ippool -X not working

ippool -X not working

[Rodrigo Severo]

Dear list,


I am testing the ip pool match and target.

I'm having problems with the ippool userspace support tool.

I can't make neither -x nor the -X POOL options work. I always get a
"IP_POOL_DESTROY POOL failed: Device or resource busy" message. The POOL
isn't used yet anywhere, I'm justing testing pool creation by now.

Is it a bug or am I doing something wrong?

I am not sure there is someone working on the ip pool functionality.

I wrote Patrick Schaaf, the former maintainer of this patch. He told me
that he never implemented pool destruction. He also mentioned that
Joackim Axelsson probably is the ip pool man presently.

Is there anybody working on it? I'm willing to help.

BTW, I'm messing with ip pool based on the assumption that using an ip
pool would give me faster results than having circa 180 rules for
different ip addresses as I have now. Am I right?


Thanks in advance for your attention,

Rodrigo Severo

--
----------------------------------------------------
Rodrigo Severo
Fábrica de Idéias
Fone: +55(61)321 1357
Fax: +55(61)223 1712
SBS - Quadra 2 - Ed. Empire Center - Sala 1301
Brasília/DF - Brasil
CEP: 70.070-904
----------------------------------------------------

Re: ippool -X not working

[Henrik Nordstrom]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 787 bytes --]

On Fri, 5 Dec 2003, Rodrigo Severo wrote:

> I can't make neither -x nor the -X POOL options work. I always get a 
> "IP_POOL_DESTROY POOL failed: Device or resource busy" message. The POOL 
> isn't used yet anywhere, I'm justing testing pool creation by now.

These operations are not implemented in the ippool version in 
base/ippool.patch.

Attached is a patch implementing the flush and destroy ippool operations.  
We have had this patch for a while but not posted it yet as there was talk
about replacing the ippool implementation with the new modularized
implementation by Joakim Axelsson and that the current implementation is
not actively maintained and we did not want to stir up confusion on that
subject. The patch obviously depends on the base/ippool.patch.

Regards
Henrik

[-- Attachment #2: ippool patch file --]
[-- Type: TEXT/PLAIN, Size: 3122 bytes --]

--- linux-2.4.19-uml/net/ipv4/netfilter/ip_pool.c.orig	Mon Sep 23 17:07:19 2002
+++ linux-2.4.19-uml/net/ipv4/netfilter/ip_pool.c	Tue Sep 24 08:22:53 2002
@@ -186,7 +186,7 @@
 		req.addr2 = pool->nr_match;
 		return copy_to_user(user, &req, sizeof(req));
 	case IP_POOL_TEST_ADDR:
-		DP("ip_pool TEST 0x%08x\n", req.addr);
+		DP("ip_pool TEST 0x%08x\n", ntohl(req.addr));
 		pool = lookup(req.index);
 		if (!pool)
 			return -EINVAL;
@@ -213,13 +213,39 @@
 		read_unlock_bh(&pool->lock);
 		return copy_to_user(user, &req, sizeof(req));
 	case IP_POOL_FLUSH:
-		DP("ip_pool FLUSH not yet implemented.\n");
-		return -EBUSY;
+		pool = lookup(req.index);
+		if (!pool)
+		    return -EINVAL;
+		write_lock_bh(&pool->lock);
+		if (!pool->members) {
+		    res = -EBADF;
+		    goto unlock_write_and_return_res;
+		}
+		newbytes = bitmap_bytes(pool->first_ip, pool->last_ip);
+		memset(pool->members, 0, newbytes);
+		pool->nr_use = 0;
+		pool->nr_match = 0;
+		write_unlock_bh(&pool->lock);
+		return 0;
 	case IP_POOL_DESTROY:
-		DP("ip_pool DESTROY not yet implemented.\n");
-		return -EBUSY;
+		pool = lookup(req.index);
+		if (!pool)
+		    return -EINVAL;
+		write_lock_bh(&pool->lock);
+		if (!pool->members) {
+		    res = -EBADF;
+		    goto unlock_write_and_return_res;
+		}
+		kfree(pool->members);
+		pool->members = NULL;
+		pool->first_ip = 0;
+		pool->last_ip = 0;
+		pool->nr_use = 0;
+		pool->nr_match = 0;
+		write_unlock_bh(pool->lock);
+		return 0;
 	case IP_POOL_INIT:
-		DP("ip_pool INIT 0x%08x-0x%08x\n", req.addr, req.addr2);
+		DP("ip_pool INIT 0x%08x-0x%08x\n", ntohl(req.addr), ntohl(req.addr2));
 		pool = lookup(req.index);
 		if (!pool)
 			return -EINVAL;
@@ -241,7 +267,7 @@
 			DP("ip_pool INIT pool %d exists\n", req.index);
 			kfree(newmembers);
 			res = -EBUSY;
-			goto unlock_and_return_res;
+			goto unlock_write_and_return_res;
 		}
 		pool->first_ip = req.addr;
 		pool->last_ip = req.addr2;
@@ -249,14 +275,23 @@
 		pool->nr_match = 0;
 		pool->members = newmembers;
 		write_unlock_bh(&pool->lock);
+		DP("ip_pool INIT %d bytes\n", newbytes);
 		return 0;
 	case IP_POOL_ADD_ADDR:
-		DP("ip_pool ADD_ADDR 0x%08x\n", req.addr);
+		DP("ip_pool ADD_ADDR 0x%08x\n", ntohl(req.addr));
 		req.addr = pool_change(req.index, ntohl(req.addr), 0);
+		if (req.addr == -1) {
+		    DP("ip_pool ADD_ADDR invalid\n");
+		    return -ERANGE;
+		}
 		return copy_to_user(user, &req, sizeof(req));
 	case IP_POOL_DEL_ADDR:
-		DP("ip_pool DEL_ADDR 0x%08x\n", req.addr);
+		DP("ip_pool DEL_ADDR 0x%08x\n", ntohl(req.addr));
 		req.addr = pool_change(req.index, ntohl(req.addr), 1);
+		if (req.addr == -1) {
+		    DP("ip_pool ADD_ADDR invalid\n");
+		    return -ERANGE;
+		}
 		return copy_to_user(user, &req, sizeof(req));
 	default:
 		DP("ip_pool:getpool bad op %d\n", req.op);
@@ -268,6 +303,10 @@
 	if (pool)
 		read_unlock_bh(&pool->lock);
 	return res;
+unlock_write_and_return_res:
+	if (pool)
+	    	write_unlock_bh(&pool->lock);
+	return res;
 }
 
 static struct nf_sockopt_ops so_pool

[-- Attachment #3: readme --]
[-- Type: TEXT/PLAIN, Size: 189 bytes --]

Author: Henrik Nordstrom <hno@marasystems.com>
Status: development

This patch adds the delete and flush operations to ip_pool, and some
minor cleanups of locking (and debug messages)

Re: ippool -X not working

[Martin Josefsson]

[-- Attachment #1: Type: text/plain, Size: 1148 bytes --]

On Fri, 2003-12-05 at 16:10, Henrik Nordstrom wrote:
> On Fri, 5 Dec 2003, Rodrigo Severo wrote:
> 
> > I can't make neither -x nor the -X POOL options work. I always get a 
> > "IP_POOL_DESTROY POOL failed: Device or resource busy" message. The POOL 
> > isn't used yet anywhere, I'm justing testing pool creation by now.
> 
> These operations are not implemented in the ippool version in 
> base/ippool.patch.
> 
> Attached is a patch implementing the flush and destroy ippool operations.  
> We have had this patch for a while but not posted it yet as there was talk
> about replacing the ippool implementation with the new modularized
> implementation by Joakim Axelsson and that the current implementation is
> not actively maintained and we did not want to stir up confusion on that
> subject. The patch obviously depends on the base/ippool.patch.

The latest "semi-released" version of the new ippool can be found at:
http://gandalf.hjorten.nu/ippool/ippool-0.3.2b.tgz

It's not a nice patch, it needs some file-copying and manual chaning of
Makefile etc...

I use it in production here, works great.

-- 
/Martin

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: ippool -X not working

[Rodrigo Severo]

Martin Josefsson wrote:

>The latest "semi-released" version of the new ippool can be found at:
>http://gandalf.hjorten.nu/ippool/ippool-0.3.2b.tgz
>
>
I'm trying it in a test machine. Right now I'm still stuck at
compilation level.

I already compiled a kernel with pool support.

During iptables make I get:

[root@fellini iptables-1.2.9]# make
Extensions found: IPv4:IPMARK IPv4:ROUTE IPv4:condition IPv4:mport
IPv4:pool IPv4:POOL IPv4:recent IPv4:string IPv4:time IPv6:ah IPv6:esp
IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt
cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.9\"  -fPIC -o extensions/libipt_pool_sh.o -c
extensions/libipt_pool.c
In file included from extensions/libipt_pool.c:13:
include/libippool/ip_pool_support.h:17: parse error before
"ip_pool_get_index"
include/libippool/ip_pool_support.h:17: warning: type defaults to `int'
in declaration of `ip_pool_get_index'
include/libippool/ip_pool_support.h:17: warning: data definition has no
type or storage class
include/libippool/ip_pool_support.h:24: parse error before "ip_pool_t"

AFAICT, the problem is the lack of ip_pool_t definition, but I can't
find a place where it IS defined so I could include it in ip_pool_support.h.

I have not compiled userspace ippool yet.

Suggestions?

>It's not a nice patch, it needs some file-copying and manual chaning of
>Makefile etc...
>
>
I believe I got the handwork fine but it can also be the reason for my
problems.



Thanks in advance for your attention,

Rodrigo

--
----------------------------------------------------
Rodrigo Severo
Fábrica de Idéias
Fone: +55(61)321 1357
Fax: +55(61)223 1712
SBS - Quadra 2 - Ed. Empire Center - Sala 1301
Brasília/DF - Brasil
CEP: 70.070-904
----------------------------------------------------

Re: ippool -X not working

[Martin Josefsson]

[-- Attachment #1: Type: text/plain, Size: 2128 bytes --]

On Mon, 2003-12-08 at 13:56, Rodrigo Severo wrote:

> During iptables make I get:
> 
> [root@fellini iptables-1.2.9]# make
> Extensions found: IPv4:IPMARK IPv4:ROUTE IPv4:condition IPv4:mport 
> IPv4:pool IPv4:POOL IPv4:recent IPv4:string IPv4:time IPv6:ah IPv6:esp 
> IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt
> cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/ 
> -DIPTABLES_VERSION=\"1.2.9\"  -fPIC -o extensions/libipt_pool_sh.o -c 
> extensions/libipt_pool.c
> In file included from extensions/libipt_pool.c:13:
> include/libippool/ip_pool_support.h:17: parse error before 
> "ip_pool_get_index"
> include/libippool/ip_pool_support.h:17: warning: type defaults to `int' 
> in declaration of `ip_pool_get_index'
> include/libippool/ip_pool_support.h:17: warning: data definition has no 
> type or storage class
> include/libippool/ip_pool_support.h:24: parse error before "ip_pool_t"
> 
> AFAICT, the problem is the lack of ip_pool_t definition, but I can't 
> find a place where it IS defined so I could include it in ip_pool_support.h.
> 
> I have not compiled userspace ippool yet.
> 
> Suggestions?

What you need to do (which I failed to mention) is to completely remove
the old ippool (otherwise it will try to compile it which will fail)

rm -rf iptables-1.2.9/ippool

And did you replace iptables-1.2.9/extensions/libipt_{pool,POOL}.c with
the files from the ippool-0.3.2b/iptables/ directory?

If you do these two things it should compile nicely.

Then you probably have to modify ippool-0.3.2b/userspace/Makefile a
little, you need to change IPPOOL_LIB_DIR (where it will search for the
compiled libs at runtime) and CFLAGS (needs to point to the new kernel
with ippool support).

Maybe it's time someone wrote a small installation-howto, and maybe
replaced the code in netfilter cvs with this code as it works a lot
better than the old code (the old code might work well with Henrik's
patches, I've never used them...)
There's still some work to be done on ippool, the question is like
always when it will be done... nobody knows.

-- 
/Martin

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: ippool -X not working

[Henrik Nordstrom]

On Mon, 8 Dec 2003, Martin Josefsson wrote:

> Maybe it's time someone wrote a small installation-howto, and maybe
> replaced the code in netfilter cvs with this code as it works a lot
> better than the old code (the old code might work well with Henrik's
> patches, I've never used them...)

Have not experienced any problems with the modified code, and we have been
using this code for very long now. But I have to admit that we do have
some other patches extending the old ippool code with new functionality
but this has not been publishet yet for the same reasons as the
flush/destroy patch was not published.

As you may remember I have some minor objections to the user/kernel
interface of the new code (the use of kernel space pointers as pool
identifiers) but this is only minor and manageable. One could say that I
do not get why not using the pool name or a simple integer is not better.  
if this still is the same in the current implementation then I still have
that objection.

Note: The UltraSparc port will have issues from this "pointer abuse", in
addition to the pointer size issues it already have with iptables..

Regards
Henrik

Re: ippool -X not working

[Jozsef Kadlecsik]

On Mon, 8 Dec 2003, Martin Josefsson wrote:

> Maybe it's time someone wrote a small installation-howto, and maybe
> replaced the code in netfilter cvs with this code as it works a lot
> better than the old code (the old code might work well with Henrik's
> patches, I've never used them...)
> There's still some work to be done on ippool, the question is like
> always when it will be done... nobody knows.

I'm working on ippool: the main goal is to add sub/port pools to the
current version.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary