Re: Implementation of Ebtables target similar to QUEUE

[Patrick McHardy <kaber@trash.net>]

Abhinav Srivastava wrote:
> Hi there,
>
> I have questions regarding the extension of ebtables
> code to support target similar to QUEUE target. In my
> project, I have a requirement of intercepting packets
> inside ebtables and pass some information related to
> packet to userspace tool. Ebtables code should wait to
> receive reply from userspace tool and then drop or
> accept packet. Since, ebtables code run in the context
> of interrupt's bottom half, I cannot wait inside that
> code path.
>
> To avoid that problem, I would like to create queues
> inside ebtables so that I could put that packet into
> the queue and start processing the next packet. I can
> have other design where I send packets to userspace
> and let userspace tool handle the packets. But, I do
> not want to cross the user-kernel boundary for each
> packet.
>
> I need help in order to achieve my first design:
>
> 1) Is my requirement very complex? Can it be achieved
> easily?
>
> 2) What are the parts of ebtables code i should
> change?
>
> 3) In case, userspace tool says accept the packet. How
> I would implement the fucntionality of getting old
> packets from queue and send them out of the network or
> for incoming packets send to higher level protocols?
>
> 4) Is there any effective way for creating queues
> inside ebtables?
>
> I would really appreciate any help or suggestions in
> this regard?

The ebtables part is very easy, just add a target that returns
NF_QUEUE. For the actually queueing and reinjection use
nfnetlink_queue. The two slightly harder parts are:

- Fix the netfilter hooks in the briding code to handle
queued packets, which requires to provide proper okfns
to NF_HOOK that continue packet processing path after
reinjection.

- Fix __nf_queue to not fail when the afinfo lookup is
unsuccessful.

That should be all thats necessary.