From: Justin Kamerman <justin@kaleco.net>
To: Elmar Stellnberger <estellnb@gmail.com>
Cc: Nicola Padovano <nicola.padovano@gmail.com>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: write a new simple target for netfilter
Date: Mon, 30 Aug 2010 15:30:35 -0300
Message-ID: <4C7BF8CB.9080700@kaleco.net>
In-Reply-To: <AANLkTikAwPd81RW7-ajL24wh2W-KwmF073zHLYJDoaaK@mail.gmail.com>

Although it probably is technically possible, I think you're better off
filtering with matches and actioning with targets. See the iptables
owner match module for filtering on uid and/or gid.

Regards,
Justin Kamerman

On 10-08-30 02:51 PM, Elmar Stellnberger wrote:
> Would it be possible to extend your module so that it only
> drops packages of a certain user or group?
>
> 2010/8/30 Nicola Padovano <nicola.padovano@gmail.com>:
>
>> Hi all!
>> I've written the following (dummy) module that drops all packets...
>> but... now? After I write the module, can I use it?
>> For example, I want to type:
>> iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
>> but I don't know how to create this new target...
>> I've modified the netfilter Makefile and Kbuild file (in net/netfilter),
>> and then I've done 'make' 'make modules' 'make modules_install', but
>> after I type iptables I get this message:
>>
>> "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.so: cannot open shared object file: No such file or directory"
>>
>> What's my problem?
>>
>>
>> code:
>> #include <linux/module.h>
>> #include <linux/skbuff.h>
>> #include <linux/netfilter_ipv4/ip_tables.h>
>> #include <linux/kernel.h>
>> #include <linux/netfilter.h>
>> #include <linux/netfilter_ipv4.h>
>> #include <linux/netfilter/x_tables.h>
>>
>> static unsigned int xt_tar_target(unsigned int hook,
>> 				  struct sk_buff **skb,
>> 				  const struct net_device *in,
>> 				  const struct net_device *out,
>> 				  int (*okfn)(struct sk_buff*))
>> {
>> 	printk(KERN_INFO "ciaociao");
>> 	return NF_DROP;
>> }
>>
>> static struct xt_target xt_tar_reg = {
>> 	.name = "TAR",
>> 	.family = AF_INET,
>> 	.proto = IPPROTO_TCP,
>> 	.target = xt_tar_target,
>> 	.me = THIS_MODULE,
>> };
>>
>> static int __init xt_tar_init(void)
>> {
>> 	return xt_register_target(&xt_tar_reg);
>> }
>>
>> static void __exit xt_tar_exit(void)
>> {
>> 	xt_unregister_target(&xt_tar_reg);
>> }
>>
>> module_init(xt_tar_init);
>> module_exit(xt_tar_exit);
>>
>> MODULE_DESCRIPTION("np des");
>> MODULE_LICENSE("GPL");
>> MODULE_ALIAS("xt_TAR");
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
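
The suggestion in the reply above (select packets with the owner match, act on them with a stock target) sketched as an added example; it is not code from the thread or from the netfilter project. The helper names `owner_drop_rule` and `owner_drop_ruleset` and the ids 1000 and 2000 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-user/per-group drop rules built
# from the owner match plus the stock DROP target, in iptables-restore format.

# owner_drop_rule CHAIN KIND ID   (hypothetical helper name)
#   CHAIN  OUTPUT or POSTROUTING: the owner match is only valid there, since
#          only locally generated packets have an owning socket
#   KIND   uid or gid
#   ID     numeric id
owner_drop_rule() {
    case $1 in
        OUTPUT|POSTROUTING) ;;
        *) echo "owner match is not valid in chain '$1'" >&2; return 1 ;;
    esac
    case $2 in
        uid|gid) ;;
        *) echo "kind must be uid or gid, got '$2'" >&2; return 1 ;;
    esac
    case $3 in
        ''|*[!0-9]*) echo "id must be numeric, got '$3'" >&2; return 1 ;;
    esac
    printf '%s\n' "-A $1 -m owner --$2-owner $3 -j DROP"
}

# owner_drop_ruleset SPEC...   where SPEC is uid:N or gid:N
# Prints a filter-table fragment (OUTPUT chain) for "iptables-restore --noflush".
owner_drop_ruleset() {
    rules=
    for spec in "$@"; do
        line=$(owner_drop_rule OUTPUT "${spec%%:*}" "${spec#*:}") || return 1
        rules="$rules$line
"
    done
    printf '*filter\n%sCOMMIT\n' "$rules"
}

# Constructed sample ids: uid 1000 and gid 2000.
owner_drop_ruleset uid:1000 gid:2000
```

The printed fragment can be piped to `iptables-restore --noflush` as root. A chain such as INPUT, as used in the quoted command, is rejected because the owner match has no socket owner to inspect there.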