* [PATCH next] extensions: add libxt_skbuff extension
@ 2012-12-09 19:54 Willem de Bruijn
2012-12-09 22:52 ` [PATCH] [rfc] a bpf compilation tool for xt_bpf Willem de Bruijn
0 siblings, 1 reply; 2+ messages in thread
From: Willem de Bruijn @ 2012-12-09 19:54 UTC (permalink / raw)
To: netfilter-devel, pablo; +Cc: Willem de Bruijn
Support filtering based on sk_buff fields
---
extensions/libxt_skbuff.c | 157 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 157 insertions(+), 0 deletions(-)
create mode 100644 extensions/libxt_skbuff.c
diff --git a/extensions/libxt_skbuff.c b/extensions/libxt_skbuff.c
new file mode 100644
index 0000000..02dba82
--- /dev/null
+++ b/extensions/libxt_skbuff.c
@@ -0,0 +1,157 @@
+/*
+ * Xtables skb match extension
+ *
+ * Written by Willem de Bruijn (willemb@google.com)
+ * Copyright Google, Inc. 2012
+ * Licensed under the GNU General Public License version 2 (GPLv2)
+*/
+
+#include <linux/netfilter/xt_skbuff.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+
+enum { O_FIELD = 0,
+ O_VAL_EXACT,
+ O_VAL_MIN,
+ O_VAL_MAX,
+ O_VAL_MASK};
+
+const char *skbuff_field_names[] = {
+ "csum", "hatype", "iif", "len", "mark", "pkt_type", "priority",
+ "protocol", "queue_mapping", "rt_classid", "rxhash", "secmark",
+ "uid", "gid", "tstamp", "vlan_tci"};
+
+static void skbuff_help(void)
+{
+ int i, len;
+
+ printf(
+"skbuff match options:\n"
+"[!] --field <name> --val <val> [--mask <val>]\n"
+"[!] --field <name> --min <val> --max <val> [--mask <val>]\n"
+"where name is one of ");
+
+ len = sizeof(skbuff_field_names) / sizeof (void *);
+ for (i = 0; i < len; i++)
+ printf("%s ", skbuff_field_names[i]);
+ printf("\n");
+}
+
+static const struct xt_option_entry skbuff_opts[] = {
+ {.name = "field", .id = O_FIELD, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_INVERT},
+ {.name = "val", .id = O_VAL_EXACT, .type = XTTYPE_UINT64},
+ {.name = "min", .id = O_VAL_MIN, .type = XTTYPE_UINT64},
+ {.name = "max", .id = O_VAL_MAX, .type = XTTYPE_UINT64},
+ {.name = "mask", .id = O_VAL_MASK, .type = XTTYPE_UINT64},
+ XTOPT_TABLEEND,
+};
+
+static int skbuff_field_name_to_id(const char *name)
+{
+ int i, len = sizeof(skbuff_field_names) / sizeof (void *);
+
+ for (i = 0; i < len; i++)
+ if (!strcmp(skbuff_field_names[i], name))
+ return i;
+
+ xtables_error(PARAMETER_PROBLEM, "skbuff: unknown field\n");
+}
+
+static void skbuff_parse(struct xt_option_call *cb)
+{
+ struct xt_skbuff_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_FIELD:
+ info->field_id = skbuff_field_name_to_id(cb->arg);
+ if (cb->invert)
+ info->invert = 1;
+ break;
+ case O_VAL_EXACT:
+ info->min = info->max = strtoul(cb->arg, NULL, 0);
+ break;
+ case O_VAL_MIN:
+ info->min = strtoul(cb->arg, NULL, 0);
+ break;
+ case O_VAL_MAX:
+ info->max = strtoul(cb->arg, NULL, 0);
+ break;
+ case O_VAL_MASK:
+ info->mask = strtoul(cb->arg, NULL, 0);
+ break;
+ default:
+ xtables_error(PARAMETER_PROBLEM,
+ "skbuff: unknown argument");
+ break;
+ }
+}
+
+static void skbuff_check(struct xt_fcheck_call *cb)
+{
+ struct xt_skbuff_info *info = cb->data;
+ unsigned int val_mask, ran_mask, opt_mask;
+
+ if (!info->mask)
+ info->mask = (uint64_t) -1;
+
+ val_mask = 1 << O_VAL_EXACT;
+ ran_mask = (1 << O_VAL_MIN) | (1 << O_VAL_MAX);
+ opt_mask = val_mask | ran_mask;
+
+ if (((cb->xflags & opt_mask) != val_mask) &&
+ ((cb->xflags & opt_mask) != ran_mask))
+ xtables_error(PARAMETER_PROBLEM,
+ "skbuff: specify one of --val or --min/--max");
+}
+
+static void skbuff_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_skbuff_info *info = (void *) match->data;
+
+ printf("%s--field %s --min %llu --max %llu --mask 0x%llx",
+ info->invert ? "! " : "", skbuff_field_names[info->field_id],
+ (unsigned long long) info->min,
+ (unsigned long long) info->max,
+ (unsigned long long) info->mask);
+}
+
+static void skbuff_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_skbuff_info *info = (void *) match->data;
+
+ printf(" skbuff match ");
+ if (numeric)
+ printf("%hu", info->field_id);
+ else
+ printf("%s", skbuff_field_names[info->field_id]);
+
+ printf("%llu %llu %llx %u",
+ (unsigned long long) info->min,
+ (unsigned long long) info->max,
+ (unsigned long long) info->mask,
+ info->invert);
+}
+
+static struct xtables_match skbuff_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "skbuff",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_skbuff_info)),
+ .help = skbuff_help,
+ .print = skbuff_print,
+ .save = skbuff_save,
+ .x6_parse = skbuff_parse,
+ .x6_fcheck = skbuff_check,
+ .x6_options = skbuff_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&skbuff_match);
+}
+
--
1.7.7.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH] [rfc] a bpf compilation tool for xt_bpf
2012-12-09 19:54 [PATCH next] extensions: add libxt_skbuff extension Willem de Bruijn
@ 2012-12-09 22:52 ` Willem de Bruijn
0 siblings, 0 replies; 2+ messages in thread
From: Willem de Bruijn @ 2012-12-09 22:52 UTC (permalink / raw)
To: netfilter-devel, pablo; +Cc: Willem de Bruijn
An example tool to convert textual BPF into the instructions
acceptable by xt_bpf. This is mostly boilerplate around existing
pcap calls.
I do not intend this for submission as is. It adds a dependency
on pcap, which would at the least have to be optional and detected
by autoconf.
---
utils/Makefile.am | 3 ++-
utils/bpf_compile.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletions(-)
create mode 100644 utils/bpf_compile.c
diff --git a/utils/Makefile.am b/utils/Makefile.am
index f1bbfc5..4c67292 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -4,7 +4,8 @@ AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
-I${top_srcdir}/include ${libnfnetlink_CFLAGS}
-sbin_PROGRAMS = nfnl_osf
+sbin_PROGRAMS = nfnl_osf bpf_compile
pkgdata_DATA = pf.os
nfnl_osf_LDADD = -lnfnetlink
+bpf_compile_LDADD = -lpcap
diff --git a/utils/bpf_compile.c b/utils/bpf_compile.c
new file mode 100644
index 0000000..62f7bc8
--- /dev/null
+++ b/utils/bpf_compile.c
@@ -0,0 +1,47 @@
+/*
+ * BPF program compilation tool
+ *
+ * Written by Willem de Bruijn (willemb@google.com)
+ * Copyright Google, Inc. 2012
+ * Licensed under the GNU General Public License version 2 (GPLv2)
+*/
+
+#include <pcap.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ struct bpf_program program;
+ struct bpf_insn *ins;
+ int i, dlt = DLT_RAW;
+
+ if (argc < 2 || argc > 3) {
+ fprintf(stderr, "Usage: %s [linktype] <program>\n"
+ " linktype is one of EN10MB, RAW, ...\n"
+ " program must be one parameter\n",
+ argv[0]);
+ return 1;
+ }
+
+ if (argc == 3) {
+ dlt = pcap_datalink_name_to_val(argv[1]);
+ if (dlt == -1) {
+ fprintf(stderr, "Unknown datalinktype: %s\n", argv[1]);
+ return 1;
+ }
+ }
+
+ printf("Using datalinktype %s\n", pcap_datalink_val_to_name(dlt));
+ if (pcap_compile_nopcap(65535, dlt, &program, argv[argc - 1], 1, 0)) {
+ fprintf(stderr, "Compilation error\n");
+ return 1;
+ }
+
+ printf("%d\n", program.bf_len);
+ ins = program.bf_insns;
+ for (i = 0; i < program.bf_len; ++ins, ++i)
+ printf("%u %u %u %u\n", ins->code, ins->jt, ins->jf, ins->k);
+
+ return 0;
+}
+
--
1.7.7.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-12-09 22:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-12-09 19:54 [PATCH next] extensions: add libxt_skbuff extension Willem de Bruijn
2012-12-09 22:52 ` [PATCH] [rfc] a bpf compilation tool for xt_bpf Willem de Bruijn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).