From: Will M. <wil...@gm...> - 2008-12-02 13:23:56
Thanks for the patches. We will have a look at them.
Regards,
Will
On Tue, Dec 2, 2008 at 3:16 AM, Eric Leblond <er...@in...> wrote:
> This patch adds a netfilter_reinject_mask option which can be
> used to modify the packet mark only within the selected mask.
> For example, using mark 1 and mask 1 (thus reserving one bit for
> the reinjection process), you can send all traffic to snort-inline
> by adding at the top of your ruleset:
> iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
>
> Signed-off-by: Eric Leblond <er...@in...>
> ---
> src/inline.c | 10 +++++++---
> src/parser.c | 20 ++++++++++++++++++++
> src/snort.h | 1 +
> 3 files changed, 28 insertions(+), 3 deletions(-)
>
> diff --git a/src/inline.c b/src/inline.c
> index 2f3b6f0..a5f8766 100644
> --- a/src/inline.c
> +++ b/src/inline.c
> @@ -242,7 +242,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
> //ipq_pkt.packet_id = glid;
> //ipq_pkt.hw_protocol = ntohs(ph->hw_protocol);
> //ipq_pkt.hook = ph->hook;
> - //ipq_pkt.mark = nfq_get_nfmark(nfa);
> + ipq_pkt.mark = nfq_get_nfmark(nfa);
>
> /* TODO: we only use this for rejects, so we might move
> * this to the reject code */
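Review bot: The newly live `ipq_pkt.mark = nfq_get_nfmark(nfa);` has no comment saying why this one field is populated while its neighbours stay commented out, and the reader has to find the HandlePacket hunks to learn that the mark is later ORed back into the NF_REPEAT verdict. A one-line comment such as `/* keep the kernel nfmark so HandlePacket can preserve it when reinjecting */` would anchor that; this assumes ipq_pkt is what HandlePacket sees as m, which is not visible in this hunk. nfq_get_nfmark() returns the mark in host order, so the htonl() applied to the combined value later is consistent. The enclosing cb() continues outside the hunk.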
> @@ -998,7 +998,9 @@ void HandlePacket()
> #ifdef NFNETLINKQ
> if (pv.netfilter_reinject_mark)
> {
> - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL);
> + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
> + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
> + 0, NULL);
> } else {
> status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
> }
> @@ -1018,7 +1020,9 @@ void HandlePacket()
> {
> #ifdef NFNETLINKQ
> if (pv.netfilter_reinject_mark) {
> - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload);
> + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
> + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
> + m->data_len, m->payload);
> } else {
> status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
> }
> diff --git a/src/parser.c b/src/parser.c
> index 991a8f7..b0ac525 100644
> --- a/src/parser.c
> +++ b/src/parser.c
> @@ -6861,6 +6861,26 @@ void ParseConfig(char *rule)
> return;
>
> }
> + else if(!strcasecmp(config, "netfilter_reinject_mask"))
> + {
> + if(args)
> + {
> + toks = mSplit(args, " ", 1, &num_toks, 0);
> +#ifdef GIDS
> +#ifdef NFNETLINKQ
> + pv.netfilter_reinject_mask = atoi(toks[0]);
> +#endif
> +#endif
> +
> + mSplitFree( &toks, num_toks );
> + }
> +
> + mSplitFree(&rule_toks,num_rule_toks);
> + mSplitFree(&config_decl,num_config_decl_toks);
> +
> + return;
> +
> + }
> else if(!strcasecmp(config, "asn1"))
> {
> toks = mSplit(args, ", ", 20, &num_toks, 0);
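Review bot: `atoi(toks[0])` accepts only decimal and reports no parse failure, so a mask written as `0xff` is stored as 0 and a non-numeric value is silently stored as 0, and that value then gates every reinjection verdict in HandlePacket. Parsing with `strtoul(toks[0], &end, 0)` accepts hex and octal, and the failure conditions (`end == toks[0 ]`, trailing characters, `ERANGE`, value above 32 bits) can be rejected through the file's usual fatal config-error path. `toks[0]` is also read without checking `num_toks`; whether mSplit guarantees a token for non-empty `args` is not visible here, so a `num_toks > 0` guard is cheap. strtoul and errno need `<stdlib.h>` and `<errno.h>`, which parser.c presumably already includes given its existing atoi() use.
```c
            else if(!strcasecmp(config, "netfilter_reinject_mask"))
            {
                if(args)
                {
                    toks = mSplit(args, " ", 1, &num_toks, 0);
#ifdef GIDS
#ifdef NFNETLINKQ
                    if(num_toks > 0)
                    {
                        char *end = NULL;
                        unsigned long mask;

                        errno = 0;
                        mask = strtoul(toks[0], &end, 0);
                        if(end == toks[0] || *end != '\0' || errno == ERANGE || mask > 0xffffffffUL)
                        {
                            /* reject the option via the file's usual fatal config-error path */
                        }
                        pv.netfilter_reinject_mask = (unsigned int)mask;
                    }
#endif
#endif
                    /* … unchanged: mSplitFree(&toks, num_toks) … */
                }
                /* … unchanged: mSplitFree of rule_toks/config_decl and return … */
```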
> diff --git a/src/snort.h b/src/snort.h
> index a9ea3a4..d0f1542 100644
> --- a/src/snort.h
> +++ b/src/snort.h
> @@ -300,6 +300,7 @@ typedef struct _progvars
> #endif /* USE IPFW DIVERT socket instead of IPtables */
> #ifdef NFNETLINKQ
> int netfilter_reinject_mark;
> + int netfilter_reinject_mask;
> #endif
> #endif /* GIDS */
> #ifdef WIN32
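Review bot: `netfilter_reinject_mask` is declared `int`, but it is ANDed with nfmark values and passed through htonl() to nfq_set_verdict_mark, whose mark is a 32-bit unsigned quantity; a mask that sets bit 31 (0x80000000) is negative as an int and cannot be produced by the atoi() in parser.c at all. Declaring it `unsigned int netfilter_reinject_mask;` matches the API (the sibling `netfilter_reinject_mark` has the same weakness but is pre-existing). The field also deserves a comment, e.g. `/* which bits of netfilter_reinject_mark are applied on NF_REPEAT; see the netfilter_reinject_mask config option */`. The enclosing `_progvars` struct starts and ends outside the hunk.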
> --
> 1.5.6.5
>
>
>