> <DIV>----------------------------------------------------------<BR>Anyone c= an give me suggestion, i will very appreciate.</DIV> <DIV>Thanks a lot.</DIV> <DIV>//Dora</DIV></DIV><BR><SPAN style=3D"FONT-SIZE: 13px">--- =A5=BB=B6l= =A5=F3=A8=D3=A6=DBHiNet WebMail ---</SPAN> </DIV></DIV> |
|
From: <dor...@ms...> - 2007-03-21 12:01:53
|
<DIV> <DIV>Hi All,</DIV> <DIV> I use the latest stable userspace release(2.0.= 6)of ebtables,and my linux kernel is 2.6.14.</DIV> <DIV>I have to port ebtables for arm system.But i met one problem= when it was compilered.</DIV> <DIV>It can not find the correct "fork"function. I am sure that i give it t= he correct kernel path.</DIV> <DIV> The error message as below,</DIV> <DIV>----------------------------------------------------------</DIV> <DIV>ebtables.o: In function `ebtables_insmod':<BR>ebtables.c:(.text+0xca0)= : undefined reference to `fork'</DIV> <DIV>----------------------------------------------------------<BR>Anyone c= an give me suggestion, i will very appreciate.</DIV> <DIV>Thanks a lot.</DIV> <DIV>//Dora</DIV></DIV><br><span style=3D"font-size:13px">--- =A5=BB=B6l=A5= =F3=A8=D3=A6=DBHiNet WebMail ---</span> |
|
From: Michael M. <mi...@bl...> - 2007-03-05 22:29:47
|
> Op do, 01-03-2007 te 14:43 -0500, schreef Michael Milner: >> > Op ma, 05-02-2007 te 16:48 -0500, schreef Michael Milner: >> >> Hi, >> >> >> >> I've put together some code to allow IPTables to filter PPPoE traffic >> in >> >> the same way that bridge-nf allows iptables to filter VLAN traffic. >> >> [snip] >> >> The patch is against 2.6.15. Comments appreciated. It works fine >> for >> >> me >> >> but I wanted some input before submitting it "officially". >> > >> > Please update this to 2.6.20. More comments are below. >> > >> > Thanks, >> > Bart >> > >> >> I've made the changes you requested. This patch is now based on >> 2.6.20.1. >> I added a defined constant into if_pppoe.h. > > Hi, > > Thanks for the update, it looks good. I don't want to be annoying, but > still a few remarks: > - arp encapsulated in pppoe should be implemented too (this is used with > pppoe, right?), sorry that I didn't mention that in my previous answer > [snip] > cheers, > Bart Hi, Please don't hold back comments, no matter how small. I want to be able to avoid those problems in future patches! As far as I know arp is not used with PPP since it is only a point to point link. Also, <linux/ppp_defs.h> does not have any definition for arp as a ppp payload (like it does for IP and IPv6). I will make the changes you requested regarding the return statements and resubmit. Thanks! Mike |
|
From: Bart De S. <bds...@pa...> - 2007-03-05 20:23:14
|
Op do, 01-03-2007 te 14:43 -0500, schreef Michael Milner: > > Op ma, 05-02-2007 te 16:48 -0500, schreef Michael Milner: > >> Hi, > >> > >> I've put together some code to allow IPTables to filter PPPoE traffic in > >> the same way that bridge-nf allows iptables to filter VLAN traffic. > >> [snip] > >> The patch is against 2.6.15. Comments appreciated. It works fine for > >> me > >> but I wanted some input before submitting it "officially". > > > > Please update this to 2.6.20. More comments are below. > > > > Thanks, > > Bart > > > > I've made the changes you requested. This patch is now based on 2.6.20.1. > I added a defined constant into if_pppoe.h. Hi, Thanks for the update, it looks good. I don't want to be annoying, but still a few remarks: - arp encapsulated in pppoe should be implemented too (this is used with pppoe, right?), sorry that I didn't mention that in my previous answer - nf_bridge_pad() should be implemented with only one return. The kernel maintainers like code like this: ret = 0; if (skb->nf_bridge && skb->protocol == htons(ETH_P_8021Q)) ret = VLAN_HLEN; else if (skb->nf_bridge && skb->protocol == htons(ETH_P_PPP_SES)) ret = PPPOE_SES_HLEN; return ret; Apart from that it looks great. cheers, Bart |
|
From: Michael M. <mi...@bl...> - 2007-03-01 19:43:58
|
> Op ma, 05-02-2007 te 16:48 -0500, schreef Michael Milner:
>> Hi,
>>
>> I've put together some code to allow IPTables to filter PPPoE traffic in
>> the same way that bridge-nf allows iptables to filter VLAN traffic.
>> [snip]
>> The patch is against 2.6.15. Comments appreciated. It works fine for
>> me
>> but I wanted some input before submitting it "officially".
>
> Please update this to 2.6.20. More comments are below.
>
> Thanks,
> Bart
>
I've made the changes you requested. This patch is now based on 2.6.20.1.
I added a defined constant into if_pppoe.h.
I've tested the code on PPPoE encapsulated IP traffic (simple bridging
only). Please comment!
Mike
--- linux-2.6.20.1/net/bridge/br_netfilter.c 2007-02-20 01:34:32.000000000
-0500
+++ linux-2.6.20.1-modified/net/bridge/br_netfilter.c 2007-03-01
13:29:08.000000000 -0500
@@ -12,6 +12,7 @@
* Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
* (bdschuym)
* Sep 01 2004: add IPv6 filtering (bdschuym)
+ * Jan 16 2007: let iptables see bridged PPPoE IP traffic (mdmilner)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -29,6 +30,8 @@
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
+#include <linux/ppp_defs.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
@@ -57,6 +60,7 @@
static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 1;
+static int brnf_filter_pppoe_tagged __read_mostly = 1;
#else
#define brnf_filter_vlan_tagged 1
#endif
@@ -81,6 +85,21 @@
vlan_proto(skb) == htons(ETH_P_ARP) && \
brnf_filter_vlan_tagged)
+static __be16 inline pppoe_proto(const struct sk_buff *skb)
+{
+ return *((__be16*)(skb->mac.raw + ETH_HLEN + sizeof(struct pppoe_hdr)));
+}
+
+#define IS_PPPOE_IP(skb) \
+ (skb->protocol == htons(ETH_P_PPP_SES) && \
+ pppoe_proto(skb) == htons(PPP_IP) && \
+ brnf_filter_pppoe_tagged)
+
+#define IS_PPPOE_IPV6(skb) \
+ (skb->protocol == htons(ETH_P_PPP_SES) && \
+ pppoe_proto(skb) == htons(PPP_IPV6) && \
+ brnf_filter_pppoe_tagged)
+
/* We need these fake structures to make netfilter happy --
* lots of places assume that skb->dst != NULL, which isn't
* all that unreasonable.
@@ -128,6 +147,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
header_size += VLAN_HLEN;
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ header_size += PPPOE_SES_HLEN;
memcpy(skb->nf_bridge->data, skb->data - header_size, header_size);
}
@@ -143,6 +164,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
header_size += VLAN_HLEN;
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ header_size += PPPOE_SES_HLEN;
err = skb_cow(skb, header_size);
if (err)
@@ -152,6 +175,8 @@
if (skb->protocol == htons(ETH_P_8021Q))
__skb_push(skb, VLAN_HLEN);
+ else if (skb->protocol == htons(ETH_P_PPP_SES))
+ __skb_push(skb, PPPOE_SES_HLEN);
return 0;
}
@@ -175,6 +200,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_frame_finish, 1);
@@ -256,6 +284,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
skb->dst->output(skb);
}
@@ -326,6 +357,10 @@
htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if(skb->protocol ==
+ htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
skb, skb->dev, NULL,
@@ -345,6 +380,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_frame_finish, 1);
@@ -485,7 +523,8 @@
__u32 len;
struct sk_buff *skb = *pskb;
- if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb)) {
+ if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
+ IS_PPPOE_IPV6(skb)) {
#ifdef CONFIG_SYSCTL
if (!brnf_call_ip6tables)
return NF_ACCEPT;
@@ -496,6 +535,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull_rcsum(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull_rcsum(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
}
@@ -504,7 +546,8 @@
return NF_ACCEPT;
#endif
- if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb))
+ if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
+ !IS_PPPOE_IP(skb))
return NF_ACCEPT;
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
@@ -513,6 +556,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull_rcsum(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull_rcsum(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
@@ -594,6 +640,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
skb->dev, br_forward_finish, 1);
@@ -622,7 +671,8 @@
if (!parent)
return NF_DROP;
- if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
+ if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
+ IS_PPPOE_IP(skb))
pf = PF_INET;
else
pf = PF_INET6;
@@ -630,6 +680,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(*pskb, VLAN_HLEN);
(*pskb)->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(*pskb, PPPOE_SES_HLEN);
+ (*pskb)->nh.raw += PPPOE_SES_HLEN;
}
nf_bridge = skb->nf_bridge;
@@ -722,6 +775,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_push(skb, VLAN_HLEN);
skb->nh.raw -= VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_push(skb, PPPOE_SES_HLEN);
+ skb->nh.raw -= PPPOE_SES_HLEN;
}
NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
@@ -766,7 +822,8 @@
if (!realoutdev)
return NF_DROP;
- if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
+ if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
+ IS_PPPOE_IP(skb))
pf = PF_INET;
else
pf = PF_INET6;
@@ -788,6 +845,9 @@
if (skb->protocol == htons(ETH_P_8021Q)) {
skb_pull(skb, VLAN_HLEN);
skb->nh.raw += VLAN_HLEN;
+ } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
+ skb_pull(skb, PPPOE_SES_HLEN);
+ skb->nh.raw += PPPOE_SES_HLEN;
}
nf_bridge_save_header(skb);
@@ -925,6 +985,14 @@
.mode = 0644,
.proc_handler = &brnf_sysctl_call_tables,
},
+ {
+ .ctl_name = NET_BRIDGE_NF_FILTER_PPPOE_TAGGED,
+ .procname = "bridge-nf-filter-pppoe-tagged",
+ .data = &brnf_filter_pppoe_tagged,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &brnf_sysctl_call_tables,
+ },
{ .ctl_name = 0 }
};
--- linux-2.6.20.1/include/linux/netfilter_bridge.h 2007-02-20
01:34:32.000000000 -0500
+++ linux-2.6.20.1-modified/include/linux/netfilter_bridge.h 2007-03-01
13:31:45.000000000 -0500
@@ -7,6 +7,7 @@
#include <linux/netfilter.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
/* Bridge Hooks */
/* After promisc drops, checksum checks. */
@@ -58,8 +59,12 @@
* enough room for the encapsulating header (if there is one). */
static inline int nf_bridge_pad(const struct sk_buff *skb)
{
- return (skb->nf_bridge && skb->protocol == htons(ETH_P_8021Q))
- ? VLAN_HLEN : 0;
+ if (skb->nf_bridge && skb->protocol == htons(ETH_P_8021Q))
+ return VLAN_HLEN;
+ else if (skb->nf_bridge && skb->protocol == htons(ETH_P_PPP_SES))
+ return PPPOE_SES_HLEN;
+ else
+ return 0;
}
struct bridge_skb_cb {
--- linux-2.6.20.1/include/linux/if_pppox.h 2007-02-20 01:34:32.000000000
-0500
+++ linux-2.6.20.1-modified/include/linux/if_pppox.h 2007-03-01
13:30:38.000000000 -0500
@@ -111,6 +111,9 @@
struct pppoe_tag tag[0];
} __attribute__ ((packed));
+/* Length of entire PPPoE + PPP header */
+#define PPPOE_SES_HLEN 8
+
#ifdef __KERNEL__
struct pppoe_opt {
struct net_device *dev; /* device associated with socket*/
--- linux-2.6.20.1/include/linux/sysctl.h 2007-02-20 01:34:32.000000000 -0500
+++ linux-2.6.20.1-modified/include/linux/sysctl.h 2007-03-01
12:01:50.000000000 -0500
@@ -777,6 +777,7 @@
NET_BRIDGE_NF_CALL_IPTABLES = 2,
NET_BRIDGE_NF_CALL_IP6TABLES = 3,
NET_BRIDGE_NF_FILTER_VLAN_TAGGED = 4,
+ NET_BRIDGE_NF_FILTER_PPPOE_TAGGED = 5,
};
/* CTL_FS names: */
|
|
From: Michael M. <mi...@bl...> - 2007-02-28 20:13:31
|
> Op wo, 28-02-2007 te 22:15 +0800, schreef Ming-Ching Tiew: >> From: "Ming-Ching Tiew" <min...@re...> >> > >> > From: "Bart De Schuymer" <bds...@pa...> >> > > > >> > > > How does one use it with iptables ( ie the syntax ) ? >> > > > Will the patch work with tos/dscp match and CLASSIFY ? >> > > >> > > The patch should allow you to use the full functionality of >> iptables. >> > > >> > >> > I look through the archive it seems that there is a patch for it, but >> it's >> > for 2.6 kernel. But I intend to use this functionality on a 2.4 >> kernel. >> > Well I have two paths, either upgrade my kernel to 2.6 or is there >> > a possibility of a 2.4 patch ? ........ I am using an embedded system, >> > to change it to 2.6 will be a big change for me. >> > >> >> Maybe I am asking too much. Actually there is a 2.6 kernel I could use >> for the embedded system, but it is 2.6.19.2, is there one patch for this >> kernel version soon ? > > I didn't write the patch, Michael Milner did and has disappeared since > then (check this mailing list's archives). His patch was against 2.6.15, > maybe you are lucky and it applies to 2.6.19, or you can alter it > without much problems. > > cheers, > Bart Yes, sorry about that. Sunny vacation called! I'm actually working on the patch now and I will resubmit it shortly with your suggested changes. Mike |
|
From: Bart De S. <bds...@pa...> - 2007-02-28 19:45:50
|
Op wo, 28-02-2007 te 22:15 +0800, schreef Ming-Ching Tiew: > From: "Ming-Ching Tiew" <min...@re...> > > > > From: "Bart De Schuymer" <bds...@pa...> > > > > > > > > How does one use it with iptables ( ie the syntax ) ? > > > > Will the patch work with tos/dscp match and CLASSIFY ? > > > > > > The patch should allow you to use the full functionality of iptables. > > > > > > > I look through the archive it seems that there is a patch for it, but it's > > for 2.6 kernel. But I intend to use this functionality on a 2.4 kernel. > > Well I have two paths, either upgrade my kernel to 2.6 or is there > > a possibility of a 2.4 patch ? ........ I am using an embedded system, > > to change it to 2.6 will be a big change for me. > > > > Maybe I am asking too much. Actually there is a 2.6 kernel I could use > for the embedded system, but it is 2.6.19.2, is there one patch for this > kernel version soon ? I didn't write the patch, Michael Milner did and has disappeared since then (check this mailing list's archives). His patch was against 2.6.15, maybe you are lucky and it applies to 2.6.19, or you can alter it without much problems. cheers, Bart |
|
From: Ming-Ching T. <min...@re...> - 2007-02-28 14:16:44
|
From: "Ming-Ching Tiew" <min...@re...> > > From: "Bart De Schuymer" <bds...@pa...> > > > > > > How does one use it with iptables ( ie the syntax ) ? > > > Will the patch work with tos/dscp match and CLASSIFY ? > > > > The patch should allow you to use the full functionality of iptables. > > > > I look through the archive it seems that there is a patch for it, but it's > for 2.6 kernel. But I intend to use this functionality on a 2.4 kernel. > Well I have two paths, either upgrade my kernel to 2.6 or is there > a possibility of a 2.4 patch ? ........ I am using an embedded system, > to change it to 2.6 will be a big change for me. > Maybe I am asking too much. Actually there is a 2.6 kernel I could use for the embedded system, but it is 2.6.19.2, is there one patch for this kernel version soon ? Cheers. |
|
From: Ming-Ching T. <min...@re...> - 2007-02-17 23:54:14
|
From: "Bart De Schuymer" <bds...@pa...> > > > > How does one use it with iptables ( ie the syntax ) ? > > Will the patch work with tos/dscp match and CLASSIFY ? > > The patch should allow you to use the full functionality of iptables. > I look through the archive it seems that there is a patch for it, but it's for 2.6 kernel. But I intend to use this functionality on a 2.4 kernel. Well I have two paths, either upgrade my kernel to 2.6 or is there a possibility of a 2.4 patch ? ........ I am using an embedded system, to change it to 2.6 will be a big change for me. Cheers. |
|
From: Bart De S. <bds...@pa...> - 2007-02-17 08:38:12
|
Op vr, 16-02-2007 te 17:26 +0530, schreef Darshak: > I want to DNAT [ebtables postrouting] a frame.But I have to get the > Destination MAC from IP address .For ebtable will it be possible to know > the > > MAC of that machine from IP Address ? That's currently not supported by ebtables. Check the kernel sourcecode net/bridge/* for information of the bridging code. cheers, Bart |
|
From: Bart De S. <bds...@pa...> - 2007-02-17 08:34:04
|
Op wo, 14-02-2007 te 09:35 +0800, schreef Ming-Ching Tiew: > From: "Bart De Schuymer" <bds...@pa...> > > > > Ebtables can't help you with tc since they are quite unrelated. If you > > can do what you want using iptables then there's hope for you since > > someone recently wrote a patch to support ipv4 encapsulated in pppoe. If > > you need tc, then the tc code needs to be altered which will probably be > > not so easy (I don't know the tc implementation though). > > > > How does one use it with iptables ( ie the syntax ) ? > Will the patch work with tos/dscp match and CLASSIFY ? The patch should allow you to use the full functionality of iptables. cheers, Bart |
|
From: Darshak <da...@el...> - 2007-02-16 12:02:07
|
I want to DNAT [ebtables postrouting] a frame.But I have to get the Destination MAC from IP address .For ebtable will it be possible to know the MAC of that machine from IP Address ? Thanxs Darshak |
|
From: Darshak <da...@el...> - 2007-02-16 10:27:31
|
Can ebtables read bridge information I have to DNAT MAC address by reading the address from bridge information ? How can it be possible? Thanx Darshak |
|
From: Darshak <da...@el...> - 2007-02-16 05:22:46
|
Hi, guys I am new to ebtables. Is there any document describing bridge coding? hacking ? Where and how does bridge stores MAC address of all machines ? |
|
From: Ming-Ching T. <min...@re...> - 2007-02-14 01:42:39
|
From: "Bart De Schuymer" <bds...@pa...> > > Ebtables can't help you with tc since they are quite unrelated. If you > can do what you want using iptables then there's hope for you since > someone recently wrote a patch to support ipv4 encapsulated in pppoe. If > you need tc, then the tc code needs to be altered which will probably be > not so easy (I don't know the tc implementation though). > How does one use it with iptables ( ie the syntax ) ? Will the patch work with tos/dscp match and CLASSIFY ? If yes, there is hope that it will be useful :- iptables ....(pppoe frame) .... -m tos --tos 8 -j CLASSIFY --set-class 1:10 or iptables ....(pppoe frame) .... -m dscp --dscp 64 -j CLASSIFY --set-class 1:10 Best regards. |
|
From: Bart De S. <bds...@pa...> - 2007-02-13 19:57:40
|
Op di, 13-02-2007 te 16:44 +0800, schreef Ming-Ching Tiew: > For example, normal tc script :- > > tc filter add dev ppp0 parent 1:0 prio 10 u32 \ > match ip tos 0x10 0xff \ > flowid 1:4 > > This will work on a ppp0 device because the ppp0 has ip packets flowing > through it. Now in my bridge, there is no such device, I only have access to > eth0 > or eth1, how could I perform the same thing on devices such as eth0 or eth1, > but > matching the ip TOS setting inside the pppoe frame ? > > It seems somebody is already asking for ebtables to deal extra things for > pppoe. > But I wonder if my objective can be met with the help of ebtables ? Ebtables can't help you with tc since they are quite unrelated. If you can do what you want using iptables then there's hope for you since someone recently wrote a patch to support ipv4 encapsulated in pppoe. If you need tc, then the tc code needs to be altered which will probably be not so easy (I don't know the tc implementation though). cheers, Bart |
|
From: Ming-Ching T. <min...@re...> - 2007-02-13 08:41:30
|
I have a requirement which I don't think it's too fancy but there is
probably no off-hand ready solution to it. I would need some
advise on the subject matter.
I have made myself a Linux-based bridge, eth0 bridged with
eth1 to form br0.
In this bridge, I run 'tc' script to handle QoS.
So far nothing unusual.
However, what's different is that this bridge is sitted in between a pppoe
client
and pppoe server, ie pppoe frames are bridge between the Linux bridge, and
I am interested to perform QoS on the pppoe frames, based on the ip tos
setting of the ppp packets ( I presume the ip is encapsulated inside the
pppoe frames ?).
For example, normal tc script :-
tc filter add dev ppp0 parent 1:0 prio 10 u32 \
match ip tos 0x10 0xff \
flowid 1:4
This will work on a ppp0 device because the ppp0 has ip packets flowing
through it. Now in my bridge, there is no such device, I only have access to
eth0
or eth1, how could I perform the same thing on devices such as eth0 or eth1,
but
matching the ip TOS setting inside the pppoe frame ?
It seems somebody is already asking for ebtables to deal extra things for
pppoe.
But I wonder if my objective can be met with the help of ebtables ?
Best regards.
|
|
From: Bart De S. <bds...@pa...> - 2007-02-11 11:31:18
|
Op ma, 05-02-2007 te 16:48 -0500, schreef Michael Milner:
> Hi,
>
> I've put together some code to allow IPTables to filter PPPoE traffic in
> the same way that bridge-nf allows iptables to filter VLAN traffic.
>
> I don't have much experience with this code so my approach is very
> simplistic and modelled after the VLAN code. I have some questions as
> comments in the patches.
>
> I also added a new sysctl entry to allow the functionality to be disabled.
>
> The patch is against 2.6.15. Comments appreciated. It works fine for me
> but I wanted some input before submitting it "officially".
Please update this to 2.6.20. More comments are below.
Thanks,
Bart
> Thanks,
>
> Mike Milner
>
> --- a/include/linux/sysctl.h 2006-03-02 16:18:41.000000000 -0500
> +++ b/include/linux/sysctl.h 2007-01-16 15:42:27.000000000 -0500
> @@ -726,6 +726,7 @@ enum {
> NET_BRIDGE_NF_CALL_IPTABLES = 2,
> NET_BRIDGE_NF_CALL_IP6TABLES = 3,
> NET_BRIDGE_NF_FILTER_VLAN_TAGGED = 4,
> + NET_BRIDGE_NF_FILTER_PPPOE_TAGGED = 5,
> };
>
> /* CTL_PROC names: */
>
> --- a/include/linux/netfilter_bridge.h 2006-03-02 16:18:41.000000000 -0500
> +++ b/include/linux/netfilter_bridge.h 2007-02-02 14:31:15.000000000 -0500
> @@ -72,6 +72,19 @@ void nf_bridge_maybe_copy_header(struct
> if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
> memcpy(skb->data - 18, skb->nf_bridge->data, 18);
> skb_push(skb, 4);
> + }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
Please make this one line, i.e. "} else if ". The same comment holds in
some other places.
> + /*
> + * Not sure about '24'. Default else block below
> + * copies 16 bytes. Block above copies 18 (2 more) but
> + * skb_push's 4 bytes. VLAN header is 4 bytes, so why
> + * aren't 4 extra bytes being memcpy'd?
> + *
> + * I'm memcpy'ing AND skb_push'ing 8 extra bytes, the size
> + * of the PPPoE header.
> + */
Ethernet header is only 14 bytes long, but the networking stack always
puts that in 16 bytes (the first 2 bytes are meaningless afaik). They
probably do that because 16 is a power of 2. Anyway, 14+4=18
> + memcpy(skb->data - 24, skb->nf_bridge->data, 24);
> + skb_push(skb, 8);
> } else
> memcpy(skb->data - 16, skb->nf_bridge->data, 16);
> }
> @@ -84,6 +97,13 @@ void nf_bridge_save_header(struct sk_buf
>
> if (skb->protocol == __constant_htons(ETH_P_8021Q))
> header_size = 18;
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES))
> + header_size = 24;
> + /*
> + * Why does the VLAN code only increase the header by 2 bytes?
> + * AFAIK the VLAN header is 4 bytes. I reserve 8 extra bytes,
> + * the size of the PPPoE header.
> + */
>
> memcpy(skb->nf_bridge->data, skb->data - header_size, header_size);
> }
>
> --- a/net/bridge/br_netfilter.c 2006-03-09 08:19:49.000000000 -0500
> +++ b/net/bridge/br_netfilter.c 2007-02-05 16:26:13.000000000 -0500
> @@ -12,6 +12,7 @@
> * Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
> * (bdschuym)
> * Sep 01 2004: add IPv6 filtering (bdschuym)
> + * Jan 16 2007: let iptables see bridged PPPoE traffic (mdmilner)
> *
> * This program is free software; you can redistribute it and/or
> * modify it under the terms of the GNU General Public License
> @@ -28,6 +29,7 @@
> #include <linux/skbuff.h>
> #include <linux/if_ether.h>
> #include <linux/if_vlan.h>
> +#include <linux/ppp_defs.h>
> #include <linux/netfilter_bridge.h>
> #include <linux/netfilter_ipv4.h>
> #include <linux/netfilter_ipv6.h>
> @@ -53,6 +55,7 @@ static int brnf_call_iptables = 1;
> static int brnf_call_ip6tables = 1;
> static int brnf_call_arptables = 1;
> static int brnf_filter_vlan_tagged = 1;
> +static int brnf_filter_pppoe_tagged = 1;
> #else
> #define brnf_filter_vlan_tagged 1
> #endif
> @@ -67,6 +70,43 @@ static int brnf_filter_vlan_tagged = 1;
> hdr->h_vlan_encapsulated_proto == __constant_htons(ETH_P_ARP) && \
> brnf_filter_vlan_tagged)
>
> +/**
> + * Entire Ethernet + PPPoE + PPP header
> + */
> +struct pppoe_ethhdr {
> + unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
> + unsigned char h_source[ETH_ALEN]; /* source ether addr */
> + __be16 h_pppoe_proto; /* Should always be 0x8864 */
> +#if defined(__LITTLE_ENDIAN_BITFIELD)
> + __u8 ver : 4;
> + __u8 type : 4;
> +#elif defined(__BIG_ENDIAN_BITFIELD)
> + __u8 type : 4;
> + __u8 ver : 4;
> +#elsedevel
> +#error "Please fix <asm/byteorder.h>"
> +#endif
> + __u8 code;
> + __u16 sid;
> + __u16 length;
> + __be16 h_pppoe_encapsulated_proto;
> +} __attribute__ ((packed));
> +
Don't make this new struct, just use include/linux/if_pppox.h.
> +#define PPPOE_HLEN (sizeof(struct pppoe_ethhdr) - ETH_HLEN)
> +
> +/* Extracts the pppoe_ethhdr from an sk_buff */
> +static inline struct pppoe_ethhdr *pppoe_eth_hdr(const struct sk_buff *skb)
> +{
> + return (struct pppoe_ethhdr *)skb->mac.raw;
> +}
> +
> +#define IS_PPPOE_IP (skb->protocol == __constant_htons(ETH_P_PPP_SES) && \
> + pppoe->h_pppoe_encapsulated_proto == __constant_htons(PPP_IP) && \
> + brnf_filter_pppoe_tagged)
> +//#define IS_PPPOE_IPV6 (skb->protocol == __constant_htons(ETH_P_PPP_SES)
> && \
> +// pppoe->h_pppoe_encapsulated_proto == __constant_htons(PPP_P_IPV6) && \
> +// brnf_filter_pppoe_tagged)
> +
> /* We need these fake structures to make netfilter happy --
> * lots of places assume that skb->dst != NULL, which isn't
> * all that unreasonable.
> @@ -195,6 +235,10 @@ static int br_nf_pre_routing_finish_brid
> skb_pull(skb, VLAN_HLEN);
> skb->nh.raw += VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_pull(skb, PPPOE_HLEN);
> + skb->nh.raw += PPPOE_HLEN;
> + }
> skb->dst->output(skb);
> }
> return 0;
> @@ -246,6 +290,11 @@ bridged_dnat:
> skb_push(skb, VLAN_HLEN);
> skb->nh.raw -= VLAN_HLEN;
> }
> + else if (skb->protocol ==
> + __constant_htons(ETH_P_PPP_SES)) {
> + skb_push(skb, PPPOE_HLEN);
> + skb->nh.raw -= PPPOE_HLEN;
> + }
> NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
> skb, skb->dev, NULL,
> br_nf_pre_routing_finish_bridge,
> @@ -266,6 +315,10 @@ bridged_dnat:
> skb_push(skb, VLAN_HLEN);
> skb->nh.raw -= VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_push(skb, PPPOE_HLEN);
> + skb->nh.raw -= PPPOE_HLEN;
> + }
> NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
> br_handle_frame_finish, 1);
>
> @@ -408,6 +461,7 @@ static unsigned int br_nf_pre_routing(un
> struct sk_buff *skb = *pskb;
> struct nf_bridge_info *nf_bridge;
> struct vlan_ethhdr *hdr = vlan_eth_hdr(*pskb);
> + struct pppoe_ethhdr *pppoe = pppoe_eth_hdr(*pskb);
>
> if (skb->protocol == __constant_htons(ETH_P_IPV6) || IS_VLAN_IPV6) {
> #ifdef CONFIG_SYSCTL
> @@ -427,7 +481,8 @@ static unsigned int br_nf_pre_routing(un
> return NF_ACCEPT;
> #endif
>
> - if (skb->protocol != __constant_htons(ETH_P_IP) && !IS_VLAN_IP)
> + if (skb->protocol != __constant_htons(ETH_P_IP) && !IS_VLAN_IP &&
> + !IS_PPPOE_IP)
> return NF_ACCEPT;
>
> if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
> @@ -436,6 +491,13 @@ static unsigned int br_nf_pre_routing(un
> if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
> skb_pull(skb, VLAN_HLEN);
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + /* Not sure why VLAN doesn't have the '+=' line, but PPPoE
> + * doesn't work without it
> + */
Later kernel versions differ here. Try 2.6.20.
> + skb_pull(skb, PPPOE_HLEN);
> + skb->nh.raw += PPPOE_HLEN;
> + }
>
> if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> goto inhdr_error;
> @@ -522,6 +584,10 @@ static int br_nf_forward_finish(struct s
> skb_push(skb, VLAN_HLEN);
> skb->nh.raw -= VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_push(skb, PPPOE_HLEN);
> + skb->nh.raw -= PPPOE_HLEN;
> + }
> NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
> skb->dev, br_forward_finish, 1);
> return 0;
> @@ -539,6 +605,7 @@ static unsigned int br_nf_forward_ip(uns
> struct sk_buff *skb = *pskb;
> struct nf_bridge_info *nf_bridge;
> struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
> + struct pppoe_ethhdr *pppoe = pppoe_eth_hdr(skb);
> struct net_device *parent;
> int pf;
>
> @@ -549,7 +616,8 @@ static unsigned int br_nf_forward_ip(uns
> if (!parent)
> return NF_DROP;
>
> - if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
> + if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP ||
> + IS_PPPOE_IP)
> pf = PF_INET;
> else
> pf = PF_INET6;
> @@ -558,6 +626,10 @@ static unsigned int br_nf_forward_ip(uns
> skb_pull(*pskb, VLAN_HLEN);
> (*pskb)->nh.raw += VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_pull(*pskb, PPPOE_HLEN);
> + (*pskb)->nh.raw += PPPOE_HLEN;
> + }
>
> nf_bridge = skb->nf_bridge;
> if (skb->pkt_type == PACKET_OTHERHOST) {
> @@ -617,6 +689,10 @@ static int br_nf_local_out_finish(struct
> skb_push(skb, VLAN_HLEN);
> skb->nh.raw -= VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_push(skb, PPPOE_HLEN);
> + skb->nh.raw -= PPPOE_HLEN;
> + }
>
> NF_HOOK_THRESH(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
> br_forward_finish, NF_BR_PRI_FIRST + 1);
> @@ -652,12 +728,14 @@ static unsigned int br_nf_local_out(unsi
> struct sk_buff *skb = *pskb;
> struct nf_bridge_info *nf_bridge;
> struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
> + struct pppoe_ethhdr *pppoe = pppoe_eth_hdr(skb);
> int pf;
>
> if (!skb->nf_bridge)
> return NF_ACCEPT;
>
> - if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
> + if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP ||
> + IS_PPPOE_IP)
> pf = PF_INET;
> else
> pf = PF_INET6;
> @@ -687,6 +765,10 @@ static unsigned int br_nf_local_out(unsi
> skb_push(skb, VLAN_HLEN);
> skb->nh.raw -= VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_push(skb, PPPOE_HLEN);
> + skb->nh.raw -= PPPOE_HLEN;
> + }
>
> NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev,
> skb->dev, br_forward_finish);
> @@ -705,6 +787,10 @@ static unsigned int br_nf_local_out(unsi
> skb_pull(skb, VLAN_HLEN);
> (*pskb)->nh.raw += VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_pull(skb, PPPOE_HLEN);
> + (*pskb)->nh.raw += PPPOE_HLEN;
> + }
> /* IP forwarded traffic has a physindev, locally
> * generated traffic hasn't. */
> if (realindev != NULL) {
> @@ -736,6 +822,7 @@ static unsigned int br_nf_post_routing(u
> struct sk_buff *skb = *pskb;
> struct nf_bridge_info *nf_bridge = (*pskb)->nf_bridge;
> struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
> + struct pppoe_ethhdr *pppoe = pppoe_eth_hdr(skb);
> struct net_device *realoutdev = bridge_parent(skb->dev);
> int pf;
>
> @@ -755,7 +842,8 @@ static unsigned int br_nf_post_routing(u
> if (!realoutdev)
> return NF_DROP;
>
> - if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
> + if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP ||
> + IS_PPPOE_IP)
> pf = PF_INET;
> else
> pf = PF_INET6;
> @@ -778,6 +866,10 @@ static unsigned int br_nf_post_routing(u
> skb_pull(skb, VLAN_HLEN);
> skb->nh.raw += VLAN_HLEN;
> }
> + else if (skb->protocol == __constant_htons(ETH_P_PPP_SES)) {
> + skb_pull(skb, PPPOE_HLEN);
> + skb->nh.raw += PPPOE_HLEN;
> + }
>
> nf_bridge_save_header(skb);
>
> @@ -1004,6 +1096,14 @@ static ctl_table brnf_table[] = {
> .mode = 0644,
> .proc_handler = &brnf_sysctl_call_tables,
> },
> + {
> + .ctl_name = NET_BRIDGE_NF_FILTER_PPPOE_TAGGED,
> + .procname = "bridge-nf-filter-pppoe-tagged",
> + .data = &brnf_filter_pppoe_tagged,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = &brnf_sysctl_call_tables,
> + },
> { .ctl_name = 0 }
> };
>
>
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier.
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Ebtables-devel mailing list
> Ebt...@li...
> https://lists.sourceforge.net/lists/listinfo/ebtables-devel
>
|
4 messages has been excluded from this view by a project administrator.
