* Ebtables plans
[not found] ` <1202494854.2895.11.camel@localhost.localdomain>
@ 2008-02-09 0:49 ` Jan Engelhardt
2008-02-11 20:57 ` Bart De Schuymer
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A85D069@orsmsx423.amr.corp.intel.com>
1 sibling, 1 reply; 16+ messages in thread
From: Jan Engelhardt @ 2008-02-09 0:49 UTC (permalink / raw)
To: Bart De Schuymer, kaber
Cc: Tseng, Kuo-Lang, ebtables-devel, Netfilter Developer Mailing List
On Feb 8 2008 19:20, Bart De Schuymer wrote:
>Hi Kuo,
>
>Thanks for your patch. The patch looks ok. Tiny comment: the header
>diffs belong in the kernel patch and the userspace patch lacks a man
>page update.
>Seems like we'll need a merge of the two kernel patches and extra
>userspace code.
>
>I was gonna give my say about posting to netfilter-devel only, without
>userspace code, but I guess I'm better off restraining myself from doing
>that.
Time to unveil some plans.
I am not sure where exactly I picked the idea up, probably in one of the
last discussions on netfilter-devel, to make ebtables use xtables code.
Well, I am in the process of writing up a bunch of patches to get us
closer to that. Nothing spectacularly interesting for modules (ebt_*.c),
but at the same time I have to give a worry about the userspace code.
ebtables and arptables have not gotten the same attention as iptables
and look a bit disheveled. Eventually I would just merge them with the
iptables tree so it also shares all the option parsing and whatnot.
It would be most convenient to use a better VCS (thinking git) because
running quilt on top of svn or even cvs (ebtables) is not too nice,
even more if the changeset agglomeration is then lost in cvs.
While Patrick still seems to be AWOL for an opinion, I would want to
know from all parties (iptables, ebtables) if we can take this
management step.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Ebtables plans
2008-02-09 0:49 ` Ebtables plans Jan Engelhardt
@ 2008-02-11 20:57 ` Bart De Schuymer
2008-02-16 22:49 ` Jan Engelhardt
0 siblings, 1 reply; 16+ messages in thread
From: Bart De Schuymer @ 2008-02-11 20:57 UTC (permalink / raw)
To: Jan Engelhardt
Cc: kaber, Tseng, Kuo-Lang, ebtables-devel,
Netfilter Developer Mailing List
On Sat, 09-02-2008 at 01:49 +0100, Jan Engelhardt wrote:
> Time to unveil some plans.
>
> I am not sure where exactly I picked the idea up, probably in one of the
> last discussions on netfilter-devel, to make ebtables use xtables code.
> Well, I am in the process of writing up a bunch of patches to get us
> closer to that. Nothing spectacularly interesting for modules (ebt_*.c),
>
> but at the same time I have to give a worry about the userspace code.
> ebtables and arptables have not gotten the same attention as iptables
> and look a bit disheveled. Eventually I would just merge them with the
> iptables tree so it also shares all the option parsing and whatnot.
Arptables was a hack from the start. Ebtables is completely different
code and is not portable with a few simple patches. Thanks for pointing
out your opinion about the code though, it really helps.
> It would be most convenient to use a better VCS (thinking git) because
> running quilt on top of svn or even cvs (ebtables) is not too nice,
> even more if the changeset agglomeration is then lost in cvs.
> While Patrick still seems to be AWOL for an opinion, I would want to
> know from all parties (iptables, ebtables) if we can take this
> management step.
Once ebtables or arptables is in a state so that it can be merged with
the rest of netfilter I'm fine with it residing wherever the netfilter
core team wants.
I'm not going to go change the versioning system at this stage just so
it's a bit more convenient for you. Use whatever versioning tool you
want on your local checked out version.
cheers,
Bart
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [Ebtables-devel] [PATCH] IPv6 dnat/snat support
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A85D440@orsmsx423.amr.corp.intel.com>
@ 2008-02-12 2:26 ` Tseng, Kuo-Lang
2008-02-12 2:43 ` Jan Engelhardt
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-12 2:26 UTC (permalink / raw)
To: Jan Engelhardt, ebtables-devel; +Cc: netfilter-devel, Bart De Schuymer
Tseng, Kuo-Lang wrote on Monday, February 11, 2008 9:59 AM:
> Bart De Schuymer wrote on Sunday, February 10, 2008 9:21 AM:
>
>> On Fri, 08-02-2008 at 16:01 -0800, Tseng, Kuo-Lang wrote:
>>> Bart De Schuymer wrote on Friday, February 08, 2008 10:21 AM:
>>>
>>>> Hi Kuo,
>>>>
>>>> Thanks for your patch. The patch looks ok. Tiny comment: the header
>>>> diffs belong in the kernel patch and the userspace patch lacks a
>>>> man page update. Seems like we'll need a merge of the two kernel
>>>> patches and extra userspace code.
>>>>
>>>> I was gonna give my say about posting to netfilter-devel only,
>>>> without userspace code, but I guess I'm better off restraining
>>>> myself from doing that.
>>>>
>>>> cheers,
>>>> Bart
>>>
>>> Thanks. I have attached an updated userspace patch that includes the
>>> missing man page update and removed the header diffs.
>>
>> It would be better if the ipv6 address and traffic class matching
>> were implemented in the patch. So I'm going to wait for that. Is
>> there any reason why you didn't do this in the first place?
> We wanted to keep the first patch small for the review. Once the first
> patch is merged in, the v6 address and traffic class can be added
> after that.
Hi Jan, have you posted the corresponding patch to ebtables-devel for
the kernel patch you posted in here
http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 ?
If not, I can add the code and send an updated patch to ebtables-devel
to make the v6 support more complete as Bart suggested.
We also need to merge the two kernel patches (your above one and the one
I sent last Friday). Has your kernel patch been pushed in? If not, I'll
add my part on top of yours and send an updated patch to
netfilter-devel. What do you think?
To quickly summarize what we got:
- Your above kernel patch implements matches for TFCLASS, FLOWLBL,
NEXTHDR (w/o skipping ext. header), HOPLIMIT, SRCADDR, and DSTADDR.
- My kernel patch implements matches for PROTOCOL (w/ ext. header
skipped), DPORT, and SPORT and logging for v6.
- My user ebtables patch implements parsing for PROTO, SPORT, and DPORT.
^ permalink raw reply [flat|nested] 16+ messages in thread
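The difference between NEXTHDR matched without skipping extension headers and PROTOCOL matched after skipping them, as summarised in the message above, shown as an added userspace example (not code from either patch or from the kernel). The function names, the rule struct and the sample packet are constructed for illustration, and treating a non-first fragment as having no layer-4 header is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AUTH = 51, NH_NONE = 59, NH_DSTOPTS = 60, IP6_HDR_LEN = 40 };

/* Hypothetical rule: protocol plus an inclusive destination-port range. */
struct port_rule { uint8_t protocol; uint16_t dport_lo, dport_hi; };

static int is_ext_hdr(uint8_t nh)
{
	return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAGMENT ||
	       nh == NH_AUTH || nh == NH_DSTOPTS;
}

/*
 * Walk the extension headers of the IPv6 packet in pkt[0..len).
 * Returns the offset of the upper-layer header and stores its protocol in
 * *proto, or -1 when the chain is truncated, ends in "no next header", or
 * the packet is a non-first fragment (assumption: no layer-4 header then).
 */
static int ip6_upper_layer(const uint8_t *pkt, size_t len, uint8_t *proto)
{
	size_t off = IP6_HDR_LEN, hdrlen;
	uint8_t nh;
	if (len < IP6_HDR_LEN)
		return -1;
	nh = pkt[6];		/* a copy: the packet itself is never written */
	while (is_ext_hdr(nh)) {
		if (off + 8 > len)	/* every extension header is >= 8 bytes */
			return -1;
		if (nh == NH_FRAGMENT) {
			if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8)
				return -1;	/* fragment offset != 0 */
			hdrlen = 8;
		} else if (nh == NH_AUTH) {
			hdrlen = ((size_t)pkt[off + 1] + 2) * 4;
		} else {
			hdrlen = ((size_t)pkt[off + 1] + 1) * 8;
		}
		nh = pkt[off];
		off += hdrlen;
	}
	if (nh == NH_NONE || off > len)
		return -1;
	*proto = nh;
	return (int)off;
}

/* Match on the fixed header's Next Header byte only (no skipping). */
static int match_raw_nexthdr(const uint8_t *pkt, size_t len, uint8_t protocol)
{
	return len >= IP6_HDR_LEN && pkt[6] == protocol;
}

/* Match the protocol found after skipping, then the destination port range. */
static int match_proto_dport(const uint8_t *pkt, size_t len,
			     const struct port_rule *r)
{
	uint8_t proto = 0;
	int off = ip6_upper_layer(pkt, len, &proto);
	unsigned int dport;
	if (off < 0 || proto != r->protocol)
		return 0;
	if ((size_t)off + 4 > len)	/* source and destination port */
		return 0;
	dport = (pkt[off + 2] << 8) | pkt[off + 3];
	return dport >= r->dport_lo && dport <= r->dport_hi;
}

/* Constructed sample: IPv6 + hop-by-hop options + first 4 bytes of TCP. */
static size_t build_sample(uint8_t *buf)
{
	memset(buf, 0, 52);	/* addresses stay all-zero */
	buf[0] = 0x60;		/* version 6 */
	buf[5] = 12;		/* payload length: 8 + 4 */
	buf[6] = NH_HOPOPTS;	/* fixed header points at hop-by-hop */
	buf[40] = NH_TCP;	/* hop-by-hop: next header is TCP */
	buf[42] = 1;		/* PadN option ... */
	buf[43] = 4;		/* ... with 4 bytes of padding */
	buf[48] = 0xC0;		/* source port 49152 */
	buf[50] = 0x01;		/* destination port 443 (0x01BB) */
	buf[51] = 0xBB;
	return 52;
}

int main(void)
{
	uint8_t buf[64];
	struct port_rule https = { NH_TCP, 443, 443 };
	size_t n = build_sample(buf);
	printf("raw=%d skipped=%d\n", match_raw_nexthdr(buf, n, NH_TCP),
	       match_proto_dport(buf, n, &https));
	return 0;
}
```

A rule written against the raw Next Header byte misses this TCP segment because the byte says hop-by-hop; only the walk over the extension header finds the protocol and ports.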
* RE: [Ebtables-devel] [PATCH] IPv6 dnat/snat support
2008-02-12 2:26 ` [Ebtables-devel] [PATCH] IPv6 dnat/snat support Tseng, Kuo-Lang
@ 2008-02-12 2:43 ` Jan Engelhardt
[not found] ` <Pine.LNX.4.64.0802120333400.29955-vVwEwcwQeYFPkBl3ERsXe1l1cybopEuJUBSOeVevoDU@public.gmane.org>
` (2 more replies)
0 siblings, 3 replies; 16+ messages in thread
From: Jan Engelhardt @ 2008-02-12 2:43 UTC (permalink / raw)
To: Tseng, Kuo-Lang; +Cc: ebtables-devel, netfilter-devel, Bart De Schuymer
On Feb 11 2008 18:26, Tseng, Kuo-Lang wrote:
>
>Hi Jan, have you posted the corresponding patch to ebtables-devel for
>the kernel patch you posted in here
>http://marc.info/?l=netfilter-devel&m=120182168424052&w=2 ?
I had not posted ebt_ip6(j) to ebtables-devel. I suppose it's because
I did not consider ebtables too vivid, esp. after confirmation
of Bart being not too active
( http://marc.info/?l=netfilter-devel&m=120083920425755&w=2 ) -- but
right, I should have Cc'ed at least.
>If not, I can add the code and send an updated patch to ebtables-devel
>to make the v6 support more complete as Bart suggested.
>
>We also need to merge the two kernel patches (your above one and the one
>I sent last Friday). Has your kernel patch been pushed in? If not, I'll
>add my part on top of yours and send an updated patch to
>netfilter-devel. What do you think?
The patch did not make it in time for 2.6.25-rc1, but I have it
slated for the next possible time - 2.6.26 or maybe someone
lets it slip into the current rcX :)
Yes, please proceed with adding proper nexthdr parsing (one patch)
and layer-4 port inspection (another patch) - perhaps in two patches.
>To quickly summarize what we got:
>
>- Your above kernel patch implements matches for TFCLASS, FLOWLBL,
>NEXTHDR (w/o skipping ext. header), HOPLIMIT, SRCADDR, and DSTADDR.
>- My kernel patch implements matches for PROTOCOL (w/ ext. header
>skipped), DPORT, and SPORT and logging for v6.
>
>- My user ebtables patch implements parsing for PROTO, SPORT, and DPORT.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Ebtables plans
2008-02-11 20:57 ` Bart De Schuymer
@ 2008-02-16 22:49 ` Jan Engelhardt
0 siblings, 0 replies; 16+ messages in thread
From: Jan Engelhardt @ 2008-02-16 22:49 UTC (permalink / raw)
To: Bart De Schuymer
Cc: kaber, Tseng, Kuo-Lang, ebtables-devel,
Netfilter Developer Mailing List
On Feb 11 2008 21:57, Bart De Schuymer wrote:
>On Sat, 09-02-2008 at 01:49 +0100, Jan Engelhardt wrote:
>> Time to unveil some plans.
>>
>> I am not sure where exactly I picked the idea up, probably in one of the
>> last discussions on netfilter-devel, to make ebtables use xtables code.
>> Well, I am in the process of writing up a bunch of patches to get us
>> closer to that. Nothing spectacularly interesting for modules (ebt_*.c),
>>
>> but at the same time I have to give a worry about the userspace code.
>> ebtables and arptables have not gotten the same attention as iptables
>> and look a bit disheveled. Eventually I would just merge them with the
>> iptables tree so it also shares all the option parsing and whatnot.
>
>Arptables was a hack from the start.
Mh, I particularly like it for one reason: you do not need to make a
half-bridge (a bridge with one port) out of an interface just to do
ARP filtering. Unfortunately, but I hope to change that, arpreply is
only available with a bridge right now.
>Ebtables is completely different
>code and is not portable with a few simple patches.
I noticed. A flag day will most likely be needed to get it into shape,
but it is still looking promising.
Only annoyance so far was ebt_among which uses a dynamic match size, but
other than that it seems that I have successfully converted the
kernel-side ebtables to use x_tables.
>Thanks for pointing
>out your opinion about the code though, it really helps.
>
>I'm not going to go change the versioning system at this stage just so
>it's a bit more convenient for you. Use whatever versioning tool you
>want on your local checked out version.
Right, I have started a blank git without caring about history for now.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 0/2] Add IPv6 support
[not found] ` <Pine.LNX.4.64.0802120333400.29955-vVwEwcwQeYFPkBl3ERsXe1l1cybopEuJUBSOeVevoDU@public.gmane.org>
@ 2008-02-19 1:49 ` Tseng, Kuo-Lang
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A8D0909-7XlYjKTK0pNQxe9IK+vIArfspsVTdybXVpNB7YpNyf8@public.gmane.org>
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-19 1:49 UTC (permalink / raw)
To: ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
netfilter-devel-u79uwXL29TY76Z2rM5mHXA
Cc: Bart De Schuymer
According to
http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/719,
I need to add required functions into userspace ebtables program and
bridge-nf kernel module for parsing and matching on IPv6 header fields
address, traffic class, IP protocol, and layer-4 port ids.
Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Kuo
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/2] Add IPv6 support
[not found] ` <Pine.LNX.4.64.0802070130120.23855-vVwEwcwQeYFPkBl3ERsXe1l1cybopEuJUBSOeVevoDU@public.gmane.org>
@ 2008-02-19 2:05 ` Tseng, Kuo-Lang
2008-02-19 18:27 ` [Ebtables-devel] " Tseng, Kuo-Lang
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-19 2:05 UTC (permalink / raw)
To: netfilter-devel-u79uwXL29TY76Z2rM5mHXA
Cc: Bart De Schuymer, ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
This is the corresponding br-netfilter patch.
It implements matching functions for IPv6 address & traffic class
(merged from the patch sent by Jan Engelhardt [jengelh-bdq14YP6qtRlEiWPh9xO2Q@public.gmane.org]
http://marc.info/?l=netfilter-devel&m=120182168424052&w=2), protocol,
and layer-4 port id. Corresponding watcher logging function is also
added for IPv6.
Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
diff -ruNp a/include/linux/netfilter_bridge/ebt_ip6.h
b/include/linux/netfilter_bridge/ebt_ip6.h
--- a/include/linux/netfilter_bridge/ebt_ip6.h 1969-12-31
16:00:00.000000000 -0800
+++ b/include/linux/netfilter_bridge/ebt_ip6.h 2008-02-18
16:34:57.000000000 -0800
@@ -0,0 +1,40 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ * Manohar Castelino <manohar.r.castelino-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ *
+ * Jan 11, 2008
+ *
+ */
+
+#ifndef __LINUX_BRIDGE_EBT_IP6_H
+#define __LINUX_BRIDGE_EBT_IP6_H
+
+#define EBT_IP6_SOURCE 0x01
+#define EBT_IP6_DEST 0x02
+#define EBT_IP6_TCLASS 0x04
+#define EBT_IP6_PROTO 0x08
+#define EBT_IP6_SPORT 0x10
+#define EBT_IP6_DPORT 0x20
+#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\
+ EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT )
+#define EBT_IP6_MATCH "ip6"
+
+/* the same values are used for the invflags */
+struct ebt_ip6_info
+{
+ struct in6_addr saddr;
+ struct in6_addr daddr;
+ struct in6_addr smsk;
+ struct in6_addr dmsk;
+ uint8_t tclass;
+ uint8_t protocol;
+ uint8_t bitmask;
+ uint8_t invflags;
+ uint16_t sport[2];
+ uint16_t dport[2];
+};
+
+#endif
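Review bot: The ---/+++ file header lines for ebt_ip6.h are split across two lines here (the timestamp sits on its own line), and further down in this mail wrapped continuation lines such as "net_device *in," and "EBT_IP6_SOURCE))" have lost their leading "+", so patch will reject this as posted. Resend with line wrapping disabled in the mailer, or attach the diff.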
diff -ruNp a/include/linux/netfilter_bridge/ebt_log.h
b/include/linux/netfilter_bridge/ebt_log.h
--- a/include/linux/netfilter_bridge/ebt_log.h 2008-02-18
16:32:34.000000000 -0800
+++ b/include/linux/netfilter_bridge/ebt_log.h 2008-02-18
16:34:57.000000000 -0800
@@ -4,7 +4,8 @@
#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip
information */
#define EBT_LOG_ARP 0x02
#define EBT_LOG_NFLOG 0x04
-#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
+#define EBT_LOG_IP6 0x08
+#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
diff -ruNp a/net/bridge/netfilter/ebt_ip6.c
b/net/bridge/netfilter/ebt_ip6.c
--- a/net/bridge/netfilter/ebt_ip6.c 1969-12-31 16:00:00.000000000
-0800
+++ b/net/bridge/netfilter/ebt_ip6.c 2008-02-18 16:26:59.000000000
-0800
@@ -0,0 +1,141 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Manohar Castelino <manohar.r.castelino-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ * Kuo-Lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ * Jan Engelhardt <jengelh-bdq14YP6qtRlEiWPh9xO2Q@public.gmane.org>
+ *
+ * Summary:
+ * This is just a modification of the IPv4 code written by
+ * Bart De Schuymer <bdschuym-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org>
+ * with the changes required to support IPv6
+ *
+ * Jan, 2008
+ */
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_ip6.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <linux/in.h>
+#include <linux/module.h>
+#include <net/dsfield.h>
+
+struct tcpudphdr {
+ uint16_t src;
+ uint16_t dst;
+};
+
+static int ebt_filter_ip6(const struct sk_buff *skb, const struct
net_device *in,
+ const struct net_device *out, const void *data,
+ unsigned int datalen)
+{
+ struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+ struct ipv6hdr _ip6h, *ih6;
+ struct in6_addr tmp_addr;
+ int i;
+
+ ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
+ if (ih6 == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_TCLASS &&
+ FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
+ info->smsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_SOURCE &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
EBT_IP6_SOURCE))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
+ info->dmsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_DEST &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0),
EBT_IP6_DEST))
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_PROTO) {
+ struct tcpudphdr _phdr, *pptr;
+ uint8_t *nexthdrp = &ih6->nexthdr;
+ int offset_ph;
+
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h),
nexthdrp);
+ if (offset_ph == -1)
+ return EBT_NOMATCH;
+ if (FWINV(info->protocol != *nexthdrp, EBT_IP6_PROTO))
+ return EBT_NOMATCH;
+
+ if (!(info->bitmask & EBT_IP6_DPORT) &&
+ !(info->bitmask & EBT_IP6_SPORT))
+ return EBT_MATCH;
+ pptr = skb_header_pointer(skb, offset_ph, sizeof(_phdr),
&_phdr);
+ if (pptr == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_DPORT) {
+ u32 dst = ntohs(pptr->dst);
+ if (FWINV(dst < info->dport[0] ||
+ dst > info->dport[1],
+ EBT_IP6_DPORT))
+ return EBT_NOMATCH;
+ }
+ if (info->bitmask & EBT_IP6_SPORT) {
+ u32 src = ntohs(pptr->src);
+ if (FWINV(src < info->sport[0] ||
+ src > info->sport[1],
+ EBT_IP6_SPORT))
+ return EBT_NOMATCH;
+ }
+ return EBT_MATCH;
+ }
+ return EBT_MATCH;
+}
+
+static int ebt_ip6_check(const char *tablename, unsigned int hookmask,
+ const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+ struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+
+ if (datalen != EBT_ALIGN(sizeof(struct ebt_ip6_info)))
+ return -EINVAL;
+ if (e->ethproto != htons(ETH_P_IPV6) ||
+ e->invflags & EBT_IPROTO)
+ return -EINVAL;
+ if (info->bitmask & ~EBT_IP6_MASK || info->invflags &
~EBT_IP6_MASK)
+ return -EINVAL;
+ if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
+ if (info->invflags & EBT_IP6_PROTO)
+ return -EINVAL;
+ if (info->protocol != IPPROTO_TCP &&
+ info->protocol != IPPROTO_UDP &&
+ info->protocol != IPPROTO_SCTP &&
+ info->protocol != IPPROTO_DCCP)
+ return -EINVAL;
+ }
+ if (info->bitmask & EBT_IP6_DPORT && info->dport[0] >
info->dport[1])
+ return -EINVAL;
+ if (info->bitmask & EBT_IP6_SPORT && info->sport[0] >
info->sport[1])
+ return -EINVAL;
+ return 0;
+}
+
+static struct ebt_match filter_ip6 =
+{
+ .name = EBT_IP6_MATCH,
+ .match = ebt_filter_ip6,
+ .check = ebt_ip6_check,
+ .me = THIS_MODULE,
+};
+
+static int __init ebt_ip6_init(void)
+{
+ return ebt_register_match(&filter_ip6);
+}
+
+static void __exit ebt_ip6_fini(void)
+{
+ ebt_unregister_match(&filter_ip6);
+}
+
+module_init(ebt_ip6_init);
+module_exit(ebt_ip6_fini);
+MODULE_LICENSE("GPL");
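Review bot: In ebt_filter_ip6(), nexthdrp points at ih6->nexthdr and is then handed to ipv6_skip_exthdr(), which stores the final next-header value through that pointer (the following comparison against *nexthdrp relies on exactly that). Whenever skb_header_pointer() returned a pointer into the skb rather than to the _ip6h copy, that store rewrites the Next Header byte of a frame the match only receives as const, leaving a packet whose fixed header no longer describes its extension headers. Copy the field into a local first, e.g. uint8_t nexthdr = ih6->nexthdr; and pass &nexthdr.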
diff -ruNp a/net/bridge/netfilter/ebt_log.c
b/net/bridge/netfilter/ebt_log.c
--- a/net/bridge/netfilter/ebt_log.c 2008-02-18 16:26:37.000000000
-0800
+++ b/net/bridge/netfilter/ebt_log.c 2008-02-18 16:26:58.000000000
-0800
@@ -18,6 +18,8 @@
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/spinlock.h>
+#include <linux/ipv6.h>
+#include <linux/in6.h>
static DEFINE_SPINLOCK(ebt_log_lock);
@@ -112,6 +114,43 @@ ebt_log_packet(unsigned int pf, unsigned
goto out;
}
+ if ((bitmask & EBT_LOG_IP6) && eth_hdr(skb)->h_proto ==
+ htons(ETH_P_IPV6)){
+ struct ipv6hdr _iph, *ih;
+ uint8_t *nexthdrp;
+ int offset_ph;
+
+ ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+ if (ih == NULL) {
+ printk(" INCOMPLETE IPv6 header");
+ goto out;
+ }
+ printk(" IPv6 SRC=%x:%x:%x:%x:%x:%x:%x:%x "
+ "IPv6 DST=%x:%x:%x:%x:%x:%x:%x:%x, IPv6 "
+ "priority=0x%01X, Next Header=%d",
NIP6(ih->saddr),
+ NIP6(ih->daddr), ih->priority, ih->nexthdr);
+ nexthdrp = &ih->nexthdr;
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph),
nexthdrp);
+ if (offset_ph == -1)
+ goto out;
+ if (*nexthdrp == IPPROTO_TCP ||
+ *nexthdrp == IPPROTO_UDP ||
+ *nexthdrp == IPPROTO_SCTP ||
+ *nexthdrp == IPPROTO_DCCP) {
+ struct tcpudphdr _ports, *pptr;
+
+ pptr = skb_header_pointer(skb, offset_ph,
+ sizeof(_ports),
&_ports);
+ if (pptr == NULL) {
+ printk(" INCOMPLETE TCP/UDP header");
+ goto out;
+ }
+ printk(" SPT=%u DPT=%u", ntohs(pptr->src),
+ ntohs(pptr->dst));
+ }
+ goto out;
+ }
+
if ((bitmask & EBT_LOG_ARP) &&
((eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) ||
(eth_hdr(skb)->h_proto == htons(ETH_P_RARP)))) {
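Review bot: The printk in the EBT_LOG_IP6 block reports ih->priority as "IPv6 priority" and ih->nexthdr as "Next Header" before ipv6_skip_exthdr() has run, whereas the ip6 match in this series compares against ipv6_get_dsfield() and the protocol found after the extension headers. A log line that cannot be compared with the rule that produced it is hard to use when auditing a ruleset; log the traffic class and the post-skip protocol instead of, or in addition to, these two. Style: the opening line wants a space before the brace, htons(ETH_P_IPV6)) {.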
diff -ruNp a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
--- a/net/bridge/netfilter/Kconfig 2008-02-18 16:26:37.000000000
-0800
+++ b/net/bridge/netfilter/Kconfig 2008-02-18 16:26:58.000000000
-0800
@@ -83,6 +83,15 @@ config BRIDGE_EBT_IP
To compile it as a module, choose M here. If unsure, say N.
+config BRIDGE_EBT_IP6
+ tristate "ebt: IP6 filter support"
+ depends on BRIDGE_NF_EBTABLES
+ help
+ This option adds the IP6 match, which allows basic IPV6 header
field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config BRIDGE_EBT_LIMIT
tristate "ebt: limit match support"
depends on BRIDGE_NF_EBTABLES
diff -ruNp a/net/bridge/netfilter/Makefile
b/net/bridge/netfilter/Makefile
--- a/net/bridge/netfilter/Makefile 2008-02-18 16:26:37.000000000
-0800
+++ b/net/bridge/netfilter/Makefile 2008-02-18 16:26:59.000000000
-0800
@@ -14,6 +14,7 @@ obj-$(CONFIG_BRIDGE_EBT_802_3) += ebt_80
obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o
obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o
obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
+obj-$(CONFIG_BRIDGE_EBT_IP6) += ebt_ip6.o
obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o
obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 0/2] Add IPv6 support
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A8D0909-7XlYjKTK0pNQxe9IK+vIArfspsVTdybXVpNB7YpNyf8@public.gmane.org>
@ 2008-02-19 15:03 ` Patrick McHardy
2008-02-19 17:46 ` [Ebtables-devel] " Bart De Schuymer
0 siblings, 1 reply; 16+ messages in thread
From: Patrick McHardy @ 2008-02-19 15:03 UTC (permalink / raw)
To: Tseng, Kuo-Lang
Cc: Bart De Schuymer, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
Tseng, Kuo-Lang wrote:
> According to
> http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/719,
> I need to add required functions into userspace ebtables program and
> bridge-nf kernel module for parsing and matching on IPv6 header fields
> address, traffic class, IP protocol, and layer-4 port ids.
>
> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
I'll queue this for 2.6.26 if Bart is fine with these patches.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [Ebtables-devel] [PATCH 0/2] Add IPv6 support
2008-02-19 15:03 ` Patrick McHardy
@ 2008-02-19 17:46 ` Bart De Schuymer
0 siblings, 0 replies; 16+ messages in thread
From: Bart De Schuymer @ 2008-02-19 17:46 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Tseng, Kuo-Lang, ebtables-devel, netfilter-devel
On Tue, 19-02-2008 at 16:03 +0100, Patrick McHardy wrote:
> Tseng, Kuo-Lang wrote:
> > According to
> > http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/719,
> > I need to add required functions into userspace ebtables program and
> > bridge-nf kernel module for parsing and matching on IPv6 header fields
> > address, traffic class, IP protocol, and layer-4 port ids.
> >
> > Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
>
>
> I'll queue this for 2.6.26 if Bart is fine with these patches.
I received this with lines split around 80 characters. Kuo, please
repost with an attachment or fix your mailer...
cheers,
Bart
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [Ebtables-devel] [PATCH 2/2] Add IPv6 support
2008-02-19 2:05 ` [PATCH 2/2] " Tseng, Kuo-Lang
@ 2008-02-19 18:27 ` Tseng, Kuo-Lang
2008-04-08 17:37 ` Patrick McHardy
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-19 18:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: Bart De Schuymer, ebtables-devel
[-- Attachment #1: Type: text/plain, Size: 583 bytes --]
Tseng, Kuo-Lang wrote on Monday, February 18, 2008 6:05 PM:
> This is the corresponding br-netfilter patch.
>
> It implements matching functions for IPv6 address & traffic class
> (merged from the patch sent by Jan Engelhardt
> [jengelh@computergmbh.de]
> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2), protocol,
> and layer-4 port id. Corresponding watcher logging function is also
> added for IPv6.
>
> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
Reposting the patch as an attachment (earlier one had line split. Sorry
about that)
[-- Attachment #2: br-nf.patch --]
[-- Type: application/octet-stream, Size: 9065 bytes --]
diff -ruNp a/include/linux/netfilter_bridge/ebt_ip6.h b/include/linux/netfilter_bridge/ebt_ip6.h
--- a/include/linux/netfilter_bridge/ebt_ip6.h 1969-12-31 16:00:00.000000000 -0800
+++ b/include/linux/netfilter_bridge/ebt_ip6.h 2008-02-18 16:34:57.000000000 -0800
@@ -0,0 +1,40 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Manohar Castelino <manohar.r.castelino@intel.com>
+ *
+ * Jan 11, 2008
+ *
+ */
+
+#ifndef __LINUX_BRIDGE_EBT_IP6_H
+#define __LINUX_BRIDGE_EBT_IP6_H
+
+#define EBT_IP6_SOURCE 0x01
+#define EBT_IP6_DEST 0x02
+#define EBT_IP6_TCLASS 0x04
+#define EBT_IP6_PROTO 0x08
+#define EBT_IP6_SPORT 0x10
+#define EBT_IP6_DPORT 0x20
+#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\
+ EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT )
+#define EBT_IP6_MATCH "ip6"
+
+/* the same values are used for the invflags */
+struct ebt_ip6_info
+{
+ struct in6_addr saddr;
+ struct in6_addr daddr;
+ struct in6_addr smsk;
+ struct in6_addr dmsk;
+ uint8_t tclass;
+ uint8_t protocol;
+ uint8_t bitmask;
+ uint8_t invflags;
+ uint16_t sport[2];
+ uint16_t dport[2];
+};
+
+#endif
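Review bot: struct ebt_ip6_info uses struct in6_addr and uint8_t/uint16_t, but the header includes nothing that defines them, so it only compiles when the includer happens to pull those definitions in first. Since the same structure is filled in by the userspace ebtables patch, include the defining headers here and consider the __u8/__u16 types used by other exported kernel headers. A comment stating the byte order of sport[] and dport[] would also help; the match compares them against ntohs() results, so they are host order.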
diff -ruNp a/include/linux/netfilter_bridge/ebt_log.h b/include/linux/netfilter_bridge/ebt_log.h
--- a/include/linux/netfilter_bridge/ebt_log.h 2008-02-18 16:32:34.000000000 -0800
+++ b/include/linux/netfilter_bridge/ebt_log.h 2008-02-18 16:34:57.000000000 -0800
@@ -4,7 +4,8 @@
#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
#define EBT_LOG_ARP 0x02
#define EBT_LOG_NFLOG 0x04
-#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
+#define EBT_LOG_IP6 0x08
+#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
diff -ruNp a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
--- a/net/bridge/netfilter/ebt_ip6.c 1969-12-31 16:00:00.000000000 -0800
+++ b/net/bridge/netfilter/ebt_ip6.c 2008-02-19 10:09:33.000000000 -0800
@@ -0,0 +1,142 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Manohar Castelino <manohar.r.castelino@intel.com>
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ *
+ * Summary:
+ * This is just a modification of the IPv4 code written by
+ * Bart De Schuymer <bdschuym@pandora.be>
+ * with the changes required to support IPv6
+ *
+ * Jan, 2008
+ */
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_ip6.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <linux/in.h>
+#include <linux/module.h>
+#include <net/dsfield.h>
+
+struct tcpudphdr {
+ uint16_t src;
+ uint16_t dst;
+};
+
+static int ebt_filter_ip6(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out, const void *data,
+ unsigned int datalen)
+{
+ struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+ struct ipv6hdr _ip6h, *ih6;
+ struct in6_addr tmp_addr;
+ int i;
+
+ ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
+ if (ih6 == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_TCLASS &&
+ FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
+ info->smsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_SOURCE &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0), EBT_IP6_SOURCE))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
+ info->dmsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_DEST &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_PROTO) {
+ struct tcpudphdr _phdr, *pptr;
+ uint8_t *nexthdrp = &ih6->nexthdr;
+ int offset_ph;
+
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), nexthdrp);
+ if (offset_ph == -1)
+ return EBT_NOMATCH;
+ if (FWINV(info->protocol != *nexthdrp, EBT_IP6_PROTO))
+ return EBT_NOMATCH;
+
+ if (!(info->bitmask & EBT_IP6_DPORT) &&
+ !(info->bitmask & EBT_IP6_SPORT))
+ return EBT_MATCH;
+ pptr = skb_header_pointer(skb, offset_ph, sizeof(_phdr), &_phdr);
+ if (pptr == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_DPORT) {
+ u32 dst = ntohs(pptr->dst);
+ if (FWINV(dst < info->dport[0] ||
+ dst > info->dport[1],
+ EBT_IP6_DPORT))
+ return EBT_NOMATCH;
+ }
+ if (info->bitmask & EBT_IP6_SPORT) {
+ u32 src = ntohs(pptr->src);
+ if (FWINV(src < info->sport[0] ||
+ src > info->sport[1],
+ EBT_IP6_SPORT))
+ return EBT_NOMATCH;
+ }
+ return EBT_MATCH;
+ }
+ return EBT_MATCH;
+}
+
+static int ebt_ip6_check(const char *tablename, unsigned int hookmask,
+ const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+ struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+
+ if (datalen != EBT_ALIGN(sizeof(struct ebt_ip6_info)))
+ return -EINVAL;
+ if (e->ethproto != htons(ETH_P_IPV6) ||
+ e->invflags & EBT_IPROTO)
+ return -EINVAL;
+ if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
+ return -EINVAL;
+ if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
+ if (info->invflags & EBT_IP6_PROTO)
+ return -EINVAL;
+ if (info->protocol != IPPROTO_TCP &&
+ info->protocol != IPPROTO_UDP &&
+ info->protocol != IPPROTO_SCTP &&
+ info->protocol != IPPROTO_DCCP)
+ return -EINVAL;
+ }
+ if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
+ return -EINVAL;
+ if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
+ return -EINVAL;
+ return 0;
+}
+
+static struct ebt_match filter_ip6 =
+{
+ .name = EBT_IP6_MATCH,
+ .match = ebt_filter_ip6,
+ .check = ebt_ip6_check,
+ .me = THIS_MODULE,
+};
+
+static int __init ebt_ip6_init(void)
+{
+ return ebt_register_match(&filter_ip6);
+}
+
+static void __exit ebt_ip6_fini(void)
+{
+ ebt_unregister_match(&filter_ip6);
+}
+
+module_init(ebt_ip6_init);
+module_exit(ebt_ip6_fini);
+MODULE_LICENSE("GPL");
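Review bot: The port comparison in ebt_filter_ip6() sits inside if (info->bitmask & EBT_IP6_PROTO), but ebt_ip6_check() never requires that bit when EBT_IP6_SPORT or EBT_IP6_DPORT is set; it only tests info->protocol and rejects an inverted protocol. A rule with a port bit set and EBT_IP6_PROTO clear therefore passes the check and then falls through to the final return EBT_MATCH, matching every frame regardless of port. Either reject that combination in ebt_ip6_check() with -EINVAL or move the port test out of the protocol branch.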
diff -ruNp a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
--- a/net/bridge/netfilter/ebt_log.c 2008-02-18 16:26:37.000000000 -0800
+++ b/net/bridge/netfilter/ebt_log.c 2008-02-19 10:09:33.000000000 -0800
@@ -18,6 +18,8 @@
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/spinlock.h>
+#include <linux/ipv6.h>
+#include <linux/in6.h>
static DEFINE_SPINLOCK(ebt_log_lock);
@@ -112,6 +114,43 @@ ebt_log_packet(unsigned int pf, unsigned
goto out;
}
+ if ((bitmask & EBT_LOG_IP6) && eth_hdr(skb)->h_proto ==
+ htons(ETH_P_IPV6)){
+ struct ipv6hdr _iph, *ih;
+ uint8_t *nexthdrp;
+ int offset_ph;
+
+ ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+ if (ih == NULL) {
+ printk(" INCOMPLETE IPv6 header");
+ goto out;
+ }
+ printk(" IPv6 SRC=%x:%x:%x:%x:%x:%x:%x:%x "
+ "IPv6 DST=%x:%x:%x:%x:%x:%x:%x:%x, IPv6 "
+ "priority=0x%01X, Next Header=%d", NIP6(ih->saddr),
+ NIP6(ih->daddr), ih->priority, ih->nexthdr);
+ nexthdrp = &ih->nexthdr;
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph), nexthdrp);
+ if (offset_ph == -1)
+ goto out;
+ if (*nexthdrp == IPPROTO_TCP ||
+ *nexthdrp == IPPROTO_UDP ||
+ *nexthdrp == IPPROTO_SCTP ||
+ *nexthdrp == IPPROTO_DCCP) {
+ struct tcpudphdr _ports, *pptr;
+
+ pptr = skb_header_pointer(skb, offset_ph,
+ sizeof(_ports), &_ports);
+ if (pptr == NULL) {
+ printk(" INCOMPLETE TCP/UDP header");
+ goto out;
+ }
+ printk(" SPT=%u DPT=%u", ntohs(pptr->src),
+ ntohs(pptr->dst));
+ }
+ goto out;
+ }
+
if ((bitmask & EBT_LOG_ARP) &&
((eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) ||
(eth_hdr(skb)->h_proto == htons(ETH_P_RARP)))) {
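Review bot: `nexthdrp = &ih->nexthdr;` gives ipv6_skip_exthdr() a pointer into the header that skb_header_pointer() returned, and ipv6_skip_exthdr() stores the final next-header value through that pointer. When skb_header_pointer() returns a direct pointer into the skb rather than the `_iph` copy, logging a packet that carries extension headers rewrites the Next Header byte of the packet itself. Copy the field into a local (`uint8_t nexthdr = ih->nexthdr;`), pass `&nexthdr`, and declare `ih` as `const struct ipv6hdr *` so the compiler rejects this kind of write. The TCP/UDP/SCTP/DCCP port block is also a copy of the IPv4 branch in the same function and could be one shared helper.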
diff -ruNp a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
--- a/net/bridge/netfilter/Kconfig 2008-02-18 16:26:37.000000000 -0800
+++ b/net/bridge/netfilter/Kconfig 2008-02-19 10:09:33.000000000 -0800
@@ -83,6 +83,15 @@ config BRIDGE_EBT_IP
To compile it as a module, choose M here. If unsure, say N.
+config BRIDGE_EBT_IP6
+ tristate "ebt: IP6 filter support"
+ depends on BRIDGE_NF_EBTABLES
+ help
+ This option adds the IP6 match, which allows basic IPV6 header field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config BRIDGE_EBT_LIMIT
tristate "ebt: limit match support"
depends on BRIDGE_NF_EBTABLES
diff -ruNp a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
--- a/net/bridge/netfilter/Makefile 2008-02-18 16:26:37.000000000 -0800
+++ b/net/bridge/netfilter/Makefile 2008-02-19 10:09:33.000000000 -0800
@@ -14,6 +14,7 @@ obj-$(CONFIG_BRIDGE_EBT_802_3) += ebt_80
obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o
obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o
obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
+obj-$(CONFIG_BRIDGE_EBT_IP6) += ebt_ip6.o
obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o
obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [Ebtables-devel] [PATCH 0/2] Add IPv6 support
2008-02-12 2:43 ` Jan Engelhardt
[not found] ` <Pine.LNX.4.64.0802120333400.29955-vVwEwcwQeYFPkBl3ERsXe1l1cybopEuJUBSOeVevoDU@public.gmane.org>
@ 2008-02-26 19:08 ` Tseng, Kuo-Lang
2008-02-26 19:11 ` Tseng, Kuo-Lang
2 siblings, 0 replies; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-26 19:08 UTC (permalink / raw)
To: Tseng, Kuo-Lang, ebtables-devel, netfilter-devel; +Cc: Bart De Schuymer
Tseng, Kuo-Lang wrote on Monday, February 18, 2008 5:49 PM:
> According to
> http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/719,
> I need to add required functions into userspace ebtables program and
> bridge-nf kernel module for parsing and matching on IPv6 header
> fields address, traffic class, IP protocol, and layer-4 port ids.
>
> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
I haven't heard any feedback yet. Since these patches have been accepted
upstream, I suggest we can push the patch files into our tree (this will
be needed by va_nw_mgr for adding IPv6 support).
The kernel patch (sent in the [PATCH 2/2] mail) needs to be applied into
linux-2.6.18-xen source. Is it the hg/xen/patches/linux-2.6.18 directory
that we should add the patch file into? Who can do this push?
For the userspace change, since I don't see ebtables user space source in
our tree, I assume we only need to push in the executable ebtables,
which should be in /sbin in sos file system.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 0/2] Add IPv6 support
2008-02-12 2:43 ` Jan Engelhardt
[not found] ` <Pine.LNX.4.64.0802120333400.29955-vVwEwcwQeYFPkBl3ERsXe1l1cybopEuJUBSOeVevoDU@public.gmane.org>
2008-02-26 19:08 ` Tseng, Kuo-Lang
@ 2008-02-26 19:11 ` Tseng, Kuo-Lang
2 siblings, 0 replies; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-26 19:11 UTC (permalink / raw)
To: Tseng, Kuo-Lang, ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
netfilter-devel-u79uwXL29TY76Z2rM5mHXA
Cc: Bart De Schuymer
Tseng, Kuo-Lang wrote on Tuesday, February 26, 2008 11:09 AM:
> Tseng, Kuo-Lang wrote on Monday, February 18, 2008 5:49 PM:
>
>> According to
>> http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/719,
>> I need to add required functions into userspace ebtables program and
>> bridge-nf kernel module for parsing and matching on IPv6 header
>> fields address, traffic class, IP protocol, and layer-4 port ids.
>>
>> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
>
> I haven't heard any feedback yet. Since these patches have been
> accepted upstream, I suggest we can push the patch files into our
> tree (this will be needed by va_nw_mgr for adding IPv6 support).
>
> The kernel patch (sent in the [PATCH 2/2] mail) needs to be applied into
> linux-2.6.18-xen source. Is it the hg/xen/patches/linux-2.6.18
> directory that we should add the patch file into? Who can do this
> push?
>
> For the userspace change, since I don't see ebtables user space source in
> our tree, I assume we only need to push in the executable ebtables,
> which should be in /sbin in sos file system.
Please ignore my previous email (was sent to wrong mailing list).
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [Ebtables-devel] [PATCH 2/2] Add IPv6 support
2008-02-19 18:27 ` [Ebtables-devel] " Tseng, Kuo-Lang
@ 2008-04-08 17:37 ` Patrick McHardy
[not found] ` <47FBAD77.2050701-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
0 siblings, 1 reply; 16+ messages in thread
From: Patrick McHardy @ 2008-04-08 17:37 UTC (permalink / raw)
To: Tseng, Kuo-Lang; +Cc: netfilter-devel, Bart De Schuymer, ebtables-devel
Tseng, Kuo-Lang wrote:
> Tseng, Kuo-Lang wrote on Monday, February 18, 2008 6:05 PM:
>
>> This is the corresponding br-netfilter patch.
>>
>> It implements matching functions for IPv6 address & traffic class
>> (merged from the patch sent by Jan Engelhardt
>> [jengelh@computergmbh.de]
>> http://marc.info/?l=netfilter-devel&m=120182168424052&w=2), protocol,
>> and layer-4 port id. Corresponding watcher logging function is also
>> added for IPv6.
>>
>> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
>
> Reposting the patch as an attachment (earlier one had line split. Sorry
> about that)
I wanted to apply this, but the patch has multiple checkpatch
errors. There are also some codingstyle errors checkpatch doesn't
complain about, like:
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
^^^ needs tab
It also seems the TCP/UDP/.. logging part could be shared between
IPv4 and IPv6. The protocol checks seem to be missing UDPLITE.
Please fix those up and resend, thanks.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/2] Add IPv6 support
[not found] ` <47FBAD77.2050701-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
@ 2008-04-10 20:23 ` Tseng, Kuo-Lang
2008-04-21 4:50 ` [Ebtables-devel] " Tseng, Kuo-Lang
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-04-10 20:23 UTC (permalink / raw)
To: Patrick McHardy
Cc: Bart De Schuymer, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
Patrick McHardy wrote on Tuesday, April 08, 2008 10:38 AM:
>
>
> I wanted to apply this, but the patch has multiple checkpatch
> errors. There are also some codingstyle errors checkpatch doesn't
> complain about, like:
>
> + for (i = 0; i < 4; i++)
> + tmp_addr.in6_u.u6_addr32[i] =
> ih6->saddr.in6_u.u6_addr32[i] & ^^^ needs tab
>
> It also seems the TCP/UDP/.. logging part could be shared between
> IPv4 and IPv6. The protocol checks seem to be missing UDPLITE.
>
> Please fix those up and resend, thanks.
I'll fix and re-send the patch next week.
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [Ebtables-devel] [PATCH 2/2] Add IPv6 support
2008-04-10 20:23 ` Tseng, Kuo-Lang
@ 2008-04-21 4:50 ` Tseng, Kuo-Lang
2008-04-21 14:41 ` Patrick McHardy
0 siblings, 1 reply; 16+ messages in thread
From: Tseng, Kuo-Lang @ 2008-04-21 4:50 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, Bart De Schuymer, ebtables-devel
[-- Attachment #1: Type: text/plain, Size: 850 bytes --]
Tseng, Kuo-Lang wrote on Thursday, April 10, 2008 1:23 PM:
> Patrick McHardy wrote on Tuesday, April 08, 2008 10:38 AM:
>>
>>
>> I wanted to apply this, but the patch has multiple checkpatch
>> errors. There are also some codingstyle errors checkpatch doesn't
>> complain about, like:
>>
>> + for (i = 0; i < 4; i++)
>> + tmp_addr.in6_u.u6_addr32[i] =
>> ih6->saddr.in6_u.u6_addr32[i] & ^^^ needs tab
>>
>> It also seems the TCP/UDP/.. logging part could be shared between
>> IPv4 and IPv6. The protocol checks seem to be missing UDPLITE.
>>
>> Please fix those up and resend, thanks.
>
> I'll fix and re-send the patch next week.
Hi,
Please try out the updated patch. It has fixed the coding style errors
and added protocol checks for UDPLITE, and shared the TCP/UDP/.. logging
part.
[-- Attachment #2: br-nf.patch --]
[-- Type: application/octet-stream, Size: 10211 bytes --]
diff -ruNp a/include/linux/netfilter_bridge/ebt_ip6.h b/include/linux/netfilter_bridge/ebt_ip6.h
--- a/include/linux/netfilter_bridge/ebt_ip6.h 1969-12-31 16:00:00.000000000 -0800
+++ b/include/linux/netfilter_bridge/ebt_ip6.h 2008-04-20 17:41:22.000000000 -0700
@@ -0,0 +1,40 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Manohar Castelino <manohar.r.castelino@intel.com>
+ *
+ * Jan 11, 2008
+ *
+ */
+
+#ifndef __LINUX_BRIDGE_EBT_IP6_H
+#define __LINUX_BRIDGE_EBT_IP6_H
+
+#define EBT_IP6_SOURCE 0x01
+#define EBT_IP6_DEST 0x02
+#define EBT_IP6_TCLASS 0x04
+#define EBT_IP6_PROTO 0x08
+#define EBT_IP6_SPORT 0x10
+#define EBT_IP6_DPORT 0x20
+#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\
+ EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT )
+#define EBT_IP6_MATCH "ip6"
+
+/* the same values are used for the invflags */
+struct ebt_ip6_info
+{
+ struct in6_addr saddr;
+ struct in6_addr daddr;
+ struct in6_addr smsk;
+ struct in6_addr dmsk;
+ uint8_t tclass;
+ uint8_t protocol;
+ uint8_t bitmask;
+ uint8_t invflags;
+ uint16_t sport[2];
+ uint16_t dport[2];
+};
+
+#endif
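Review bot: struct ebt_ip6_info is the rule data the kernel receives, yet nothing in the header says what byte order sport[2] and dport[2] use. The match code compares them against ntohs() of the packet's ports, so they are host order, and a one-line comment on the two arrays would keep a userspace writer from storing network-order values that then pass the `sport[0] > sport[1]` sanity check by accident. The header also uses struct in6_addr without including anything that defines it, and `EBT_IP6_DPORT )` has a stray space before the closing parenthesis.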
diff -ruNp a/include/linux/netfilter_bridge/ebt_log.h b/include/linux/netfilter_bridge/ebt_log.h
--- a/include/linux/netfilter_bridge/ebt_log.h 2008-04-20 16:21:21.000000000 -0700
+++ b/include/linux/netfilter_bridge/ebt_log.h 2008-04-20 17:41:22.000000000 -0700
@@ -4,7 +4,8 @@
#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
#define EBT_LOG_ARP 0x02
#define EBT_LOG_NFLOG 0x04
-#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
+#define EBT_LOG_IP6 0x08
+#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
diff -ruNp a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
--- a/net/bridge/netfilter/ebt_ip6.c 1969-12-31 16:00:00.000000000 -0800
+++ b/net/bridge/netfilter/ebt_ip6.c 2008-04-20 17:39:21.000000000 -0700
@@ -0,0 +1,144 @@
+/*
+ * ebt_ip6
+ *
+ * Authors:
+ * Manohar Castelino <manohar.r.castelino@intel.com>
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ *
+ * Summary:
+ * This is just a modification of the IPv4 code written by
+ * Bart De Schuymer <bdschuym@pandora.be>
+ * with the changes required to support IPv6
+ *
+ * Jan, 2008
+ */
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_ip6.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <linux/in.h>
+#include <linux/module.h>
+#include <net/dsfield.h>
+
+struct tcpudphdr {
+ uint16_t src;
+ uint16_t dst;
+};
+
+static int ebt_filter_ip6(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out, const void *data,
+ unsigned int datalen)
+{
+ const struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+ const struct ipv6hdr *ih6;
+ struct ipv6hdr _ip6h;
+ const struct tcpudphdr *pptr;
+ struct tcpudphdr _ports;
+ struct in6_addr tmp_addr;
+ int i;
+
+ ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
+ if (ih6 == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_TCLASS &&
+ FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
+ info->smsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_SOURCE &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
+ EBT_IP6_SOURCE))
+ return EBT_NOMATCH;
+ for (i = 0; i < 4; i++)
+ tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
+ info->dmsk.in6_u.u6_addr32[i];
+ if (info->bitmask & EBT_IP6_DEST &&
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_PROTO) {
+ uint8_t nexthdr = ih6->nexthdr;
+ int offset_ph;
+
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr);
+ if (offset_ph == -1)
+ return EBT_NOMATCH;
+ if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO))
+ return EBT_NOMATCH;
+ if (!(info->bitmask & EBT_IP6_DPORT) &&
+ !(info->bitmask & EBT_IP6_SPORT))
+ return EBT_MATCH;
+ pptr = skb_header_pointer(skb, offset_ph, sizeof(_ports),
+ &_ports);
+ if (pptr == NULL)
+ return EBT_NOMATCH;
+ if (info->bitmask & EBT_IP6_DPORT) {
+ u32 dst = ntohs(pptr->dst);
+ if (FWINV(dst < info->dport[0] ||
+ dst > info->dport[1], EBT_IP6_DPORT))
+ return EBT_NOMATCH;
+ }
+ if (info->bitmask & EBT_IP6_SPORT) {
+ u32 src = ntohs(pptr->src);
+ if (FWINV(src < info->sport[0] ||
+ src > info->sport[1], EBT_IP6_SPORT))
+ return EBT_NOMATCH;
+ }
+ return EBT_MATCH;
+ }
+ return EBT_MATCH;
+}
+
+static int ebt_ip6_check(const char *tablename, unsigned int hookmask,
+ const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+ struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
+
+ if (datalen != EBT_ALIGN(sizeof(struct ebt_ip6_info)))
+ return -EINVAL;
+ if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
+ return -EINVAL;
+ if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
+ return -EINVAL;
+ if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
+ if (info->invflags & EBT_IP6_PROTO)
+ return -EINVAL;
+ if (info->protocol != IPPROTO_TCP &&
+ info->protocol != IPPROTO_UDP &&
+ info->protocol != IPPROTO_UDPLITE &&
+ info->protocol != IPPROTO_SCTP &&
+ info->protocol != IPPROTO_DCCP)
+ return -EINVAL;
+ }
+ if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
+ return -EINVAL;
+ if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
+ return -EINVAL;
+ return 0;
+}
+
+static struct ebt_match filter_ip6 =
+{
+ .name = EBT_IP6_MATCH,
+ .match = ebt_filter_ip6,
+ .check = ebt_ip6_check,
+ .me = THIS_MODULE,
+};
+
+static int __init ebt_ip6_init(void)
+{
+ return ebt_register_match(&filter_ip6);
+}
+
+static void __exit ebt_ip6_fini(void)
+{
+ ebt_unregister_match(&filter_ip6);
+}
+
+module_init(ebt_ip6_init);
+module_exit(ebt_ip6_fini);
+MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
+MODULE_LICENSE("GPL");
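Review bot: ebt_ip6_check() accepts a rule that sets EBT_IP6_SPORT or EBT_IP6_DPORT without EBT_IP6_PROTO in info->bitmask, but ebt_filter_ip6() only reaches the port comparison inside `if (info->bitmask & EBT_IP6_PROTO)`, so such a rule falls through to the final `return EBT_MATCH` and its port range is never evaluated. The check rejects an inverted protocol and an unsupported info->protocol value, yet never requires the protocol bit itself; add `if (!(info->bitmask & EBT_IP6_PROTO)) return -EINVAL;` inside the port block of the check. Separately, struct tcpudphdr holds values that are passed to ntohs(), so its members should be __be16 rather than uint16_t, and the continuation lines of the two address-masking loops need a tab.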
diff -ruNp a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
--- a/net/bridge/netfilter/ebt_log.c 2008-04-20 16:22:24.000000000 -0700
+++ b/net/bridge/netfilter/ebt_log.c 2008-04-20 17:46:19.000000000 -0700
@@ -18,6 +18,9 @@
#include <linux/if_arp.h>
#include <linux/spinlock.h>
#include <net/netfilter/nf_log.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <linux/in6.h>
static DEFINE_SPINLOCK(ebt_log_lock);
@@ -58,6 +61,27 @@ static void print_MAC(const unsigned cha
printk("%02x%c", *p, i == ETH_ALEN - 1 ? ' ':':');
}
+static void
+print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
+{
+ if (protocol == IPPROTO_TCP ||
+ protocol == IPPROTO_UDP ||
+ protocol == IPPROTO_UDPLITE ||
+ protocol == IPPROTO_SCTP ||
+ protocol == IPPROTO_DCCP) {
+ const struct tcpudphdr *pptr;
+ struct tcpudphdr _ports;
+
+ pptr = skb_header_pointer(skb, offset,
+ sizeof(_ports), &_ports);
+ if (pptr == NULL) {
+ printk(" INCOMPLETE TCP/UDP header");
+ return;
+ }
+ printk(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst));
+ }
+}
+
#define myNIPQUAD(a) a[0], a[1], a[2], a[3]
static void
ebt_log_packet(unsigned int pf, unsigned int hooknum,
@@ -95,23 +119,31 @@ ebt_log_packet(unsigned int pf, unsigned
printk(" IP SRC=%u.%u.%u.%u IP DST=%u.%u.%u.%u, IP "
"tos=0x%02X, IP proto=%d", NIPQUAD(ih->saddr),
NIPQUAD(ih->daddr), ih->tos, ih->protocol);
- if (ih->protocol == IPPROTO_TCP ||
- ih->protocol == IPPROTO_UDP ||
- ih->protocol == IPPROTO_UDPLITE ||
- ih->protocol == IPPROTO_SCTP ||
- ih->protocol == IPPROTO_DCCP) {
- const struct tcpudphdr *pptr;
- struct tcpudphdr _ports;
-
- pptr = skb_header_pointer(skb, ih->ihl*4,
- sizeof(_ports), &_ports);
- if (pptr == NULL) {
- printk(" INCOMPLETE TCP/UDP header");
- goto out;
- }
- printk(" SPT=%u DPT=%u", ntohs(pptr->src),
- ntohs(pptr->dst));
+ print_ports(skb, ih->protocol, ih->ihl*4);
+ goto out;
+ }
+
+ if ((bitmask & EBT_LOG_IP6) && eth_hdr(skb)->h_proto ==
+ htons(ETH_P_IPV6)){
+ const struct ipv6hdr *ih;
+ struct ipv6hdr _iph;
+ uint8_t nexthdr;
+ int offset_ph;
+
+ ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+ if (ih == NULL) {
+ printk(" INCOMPLETE IPv6 header");
+ goto out;
}
+ printk(" IPv6 SRC=%x:%x:%x:%x:%x:%x:%x:%x "
+ "IPv6 DST=%x:%x:%x:%x:%x:%x:%x:%x, IPv6 "
+ "priority=0x%01X, Next Header=%d", NIP6(ih->saddr),
+ NIP6(ih->daddr), ih->priority, ih->nexthdr);
+ nexthdr = ih->nexthdr;
+ offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph), &nexthdr);
+ if (offset_ph == -1)
+ goto out;
+ print_ports(skb, nexthdr, offset_ph);
goto out;
}
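Review bot: the IPv6 log line prints `ih->priority` with a one-digit format, which is only the 4-bit priority field of struct ipv6hdr, while the ip6 match in this same patch compares the full traffic class through ipv6_get_dsfield(). The logged value therefore cannot be compared with the tclass a rule was written with; log ipv6_get_dsfield(ih) instead. "Next Header=%d" likewise prints the first next-header byte rather than the upper-layer protocol that ipv6_skip_exthdr() resolves and that print_ports() acts on, so printing `nexthdr` after the skip would make the line self-consistent. `htons(ETH_P_IPV6)){` also needs a space before the brace.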
diff -ruNp a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
--- a/net/bridge/netfilter/Kconfig 2008-04-20 16:22:24.000000000 -0700
+++ b/net/bridge/netfilter/Kconfig 2008-04-20 17:39:21.000000000 -0700
@@ -83,6 +83,15 @@ config BRIDGE_EBT_IP
To compile it as a module, choose M here. If unsure, say N.
+config BRIDGE_EBT_IP6
+ tristate "ebt: IP6 filter support"
+ depends on BRIDGE_NF_EBTABLES
+ help
+ This option adds the IP6 match, which allows basic IPV6 header field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config BRIDGE_EBT_LIMIT
tristate "ebt: limit match support"
depends on BRIDGE_NF_EBTABLES
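Review bot: BRIDGE_EBT_IP6 depends only on BRIDGE_NF_EBTABLES, while ebt_ip6.c calls ipv6_skip_exthdr(), and the ebt_log.c change calls it unconditionally as well. Confirm both files still link in a kernel configured without IPv6; if they do not, add `&& IPV6` to this dependency and guard the new IPv6 block in ebt_log.c on the same symbol. The help text mixes "IP6" and "IPV6"; "IPv6" throughout would match the rest of the patch.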
diff -ruNp a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
--- a/net/bridge/netfilter/Makefile 2008-04-20 16:22:24.000000000 -0700
+++ b/net/bridge/netfilter/Makefile 2008-04-20 17:39:21.000000000 -0700
@@ -14,6 +14,7 @@ obj-$(CONFIG_BRIDGE_EBT_802_3) += ebt_80
obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o
obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o
obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
+obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip6.o
obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o
obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
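Review bot: the added line keys ebt_ip6.o on CONFIG_BRIDGE_EBT_IP, not on the CONFIG_BRIDGE_EBT_IP6 symbol that the Kconfig hunk introduces. As written, the IPv6 match is built whenever the IPv4 match is selected and the new Kconfig option has no effect on the build. It should read `obj-$(CONFIG_BRIDGE_EBT_IP6) += ebt_ip6.o`, as the previous posting of this patch had it.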
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [Ebtables-devel] [PATCH 2/2] Add IPv6 support
2008-04-21 4:50 ` [Ebtables-devel] " Tseng, Kuo-Lang
@ 2008-04-21 14:41 ` Patrick McHardy
0 siblings, 0 replies; 16+ messages in thread
From: Patrick McHardy @ 2008-04-21 14:41 UTC (permalink / raw)
To: Tseng, Kuo-Lang; +Cc: netfilter-devel, Bart De Schuymer, ebtables-devel
[-- Attachment #1: Type: text/plain, Size: 344 bytes --]
Tseng, Kuo-Lang wrote:
> Please try out the updated patch. It has fixed the coding style errors
> and added protocol checks for UDPLITE, and shared the TCP/UDP/.. logging
> part.
Thanks. Unfortunately you've missed the networking merge window by
a few days. I've queued your patch for 2.6.27 with the attached
whitespace and sparse fixes.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2645 bytes --]
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 7fc44ae..36efb3a 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -7,7 +7,7 @@
* Jan Engelhardt <jengelh@computergmbh.de>
*
* Summary:
- * This is just a modification of the IPv4 code written by
+ * This is just a modification of the IPv4 code written by
* Bart De Schuymer <bdschuym@pandora.be>
* with the changes required to support IPv6
*
@@ -23,8 +23,8 @@
#include <net/dsfield.h>
struct tcpudphdr {
- uint16_t src;
- uint16_t dst;
+ __be16 src;
+ __be16 dst;
};
static int ebt_filter_ip6(const struct sk_buff *skb,
@@ -47,14 +47,14 @@ static int ebt_filter_ip6(const struct sk_buff *skb,
FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
return EBT_NOMATCH;
for (i = 0; i < 4; i++)
- tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
+ tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
info->smsk.in6_u.u6_addr32[i];
if (info->bitmask & EBT_IP6_SOURCE &&
- FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
+ FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
EBT_IP6_SOURCE))
return EBT_NOMATCH;
for (i = 0; i < 4; i++)
- tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
+ tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
info->dmsk.in6_u.u6_addr32[i];
if (info->bitmask & EBT_IP6_DEST &&
FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
@@ -71,7 +71,7 @@ static int ebt_filter_ip6(const struct sk_buff *skb,
if (!(info->bitmask & EBT_IP6_DPORT) &&
!(info->bitmask & EBT_IP6_SPORT))
return EBT_MATCH;
- pptr = skb_header_pointer(skb, offset_ph, sizeof(_ports),
+ pptr = skb_header_pointer(skb, offset_ph, sizeof(_ports),
&_ports);
if (pptr == NULL)
return EBT_NOMATCH;
@@ -84,7 +84,7 @@ static int ebt_filter_ip6(const struct sk_buff *skb,
if (info->bitmask & EBT_IP6_SPORT) {
u32 src = ntohs(pptr->src);
if (FWINV(src < info->sport[0] ||
- src > info->sport[1], EBT_IP6_SPORT))
+ src > info->sport[1], EBT_IP6_SPORT))
return EBT_NOMATCH;
}
return EBT_MATCH;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index ba132e5..c883ec8 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -124,7 +124,7 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum,
}
if ((bitmask & EBT_LOG_IP6) && eth_hdr(skb)->h_proto ==
- htons(ETH_P_IPV6)){
+ htons(ETH_P_IPV6)) {
const struct ipv6hdr *ih;
struct ipv6hdr _iph;
uint8_t nexthdr;
^ permalink raw reply related [flat|nested] 16+ messages in thread