Re: Writing new Netfilter Modules

Re: Writing new Netfilter Modules

[Chris Lowth]

You could try "Rope", which allows modules to be written using a 
scripting language that doesnt required kernel development.
You get access to the vast majority of IP/UDP and TCP headers plus the 
data payload, conntrack, packet marks and other facilities.
Currently this is for kernel 2.4.x only - 2.6.x will be covered shortly.

Even if your eventual module isnt written in Rope, it does provide a way 
of playing with ideas (protyping) in a safe environment before 
committing them to C.

http://www.lowth.com/rope

Chris

Gingold Tomasz wrote:

>Hello,
>
>i want to write my own netfilter module. Can anybody tell me how to start?
>Are there any tutorials/documents which could help?
>
>Up to now i have found the "Linux netfilter Hacking HOWTO", especially
>chapter 4 "Information for Programmers.
>Is this the only help i can obtain?
>
>
>Another question: 
>I have found on www.netfilter.org <www.netfilter.org>  the following statement: 
>"netfilter and iptables are building blocks of a framework inside the Linux <http://www.kernel.org/>  2.4.x and 2.6.x kernel"
>Does this mean, that netfilter and iptables are part of the kernel and don´t have to be installed?
>
>thanks for helping
>gingold tomasz
>berlin
>  
>

Writing new Netfilter Modules

[Gingold Tomasz]

Hello,

i want to write my own netfilter module. Can anybody tell me how to start?
Are there any tutorials/documents which could help?

Up to now i have found the "Linux netfilter Hacking HOWTO", especially
chapter 4 "Information for Programmers.
Is this the only help i can obtain?


Another question: 
I have found on www.netfilter.org <www.netfilter.org>  the following statement: 
"netfilter and iptables are building blocks of a framework inside the Linux <http://www.kernel.org/>  2.4.x and 2.6.x kernel"
Does this mean, that netfilter and iptables are part of the kernel and don´t have to be installed?

thanks for helping
gingold tomasz
berlin

Re: Writing new Netfilter Modules

[Max Kellermann]

On 2005/05/24 12:58, Gingold Tomasz <tomasz.gingold@siemens.com> wrote:
> Up to now i have found the "Linux netfilter Hacking HOWTO", especially
> chapter 4 "Information for Programmers.
> Is this the only help i can obtain?

afaik, yes. Use the source, Luke ;) - reading the source of simple
netfilter modules may give you an idea how to start.

> Another question: I have found on www.netfilter.org
> <www.netfilter.org> the following statement: "netfilter and iptables
> are building blocks of a framework inside the Linux
> <http://www.kernel.org/> 2.4.x and 2.6.x kernel" Does this mean,
> that netfilter and iptables are part of the kernel and don´t have to
> be installed?

iptables is the userspace frontend for netfilter (i.e. it's not part
of the kernel), and needs to be installed. Netfilter itself is
compiled into the kernel.

Max

Re: Writing new Netfilter Modules

[Hadrien HAMEL]

Gingold Tomasz wrote:

>Hello,
>
>i want to write my own netfilter module. Can anybody tell me how to start?
>Are there any tutorials/documents which could help?
>
>Up to now i have found the "Linux netfilter Hacking HOWTO", especially
>chapter 4 "Information for Programmers.
>Is this the only help i can obtain?
>
>
>Another question: 
>I have found on www.netfilter.org <www.netfilter.org>  the following statement: 
>"netfilter and iptables are building blocks of a framework inside the Linux <http://www.kernel.org/>  2.4.x and 2.6.x kernel"
>Does this mean, that netfilter and iptables are part of the kernel and don´t have to be installed?
>
>thanks for helping
>gingold tomasz
>berlin
>
>
>  
>

Hi,

There's a step-by-step description about writing a "match" extension here:

http://www.linuxfocus.org/English/February2005/article367.shtml


I'm planning on writing another tutorial to help people developping
extensions for NetFilter :)
If you have any suggestions, send them to me!

--
Hadrien Hamel
French engineer

Re: Writing new Netfilter Modules

[Kenneth Porter]

--On Thursday, June 02, 2005 7:17 PM +0200 Hadrien HAMEL <hamel@enseirb.fr> 
wrote:

> There's a step-by-step description about writing a "match" extension here:
>
> http://www.linuxfocus.org/English/February2005/article367.shtml
>
>
> I'm planning on writing another tutorial to help people developping
> extensions for NetFilter :)
> If you have any suggestions, send them to me!

Does the 2.6 kernel need to be built with knowledge of a new module, or can 
the module be built completely outside the kernel tree as one does with 
device drivers? It would be nice if one could experiment with new modules 
using a "stock" kernel. One could then use, for instance, the standard Red 
Hat update systems to stay up to date with the latest kernel and use dkms 
(http://linux.dell.com/files/dkms/dkms.html) to rebuild any custom 
netfilter modules.