From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Hans Schillstrom <hans.schillstrom@ericsson.com>
Cc: kaber@trash.net, jengelh@medozas.de,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
hans@schillstrom.com
Subject: Re: [v2 PATCH 2/2] NETFILTER userspace part for target HMARK
Date: Mon, 7 Nov 2011 01:55:35 +0100
Message-ID: <20111107005535.GB29665@1984>
In-Reply-To: <1317664003-28189-3-git-send-email-hans.schillstrom@ericsson.com>
On Mon, Oct 03, 2011 at 07:46:43PM +0200, Hans Schillstrom wrote:
> The target allows you to create rules in the "raw" and "mangle" tables
> which alter the netfilter mark (nfmark) field within a given range.
> First a 32 bit hash value is generated then modulus by <limit> and
> finally an offset is added before it's written to nfmark.
> Prior to routing, the nfmark can influence the routing method (see
> "Use netfilter MARK value as routing key") and can also be used by
> other subsystems to change their behaviour.
>
> The mark match can also be used to match nfmark produced by this module.
>
> Ver 2
> IPv4 NAT added
> iptables ver 1.4.12.1 adaptions.
>
> Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
> ---
> extensions/libxt_HMARK.c | 381 ++++++++++++++++++++++++++++++++++++
> extensions/libxt_HMARK.man | 66 ++++++
> include/linux/netfilter/xt_hmark.h | 48 +++++
> 3 files changed, 495 insertions(+), 0 deletions(-)
> create mode 100644 extensions/libxt_HMARK.c
> create mode 100644 extensions/libxt_HMARK.man
> create mode 100644 include/linux/netfilter/xt_hmark.h
>
> diff --git a/extensions/libxt_HMARK.c b/extensions/libxt_HMARK.c
> new file mode 100644
> index 0000000..0def034
> --- /dev/null
> +++ b/extensions/libxt_HMARK.c
> @@ -0,0 +1,381 @@
> +/*
> + * Shared library add-on to iptables to add HMARK target support.
> + *
> + * The kernel module calculates a hash value that can be modified by modulus
> + * and an offset. The hash value is based on a direction independent
> + * five tuple: src & dst addr src & dst ports and protocol.
> + * However src & dst port can be masked and are not used for fragmented
> + * packets, ESP and AH don't have ports so SPI will be used instead.
> + * For ICMP error messages the hash mark values will be calculated on
> + * the source packet i.e. the packet caused the error (If sufficient
> + * amount of data exists).
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + */
> +#include <stdbool.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <stdlib.h>
> +#include <getopt.h>
> +
> +#include <xtables.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter/xt_hmark.h>
> +
> +
> +#define DEF_HRAND 0xc175a3b8 /* Default "random" value to jhash */
> +
> +static void HMARK_help(void)
> +{
> + printf(
> +"HMARK target options, i.e. modify hash calculation by:\n"
> +" --hmark-smask value Mask source address with value\n"
> +" --hmark-dmask value Mask Dest. address with value\n"
> +" --hmark-sp-mask value Mask src port with value\n"
> +" --hmark-dp-mask value Mask dst port with value\n"
> +" --hmark-spi-mask value For esp and ah AND spi with value\n"
> +" --hmark-sp-set value OR src port with value\n"
> +" --hmark-dp-set value OR dst port with value\n"
> +" --hmark-spi-set value For esp and ah OR spi with value\n"
> +" --hmark-proto-mask value Mask Protocol with value\n"
> +" --hmark-rnd Random value to hash cacl.\n"
> +" Limit/modify the calculated hash mark by:\n"
> +" --hmark-mod value nfmark modulus value\n"
> +" --hmark-offs value Last action add value to nfmark\n"
> +" For NAT in IPv4 the original address can be used in the return path.\n"
> +" Make sure to qualify the statement in a proper way when using nat flags\n"
> +" --hmark-dnat Replace src addr/port with original dst addr/port\n"
> +" --hmark-snat Replace dst addr/port with original src addr/port\n"
> +" In many cases hmark can be omitted i.e. --smask can be used\n");
> +}
> +
> +static const struct option HMARK_opts[] = {
> + { "hmark-smask", 1, NULL, XT_HMARK_SADR_AND },
> + { "hmark-dmask", 1, NULL, XT_HMARK_DADR_AND },
> + { "hmark-sp-mask", 1, NULL, XT_HMARK_SPORT_AND },
> + { "hmark-dp-mask", 1, NULL, XT_HMARK_DPORT_AND },
> + { "hmark-spi-mask", 1, NULL, XT_HMARK_SPI_AND },
> + { "hmark-sp-set", 1, NULL, XT_HMARK_SPORT_OR },
> + { "hmark-dp-set", 1, NULL, XT_HMARK_DPORT_OR },
> + { "hmark-spi-set", 1, NULL, XT_HMARK_SPI_OR },
> + { "hmark-proto-mask", 1, NULL, XT_HMARK_PROTO_AND },
> + { "hmark-rnd", 1, NULL, XT_HMARK_RND },
> + { "hmark-mod", 1, NULL, XT_HMARK_MODULUS },
> + { "hmark-offs", 1, NULL, XT_HMARK_OFFSET },
> + { "hmark-dnat", 1, NULL, XT_HMARK_USE_DNAT },
> + { "hmark-snat", 1, NULL, XT_HMARK_USE_SNAT },
> + { "smask", 1, NULL, XT_HMARK_SADR_AND },
> + { "dmask", 1, NULL, XT_HMARK_DADR_AND },
> + { "sp-mask", 1, NULL, XT_HMARK_SPORT_AND },
> + { "dp-mask", 1, NULL, XT_HMARK_DPORT_AND },
> + { "spi-mask", 1, NULL, XT_HMARK_SPI_AND },
> + { "sp-set", 1, NULL, XT_HMARK_SPORT_OR },
> + { "dp-set", 1, NULL, XT_HMARK_DPORT_OR },
> + { "spi-set", 1, NULL, XT_HMARK_SPI_OR },
> + { "proto-mask", 1, NULL, XT_HMARK_PROTO_AND },
> + { "rnd", 1, NULL, XT_HMARK_RND },
> + { "mod", 1, NULL, XT_HMARK_MODULUS },
> + { "offs", 1, NULL, XT_HMARK_OFFSET },
> + { "dnat", 1, NULL, XT_HMARK_USE_DNAT },
> + { "snat", 1, NULL, XT_HMARK_USE_SNAT },
> + { .name = NULL }
> +};
> +
> +static int
> +HMARK_parse(int c, char **argv, int invert, unsigned int *flags,
> + const void *entry, struct xt_entry_target **target)
> +{
> + struct xt_hmark_info *hmarkinfo
> + = (struct xt_hmark_info *)(*target)->data;
> + unsigned int value = 0xffffffff;
> + unsigned int maxint = UINT32_MAX;
> +
> + if ((c < XT_HMARK_SADR_AND) || (c > XT_HMARK_OFFSET)) {
> + xtables_error(PARAMETER_PROBLEM, "Bad HMARK option \"%s\"",
> + optarg);
> + return 0;
> + }
> +
> + if (c >= XT_HMARK_SPORT_AND && c <= XT_HMARK_DPORT_OR)
> + maxint = UINT16_MAX;
> + else if (c == XT_HMARK_PROTO_AND)
> + maxint = UINT8_MAX;
> +
> + if (!xtables_strtoui(optarg, NULL, &value, 0, maxint))
> + xtables_error(PARAMETER_PROBLEM, "Bad HMARK value \"%s\"",
> + optarg);
> +
> + if (*flags == 0) {
> + memset(hmarkinfo, 0xff, sizeof(struct xt_hmark_info));
> + hmarkinfo->pset.v32 = 0;
> + hmarkinfo->flags = 0;
> + hmarkinfo->spiset = 0;
> + hmarkinfo->hoffs = 0;
> + hmarkinfo->hashrnd = DEF_HRAND;
> + }
> + switch (c) {
> + case XT_HMARK_SADR_AND:
> + if (*flags & (1 << c)) {
> + xtables_error(PARAMETER_PROBLEM,
> + "Can only specify "
> + "`--hmark-smask' once");
> + }
> + hmarkinfo->smask = htonl(value);
> + if (value == maxint)
> + c = 0;
> + break;
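Review bot: the option table declares `hmark-dnat`, `hmark-snat` (and the unprefixed `dnat`/`snat` aliases) with has_arg = 1, although the help text lists them as plain flags with no value, and HMARK_parse() runs every option through xtables_strtoui(optarg, ...) before the switch, so `--hmark-dnat` followed by another option would consume that option as its argument and fail with "Bad HMARK value". The same mismatch applies to `--hmark-rnd`, whose help line shows no value placeholder. Declare the flag options with has_arg = 0 and skip the numeric conversion for them. Two smaller points in the same hunk: the `return 0;` after xtables_error() is unreachable since xtables_error() does not return, and the range check `c > XT_HMARK_OFFSET` rejects XT_HMARK_USE_DNAT/XT_HMARK_USE_SNAT as "Bad HMARK option" if those are numbered after XT_HMARK_OFFSET in xt_hmark.h, so please check the enum order against this check.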
Please check the current iptables git tree. Jan implemented a more advanced
method to handle options. For instance, have a look at libxt_cluster.c.