From: "Yossi Weihs" <yw@seafire.com>
To: <netfilter-devel@vger.kernel.org>
Cc: <yw@seafire.com>
Subject: newbie: writing custom target, need help with getting it to work
Date: Sun, 8 Aug 2010 16:20:09 -0400 [thread overview]
Message-ID: <00fe01cb3737$19358d20$4ba0a760$@com> (raw)
Hi List,
I have been working on a custom netfilter target to help with some in-house
testing. I'm running Fedora 13 and building within xtables-addons v 1.2.6;
I have gotten both the kernel module and library to build correctly within
the xtables-addons build environment, and am inserting the kernel module with
no errors. When trying to create a rule with my target, I get the cryptic
error:
iptables --verbose --table filter --insert INPUT --protocol TCP -m state
--state ESTABLISHED --jump TAP --device TAPPY
TAP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state ESTABLISHED TAP
dev:TAPPY
iptables: No chain/target/match by that name.
I'm seeing dev:TAPPY, which I think means the user-space library correctly
parsed the parameters. Since I manually inserted the module, I know it's
there, although I did not see the module initialization kernel info
message... Any ideas on where to look next? I have attached my target code.
Thanks!
Joseph "Yossi" Weihs, CTO
SeaFire Micros, Inc.
39 Dodge St, #319
Beverly, MA 01915
http://www.seafire.com
yw@seafire.com
http://twitter.com/SeaFireMicros
****************************************************************************
*********************************************
This message is a PRIVATE communication. This message and all attachments
are a private communication sent by SeaFire and may be confidential or
protected by privilege. If you are not the intended recipient, you are
hereby notified that any disclosure, copying, distribution or use of the
information contained in or attached to this message is strictly
prohibited. Please notify the sender of the delivery error by replying to
this message, and then delete it from your system. Thank you.
****************************************************************************
*********************************************
[-- Attachment #2: xt_TAP.c --]
[-- Type: application/octet-stream, Size: 4227 bytes --]
/*
* "TAP" target extension for Xtables
*
*/
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/net.h>
#include <linux/route.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/ip6_route.h>
#include <net/route.h>
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
#include <asm/semaphore.h>
#else
#include <linux/semaphore.h>
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# define WITH_CONNTRACK 1
# include <net/netfilter/nf_conntrack.h>
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
# define WITH_IPV6 1
#endif
#include "compat_xtables.h"
#include "seabatch.h"
#include "xt_TAP.h"
/*
 * IPv4 target hook for the TAP target.
 *
 * Only the framing of the hook is shown here: the poster removed the
 * packet-processing body ("snip some code removed" below), so the unused
 * locals (tcph, tcpdlen, buf, iptcphlen) and the `fallout` label presumably
 * belong to that missing part.
 *
 * What is visible: the packet's IPv4 addresses are compared against the
 * per-rule filter table, a matching entry's lock is taken, and the packet is
 * always passed on with XT_CONTINUE.
 *
 * @pskb: pointer to the packet buffer being processed
 * @par:  Xtables target parameters; par->targinfo is the per-rule data
 * Returns XT_CONTINUE in every path.
 */
static unsigned int
tap_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_tap_tginfo *info = par->targinfo;
/* Casts away const on the per-rule data purely to reach the lock pointer.
 * NOTE(review): par->targinfo is shared by every CPU running this rule; any
 * write through private_info in the snipped code would be a data race. */
struct xt_tap_tginfo *private_info = (struct xt_tap_tginfo *)par->targinfo;
const struct sk_buff *skb = *pskb;
const struct iphdr *iph;
const struct tcphdr *tcph;
int iptcphlen,tcpdlen,idx,fidx;
void * buf;
iph = ip_hdr(skb);
/* Select a filter entry. The original comment said "source and dest", but
 * the test below is an OR: a match on either the source or the destination
 * address selects the entry — confirm which is intended. There is no break,
 * so when several entries match the LAST one wins.
 * The loop trusts info->filter_count to be within tap_filter[]; the bound
 * is expected to be enforced when the rule is checked, not here. */
fidx = -1;
for (idx = 0; idx < info->filter_count; ++idx) {
if ((iph->saddr == info->tap_filter[idx].source) ||
(iph->daddr == info->tap_filter[idx].dest)) {
fidx = idx;
}
}
if (-1 == fidx) {
return XT_CONTINUE;
}
iptcphlen = ip_hdrlen(skb);
/* Take the selected entry's lock.
 * NOTE(review): a semaphore down() can sleep. Xtables target hooks run in
 * softirq/atomic context, where sleeping is not permitted, so this is a
 * crash path reachable from ordinary traffic — a spinlock (or RCU for a
 * read-mostly table) is the usual fit. Confirm against the definition of
 * the lock field in xt_TAP.h. */
if (down_interruptible(private_info->tap_filter[fidx].lock)) {
printk(KERN_CRIT "TAP down_interruptible %s %d\n",__FILE__,__LINE__);
return XT_CONTINUE;
}
// snip some code removed
/* Common exit once the lock is held; presumably reached by goto from the
 * snipped code. */
fallout:
/* Release the entry's lock. */
up(private_info->tap_filter[fidx].lock);
/* Always let rule traversal continue. */
return XT_CONTINUE;
}
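#ifdef WITH_IPV6
/*
 * IPv6 target hook: the TAP target has no IPv6 implementation, so every
 * packet is passed through unchanged.
 *
 * The warning is rate-limited with net_ratelimit() because this hook runs
 * once per matching packet; an attacker-controlled packet stream could
 * otherwise flood the kernel log. The message also gains the trailing
 * newline the original lacked, so it no longer fuses with the next log line.
 *
 * @pskb: pointer to the packet buffer being processed (unused)
 * @par:  Xtables target parameters (unused)
 * Returns XT_CONTINUE so rule traversal proceeds.
 */
static unsigned int
tap_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
	if (net_ratelimit())
		printk(KERN_WARNING "TAP IPV6 not supported\n");
	return XT_CONTINUE;
}
#endif /* WITH_IPV6 */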
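/*
 * Rule-insertion check for the TAP target (used for both families).
 *
 * Registers the tap device named in the user-supplied rule data with the
 * Splinter library and copies its connection-filter table into the rule's
 * private data. The hook (tap_tg4) later indexes tap_filter[] up to
 * filter_count, so the count is bounded here against the array size; the
 * copy size below suggests tap_filter[] holds MAX_FILTERS_PER_TARGET entries.
 *
 * @par: Xtables check parameters; par->targinfo is the per-rule data
 * Returns 0 on success, -EINVAL if registration or the table copy fails or
 * if the library reports more entries than the array can hold.
 *
 * NOTE(review): info->dev comes straight from user space. If it is a fixed
 * char array, its NUL termination should be enforced before it is handed to
 * the library — confirm the definition in xt_TAP.h.
 * NOTE(review): the lock pointers in tap_filter[] are taken by tap_tg4 but
 * nothing here initialises them; presumably Copy_Splinter_Table does — verify.
 * NOTE(review): whether checkentry returns int (0/-errno) or bool depends on
 * the kernel and on what compat_xtables.h maps for it — confirm for the
 * target kernel.
 */
static int tap_tg_check(const struct xt_tgchk_param *par)
{
	/* Const view of fields set by user space */
	const struct xt_tap_tginfo *info = par->targinfo;
	/* Non-const view of the same rule data for the private fields;
	 * TODO: find a more elegant way to store TARGET-specific private
	 * information */
	struct xt_tap_tginfo *private_info = par->targinfo;
	int count;

	private_info->handle = Splinter_Register_TAP(info->dev);
	if (!private_info->handle) {
		/* Failed to register! */
		printk(KERN_ERR "TAP sorry failed to get handle.\n");
		return -EINVAL;
	}

	count = Copy_Splinter_Table(private_info->handle,
				    &private_info->tap_filter[0],
				    MAX_FILTERS_PER_TARGET *
				    sizeof(struct SeaFire_Connection_Filter));
	/* -1 is the library's failure code; any other negative value is
	 * refused too rather than being stored as a count. A count larger
	 * than tap_filter[] must never reach the hook, which would read past
	 * the array. Assumes the return value is an entry count, not a byte
	 * count — TODO confirm with Copy_Splinter_Table. */
	if (count < 0 || count > MAX_FILTERS_PER_TARGET) {
		/* NOTE(review): no unregister call is visible, so the handle
		 * obtained above is dropped without being released here —
		 * confirm whether the library provides one. */
		private_info->handle = 0;
		return -EINVAL;
	}
	private_info->filter_count = count;
	printk(KERN_INFO "SeaFire TAP Check Passed\n");
	return 0;
}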
/* Unclear why, but this does not exist in the current revision of the library:
static int tap_tg_dtor(const struct xt_tgchk_param *par)
{
const struct xt_tap_tginfo *info = par->targinfo;
return 0;
}
*/
/*
 * Target registration table: one entry per address family. Both entries
 * share the name "TAP", revision 0, the same per-rule data size and the
 * same check routine; only the hook function differs.
 *
 * NOTE(review): no .destroy callback is registered (the commented-out
 * tap_tg_dtor above was never wired in), so the handle that tap_tg_check
 * stores in the rule data is never released when a rule is deleted.
 */
static struct xt_target tap_tg_reg[] __read_mostly = {
{
.name = "TAP",
.revision = 0,
.family = NFPROTO_IPV4,
.target = tap_tg4,
/* Must match the size the user-space library declares, otherwise the
 * kernel rejects the rule. */
.targetsize = sizeof(struct xt_tap_tginfo),
.checkentry = tap_tg_check,
// .destroy = tap_tg_dtor,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "TAP",
.revision = 0,
.family = NFPROTO_IPV6,
/* IPv6 hook only logs and passes the packet through. */
.target = tap_tg6,
.targetsize = sizeof(struct xt_tap_tginfo),
.checkentry = tap_tg_check,
// .destroy = tap_tg_dtor,
.me = THIS_MODULE,
},
#endif
};
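/*
 * Module entry point: registers the TAP target(s) with Xtables.
 *
 * The "Installed" message is logged only after registration succeeded, so
 * a failed insmod does not leave a misleading line in the kernel log.
 *
 * Returns 0 on success or the negative error from xt_register_targets().
 */
static int __init tap_tg_init(void)
{
	int ret = xt_register_targets(tap_tg_reg, ARRAY_SIZE(tap_tg_reg));

	if (ret)
		return ret;
	printk(KERN_INFO "SeaFire TAP Installed\n");
	return 0;
}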
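/*
 * Module exit: unregisters the TAP target(s), then logs the removal so the
 * message reflects a state that is actually true when it appears.
 *
 * NOTE(review): nothing is released here and no .destroy callback is
 * registered, so handles obtained in tap_tg_check are never freed.
 */
static void __exit tap_tg_exit(void)
{
	xt_unregister_targets(tap_tg_reg, ARRAY_SIZE(tap_tg_reg));
	printk(KERN_INFO "SeaFire TAP Removed\n");
}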
/* Module hooks.
 * NOTE(review): no MODULE_ALIAS is declared. The kernel auto-loads a target
 * module by requesting "<family prefix>t_<name>", so MODULE_ALIAS("ipt_TAP")
 * (and "ip6t_TAP" under WITH_IPV6) would let iptables load this module on
 * demand instead of requiring a manual insmod first.
 * NOTE(review): no MODULE_LICENSE()/MODULE_DESCRIPTION() is declared either;
 * add MODULE_LICENSE("<project license>") so loading does not taint the
 * kernel and license-gated symbols remain available where permitted. */
module_init(tap_tg_init);
module_exit(tap_tg_exit);