Help writing netfilter match

Help writing netfilter match

[Richard Bishop]

Hi,

I'm trying to write a netfilter match and have run into some problems. I've 
read through the how-to documents, though they only seem to skim over things 
and don't really explain what I need to know.

As I understand it, in order to write a netfilter match, you have a kernel 
level module that integrates with the ip_tables module in the kernel and does 
your classification of packets coming to it and telling the iptables module 
what to drop etc. You then have a userspace shared library (or a furby in 
Rusty's case :-) ) which you call with "iptables -A [table] -m [matchname]" 
which then determines what to send to the kernel module. - Can somebody 
confirm that my interpretation of things is right here please.

I have a kernel module working, though the userspace module is elluding me 
somewhat.  I have the following skeleton code, put together from various match 
libraries that I've found, saved as libipt_net.c

----------------------------------------------------------------------------
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>

static void help(void) {
	print("iptables v%s options:\n some options here\n)",IPTABLES_VERSION);
}

static struct option opts[] = {
	{ "option", 1, 0, '1' },
	{0}
};

static void init(struct ipt_entry_match *m, unsigned int *nfcache) {
	printf("Hello from iptables match library\n");
}

/* Function which parses command options; returns true if it
   ate an option */
static int parse(int c, char **argv,
		int invert,
		unsigned int *flags,
		const struct ipt_entry *entry,
		unsigned int *nfcache,
		struct ipt_entry_match **match)
{
	return 1;
}

/* Final check - we really don't care in this instance */
static void final_check(unsigned int flags) {
}

/* Print the match info to stdout */
static void print(	const struct ipt_ip *ip,
			const struct ipt_entry_match *match,
			int numeric) {
	int *net = (int*)match->data;

	printf("net %d");
}

/* Dump the match info in a parseable form to stdout */
static void save(	const struct ipt_ip *ip,
			const struct ipt_entry_match *match) {

	int *net = (int*)match->data;

	printf("--option %d",*net);
}

static struct iptables_match net = {
	.name		= "net",
	.version	= IPTABLES_VERSION,
	.size		= IPT_ALIGN(sizeof(int)),
	.userspacesize	= IPT_ALIGN(sizeof(int)),
	.help		= &help,
	.init		= &init,
	.parse		= &parse,
	.final_check	= &final_check,
	.print		= &print,
	.save		= &save,
	.extra_opts	= opts
};

void __init(void) {
	register_match(&net);
}
----------------------------------------------------------------------------

This is compiled with the command  "gcc -shared -o libipt_net.so 
-DIPTABLES_VERSION=\"1.2.9\" -I/usr/src/linux/include libipt_net.c"  and the 
.so file placed in /lib/iptables. Incidentally I'm compiling and running on 
Debian with kernel 2.4.24-1-k7.

As root I then run "iptables -A INPUT -m net --help" and get "iptables v1.2.9: 
Couldn't load match `net'". I've obviously missed something somewhere - can 
somebody point me in the right direction please?!  After a day or so of 
googling I've got nowhere. I've also tried compiling with the '-c' option, but 
get an error that "ELF file's phentsize not the expected size".

Can anybody help please!

Many thanks in advance


Richard

---
Richard Bishop
Department of Computer Science
University of Exeter. UK

Help writing netfilter match

[Richard Bishop]

Hi,

I'm trying to write a netfilter match and have run into some problems. I've
read through the how-to documents, though they only seem to skim over things
and don't really explain what I need to know.

As I understand it, in order to write a netfilter match, you have a kernel
level module that integrates with the ip_tables module in the kernel and does
your classification of packets coming to it and telling the iptables module
what to drop etc. You then have a userspace shared library (or a furby in
Rusty's case :-) ) which you call with "iptables -A [table] -m [matchname]"
which then determines what to send to the kernel module. - Can somebody
confirm that my interpretation of things is right here please.

I have a kernel module working, though the userspace module is elluding me
somewhat.  I have the following skeleton code, put together from various match
libraries that I've found, saved as libipt_net.c

----------------------------------------------------------------------------
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>

static void help(void) {
	print("iptables v%s options:\n some options here\n)",IPTABLES_VERSION);
}

static struct option opts[] = {
	{ "option", 1, 0, '1' },
	{0}
};

static void init(struct ipt_entry_match *m, unsigned int *nfcache) {
	printf("Hello from iptables match library\n");
}

/* Function which parses command options; returns true if it
   ate an option */
static int parse(int c, char **argv,
		int invert,
		unsigned int *flags,
		const struct ipt_entry *entry,
		unsigned int *nfcache,
		struct ipt_entry_match **match)
{
	return 1;
}

/* Final check - we really don't care in this instance */
static void final_check(unsigned int flags) {
}

/* Print the match info to stdout */
static void print(	const struct ipt_ip *ip,
			const struct ipt_entry_match *match,
			int numeric) {
	int *net = (int*)match->data;

	printf("net %d");
}

/* Dump the match info in a parseable form to stdout */
static void save(	const struct ipt_ip *ip,
			const struct ipt_entry_match *match) {

	int *net = (int*)match->data;

	printf("--option %d",*net);
}

static struct iptables_match net = {
	.name		= "net",
	.version	= IPTABLES_VERSION,
	.size		= IPT_ALIGN(sizeof(int)),
	.userspacesize	= IPT_ALIGN(sizeof(int)),
	.help		= &help,
	.init		= &init,
	.parse		= &parse,
	.final_check	= &final_check,
	.print		= &print,
	.save		= &save,
	.extra_opts	= opts
};

void __init(void) {
	register_match(&net);
}
----------------------------------------------------------------------------

This is compiled with the command  "gcc -shared -o libipt_net.so
-DIPTABLES_VERSION=\"1.2.9\" -I/usr/src/linux/include libipt_net.c"  and the
.so file placed in /lib/iptables. Incidentally I'm compiling and running on
Debian with kernel 2.4.24-1-k7.

As root I then run "iptables -A INPUT -m net --help" and get "iptables v1.2.9:
Couldn't load match `net'". I've obviously missed something somewhere - can
somebody point me in the right direction please?!  After a day or so of
googling I've got nowhere. I've also tried compiling with the '-c' option, but
get an error that "ELF file's phentsize not the expected size".

Can anybody help please!

Many thanks in advance


Richard

---
Richard Bishop
Department of Computer Science
University of Exeter. UK

Re: Help writing netfilter match

[Henrik Nordstrom]

On Sun, 28 Mar 2004, Richard Bishop wrote:

> I'm trying to write a netfilter match and have run into some problems. I've 
> read through the how-to documents, though they only seem to skim over things 
> and don't really explain what I need to know.

The source documents the details, the howto the principles..

> As I understand it, in order to write a netfilter match, you have a kernel 
> level module that integrates with the ip_tables module in the kernel and does 
> your classification of packets coming to it and telling the iptables module 
> what to drop etc. You then have a userspace shared library (or a furby in 
> Rusty's case :-) ) which you call with "iptables -A [table] -m [matchname]" 
> which then determines what to send to the kernel module. - Can somebody 
> confirm that my interpretation of things is right here please.

Correct.

> I have a kernel module working, though the userspace module is elluding me 
> somewhat.  I have the following skeleton code, put together from various match 
> libraries that I've found, saved as libipt_net.c
> 
> ----------------------------------------------------------------------------
> #include <stdio.h>
> #include <netdb.h>
> #include <string.h>
> #include <stdlib.h>
> #include <stddef.h>
> #include <getopt.h>
> #include <iptables.h>
> #include <linux/netfilter_ipv4/ip_conntrack.h>

What I am missing here is your include file for the match structure used
by your match.. and you should not include ip_conntrack.h unless you have
a specific reason to..

Even if your match takes a very simple argument it is better to 
encapsulate it into a structure to make typecasing, sizing etc more 
obvious.

> /* Function which parses command options; returns true if it
>    ate an option */
> static int parse(int c, char **argv,
> 		int invert,
> 		unsigned int *flags,
> 		const struct ipt_entry *entry,
> 		unsigned int *nfcache,
> 		struct ipt_entry_match **match)
> {
> 	return 1;
> }

This needs to fill in your match structure... 'c' is the option number 
and the global "optarg" is the value.. 

> /* Print the match info to stdout */
> static void print(	const struct ipt_ip *ip,
> 			const struct ipt_entry_match *match,
> 			int numeric) {
> 	int *net = (int*)match->data;
> 
> 	printf("net %d");

Missing some data there..

> As root I then run "iptables -A INPUT -m net --help" and get "iptables v1.2.9: 
> Couldn't load match `net'". I've obviously missed something somewhere - can 
> somebody point me in the right direction please?!

Make sure the permissions of your .so is correct, and that it is in the 
correct directory for the iptables binary you are using (maybe you have 
more than one?)

Also try building your userspace module as part of building iptables. This 
is the method I use for building my extensions. Just place the file in 
userspace/extensions/ and a correstponding .<modulename>-test file

Regards
Henrik

Re: Help writing netfilter match

[Kiran Kumar]

--- Richard Bishop <R.J.Bishop@exeter.ac.uk> wrote:
> 
> This is compiled with the command  "gcc -shared -o
> libipt_net.so
> -DIPTABLES_VERSION=\"1.2.9\"
> -I/usr/src/linux/include libipt_net.c"  and the
> .so file placed in /lib/iptables. Incidentally I'm
> compiling and running on
> Debian with kernel 2.4.24-1-k7.

  Why dont you use the existing Makefiles for "make"
and "make install"? They would put the proper
libraries in the proper places.

> 
> As root I then run "iptables -A INPUT -m net --help"
> and get "iptables v1.2.9:
> Couldn't load match `net'". I've obviously missed
> something somewhere - can
> somebody point me in the right direction please?! 

  The iptables binary looks for the shared library in
the directory IPT_LIB_DIR (look for it in iptables.c).
So, iptables would be looking for libipt_net.so in
this directory. Making the .so available at the proper
location will solve the problem.

=====
Regards,
Kiran Kumar Immidi

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html