* write a new simple target for netfilter
@ 2010-08-30 13:22 Nicola Padovano
  2010-08-30 13:25 ` Nicola Padovano
  2010-08-30 17:51 ` Elmar Stellnberger
  0 siblings, 2 replies; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 13:22 UTC (permalink / raw)
  To: netfilter-devel

Hi all!
I've written the following (dummy) module that drops all packets...
but now what? After writing the module, can I use it?
For example, I want to type:
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
but I don't know how to create this new target...
I've modified the netfilter Makefile and Kbuild file (in net/netfilter),
and then I ran 'make', 'make modules' and 'make modules_install', but
after I type the iptables command I get this message:

"iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.so:
cannot open shared object file: No such file or directory"

What's my problem?


code:
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h>

static unsigned int xt_tar_target(unsigned int hook,
                                                 struct sk_buff **skb,
                                                 const struct net_device *in,
                                                 const struct net_device *out,
                                                 int (*okfn)(struct sk_buff*))
{
    printk(KERN_INFO "ciaociao");
    return NF_DROP;
}

static struct xt_target xt_tar_reg = {
    .name       = "TAR",
    .family     = AF_INET,
    .proto      = IPPROTO_TCP,
    .target     = xt_tar_target,
    .me         = THIS_MODULE,
};

static int __init xt_tar_init(void)
{
    return xt_register_target(&xt_tar_reg);
}

static void __exit xt_tar_exit(void)
{
    xt_unregister_target(&xt_tar_reg);
}

module_init(xt_tar_init);
module_exit(xt_tar_exit);

MODULE_DESCRIPTION("np des");
MODULE_LICENSE("GPL");
MODULE_ALIAS("xt_TAR");


* Re: write a new simple target for netfilter
  2010-08-30 13:22 write a new simple target for netfilter Nicola Padovano
@ 2010-08-30 13:25 ` Nicola Padovano
  2010-08-30 13:34   ` Luciano Coelho
  2010-08-30 13:57   ` Justin Kamerman
  2010-08-30 17:51 ` Elmar Stellnberger
  1 sibling, 2 replies; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 13:25 UTC (permalink / raw)
  To: netfilter-devel

I made an error; the iptables line is:
 iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR

On Mon, Aug 30, 2010 at 3:22 PM, Nicola Padovano
<nicola.padovano@gmail.com> wrote:
> Hi all!
> I've write the following  (and dummy) module that drops all packet...
> but...now? after i write the module i can use it?
> for example: i want digit:
> iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
> but i don't know how create this new target...
> I've modified the netfilter makefile e Kbuild file (in net/netfilter),
> and then i've do 'make' 'make modules' 'make modules_install' but
> after i digit iptables i have this message
>
> "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.
> so: cannot open shared object file: No such file or directory"
>
> what's my problem?
>
>
> code:
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/kernel.h>
> #include <linux/netfilter.h>
> #include <linux/netfilter_ipv4.h>
> #include <linux/netfilter/x_tables.h>
>
> static unsigned int xt_tar_target(unsigned int hook,
>                                                 struct sk_buff **skb,
>                                                 const struct net_device *in,
>                                                 const struct net_device *out,
>                                                 int (*okfn)(struct sk_buff*))
> {
>    printk(KERN_INFO "ciaociao");
>    return NF_DROP;
> }
>
> static struct xt_target xt_tar_reg = {
>    .name       = "TAR",
>    .family     = AF_INET,
>    .proto      = IPPROTO_TCP,
>    .target     = xt_tar_target,
>    .me         = THIS_MODULE,
> };
>
> static int __init xt_tar_init(void)
> {
>    return xt_register_target(&xt_tar_reg);
> }
>
> static void __exit xt_tar_exit(void)
> {
>    xt_unregister_target(&xt_tar_reg);
> }
>
> module_init(xt_tar_init);
> module_exit(xt_tar_exit);
>
> MODULE_DESCRIPTION("np des");
> MODULE_LICENSE("GPL");
> MODULE_ALIAS("xt_TAR");
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: write a new simple target for netfilter
  2010-08-30 13:25 ` Nicola Padovano
@ 2010-08-30 13:34   ` Luciano Coelho
  2010-08-30 13:46     ` Nicola Padovano
  2010-08-30 13:57   ` Justin Kamerman
  1 sibling, 1 reply; 24+ messages in thread
From: Luciano Coelho @ 2010-08-30 13:34 UTC (permalink / raw)
  To: ext Nicola Padovano; +Cc: netfilter-devel

On Mon, 2010-08-30 at 15:25 +0200, ext Nicola Padovano wrote:
> i make an error the iptables line is:
>  iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR
> 
> On Mon, Aug 30, 2010 at 3:22 PM, Nicola Padovano
> <nicola.padovano@gmail.com> wrote:
> > Hi all!
> > I've write the following  (and dummy) module that drops all packet...
> > but...now? after i write the module i can use it?
> > for example: i want digit:
> > iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
> > but i don't know how create this new target...
> > I've modified the netfilter makefile e Kbuild file (in net/netfilter),
> > and then i've do 'make' 'make modules' 'make modules_install' but
> > after i digit iptables i have this message
> >
> > "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.
> > so: cannot open shared object file: No such file or directory"
> >
> > what's my problem?

You need to add support for your new target in the iptables userspace
tool as well.  Check the source code here:

https://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=summary

You need to add a new extension file called extensions/libipt_TAR.c, the
rest should take care of itself ;)

-- 
Cheers,
Luca.



* Re: write a new simple target for netfilter
  2010-08-30 13:34   ` Luciano Coelho
@ 2010-08-30 13:46     ` Nicola Padovano
  2010-08-30 13:53       ` Luciano Coelho
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 13:46 UTC (permalink / raw)
  To: Luciano Coelho; +Cc: netfilter-devel

Thanks Luciano, but I'm a newbie... I don't understand your
explanation... can you help me, please? :)

On Mon, Aug 30, 2010 at 3:34 PM, Luciano Coelho
<luciano.coelho@nokia.com> wrote:
> On Mon, 2010-08-30 at 15:25 +0200, ext Nicola Padovano wrote:
>> i make an error the iptables line is:
>>  iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR
>>
>> On Mon, Aug 30, 2010 at 3:22 PM, Nicola Padovano
>> <nicola.padovano@gmail.com> wrote:
>> > Hi all!
>> > I've write the following  (and dummy) module that drops all packet...
>> > but...now? after i write the module i can use it?
>> > for example: i want digit:
>> > iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
>> > but i don't know how create this new target...
>> > I've modified the netfilter makefile e Kbuild file (in net/netfilter),
>> > and then i've do 'make' 'make modules' 'make modules_install' but
>> > after i digit iptables i have this message
>> >
>> > "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.
>> > so: cannot open shared object file: No such file or directory"
>> >
>> > what's my problem?
>
> You need to add support for your new target in the iptables userspace
> tool as well.  Check the source code here:
>
> https://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=summary
>
> You need to add a new extension file called extensions/libipt_TAR.c, the
> rest should take care of itself ;)
>
> --
> Cheers,
> Luca.
>
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

* Re: write a new simple target for netfilter
  2010-08-30 13:46     ` Nicola Padovano
@ 2010-08-30 13:53       ` Luciano Coelho
  0 siblings, 0 replies; 24+ messages in thread
From: Luciano Coelho @ 2010-08-30 13:53 UTC (permalink / raw)
  To: ext Nicola Padovano; +Cc: netfilter-devel

On Mon, 2010-08-30 at 15:46 +0200, ext Nicola Padovano wrote:
> thanks luciano. but i'm a newbie...i don't understand your
> explanation...can you help me? please :)

Well, I can't help you much more, but you could start by reading Jan and
Nicolas's document here:

http://jengelh.medozas.de/documents/Netfilter_Modules.pdf


-- 
Cheers,
Luca.



* Re: write a new simple target for netfilter
  2010-08-30 13:25 ` Nicola Padovano
  2010-08-30 13:34   ` Luciano Coelho
@ 2010-08-30 13:57   ` Justin Kamerman
  2010-08-30 14:21     ` Nicola Padovano
  1 sibling, 1 reply; 24+ messages in thread
From: Justin Kamerman @ 2010-08-30 13:57 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel

Nicola,
iptables is complaining because it can't locate the userspace companion
to your netfilter module. The userspace companion tells iptables which
kernel module to load and parses command line options before they are
passed to the kernel module. The module_install target takes care of the
kernel module but you also need a userspace helper installed to 
/lib/xtables. If building standalone (as opposed to using the
Xtables-addons framework) you could use a makefile rule like:

libs_install:
        cp -f libxt_ipaddr.so /lib/xtables

Regards,
Justin Kamerman

On 10-08-30 10:25 AM, Nicola Padovano wrote:
> -s 127.0.0.1 -p icmp -j DROP
> > but i don't know how create this new target...
> > I've modified the netfilter makefile e Kbuild file (in net/netfilter)


* Re: write a new simple target for netfilter
  2010-08-30 13:57   ` Justin Kamerman
@ 2010-08-30 14:21     ` Nicola Padovano
  2010-08-30 14:34       ` Justin Kamerman
  2010-08-30 14:59       ` Jan Engelhardt
  0 siblings, 2 replies; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 14:21 UTC (permalink / raw)
  To: justin; +Cc: netfilter-devel

OK Justin, thank you!
For now I only need a standalone package (to test my code; in the future I
will see how xtables-addons works).
But (there is always a "but") the problem, Justin, isn't copying
libxt_foo.so to /lib/xtables, it is creating this library.
As I said before, when I compile the module I don't get any
libxt_foo.so file. So, how can I create it?

Sorry for my ignorance, I started with kernel programming only a few days ago.

Thanks!

On Mon, Aug 30, 2010 at 3:57 PM, Justin Kamerman <justin@kaleco.net> wrote:
> Nicola,
> iptables is complaining because it can't locate the userspace companion
> to your netfilter module. The userspace companion tells iptables which
> kernel module to load and parses command line options before they are
> passed to the kernel module. The module_install target takes care of the
> kernel module but you also need a userspace helper installed to
> /lib/xtables. If building standalone (as opposed to using the
> Xtables-addons framework) you could use a maekfile rule like:
>
> libs_install:
>        cp -f libxt_ipaddr.so /lib/xtables
>
> Regards,
> Justin Kamerman
>
> On 10-08-30 10:25 AM, Nicola Padovano wrote:
>> -s 127.0.0.1 -p icmp -j DROP
>> > but i don't know how create this new target...
>> > I've modified the netfilter makefile e Kbuild file (in net/netfilter)



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

* Re: write a new simple target for netfilter
  2010-08-30 14:21     ` Nicola Padovano
@ 2010-08-30 14:34       ` Justin Kamerman
  2010-08-30 14:59       ` Jan Engelhardt
  1 sibling, 0 replies; 24+ messages in thread
From: Justin Kamerman @ 2010-08-30 14:34 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 1906 bytes --]

Nicola,
attached is the sample code from the "Writing Netfilter modules"
tutorial. It builds and installs a filter module ipaddr for the running
kernel:

make all install

Hope this helps.

Regards,
Justin Kamerman

On 10-08-30 11:21 AM, Nicola Padovano wrote:
> ok justin thank you!
> for now I only need standalone package (to test my code, in future i
> will see how xtables-addons works).
> but (there is always a "but")  the problem, justin, isn't the copy of
> libxt_foo.so in /lib/xtables, but it is the creation of this library.
> as i said before, when i compile the module i don't have no
> lixt_foo.so file. So, how i can create it?
>
> sorry for my ignorance, i've started with kernel programming only a few day ago.
>
> thanks!
>
> On Mon, Aug 30, 2010 at 3:57 PM, Justin Kamerman <justin@kaleco.net> wrote:
>   
>> Nicola,
>> iptables is complaining because it can't locate the userspace companion
>> to your netfilter module. The userspace companion tells iptables which
>> kernel module to load and parses command line options before they are
>> passed to the kernel module. The module_install target takes care of the
>> kernel module but you also need a userspace helper installed to
>> /lib/xtables. If building standalone (as opposed to using the
>> Xtables-addons framework) you could use a maekfile rule like:
>>
>> libs_install:
>>        cp -f libxt_ipaddr.so /lib/xtables
>>
>> Regards,
>> Justin Kamerman
>>
>> On 10-08-30 10:25 AM, Nicola Padovano wrote:
>>     
>>> -s 127.0.0.1 -p icmp -j DROP
>>>       
>>>> but i don't know how create this new target...
>>>> I've modified the netfilter makefile e Kbuild file (in net/netfilter)
>>>>         

[-- Attachment #2: libxt_ipaddr.c --]
[-- Type: text/x-csrc, Size: 6767 bytes --]

/* Shared library add-on to iptables to add ipaddr support. */

#include <stdio.h>
#include <getopt.h>
#include <string.h>
#include <arpa/inet.h>
#include <xtables.h>
#include "xt_ipaddr.h"


/**
 * If we have a rule we want to save, iptables provides the tool
 * iptables-save which dumps all your rules. It needs your extension's
 * help to interpret struct xt_ipaddr_mtinfo's contents and dump
 * proper rules. The output that is produced must be options that can
 * be passed to iptables 
*/
static void ipaddr_mt4_save (const void *entry, const struct xt_entry_match *match)
{
    const struct xt_ipaddr_mtinfo *info = (const void *) match->data;

    /* Print the source address if it is part of the rule */
    if (info->flags & XT_IPADDR_SRC)
    {
        if (info->flags & XT_IPADDR_SRC_INV)
            printf ("! ");

        printf ("--ipsrc %s ", xtables_ipaddr_to_numeric (&info->src.in));
    }

    /* Print the destination address if it is part of the rule */
    if (info->flags & XT_IPADDR_DST)
    {
        if (info->flags & XT_IPADDR_DST_INV)
            printf ("! ");

        printf ("--ipdst %s ", xtables_ipaddr_to_numeric (&info->dst.in));
    }
}


/**
 * In the same philosophy as the save function, this function aims to
 * print information about the rule. It is called by iptables -L, and
 * you are free to output whatever you want and how you want. 
*/
static void ipaddr_mt4_print (const void *entry, 
                              const struct xt_entry_match *match, 
                              int numeric)
{
    const struct xt_ipaddr_mtinfo *info = (const void *) match->data;

    /* Print the source address if it is part of the rule */
    if (info->flags & XT_IPADDR_SRC)
    {
        printf ("src IP ");
        if (info->flags & XT_IPADDR_SRC_INV)
            printf ("! ");
        
        printf ("%s ", numeric ? 
                xtables_ipaddr_to_numeric (&info->src.in) :
                xtables_ipaddr_to_anyname (&info->src.in));
    }

    /* Print the destination address if it is part of the rule */
    if (info->flags & XT_IPADDR_DST)
    {
        printf ("dst IP ");
        if (info->flags & XT_IPADDR_DST_INV)
            printf ("! ");

        printf ("%s ", numeric ?
                xtables_ipaddr_to_numeric (&info->dst.in) :
                xtables_ipaddr_to_anyname (&info->dst.in));
    }
}


/**
 * This function verifies that arguments are used correctly and sets
 * information we will share with the kernel part. It is called each
 * time an option is found, so if the user provides two options, it
 * will be called twice with the argument code provided in the
 * variable c. The argument code for a specific option is set in the
 * option table. 
*/
static int ipaddr_mt4_parse (int c, 
                             char **argv, 
                             int invert, 
                             unsigned int *flags, 
                             const void *entry, 
                             struct xt_entry_match **match)
{
    struct xt_ipaddr_mtinfo *info = (void *) (*match)->data;
    struct in_addr *addrs, mask;
    unsigned int naddr;

    switch (c)
    {
    case '1': /* --ipsrc */
        if (*flags & XT_IPADDR_SRC)
            xtables_error (PARAMETER_PROBLEM,
                           "xt_ipaddr: Only use \"--ipsrc\" once!");
        *flags |= XT_IPADDR_SRC;
        info->flags |= XT_IPADDR_SRC;
        if (invert)
            info->flags |= XT_IPADDR_SRC_INV;
        xtables_ipparse_any (optarg, &addrs, &mask, &naddr);
        if (naddr != 1)
            xtables_error (PARAMETER_PROBLEM, 
                           "%s does not resolve to exactly one address",
                           optarg);
        /* copy the single address */
        memcpy (&info->src.in, addrs, sizeof (*addrs));
        return true;

    case '2': /* --ipdst */
        if (*flags & XT_IPADDR_DST)
            xtables_error (PARAMETER_PROBLEM,
                           "xt_ipaddr: Only use \"--ipdst\" once!");
        *flags |= XT_IPADDR_DST;
        info->flags |= XT_IPADDR_DST;        
        if (invert)
            info->flags |= XT_IPADDR_DST_INV;
        xtables_ipparse_any (optarg, &addrs, &mask, &naddr);
        if (naddr != 1)
            xtables_error (PARAMETER_PROBLEM, 
                           "%s does not resolve to exactly one address",
                           optarg);
        /* copy the single address */
        memcpy (&info->dst.in, addrs, sizeof (*addrs));
        return true;
    }   
    
    return false;
}


/**
 * This function is a last chance for a sanity check. It is called
 * when the user enters a new rule, right after argument parsing is
 * done and flags is filled with whatever values you chose to assign
 * to it in your parse function.
 */
static void ipaddr_mt_check (unsigned int flags)
{
    if ( flags == 0 )
        xtables_error (PARAMETER_PROBLEM, 
                       "xt_ipaddr: You need to specify at least "
                       "\"--ipsrc\" or \"--ipdst\".");
}
    

/**
 * The init function can be used to populate our xt_ipaddr_mtinfo
 * structure with defaults before parse is called
*/
static void ipaddr_mt_init (struct xt_entry_match *match)
{
    struct xt_ipaddr_mtinfo *info = (void *) match->data;
    
    /* This default destination address will never actually be used as
     * the parser will not accept a --ipdst without an argument */
    inet_pton (PF_INET, "192.0.2.137", &info->dst.in);
}


/**
 * This function is called by iptables -m match_name -h. It should
 * give an overview of the available options and a very brief short
 * description.
*/
static void ipaddr_mt_help (void)
{
    printf ("ipaddr match options:\n"
            "[!] --ipsrc addr    Match source address of packet\n"
            "[!] --ipdst addr    Match destination address of packet\n");
}
                   

static const struct  option ipaddr_mt_opts[] =
{
    { .name = "ipsrc", .has_arg = true, .val = '1' },
    { .name = "ipdst", .has_arg = true, .val = '2' },
    { NULL },
};


static struct xtables_match ipaddr_mt4_reg = 
{
    .version            = XTABLES_VERSION,
    .name               = "ipaddr",
    .revision           = 0,
    .family             = NFPROTO_IPV4,
    .size               = XT_ALIGN (sizeof (struct xt_ipaddr_mtinfo)),
    .userspacesize      = XT_ALIGN (sizeof (struct xt_ipaddr_mtinfo)),
    .help               = ipaddr_mt_help,
    .init               = ipaddr_mt_init,
    .parse              = ipaddr_mt4_parse,
    .final_check        = ipaddr_mt_check,
    .print              = ipaddr_mt4_print,
    .save               = ipaddr_mt4_save,
    .extra_opts         = ipaddr_mt_opts,
};


void _init (void)
{
    xtables_register_match (&ipaddr_mt4_reg);
}
    



[-- Attachment #3: Makefile --]
[-- Type: text/plain, Size: 827 bytes --]

# If KERNELRELEASE is defined then we have been called from the
# kernel build system and can use its language.
ifneq ($(KERNELRELEASE),)
	obj-m := xt_ipaddr.o

# Otherwise we were called directly from the command line; invoke the
# kernel build system.
else

MODULES_DIR := /lib/modules/$(shell uname -r)
KERNELDIR := $(MODULES_DIR)/build
# -fPIC: objects linked into libxt_ipaddr.so must be position-independent
CFLAGS = -O2 -Wall -fPIC


.PHONY: all modules install modules_install libs_install clean

all: modules libxt_ipaddr.so

modules:
	$(MAKE) -C $(KERNELDIR) M=$$PWD $@

install: modules_install libs_install

modules_install:
	$(MAKE) -C $(KERNELDIR) M=$$PWD $@

libs_install:
		cp -f libxt_ipaddr.so /lib/xtables

clean:
	$(RM) *.so
	$(MAKE) -C $(KERNELDIR) M=$$PWD $@

# Pattern rules
lib%.so: lib%.o
	gcc -shared -o $@ $^;

lib%.o: lib%.c
	gcc ${CFLAGS} -D_INIT=lib$*_init -c -o $@ $<;

endif

[-- Attachment #4: xt_ipaddr.c --]
[-- Type: text/x-csrc, Size: 4504 bytes --]

#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/skbuff.h>
#include "xt_ipaddr.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Justin Kamerman <justin@kaleco.net>");
MODULE_DESCRIPTION("Xtables: match source/destination address");
MODULE_ALIAS("ipt_ipaddr");


/**
 * the match function
 */
static bool ipaddr_mt (const struct sk_buff *skb, 
                       const struct xt_match_param *par) 
{
    struct tcphdr _tcph;
    const struct tcphdr *th;
    const struct xt_ipaddr_mtinfo *info;
    const struct iphdr *iph;

    /* Sanity check: if we don't have the whole header, drop packet. */
    th = skb_header_pointer (skb, par->thoff, sizeof (_tcph), &_tcph);
    if (th == NULL)
    {
        *par->hotdrop = true;
        return false;
    }

    /* Get a handle to data block copied from userspace i.e. match parameters */
    info = par->matchinfo;

    /* Get handle to IPv4 header from packet - can use ip_hdr()
     * because this match family is NFPROTO_IPV4; lower level
     * extension families must use skb_header_pointer() */
    iph = ip_hdr (skb);

    printk (KERN_INFO
            "xt_ipaddr: IN=%s OUT=%s "
            "SRC=" NIPQUAD_FMT " DST=" NIPQUAD_FMT " "
            "IPSRC=" NIPQUAD_FMT " IPDST=" NIPQUAD_FMT "\n",
            (par->in != NULL) ? par->in->name : "",
            (par->out != NULL) ? par->out->name : "",
            NIPQUAD (iph->saddr),
            NIPQUAD (iph->daddr),
            NIPQUAD (info->src),
            NIPQUAD (info->dst));

    /* If the XT_IPADDR_SRC flag has been set, we check whether the
     * source address matches the one specified in the rule. If it
     * does not match, the whole rule will not match so we can already
     * return false here. */
    if (info->flags & XT_IPADDR_SRC)
    {
        if ((iph->saddr != info->src.ip) ^ !!(info->flags & XT_IPADDR_SRC_INV))
        {
            printk (KERN_NOTICE "src IP - no match\n");
            return false;
        }
    }

    /* Here we do the same except we look for the destination address
     * if XT_IPADDR_DST has been set */
    if (info->flags & XT_IPADDR_DST)
    {
        if ((iph->daddr != info->dst.ip) ^ !!(info->flags & XT_IPADDR_DST_INV))
        {
            printk (KERN_NOTICE "dst IP - no match\n");
            return false;
        }
    }

    return true;
}


/**
 * function to check for validity of parameters in our struct and load
 * additional modules required to perform the match.
 */
static bool ipaddr_mt_check (const struct xt_mtchk_param *par)
{
    const struct xt_ipaddr_mtinfo *info = par->matchinfo;

    printk (KERN_INFO "xt_ipaddr: Added a rule with -m ipaddr in "
            "the %s table; this rule is reachable through "
            "hooks 0x%x\n",
            par->table,
            par->hook_mask);

    /* No flags set */
    if (!(info->flags & (XT_IPADDR_SRC | XT_IPADDR_DST)))
    {
        printk (KERN_INFO "xt_ipaddr: testing for nothing\n");
        return false;
    }

    /* Special test just because we can */
    if (ntohl (info->src.ip) == 0xDEADBEEF)
    {
        printk (KERN_INFO "xt_ipaddr: I just thought I do not "
                "want to let you match on 222.173.190.239\n");
        return false;
    }

    return true;
}


/**
 * function to call when rule is deleted to free any reserved space
 * and/or drop additional modules reference counts so they can be
 * unloaded if desired.
 */
static void ipaddr_mt_destroy (const struct xt_mtdtor_param *par)
{
    const struct xt_ipaddr_mtinfo *info = par->matchinfo;
    printk (KERN_INFO "Test for address %08X removed\n" , info->src.ip);
}


/**
 * structure containing all match metadata such as name and function pointer table.
 */
static struct xt_match ipaddr_mt4_reg __read_mostly = 
{
    .name       = "ipaddr",
    .revision   = 0,
    .family     = NFPROTO_IPV4,
    .match      = ipaddr_mt,
    .checkentry = ipaddr_mt_check,
    .destroy    = ipaddr_mt_destroy,
    .matchsize  = XT_ALIGN (sizeof (struct xt_ipaddr_mtinfo)),
    .me         = THIS_MODULE,
};


/**
 * function called on module loading
 */
static int __init ipaddr_mt_init (void)
{
    return xt_register_match (&ipaddr_mt4_reg);
}


/**
 * function called on module unloading
 */
static void __exit ipaddr_mt_exit (void)
{
    xt_unregister_match (&ipaddr_mt4_reg);
}

module_init (ipaddr_mt_init);
module_exit (ipaddr_mt_exit);

[-- Attachment #5: xt_ipaddr.h --]
[-- Type: text/x-chdr, Size: 347 bytes --]

#ifndef _LINUX_NETFILTER_XT_IPADDR_H
#define _LINUX_NETFILTER_XT_IPADDR_H 1

enum 
{
    XT_IPADDR_SRC       = 1 << 0,
    XT_IPADDR_DST       = 1 << 1,
    XT_IPADDR_SRC_INV   = 1 << 2,
    XT_IPADDR_DST_INV   = 1 << 3,
};


struct xt_ipaddr_mtinfo
{
    union nf_inet_addr src, dst;
    __u8 flags;
};

#endif /* _LINUX_NETFILTER_XT_IPADDR_H */


* Re: write a new simple target for netfilter
  2010-08-30 14:21     ` Nicola Padovano
  2010-08-30 14:34       ` Justin Kamerman
@ 2010-08-30 14:59       ` Jan Engelhardt
  2010-08-30 15:15         ` Nicola Padovano
  2010-08-30 18:35         ` Nicola Padovano
  1 sibling, 2 replies; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 14:59 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: justin, netfilter-devel

On Monday 2010-08-30 16:21, Nicola Padovano wrote:

>ok justin thank you!
>for now I only need standalone package (to test my code, in future i
>will see how xtables-addons works).
>but (there is always a "but")  the problem, justin, isn't the copy of
>libxt_foo.so in /lib/xtables, but it is the creation of this library.
>as i said before, when i compile the module i don't have no
>lixt_foo.so file. So, how i can create it?

It's all in the 'Writing Netfilter Modules' PDF. You just need to read 
it...


* Re: write a new simple target for netfilter
  2010-08-30 14:59       ` Jan Engelhardt
@ 2010-08-30 15:15         ` Nicola Padovano
  2010-08-30 18:35         ` Nicola Padovano
  1 sibling, 0 replies; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 15:15 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: justin, netfilter-devel

Jan, it's ok now...i've found the complete version of your book!!!
now i just read it.
thank you!

On Mon, Aug 30, 2010 at 4:59 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2010-08-30 16:21, Nicola Padovano wrote:
>
>>ok justin thank you!
>>for now I only need standalone package (to test my code, in future i
>>will see how xtables-addons works).
>>but (there is always a "but")  the problem, justin, isn't the copy of
>>libxt_foo.so in /lib/xtables, but it is the creation of this library.
>>as i said before, when i compile the module i don't have no
>>lixt_foo.so file. So, how i can create it?
>
> It's all in the 'Writing Netfilter Modules' PDF. You just need to read
> it...
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

* Re: write a new simple target for netfilter
  2010-08-30 13:22 write a new simple target for netfilter Nicola Padovano
  2010-08-30 13:25 ` Nicola Padovano
@ 2010-08-30 17:51 ` Elmar Stellnberger
  2010-08-30 18:30   ` Justin Kamerman
  2010-08-30 18:34   ` Jan Engelhardt
  1 sibling, 2 replies; 24+ messages in thread
From: Elmar Stellnberger @ 2010-08-30 17:51 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel

Would it be possible to extend your module so that it only
drops packages of a certain user or group?

2010/8/30 Nicola Padovano <nicola.padovano@gmail.com>:
> Hi all!
> I've write the following  (and dummy) module that drops all packet...
> but...now? after i write the module i can use it?
> for example: i want digit:
> iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
> but i don't know how create this new target...
> I've modified the netfilter makefile e Kbuild file (in net/netfilter),
> and then i've do 'make' 'make modules' 'make modules_install' but
> after i digit iptables i have this message
>
> "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.
> so: cannot open shared object file: No such file or directory"
>
> what's my problem?
>
>
> code:
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/kernel.h>
> #include <linux/netfilter.h>
> #include <linux/netfilter_ipv4.h>
> #include <linux/netfilter/x_tables.h>
>
> static unsigned int xt_tar_target(unsigned int hook,
>                                                 struct sk_buff **skb,
>                                                 const struct net_device *in,
>                                                 const struct net_device *out,
>                                                 int (*okfn)(struct sk_buff*))
> {
>    printk(KERN_INFO "ciaociao");
>    return NF_DROP;
> }
>
> static struct xt_target xt_tar_reg = {
>    .name       = "TAR",
>    .family     = AF_INET,
>    .proto      = IPPROTO_TCP,
>    .target     = xt_tar_target,
>    .me         = THIS_MODULE,
> };
>
> static int __init xt_tar_init(void)
> {
>    return xt_register_target(&xt_tar_reg);
> }
>
> static void __exit xt_tar_exit(void)
> {
>    xt_unregister_target(&xt_tar_reg);
> }
>
> module_init(xt_tar_init);
> module_exit(xt_tar_exit);
>
> MODULE_DESCRIPTION("np des");
> MODULE_LICENSE("GPL");
> MODULE_ALIAS("xt_TAR");

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 17:51 ` Elmar Stellnberger
@ 2010-08-30 18:30   ` Justin Kamerman
  2010-08-30 18:34   ` Jan Engelhardt
  1 sibling, 0 replies; 24+ messages in thread
From: Justin Kamerman @ 2010-08-30 18:30 UTC (permalink / raw)
  To: Elmar Stellnberger; +Cc: Nicola Padovano, netfilter-devel

Although it probably is technically possible, I think you're better off
filtering with matches and actioning with targets. See the iptables
owner match module for filtering on uid and/or gid.

Regards,
Justin Kamerman

On 10-08-30 02:51 PM, Elmar Stellnberger wrote:
> Would it be possible to extend your module so that it only
> drops packages of a certain user or group?
>
> 2010/8/30 Nicola Padovano <nicola.padovano@gmail.com>:
>   
>> Hi all!
>> I've write the following  (and dummy) module that drops all packet...
>> but...now? after i write the module i can use it?
>> for example: i want digit:
>> iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
>> but i don't know how create this new target...
>> I've modified the netfilter makefile e Kbuild file (in net/netfilter),
>> and then i've do 'make' 'make modules' 'make modules_install' but
>> after i digit iptables i have this message
>>
>> "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.
>> so: cannot open shared object file: No such file or directory"
>>
>> what's my problem?
>>
>>
>> code:
>> #include <linux/module.h>
>> #include <linux/skbuff.h>
>> #include <linux/netfilter_ipv4/ip_tables.h>
>> #include <linux/kernel.h>
>> #include <linux/netfilter.h>
>> #include <linux/netfilter_ipv4.h>
>> #include <linux/netfilter/x_tables.h>
>>
>> static unsigned int xt_tar_target(unsigned int hook,
>>                                                 struct sk_buff **skb,
>>                                                 const struct net_device *in,
>>                                                 const struct net_device *out,
>>                                                 int (*okfn)(struct sk_buff*))
>> {
>>    printk(KERN_INFO "ciaociao");
>>    return NF_DROP;
>> }
>>
>> static struct xt_target xt_tar_reg = {
>>    .name       = "TAR",
>>    .family     = AF_INET,
>>    .proto      = IPPROTO_TCP,
>>    .target     = xt_tar_target,
>>    .me         = THIS_MODULE,
>> };
>>
>> static int __init xt_tar_init(void)
>> {
>>    return xt_register_target(&xt_tar_reg);
>> }
>>
>> static void __exit xt_tar_exit(void)
>> {
>>    xt_unregister_target(&xt_tar_reg);
>> }
>>
>> module_init(xt_tar_init);
>> module_exit(xt_tar_exit);
>>
>> MODULE_DESCRIPTION("np des");
>> MODULE_LICENSE("GPL");
>> MODULE_ALIAS("xt_TAR");

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 17:51 ` Elmar Stellnberger
  2010-08-30 18:30   ` Justin Kamerman
@ 2010-08-30 18:34   ` Jan Engelhardt
  1 sibling, 0 replies; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 18:34 UTC (permalink / raw)
  To: Elmar Stellnberger; +Cc: Nicola Padovano, netfilter-devel

On Monday 2010-08-30 19:51, Elmar Stellnberger wrote:

>Would it be possible to extend your module so that it only
>drops packages of a certain user or group?

Your desire to have this kind of feature seems overwhelming, but if such 
were possible in general, it would have been long done already.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 14:59       ` Jan Engelhardt
  2010-08-30 15:15         ` Nicola Padovano
@ 2010-08-30 18:35         ` Nicola Padovano
  2010-08-30 18:45           ` Jan Engelhardt
  1 sibling, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 18:35 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: justin, netfilter-devel

what's the problem now!?!?
now i have:
- a new target module
- a makefile (like xt_ipaddr example makefile)
- a library .so in /lib/xtables

then i run 'make' and then 'insmod'
but when i type:
iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR
the result is
iptables: Invalid argument
:(

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 18:35         ` Nicola Padovano
@ 2010-08-30 18:45           ` Jan Engelhardt
  2010-08-30 19:00             ` Nicola Padovano
  0 siblings, 1 reply; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 18:45 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: justin, netfilter-devel

On Monday 2010-08-30 20:35, Nicola Padovano wrote:

>what's the problem now!?!?
>now i have:
>- a new target module
>- a makefile (like xt_ipaddr example makefile)
>- a library .so in /lib/xtables
>
>then i do 'make' and then 'insmod'
>but when i digit:
>iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR
>the result is
>iptables: Invalid argument
>:(

Run dmesg and see.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 18:45           ` Jan Engelhardt
@ 2010-08-30 19:00             ` Nicola Padovano
  2010-08-30 19:07               ` Jan Engelhardt
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 19:00 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: justin, netfilter-devel

oh sorry, i forgot the dmesg output

[ 4871.255884] x_tables: ip_tables: TAR target: only valid for protocol 6

On Mon, Aug 30, 2010 at 8:45 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2010-08-30 20:35, Nicola Padovano wrote:
>
>>what's the problem now!?!?
>>now i have:
>>- a new target module
>>- a makefile (like xt_ipaddr example makefile)
>>- a library .so in /lib/xtables
>>
>>then i do 'make' and then 'insmod'
>>but when i digit:
>>iptables -A INPUT -s 127.0.0.1 -p icmp -j TAR
>>the result is
>>iptables: Invalid argument
>>:(
>
> Run dmesg and see.
>
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 19:00             ` Nicola Padovano
@ 2010-08-30 19:07               ` Jan Engelhardt
  2010-08-30 21:47                 ` Nicola Padovano
  0 siblings, 1 reply; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 19:07 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: justin, netfilter-devel

On Monday 2010-08-30 21:00, Nicola Padovano wrote:

>oh sorry, i forget the dmesg output
>
>[ 4871.255884] x_tables: ip_tables: TAR target: only valid for protocol 6

So, you made your module enforce .proto = IPPROTO_TCP, now you also must 
specify -p tcp on iptables.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 19:07               ` Jan Engelhardt
@ 2010-08-30 21:47                 ` Nicola Padovano
  2010-08-30 22:25                   ` Jan Engelhardt
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 21:47 UTC (permalink / raw)
  To: netfilter-devel

i'm sorry...but i've restarted my computer and then i tried to insmod
the module and now i have:
insmod: error inserting './xt_TAR.ko': -1 Unknown symbol in module
with this dmesg result:
[  413.359837] xt_TAR: Unknown symbol xt_register_target (err 0)
[  413.360019] xt_TAR: Unknown symbol xt_unregister_target (err 0)

wtf now? help me, please. i need to sleep. :P

On Mon, Aug 30, 2010 at 9:07 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2010-08-30 21:00, Nicola Padovano wrote:
>
>>oh sorry, i forget the dmesg output
>>
>>[ 4871.255884] x_tables: ip_tables: TAR target: only valid for protocol 6
>
> So, you made your module enforce .proto = IPPROTO_TCP, now you also must
> specify -p tcp on iptables.
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 21:47                 ` Nicola Padovano
@ 2010-08-30 22:25                   ` Jan Engelhardt
  2010-08-30 22:30                     ` Nicola Padovano
  0 siblings, 1 reply; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 22:25 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel

On Monday 2010-08-30 23:47, Nicola Padovano wrote:

>i'm sorry...but i've restarted my computer and then i tried to insmod
>the module and now i have:
>insmod: error inserting './xt_TAR.ko': -1 Unknown symbol in module
>with this dmesg result:
>[  413.359837] xt_TAR: Unknown symbol xt_register_target (err 0)
>[  413.360019] xt_TAR: Unknown symbol xt_unregister_target (err 0)
>
>wtf now? help me, please. i need to sleep. :P


1. Patience
2. Read the PDF about module licenses.
3. ???
4. Profit!

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 22:25                   ` Jan Engelhardt
@ 2010-08-30 22:30                     ` Nicola Padovano
  2010-08-30 23:02                       ` Nicola Padovano
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 22:30 UTC (permalink / raw)
  Cc: netfilter-devel

(in italy it's half past midnight, i've sent the email only to jan, this is it)

jan, sorry for my impatience...but it seems to be a damn non-deterministic problem!
just now, for no reason, i repeated the insmod and i don't get that
error message...

On Tue, Aug 31, 2010 at 12:25 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2010-08-30 23:47, Nicola Padovano wrote:
>
>>i'm sorry...but i've restarted my computer and then i tried to insmod
>>the module and now i have:
>>insmod: error inserting './xt_TAR.ko': -1 Unknown symbol in module
>>with this dmesg result:
>>[  413.359837] xt_TAR: Unknown symbol xt_register_target (err 0)
>>[  413.360019] xt_TAR: Unknown symbol xt_unregister_target (err 0)
>>
>>wtf now? help me, please. i need to sleep. :P
>
>
> 1. Patience
> 2. Read the PDF about module licenses.
> 3. ???
> 4. Profit!
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 22:30                     ` Nicola Padovano
@ 2010-08-30 23:02                       ` Nicola Padovano
  2010-08-30 23:09                         ` Jan Engelhardt
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 23:02 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel

something new:
the things work in this way:

- reboot the machine, so my system is "clear"
- if i do insmod before iptables i get "unknown symbol"
- but if i run iptables first (i get the error message saying that
the target TAR doesn't exist) and then insmod, the insmod works
well!!!

I trust in you...i'm going crazy...

On Tue, Aug 31, 2010 at 12:30 AM, Nicola Padovano
<nicola.padovano@gmail.com> wrote:
> (in italy it's half past midnight, i've sent the email only to jan, this is it)
>
> jan, sorry for my impatience...but it seems a non-deterministic damn problem!
> just now, without a reason, i repeat insmoding and i don't have that
> error message...
>
> On Tue, Aug 31, 2010 at 12:25 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>> On Monday 2010-08-30 23:47, Nicola Padovano wrote:
>>
>>>i'm sorry...but i've restarted my computer and then i tried to insmod
>>>the module and now i have:
>>>insmod: error inserting './xt_TAR.ko': -1 Unknown symbol in module
>>>with this dmesg result:
>>>[  413.359837] xt_TAR: Unknown symbol xt_register_target (err 0)
>>>[  413.360019] xt_TAR: Unknown symbol xt_unregister_target (err 0)
>>>
>>>wtf now? help me, please. i need to sleep. :P
>>
>>
>> 1. Patience
>> 2. Read the PDF about module licenses.
>> 3. ???
>> 4. Profit!
>>
>
>
>
> --
> Nicola Padovano
> e-mail: nicola.padovano@gmail.com
> web: http://npadov.blogspot.com/
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 23:02                       ` Nicola Padovano
@ 2010-08-30 23:09                         ` Jan Engelhardt
  2010-08-30 23:17                           ` Nicola Padovano
  0 siblings, 1 reply; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 23:09 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel, jcm

On Tuesday 2010-08-31 01:02, Nicola Padovano wrote:

>something new:
>the things work in this way:
>
>- reboot the machine, so my system is "clear"
>- if i do insmod before iptables i've "unknown symbol"

insmod does not do automatic symbol resolution like modprobe. modprobe 
on the other hand only looks in /lib/modules/... (That sucks.)

Maybe Jon Masters can do something about this misalignment of features 
in module-init-tools.


>- but if i do first iptables (i've the error message saying that
>doesn't exist the target TAR) and then insmod, the insmod works
>well!!!

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 23:09                         ` Jan Engelhardt
@ 2010-08-30 23:17                           ` Nicola Padovano
  2010-08-30 23:53                             ` Jan Engelhardt
  0 siblings, 1 reply; 24+ messages in thread
From: Nicola Padovano @ 2010-08-30 23:17 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel, jcm

(!!Jan you're a guru!!)

so, how do things work? why are the symbols resolved only when i type
"iptables...." first and then "insmod"?

(this is a great mailing list, i'm learning a lot, thank you very much)

On Tue, Aug 31, 2010 at 1:09 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Tuesday 2010-08-31 01:02, Nicola Padovano wrote:
>
>>something new:
>>the things work in this way:
>>
>>- reboot the machine, so my system is "clear"
>>- if i do insmod before iptables i've "unknown symbol"
>
> insmod does not do automatic symbol resolution like modprobe. modprobe
> on the other hand only looks in /lib/modules/... (That sucks.)
>
> Maybe Jon Masters can do something about this misalignment of features
> in module-init-tools.
>
>
>>- but if i do first iptables (i've the error message saying that
>>doesn't exist the target TAR) and then insmod, the insmod works
>>well!!!
>



-- 
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadov.blogspot.com/

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: write a new simple target for netfilter
  2010-08-30 23:17                           ` Nicola Padovano
@ 2010-08-30 23:53                             ` Jan Engelhardt
  0 siblings, 0 replies; 24+ messages in thread
From: Jan Engelhardt @ 2010-08-30 23:53 UTC (permalink / raw)
  To: Nicola Padovano; +Cc: netfilter-devel, jcm

On Tuesday 2010-08-31 01:17, Nicola Padovano wrote:

>(!!Jan you're a guru!!)
>
>so, how the things work? why only after i digit "iptables...." and
>then "insmod" i've the resolutions of symbol?
>
>(this is a great mailing list, i'm learning a lot, thank you very much)


Xtables modules require the x_tables module to be loaded. Since iptables 
causes autoloading of that and a few others, insmod is possible 
after these have been loaded.

^ permalink raw reply	[flat|nested] 24+ messages in thread
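The two failures diagnosed in this thread (the `.proto` mismatch and the `insmod` dependency on x_tables) can be checked from the shell before loading an out-of-tree target. This is an added example, not code from any poster; the function names `missing_deps` and `diagnose` are hypothetical and the module list is constructed, while the two log lines are the ones quoted above.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# missing_deps DEPENDS LOADED_FILE
#   DEPENDS     comma-separated list, as printed by `modinfo -F depends xt_TAR.ko`
#   LOADED_FILE file in /proc/modules format (module name in column 1)
# Prints the dependencies that are not loaded yet, space-separated.
missing_deps() {
    deps=$1; loaded=$2; out=
    old_ifs=$IFS; IFS=,
    for d in $deps; do
        [ -n "$d" ] || continue
        name=$(printf '%s' "$d" | tr '-' '_')   # the kernel lists names with '_'
        # Exact match on column 1: "ip_tables" must not satisfy "x_tables".
        if ! awk -v m="$name" '$1 == m { f = 1 } END { exit !f }' "$loaded"; then
            out="${out:+$out }$name"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# diagnose LINE: classify one kernel log line of the kinds quoted in the thread.
diagnose() {
    case $1 in
    *"target: only valid for protocol "*)
        num=${1##*protocol }
        case $num in           # IANA protocol numbers
            1) p=icmp ;; 6) p=tcp ;; 17) p=udp ;; *) p=$num ;;
        esac
        printf 'proto-mismatch -p %s' "$p" ;;
    *"Unknown symbol "*)
        sym=${1##*Unknown symbol }
        printf 'unresolved-symbol %s' "${sym%% *}" ;;
    *)
        printf 'unrecognised' ;;
    esac
}

demo() {
    tmp=$(mktemp) || return 1
    # Constructed /proc/modules content: fresh boot, iptables not run yet.
    printf '%s\n' 'ext4 300000 1 - Live 0x0' 'jbd2 60000 1 ext4, Live 0x0' > "$tmp"
    echo "not loaded yet: $(missing_deps 'x_tables' "$tmp")"
    diagnose '[ 4871.255884] x_tables: ip_tables: TAR target: only valid for protocol 6'; echo
    diagnose '[  413.359837] xt_TAR: Unknown symbol xt_register_target (err 0)'; echo
    rm -f "$tmp"
}
demo
```

On a live system, pass `/proc/modules` as the second argument to `missing_deps` and load whatever it prints (for example with `modprobe x_tables`) before running `insmod`.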

end of thread, other threads:[~2010-08-30 23:53 UTC | newest]

Thread overview: 24+ messages
2010-08-30 13:22 write a new simple target for netfilter Nicola Padovano
2010-08-30 13:25 ` Nicola Padovano
2010-08-30 13:34   ` Luciano Coelho
2010-08-30 13:46     ` Nicola Padovano
2010-08-30 13:53       ` Luciano Coelho
2010-08-30 13:57   ` Justin Kamerman
2010-08-30 14:21     ` Nicola Padovano
2010-08-30 14:34       ` Justin Kamerman
2010-08-30 14:59       ` Jan Engelhardt
2010-08-30 15:15         ` Nicola Padovano
2010-08-30 18:35         ` Nicola Padovano
2010-08-30 18:45           ` Jan Engelhardt
2010-08-30 19:00             ` Nicola Padovano
2010-08-30 19:07               ` Jan Engelhardt
2010-08-30 21:47                 ` Nicola Padovano
2010-08-30 22:25                   ` Jan Engelhardt
2010-08-30 22:30                     ` Nicola Padovano
2010-08-30 23:02                       ` Nicola Padovano
2010-08-30 23:09                         ` Jan Engelhardt
2010-08-30 23:17                           ` Nicola Padovano
2010-08-30 23:53                             ` Jan Engelhardt
2010-08-30 17:51 ` Elmar Stellnberger
2010-08-30 18:30   ` Justin Kamerman
2010-08-30 18:34   ` Jan Engelhardt
