From: Lutz Jaenicke <ljaenicke@innominate.com>
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: David Miller <davem@davemloft.net>,
Patrick McHardy <kaber@trash.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCHv6 iptables]Interface group match
Date: Fri, 23 Nov 2007 14:39:33 +0100 [thread overview]
Message-ID: <20071123133933.GA31396@innominate.com> (raw)
In-Reply-To: <11955644702194-git-send-email-panther@balabit.hu>
[-- Attachment #1: Type: text/plain, Size: 1463 bytes --]
On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
> Interface group values can be checked on both input and output interfaces
> with optional mask.
> Index: extensions/libxt_ifgroup.c
> ===================================================================
> --- extensions/libxt_ifgroup.c (revision 0)
> +++ extensions/libxt_ifgroup.c (revision 0)
> + info->in_group = strtoul(optarg, &end, 0);
This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
There is no standard API like getservbyname()...
I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.
(This will leave ebtables to be touched...)
Best regards,
Lutz
--
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
----------------------------------------------------------------------------
Visit us at the SPS/IPC/Drives in Nuremberg / Germany
27 - 29 November 2007, Hall 9, Stand 9-141
----------------------------------------------------------------------------
[-- Attachment #2: ifgroup_physdev.patch --]
[-- Type: text/plain, Size: 4806 bytes --]
diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c iptables-1.3.8/extensions/libipt_physdev.c
--- iptables-1.3.8-vanilla/extensions/libipt_physdev.c 2007-01-23 13:50:00.000000000 +0100
+++ iptables-1.3.8/extensions/libipt_physdev.c 2007-11-01 16:57:58.000000000 +0100
@@ -19,6 +19,8 @@
"physdev v%s options:\n"
" --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
" --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n"
+" --physgroup-in [!] input group bridge port group value\n"
+" --physgroup-out [!] output group bridge port group value\n"
" [!] --physdev-is-in arrived on a bridge device\n"
" [!] --physdev-is-out will leave on a bridge device\n"
" [!] --physdev-is-bridged it's a bridged packet\n"
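Review bot: The two new usage lines for `--physgroup-in` and `--physgroup-out` do not mention the optional `/mask` suffix, although the parser added later in this patch accepts `group/mask` and the print hook emits that form, so a user reading `--help` cannot discover the syntax. Suggest `" --physgroup-in [!] group[/mask]  bridge port group value (optional mask)\n"` and the same shape for the `--physgroup-out` line, following the `name[+]` convention of the lines above. The help string this hunk edits starts before the hunk.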
@@ -31,6 +33,8 @@
{ "physdev-is-in", 0, 0, '3' },
{ "physdev-is-out", 0, 0, '4' },
{ "physdev-is-bridged", 0, 0, '5' },
+ { "physgroup-in", 1, 0, '6' },
+ { "physgroup-out", 1, 0, '7' },
{0}
};
@@ -47,6 +51,7 @@
{
struct ipt_physdev_info *info =
(struct ipt_physdev_info*)(*match)->data;
+ char *end;
switch (c) {
case '1':
@@ -103,6 +108,44 @@
info->bitmask |= IPT_PHYSDEV_OP_BRIDGED;
break;
+ case '6':
+ if (*flags & IPT_PHYSDEV_OP_GROUPIN)
+ goto multiple_use;
+ check_inverse(argv[optind-1], &invert, &optind, 0);
+ end = optarg = argv[optind-1];
+ info->ingroup = strtoul(optarg, &end, 0);
+ info->ingroupmask = 0xffffffffUL;
+ if (*end == '/')
+ info->ingroupmask = strtoul(end+1, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM,
+ "physdev match: Bad ifgroup value `%s'",
+ optarg);
+ if (invert)
+ info->invert |= IPT_PHYSDEV_OP_GROUPIN;
+ *flags |= IPT_PHYSDEV_OP_GROUPIN;
+ info->bitmask |= IPT_PHYSDEV_OP_GROUPIN;
+ break;
+
+ case '7':
+ if (*flags & IPT_PHYSDEV_OP_GROUPOUT)
+ goto multiple_use;
+ check_inverse(argv[optind-1], &invert, &optind, 0);
+ end = optarg = argv[optind-1];
+ info->outgroup = strtoul(optarg, &end, 0);
+ info->outgroupmask = 0xffffffffUL;
+ if (*end == '/')
+ info->outgroupmask = strtoul(end+1, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM,
+ "physdev match: Bad ifgroup value `%s'",
+ optarg);
+ if (invert)
+ info->invert |= IPT_PHYSDEV_OP_GROUPOUT;
+ *flags |= IPT_PHYSDEV_OP_GROUPOUT;
+ info->bitmask |= IPT_PHYSDEV_OP_GROUPOUT;
+ break;
+
default:
return 0;
}
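Review bot: The value check in case '6' and case '7' is done only after the optional mask has been consumed, so `5/`, `/7` and a bare `/` are all accepted: strtoul() with no digits sets `end` to its input, which is past `optarg` once the `/` has been skipped, and the mask (or the group) silently becomes 0, i.e. a mask of 0 matches every group. On LP64 hosts strtoul() also returns values above 0xffffffff, which are truncated when stored in the u_int32_t fields, and ERANGE is never checked. Since both cases are otherwise identical, a single helper that validates each part right after it is parsed, as sketched below, removes the duplication and lets the `char *end` added in the earlier hunk go away; it needs `<errno.h>` if the file does not already include it. The enclosing parse function begins before this hunk and continues after it.
```c
/* Parse "group[/mask]" as accepted by strtoul(base 0); the mask defaults to
 * all ones. Exits via exit_error() on a syntax error or an out-of-range value. */
static void parse_group_spec(const char *arg, u_int32_t *group, u_int32_t *mask)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(arg, &end, 0);
	if (end == arg || errno == ERANGE || v > 0xffffffffUL)
		goto bad;
	*group = v;
	*mask = 0xffffffffUL;
	if (*end == '/') {
		const char *m = end + 1;
		v = strtoul(m, &end, 0);
		if (end == m || errno == ERANGE || v > 0xffffffffUL)
			goto bad;
		*mask = v;
	}
	if (*end != '\0')
		goto bad;
	return;
bad:
	exit_error(PARAMETER_PROBLEM,
		   "physdev match: Bad ifgroup value `%s'", arg);
}

	/* … unchanged: cases '1'..'5' … */
	case '6':
		if (*flags & IPT_PHYSDEV_OP_GROUPIN)
			goto multiple_use;
		check_inverse(argv[optind-1], &invert, &optind, 0);
		parse_group_spec(argv[optind-1], &info->ingroup, &info->ingroupmask);
		/* … unchanged: invert/flags/bitmask updates … */
	case '7':
		if (*flags & IPT_PHYSDEV_OP_GROUPOUT)
			goto multiple_use;
		check_inverse(argv[optind-1], &invert, &optind, 0);
		parse_group_spec(argv[optind-1], &info->outgroup, &info->outgroupmask);
		/* … unchanged: invert/flags/bitmask updates … */
```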
@@ -145,6 +186,13 @@
if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
printf("%s --physdev-is-bridged",
info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
+
+ if (info->bitmask & IPT_PHYSDEV_OP_GROUPIN)
+ printf("%s --physgroup-in 0x%x/0x%x",
+ (info->invert & IPT_PHYSDEV_OP_GROUPIN) ? " !":"", info->ingroup, info->ingroupmask);
+ if (info->bitmask & IPT_PHYSDEV_OP_GROUPOUT)
+ printf("%s --physgroup-out 0x%x/0x%x",
+ (info->invert & IPT_PHYSDEV_OP_GROUPOUT) ? " !":"", info->outgroup, info->outgroupmask);
printf(" ");
}
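Review bot: Only one output hook gains the `--physgroup-in`/`--physgroup-out` lines in this hunk; if libipt_physdev.c has a separate save hook used by iptables-save (the rest of the file is not visible here), it needs the same two blocks, otherwise rules carrying group options are silently lost on save/restore. The emitted `0x%x/0x%x` form is what the new parser accepts, which is good for round-tripping; `%x` with a u_int32_t argument is correct only where that type is `unsigned int`, so `PRIx32` from `<inttypes.h>` would be the portable spelling. The function this hunk edits starts before the hunk.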
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h 2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h 2007-11-01 16:15:38.000000000 +0100
@@ -10,13 +10,19 @@
#define IPT_PHYSDEV_OP_BRIDGED 0x04
#define IPT_PHYSDEV_OP_ISIN 0x08
#define IPT_PHYSDEV_OP_ISOUT 0x10
-#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
+#define IPT_PHYSDEV_OP_GROUPIN 0x20
+#define IPT_PHYSDEV_OP_GROUPOUT 0x40
+#define IPT_PHYSDEV_OP_MASK (0x80 - 1)
struct ipt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
+ u_int32_t ingroup;
+ u_int32_t ingroupmask;
+ u_int32_t outgroup;
+ u_int32_t outgroupmask;
u_int8_t invert;
u_int8_t bitmask;
};
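Review bot: Inserting four u_int32_t fields before `invert` changes the size and layout of `struct ipt_physdev_info`, which is the payload the kernel receives for this match, so an iptables built against this header cannot load the physdev match on a kernel without the corresponding change, and vice versa; if the iptables-1.3.8 match registration supports a `revision` field, bumping it is the usual way to keep both layouts loadable. The ip6t_physdev.h hunk below makes the identical change and has the same consequence. A short comment on the new defines would also help keep the copies aligned, e.g. `/* values must match the kernel's XT_PHYSDEV_OP_GROUPIN/GROUPOUT */`.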
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h 2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h 2007-11-01 16:15:21.000000000 +0100
@@ -10,13 +10,19 @@
#define IP6T_PHYSDEV_OP_BRIDGED 0x04
#define IP6T_PHYSDEV_OP_ISIN 0x08
#define IP6T_PHYSDEV_OP_ISOUT 0x10
-#define IP6T_PHYSDEV_OP_MASK (0x20 - 1)
+#define IP6T_PHYSDEV_OP_GROUPIN 0x20
+#define IP6T_PHYSDEV_OP_GROUPOUT 0x40
+#define IP6T_PHYSDEV_OP_MASK (0x80 - 1)
struct ip6t_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
+ u_int32_t ingroup;
+ u_int32_t ingroupmask;
+ u_int32_t outgroup;
+ u_int32_t outgroupmask;
u_int8_t invert;
u_int8_t bitmask;
};
[-- Attachment #3: ifgroup_physdev_kernel.patch --]
[-- Type: text/plain, Size: 2576 bytes --]
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index fbcc7ce..75cdc51 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -23,6 +23,23 @@ MODULE_DESCRIPTION("iptables bridge physical device match module");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
+static inline bool
+ifgroup_match_in(u_int32_t ingroup,
+ const struct xt_physdev_info *info)
+{
+
+ return ((ingroup & info->ingroupmask) == info->ingroup) ^
+ ((info->invert & XT_PHYSDEV_OP_GROUPIN) == XT_PHYSDEV_OP_GROUPIN);
+}
+
+static inline bool
+ifgroup_match_out(u_int32_t outgroup,
+ const struct xt_physdev_info *info)
+{
+ return ((outgroup & info->outgroupmask) == info->outgroup) ^
+ ((info->invert & XT_PHYSDEV_OP_GROUPOUT) == XT_PHYSDEV_OP_GROUPOUT);
+}
+
static int
match(const struct sk_buff *skb,
const struct net_device *in,
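Review bot: `ifgroup_match_in` and `ifgroup_match_out` are the same function with the field and flag names swapped; one helper such as `static inline bool ifgroup_match(u_int32_t group, u_int32_t want, u_int32_t mask, bool inv) { return ((group & mask) == want) ^ inv; }` called with `!!(info->invert & XT_PHYSDEV_OP_GROUPIN)` would remove the duplication, and the `!!` form is also what the existing ISOUT test in this file uses rather than `== XT_PHYSDEV_OP_GROUPIN`. The blank line at the top of ifgroup_match_in's body is stray. Separately, the patch uses `XT_PHYSDEV_OP_GROUPIN`/`XT_PHYSDEV_OP_GROUPOUT` and the `ingroup`/`ingroupmask`/`outgroup`/`outgroupmask` members of `struct xt_physdev_info`, but no hunk for the kernel header that defines them is part of this attachment, so as posted it would not build unless that hunk was left out of the mail.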
@@ -38,6 +55,7 @@ match(const struct sk_buff *skb,
const struct xt_physdev_info *info = matchinfo;
unsigned int ret;
const char *indev, *outdev;
+ u_int32_t ingroup, outgroup;
struct nf_bridge_info *nf_bridge;
/* Not a bridged IP packet or no info available yet:
@@ -60,6 +78,12 @@ match(const struct sk_buff *skb,
if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
!(info->invert & XT_PHYSDEV_OP_OUT))
return NOMATCH;
+ if ((info->bitmask & XT_PHYSDEV_OP_GROUPIN) &&
+ !(info->invert & XT_PHYSDEV_OP_GROUPIN))
+ return NOMATCH;
+ if ((info->bitmask & XT_PHYSDEV_OP_GROUPOUT) &&
+ !(info->invert & XT_PHYSDEV_OP_GROUPOUT))
+ return NOMATCH;
return MATCH;
}
@@ -75,6 +99,18 @@ match(const struct sk_buff *skb,
(!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
return NOMATCH;
+ if (info->bitmask & XT_PHYSDEV_OP_GROUPIN) {
+ ingroup = nf_bridge->physindev ? nf_bridge->physindev->ifgroup : -1;
+ if (!ifgroup_match_in(ingroup, info))
+ return NOMATCH;
+ }
+
+ if (info->bitmask & XT_PHYSDEV_OP_GROUPOUT) {
+ outgroup = nf_bridge->physoutdev ? nf_bridge->physoutdev->ifgroup : -1;
+ if (!ifgroup_match_out(outgroup, info))
+ return NOMATCH;
+ }
+
if (!(info->bitmask & XT_PHYSDEV_OP_IN))
goto match_outdev;
indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
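Review bot: The `-1` used when `nf_bridge->physindev` (or `physoutdev`) is NULL is stored in a u_int32_t and becomes 0xffffffff, which is a value the userspace parser accepts as a real group, so a rule such as `--physgroup-in 0xffffffff` (or any rule whose mask clears the distinguishing bits) matches a bridged packet that has no input port at all. Handling the missing-port case explicitly, as the non-bridged path earlier in this patch already does, avoids overloading a valid group value as a sentinel and makes the `ingroup`/`outgroup` locals unnecessary. The match() function continues before and after this hunk.
```c
	if (info->bitmask & XT_PHYSDEV_OP_GROUPIN) {
		/* no bridge input port: only an inverted group rule can match */
		if (!nf_bridge->physindev) {
			if (!(info->invert & XT_PHYSDEV_OP_GROUPIN))
				return NOMATCH;
		} else if (!ifgroup_match_in(nf_bridge->physindev->ifgroup, info))
			return NOMATCH;
	}

	if (info->bitmask & XT_PHYSDEV_OP_GROUPOUT) {
		if (!nf_bridge->physoutdev) {
			if (!(info->invert & XT_PHYSDEV_OP_GROUPOUT))
				return NOMATCH;
		} else if (!ifgroup_match_out(nf_bridge->physoutdev->ifgroup, info))
			return NOMATCH;
	}
	/* … unchanged: physindev / physoutdev name comparison … */
```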
@@ -114,6 +150,7 @@ checkentry(const char *tablename,
info->bitmask & ~XT_PHYSDEV_OP_MASK)
return 0;
if (brnf_deferred_hooks == 0 &&
+ info->bitmask & XT_PHYSDEV_OP_GROUPOUT &&
info->bitmask & XT_PHYSDEV_OP_OUT &&
(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
info->invert & XT_PHYSDEV_OP_BRIDGED) &&
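Review bot: The added `info->bitmask & XT_PHYSDEV_OP_GROUPOUT &&` conjunct makes the `brnf_deferred_hooks` check require both `--physgroup-out` and `--physdev-out` in the same rule, which narrows the existing condition (it previously fired for `--physdev-out` alone) instead of extending it to the new option. If the intent is to cover either output option, replace the two lines with `(info->bitmask & (XT_PHYSDEV_OP_OUT | XT_PHYSDEV_OP_GROUPOUT)) &&`. The condition and checkentry() continue past the end of the hunk, so the action taken when it holds is not visible here.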