* mask for interface
@ 2004-03-25 8:56 Ozgur AKAN
2004-03-25 11:46 ` Henrik Nordstrom
2004-03-26 14:40 ` Ozgur AKAN
0 siblings, 2 replies; 6+ messages in thread
From: Ozgur AKAN @ 2004-03-25 8:56 UTC (permalink / raw)
To: netfilter-devel
Hi,
in the code of "struct ipt_ip" there is a mask value for the interface.
I can understand mask for an ip address but can not understand mask
value for an interface. For example what can be the mask for eth0?
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
Can anyone write me something about "iniface_mask[IFNAMSIZ]"?
thanks,
Ozgur AKAN
* Re: mask for interface
2004-03-25 8:56 mask for interface Ozgur AKAN
@ 2004-03-25 11:46 ` Henrik Nordstrom
2004-03-25 12:09 ` Ozgur AKAN
2004-03-26 14:40 ` Ozgur AKAN
1 sibling, 1 reply; 6+ messages in thread
From: Henrik Nordstrom @ 2004-03-25 11:46 UTC (permalink / raw)
To: Ozgur AKAN; +Cc: netfilter-devel
On Thu, 25 Mar 2004, Ozgur AKAN wrote:
> Hi,
>
> in the code of "struct ipt_ip" there is a mask value for the interface.
> I can understand mask for an ip address but can not understand mask
> value for an interface. For example what can be the mask for eth0?
It is used for wildcards like eth+ or ppp+. The kernel actually supports
even more complex matches thanks to the masking but the iptables binary
doesn't have a syntax for specifying other kinds of non-exact
interface matches.
Regards
Henrik
* Re: mask for interface
2004-03-25 11:46 ` Henrik Nordstrom
@ 2004-03-25 12:09 ` Ozgur AKAN
0 siblings, 0 replies; 6+ messages in thread
From: Ozgur AKAN @ 2004-03-25 12:09 UTC (permalink / raw)
To: netfilter-devel
...to test the mask value of the input interface I wrote a small program
(below) and inserted these rules:
iptables -N test
iptables -A test -i eth0 -p tcp -s 10.0.0.1 -d 10.1.1.1 -j ACCEPT
iptables -A test -i eth+ -p tcp -s 10.0.0.1 -d 10.1.1.1 -j ACCEPT
-----------------------------------begin---------sample code to test interface mask-----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include "iptables.h"
#include "libiptc/libiptc.h"

int main(void)
{
    iptc_handle_t h;
    const struct ipt_entry *e;
    const char *chain = NULL;
    const char *tablename = "filter";

    h = iptc_init(tablename);
    if (!h) {
        printf("Problem when initializing: %s\n", iptc_strerror(errno));
        exit(errno);
    }

    /* walk every chain of the table and every rule of each chain */
    for (chain = iptc_first_chain(&h); chain; chain = iptc_next_chain(&h)) {
        printf("%s\n", chain);
        for (e = iptc_first_rule(chain, &h); e; e = iptc_next_rule(e, &h)) {
            /* the mask is printed with %s, i.e. as a text string */
            printf("iface : %s, mask : %s \n", e->ip.iniface,
                   e->ip.iniface_mask);
        }
    }
    exit(0);
}
-----------------------------------end---------sample code to test interface mask-----------------------------
the output is the same for eth+ and eth0
-----------------------------------begin---------output of the test-----------------------------
iface : eth0, mask :
iface : eth+, mask :
-----------------------------------end---------output of the test-------------------------------
Is there another way to create a mask for an interface?
What am I doing wrong to test iniface_mask?
thanks,
Ozgur AKAN
* Re: mask for interface
2004-03-25 8:56 mask for interface Ozgur AKAN
2004-03-25 11:46 ` Henrik Nordstrom
@ 2004-03-26 14:40 ` Ozgur AKAN
2004-03-27 0:56 ` Henrik Nordstrom
1 sibling, 1 reply; 6+ messages in thread
From: Ozgur AKAN @ 2004-03-26 14:40 UTC (permalink / raw)
To: netfilter-devel
Hi,
In the manual of iptables there is nothing about the mask value of an
interface. + sign at the end of a few characters of an interface means
any interface which begins with this name will match.
Again what I wonder is why the iniface_mask value is used???
thanks,
Ozgur AKAN
---------------------------------------------------------------------
*-i, --in-interface *[!] [/name/]
Optional name of an interface via which a packet is received (for
packets entering the *INPUT*, *FORWARD* and *PREROUTING* chains).
When the "!" argument is used before the interface name, the sense
is inverted. If the interface name ends in a "+", then any interface
which begins with this name will match. If this option is omitted,
the string "+" is assumed, which will match with any interface name.
*-o, --out-interface *[!] [/name/]
Optional name of an interface via which a packet is going to be sent
(for packets entering the *FORWARD*, *OUTPUT* and *POSTROUTING*
chains). When the "!" argument is used before the interface name,
the sense is inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option is
omitted, the string "+" is assumed, which will match with any
interface name.
------------------------------------------------------------------------
* Re: mask for interface
2004-03-26 14:40 ` Ozgur AKAN
@ 2004-03-27 0:56 ` Henrik Nordstrom
2004-03-30 8:32 ` Ozgur AKAN
0 siblings, 1 reply; 6+ messages in thread
From: Henrik Nordstrom @ 2004-03-27 0:56 UTC (permalink / raw)
To: Ozgur AKAN; +Cc: netfilter-devel
On Fri, 26 Mar 2004, Ozgur AKAN wrote:
> Hi,
>
> In the manual of iptables there is nothing about the mask value of an
> interface. + sign at the end of a few characters of an interface means
> any interface which begins with this name will match.
>
> Again what I wonder is why the iniface_mask value is used???
Again, it is used for the + wildcard.
In theory it could be used for other things as well, but only the +
wildcard is implemented in the iptables application.
Regards
Henrik
* Re: mask for interface
2004-03-27 0:56 ` Henrik Nordstrom
@ 2004-03-30 8:32 ` Ozgur AKAN
0 siblings, 0 replies; 6+ messages in thread
From: Ozgur AKAN @ 2004-03-30 8:32 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter-devel
Finally I understand it!
iptables -A test -i eth+ -j ACCEPT
iptables -A test -i eth0 -j ACCEPT
iptables -A test -i eth0+ -j ACCEPT
iptables -A test -i + -j ACCEPT
iptables -A test -i e+ -j ACCEPT
output of a test program is
iface : eth+, Mask is :FF,FF,FF
iface : eth0, Mask is :FF,FF,FF,FF,FF
iface : eth0+, Mask is :FF,FF,FF,FF
iface : +, Mask is :
iface : e+, Mask is :FF
-------test function to print mask value------
#include <stdio.h>

/* prints the mask bytes in hex, stopping at the first zero byte */
static void printMask(unsigned char *mask)
{
    printf("Mask is :");
    while (*mask != '\0') {
        printf("%X%s", *mask, *(mask+1) != '\0' ? "," : "\n");
        ++mask;
    }
}
-----------------------------------------------------
Thanks for your help...
Ozgur AKAN
>Again, it is used for the + wildcard.
>
>In theory it could be used for other things as well, but only the +
>wildcard is implemented in the iptables application.
>
>Regards
>Henrik
>
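
The mask lengths printed in the last message, and the way such a mask turns a name comparison into a prefix or exact match, as an added example (not code from the thread or from the iptables/kernel sources). The helper names build_mask, rule_mask_len and iface_match are hypothetical, the mask rule is the one implied by the output above, and the byte-wise masked XOR compare is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16 /* same value as in <net/if.h> */

/* Hypothetical helper: fill name and mask from an -i/-o argument and
 * return the number of 0xFF mask bytes, or -1 if the name does not fit. */
static int build_mask(const char *arg, char name[IFNAMSIZ],
                      unsigned char mask[IFNAMSIZ])
{
    size_t len = strlen(arg), n;
    if (len >= IFNAMSIZ)
        return -1;
    memset(name, 0, IFNAMSIZ);
    memset(mask, 0, IFNAMSIZ);
    memcpy(name, arg, len);
    /* trailing '+': mask the prefix only; otherwise name plus its NUL */
    n = (len > 0 && arg[len - 1] == '+') ? len - 1 : (len ? len + 1 : 0);
    memset(mask, 0xFF, n);
    return (int)n;
}

/* Mask length for a rule argument, without exposing the buffers. */
static int rule_mask_len(const char *arg)
{
    char name[IFNAMSIZ];
    unsigned char mask[IFNAMSIZ];
    return build_mask(arg, name, mask);
}

/* Masked compare: a byte takes part only where the mask byte is 0xFF. */
static int iface_match(const char *arg, const char *dev)
{
    char name[IFNAMSIZ], devname[IFNAMSIZ] = {0};
    unsigned char mask[IFNAMSIZ], diff = 0;
    if (build_mask(arg, name, mask) < 0 || strlen(dev) >= IFNAMSIZ)
        return 0;
    memcpy(devname, dev, strlen(dev));
    for (int i = 0; i < IFNAMSIZ; i++)
        diff |= (unsigned char)(name[i] ^ devname[i]) & mask[i];
    return diff == 0;
}

int main(void)
{
    const char *rules[] = { "eth+", "eth0", "eth0+", "+", "e+" };
    for (int r = 0; r < 5; r++)
        printf("%-5s mask=%d eth0=%d eth0.100=%d\n", rules[r],
               rule_mask_len(rules[r]), iface_match(rules[r], "eth0"),
               iface_match(rules[r], "eth0.100"));
    return 0;
}
```

Because the exact-match mask covers the terminating NUL, a rule on eth0 does not match eth0.100, while eth0+ and eth+ do; that difference matters when a ruleset is meant to cover or exclude VLAN and alias interfaces.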