newbie: writing custom target, need help with getting it to work

newbie: writing custom target, need help with getting it to work

[Yossi Weihs]

[-- Attachment #1: Type: text/plain, Size: 1894 bytes --]

Hi List,

I have been working on a custom netfilter target to help with some in-house
testing. I’m running Fedora 13 and building within xtables-addons v 1.2.6 ;
I have gotten both the kernel module and library to build correctly within
the xtables-addons build enviroment, and am inserting the kernel module with
no errors. When trying to create a rule with my target, I get the cryptic
error:

iptables --verbose --table filter --insert INPUT --protocol TCP -m state
--state ESTABLISHED --jump TAP --device TAPPY
TAP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state ESTABLISHED TAP
dev:TAPPY 
iptables: No chain/target/match by that name.

I’m seeing dev:TAPPY, which I think means the user space library correctly
parsed the parameters. Since I manually inserted the module, I know it’s
there, although I did not see the module initialization kernel info
message... Any ideas on where to look next? I have attached my target code.

Thanks!


Joseph "Yossi" Weihs, CTO

SeaFire Micros, Inc.
39 Dodge St, #319
Beverly, MA 01915

http://www.seafire.com
yw@seafire.com
http://twitter.com/SeaFireMicros


****************************************************************************
*********************************************
This message is a PRIVATE communication. This message and all attachments
are a private communication sent by SeaFire and may be confidential or
protected by privilege. If you are not the intended recipient, you are
hereby notified that any disclosure, copying, distribution or use of the
information contained in or attached to this message is strictly
prohibited.  Please notify the sender of the delivery error by replying to
this message, and then delete it from your system.  Thank you.
****************************************************************************
*********************************************


[-- Attachment #2: xt_TAP.c --]
[-- Type: application/octet-stream, Size: 4227 bytes --]

/*
 *	"TAP" target extension for Xtables
 *
 */
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/route.h>
#include <linux/skbuff.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/ip6_route.h>
#include <net/route.h>
#include <linux/netfilter/x_tables.h>

#include <linux/version.h>
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
#include <asm/semaphore.h>
#else
#include <linux/semaphore.h>
#endif


#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#	define WITH_CONNTRACK 1
#	include <net/netfilter/nf_conntrack.h>
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#	define WITH_IPV6 1
#endif

#include "compat_xtables.h"
#include "seabatch.h"
#include "xt_TAP.h"

static unsigned int
tap_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
	const struct xt_tap_tginfo *info = par->targinfo;
	struct xt_tap_tginfo *private_info = (struct xt_tap_tginfo *)par->targinfo;
	const struct sk_buff *skb = *pskb;
	const struct iphdr *iph;
	const struct tcphdr *tcph;
	int iptcphlen,tcpdlen,idx,fidx;
	void * buf;

	iph = ip_hdr(skb);
	// verify source and dest address match
	fidx = -1;
	for (idx = 0; idx < info->filter_count; ++idx) {
		if ((iph->saddr == info->tap_filter[idx].source) ||
		    (iph->daddr == info->tap_filter[idx].dest)) {
			fidx = idx;
		}
	}
	if (-1 == fidx) {
		return XT_CONTINUE;
	}
	iptcphlen = ip_hdrlen(skb);

	// Time to grab mutex
	if (down_interruptible(private_info->tap_filter[fidx].lock)) {
		printk(KERN_CRIT "TAP down_interruptible %s %d\n",__FILE__,__LINE__);
		return XT_CONTINUE;
	}

	// snip some code removed
	
	// Fall out
	fallout:
	// Release Mutex
	up(private_info->tap_filter[fidx].lock);
	// done
	return XT_CONTINUE;
}

#ifdef WITH_IPV6
static unsigned int
tap_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
	printk (KERN_WARNING "TAP IPV6 not supported");
	return XT_CONTINUE;
}
#endif /* WITH_IPV6 */

static int tap_tg_check(const struct xt_tgchk_param *par)
{
	/* Const access to fields set by user space */
	const struct xt_tap_tginfo 	 *info = par->targinfo;
	/* non-const access to private TARGET module fields; TODO: find more elegant
	   way to store TARGET specific private information */
	struct xt_tap_tginfo *private_info = par->targinfo;
	int err;

	private_info->handle = Splinter_Register_TAP(info->dev);

	if (!private_info->handle) {
		/* Failed to register! */
		printk (KERN_ERR "TAP sorry failed to get handle.\n");
		return -EINVAL;
	}

	err = Copy_Splinter_Table(private_info->handle, 
	                          &private_info->tap_filter[0],
	                          MAX_FILTERS_PER_TARGET * 
	                            sizeof(struct SeaFire_Connection_Filter));

	if (-1 == err) {
		private_info->handle = 0;
		return -EINVAL;
	}

	private_info->filter_count = err;

	printk(KERN_INFO "SeaFire TAP Check Passed\n");
	
	return 0;
}

/* dunno why - this does not exist in current rev of library
static int tap_tg_dtor(const struct xt_tgchk_param *par)
{
	const struct xt_tap_tginfo *info = par->targinfo;

	return 0;
}
*/

static struct xt_target tap_tg_reg[] __read_mostly = {
	{
		.name       = "TAP",
		.revision   = 0,
		.family     = NFPROTO_IPV4,
		.target     = tap_tg4,
		.targetsize = sizeof(struct xt_tap_tginfo),
		.checkentry = tap_tg_check,
//		.destroy    = tap_tg_dtor,
		.me         = THIS_MODULE,
	},
#ifdef WITH_IPV6
	{
		.name       = "TAP",
		.revision   = 0,
		.family     = NFPROTO_IPV6,
		.target     = tap_tg6,
		.targetsize = sizeof(struct xt_tap_tginfo),
		.checkentry = tap_tg_check,
//		.destroy    = tap_tg_dtor,
		.me         = THIS_MODULE,
	},
#endif
};

static int __init tap_tg_init(void)
{
	printk(KERN_INFO "SeaFire TAP Installed\n");
	return xt_register_targets(tap_tg_reg, ARRAY_SIZE(tap_tg_reg));
}

static void __exit tap_tg_exit(void)
{
	printk(KERN_INFO "SeaFire TAP Removed\n");
	xt_unregister_targets(tap_tg_reg, ARRAY_SIZE(tap_tg_reg));
	/* Free up any allocated memory */
}

module_init(tap_tg_init);
module_exit(tap_tg_exit);

Re: newbie: writing custom target, need help with getting it to work

[Jan Engelhardt]

On Sunday 2010-08-08 22:20, Yossi Weihs wrote:

>Hi List,
>
>I have been working on a custom netfilter target to help with some in-house
>testing. I?m running Fedora 13 and building within xtables-addons v 1.2.6 ;
>I have gotten both the kernel module and library to build correctly within
>the xtables-addons build enviroment, and am inserting the kernel module with
>no errors. When trying to create a rule with my target, I get the cryptic
>error:
>
>iptables --verbose --table filter --insert INPUT --protocol TCP -m state
>--state ESTABLISHED --jump TAP --device TAPPY
>TAP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state ESTABLISHED TAP
>dev:TAPPY 
>iptables: No chain/target/match by that name.

When you want iptables to recognize (the user portion) of Xt-a's extra 
modules, you need to point to it via the XTABLES_LIBDIR environment 
variable.

XTABLES_LIBDIR=$HOME/xta/extensions:/usr/lib(64)/xtables iptables -S

Don't forget usr/lib/xtables otherwise it won't find the tcp match and 
all the ones that already ship with iptables.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: newbie: writing custom target, need help with getting it to work

[Yossi Weihs]

Thanks Jan!

I have added the env variable, but saw no change. My libxt_TAP.so is getting found as it is checking my parameter. I have tried a different xtables_addons target such as TEE, and the rule gets inserted fine. I had SELinux block my libxt_TAP.so and had added it to the SELinux rules, so that shouldn't be a problem. Any other idea what might be going on? I know my module is calling xt_register_targets(), is there a way for me to check the contents of its tables?

Thanks for looking at my code! I'll switch my mutex to a spinlock - I'd be wasting a lot of time once I get running with this without your help.

Yossi Weihs

-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@medozas.de] 
Sent: Sunday, August 08, 2010 4:29 PM
To: Yossi Weihs
Cc: netfilter-devel@vger.kernel.org
Subject: Re: newbie: writing custom target, need help with getting it to work

On Sunday 2010-08-08 22:20, Yossi Weihs wrote:

>Hi List,
>
>I have been working on a custom netfilter target to help with some in-house
>testing. I?m running Fedora 13 and building within xtables-addons v 1.2.6 ;
>I have gotten both the kernel module and library to build correctly within
>the xtables-addons build enviroment, and am inserting the kernel module with
>no errors. When trying to create a rule with my target, I get the cryptic
>error:
>
>iptables --verbose --table filter --insert INPUT --protocol TCP -m state
>--state ESTABLISHED --jump TAP --device TAPPY
>TAP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state ESTABLISHED TAP
>dev:TAPPY 
>iptables: No chain/target/match by that name.

When you want iptables to recognize (the user portion) of Xt-a's extra 
modules, you need to point to it via the XTABLES_LIBDIR environment 
variable.

XTABLES_LIBDIR=$HOME/xta/extensions:/usr/lib(64)/xtables iptables -S

Don't forget usr/lib/xtables otherwise it won't find the tcp match and 
all the ones that already ship with iptables.

RE: newbie: writing custom target, need help with getting it to work

[Jan Engelhardt]

On Sunday 2010-08-08 23:09, Yossi Weihs wrote:

>I have added the env variable, but saw no change.

Make sure that xt_TAP.ko is then actually loaded.

>going on? I know my module is calling xt_register_targets(), is there a 
>way for me to check the contents of its tables?

iptables -vvL

should print the semi-raw dump of the table before trying to resolve 
targets.

RE: newbie: writing custom target, need help with getting it to work

[Yossi Weihs]

OK - xt_TAP.ko is not getting loaded by iptables. I can modprobe it
manually, but iptables won't load it. Trying telling iptables which modprobe
to use, but no luck. xt_TEE.ko is getting loaded fine, and I cloned my
module off it ... I feel we're getting close.

-YW

-----Original Message-----
From: netfilter-devel-owner@vger.kernel.org
[mailto:netfilter-devel-owner@vger.kernel.org] On Behalf Of Jan Engelhardt
Sent: Sunday, August 08, 2010 5:13 PM
To: Yossi Weihs
Cc: netfilter-devel@vger.kernel.org
Subject: RE: newbie: writing custom target, need help with getting it to
work

On Sunday 2010-08-08 23:09, Yossi Weihs wrote:

>I have added the env variable, but saw no change.

Make sure that xt_TAP.ko is then actually loaded.

>going on? I know my module is calling xt_register_targets(), is there a 
>way for me to check the contents of its tables?

iptables -vvL

should print the semi-raw dump of the table before trying to resolve 
targets.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: newbie: writing custom target, need help with getting it to work

[Jan Engelhardt]

On Monday 2010-08-09 06:23, Yossi Weihs wrote:

>OK - xt_TAP.ko is not getting loaded by iptables. I can modprobe it
>manually, but iptables won't load it. Trying telling iptables which modprobe
>to use, but no luck. xt_TEE.ko is getting loaded fine, and I cloned my
>module off it ... I feel we're getting close.

iptables just calls modprobe. And modprobe only looks in /lib/modules.

Re: newbie: writing custom target, need help with getting it to work

[Jan Engelhardt]

On Sunday 2010-08-08 22:20, Yossi Weihs wrote:

>I?m seeing dev:TAPPY, which I think means the user space library correctly
>parsed the parameters. Since I manually inserted the module, I know it?s
>there, although I did not see the module initialization kernel info
>message... Any ideas on where to look next? I have attached my target code.

>#include "compat_xtables.h"
>#include "seabatch.h"
>#include "xt_TAP.h"
>
>static unsigned int
>tap_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
>{
...
>	// Time to grab mutex
>	if (down_interruptible(private_info->tap_filter[fidx].lock)) {

Your tap makes for water damage. You must not sleep in Xtables kernel
code, that is, anythiing higher of a class than a spinlock_bh
is a no-no.

>		printk(KERN_CRIT "TAP down_interruptible %s %d\n",__FILE__,__LINE__);
>		return XT_CONTINUE;
>	}
>
>	// snip some code removed
>	
>	// Fall out
>	fallout:
>	// Release Mutex
>	up(private_info->tap_filter[fidx].lock);
>	// done
>	return XT_CONTINUE;
>}
>