* [PATCH 1/3] Add revision field for xt_entry_target
@ 2015-02-06  7:26 Gao feng
  2015-02-06  7:26 ` [PATCH 2/3] Add MARK target for arptables Gao feng
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Gao feng @ 2015-02-06  7:26 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo, Gao feng

This field is useful if we want to add a TARGET which
has a revision for arptables rules.

Also make sure xt_entry_target is consistent with
the definition in kernel.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/linux/netfilter_arp/arp_tables.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 0acda66..ccf8cd0 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -19,7 +19,7 @@
 
 #include <linux/netfilter_arp.h>
 
-#define ARPT_FUNCTION_MAXNAMELEN 30
+#define ARPT_FUNCTION_MAXNAMELEN 29
 #define ARPT_TABLE_MAXNAMELEN 32
 
 #define ARPT_DEV_ADDR_LEN_MAX 16
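Review bot: The new value 29 for `ARPT_FUNCTION_MAXNAMELEN` is only correct because the later hunk adds a one-byte `revision` directly after `name[]`, and nothing in the header records or enforces that coupling. The macro also reads as a general name-length limit, so any other array or bounds check built on it (none is visible in this hunk) would silently shrink by one byte. If this layout is what gets handed to the kernel, as the description implies, a later edit to either line would put `revision` at the wrong offset without any build error. I would add a comment such as `/* 29 name bytes + 1 byte revision: must match struct xt_entry_target */` and a compile-time size check next to the struct. The struct definition starts and ends outside both hunks.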
@@ -69,6 +69,8 @@ struct arpt_entry_target
 
 			/* Used by userspace */
 			char name[ARPT_FUNCTION_MAXNAMELEN];
+
+			u_int8_t revision;
 		} user;
 		struct {
 			u_int16_t target_size;
-- 
2.1.0



* [PATCH 2/3] Add MARK target for arptables
  2015-02-06  7:26 [PATCH 1/3] Add revision field for xt_entry_target Gao feng
@ 2015-02-06  7:26 ` Gao feng
  2015-02-10 23:18   ` Pablo Neira Ayuso
  2015-02-06  7:26 ` [PATCH 3/3] Update the manpage for MARK target Gao feng
  2015-02-11 15:52 ` [PATCH 1/3] Add revision field for xt_entry_target Pablo Neira Ayuso
  2 siblings, 1 reply; 6+ messages in thread
From: Gao feng @ 2015-02-06  7:26 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo, Gao feng

We can use the MARK target to set the mark value of an
arp packet.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 extensions/Makefile    |   2 +-
 extensions/arpt_MARK.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 extensions/arpt_MARK.c

diff --git a/extensions/Makefile b/extensions/Makefile
index 09b244e..0189cc9 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -1,6 +1,6 @@
 #! /usr/bin/make
 
-EXT_FUNC+=standard mangle CLASSIFY
+EXT_FUNC+=standard mangle CLASSIFY MARK
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
 
 extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
diff --git a/extensions/arpt_MARK.c b/extensions/arpt_MARK.c
new file mode 100644
index 0000000..ce24bdb
--- /dev/null
+++ b/extensions/arpt_MARK.c
@@ -0,0 +1,119 @@
+/*
+ * (C) 2015 by Gao feng <gaofeng@cn.fujitsu.com>
+ *
+ * arpt_MARK.c -- arptables extension to set mark for arp packet
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <arptables.h>
+#include <linux/netfilter/xt_mark.h>
+#include <linux/netfilter/x_tables.h>
+
+static void
+help(void)
+{
+	printf(
+"MARK target v%s options:\n"
+"--set-mark mark : set the mark value\n",
+	ARPTABLES_VERSION);
+}
+
+#define MARK_OPT 1
+
+static struct option opts[] = {
+	{ "set-mark"   , required_argument, 0, MARK_OPT },
+	{0}
+};
+
+static void
+init(struct arpt_entry_target *t)
+{
+	struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *) t->data;
+
+	info->mark = 0;
+	info->mask = 0xffffffff;
+	t->u.user.revision = 2;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+	const struct arpt_entry *e,
+	struct arpt_entry_target **t)
+{
+	struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(*t)->data;
+	int i;
+
+	switch (c) {
+		case MARK_OPT:
+			if (sscanf(argv[optind-1], "%x", &i) != 1) {
+				exit_error(PARAMETER_PROBLEM,
+						"Bad mark value `%s'", optarg);
+				return 0;
+			}
+			info->mark = i;
+			if (*flags)
+				exit_error(PARAMETER_PROBLEM,
+						"CLASSIFY: Can't specify --set-mark twice");
+			*flags = 1;
+			break;
+		default:
+			return 0;
+	}
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, "MARK: Parameter --set-mark is required");
+}
+
+static void print(const struct arpt_arp *ip,
+	const struct arpt_entry_target *target, int numeric)
+{
+	struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(target->data);
+
+	printf("--set-mark %x", info->mark);
+}
+
+static void
+save(const struct arpt_arp *ip, const struct arpt_entry_target *target)
+{
+}
+
+static
+struct arptables_target mark
+= { NULL,
+	"MARK",
+	ARPTABLES_VERSION,
+	ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+	ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&mark);
+}
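Review bot: In `parse()`, the `--set-mark` value is read with `sscanf(argv[optind-1], "%x", &i)` into an `int`, which mismatches the `%x` conversion (it expects `unsigned int *`), accepts trailing garbage such as `12zz`, and does not detect overflow, so a mistyped mark can be installed as a different value than the operator intended. The string that is parsed (`argv[optind-1]`) is also not the one reported in the error (`optarg`), and the duplicate-option message is prefixed `CLASSIFY:` instead of `MARK:`. I would parse `optarg` with `strtoul`, reject input that is not fully consumed or does not fit in 32 bits, and run the duplicate check before storing anything; this needs `<stdlib.h>` and `<errno.h>`. The `invert` argument is ignored, so a negated `--set-mark` may be accepted silently and probably deserves an explicit rejection.

```c
		case MARK_OPT: {
			char *end;
			unsigned long val;

			if (*flags)
				exit_error(PARAMETER_PROBLEM,
						"MARK: Can't specify --set-mark twice");
			errno = 0;
			val = strtoul(optarg, &end, 16);
			if (end == optarg || *end != '\0' || errno == ERANGE ||
			    val > 0xffffffffUL)
				exit_error(PARAMETER_PROBLEM,
						"Bad mark value `%s'", optarg);
			info->mark = val;
			*flags = 1;
			break;
		}
		/* … unchanged: default case and return … */
```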
-- 
2.1.0



* [PATCH 3/3] Update the manpage for MARK target
  2015-02-06  7:26 [PATCH 1/3] Add revision field for xt_entry_target Gao feng
  2015-02-06  7:26 ` [PATCH 2/3] Add MARK target for arptables Gao feng
@ 2015-02-06  7:26 ` Gao feng
  2015-02-11 15:52 ` [PATCH 1/3] Add revision field for xt_entry_target Pablo Neira Ayuso
  2 siblings, 0 replies; 6+ messages in thread
From: Gao feng @ 2015-02-06  7:26 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo, Gao feng

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 arptables.8 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arptables.8 b/arptables.8
index 78b2c60..a0ada83 100644
--- a/arptables.8
+++ b/arptables.8
@@ -315,6 +315,16 @@ sify the packet into a specific CBQ class).
 Set the major and minor  class  value.  The  values  are  always
 interpreted as hexadecimal even if no 0x prefix is given.
 
+.SS MARK
+This  module  allows you to set the skb->mark value (and thus classify
+the packet by the mark in u32)
+
+.TP
+.BR "--set-mark mark"
+
+Set the mark value.  The  values  are  always
+interpreted as hexadecimal even if no 0x prefix is given.
+
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
 .SH SEE ALSO
-- 
2.1.0



* Re: [PATCH 2/3] Add MARK target for arptables
  2015-02-06  7:26 ` [PATCH 2/3] Add MARK target for arptables Gao feng
@ 2015-02-10 23:18   ` Pablo Neira Ayuso
  2015-02-11  8:58     ` Gao feng
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-02-10 23:18 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel

On Fri, Feb 06, 2015 at 03:26:29PM +0800, Gao feng wrote:
> We can use MARK target to set make value for
> arp packet.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  extensions/Makefile    |   2 +-
>  extensions/arpt_MARK.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 120 insertions(+), 1 deletion(-)
>  create mode 100644 extensions/arpt_MARK.c
> 
> diff --git a/extensions/Makefile b/extensions/Makefile
> index 09b244e..0189cc9 100644
> --- a/extensions/Makefile
> +++ b/extensions/Makefile
> @@ -1,6 +1,6 @@
>  #! /usr/bin/make
>  
> -EXT_FUNC+=standard mangle CLASSIFY
> +EXT_FUNC+=standard mangle CLASSIFY MARK
>  EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
>  
>  extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
> diff --git a/extensions/arpt_MARK.c b/extensions/arpt_MARK.c
> new file mode 100644
> index 0000000..ce24bdb
> --- /dev/null
> +++ b/extensions/arpt_MARK.c
> @@ -0,0 +1,119 @@
> +/*
> + * (C) 2015 by Gao feng <gaofeng@cn.fujitsu.com>
> + *
> + * arpt_MARK.c -- arptables extension to set mark for arp packet
> + *
> + *	This program is free software; you can redistribute it and/or modify
> + *	it under the terms of the GNU General Public License as published by
> + *	the Free Software Foundation; either version 2 of the License, or
> + *	(at your option) any later version.
> + *
> + *	This program is distributed in the hope that it will be useful,
> + *	but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *	GNU General Public License for more details.
> + *
> + *	You should have received a copy of the GNU General Public License
> + *	along with this program; if not, write to the Free Software
> + *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> + */
> +
> +#include <stdio.h>
> +#include <getopt.h>
> +#include <arptables.h>
> +#include <linux/netfilter/xt_mark.h>
> +#include <linux/netfilter/x_tables.h>
> +
> +static void
> +help(void)
> +{
> +	printf(
> +"MARK target v%s options:\n"
> +"--set-mark mark : set the mark value\n",
> +	ARPTABLES_VERSION);
> +}
> +
> +#define MARK_OPT 1
> +
> +static struct option opts[] = {
> +	{ "set-mark"   , required_argument, 0, MARK_OPT },
> +	{0}

Please add all options that MARK supports according to man
iptables-extensions.


* Re: [PATCH 2/3] Add MARK target for arptables
  2015-02-10 23:18   ` Pablo Neira Ayuso
@ 2015-02-11  8:58     ` Gao feng
  0 siblings, 0 replies; 6+ messages in thread
From: Gao feng @ 2015-02-11  8:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On 02/11/2015 07:18 AM, Pablo Neira Ayuso wrote:
> On Fri, Feb 06, 2015 at 03:26:29PM +0800, Gao feng wrote:
>> We can use MARK target to set make value for
>> arp packet.
>>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>>  extensions/Makefile    |   2 +-
>>  extensions/arpt_MARK.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++
>>  2 files changed, 120 insertions(+), 1 deletion(-)
>>  create mode 100644 extensions/arpt_MARK.c
>>
>> diff --git a/extensions/Makefile b/extensions/Makefile
>> index 09b244e..0189cc9 100644
>> --- a/extensions/Makefile
>> +++ b/extensions/Makefile
>> @@ -1,6 +1,6 @@
>>  #! /usr/bin/make
>>  
>> -EXT_FUNC+=standard mangle CLASSIFY
>> +EXT_FUNC+=standard mangle CLASSIFY MARK
>>  EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
>>  
>>  extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
>> diff --git a/extensions/arpt_MARK.c b/extensions/arpt_MARK.c
>> new file mode 100644
>> index 0000000..ce24bdb
>> --- /dev/null
>> +++ b/extensions/arpt_MARK.c
>> @@ -0,0 +1,119 @@
>> +/*
>> + * (C) 2015 by Gao feng <gaofeng@cn.fujitsu.com>
>> + *
>> + * arpt_MARK.c -- arptables extension to set mark for arp packet
>> + *
>> + *	This program is free software; you can redistribute it and/or modify
>> + *	it under the terms of the GNU General Public License as published by
>> + *	the Free Software Foundation; either version 2 of the License, or
>> + *	(at your option) any later version.
>> + *
>> + *	This program is distributed in the hope that it will be useful,
>> + *	but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + *	GNU General Public License for more details.
>> + *
>> + *	You should have received a copy of the GNU General Public License
>> + *	along with this program; if not, write to the Free Software
>> + *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>> + */
>> +
>> +#include <stdio.h>
>> +#include <getopt.h>
>> +#include <arptables.h>
>> +#include <linux/netfilter/xt_mark.h>
>> +#include <linux/netfilter/x_tables.h>
>> +
>> +static void
>> +help(void)
>> +{
>> +	printf(
>> +"MARK target v%s options:\n"
>> +"--set-mark mark : set the mark value\n",
>> +	ARPTABLES_VERSION);
>> +}
>> +
>> +#define MARK_OPT 1
>> +
>> +static struct option opts[] = {
>> +	{ "set-mark"   , required_argument, 0, MARK_OPT },
>> +	{0}
> 
> Please, add all options that MARK support according to man
> iptables-extensions.

Get, will do. thanks!



* Re: [PATCH 1/3] Add revision field for xt_entry_target
  2015-02-06  7:26 [PATCH 1/3] Add revision field for xt_entry_target Gao feng
  2015-02-06  7:26 ` [PATCH 2/3] Add MARK target for arptables Gao feng
  2015-02-06  7:26 ` [PATCH 3/3] Update the manpage for MARK target Gao feng
@ 2015-02-11 15:52 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-02-11 15:52 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel

On Fri, Feb 06, 2015 at 03:26:28PM +0800, Gao feng wrote:
> This filed is useful if we want to add TARGET which
> has revision for arptables rules.
> 
> Also make sure xt_entry_target is consistent with
> the definition in kernel.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  include/linux/netfilter_arp/arp_tables.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
> index 0acda66..ccf8cd0 100644
> --- a/include/linux/netfilter_arp/arp_tables.h
> +++ b/include/linux/netfilter_arp/arp_tables.h
> @@ -19,7 +19,7 @@
>  
>  #include <linux/netfilter_arp.h>
>  
> -#define ARPT_FUNCTION_MAXNAMELEN 30
> +#define ARPT_FUNCTION_MAXNAMELEN 29
>  #define ARPT_TABLE_MAXNAMELEN 32
>  
>  #define ARPT_DEV_ADDR_LEN_MAX 16
> @@ -69,6 +69,8 @@ struct arpt_entry_target
>  
>  			/* Used by userspace */
>  			char name[ARPT_FUNCTION_MAXNAMELEN];
> +
> +			u_int8_t revision;

This structure is not exposed to userspace and I don't find any client
of it in this code:

include/uapi/linux/netfilter_arp/arp_tables.h:#define arpt_entry_target xt_entry_target

and arp_tables uses xt_entry_target all the time.

I guess you can get rid of this dead code. Then, update the cached
copy and also include x_tables.h definition in the arptables tree.

>  		} user;
>  		struct {
>  			u_int16_t target_size;
> -- 
> 2.1.0
> 

