* [PATCH 0/5] adds ebtables nflog support to ulogd
@ 2008-02-11 22:07 Peter Warasin
2008-02-11 22:07 ` [PATCH 1/5] Adds input keys enumeration Peter Warasin
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel
Cc: ebtables-devel
Hi Guys
The following patch-set adds ebtables nflog support to ulogd.
In order to have this work it is also necessary to apply the
ebtables and kernel patches I posted some time ago
(I posted them, as well as this post, on both the ebtables and
netfilter devel lists).
Those patches add both the ebt_nflog kernel module and the userland
module.
However, the patches can certainly be applied separately.
This patchset now adds the corresponding support to ulogd's
BASE, PRINTPKT and IP2STR modules.
Currently it interprets the AF_BRIDGE family and knows how to
differentiate IP and ARP headers, logging them accordingly.
Here is a sample log output:
Feb 11 20:56:30 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 \
PROTO=ARP REQUEST
Feb 11 20:56:31 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 LEN=84 \
TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10541 SEQ=0
Feb 11 20:56:35 efw-1201175446 ulogd[10972]: EBTABLES TEST IN=br0 OUT= \
MAC=00:0c:e0:e0:7d:62:ff:ff:08:00:0c:00 SRC=10.7.100.2 DST=10.7.222.22 \
PROTO=ARP REPLY REPLY_MAC=00:0c:e0:e0:7d:62
More protocols *could* be implemented later.
kind regards,
Peter
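The cover letter above describes what the new BASE/PRINTPKT code does with an ARP packet and shows the resulting log lines. As an added example that is not part of the patches or of ulogd itself, the following C program parses a constructed Ethernet/IPv4 ARP request the way it reaches the BASE plugin from ebtables nflog (payload starting at the ARP header, no Ethernet header) and formats it like the PROTO=ARP lines in the sample log. The function names (arp_parse, arp_format, arp_to_logline) and the sample packet are assumptions made for illustration; the arp_hln/arp_pln/length checks are the caveat that a bare struct ether_arp cast skips.

```c
/* Added example, not code from the ulogd patches: decode an ARP packet
 * as delivered to the BASE plugin for AF_BRIDGE/ETH_P_ARP (payload starts
 * at the ARP header) and format it like the PRINTPKT lines in the cover
 * letter. Unlike a plain struct ether_arp cast it validates arp_hrd,
 * arp_hln and arp_pln before trusting the address fields. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <net/if_arp.h>      /* ARPHRD_ETHER, ARPOP_REQUEST, ARPOP_REPLY */

#ifndef ARPHRD_ETHER         /* RFC 826 values, for non-Linux builds */
#define ARPHRD_ETHER  1
#endif
#ifndef ARPOP_REQUEST
#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2
#endif

#define ARP_FIXED_LEN 8      /* hrd, pro, hln, pln, op */
#define ETHER_HLN     6
#define IPV4_PLN      4

struct arp_fields {
	uint16_t hrd, pro, op;
	uint8_t  hln, pln;
	const uint8_t *sha, *spa, *tha, *tpa;   /* point into the packet */
};

static uint16_t rd16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 on success, -1 if the packet is truncated or is not
 * Ethernet/IPv4 ARP (the only layout the MAC/IPv4 printing below fits). */
int arp_parse(const uint8_t *pkt, size_t len, struct arp_fields *f)
{
	if (len < ARP_FIXED_LEN)
		return -1;
	f->hrd = rd16(pkt);
	f->pro = rd16(pkt + 2);
	f->hln = pkt[4];
	f->pln = pkt[5];
	f->op  = rd16(pkt + 6);
	if (f->hrd != ARPHRD_ETHER || f->hln != ETHER_HLN || f->pln != IPV4_PLN)
		return -1;
	if (len < ARP_FIXED_LEN + 2u * (ETHER_HLN + IPV4_PLN))
		return -1;
	f->sha = pkt + ARP_FIXED_LEN;
	f->spa = f->sha + ETHER_HLN;
	f->tha = f->spa + IPV4_PLN;
	f->tpa = f->tha + ETHER_HLN;
	return 0;
}

/* Writes "SRC=a DST=b PROTO=ARP REQUEST|REPLY REPLY_MAC=..|CODE=n" into buf.
 * Returns the length written, or -1 if buf is too small. */
int arp_format(const struct arp_fields *f, char *buf, size_t buflen)
{
	char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
	int n;

	inet_ntop(AF_INET, f->spa, src, sizeof(src));
	inet_ntop(AF_INET, f->tpa, dst, sizeof(dst));

	switch (f->op) {
	case ARPOP_REQUEST:
		n = snprintf(buf, buflen, "SRC=%s DST=%s PROTO=ARP REQUEST", src, dst);
		break;
	case ARPOP_REPLY:
		n = snprintf(buf, buflen,
			     "SRC=%s DST=%s PROTO=ARP REPLY REPLY_MAC=%02x:%02x:%02x:%02x:%02x:%02x",
			     src, dst, f->sha[0], f->sha[1], f->sha[2],
			     f->sha[3], f->sha[4], f->sha[5]);
		break;
	default:
		n = snprintf(buf, buflen, "SRC=%s DST=%s PROTO=ARP CODE=%u", src, dst, f->op);
	}
	return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Constructed sample: an Ethernet/IPv4 ARP request from 10.7.100.2
 * (00:0c:e0:e0:7d:62) asking for 10.7.222.22; 28 bytes, no Ethernet header. */
const uint8_t sample_arp_request[28] = {
	0x00, 0x01,                           /* hrd = Ethernet */
	0x08, 0x00,                           /* pro = IPv4 */
	0x06, 0x04,                           /* hln, pln */
	0x00, 0x01,                           /* op = request */
	0x00, 0x0c, 0xe0, 0xe0, 0x7d, 0x62,   /* sha */
	10, 7, 100, 2,                        /* spa */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* tha */
	10, 7, 222, 22,                       /* tpa */
};

/* Parse and format in one step; returns the formatted length or -1. */
int arp_to_logline(const uint8_t *pkt, size_t len, char *buf, size_t buflen)
{
	struct arp_fields f;

	if (arp_parse(pkt, len, &f) < 0)
		return -1;
	return arp_format(&f, buf, buflen);
}

int main(void)
{
	char line[128];

	if (arp_to_logline(sample_arp_request, sizeof(sample_arp_request),
			   line, sizeof(line)) > 0)
		printf("%s\n", line);
	return 0;
}
```

Run stand-alone it prints the same SRC/DST/PROTO=ARP REQUEST line the sample log shows. A truncated buffer, or an ARP packet whose hardware or protocol address lengths are not 6 and 4, makes arp_parse return -1 instead of handing out pointers past the end of the packet.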
* [PATCH 1/5] Adds input keys enumeration
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
@ 2008-02-11 22:07 ` Peter Warasin
2008-02-14 14:46 ` Pablo Neira Ayuso
2008-02-11 22:07 ` [PATCH 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin Peter Warasin
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: ebtables-devel, Peter Warasin
[-- Attachment #1: filter-raw2packet-usekeys.patch --]
Adds an input key enumeration in order to address the fields
by symbolic names instead of numbers.
Shortens the lines by using GET_VALUE().
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:03:19.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:04:15.000000000 +0100
@@ -43,6 +43,12 @@
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+enum input_keys {
+ INKEY_RAW_PCKT,
+ INKEY_RAW_PCKTLEN,
+ INKEY_OOB_FAMILY,
+};
+
enum output_keys {
KEY_IP_SADDR,
KEY_IP_DADDR,
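Review bot: the new enum input_keys is an index into the plugin's input key array, so its order must match that array exactly (raw packet, raw packet length, oob.family) and any later key has to be appended to both in lockstep; a short comment on the enum saying so, or a build-time check that the enum count equals the array length, would keep the two from drifting apart.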
@@ -633,7 +639,8 @@
static int _interp_iphdr(struct ulogd_pluginstance *pi, u_int32_t len)
{
struct ulogd_key *ret = pi->output.keys;
- struct iphdr *iph = pi->input.keys[0].u.source->u.value.ptr;
+ struct iphdr *iph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
void *nexthdr = (u_int32_t *)iph + iph->ihl;
if (len < sizeof(struct iphdr) || len <= iph->ihl * 4)
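Review bot: the GET_VALUE() switch is fine, but `void *nexthdr = (u_int32_t *)iph + iph->ihl;` still reads iph->ihl before the `if (len < sizeof(struct iphdr) || ...)` check on the next line; moving the nexthdr computation below the length check avoids dereferencing a packet shorter than an IPv4 header.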
@@ -702,7 +709,8 @@
static int _interp_ipv6hdr(struct ulogd_pluginstance *pi, u_int32_t len)
{
struct ulogd_key *ret = pi->output.keys;
- struct ip6_hdr *ipv6h = pi->input.keys[0].u.source->u.value.ptr;
+ struct ip6_hdr *ipv6h =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
unsigned int ptr, hdrlen = 0;
u_int8_t curhdr;
int fragment = 0;
@@ -819,8 +827,8 @@
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
- u_int32_t len = pi->input.keys[1].u.source->u.value.ui32;
- u_int8_t family = pi->input.keys[2].u.source->u.value.ui8;
+ u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
+ u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
switch (family) {
case AF_INET:
--
* [PATCH 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 1/5] Adds input keys enumeration Peter Warasin
@ 2008-02-11 22:07 ` Peter Warasin
2008-02-13 23:05 ` [PATCHv2 " Peter Warasin
2008-02-11 22:07 ` [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin Peter Warasin
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel
Cc: Peter Warasin, ebtables-devel
[-- Attachment #1: ulogd2-PF_BRIDGE.patch --]
This patch adds an AF_BRIDGE interpreter to the
ulogd_raw2packet_BASE plugin, which allows logging
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++-
1 file changed, 125 insertions(+), 2 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:13:27.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:20:05.000000000 +0100
@@ -10,6 +10,7 @@
* o UDP header
* o ICMP header
* o AH/ESP header
+ * o ARP header
*
* (C) 2000-2005 by Harald Welte <laforge-TgoAw6mPHtdg9hUCZPvPmw@public.gmane.org>
*
@@ -42,11 +43,13 @@
#include <netinet/udp.h>
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+#include <netinet/if_ether.h>
enum input_keys {
INKEY_RAW_PCKT,
INKEY_RAW_PCKTLEN,
INKEY_OOB_FAMILY,
+ INKEY_OOB_PROTOCOL,
};
enum output_keys {
@@ -101,6 +104,14 @@
KEY_ICMPV6_ECHOSEQ,
KEY_ICMPV6_CSUM,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
};
static struct ulogd_key iphdr_rets[] = {
@@ -455,7 +466,46 @@
.flags = ULOGD_RETF_NONE,
.name = "ahesp.spi",
},
-
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
+ [KEY_ARP_HTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.hwtype",
+ },
+ [KEY_ARP_PTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.protocoltype",
+ },
+ [KEY_ARP_OPCODE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.operation",
+ },
+ [KEY_ARP_SHA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.shwaddr",
+ },
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_THA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.dhwaddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
/***********************************************************************
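Review bot: KEY_ARP_SPA and KEY_ARP_TPA are declared ULOGD_RET_RAW here, while patch 4/5 declares the same keys (arp.saddr, arp.daddr) as ULOGD_RET_IPADDR in IP2STR's input array; the two must agree. Since both are 4-byte IPv4 addresses, ULOGD_RET_IPADDR with the value copied into .ui32 would let IP2STR reuse its AF_INET path unchanged. KEY_ARP_SHA and KEY_ARP_THA are raw pointers without a length, so every consumer has to assume 6 bytes; that is only safe if the ARP decoder checks arp_hln before marking them valid.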
@@ -825,16 +875,84 @@
return 0;
}
+/***********************************************************************
+ * ARP HEADER
+ ***********************************************************************/
+static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct ether_arp *arph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+
+ if (len < sizeof(struct ether_arp))
+ return 0;
+
+ ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd);
+ SET_VALID(ret[KEY_ARP_HTYPE]);
+ ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro);
+ SET_VALID(ret[KEY_ARP_PTYPE]);
+ ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op);
+ SET_VALID(ret[KEY_ARP_OPCODE]);
+
+ ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
+ SET_VALID(ret[KEY_ARP_SHA]);
+ ret[KEY_ARP_SPA].u.value.ptr = &arph->arp_spa;
+ SET_VALID(ret[KEY_ARP_SPA]);
+
+ ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
+ SET_VALID(ret[KEY_ARP_THA]);
+ ret[KEY_ARP_TPA].u.value.ptr = &arph->arp_tpa;
+ SET_VALID(ret[KEY_ARP_TPA]);
+
+ return 0;
+}
+
+/***********************************************************************
+ * ETHER HEADER
+ ***********************************************************************/
+
+static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct sk_buff *skb =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+ const u_int16_t proto =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+
+ switch (proto) {
+ case ETH_P_IP:
+ _interp_iphdr(pi, len);
+ break;
+ case ETH_P_IPV6:
+ _interp_ipv6hdr(pi, len);
+ break;
+ case ETH_P_ARP:
+ _interp_arp(pi, len);
+ break;
+ /* ETH_P_8021Q ?? others? */
+ };
+
+ return 0;
+}
+
+
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
+ struct ulogd_key *ret = pi->output.keys;
+
+ ret[KEY_OOB_PROTOCOL].u.value.ui16 =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+ SET_VALID(ret[KEY_OOB_PROTOCOL]);
switch (family) {
case AF_INET:
return _interp_iphdr(pi, len);
case AF_INET6:
return _interp_ipv6hdr(pi, len);
+ case AF_BRIDGE:
+ return _interp_bridge(pi, len);
}
return 0;
}
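Review bot: _interp_arp only checks `len < sizeof(struct ether_arp)` and never validates arp_hln == ETH_ALEN and arp_pln == 4 (nor arp_hrd), so an ARP packet with other address sizes is exposed with sha/spa/tha/tpa pointing at the wrong bytes; add that check before the SET_VALID calls on the address keys. In _interp_bridge, `const struct sk_buff *skb` is a kernel type that is never used in this userspace code and `ret` is unused as well; drop both, and the stray `;` after the switch. The `&arph->arp_sha` assignments drop the const from arph and will warn. In _interp_pkt, KEY_OOB_PROTOCOL is copied and marked valid without a pp_is_valid() check on INKEY_OOB_PROTOCOL, which (see Eric's reply on patch 4/5) is not set for OUTPUT packets.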
@@ -859,7 +977,12 @@
{
.type = ULOGD_RET_UINT8,
.name = "oob.family",
- }
+ },
+ {
+ .type = ULOGD_RET_UINT16,
+ .name = "oob.protocol",
+ },
+
};
static struct ulogd_plugin base_plugin = {
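Review bot: the new "oob.protocol" input key carries no ULOGD_KEYF_OPTIONAL flag, so every source feeding BASE must now provide it; since it is absent for OUTPUT packets (Eric's point on patch 4/5), mark it optional and guard its use in _interp_pkt with pp_is_valid(). The blank line added before `};` can go.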
--
* [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 1/5] Adds input keys enumeration Peter Warasin
2008-02-11 22:07 ` [PATCH 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin Peter Warasin
@ 2008-02-11 22:07 ` Peter Warasin
2008-02-19 10:54 ` Pablo Neira Ayuso
2008-02-11 22:07 ` [PATCH 4/5] adds AF_BRIDGE support to IP2STR Peter Warasin
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: ebtables-devel, Peter Warasin
[-- Attachment #1: ulogd2-PF_BRIDGE-printpkt.patch --]
This patch adds support for AF_BRIDGE to
the PRINTPKT plugin, which allows forming
log lines for packets coming from ebtables.
Currently it supports IPv4, IPv6 and ARP.
Signed-off-by: Peter Warasin <peter@endian.com>
---
include/ulogd/printpkt.h | 8 ++++
util/printpkt.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+)
Index: ulogd2/include/ulogd/printpkt.h
===================================================================
--- ulogd2.orig/include/ulogd/printpkt.h 2008-02-11 22:37:18.000000000 +0100
+++ ulogd2/include/ulogd/printpkt.h 2008-02-11 22:37:20.000000000 +0100
@@ -51,6 +51,14 @@
KEY_ICMPV6_ECHOID,
KEY_ICMPV6_ECHOSEQ,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
__PRINTPKT_KEYS
};
#define PRINTPKT_KEYS (__PRINTPKT_KEYS)
Index: ulogd2/util/printpkt.c
===================================================================
--- ulogd2.orig/util/printpkt.c 2008-02-11 22:37:18.000000000 +0100
+++ ulogd2/util/printpkt.c 2008-02-11 22:40:05.000000000 +0100
@@ -36,9 +36,11 @@
#include <ulogd/ulogd.h>
#include <ulogd/conffile.h>
#include <ulogd/printpkt.h>
+#include <netinet/if_ether.h>
struct ulogd_key printpkt_keys[] = {
[KEY_OOB_FAMILY] = { .name = "oob.family", },
+ [KEY_OOB_PROTOCOL] = { .name = "oob.protocol", },
[KEY_OOB_TIME_SEC] = { .name = "oob.time.sec", },
[KEY_OOB_PREFIX] = { .name = "oob.prefix", },
[KEY_OOB_IN] = { .name = "oob.in", },
@@ -90,6 +92,14 @@
[KEY_ICMPV6_ECHOID] = { .name = "icmpv6.echoid", },
[KEY_ICMPV6_ECHOSEQ] = { .name = "icmpv6.echoseq", },
[KEY_AHESP_SPI] = { .name = "ahesp.spi", },
+ [KEY_ARP_HTYPE] = { .name = "arp.hwtype", },
+ [KEY_ARP_PTYPE] = { .name = "arp.protocoltype", },
+ [KEY_ARP_OPCODE] = { .name = "arp.operation", },
+ [KEY_ARP_SHA] = { .name = "arp.shwaddr", },
+ [KEY_ARP_SPA] = { .name = "arp.saddr.str", },
+ [KEY_ARP_THA] = { .name = "arp.dhwaddr", },
+ [KEY_ARP_TPA] = { .name = "arp.daddr.str", },
+
};
static int printpkt_proto(struct ulogd_key *res, char *buf, int protocol)
@@ -334,6 +344,74 @@
return buf_cur - buf;
}
+int printpkt_arp(struct ulogd_key *res, char *buf)
+{
+ char *buf_cur = buf;
+ u_int16_t code = 0;
+ u_int8_t *mac;
+ char tmp[INET_ADDRSTRLEN];
+
+ if (pp_is_valid(res, KEY_ARP_SPA))
+ buf_cur += sprintf(buf_cur, "SRC=%s ",
+ GET_VALUE(res, KEY_ARP_SPA).ptr);
+
+ if (pp_is_valid(res, KEY_ARP_TPA))
+ buf_cur += sprintf(buf_cur, "DST=%s ",
+ GET_VALUE(res, KEY_ARP_TPA).ptr);
+
+ buf_cur += sprintf(buf_cur, "PROTO=ARP ");
+
+ if (pp_is_valid(res, KEY_ARP_OPCODE)) {
+ code = GET_VALUE(res, KEY_ARP_OPCODE).ui16;
+ switch (code) {
+ case ARPOP_REQUEST:
+ buf_cur += sprintf(buf_cur, "REQUEST ");
+ break;
+ case ARPOP_REPLY:
+ buf_cur += sprintf(buf_cur, "REPLY ");
+ break;
+ case ARPOP_NAK:
+ buf_cur += sprintf(buf_cur, "NAK ");
+ break;
+ default:
+ buf_cur += sprintf(buf_cur, "CODE=%u ", code);
+ }
+
+ if (pp_is_valid(res, KEY_ARP_SHA) && (code == ARPOP_REPLY)) {
+ mac = GET_VALUE(res, KEY_ARP_SHA).ptr;
+ buf_cur += sprintf(buf_cur, "REPLY_MAC="
+ "%02x:%02x:%02x:%02x:%02x:%02x ",
+ mac[0], mac[1], mac[2],
+ mac[3], mac[4], mac[5]);
+ }
+ }
+
+ return buf_cur - buf;
+}
+
+
+int printpkt_bridge(struct ulogd_key *res, char *buf)
+{
+ char *buf_cur = buf;
+
+ switch (GET_VALUE(res, KEY_OOB_PROTOCOL).ui16) {
+ case ETH_P_IP:
+ buf_cur += printpkt_ipv4(res, buf_cur);
+ break;
+ case ETH_P_IPV6:
+ buf_cur += printpkt_ipv6(res, buf_cur);
+ break;
+ case ETH_P_ARP:
+ buf_cur += printpkt_arp(res, buf_cur);
+ break;
+ default:
+ buf_cur += sprintf(buf_cur, "PROTO=%u ",
+ GET_VALUE(res, KEY_OOB_PROTOCOL).ui16);
+ }
+
+ return buf_cur - buf;
+}
+
int printpkt_print(struct ulogd_key *res, char *buf)
{
char *buf_cur = buf;
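Review bot: `char tmp[INET_ADDRSTRLEN]` in printpkt_arp is unused; drop it. printpkt_bridge reads KEY_OOB_PROTOCOL without a pp_is_valid() check, and the REPLY_MAC branch prints six bytes from KEY_ARP_SHA without any length, so it relies on the BASE decoder having verified arp_hln == 6 before validating that key. The unbounded sprintf follows the rest of this file, so it is not a new problem, but it is one more reason to keep the added fields fixed-width.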
@@ -366,6 +444,9 @@
case AF_INET6:
buf_cur += printpkt_ipv6(res, buf_cur);
break;
+ case AF_BRIDGE:
+ buf_cur += printpkt_bridge(res, buf_cur);
+ break;
}
if (pp_is_valid(res, KEY_OOB_UID))
--
* [PATCH 4/5] adds AF_BRIDGE support to IP2STR
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin Peter Warasin
@ 2008-02-11 22:07 ` Peter Warasin
2008-02-12 20:28 ` Eric Leblond
2008-02-12 21:15 ` Eric Leblond
2008-02-11 22:07 ` [PATCH 5/5] Adds ebtables nflog stack samples to config file Peter Warasin
2008-02-12 20:04 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Bart De Schuymer
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel
Cc: Peter Warasin, ebtables-devel
[-- Attachment #1: ulogd2-PF_BRIDGE-IP2STR.patch --]
This patch makes the IP address string converter AF_BRIDGE
compatible and adds ARP IP address keys so that they are
converted as well.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/ulogd_filter_IP2STR.c | 74 +++++++++++++++++++++++++++++++------------
1 file changed, 54 insertions(+), 20 deletions(-)
Index: ulogd2/filter/ulogd_filter_IP2STR.c
===================================================================
--- ulogd2.orig/filter/ulogd_filter_IP2STR.c 2008-02-11 22:44:47.000000000 +0100
+++ ulogd2/filter/ulogd_filter_IP2STR.c 2008-02-11 22:53:42.000000000 +0100
@@ -27,11 +27,13 @@
#include <string.h>
#include <arpa/inet.h>
#include <ulogd/ulogd.h>
+#include <netinet/if_ether.h>
#define IPADDR_LENGTH 128
enum input_keys {
KEY_OOB_FAMILY,
+ KEY_OOB_PROTOCOL,
KEY_IP_SADDR,
START_KEY = KEY_IP_SADDR,
KEY_IP_DADDR,
@@ -39,7 +41,9 @@
KEY_ORIG_IP_DADDR,
KEY_REPLY_IP_SADDR,
KEY_REPLY_IP_DADDR,
- MAX_KEY = KEY_REPLY_IP_DADDR,
+ KEY_ARP_SPA,
+ KEY_ARP_TPA,
+ MAX_KEY = KEY_ARP_TPA,
};
static struct ulogd_key ip2str_inp[] = {
@@ -48,6 +52,11 @@
.flags = ULOGD_RETF_NONE,
.name = "oob.family",
},
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
[KEY_IP_SADDR] = {
.type = ULOGD_RET_IPADDR,
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
@@ -78,6 +87,16 @@
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
.name = "reply.ip.daddr",
},
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
static struct ulogd_key ip2str_keys[] = {
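Review bot: arp.saddr and arp.daddr are added without ULOGD_KEYF_OPTIONAL, unlike ip.saddr and the other address keys in this array, and the same goes for the new oob.protocol input in the hunk above; IP2STR also sits in stacks fed by NFCT, which never produces ARP keys, and oob.protocol is absent for OUTPUT packets (see Eric's reply), so both need to be optional or those stacks stop resolving. The type should also match whatever BASE ends up exporting (RAW vs IPADDR), as Eric notes.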
@@ -111,26 +130,41 @@
.flags = ULOGD_RETF_FREE,
.name = "reply.ip.daddr.str",
},
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.saddr.str",
+ },
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.daddr.str",
+ },
};
-static char *ip2str(struct ulogd_key* inp, int index, char family)
+static char *ip2str(struct ulogd_key *inp, int index, int protocol)
{
char tmp[IPADDR_LENGTH];
- switch (family) {
- case AF_INET6:
- inet_ntop(AF_INET6,
- &GET_VALUE(inp, index).ptr,
- tmp, sizeof(tmp));
- break;
- case AF_INET:
- inet_ntop(AF_INET,
- &GET_VALUE(inp, index).ui32,
- tmp, sizeof(tmp));
- break;
- default:
- /* TODO error handling */
- ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
- return NULL;
+ switch (protocol) {
+ case ETH_P_IPV6:
+ inet_ntop(AF_INET6,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ case ETH_P_IP:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ui32,
+ tmp, sizeof(tmp));
+ break;
+ case ETH_P_ARP:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ default:
+ /* TODO error handling */
+ ulogd_log(ULOGD_NOTICE, "Unknown protocol\n");
+ return NULL;
}
return strdup(tmp);
}
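Review bot: in the ETH_P_ARP case `&GET_VALUE(inp, index).ptr` hands inet_ntop the address of the pointer field itself, not the four bytes that the BASE patch stored a pointer to (`ret[KEY_ARP_SPA].u.value.ptr = &arph->arp_spa;`), so what gets printed are the low bytes of a pointer value; drop the `&`, or better, once the key becomes ULOGD_RET_IPADDR, have BASE store the address in .ui32 and let the ETH_P_IP case handle it. Separately, switching on oob.protocol alone leaves AF_INET/AF_INET6 sources that carry no oob.protocol (OUTPUT packets, as Eric reports) unable to convert anything; switch on oob.family first and consult oob.protocol only when the family is AF_BRIDGE.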
@@ -140,13 +174,13 @@
struct ulogd_key *ret = pi->output.keys;
struct ulogd_key *inp = pi->input.keys;
int i;
- int oob_family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
+ int oob_protocol = GET_VALUE(inp, KEY_OOB_PROTOCOL).ui16;
/* Iter on all addr fields */
for(i = START_KEY; i < MAX_KEY; i++) {
if (pp_is_valid(inp, i)) {
- ret[i-1].u.value.ptr = ip2str(inp, i, oob_family);
- ret[i-1].flags |= ULOGD_RETF_VALID;
+ ret[i-START_KEY].u.value.ptr = ip2str(inp, i, oob_protocol);
+ ret[i-START_KEY].flags |= ULOGD_RETF_VALID;
}
}
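Review bot: `for(i = START_KEY; i < MAX_KEY; i++)` never visits MAX_KEY itself, and MAX_KEY is now KEY_ARP_TPA, so arp.daddr is never converted (the same held for reply.ip.daddr before this patch); either loop with `<=` or define MAX_KEY as one past the last key. The ret[i-START_KEY] fix is right given the new KEY_OOB_PROTOCOL slot. ip2str() can return NULL (unknown protocol, failed strdup), yet ULOGD_RETF_VALID is set unconditionally; only set it when a string actually came back.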
--
* [PATCH 5/5] Adds ebtables nflog stack samples to config file
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 4/5] adds AF_BRIDGE support to IP2STR Peter Warasin
@ 2008-02-11 22:07 ` Peter Warasin
2008-02-19 10:56 ` Pablo Neira Ayuso
2008-02-12 20:04 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Bart De Schuymer
From: Peter Warasin @ 2008-02-11 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: ebtables-devel, Peter Warasin
[-- Attachment #1: ulogd2-PF_BRIDGE-ulogdconf.patch --]
This patch adds a sample configuration for logging
with ebtables through nflog out to LOGEMU and SYSLOG.
It also fixes a config bug with IPv6 (log2).
Signed-off-by: Peter Warasin <peter@endian.com>
---
ulogd.conf.in | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
Index: ulogd2/ulogd.conf.in
===================================================================
--- ulogd2.orig/ulogd.conf.in 2008-02-11 22:59:58.000000000 +0100
+++ ulogd2/ulogd.conf.in 2008-02-11 23:05:08.000000000 +0100
@@ -49,6 +49,9 @@
# this is a stack for IPv6 packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+# this is a stack for ebtables packet-based logging via LOGEMU
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
@@ -64,6 +67,9 @@
# this is a stack for logging IPv6 packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,pgsql1:PGSQL
+# this is a stack for logging ebtables packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
@@ -75,10 +81,15 @@
group=0
# IPv6 logging through NFLOG
-[log1]
+[log2]
group=1 # Group has to be different from the one use in log1
addressfamily=10 # 10 is value of AF_INET6
+# ebtables logging through NFLOG
+[log3]
+group=2 # Group has to be different from the one use in log1/log2
+addressfamily=7 # 7 is value of AF_BRIDGE
+
[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
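Review bot: the comment on [log3] should also say that group=2 has to match the --nflog-group given on the ebtables rule that does the logging, not merely differ from log1/log2; addressfamily=7 (AF_BRIDGE) is what makes the NFLOG input hand these packets to the AF_BRIDGE path in BASE, so it is worth stating that the two settings go together.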
@@ -106,3 +117,6 @@
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
+
+[sys2]
+facility=LOG_LOCAL2
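Review bot: the section added here is [sys2], but the ebtables syslog stack added earlier in this patch is `sys1:SYSLOG`; one of the two names has to change, otherwise the stack refers to an instance this patch never configures. `facility=LOG_LOCAL2` is a sensible way to keep bridge logs separable, but the stack line and the section must agree.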
--
* Re: [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 5/5] Adds ebtables nflog stack samples to config file Peter Warasin
@ 2008-02-12 20:04 ` Bart De Schuymer
2008-02-12 20:30 ` Peter Warasin
From: Bart De Schuymer @ 2008-02-12 20:04 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
On Mon, 11-02-2008 at 23:07 +0100, Peter Warasin wrote:
> Hi Guys
>
> The following patch-set adds ebtables nflog support to ulogd.
>
> In order to have this work it's also necessary to apply the
> ebtables and kernel patches I posted some time ago
> (i posted as well as this post on both, ebtables and
> netfilter devel lists).
Hi Peter,
I just searched the mailing list archives and you've never before posted
to the ebtables lists. You must have forgotten to include
ebtables-devel. Anyway, I just subscribed to netfilter-devel to prevent
this stuff from happening again.
Maybe we should move ebtables traffic to the netfilter lists, I'm not
really against it. Patrick?
cheers,
Bart
* Re: [PATCH 4/5] adds AF_BRIDGE support to IP2STR
2008-02-11 22:07 ` [PATCH 4/5] adds AF_BRIDGE support to IP2STR Peter Warasin
@ 2008-02-12 20:28 ` Eric Leblond
2008-02-13 11:17 ` Peter Warasin
2008-02-12 21:15 ` Eric Leblond
From: Eric Leblond @ 2008-02-12 20:28 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
Hello,
This patchset is fine but
On Monday, 2008 February 11 at 23:07:57 +0100, Peter Warasin wrote:
> This patch make the ip address string converter AF_BRIDGE
> compatible and add ip address ARP keys in order to make
> them also convert.
> + [KEY_ARP_SPA] = {
> + .type = ULOGD_RET_IPADDR,
> + .flags = ULOGD_RETF_NONE,
> + .name = "arp.saddr",
> + },
> + [KEY_ARP_TPA] = {
> + .type = ULOGD_RET_IPADDR,
> + .flags = ULOGD_RETF_NONE,
> + .name = "arp.daddr",
> + },
you defined here arp.daddr as ULOGD_RET_IPADDR although you've defined it in
the BASE plugin as:
	[KEY_ARP_SPA] = {
		.type = ULOGD_RET_RAW,
		.flags = ULOGD_RETF_NONE,
		.name = "arp.saddr",
	},
This should work with the code in its current state, but only by luck.
BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
* Re: [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd
2008-02-12 20:04 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Bart De Schuymer
@ 2008-02-12 20:30 ` Peter Warasin
2008-02-21 22:23 ` Bart De Schuymer
[not found] ` <1202846691.2901.16.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-19 15:12 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Patrick McHardy
From: Peter Warasin @ 2008-02-12 20:30 UTC (permalink / raw)
To: Bart De Schuymer; +Cc: netfilter-devel, ebtables-devel
Hi Bart
Bart De Schuymer wrote:
> I just searched the mailing list archives and you've never before posted
> to the ebtables lists. You must have forgotten to include
>
Oh, i see.
That's weird. I got mails back from the ebtables list. Probably
they have been blocked by SourceForge's mailman and I got them
because of the crosspost and filtering rules.
Anyway, the posts in question are these:
http://marc.info/?l=netfilter-devel&m=120223788107898&w=2
http://marc.info/?l=netfilter-devel&m=120223788207901&w=2
http://marc.info/?l=netfilter-devel&m=120223788307904&w=2
hope these links are fine, otherwise i repost on ebtables-devel
peter
* Re: [PATCH 4/5] adds AF_BRIDGE support to IP2STR
2008-02-11 22:07 ` [PATCH 4/5] adds AF_BRIDGE support to IP2STR Peter Warasin
2008-02-12 20:28 ` Eric Leblond
@ 2008-02-12 21:15 ` Eric Leblond
2008-02-13 11:13 ` Peter Warasin
From: Eric Leblond @ 2008-02-12 21:15 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
Hello,
On Monday, 2008 February 11 at 23:07:57 +0100, Peter Warasin wrote:
> This patch make the ip address string converter AF_BRIDGE
> compatible and add ip address ARP keys in order to make
> them also convert.
There is a problem with this patch. It uses oob_protocol to find which
output has to be done. Thus, oob_protocol has to be defined, and this is
not the case for OUTPUT packets.
So, this patch breaks IP display for OUTPUT packets. It could be fixed by
using a combination of oob_family and oob_protocol.
BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
* Re: [PATCH 4/5] adds AF_BRIDGE support to IP2STR
2008-02-12 21:15 ` Eric Leblond
@ 2008-02-13 11:13 ` Peter Warasin
2008-02-13 23:06 ` [PATCHv2 " Peter Warasin
From: Peter Warasin @ 2008-02-13 11:13 UTC (permalink / raw)
To: Eric Leblond, netfilter-devel
Hi Eric
Eric Leblond wrote:
> So, this patch breaks IP display for OUTPUT packet. It could be fixed by
> using a combination of oob_family and oob_protocol.
>
Oh, I understand. I was not aware of it and did not test with
OUTPUT packets :/
Thank you for the advice!
So, I will use family as it was before, and use protocol only when
family is AF_BRIDGE.
I will send fixes later
peter
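To make the decision Peter describes (use oob.family as before, and oob.protocol only when the family is AF_BRIDGE) concrete, here is an added example in C. It is not ulogd's code and not the fix Peter later sent: a selector that resolves the inet_ntop family from oob.family, consults oob.protocol (the Ethernet type) only for AF_BRIDGE, and treats a missing oob.protocol the way pp_is_valid() would, so an OUTPUT-hook IPv4 packet still converts. The names (addr_family_for, addr_to_str), the protocol_valid flag and the sample addresses are assumptions for illustration.

```c
/* Added example, not code from the patches in this thread: pick the
 * address family for inet_ntop from oob.family first, and from
 * oob.protocol only when the family is AF_BRIDGE. protocol_valid stands
 * in for pp_is_valid() on the oob.protocol key, which is absent for
 * OUTPUT packets, so AF_INET/AF_INET6 never look at it. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>   /* ETH_P_IP, ETH_P_IPV6, ETH_P_ARP on Linux */

#ifndef AF_BRIDGE
#define AF_BRIDGE 7             /* the value the ulogd.conf sample uses */
#endif
#ifndef ETH_P_IP                /* linux/if_ether.h values, for other platforms */
#define ETH_P_IP   0x0800
#define ETH_P_ARP  0x0806
#define ETH_P_IPV6 0x86DD
#endif

/* Returns AF_INET or AF_INET6 for inet_ntop, or -1 if the address
 * cannot be rendered with the information available. */
int addr_family_for(int family, int protocol_valid, uint16_t protocol)
{
	switch (family) {
	case AF_INET:
		return AF_INET;
	case AF_INET6:
		return AF_INET6;
	case AF_BRIDGE:
		if (!protocol_valid)      /* bridge packet without an ethertype */
			return -1;
		switch (protocol) {
		case ETH_P_IP:
		case ETH_P_ARP:           /* ARP protocol addresses are IPv4 here */
			return AF_INET;
		case ETH_P_IPV6:
			return AF_INET6;
		default:                  /* VLAN tags and the like: nothing to print */
			return -1;
		}
	default:
		return -1;
	}
}

/* Renders a raw 4- or 16-byte address; returns buf, or NULL on failure. */
const char *addr_to_str(int family, int protocol_valid, uint16_t protocol,
			const void *addr, char *buf, size_t buflen)
{
	int af = addr_family_for(family, protocol_valid, protocol);

	if (af < 0)
		return NULL;
	return inet_ntop(af, addr, buf, buflen);
}

int main(void)
{
	const uint8_t v4[4] = { 10, 7, 100, 2 };   /* constructed sample address */
	char buf[INET6_ADDRSTRLEN];

	/* OUTPUT hook: AF_INET with no oob.protocol must still convert */
	if (addr_to_str(AF_INET, 0, 0, v4, buf, sizeof(buf)))
		printf("%s\n", buf);
	/* ebtables ARP: AF_BRIDGE plus ETH_P_ARP */
	if (addr_to_str(AF_BRIDGE, 1, ETH_P_ARP, v4, buf, sizeof(buf)))
		printf("%s\n", buf);
	return 0;
}
```

The point of keeping the family switch outermost is that the AF_INET and AF_INET6 branches are exactly what IP2STR did before the patch, so sources that never set oob.protocol keep working; only the AF_BRIDGE branch depends on the new key, and it fails closed (NULL, no VALID flag) when the ethertype is missing or not one it knows.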
* Re: [PATCH 4/5] adds AF_BRIDGE support to IP2STR
2008-02-12 20:28 ` Eric Leblond
@ 2008-02-13 11:17 ` Peter Warasin
From: Peter Warasin @ 2008-02-13 11:17 UTC (permalink / raw)
To: Eric Leblond, netfilter-devel
Eric Leblond wrote:
> you defined here arp.daddr as ULOGD_RET_IPADDR although you've defined it in
> BASE plugin as:
> [KEY_ARP_SPA] = {
> .type = ULOGD_RET_RAW,
> .flags =
> ULOGD_RETF_NONE,
> .name =
> "arp.saddr",
> },
>
> This should work in current state code but it is only luck.
>
Ah, yes. I was not sure which type to choose. Well, defining it
differently is surely suboptimal :)
I will fix it in the patch to the BASE plugin and set the IPADDR type.
peter
* [PATCHv2 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-11 22:07 ` [PATCH 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin Peter Warasin
@ 2008-02-13 23:05 ` Peter Warasin
2008-02-14 7:39 ` Eric Leblond
From: Peter Warasin @ 2008-02-13 23:05 UTC (permalink / raw)
To: netfilter-devel
Hi guys
Fixed the type for KEY_ARP_SPA and KEY_ARP_TPA,
as Eric mentioned.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE.patch --]
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to the
ulogd_raw2packet_BASE plugin, which allows logging
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++-
1 file changed, 125 insertions(+), 2 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:13:27.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 22:20:05.000000000 +0100
@@ -10,6 +10,7 @@
* o UDP header
* o ICMP header
* o AH/ESP header
+ * o ARP header
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
@@ -42,11 +43,13 @@
#include <netinet/udp.h>
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+#include <netinet/if_ether.h>
enum input_keys {
INKEY_RAW_PCKT,
INKEY_RAW_PCKTLEN,
INKEY_OOB_FAMILY,
+ INKEY_OOB_PROTOCOL,
};
enum output_keys {
@@ -101,6 +104,14 @@
KEY_ICMPV6_ECHOSEQ,
KEY_ICMPV6_CSUM,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
};
static struct ulogd_key iphdr_rets[] = {
@@ -455,7 +466,46 @@
.flags = ULOGD_RETF_NONE,
.name = "ahesp.spi",
},
-
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
+ [KEY_ARP_HTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.hwtype",
+ },
+ [KEY_ARP_PTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.protocoltype",
+ },
+ [KEY_ARP_OPCODE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.operation",
+ },
+ [KEY_ARP_SHA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.shwaddr",
+ },
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_THA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.dhwaddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
/***********************************************************************
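Review bot: the cover note says the type of KEY_ARP_SPA and KEY_ARP_TPA was fixed, but this hunk still declares both ULOGD_RET_RAW; the file header timestamps and the diffstat are also identical to the first posting, so it looks like the unchanged v1 attachment was re-sent. The remarks on the v1 hunk (type must agree with IP2STR; SHA/THA carry no length) still apply.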
@@ -825,16 +875,84 @@
return 0;
}
+/***********************************************************************
+ * ARP HEADER
+ ***********************************************************************/
+static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct ether_arp *arph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+
+ if (len < sizeof(struct ether_arp))
+ return 0;
+
+ ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd);
+ SET_VALID(ret[KEY_ARP_HTYPE]);
+ ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro);
+ SET_VALID(ret[KEY_ARP_PTYPE]);
+ ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op);
+ SET_VALID(ret[KEY_ARP_OPCODE]);
+
+ ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
+ SET_VALID(ret[KEY_ARP_SHA]);
+ ret[KEY_ARP_SPA].u.value.ptr = &arph->arp_spa;
+ SET_VALID(ret[KEY_ARP_SPA]);
+
+ ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
+ SET_VALID(ret[KEY_ARP_THA]);
+ ret[KEY_ARP_TPA].u.value.ptr = &arph->arp_tpa;
+ SET_VALID(ret[KEY_ARP_TPA]);
+
+ return 0;
+}
+
+/***********************************************************************
+ * ETHER HEADER
+ ***********************************************************************/
+
+static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct sk_buff *skb =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+ const u_int16_t proto =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+
+ switch (proto) {
+ case ETH_P_IP:
+ _interp_iphdr(pi, len);
+ break;
+ case ETH_P_IPV6:
+ _interp_ipv6hdr(pi, len);
+ break;
+ case ETH_P_ARP:
+ _interp_arp(pi, len);
+ break;
+ /* ETH_P_8021Q ?? others? */
+ };
+
+ return 0;
+}
+
+
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
+ struct ulogd_key *ret = pi->output.keys;
+
+ ret[KEY_OOB_PROTOCOL].u.value.ui16 =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+ SET_VALID(ret[KEY_OOB_PROTOCOL]);
switch (family) {
case AF_INET:
return _interp_iphdr(pi, len);
case AF_INET6:
return _interp_ipv6hdr(pi, len);
+ case AF_BRIDGE:
+ return _interp_bridge(pi, len);
}
return 0;
}
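Review bot: `_interp_arp()` checks only `len < sizeof(struct ether_arp)` before exporting arp_spa/arp_tpa as IPv4 addresses and arp_sha/arp_tha as Ethernet addresses, so an ARP packet with a different hardware or protocol type is decoded as if it were Ethernet/IPv4. Validate the header fields before filling the keys, for example

	if (ntohs(arph->arp_hrd) != ARPHRD_ETHER || ntohs(arph->arp_pro) != ETH_P_IP ||
	    arph->arp_hln != ETH_ALEN || arph->arp_pln != 4)
		return 0;

Three smaller points in the same hunk: `_interp_bridge()` declares `ret` and `skb` and uses neither, and `struct sk_buff` is a kernel type that has no place in a userspace plugin, so drop both declarations; the return values of `_interp_iphdr()`, `_interp_ipv6hdr()` and `_interp_arp()` are discarded there, and the `};` after the switch is a stray empty statement; and `_interp_pkt()` copies INKEY_OOB_PROTOCOL into KEY_OOB_PROTOCOL and marks it valid without first checking `pp_is_valid()`, so an input that does not provide oob.protocol exports whatever happens to be in that slot. Also confirm that the input plugin delivers oob.protocol in host byte order, because the switch compares it directly against ETH_P_IP, ETH_P_IPV6 and ETH_P_ARP.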
@@ -859,7 +977,12 @@
{
.type = ULOGD_RET_UINT8,
.name = "oob.family",
- }
+ },
+ {
+ .type = ULOGD_RET_UINT16,
+ .name = "oob.protocol",
+ },
+
};
static struct ulogd_plugin base_plugin = {
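Review bot: the new oob.protocol input key carries no ULOGD_KEYF_OPTIONAL flag, so every input plugin stacked in front of BASE now has to export a key of that name for the stack to be built; either confirm that all packet input plugins provide oob.protocol, or mark the key optional and guard its use in `_interp_pkt()` with `pp_is_valid()`.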
* [PATCHv2 4/5] adds AF_BRIDGE support to IP2STR
2008-02-13 11:13 ` Peter Warasin
@ 2008-02-13 23:06 ` Peter Warasin
2008-02-14 11:36 ` [PATCHv3 " Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-13 23:06 UTC (permalink / raw)
To: Eric Leblond, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 46 bytes --]
Hi Eric
Here is the corrected patch.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE-IP2STR.patch --]
[-- Type: text/x-patch, Size: 3620 bytes --]
adds AF_BRIDGE support to IP2STR
This patch makes the ip address string converter AF_BRIDGE
compatible and adds ip address ARP keys so that they are
converted as well.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/ulogd_filter_IP2STR.c | 74 +++++++++++++++++++++++++++++++------------
1 file changed, 54 insertions(+), 20 deletions(-)
Index: ulogd2/filter/ulogd_filter_IP2STR.c
===================================================================
--- ulogd2.orig/filter/ulogd_filter_IP2STR.c 2008-02-11 22:44:47.000000000 +0100
+++ ulogd2/filter/ulogd_filter_IP2STR.c 2008-02-11 22:53:42.000000000 +0100
@@ -27,11 +27,13 @@
#include <string.h>
#include <arpa/inet.h>
#include <ulogd/ulogd.h>
+#include <netinet/if_ether.h>
#define IPADDR_LENGTH 128
enum input_keys {
KEY_OOB_FAMILY,
+ KEY_OOB_PROTOCOL,
KEY_IP_SADDR,
START_KEY = KEY_IP_SADDR,
KEY_IP_DADDR,
@@ -39,7 +41,9 @@
KEY_ORIG_IP_DADDR,
KEY_REPLY_IP_SADDR,
KEY_REPLY_IP_DADDR,
- MAX_KEY = KEY_REPLY_IP_DADDR,
+ KEY_ARP_SPA,
+ KEY_ARP_TPA,
+ MAX_KEY = KEY_ARP_TPA,
};
static struct ulogd_key ip2str_inp[] = {
@@ -48,6 +52,11 @@
.flags = ULOGD_RETF_NONE,
.name = "oob.family",
},
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
[KEY_IP_SADDR] = {
.type = ULOGD_RET_IPADDR,
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
@@ -78,6 +87,16 @@
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
.name = "reply.ip.daddr",
},
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
static struct ulogd_key ip2str_keys[] = {
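Review bot: arp.saddr and arp.daddr are added without ULOGD_KEYF_OPTIONAL, unlike the ip.* and reply.ip.* inputs above them that carry `ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL`; these two are only valid for ARP frames and are absent from any stack that does not decode ARP, so give them the same flags.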
@@ -111,26 +130,41 @@
.flags = ULOGD_RETF_FREE,
.name = "reply.ip.daddr.str",
},
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.saddr.str",
+ },
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.daddr.str",
+ },
};
-static char *ip2str(struct ulogd_key* inp, int index, char family)
+static char *ip2str(struct ulogd_key *inp, int index, int protocol)
{
char tmp[IPADDR_LENGTH];
- switch (family) {
- case AF_INET6:
- inet_ntop(AF_INET6,
- &GET_VALUE(inp, index).ptr,
- tmp, sizeof(tmp));
- break;
- case AF_INET:
- inet_ntop(AF_INET,
- &GET_VALUE(inp, index).ui32,
- tmp, sizeof(tmp));
- break;
- default:
- /* TODO error handling */
- ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
- return NULL;
+ switch (protocol) {
+ case ETH_P_IPV6:
+ inet_ntop(AF_INET6,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ case ETH_P_IP:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ui32,
+ tmp, sizeof(tmp));
+ break;
+ case ETH_P_ARP:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ default:
+ /* TODO error handling */
+ ulogd_log(ULOGD_NOTICE, "Unknown protocol\n");
+ return NULL;
}
return strdup(tmp);
}
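Review bot: the ETH_P_ARP case passes `&GET_VALUE(inp, index).ptr` to inet_ntop(), which is the address of the pointer member itself, so the output is the first four bytes of the pointer value rather than the ARP address it points to; either dereference the pointer, or, simpler, have BASE store the four address bytes in `u.value.ui32` and fold this case into the ETH_P_IP branch. Switching the dispatch from oob.family to oob.protocol also changes behaviour for non-bridge inputs: a packet with oob.family == AF_INET now depends on the input having filled oob.protocol with ETH_P_IP, and one that leaves it at 0 lands in the default branch and logs "Unknown protocol" where the old code converted it by family. Keep the switch on family and consult oob.protocol only when family == AF_BRIDGE.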
@@ -140,13 +174,13 @@
struct ulogd_key *ret = pi->output.keys;
struct ulogd_key *inp = pi->input.keys;
int i;
- int oob_family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
+ int oob_protocol = GET_VALUE(inp, KEY_OOB_PROTOCOL).ui16;
/* Iter on all addr fields */
for(i = START_KEY; i < MAX_KEY; i++) {
if (pp_is_valid(inp, i)) {
- ret[i-1].u.value.ptr = ip2str(inp, i, oob_family);
- ret[i-1].flags |= ULOGD_RETF_VALID;
+ ret[i-START_KEY].u.value.ptr = ip2str(inp, i, oob_protocol);
+ ret[i-START_KEY].flags |= ULOGD_RETF_VALID;
}
}
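Review bot: `for(i = START_KEY; i < MAX_KEY; i++)` never reaches MAX_KEY, which this patch moves to KEY_ARP_TPA, so the last input key (arp.daddr) is never converted; use `i <= MAX_KEY`. The index change from `ret[i-1]` to `ret[i-START_KEY]` is correct now that two keys precede START_KEY. One more thing: `ip2str()` returns NULL for an unknown protocol, yet the output key is flagged ULOGD_RETF_VALID regardless, so a consumer of a valid string key can dereference NULL; set the flag only when the returned pointer is non-NULL.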
* Re: [PATCHv2 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-13 23:05 ` [PATCHv2 " Peter Warasin
@ 2008-02-14 7:39 ` Eric Leblond
2008-02-14 11:34 ` [PATCHv3 " Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Eric Leblond @ 2008-02-14 7:39 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel
Hi,
> Hi guys
>
> Fixed the type for KEY_ARP_SPA and KEY_ARP_TPA,
> as Eric mentioned.
I did not drink coffee this morning, and thus I may be wrong, but it seems
you've sent the same patch as yesterday. KEY_ARP_SPA is still of type RAW
for example. The other patch seems also unchanged.
BR,
--
Eric
* [PATCHv3 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-14 7:39 ` Eric Leblond
@ 2008-02-14 11:34 ` Peter Warasin
2008-02-14 15:23 ` Pablo Neira Ayuso
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-14 11:34 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 427 bytes --]
Hi Eric
Eric Leblond wrote:
> I did not drink coffee this morning, and thus I may be wrong, but it seems
> you've sent the same patch as yesterday. KEY_ARP_SPA is still of type RAW
> for example. The other patch seems also unchanged.
>
Oh my. I think it was too late yesterday. Took the
wrong directory :/
Here is the correct patch attached.
I hope so, did not drink coffee either :)
Sorry for the inconvenience
peter
[-- Attachment #2: ulogd2-PF_BRIDGE.patch --]
[-- Type: text/x-patch, Size: 4987 bytes --]
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to the
ulogd_raw2packet_BASE plugin, which allows logging
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++-
1 file changed, 125 insertions(+), 2 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-11 23:07:26.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-13 23:20:42.000000000 +0100
@@ -10,6 +10,7 @@
* o UDP header
* o ICMP header
* o AH/ESP header
+ * o ARP header
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
@@ -42,11 +43,13 @@
#include <netinet/udp.h>
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+#include <netinet/if_ether.h>
enum input_keys {
INKEY_RAW_PCKT,
INKEY_RAW_PCKTLEN,
INKEY_OOB_FAMILY,
+ INKEY_OOB_PROTOCOL,
};
enum output_keys {
@@ -101,6 +104,14 @@
KEY_ICMPV6_ECHOSEQ,
KEY_ICMPV6_CSUM,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
};
static struct ulogd_key iphdr_rets[] = {
@@ -455,7 +466,46 @@
.flags = ULOGD_RETF_NONE,
.name = "ahesp.spi",
},
-
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
+ [KEY_ARP_HTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.hwtype",
+ },
+ [KEY_ARP_PTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.protocoltype",
+ },
+ [KEY_ARP_OPCODE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.operation",
+ },
+ [KEY_ARP_SHA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.shwaddr",
+ },
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_THA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.dhwaddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
/***********************************************************************
@@ -825,16 +875,84 @@
return 0;
}
+/***********************************************************************
+ * ARP HEADER
+ ***********************************************************************/
+static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct ether_arp *arph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+
+ if (len < sizeof(struct ether_arp))
+ return 0;
+
+ ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd);
+ SET_VALID(ret[KEY_ARP_HTYPE]);
+ ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro);
+ SET_VALID(ret[KEY_ARP_PTYPE]);
+ ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op);
+ SET_VALID(ret[KEY_ARP_OPCODE]);
+
+ ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
+ SET_VALID(ret[KEY_ARP_SHA]);
+ ret[KEY_ARP_SPA].u.value.ui32 = &arph->arp_spa;
+ SET_VALID(ret[KEY_ARP_SPA]);
+
+ ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
+ SET_VALID(ret[KEY_ARP_THA]);
+ ret[KEY_ARP_TPA].u.value.ui32 = &arph->arp_tpa;
+ SET_VALID(ret[KEY_ARP_TPA]);
+
+ return 0;
+}
+
+/***********************************************************************
+ * ETHER HEADER
+ ***********************************************************************/
+
+static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct sk_buff *skb =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+ const u_int16_t proto =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+
+ switch (proto) {
+ case ETH_P_IP:
+ _interp_iphdr(pi, len);
+ break;
+ case ETH_P_IPV6:
+ _interp_ipv6hdr(pi, len);
+ break;
+ case ETH_P_ARP:
+ _interp_arp(pi, len);
+ break;
+ /* ETH_P_8021Q ?? others? */
+ };
+
+ return 0;
+}
+
+
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
+ struct ulogd_key *ret = pi->output.keys;
+
+ ret[KEY_OOB_PROTOCOL].u.value.ui16 =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+ SET_VALID(ret[KEY_OOB_PROTOCOL]);
switch (family) {
case AF_INET:
return _interp_iphdr(pi, len);
case AF_INET6:
return _interp_ipv6hdr(pi, len);
+ case AF_BRIDGE:
+ return _interp_bridge(pi, len);
}
return 0;
}
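Review bot: `ret[KEY_ARP_SPA].u.value.ui32 = &arph->arp_spa;` (and the same line for KEY_ARP_TPA) assigns a pointer to a 32-bit integer field; that is the integer-from-pointer warning a compiler will raise, and it stores a truncated address instead of the IPv4 address. Since arp_spa is `u_int8_t[4]`, copy the bytes instead (needs `<string.h>`):

	memcpy(&ret[KEY_ARP_SPA].u.value.ui32, arph->arp_spa, sizeof(u_int32_t));

which also keeps the address in network byte order, as inet_ntop() on the IP2STR side expects. The unused `ret` and `skb` in `_interp_bridge()`, the unchecked INKEY_OOB_PROTOCOL read in `_interp_pkt()` and the missing hardware/protocol-type check in `_interp_arp()` are unchanged from the earlier version of this hunk.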
@@ -859,7 +977,12 @@
{
.type = ULOGD_RET_UINT8,
.name = "oob.family",
- }
+ },
+ {
+ .type = ULOGD_RET_UINT16,
+ .name = "oob.protocol",
+ },
+
};
static struct ulogd_plugin base_plugin = {
* Re: [PATCHv3 4/5] adds AF_BRIDGE support to IP2STR
2008-02-13 23:06 ` [PATCHv2 " Peter Warasin
@ 2008-02-14 11:36 ` Peter Warasin
2008-02-16 0:25 ` [PATCHv4 " Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-14 11:36 UTC (permalink / raw)
To: Eric Leblond, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 114 bytes --]
Hi
Correct patch is attached here.
Previous patch had the old patch attached.
Please consider this one.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE-IP2STR.patch --]
[-- Type: text/x-patch, Size: 3977 bytes --]
adds AF_BRIDGE support to IP2STR
This patch makes the ip address string converter AF_BRIDGE
compatible and adds ip address ARP keys so that they are
converted as well.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/ulogd_filter_IP2STR.c | 86 +++++++++++++++++++++++++++++++++++--------
1 file changed, 70 insertions(+), 16 deletions(-)
Index: ulogd2/filter/ulogd_filter_IP2STR.c
===================================================================
--- ulogd2.orig/filter/ulogd_filter_IP2STR.c 2008-02-13 23:56:27.000000000 +0100
+++ ulogd2/filter/ulogd_filter_IP2STR.c 2008-02-13 23:58:02.000000000 +0100
@@ -27,11 +27,13 @@
#include <string.h>
#include <arpa/inet.h>
#include <ulogd/ulogd.h>
+#include <netinet/if_ether.h>
#define IPADDR_LENGTH 128
enum input_keys {
KEY_OOB_FAMILY,
+ KEY_OOB_PROTOCOL,
KEY_IP_SADDR,
START_KEY = KEY_IP_SADDR,
KEY_IP_DADDR,
@@ -39,7 +41,9 @@
KEY_ORIG_IP_DADDR,
KEY_REPLY_IP_SADDR,
KEY_REPLY_IP_DADDR,
- MAX_KEY = KEY_REPLY_IP_DADDR,
+ KEY_ARP_SPA,
+ KEY_ARP_TPA,
+ MAX_KEY = KEY_ARP_TPA,
};
static struct ulogd_key ip2str_inp[] = {
@@ -48,6 +52,11 @@
.flags = ULOGD_RETF_NONE,
.name = "oob.family",
},
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
[KEY_IP_SADDR] = {
.type = ULOGD_RET_IPADDR,
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
@@ -78,6 +87,16 @@
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
.name = "reply.ip.daddr",
},
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
static struct ulogd_key ip2str_keys[] = {
@@ -111,26 +130,62 @@
.flags = ULOGD_RETF_FREE,
.name = "reply.ip.daddr.str",
},
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.saddr.str",
+ },
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.daddr.str",
+ },
};
-static char *ip2str(struct ulogd_key* inp, int index, char family)
+static char *ip2str(struct ulogd_key *inp, int index)
{
char tmp[IPADDR_LENGTH];
- switch (family) {
- case AF_INET6:
- inet_ntop(AF_INET6,
- &GET_VALUE(inp, index).ptr,
- tmp, sizeof(tmp));
+ char family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
+ char convfamily = family;
+
+ if (family == AF_BRIDGE) {
+ if (!pp_is_valid(inp, KEY_OOB_PROTOCOL)) {
+ ulogd_log(ULOGD_NOTICE,
+ "No protocol inside AF_BRIDGE packet\n");
+ return NULL;
+ }
+ switch (GET_VALUE(inp, KEY_OOB_PROTOCOL).ui16) {
+ case ETH_P_IPV6:
+ convfamily = AF_INET6;
+ break;
+ case ETH_P_IP:
+ convfamily = AF_INET;
break;
- case AF_INET:
- inet_ntop(AF_INET,
- &GET_VALUE(inp, index).ui32,
- tmp, sizeof(tmp));
+ case ETH_P_ARP:
+ convfamily = AF_INET;
break;
default:
- /* TODO error handling */
- ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
+ ulogd_log(ULOGD_NOTICE,
+ "Unknown protocol inside AF_BRIDGE packet\n");
return NULL;
+ }
+ }
+
+ switch (convfamily) {
+ case AF_INET6:
+ inet_ntop(AF_INET6,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ case AF_INET:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ui32,
+ tmp, sizeof(tmp));
+ break;
+ default:
+ /* TODO error handling */
+ ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
+ return NULL;
}
return strdup(tmp);
}
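Review bot: the ETH_P_ARP branch maps to AF_INET and therefore converts `&GET_VALUE(inp, index).ui32`, which is only right if BASE fills arp.saddr/arp.daddr as a ui32; the v3 BASE patch in this thread stores a pointer in that field, so the two patches need to settle on one representation before either is applied. Secondly, `ip2str()` now re-reads oob.family and, for AF_BRIDGE, oob.protocol on every call, and the caller invokes it once per valid address key, so the lookup and the "No protocol inside AF_BRIDGE packet" notice are repeated for every address of one packet; resolve `convfamily` once in the interpreter and pass it in, as the removed `family` parameter used to be. Minor: `char family` / `char convfamily` hold AF_* values, for which `u_int8_t` or `int` reads better.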
@@ -140,13 +195,12 @@
struct ulogd_key *ret = pi->output.keys;
struct ulogd_key *inp = pi->input.keys;
int i;
- int oob_family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
/* Iter on all addr fields */
for(i = START_KEY; i < MAX_KEY; i++) {
if (pp_is_valid(inp, i)) {
- ret[i-1].u.value.ptr = ip2str(inp, i, oob_family);
- ret[i-1].flags |= ULOGD_RETF_VALID;
+ ret[i-START_KEY].u.value.ptr = ip2str(inp, i);
+ ret[i-START_KEY].flags |= ULOGD_RETF_VALID;
}
}
* Re: [PATCH 1/5] Adds input keys enumeration
2008-02-11 22:07 ` [PATCH 1/5] Adds input keys enumeration Peter Warasin
@ 2008-02-14 14:46 ` Pablo Neira Ayuso
0 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-14 14:46 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
Peter Warasin wrote:
> Adds input key enumeration in order to address the fields
> with symbols instead of numbers.
> Shortens the lines by the use of GET_VALUE()
>
> Signed-off-by: Peter Warasin <peter@endian.com>
Applied, thanks Peter.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
* Re: [PATCHv3 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-14 11:34 ` [PATCHv3 " Peter Warasin
@ 2008-02-14 15:23 ` Pablo Neira Ayuso
2008-02-15 17:25 ` [PATCHv4 " Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-14 15:23 UTC (permalink / raw)
To: Peter Warasin; +Cc: Eric Leblond, netfilter-devel
Peter Warasin wrote:
> Eric Leblond wrote:
>> I did not drink coffee this morning, and thus I may be wrong, but it seems
>> you've sent the same patch as yesterday. KEY_ARP_SPA is still of type RAW
>> for example. The other patch seems also unchanged.
>>
>
> Oh my. I think it was too late yesterday. Took the
> wrong directory :/
>
> Here is the correct patch attached.
> I hope so, did not drink coffee either :)
Hm, I get these warnings with your patch:
ulogd_raw2packet_BASE.c: In function '_interp_arp':
ulogd_raw2packet_BASE.c:899: warning: assignment makes integer from
pointer without a cast
ulogd_raw2packet_BASE.c:904: warning: assignment makes integer from
pointer without a cast
> + ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
> + SET_VALID(ret[KEY_ARP_SHA]);
> + ret[KEY_ARP_SPA].u.value.ui32 = &arph->arp_spa;
> + SET_VALID(ret[KEY_ARP_SPA]);
> +
> + ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
> + SET_VALID(ret[KEY_ARP_THA]);
> + ret[KEY_ARP_TPA].u.value.ui32 = &arph->arp_tpa;
> + SET_VALID(ret[KEY_ARP_TPA]);
Now arp_spa and arp_tpa use ptr instead of ui32. Please, clarify.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
* [PATCHv4 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-14 15:23 ` Pablo Neira Ayuso
@ 2008-02-15 17:25 ` Peter Warasin
2008-02-15 17:39 ` Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-15 17:25 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Leblond, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 337 bytes --]
Hi Pablo
Pablo Neira Ayuso wrote:
> Hm, I get this warnings with your patch:
>
Fixed it (added casts) within the attached patch.
> Now arp_spa and arp_tpa use ptr instead of ui32. Please, clarify
I changed to ui32, since ip_addr is ui32, but the arp ip fields
are ui8[4].
I think ui32 should be correct with the casts now.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE.patch --]
[-- Type: text/x-patch, Size: 5007 bytes --]
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to the
ulogd_raw2packet_BASE plugin, which allows logging
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++-
1 file changed, 125 insertions(+), 2 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-13 23:58:17.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-15 18:17:07.000000000 +0100
@@ -10,6 +10,7 @@
* o UDP header
* o ICMP header
* o AH/ESP header
+ * o ARP header
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
@@ -42,11 +43,13 @@
#include <netinet/udp.h>
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+#include <netinet/if_ether.h>
enum input_keys {
INKEY_RAW_PCKT,
INKEY_RAW_PCKTLEN,
INKEY_OOB_FAMILY,
+ INKEY_OOB_PROTOCOL,
};
enum output_keys {
@@ -101,6 +104,14 @@
KEY_ICMPV6_ECHOSEQ,
KEY_ICMPV6_CSUM,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
};
static struct ulogd_key iphdr_rets[] = {
@@ -455,7 +466,46 @@
.flags = ULOGD_RETF_NONE,
.name = "ahesp.spi",
},
-
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
+ [KEY_ARP_HTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.hwtype",
+ },
+ [KEY_ARP_PTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.protocoltype",
+ },
+ [KEY_ARP_OPCODE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.operation",
+ },
+ [KEY_ARP_SHA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.shwaddr",
+ },
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_THA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.dhwaddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
/***********************************************************************
@@ -825,16 +875,84 @@
return 0;
}
+/***********************************************************************
+ * ARP HEADER
+ ***********************************************************************/
+static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct ether_arp *arph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+
+ if (len < sizeof(struct ether_arp))
+ return 0;
+
+ ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd);
+ SET_VALID(ret[KEY_ARP_HTYPE]);
+ ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro);
+ SET_VALID(ret[KEY_ARP_PTYPE]);
+ ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op);
+ SET_VALID(ret[KEY_ARP_OPCODE]);
+
+ ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
+ SET_VALID(ret[KEY_ARP_SHA]);
+ ret[KEY_ARP_SPA].u.value.ui32 = (u_int32_t)arph->arp_spa;
+ SET_VALID(ret[KEY_ARP_SPA]);
+
+ ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
+ SET_VALID(ret[KEY_ARP_THA]);
+ ret[KEY_ARP_TPA].u.value.ui32 = (u_int32_t)arph->arp_tpa;
+ SET_VALID(ret[KEY_ARP_TPA]);
+
+ return 0;
+}
+
+/***********************************************************************
+ * ETHER HEADER
+ ***********************************************************************/
+
+static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct sk_buff *skb =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+ const u_int16_t proto =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+
+ switch (proto) {
+ case ETH_P_IP:
+ _interp_iphdr(pi, len);
+ break;
+ case ETH_P_IPV6:
+ _interp_ipv6hdr(pi, len);
+ break;
+ case ETH_P_ARP:
+ _interp_arp(pi, len);
+ break;
+ /* ETH_P_8021Q ?? others? */
+ };
+
+ return 0;
+}
+
+
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
+ struct ulogd_key *ret = pi->output.keys;
+
+ ret[KEY_OOB_PROTOCOL].u.value.ui16 =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+ SET_VALID(ret[KEY_OOB_PROTOCOL]);
switch (family) {
case AF_INET:
return _interp_iphdr(pi, len);
case AF_INET6:
return _interp_ipv6hdr(pi, len);
+ case AF_BRIDGE:
+ return _interp_bridge(pi, len);
}
return 0;
}
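Review bot: `(u_int32_t)arph->arp_spa` does not convert the address bytes; `arp_spa` is `u_int8_t[4]`, which decays to a pointer, so the cast stores the (truncated) address of the field in the key and merely silences the warning, and the logged ARP addresses will be garbage. Copy the four bytes instead, for both arp_spa and arp_tpa, with `#include <string.h>`:

	memcpy(&ret[KEY_ARP_SPA].u.value.ui32, arph->arp_spa, sizeof(u_int32_t));

This keeps the address in network byte order, which is what inet_ntop(AF_INET, ...) expects.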
@@ -859,7 +977,12 @@
{
.type = ULOGD_RET_UINT8,
.name = "oob.family",
- }
+ },
+ {
+ .type = ULOGD_RET_UINT16,
+ .name = "oob.protocol",
+ },
+
};
static struct ulogd_plugin base_plugin = {
* Re: [PATCHv4 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-15 17:25 ` [PATCHv4 " Peter Warasin
@ 2008-02-15 17:39 ` Peter Warasin
2008-02-16 0:25 ` [PATCHv5 " Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-15 17:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Leblond, netfilter-devel
Hi guys
Peter Warasin wrote:
> I changed to ui32, since ip_addr is ui32, but the arp ip fields
> are ui8[4].
> I think ui32 should be correct with the casts now.
I was too fast posting the patch. Sorry
The patch does not work anymore for me.
I will debug it and resend it later.
peter
* [PATCHv5 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-15 17:39 ` Peter Warasin
@ 2008-02-16 0:25 ` Peter Warasin
2008-02-19 0:58 ` Pablo Neira Ayuso
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-16 0:25 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Leblond, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 426 bytes --]
Hi
Ok, now it is fixed and works for me
Made some confusion because I changed that type.
Please don't slap me :)
During tests I found another bug in IP2STR. The for loop goes only
until MAX_KEY-1, but should include MAX_KEY; otherwise it will not print
out the last key (in this case the destination ip address of the arp
packet).
It clashes with my patch 4, so i will resend that patch, too,
including the bugfix.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE.patch --]
[-- Type: text/x-patch, Size: 5084 bytes --]
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to the
ulogd_raw2packet_BASE plugin, which allows logging
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/raw2packet/ulogd_raw2packet_BASE.c | 132 +++++++++++++++++++++++++++++-
1 file changed, 130 insertions(+), 2 deletions(-)
Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c
===================================================================
--- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-16 01:12:59.000000000 +0100
+++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-16 01:14:27.000000000 +0100
@@ -10,6 +10,7 @@
* o UDP header
* o ICMP header
* o AH/ESP header
+ * o ARP header
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
@@ -42,11 +43,14 @@
#include <netinet/udp.h>
#include <ulogd/ulogd.h>
#include <ulogd/ipfix_protocol.h>
+#include <netinet/if_ether.h>
+#include <string.h>
enum input_keys {
INKEY_RAW_PCKT,
INKEY_RAW_PCKTLEN,
INKEY_OOB_FAMILY,
+ INKEY_OOB_PROTOCOL,
};
enum output_keys {
@@ -101,6 +105,14 @@
KEY_ICMPV6_ECHOSEQ,
KEY_ICMPV6_CSUM,
KEY_AHESP_SPI,
+ KEY_OOB_PROTOCOL,
+ KEY_ARP_HTYPE,
+ KEY_ARP_PTYPE,
+ KEY_ARP_OPCODE,
+ KEY_ARP_SHA,
+ KEY_ARP_SPA,
+ KEY_ARP_THA,
+ KEY_ARP_TPA,
};
static struct ulogd_key iphdr_rets[] = {
@@ -455,7 +467,46 @@
.flags = ULOGD_RETF_NONE,
.name = "ahesp.spi",
},
-
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
+ [KEY_ARP_HTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.hwtype",
+ },
+ [KEY_ARP_PTYPE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.protocoltype",
+ },
+ [KEY_ARP_OPCODE] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.operation",
+ },
+ [KEY_ARP_SHA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.shwaddr",
+ },
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_THA] = {
+ .type = ULOGD_RET_RAW,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.dhwaddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
/***********************************************************************
@@ -825,16 +876,88 @@
return 0;
}
+/***********************************************************************
+ * ARP HEADER
+ ***********************************************************************/
+static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct ether_arp *arph =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+
+ if (len < sizeof(struct ether_arp))
+ return 0;
+
+ ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd);
+ SET_VALID(ret[KEY_ARP_HTYPE]);
+ ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro);
+ SET_VALID(ret[KEY_ARP_PTYPE]);
+ ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op);
+ SET_VALID(ret[KEY_ARP_OPCODE]);
+
+ ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;
+ SET_VALID(ret[KEY_ARP_SHA]);
+
+ memcpy(&ret[KEY_ARP_SPA].u.value.ui32, &arph->arp_spa,
+ sizeof(u_int32_t));
+ SET_VALID(ret[KEY_ARP_SPA]);
+
+ ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha;
+ SET_VALID(ret[KEY_ARP_THA]);
+
+ memcpy(&ret[KEY_ARP_TPA].u.value.ui32, &arph->arp_tpa,
+ sizeof(u_int32_t));
+ SET_VALID(ret[KEY_ARP_TPA]);
+
+ return 0;
+}
+
+/***********************************************************************
+ * ETHER HEADER
+ ***********************************************************************/
+
+static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ const struct sk_buff *skb =
+ GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr;
+ const u_int16_t proto =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+
+ switch (proto) {
+ case ETH_P_IP:
+ _interp_iphdr(pi, len);
+ break;
+ case ETH_P_IPV6:
+ _interp_ipv6hdr(pi, len);
+ break;
+ case ETH_P_ARP:
+ _interp_arp(pi, len);
+ break;
+ /* ETH_P_8021Q ?? others? */
+ };
+
+ return 0;
+}
+
+
static int _interp_pkt(struct ulogd_pluginstance *pi)
{
u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32;
u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8;
+ struct ulogd_key *ret = pi->output.keys;
+
+ ret[KEY_OOB_PROTOCOL].u.value.ui16 =
+ GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16;
+ SET_VALID(ret[KEY_OOB_PROTOCOL]);
switch (family) {
case AF_INET:
return _interp_iphdr(pi, len);
case AF_INET6:
return _interp_ipv6hdr(pi, len);
+ case AF_BRIDGE:
+ return _interp_bridge(pi, len);
}
return 0;
}
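Review bot: `_interp_pkt()` still copies INKEY_OOB_PROTOCOL into KEY_OOB_PROTOCOL and marks it valid without a `pp_is_valid()` check, and `_interp_bridge()` still declares `ret` and `skb` (a kernel `struct sk_buff`) without using either; both should go before this is applied. The memcpy() into `u.value.ui32` is the right fix for arp_spa/arp_tpa and keeps the bytes in network order. `_interp_arp()` would still benefit from checking `arp_hrd`, `arp_pro`, `arp_hln` and `arp_pln` (Ethernet, ETH_P_IP, 6 and 4) before treating the payload as Ethernet/IPv4, since the length check alone accepts any hardware and protocol type.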
@@ -859,7 +982,12 @@
{
.type = ULOGD_RET_UINT8,
.name = "oob.family",
- }
+ },
+ {
+ .type = ULOGD_RET_UINT16,
+ .name = "oob.protocol",
+ },
+
};
static struct ulogd_plugin base_plugin = {
* [PATCHv4 4/5] adds AF_BRIDGE support to IP2STR
2008-02-14 11:36 ` [PATCHv3 " Peter Warasin
@ 2008-02-16 0:25 ` Peter Warasin
2008-02-19 10:55 ` Pablo Neira Ayuso
0 siblings, 1 reply; 34+ messages in thread
From: Peter Warasin @ 2008-02-16 0:25 UTC (permalink / raw)
To: Eric Leblond, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 163 bytes --]
Hi
This is a resend with a bugfix included, which clashed, but it's needed
in order to make the output of arp destination ip addresses work
properly.
peter
[-- Attachment #2: ulogd2-PF_BRIDGE-IP2STR.patch --]
[-- Type: text/x-patch, Size: 4020 bytes --]
adds AF_BRIDGE support to IP2STR
This patch makes the ip address string converter AF_BRIDGE
compatible and adds ip address ARP keys in order to make
them convert as well.
Signed-off-by: Peter Warasin <peter@endian.com>
---
filter/ulogd_filter_IP2STR.c | 88 ++++++++++++++++++++++++++++++++++---------
1 file changed, 71 insertions(+), 17 deletions(-)
Index: ulogd2/filter/ulogd_filter_IP2STR.c
===================================================================
--- ulogd2.orig/filter/ulogd_filter_IP2STR.c 2008-02-16 00:39:16.000000000 +0100
+++ ulogd2/filter/ulogd_filter_IP2STR.c 2008-02-16 01:11:59.000000000 +0100
@@ -27,11 +27,13 @@
#include <string.h>
#include <arpa/inet.h>
#include <ulogd/ulogd.h>
+#include <netinet/if_ether.h>
#define IPADDR_LENGTH 128
enum input_keys {
KEY_OOB_FAMILY,
+ KEY_OOB_PROTOCOL,
KEY_IP_SADDR,
START_KEY = KEY_IP_SADDR,
KEY_IP_DADDR,
@@ -39,7 +41,9 @@
KEY_ORIG_IP_DADDR,
KEY_REPLY_IP_SADDR,
KEY_REPLY_IP_DADDR,
- MAX_KEY = KEY_REPLY_IP_DADDR,
+ KEY_ARP_SPA,
+ KEY_ARP_TPA,
+ MAX_KEY = KEY_ARP_TPA,
};
static struct ulogd_key ip2str_inp[] = {
@@ -48,6 +52,11 @@
.flags = ULOGD_RETF_NONE,
.name = "oob.family",
},
+ [KEY_OOB_PROTOCOL] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "oob.protocol",
+ },
[KEY_IP_SADDR] = {
.type = ULOGD_RET_IPADDR,
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
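Review bot: `[KEY_OOB_PROTOCOL]` is registered with `.flags = ULOGD_RETF_NONE` only, yet `ip2str()` later guards it with `pp_is_valid(inp, KEY_OOB_PROTOCOL)` and logs "No protocol inside AF_BRIDGE packet" when it is absent. The two are inconsistent: if the key is mandatory, every plugin that feeds IP2STR (not only BASE, which now emits `oob.protocol`) has to provide it; if it is only needed for `AF_BRIDGE`, add `ULOGD_KEYF_OPTIONAL` as `[KEY_IP_SADDR]` does and keep the runtime check.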
@@ -78,6 +87,16 @@
.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
.name = "reply.ip.daddr",
},
+ [KEY_ARP_SPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.saddr",
+ },
+ [KEY_ARP_TPA] = {
+ .type = ULOGD_RET_IPADDR,
+ .flags = ULOGD_RETF_NONE,
+ .name = "arp.daddr",
+ },
};
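Review bot: `[KEY_ARP_SPA]` and `[KEY_ARP_TPA]` are declared with `.flags = ULOGD_RETF_NONE`, while every IP key around them carries `ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL`. ARP addresses are only produced for `AF_BRIDGE` frames carrying `ETH_P_ARP`, so a plain IPv4 stack has no provider for `arp.saddr`/`arp.daddr`; mark both keys `ULOGD_KEYF_OPTIONAL` and let the loop's `pp_is_valid()` check decide per packet.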
static struct ulogd_key ip2str_keys[] = {
@@ -111,26 +130,62 @@
.flags = ULOGD_RETF_FREE,
.name = "reply.ip.daddr.str",
},
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.saddr.str",
+ },
+ {
+ .type = ULOGD_RET_STRING,
+ .flags = ULOGD_RETF_FREE,
+ .name = "arp.daddr.str",
+ },
};
-static char *ip2str(struct ulogd_key* inp, int index, char family)
+static char *ip2str(struct ulogd_key *inp, int index)
{
char tmp[IPADDR_LENGTH];
- switch (family) {
- case AF_INET6:
- inet_ntop(AF_INET6,
- &GET_VALUE(inp, index).ptr,
- tmp, sizeof(tmp));
+ char family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
+ char convfamily = family;
+
+ if (family == AF_BRIDGE) {
+ if (!pp_is_valid(inp, KEY_OOB_PROTOCOL)) {
+ ulogd_log(ULOGD_NOTICE,
+ "No protocol inside AF_BRIDGE packet\n");
+ return NULL;
+ }
+ switch (GET_VALUE(inp, KEY_OOB_PROTOCOL).ui16) {
+ case ETH_P_IPV6:
+ convfamily = AF_INET6;
+ break;
+ case ETH_P_IP:
+ convfamily = AF_INET;
break;
- case AF_INET:
- inet_ntop(AF_INET,
- &GET_VALUE(inp, index).ui32,
- tmp, sizeof(tmp));
+ case ETH_P_ARP:
+ convfamily = AF_INET;
break;
default:
- /* TODO error handling */
- ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
+ ulogd_log(ULOGD_NOTICE,
+ "Unknown protocol inside AF_BRIDGE packet\n");
return NULL;
+ }
+ }
+
+ switch (convfamily) {
+ case AF_INET6:
+ inet_ntop(AF_INET6,
+ &GET_VALUE(inp, index).ptr,
+ tmp, sizeof(tmp));
+ break;
+ case AF_INET:
+ inet_ntop(AF_INET,
+ &GET_VALUE(inp, index).ui32,
+ tmp, sizeof(tmp));
+ break;
+ default:
+ /* TODO error handling */
+ ulogd_log(ULOGD_NOTICE, "Unknown protocol family\n");
+ return NULL;
}
return strdup(tmp);
}
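Review bot: the `AF_INET6` arm passes `&GET_VALUE(inp, index).ptr` to `inet_ntop()`, i.e. the address of the pointer member rather than the buffer it points to. This was moved from the old code rather than introduced here, but the BASE hunk above stores pointers to header fields in `.ptr` (`ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha;`), so if IPv6 addresses are delivered the same way the argument should be `GET_VALUE(inp, index).ptr`. Two smaller points: `family` and `convfamily` are `char` although `oob.family` is a `ULOGD_RET_UINT8` key, so `u_int8_t` fits better; and the `case ETH_P_ARP: convfamily = AF_INET;` mapping is only right because the `arp.saddr`/`arp.daddr` inputs are 4-byte `ULOGD_RET_IPADDR` keys, which deserves a comment at that `case`.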
@@ -140,13 +195,12 @@
struct ulogd_key *ret = pi->output.keys;
struct ulogd_key *inp = pi->input.keys;
int i;
- int oob_family = GET_VALUE(inp, KEY_OOB_FAMILY).ui8;
/* Iter on all addr fields */
- for(i = START_KEY; i < MAX_KEY; i++) {
+ for (i = START_KEY; i <= MAX_KEY; i++) {
if (pp_is_valid(inp, i)) {
- ret[i-1].u.value.ptr = ip2str(inp, i, oob_family);
- ret[i-1].flags |= ULOGD_RETF_VALID;
+ ret[i-START_KEY].u.value.ptr = ip2str(inp, i);
+ ret[i-START_KEY].flags |= ULOGD_RETF_VALID;
}
}
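Review bot: `ip2str()` returns `NULL` on each of its error paths ("No protocol inside AF_BRIDGE packet", unknown protocol, unknown family), but the loop stores the result and sets `ULOGD_RETF_VALID` unconditionally, so downstream plugins see a valid string key holding `NULL`. Guard it: `char *s = ip2str(inp, i);` then `if (s) { ret[i-START_KEY].u.value.ptr = s; ret[i-START_KEY].flags |= ULOGD_RETF_VALID; }`. The `i <= MAX_KEY` change itself is correct and matches the last-key bug described in the thread.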
* Re: [PATCHv5 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-16 0:25 ` [PATCHv5 " Peter Warasin
@ 2008-02-19 0:58 ` Pablo Neira Ayuso
2008-02-19 10:53 ` Peter Warasin
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-19 0:58 UTC (permalink / raw)
To: Peter Warasin; +Cc: Eric Leblond, netfilter-devel
Peter Warasin wrote:
> Ok, now it is fixed and works for me.
> That caused some confusion because I changed that type.
> Please don't slap me :)
Finally applied.
> During tests I found another bug in IP2STR. The for loop goes only
> until MAX_KEY-1, but should include MAX_KEY, otherwise it will not print
> out the last key (in this case the destination ip address of the arp
> packet).
>
> It clashes with my patch 4, so I will resend that patch, too,
> including the bugfix.
OK, wait for that patch. Thanks Peter.
--
"Honest people are social misfits" -- Les Luthiers
* [PATCH 1/2] Add IPv6 support
[not found] ` <1202846691.2901.16.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
@ 2008-02-19 1:50 ` Tseng, Kuo-Lang
2008-02-19 18:24 ` [Ebtables-devel] " Tseng, Kuo-Lang
0 siblings, 1 reply; 34+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-19 1:50 UTC (permalink / raw)
To: ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
Cc: Bart De Schuymer, netfilter-devel-u79uwXL29TY76Z2rM5mHXA
This is the userspace ebtables patch that implements IPv6 header field
checking and parsing.
Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
diff -urNp ebtables-v2.0.8-2.orig/ebtables.8
ebtables-v2.0.8-2.ipv6/ebtables.8
--- ebtables-v2.0.8-2.orig/ebtables.8 2007-09-21 10:27:20.000000000
-0700
+++ ebtables-v2.0.8-2.ipv6/ebtables.8 2008-02-18 15:40:31.000000000
-0800
@@ -652,6 +652,54 @@ If
The flag
.B --ip-dport
is an alias for this option.
+.SS ipv6
+Specify IPv6 fields. The protocol must be specified as
+.IR IPv6 .
+.TP
+.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
+The source IPv6 address.
+The flag
+.B --ip6-src
+is an alias for this option.
+.TP
+.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination IPv6 address.
+The flag
+.B --ip6-dst
+is an alias for this option.
+.TP
+.BR "--ip6-tclass " "[!] \fItclass\fP"
+The IPv6 traffic class, in hexadecimal numbers.
+.TP
+.BR "--ip6-protocol " "[!] \fIprotocol\fP"
+The IP protocol.
+The flag
+.B --ip6-proto
+is an alias for this option.
+.TP
+.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The source port or port range for the IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted
but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-sport
+is an alias for this option.
+.TP
+.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The destination port or port range for IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted
but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-dport
+is an alias for this option.
.SS limit
This module matches at a limited rate using a token bucket filter.
A rule using this extension will match until this limit is reached.
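Review bot: the new `.SS ipv6` section documents `--ip6-tclass` only, but `opts[]` in `ebt_ip6.c` also registers `--ip6-traffic-class` as the long form; document it the way `--ip6-source`/`--ip6-src` are paired (a `.BR "--ip6-traffic-class "` entry with `--ip6-tclass` listed as the alias). The port option text correctly lists TCP, UDP, DCCP and SCTP, whereas `print_help()` in `ebt_ip6.c` still says "tcp/udp"; the two should agree.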
@@ -800,6 +848,11 @@ to be printed at the beginning of the li
Will log the ip information when a frame made by the ip protocol
matches
the rule. The default is no ip information logging.
.TP
+.B --log-ip6
+.br
+Will log the ipv6 information when a frame made by the ipv6 protocol
matches
+the rule. The default is no ipv6 information logging.
+.TP
.B --log-arp
.br
Will log the (r)arp information when a frame made by the (r)arp
protocols
diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c
ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c
--- ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c 1969-12-31
16:00:00.000000000 -0800
+++ ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c 2008-02-18
15:24:21.000000000 -0800
@@ -0,0 +1,339 @@
+/* ebt_ip6
+ *
+ * Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ * Manohar Castelino <manohar.castelino-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+ *
+ * Summary:
+ * This is just a modification of the IPv4 code written by
+ * Bart De Schuymer <bdschuym-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org>
+ * with the changes required to support IPv6
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <netdb.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_ip6.h>
+
+
+
+#define IP_SOURCE '1'
+#define IP_DEST '2'
+#define IP_TCLASS '3'
+#define IP_PROTO '4'
+#define IP_SPORT '5'
+#define IP_DPORT '6'
+
+static struct option opts[] =
+{
+ { "ip6-source" , required_argument, 0, IP_SOURCE },
+ { "ip6-src" , required_argument, 0, IP_SOURCE },
+ { "ip6-destination" , required_argument, 0, IP_DEST },
+ { "ip6-dst" , required_argument, 0, IP_DEST },
+ { "ip6-traffic-class" , required_argument, 0, IP_TCLASS },
+ { "ip6-tclass" , required_argument, 0, IP_TCLASS },
+ { "ip6-protocol" , required_argument, 0, IP_PROTO },
+ { "ip6-proto" , required_argument, 0, IP_PROTO },
+ { "ip6-source-port" , required_argument, 0, IP_SPORT },
+ { "ip6-sport" , required_argument, 0, IP_SPORT },
+ { "ip6-destination-port" , required_argument, 0, IP_DPORT },
+ { "ip6-dport" , required_argument, 0, IP_DPORT },
+ { 0 }
+};
+
+/* transform a protocol and service name into a port number */
+static uint16_t parse_port(const char *protocol, const char *name)
+{
+ struct servent *service;
+ char *end;
+ int port;
+
+ port = strtol(name, &end, 10);
+ if (*end != '\0') {
+ if (protocol &&
+ (service = getservbyname(name, protocol)) != NULL)
+ return ntohs(service->s_port);
+ }
+ else if (port >= 0 || port <= 0xFFFF) {
+ return port;
+ }
+ ebt_print_error("Problem with specified %s port '%s'",
+ protocol?protocol:"", name);
+ return 0;
+}
+
+static void
+parse_port_range(const char *protocol, const char *portstring, uint16_t
*ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = parse_port(protocol, buffer);
+ else {
+ *cp = '\0';
+ cp++;
+ ports[0] = buffer[0] ? parse_port(protocol, buffer) : 0;
+ if (ebt_errormsg[0] != '\0')
+ return;
+ ports[1] = cp[0] ? parse_port(protocol, cp) : 0xFFFF;
+ if (ebt_errormsg[0] != '\0')
+ return;
+
+ if (ports[0] > ports[1])
+ ebt_print_error("Invalid portrange (min >
max)");
+ }
+ free(buffer);
+}
+
+static void print_port_range(uint16_t *ports)
+{
+ if (ports[0] == ports[1])
+ printf("%d ", ports[0]);
+ else
+ printf("%d:%d ", ports[0], ports[1]);
+}
+
+static void print_help()
+{
+ printf(
+"ip6 options:\n"
+"--ip6-src [!] address[/mask]: ipv6 source specification\n"
+"--ip6-dst [!] address[/mask]: ipv6 destination specification\n"
+"--ip6-tclass [!] tclass : ipv6 traffic class specification\n"
+"--ip6-proto [!] protocol : ipv6 protocol specification\n"
+"--ip6-sport [!] port[:port] : tcp/udp source port or port range\n"
+"--ip6-dport [!] port[:port] : tcp/udp destination port or port
range\n");
+}
+
+static void init(struct ebt_entry_match *match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info
*)match->data;
+
+ ipinfo->invflags = 0;
+ ipinfo->bitmask = 0;
+}
+
+#define OPT_SOURCE 0x01
+#define OPT_DEST 0x02
+#define OPT_TCLASS 0x04
+#define OPT_PROTO 0x08
+#define OPT_SPORT 0x10
+#define OPT_DPORT 0x20
+static int parse(int c, char **argv, int argc, const struct ebt_u_entry
*entry,
+ unsigned int *flags, struct ebt_entry_match **match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info
*)(*match)->data;
+ char *end;
+ long int i;
+
+ switch (c) {
+ case IP_SOURCE:
+ ebt_check_option2(flags, OPT_SOURCE);
+ ipinfo->bitmask |= EBT_IP6_SOURCE;
+ if (ebt_check_inverse2(optarg)) {
+ ipinfo->invflags |= EBT_IP6_SOURCE;
+ }
+ ebt_parse_ip6_address(optarg, &ipinfo->saddr,
&ipinfo->smsk);
+ break;
+
+ case IP_DEST:
+ ebt_check_option2(flags, OPT_DEST);
+ ipinfo->bitmask |= EBT_IP6_DEST;
+ if (ebt_check_inverse2(optarg)) {
+ ipinfo->invflags |= EBT_IP6_DEST;
+ }
+ ebt_parse_ip6_address(optarg, &ipinfo->daddr,
&ipinfo->dmsk);
+ break;
+
+ case IP_SPORT:
+ case IP_DPORT:
+ if (c == IP_SPORT) {
+ ebt_check_option2(flags, OPT_SPORT);
+ ipinfo->bitmask |= EBT_IP6_SPORT;
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_SPORT;
+ } else {
+ ebt_check_option2(flags, OPT_DPORT);
+ ipinfo->bitmask |= EBT_IP6_DPORT;
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_DPORT;
+ }
+ if (c == IP_SPORT)
+ parse_port_range(NULL, optarg, ipinfo->sport);
+ else
+ parse_port_range(NULL, optarg, ipinfo->dport);
+ break;
+
+ case IP_TCLASS:
+ ebt_check_option2(flags, OPT_TCLASS);
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_TCLASS;
+ i = strtol(optarg, &end, 16);
+ if (i < 0 || i > 255 || *end != '\0')
+ ebt_print_error2("Problem with specified IPv6
traffic class");
+ ipinfo->tclass = i;
+ ipinfo->bitmask |= EBT_IP6_TCLASS;
+ break;
+
+ case IP_PROTO:
+ ebt_check_option2(flags, OPT_PROTO);
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_PROTO;
+ i = strtoul(optarg, &end, 10);
+ if (*end != '\0') {
+ struct protoent *pe;
+
+ pe = getprotobyname(optarg);
+ if (pe == NULL)
+ ebt_print_error("Unknown specified IP
protocol - %s", argv[optind - 1]);
+ ipinfo->protocol = pe->p_proto;
+ } else {
+ ipinfo->protocol = (unsigned char) i;
+ }
+ ipinfo->bitmask |= EBT_IP6_PROTO;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hookmask, unsigned int time)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info
*)match->data;
+
+ if (entry->ethproto != ETH_P_IPV6 || entry->invflags &
EBT_IPROTO) {
+ ebt_print_error("For IPv6 filtering the protocol must be
"
+ "specified as IPv6");
+ } else if (ipinfo->bitmask & (EBT_IP6_SPORT|EBT_IP6_DPORT) &&
+ (!(ipinfo->bitmask & EBT_IP6_PROTO) ||
+ ipinfo->invflags & EBT_IP6_PROTO ||
+ (ipinfo->protocol!=IPPROTO_TCP &&
+ ipinfo->protocol!=IPPROTO_UDP &&
+ ipinfo->protocol!=IPPROTO_SCTP &&
+ ipinfo->protocol!=IPPROTO_DCCP)))
+ ebt_print_error("For port filtering the IP protocol must
be "
+ "either 6 (tcp), 17 (udp), 33 (dccp) or
"
+ "132 (sctp)");
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info
*)match->data;
+
+ if (ipinfo->bitmask & EBT_IP6_SOURCE) {
+ printf("--ip6-src ");
+ if (ipinfo->invflags & EBT_IP6_SOURCE)
+ printf("! ");
+ printf("%s", ebt_ip6_to_numeric(&ipinfo->saddr));
+ printf("/%s ", ebt_ip6_to_numeric(&ipinfo->smsk));
+ }
+ if (ipinfo->bitmask & EBT_IP6_DEST) {
+ printf("--ip6-dst ");
+ if (ipinfo->invflags & EBT_IP6_DEST)
+ printf("! ");
+ printf("%s", ebt_ip6_to_numeric(&ipinfo->daddr));
+ printf("/%s ", ebt_ip6_to_numeric(&ipinfo->dmsk));
+ }
+ if (ipinfo->bitmask & EBT_IP6_TCLASS) {
+ printf("--ip6-tclass ");
+ if (ipinfo->invflags & EBT_IP6_TCLASS)
+ printf("! ");
+ printf("0x%02X ", ipinfo->tclass);
+ }
+ if (ipinfo->bitmask & EBT_IP6_PROTO) {
+ struct protoent *pe;
+
+ printf("--ip6-proto ");
+ if (ipinfo->invflags & EBT_IP6_PROTO)
+ printf("! ");
+ pe = getprotobynumber(ipinfo->protocol);
+ if (pe == NULL) {
+ printf("%d ", ipinfo->protocol);
+ } else {
+ printf("%s ", pe->p_name);
+ }
+ }
+ if (ipinfo->bitmask & EBT_IP6_SPORT) {
+ printf("--ip6-sport ");
+ if (ipinfo->invflags & EBT_IP6_SPORT)
+ printf("! ");
+ print_port_range(ipinfo->sport);
+ }
+ if (ipinfo->bitmask & EBT_IP6_DPORT) {
+ printf("--ip6-dport ");
+ if (ipinfo->invflags & EBT_IP6_DPORT)
+ printf("! ");
+ print_port_range(ipinfo->dport);
+ }
+}
+
+static int compare(const struct ebt_entry_match *m1,
+ const struct ebt_entry_match *m2)
+{
+ struct ebt_ip6_info *ipinfo1 = (struct ebt_ip6_info *)m1->data;
+ struct ebt_ip6_info *ipinfo2 = (struct ebt_ip6_info *)m2->data;
+
+ if (ipinfo1->bitmask != ipinfo2->bitmask)
+ return 0;
+ if (ipinfo1->invflags != ipinfo2->invflags)
+ return 0;
+ if (ipinfo1->bitmask & EBT_IP6_SOURCE) {
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->saddr,
&ipinfo2->saddr))
+ return 0;
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->smsk, &ipinfo2->smsk))
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_DEST) {
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->daddr,
&ipinfo2->daddr))
+ return 0;
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->dmsk, &ipinfo2->dmsk))
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_TCLASS) {
+ if (ipinfo1->tclass != ipinfo2->tclass)
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_PROTO) {
+ if (ipinfo1->protocol != ipinfo2->protocol)
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_SPORT) {
+ if (ipinfo1->sport[0] != ipinfo2->sport[0] ||
+ ipinfo1->sport[1] != ipinfo2->sport[1])
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_DPORT) {
+ if (ipinfo1->dport[0] != ipinfo2->dport[0] ||
+ ipinfo1->dport[1] != ipinfo2->dport[1])
+ return 0;
+ }
+ return 1;
+}
+
+static struct ebt_u_match ip6_match =
+{
+ .name = EBT_IP6_MATCH,
+ .size = sizeof(struct ebt_ip6_info),
+ .help = print_help,
+ .init = init,
+ .parse = parse,
+ .final_check = final_check,
+ .print = print,
+ .compare = compare,
+ .extra_ops = opts,
+};
+
+void _init(void)
+{
+ ebt_register_match(&ip6_match);
+}
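Review bot: in `parse_port()` the range test `port >= 0 || port <= 0xFFFF` is always true, so negative or out-of-range numeric ports are accepted and silently truncated to `uint16_t`; it must be `&&`. `parse_port_range()` returns on both `ebt_errormsg[0] != '\0'` paths without freeing `buffer`, leaking the `strdup()` copy; `free(buffer)` before each return or jump to a common exit. In the `IP_PROTO` case, `ebt_print_error("Unknown specified IP protocol ...")` is followed unconditionally by `ipinfo->protocol = pe->p_proto;`, which dereferences `NULL` when the name lookup failed; either return after the error or use `ebt_print_error2` as the `IP_TCLASS` case does. Finally, `print_help()` describes `--ip6-sport`/`--ip6-dport` as "tcp/udp" only, while `final_check()` also accepts DCCP and SCTP.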
diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_log.c
ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c
--- ebtables-v2.0.8-2.orig/extensions/ebt_log.c 2007-09-21
10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c 2008-01-30
17:22:56.000000000 -0800
@@ -60,6 +60,7 @@ static int name_to_loglevel(char* arg)
#define LOG_ARP '3'
#define LOG_IP '4'
#define LOG_LOG '5'
+#define LOG_IP6 '6'
static struct option opts[] =
{
{ "log-prefix", required_argument, 0, LOG_PREFIX },
@@ -67,6 +68,7 @@ static struct option opts[] =
{ "log-arp" , no_argument , 0, LOG_ARP },
{ "log-ip" , no_argument , 0, LOG_IP },
{ "log" , no_argument , 0, LOG_LOG },
+ { "log-ip6" , no_argument , 0, LOG_IP6 },
{ 0 }
};
@@ -81,6 +83,7 @@ static void print_help()
"--log-prefix prefix : max. %d chars.\n"
"--log-ip : put ip info. in the log for ip packets\n"
"--log-arp : put (r)arp info. in the log for (r)arp
packets\n"
+"--log-ip6 : put ip6 info. in the log for ip6 packets\n"
, EBT_LOG_PREFIX_SIZE - 1);
printf("levels:\n");
for (i = 0; i < 8; i++)
@@ -102,6 +105,7 @@ static void init(struct ebt_entry_watche
#define OPT_ARP 0x04
#define OPT_IP 0x08
#define OPT_LOG 0x10
+#define OPT_IP6 0x20
static int parse(int c, char **argv, int argc, const struct ebt_u_entry
*entry,
unsigned int *flags, struct ebt_entry_watcher **watcher)
{
@@ -151,6 +155,13 @@ static int parse(int c, char **argv, int
if (ebt_check_inverse(optarg))
ebt_print_error2("Unexpected `!' after --log");
break;
+
+ case LOG_IP6:
+ ebt_check_option2(flags, OPT_IP6);
+ if (ebt_check_inverse(optarg))
+ ebt_print_error2("Unexpected `!' after
--log-ip6");
+ loginfo->bitmask |= EBT_LOG_IP6;
+ break;
default:
return 0;
}
@@ -175,6 +186,8 @@ static void print(const struct ebt_u_ent
printf(" --log-ip");
if (loginfo->bitmask & EBT_LOG_ARP)
printf(" --log-arp");
+ if (loginfo->bitmask & EBT_LOG_IP6)
+ printf(" --log-ip6");
printf(" ");
}
diff -urNp ebtables-v2.0.8-2.orig/extensions/Makefile
ebtables-v2.0.8-2.ipv6/extensions/Makefile
--- ebtables-v2.0.8-2.orig/extensions/Makefile 2007-09-21
10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/extensions/Makefile 2008-01-11
19:41:47.000000000 -0800
@@ -1,6 +1,6 @@
#! /usr/bin/make
-EXT_FUNC+=802_3 nat arp arpreply ip standard log redirect vlan mark_m
mark \
+EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan
mark_m mark \
pkttype stp among limit ulog
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
diff -urNp ebtables-v2.0.8-2.orig/include/ebtables_u.h
ebtables-v2.0.8-2.ipv6/include/ebtables_u.h
--- ebtables-v2.0.8-2.orig/include/ebtables_u.h 2007-09-21
10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/include/ebtables_u.h 2008-02-15
11:43:06.000000000 -0800
@@ -297,6 +297,10 @@ void ebt_print_mac_and_mask(const unsign
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned
char *mask);
void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t
*msk);
char *ebt_mask_to_dotted(uint32_t mask);
+void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
+ struct in6_addr
*msk);
+char *ebt_ip6_to_numeric(const struct in6_addr *addrp);
+
int do_command(int argc, char *argv[], int exec_style,
struct ebt_u_replace *replace_);
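Review bot: the new prototypes use `struct in6_addr`, but the hunk adds no `#include <netinet/in.h>`, so the header now compiles only for translation units that happen to include it first (`ebt_ip6.c` gets it indirectly through `<netdb.h>`); include it here. Also, `string_to_number()`, `string_to_number_l()` and `string_to_number_ll()` are defined with external linkage in `useful_functions.c` but are not declared in this header; either declare them next to `ebt_parse_ip6_address()` or make them `static`.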
diff -urNp ebtables-v2.0.8-2.orig/useful_functions.c
ebtables-v2.0.8-2.ipv6/useful_functions.c
--- ebtables-v2.0.8-2.orig/useful_functions.c 2007-09-21
10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/useful_functions.c 2008-02-18
15:20:52.000000000 -0800
@@ -29,6 +29,10 @@
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
const unsigned char mac_type_unicast[ETH_ALEN] = {0,0,0,0,0,0};
const unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0};
@@ -244,6 +248,7 @@ void ebt_parse_ip_address(char *address,
*addr = *addr & *msk;
}
+
/* Transform the ip mask into a string ready for output. */
char *ebt_mask_to_dotted(uint32_t mask)
{
@@ -276,3 +281,134 @@ char *ebt_mask_to_dotted(uint32_t mask)
return buf;
}
+
+/* Most of the following code is derived from iptables */
+static void
+in6addrcpy(struct in6_addr *dst, struct in6_addr *src)
+{
+ memcpy(dst, src, sizeof(struct in6_addr));
+}
+
+int string_to_number_ll(const char *s, unsigned long long min,
+ unsigned long long max, unsigned long long *ret)
+{
+ unsigned long long number;
+ char *end;
+
+ /* Handle hex, octal, etc. */
+ errno = 0;
+ number = strtoull(s, &end, 0);
+ if (*end == '\0' && end != s) {
+ /* we parsed a number, let's see if we want this */
+ if (errno != ERANGE && min <= number && (!max || number <=
max)) {
+ *ret = number;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int string_to_number_l(const char *s, unsigned long min, unsigned long
max,
+ unsigned long *ret)
+{
+ int result;
+ unsigned long long number;
+
+ result = string_to_number_ll(s, min, max, &number);
+ *ret = (unsigned long)number;
+
+ return result;
+}
+
+int string_to_number(const char *s, unsigned int min, unsigned int max,
+ unsigned int *ret)
+{
+ int result;
+ unsigned long number;
+
+ result = string_to_number_l(s, min, max, &number);
+ *ret = (unsigned int)number;
+
+ return result;
+}
+
+static struct in6_addr *
+numeric_to_addr(const char *num)
+{
+ static struct in6_addr ap;
+ int err;
+ if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ return ≈
+ return (struct in6_addr *)NULL;
+}
+
+static struct in6_addr *
+parse_ip6_mask(char *mask)
+{
+ static struct in6_addr maskaddr;
+ struct in6_addr *addrp;
+ unsigned int bits;
+
+ if (mask == NULL) {
+ /* no mask at all defaults to 128 bits */
+ memset(&maskaddr, 0xff, sizeof maskaddr);
+ return &maskaddr;
+ }
+ if ((addrp = numeric_to_addr(mask)) != NULL)
+ return addrp;
+ if (string_to_number(mask, 0, 128, &bits) == -1)
+ ebt_print_error("Invalid IPv6 Mask '%s' specified",
mask);
+ if (bits != 0) {
+ char *p = (char *)&maskaddr;
+ memset(p, 0xff, bits / 8);
+ memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
+ p[bits / 8] = 0xff << (8 - (bits & 7));
+ return &maskaddr;
+ }
+
+ memset(&maskaddr, 0, sizeof maskaddr);
+ return &maskaddr;
+}
+
+/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
+ * The string pointed to by address can be altered. */
+void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
+ struct in6_addr *msk)
+{
+ struct in6_addr *tmp_addr;
+ char buf[256];
+ char *p;
+ int i;
+ int err;
+
+ strncpy(buf, address, sizeof(buf) - 1);
+ /* first the mask */
+ buf[sizeof(buf) - 1] = '\0';
+ if ((p = strrchr(buf, '/')) != NULL) {
+ *p = '\0';
+ tmp_addr = parse_ip6_mask(p + 1);
+ } else
+ tmp_addr = parse_ip6_mask(NULL);
+ in6addrcpy(msk, tmp_addr);
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+ strcpy(buf, "::");
+
+ if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ ebt_print_error("Invalid IPv6 Address '%s' specified",
buf);
+ return;
+ }
+
+ for (i = 0; i < 4; i++)
+ addr->in6_u.u6_addr32[i] &= msk->in6_u.u6_addr32[i];
+}
+
+/* Transform the ip6 addr into a string ready for output. */
+char *ebt_ip6_to_numeric(const struct in6_addr *addrp)
+{
+ /* 0000:0000:0000:0000:0000:000.000.000.000
+ * 0000:0000:0000:0000:0000:0000:0000:0000 */
+ static char buf[50+1];
+ return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
+}
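Review bot: `parse_ip6_mask()` writes one byte past `maskaddr` whenever `bits` is a non-zero multiple of 8. With `bits == 128`, `p[bits / 8] = 0xff << (8 - (bits & 7));` stores to `p[16]`, and for `bits` of 8, 16, ..., 120 the `memset(p + (bits / 8) + 1, 0, (128 - bits) / 8)` starts at `p[bits / 8 + 1]` and runs through `p[16]`. Fill the full bytes with `memset(p, 0xff, bits / 8)`, set the partial byte only when `bits & 7` is non-zero, and clear the remainder up to `sizeof maskaddr`. Two smaller points: when `string_to_number()` fails, `ebt_print_error()` is called but execution continues with `bits` uninitialized, so return after the error; and `addr->in6_u.u6_addr32[i]` relies on glibc's internal union member names, where `s6_addr32` (or a byte loop over `s6_addr`) is the portable spelling. The line `return ≈` in `numeric_to_addr()` reads like `&ap;` mangled in transit, which the reposted attachment should settle.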
* Re: [PATCHv5 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin
2008-02-19 0:58 ` Pablo Neira Ayuso
@ 2008-02-19 10:53 ` Peter Warasin
0 siblings, 0 replies; 34+ messages in thread
From: Peter Warasin @ 2008-02-19 10:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Pablo Neira Ayuso wrote:
> Peter Warasin wrote:
>> It clashes with my patch 4, so I will resend that patch, too,
>> including the bugfix.
>
> OK, wait for that patch. Thanks Peter.
The patch is here:
http://marc.info/?l=netfilter-devel&m=120312156418490&w=2
Thanks for the review and sorry for the confusion.
I will try to avoid this in the future.
peter
* Re: [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin
2008-02-11 22:07 ` [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin Peter Warasin
@ 2008-02-19 10:54 ` Pablo Neira Ayuso
0 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-19 10:54 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
Peter Warasin wrote:
> This patch adds support for AF_BRIDGE to
> the PRINTPKT plugin, which allows to form
> log lines for packets coming from ebtables.
> Currently it supports IPv4, IPv6 and ARP.
Applied. Thanks.
--
"Honest people are social misfits" -- Les Luthiers
* Re: [PATCHv4 4/5] adds AF_BRIDGE support to IP2STR
2008-02-16 0:25 ` [PATCHv4 " Peter Warasin
@ 2008-02-19 10:55 ` Pablo Neira Ayuso
0 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-19 10:55 UTC (permalink / raw)
To: Peter Warasin; +Cc: Eric Leblond, netfilter-devel
Peter Warasin wrote:
> Hi
>
> This is a resend with a bugfix included, which clashed, but it's needed
> in order to make the output of arp destination ip addresses working
> properly.
Also applied. Thanks.
--
"Honest people are social misfits" -- Les Luthiers
* Re: [PATCH 5/5] Adds ebtables nflog stack samples to config file
2008-02-11 22:07 ` [PATCH 5/5] Adds ebtables nflog stack samples to config file Peter Warasin
@ 2008-02-19 10:56 ` Pablo Neira Ayuso
0 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2008-02-19 10:56 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
Peter Warasin wrote:
> This patch adds a sample configuration for logging
> with ebtables through nflog out to LOGEMU and SYSLOG.
>
> It also fixes a config bug with ipv6 (log2)
Applied. Thanks Peter.
--
"Honest people are social misfits" -- Les Luthiers
* Re: [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd
2008-02-12 20:04 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Bart De Schuymer
2008-02-12 20:30 ` Peter Warasin
[not found] ` <1202846691.2901.16.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
@ 2008-02-19 15:12 ` Patrick McHardy
2 siblings, 0 replies; 34+ messages in thread
From: Patrick McHardy @ 2008-02-19 15:12 UTC (permalink / raw)
To: Bart De Schuymer; +Cc: Peter Warasin, netfilter-devel, ebtables-devel
Bart De Schuymer wrote:
> On Mon, 11-02-2008 at 23:07 +0100, Peter Warasin wrote:
>> Hi Guys
>>
>> The following patch-set adds ebtables nflog support to ulogd.
>>
>> In order to have this work it's also necessary to apply the
>> ebtables and kernel patches I posted some time ago
>> (I posted as well as this post on both, ebtables and
>> netfilter devel lists).
>
> Hi Peter,
>
> I just searched the mailing list archives and you've never before posted
> to the ebtables lists. You must have forgotten to include
> ebtables-devel. Anyway, I just subscribed to netfilter-devel to prevent
> this stuff from happening again.
> Maybe we should move ebtables traffic to the netfilter lists, I'm not
> really against it. Patrick?
I agree, that would make sense since there is quite a lot of
overlap between both topics.
* RE: [Ebtables-devel] [PATCH 1/2] Add IPv6 support
2008-02-19 1:50 ` [PATCH 1/2] Add IPv6 support Tseng, Kuo-Lang
@ 2008-02-19 18:24 ` Tseng, Kuo-Lang
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A8D0B66-7XlYjKTK0pNQxe9IK+vIArfspsVTdybXVpNB7YpNyf8@public.gmane.org>
0 siblings, 1 reply; 34+ messages in thread
From: Tseng, Kuo-Lang @ 2008-02-19 18:24 UTC (permalink / raw)
To: ebtables-devel; +Cc: netfilter-devel, Bart De Schuymer
[-- Attachment #1: Type: text/plain, Size: 328 bytes --]
Tseng, Kuo-Lang wrote on Monday, February 18, 2008 5:50 PM:
> This is the userspace ebtables patch that implements IPv6 header field
> checking and parsing.
>
> Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
>
Reposting the patch as an attachment (the earlier one had lines split. Sorry
about that).
[-- Attachment #2: ebtables.patch --]
[-- Type: application/octet-stream, Size: 20206 bytes --]
diff -urNp ebtables-v2.0.8-2.orig/ebtables.8 ebtables-v2.0.8-2.ipv6/ebtables.8
--- ebtables-v2.0.8-2.orig/ebtables.8 2007-09-21 10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/ebtables.8 2008-02-18 15:40:31.000000000 -0800
@@ -652,6 +652,54 @@ If
The flag
.B --ip-dport
is an alias for this option.
+.SS ipv6
+Specify IPv6 fields. The protocol must be specified as
+.IR IPv6 .
+.TP
+.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
+The source IPv6 address.
+The flag
+.B --ip6-src
+is an alias for this option.
+.TP
+.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination IPv6 address.
+The flag
+.B --ip6-dst
+is an alias for this option.
+.TP
+.BR "--ip6-tclass " "[!] \fItclass\fP"
+The IPv6 traffic class, in hexadecimal numbers.
+.TP
+.BR "--ip6-protocol " "[!] \fIprotocol\fP"
+The IP protocol.
+The flag
+.B --ip6-proto
+is an alias for this option.
+.TP
+.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The source port or port range for the IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-sport
+is an alias for this option.
+.TP
+.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The destination port or port range for IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-dport
+is an alias for this option.
.SS limit
This module matches at a limited rate using a token bucket filter.
A rule using this extension will match until this limit is reached.
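Review bot: the documented option set does not match the option table in ebt_ip6.c: `--ip6-traffic-class` is accepted as an alias of `--ip6-tclass` but is not mentioned here, and the `address[/mask]` syntax does not say that the mask may be given either as a prefix length (0 to 128) or as a full IPv6 address, which is what the parser accepts. `--ip6-protocol` is also described only as "The IP protocol"; say that it is the IPv6 next-header (upper-layer) protocol, given by number or by a name known to getprotobyname(), which is what the parser looks up.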
@@ -800,6 +848,11 @@ to be printed at the beginning of the li
Will log the ip information when a frame made by the ip protocol matches
the rule. The default is no ip information logging.
.TP
+.B --log-ip6
+.br
+Will log the ipv6 information when a frame made by the ipv6 protocol matches
+the rule. The default is no ipv6 information logging.
+.TP
.B --log-arp
.br
Will log the (r)arp information when a frame made by the (r)arp protocols
diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c
--- ebtables-v2.0.8-2.orig/extensions/ebt_ip6.c 1969-12-31 16:00:00.000000000 -0800
+++ ebtables-v2.0.8-2.ipv6/extensions/ebt_ip6.c 2008-02-18 15:24:21.000000000 -0800
@@ -0,0 +1,339 @@
+/* ebt_ip6
+ *
+ * Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Manohar Castelino <manohar.castelino@intel.com>
+ *
+ * Summary:
+ * This is just a modification of the IPv4 code written by
+ * Bart De Schuymer <bdschuym@pandora.be>
+ * with the changes required to support IPv6
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <netdb.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_ip6.h>
+
+
+
+#define IP_SOURCE '1'
+#define IP_DEST '2'
+#define IP_TCLASS '3'
+#define IP_PROTO '4'
+#define IP_SPORT '5'
+#define IP_DPORT '6'
+
+static struct option opts[] =
+{
+ { "ip6-source" , required_argument, 0, IP_SOURCE },
+ { "ip6-src" , required_argument, 0, IP_SOURCE },
+ { "ip6-destination" , required_argument, 0, IP_DEST },
+ { "ip6-dst" , required_argument, 0, IP_DEST },
+ { "ip6-traffic-class" , required_argument, 0, IP_TCLASS },
+ { "ip6-tclass" , required_argument, 0, IP_TCLASS },
+ { "ip6-protocol" , required_argument, 0, IP_PROTO },
+ { "ip6-proto" , required_argument, 0, IP_PROTO },
+ { "ip6-source-port" , required_argument, 0, IP_SPORT },
+ { "ip6-sport" , required_argument, 0, IP_SPORT },
+ { "ip6-destination-port" , required_argument, 0, IP_DPORT },
+ { "ip6-dport" , required_argument, 0, IP_DPORT },
+ { 0 }
+};
+
+/* transform a protocol and service name into a port number */
+static uint16_t parse_port(const char *protocol, const char *name)
+{
+ struct servent *service;
+ char *end;
+ int port;
+
+ port = strtol(name, &end, 10);
+ if (*end != '\0') {
+ if (protocol &&
+ (service = getservbyname(name, protocol)) != NULL)
+ return ntohs(service->s_port);
+ }
+ else if (port >= 0 || port <= 0xFFFF) {
+ return port;
+ }
+ ebt_print_error("Problem with specified %s port '%s'",
+ protocol?protocol:"", name);
+ return 0;
+}
+
+static void
+parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = parse_port(protocol, buffer);
+ else {
+ *cp = '\0';
+ cp++;
+ ports[0] = buffer[0] ? parse_port(protocol, buffer) : 0;
+ if (ebt_errormsg[0] != '\0')
+ return;
+ ports[1] = cp[0] ? parse_port(protocol, cp) : 0xFFFF;
+ if (ebt_errormsg[0] != '\0')
+ return;
+
+ if (ports[0] > ports[1])
+ ebt_print_error("Invalid portrange (min > max)");
+ }
+ free(buffer);
+}
+
+static void print_port_range(uint16_t *ports)
+{
+ if (ports[0] == ports[1])
+ printf("%d ", ports[0]);
+ else
+ printf("%d:%d ", ports[0], ports[1]);
+}
+
+static void print_help()
+{
+ printf(
+"ip6 options:\n"
+"--ip6-src [!] address[/mask]: ipv6 source specification\n"
+"--ip6-dst [!] address[/mask]: ipv6 destination specification\n"
+"--ip6-tclass [!] tclass : ipv6 traffic class specification\n"
+"--ip6-proto [!] protocol : ipv6 protocol specification\n"
+"--ip6-sport [!] port[:port] : tcp/udp source port or port range\n"
+"--ip6-dport [!] port[:port] : tcp/udp destination port or port range\n");
+}
+
+static void init(struct ebt_entry_match *match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data;
+
+ ipinfo->invflags = 0;
+ ipinfo->bitmask = 0;
+}
+
+#define OPT_SOURCE 0x01
+#define OPT_DEST 0x02
+#define OPT_TCLASS 0x04
+#define OPT_PROTO 0x08
+#define OPT_SPORT 0x10
+#define OPT_DPORT 0x20
+static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
+ unsigned int *flags, struct ebt_entry_match **match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)(*match)->data;
+ char *end;
+ long int i;
+
+ switch (c) {
+ case IP_SOURCE:
+ ebt_check_option2(flags, OPT_SOURCE);
+ ipinfo->bitmask |= EBT_IP6_SOURCE;
+ if (ebt_check_inverse2(optarg)) {
+ ipinfo->invflags |= EBT_IP6_SOURCE;
+ }
+ ebt_parse_ip6_address(optarg, &ipinfo->saddr, &ipinfo->smsk);
+ break;
+
+ case IP_DEST:
+ ebt_check_option2(flags, OPT_DEST);
+ ipinfo->bitmask |= EBT_IP6_DEST;
+ if (ebt_check_inverse2(optarg)) {
+ ipinfo->invflags |= EBT_IP6_DEST;
+ }
+ ebt_parse_ip6_address(optarg, &ipinfo->daddr, &ipinfo->dmsk);
+ break;
+
+ case IP_SPORT:
+ case IP_DPORT:
+ if (c == IP_SPORT) {
+ ebt_check_option2(flags, OPT_SPORT);
+ ipinfo->bitmask |= EBT_IP6_SPORT;
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_SPORT;
+ } else {
+ ebt_check_option2(flags, OPT_DPORT);
+ ipinfo->bitmask |= EBT_IP6_DPORT;
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_DPORT;
+ }
+ if (c == IP_SPORT)
+ parse_port_range(NULL, optarg, ipinfo->sport);
+ else
+ parse_port_range(NULL, optarg, ipinfo->dport);
+ break;
+
+ case IP_TCLASS:
+ ebt_check_option2(flags, OPT_TCLASS);
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_TCLASS;
+ i = strtol(optarg, &end, 16);
+ if (i < 0 || i > 255 || *end != '\0')
+ ebt_print_error2("Problem with specified IPv6 traffic class");
+ ipinfo->tclass = i;
+ ipinfo->bitmask |= EBT_IP6_TCLASS;
+ break;
+
+ case IP_PROTO:
+ ebt_check_option2(flags, OPT_PROTO);
+ if (ebt_check_inverse2(optarg))
+ ipinfo->invflags |= EBT_IP6_PROTO;
+ i = strtoul(optarg, &end, 10);
+ if (*end != '\0') {
+ struct protoent *pe;
+
+ pe = getprotobyname(optarg);
+ if (pe == NULL)
+ ebt_print_error("Unknown specified IP protocol - %s", argv[optind - 1]);
+ ipinfo->protocol = pe->p_proto;
+ } else {
+ ipinfo->protocol = (unsigned char) i;
+ }
+ ipinfo->bitmask |= EBT_IP6_PROTO;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hookmask, unsigned int time)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data;
+
+ if (entry->ethproto != ETH_P_IPV6 || entry->invflags & EBT_IPROTO) {
+ ebt_print_error("For IPv6 filtering the protocol must be "
+ "specified as IPv6");
+ } else if (ipinfo->bitmask & (EBT_IP6_SPORT|EBT_IP6_DPORT) &&
+ (!(ipinfo->bitmask & EBT_IP6_PROTO) ||
+ ipinfo->invflags & EBT_IP6_PROTO ||
+ (ipinfo->protocol!=IPPROTO_TCP &&
+ ipinfo->protocol!=IPPROTO_UDP &&
+ ipinfo->protocol!=IPPROTO_SCTP &&
+ ipinfo->protocol!=IPPROTO_DCCP)))
+ ebt_print_error("For port filtering the IP protocol must be "
+ "either 6 (tcp), 17 (udp), 33 (dccp) or "
+ "132 (sctp)");
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match)
+{
+ struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data;
+
+ if (ipinfo->bitmask & EBT_IP6_SOURCE) {
+ printf("--ip6-src ");
+ if (ipinfo->invflags & EBT_IP6_SOURCE)
+ printf("! ");
+ printf("%s", ebt_ip6_to_numeric(&ipinfo->saddr));
+ printf("/%s ", ebt_ip6_to_numeric(&ipinfo->smsk));
+ }
+ if (ipinfo->bitmask & EBT_IP6_DEST) {
+ printf("--ip6-dst ");
+ if (ipinfo->invflags & EBT_IP6_DEST)
+ printf("! ");
+ printf("%s", ebt_ip6_to_numeric(&ipinfo->daddr));
+ printf("/%s ", ebt_ip6_to_numeric(&ipinfo->dmsk));
+ }
+ if (ipinfo->bitmask & EBT_IP6_TCLASS) {
+ printf("--ip6-tclass ");
+ if (ipinfo->invflags & EBT_IP6_TCLASS)
+ printf("! ");
+ printf("0x%02X ", ipinfo->tclass);
+ }
+ if (ipinfo->bitmask & EBT_IP6_PROTO) {
+ struct protoent *pe;
+
+ printf("--ip6-proto ");
+ if (ipinfo->invflags & EBT_IP6_PROTO)
+ printf("! ");
+ pe = getprotobynumber(ipinfo->protocol);
+ if (pe == NULL) {
+ printf("%d ", ipinfo->protocol);
+ } else {
+ printf("%s ", pe->p_name);
+ }
+ }
+ if (ipinfo->bitmask & EBT_IP6_SPORT) {
+ printf("--ip6-sport ");
+ if (ipinfo->invflags & EBT_IP6_SPORT)
+ printf("! ");
+ print_port_range(ipinfo->sport);
+ }
+ if (ipinfo->bitmask & EBT_IP6_DPORT) {
+ printf("--ip6-dport ");
+ if (ipinfo->invflags & EBT_IP6_DPORT)
+ printf("! ");
+ print_port_range(ipinfo->dport);
+ }
+}
+
+static int compare(const struct ebt_entry_match *m1,
+ const struct ebt_entry_match *m2)
+{
+ struct ebt_ip6_info *ipinfo1 = (struct ebt_ip6_info *)m1->data;
+ struct ebt_ip6_info *ipinfo2 = (struct ebt_ip6_info *)m2->data;
+
+ if (ipinfo1->bitmask != ipinfo2->bitmask)
+ return 0;
+ if (ipinfo1->invflags != ipinfo2->invflags)
+ return 0;
+ if (ipinfo1->bitmask & EBT_IP6_SOURCE) {
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->saddr, &ipinfo2->saddr))
+ return 0;
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->smsk, &ipinfo2->smsk))
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_DEST) {
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->daddr, &ipinfo2->daddr))
+ return 0;
+ if (!IN6_ARE_ADDR_EQUAL(&ipinfo1->dmsk, &ipinfo2->dmsk))
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_TCLASS) {
+ if (ipinfo1->tclass != ipinfo2->tclass)
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_PROTO) {
+ if (ipinfo1->protocol != ipinfo2->protocol)
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_SPORT) {
+ if (ipinfo1->sport[0] != ipinfo2->sport[0] ||
+ ipinfo1->sport[1] != ipinfo2->sport[1])
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP6_DPORT) {
+ if (ipinfo1->dport[0] != ipinfo2->dport[0] ||
+ ipinfo1->dport[1] != ipinfo2->dport[1])
+ return 0;
+ }
+ return 1;
+}
+
+static struct ebt_u_match ip6_match =
+{
+ .name = EBT_IP6_MATCH,
+ .size = sizeof(struct ebt_ip6_info),
+ .help = print_help,
+ .init = init,
+ .parse = parse,
+ .final_check = final_check,
+ .print = print,
+ .compare = compare,
+ .extra_ops = opts,
+};
+
+void _init(void)
+{
+ ebt_register_match(&ip6_match);
+}
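Review bot: parse_port() has a range check that can never fail: `else if (port >= 0 || port <= 0xFFFF)` must use `&&`, otherwise a value such as 70000 is silently truncated to uint16_t. In the IP_PROTO case, `ebt_print_error("Unknown specified IP protocol - %s", ...)` is followed by `ipinfo->protocol = pe->p_proto;` with pe == NULL; since ebt_print_error() can return (this file itself checks ebt_errormsg[0] after calling it in parse_port_range()), that is a NULL dereference. Use ebt_print_error2() there, as the IP_TCLASS case does. parse_port_range() also leaks `buffer` on both early returns; free it before returning. Minor: the --ip6-sport/--ip6-dport help strings say "tcp/udp" while final_check() and the man page also accept DCCP and SCTP.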
diff -urNp ebtables-v2.0.8-2.orig/extensions/ebt_log.c ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c
--- ebtables-v2.0.8-2.orig/extensions/ebt_log.c 2007-09-21 10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/extensions/ebt_log.c 2008-01-30 17:22:56.000000000 -0800
@@ -60,6 +60,7 @@ static int name_to_loglevel(char* arg)
#define LOG_ARP '3'
#define LOG_IP '4'
#define LOG_LOG '5'
+#define LOG_IP6 '6'
static struct option opts[] =
{
{ "log-prefix", required_argument, 0, LOG_PREFIX },
@@ -67,6 +68,7 @@ static struct option opts[] =
{ "log-arp" , no_argument , 0, LOG_ARP },
{ "log-ip" , no_argument , 0, LOG_IP },
{ "log" , no_argument , 0, LOG_LOG },
+ { "log-ip6" , no_argument , 0, LOG_IP6 },
{ 0 }
};
@@ -81,6 +83,7 @@ static void print_help()
"--log-prefix prefix : max. %d chars.\n"
"--log-ip : put ip info. in the log for ip packets\n"
"--log-arp : put (r)arp info. in the log for (r)arp packets\n"
+"--log-ip6 : put ip6 info. in the log for ip6 packets\n"
, EBT_LOG_PREFIX_SIZE - 1);
printf("levels:\n");
for (i = 0; i < 8; i++)
@@ -102,6 +105,7 @@ static void init(struct ebt_entry_watche
#define OPT_ARP 0x04
#define OPT_IP 0x08
#define OPT_LOG 0x10
+#define OPT_IP6 0x20
static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
unsigned int *flags, struct ebt_entry_watcher **watcher)
{
@@ -151,6 +155,13 @@ static int parse(int c, char **argv, int
if (ebt_check_inverse(optarg))
ebt_print_error2("Unexpected `!' after --log");
break;
+
+ case LOG_IP6:
+ ebt_check_option2(flags, OPT_IP6);
+ if (ebt_check_inverse(optarg))
+ ebt_print_error2("Unexpected `!' after --log-ip6");
+ loginfo->bitmask |= EBT_LOG_IP6;
+ break;
default:
return 0;
}
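Review bot: EBT_LOG_IP6 is not defined anywhere in this patch, so ebt_log.c only builds against a linux/netfilter_bridge/ebt_log.h that already carries the kernel-side change; either state that dependency explicitly or guard the new case with #ifdef EBT_LOG_IP6 so an unpatched header does not break the build. The case body itself is consistent with the neighbouring options (ebt_check_option2, ebt_check_inverse, ebt_print_error2).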
@@ -175,6 +186,8 @@ static void print(const struct ebt_u_ent
printf(" --log-ip");
if (loginfo->bitmask & EBT_LOG_ARP)
printf(" --log-arp");
+ if (loginfo->bitmask & EBT_LOG_IP6)
+ printf(" --log-ip6");
printf(" ");
}
diff -urNp ebtables-v2.0.8-2.orig/extensions/Makefile ebtables-v2.0.8-2.ipv6/extensions/Makefile
--- ebtables-v2.0.8-2.orig/extensions/Makefile 2007-09-21 10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/extensions/Makefile 2008-01-11 19:41:47.000000000 -0800
@@ -1,6 +1,6 @@
#! /usr/bin/make
-EXT_FUNC+=802_3 nat arp arpreply ip standard log redirect vlan mark_m mark \
+EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
pkttype stp among limit ulog
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
diff -urNp ebtables-v2.0.8-2.orig/include/ebtables_u.h ebtables-v2.0.8-2.ipv6/include/ebtables_u.h
--- ebtables-v2.0.8-2.orig/include/ebtables_u.h 2007-09-21 10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/include/ebtables_u.h 2008-02-15 11:43:06.000000000 -0800
@@ -297,6 +297,10 @@ void ebt_print_mac_and_mask(const unsign
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk);
char *ebt_mask_to_dotted(uint32_t mask);
+void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
+ struct in6_addr *msk);
+char *ebt_ip6_to_numeric(const struct in6_addr *addrp);
+
int do_command(int argc, char *argv[], int exec_style,
struct ebt_u_replace *replace_);
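Review bot: the new prototypes use `struct in6_addr`, but no include that defines it (<netinet/in.h>) is added to this header, so an extension that includes ebtables_u.h without pulling in the socket headers first will fail to compile; add the include here rather than relying on include order. string_to_number(), string_to_number_l() and string_to_number_ll() are defined with external linkage in useful_functions.c but are not declared here; either declare them (with an ebt_ prefix, like the other exported helpers) or make them static.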
diff -urNp ebtables-v2.0.8-2.orig/useful_functions.c ebtables-v2.0.8-2.ipv6/useful_functions.c
--- ebtables-v2.0.8-2.orig/useful_functions.c 2007-09-21 10:27:20.000000000 -0700
+++ ebtables-v2.0.8-2.ipv6/useful_functions.c 2008-02-18 15:20:52.000000000 -0800
@@ -29,6 +29,10 @@
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
const unsigned char mac_type_unicast[ETH_ALEN] = {0,0,0,0,0,0};
const unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0};
@@ -244,6 +248,7 @@ void ebt_parse_ip_address(char *address,
*addr = *addr & *msk;
}
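Review bot: this hunk only adds a blank line before the ebt_mask_to_dotted() comment; drop it from the patch so the diff stays limited to the IPv6 change.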
+
/* Transform the ip mask into a string ready for output. */
char *ebt_mask_to_dotted(uint32_t mask)
{
@@ -276,3 +281,134 @@ char *ebt_mask_to_dotted(uint32_t mask)
return buf;
}
+
+/* Most of the following code is derived from iptables */
+static void
+in6addrcpy(struct in6_addr *dst, struct in6_addr *src)
+{
+ memcpy(dst, src, sizeof(struct in6_addr));
+}
+
+int string_to_number_ll(const char *s, unsigned long long min,
+ unsigned long long max, unsigned long long *ret)
+{
+ unsigned long long number;
+ char *end;
+
+ /* Handle hex, octal, etc. */
+ errno = 0;
+ number = strtoull(s, &end, 0);
+ if (*end == '\0' && end != s) {
+ /* we parsed a number, let's see if we want this */
+ if (errno != ERANGE && min <= number && (!max || number <= max)) {
+ *ret = number;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int string_to_number_l(const char *s, unsigned long min, unsigned long max,
+ unsigned long *ret)
+{
+ int result;
+ unsigned long long number;
+
+ result = string_to_number_ll(s, min, max, &number);
+ *ret = (unsigned long)number;
+
+ return result;
+}
+
+int string_to_number(const char *s, unsigned int min, unsigned int max,
+ unsigned int *ret)
+{
+ int result;
+ unsigned long number;
+
+ result = string_to_number_l(s, min, max, &number);
+ *ret = (unsigned int)number;
+
+ return result;
+}
+
+static struct in6_addr *
+numeric_to_addr(const char *num)
+{
+ static struct in6_addr ap;
+ int err;
+ if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ return ≈
+ return (struct in6_addr *)NULL;
+}
+
+static struct in6_addr *
+parse_ip6_mask(char *mask)
+{
+ static struct in6_addr maskaddr;
+ struct in6_addr *addrp;
+ unsigned int bits;
+
+ if (mask == NULL) {
+ /* no mask at all defaults to 128 bits */
+ memset(&maskaddr, 0xff, sizeof maskaddr);
+ return &maskaddr;
+ }
+ if ((addrp = numeric_to_addr(mask)) != NULL)
+ return addrp;
+ if (string_to_number(mask, 0, 128, &bits) == -1)
+ ebt_print_error("Invalid IPv6 Mask '%s' specified", mask);
+ if (bits != 0) {
+ char *p = (char *)&maskaddr;
+ memset(p, 0xff, bits / 8);
+ memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
+ p[bits / 8] = 0xff << (8 - (bits & 7));
+ return &maskaddr;
+ }
+
+ memset(&maskaddr, 0, sizeof maskaddr);
+ return &maskaddr;
+}
+
+/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
+ * The string pointed to by address can be altered. */
+void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
+ struct in6_addr *msk)
+{
+ struct in6_addr *tmp_addr;
+ char buf[256];
+ char *p;
+ int i;
+ int err;
+
+ strncpy(buf, address, sizeof(buf) - 1);
+ /* first the mask */
+ buf[sizeof(buf) - 1] = '\0';
+ if ((p = strrchr(buf, '/')) != NULL) {
+ *p = '\0';
+ tmp_addr = parse_ip6_mask(p + 1);
+ } else
+ tmp_addr = parse_ip6_mask(NULL);
+ in6addrcpy(msk, tmp_addr);
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+ strcpy(buf, "::");
+
+ if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ ebt_print_error("Invalid IPv6 Address '%s' specified", buf);
+ return;
+ }
+
+ for (i = 0; i < 4; i++)
+ addr->in6_u.u6_addr32[i] &= msk->in6_u.u6_addr32[i];
+}
+
+/* Transform the ip6 addr into a string ready for output. */
+char *ebt_ip6_to_numeric(const struct in6_addr *addrp)
+{
+ /* 0000:0000:0000:0000:0000:000.000.000.000
+ * 0000:0000:0000:0000:0000:0000:0000:0000 */
+ static char buf[50+1];
+ return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
+}
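Review bot: parse_ip6_mask() writes one byte past maskaddr whenever the prefix length is a multiple of 8. For bits = 8 the call `memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);` clears p[2] through p[16], and for bits = 128 the assignment `p[bits / 8] = 0xff << (8 - (bits & 7));` stores to p[16]; struct in6_addr is only 16 bytes. Clear `16 - bits / 8 - 1` bytes (clamped at zero) and only set the partial byte when `bits & 7` is non-zero, or handle bits == 128 up front with the all-ones path. In the same function, after `ebt_print_error("Invalid IPv6 Mask '%s' specified", mask)` the code continues with an uninitialised `bits`; return after the error and have ebt_parse_ip6_address() check ebt_errormsg[0] before copying the mask, as its own comment tells callers to do. Portability nit: `addr->in6_u.u6_addr32[i]` is the glibc-internal union member; use the s6_addr32 macro or the s6_addr byte array.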
From: Bart De Schuymer @ 2008-02-21 21:29 UTC (permalink / raw)
To: Tseng, Kuo-Lang
Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
On Tue, 19-02-2008 at 10:24 -0800, Tseng, Kuo-Lang wrote:
> Tseng, Kuo-Lang wrote on Monday, February 18, 2008 5:50 PM:
>
> > This is the userspace ebtables patch that implements IPv6 header field
> > checking and parsing.
> >
> > Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> >
>
> Reposting the patch as an attachment (the earlier one had lines split. Sorry
> about that).
Thanks a lot, userspace and kernel code look ok to me.
I'll commit the userspace part.
cheers,
Bart
* Re: [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd
From: Bart De Schuymer @ 2008-02-21 22:23 UTC (permalink / raw)
To: Peter Warasin; +Cc: netfilter-devel, ebtables-devel
On Tue, 12-02-2008 at 21:30 +0100, Peter Warasin wrote:
> Hi Bart
>
> Bart De Schuymer wrote:
> > I just searched the mailing list archives and you've never before posted
> > to the ebtables lists. You must have forgotten to include
> >
> Oh, i see.
> That's weird. I got mails back from the ebtables list. Probably
> they have been blocked by sourceforge's mailman and I got them
> because of the crosspost and filtering rules.
>
> Anyway, the posts in question are these:
> http://marc.info/?l=netfilter-devel&m=120223788107898&w=2
> http://marc.info/?l=netfilter-devel&m=120223788207901&w=2
> http://marc.info/?l=netfilter-devel&m=120223788307904&w=2
Hi Peter,
I had a look at those posts (through your links), the patches seem fine.
However, the lines are truncated around 80 characters. Can you resend or
point me to newer patches?
cheers,
Bart
* Re: [PATCH 0/5] adds ebtables nflog support to ulogd
From: Peter Warasin @ 2008-02-25 13:55 UTC (permalink / raw)
To: Bart De Schuymer
Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
ebtables-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
Hi Bart
Bart De Schuymer wrote:
> I had a look at those posts (through your links), the patches seem fine.
> However, the lines are truncated around 80 characters. Can you resend or
> point me to newer patches?
I resend it as an attachment.
This is the patch for the ebtables userland tool.
The kernel module follows later, as I rebased it to net-2.2.26 and am
currently testing it.
peter
[-- Attachment #2: ulogd-ebt_nflog.patch --]
This patch adds ebt_nflog watcher extension to the ebtables
userland tool.
It's based on xt_NFLOG, so options are basically the same.
Signed-off-by: Peter Warasin <peter-k8AlXt1uIdjQT0dZR+AlfA@public.gmane.org>
---
ebtables2/ebtables.8 | 35 +++++++
ebtables2/extensions/Makefile | 2
ebtables2/extensions/ebt_nflog.c | 179 +++++++++++++++++++++++++++++++++++++++
3 files changed, 215 insertions(+), 1 deletion(-)
Index: ebtables2/extensions/Makefile
===================================================================
--- ebtables2/extensions/Makefile.orig 2008-02-05 17:43:28.000000000 +0100
+++ ebtables2/extensions/Makefile 2008-02-05 18:27:26.000000000 +0100
@@ -1,7 +1,7 @@
#! /usr/bin/make
EXT_FUNC+=802_3 nat arp arpreply ip standard log redirect vlan mark_m mark \
- pkttype stp among limit ulog
+ pkttype stp among limit ulog nflog
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
Index: ebtables2/extensions/ebt_nflog.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ ebtables2/extensions/ebt_nflog.c 2008-02-05 18:27:26.000000000 +0100
@@ -0,0 +1,179 @@
+/* ebt_nflog
+ *
+ * Authors:
+ * Peter Warasin <peter-k8AlXt1uIdjQT0dZR+AlfA@public.gmane.org>
+ *
+ * February, 2008
+ *
+ * Based on:
+ * ebt_ulog.c, (C) 2004, Bart De Schuymer <bdschuym-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org>
+ * libxt_NFLOG.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_nflog.h>
+
+enum {
+ NFLOG_GROUP = 0x1,
+ NFLOG_PREFIX = 0x2,
+ NFLOG_RANGE = 0x4,
+ NFLOG_THRESHOLD = 0x8,
+ NFLOG_NFLOG = 0x16,
+};
+
+static struct option nflog_opts[] = {
+ {"nflog-group", required_argument, NULL, NFLOG_GROUP},
+ {"nflog-prefix", required_argument, NULL, NFLOG_PREFIX},
+ {"nflog-range", required_argument, NULL, NFLOG_RANGE},
+ {"nflog-threshold", required_argument, NULL, NFLOG_THRESHOLD},
+ {"nflog", no_argument, NULL, NFLOG_NFLOG},
+ {.name = NULL}
+};
+
+static void nflog_help()
+{
+ printf("nflog options:\n"
+ "--nflog : use the default nflog parameters\n"
+ "--nflog-prefix prefix : Prefix string for log message\n"
+ "--nflog-group group : NETLINK group used for logging\n"
+ "--nflog-range range : Number of byte to copy\n"
+ "--nflog-threshold : Message threshold of"
+ "in-kernel queue\n");
+}
+
+static void nflog_init(struct ebt_entry_watcher *watcher)
+{
+ struct ebt_nflog_info *info = (struct ebt_nflog_info *)watcher->data;
+
+ info->prefix[0] = '\0';
+ info->group = EBT_NFLOG_DEFAULT_GROUP;
+ info->threshold = EBT_NFLOG_DEFAULT_THRESHOLD;
+}
+
+static int nflog_parse(int c, char **argv, int argc,
+ const struct ebt_u_entry *entry, unsigned int *flags,
+ struct ebt_entry_watcher **watcher)
+{
+ struct ebt_nflog_info *info;
+ unsigned int i;
+ char *end;
+
+ info = (struct ebt_nflog_info *)(*watcher)->data;
+ switch (c) {
+ case NFLOG_PREFIX:
+ if (ebt_check_inverse2(optarg))
+ goto inverse_invalid;
+ ebt_check_option2(flags, NFLOG_PREFIX);
+ if (strlen(optarg) > EBT_NFLOG_PREFIX_SIZE - 1)
+ ebt_print_error("Prefix too long for nflog-prefix");
+ strcpy(info->prefix, optarg);
+ break;
+
+ case NFLOG_GROUP:
+ if (ebt_check_inverse2(optarg))
+ goto inverse_invalid;
+ ebt_check_option2(flags, NFLOG_GROUP);
+ i = strtoul(optarg, &end, 10);
+ if (*end != '\0')
+ ebt_print_error2("--nflog-group must be a number!");
+ if (i < 0)
+ ebt_print_error2("--nflog-group can not be negative");
+ info->group = i;
+ break;
+
+ case NFLOG_RANGE:
+ if (ebt_check_inverse2(optarg))
+ goto inverse_invalid;
+ ebt_check_option2(flags, NFLOG_RANGE);
+ i = strtoul(optarg, &end, 10);
+ if (*end != '\0')
+ ebt_print_error2("--nflog-range must be a number!");
+ if (i < 0)
+ ebt_print_error2("--nflog-range can not be negative");
+ info->len = i;
+ break;
+
+ case NFLOG_THRESHOLD:
+ if (ebt_check_inverse2(optarg))
+ goto inverse_invalid;
+ ebt_check_option2(flags, NFLOG_THRESHOLD);
+ i = strtoul(optarg, &end, 10);
+ if (*end != '\0')
+ ebt_print_error2("--nflog-threshold must be a number!");
+ if (i < 0)
+ ebt_print_error2
+ ("--nflog-threshold can not be negative");
+ info->threshold = i;
+ break;
+ case NFLOG_NFLOG:
+ if (ebt_check_inverse(optarg))
+ goto inverse_invalid;
+ ebt_check_option2(flags, NFLOG_NFLOG);
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+
+ inverse_invalid:
+ ebt_print_error("The use of '!' makes no sense for the nflog watcher");
+ return 1;
+}
+
+static void nflog_final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_watcher *watcher,
+ const char *name, unsigned int hookmask,
+ unsigned int time)
+{
+}
+
+static void nflog_print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_watcher *watcher)
+{
+ struct ebt_nflog_info *info = (struct ebt_nflog_info *)watcher->data;
+
+ if (info->prefix[0] != '\0')
+ printf("--nflog-prefix \"%s\"", info->prefix);
+ if (info->group)
+ printf("--nflog-group %d ", info->group);
+ if (info->len)
+ printf("--nflog-range %d", info->len);
+ if (info->threshold != EBT_NFLOG_DEFAULT_THRESHOLD)
+ printf(" --nflog-threshold %d ", info->threshold);
+}
+
+static int nflog_compare(const struct ebt_entry_watcher *w1,
+ const struct ebt_entry_watcher *w2)
+{
+ struct ebt_nflog_info *info1 = (struct ebt_nflog_info *)w1->data;
+ struct ebt_nflog_info *info2 = (struct ebt_nflog_info *)w2->data;
+
+ if (info1->group != info2->group ||
+ info1->len != info2->len ||
+ info1->threshold != info2->threshold ||
+ strcmp(info1->prefix, info2->prefix))
+ return 0;
+ return 1;
+}
+
+static struct ebt_u_watcher nflog_watcher = {
+ .name = "nflog",
+ .size = sizeof(struct ebt_nflog_info),
+ .help = nflog_help,
+ .init = nflog_init,
+ .parse = nflog_parse,
+ .final_check = nflog_final_check,
+ .print = nflog_print,
+ .compare = nflog_compare,
+ .extra_ops = nflog_opts,
+};
+
+void _init(void)
+{
+ ebt_register_watcher(&nflog_watcher);
+}
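Review bot: `NFLOG_NFLOG = 0x16` is not a single bit (0x16 == 0x10 | 0x04 | 0x02), so ebt_check_option2(flags, NFLOG_NFLOG) marks --nflog-prefix and --nflog-range as already seen and `--nflog --nflog-prefix foo` is rejected as a duplicate option; it should be 0x10. In the NFLOG_PREFIX case, `ebt_print_error("Prefix too long for nflog-prefix")` is followed by `strcpy(info->prefix, optarg)`; the inverse_invalid path in this same function shows ebt_print_error() returning, so an over-long prefix overflows the EBT_NFLOG_PREFIX_SIZE buffer. Use ebt_print_error2() as the other cases do, or copy with a bounded strncpy plus terminator. `i` is unsigned int, so the three `if (i < 0)` tests are dead code; check `end == optarg` and an upper bound suited to the target field instead, since strtoul() maps "-1" to ULONG_MAX. nflog_init() leaves info->len uninitialised while nflog_print() and nflog_compare() read it; set it to 0. The NFLOG_NFLOG case uses ebt_check_inverse() where the other cases use ebt_check_inverse2(). Also fix the help string, which prints "threshold ofin-kernel queue" because of the missing space between the two literals, and the spacing in nflog_print(): "--nflog-prefix" and "--nflog-range" have no trailing space while "--nflog-threshold" has a leading one, so a listed rule runs its options together.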
Index: ebtables2/ebtables.8
===================================================================
--- ebtables2/ebtables.8.orig 2008-02-05 18:27:08.000000000 +0100
+++ ebtables2/ebtables.8 2008-02-05 18:27:26.000000000 +0100
@@ -804,6 +804,41 @@
.br
Will log the (r)arp information when a frame made by the (r)arp protocols
matches the rule. The default is no (r)arp information logging.
+.SS nflog
+The nflog watcher passes the packet to the loaded logging backend
+in order to log the packet. This is usually used in combination with
+nfnetlink_log as logging backend, which will multicast the packet
+through a
+.IR netlink
+socket to the specified multicast group. One or more userspace processes
+may subscribe to the group to receive the packets.
+.TP
+.B "--nflog"
+.br
+Log with the default logging options
+.TP
+.B --nflog-group "\fInlgroup\fP"
+.br
+The netlink group (1 - 2^32-1) to which packets are (only applicable for
+nfnetlink_log). The default value is 1.
+.TP
+.B --nflog-prefix "\fIprefix\fP"
+.br
+A prefix string to include in the log message, up to 30 characters
+long, useful for distinguishing messages in the logs.
+.TP
+.B --nflog-range "\fIsize\fP"
+.br
+The number of bytes to be copied to userspace (only applicable for
+nfnetlink_log). nfnetlink_log instances may specify their own
+range, this option overrides it.
+.TP
+.B --nflog-threshold "\fIsize\fP"
+.br
+Number of packets to queue inside the kernel before sending them
+to userspace (only applicable for nfnetlink_log). Higher values
+result in less overhead per packet, but increase delay until the
+packets reach userspace. The default value is 1.
.SS ulog
The ulog watcher passes the packet to a userspace
logging daemon using netlink multicast sockets. This differs
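Review bot: the --nflog-group description is missing its verb: "The netlink group (1 - 2^32-1) to which packets are (only applicable for nfnetlink_log)" should read "... to which packets are sent (only applicable for nfnetlink_log)". Check the stated 2^32-1 range against the width of the group field in struct ebt_nflog_info and against what nflog_parse() stores from its unsigned int; the man page, the help text and the parser should agree on one bound. Likewise the --nflog-prefix entry gives a fixed limit of 30 characters while the code enforces EBT_NFLOG_PREFIX_SIZE - 1; make sure those match. Nit in the help text: "Number of byte to copy" should be "bytes".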
2008-02-11 22:07 [PATCH 0/5] adds ebtables nflog support to ulogd Peter Warasin
2008-02-11 22:07 ` [PATCH 1/5] Adds input keys enumeration Peter Warasin
2008-02-14 14:46 ` Pablo Neira Ayuso
2008-02-11 22:07 ` [PATCH 2/5] Adds AF_BRIDGE and ARP header interpreter to BASE plugin Peter Warasin
2008-02-13 23:05 ` [PATCHv2 " Peter Warasin
2008-02-14 7:39 ` Eric Leblond
2008-02-14 11:34 ` [PATCHv3 " Peter Warasin
2008-02-14 15:23 ` Pablo Neira Ayuso
2008-02-15 17:25 ` [PATCHv4 " Peter Warasin
2008-02-15 17:39 ` Peter Warasin
2008-02-16 0:25 ` [PATCHv5 " Peter Warasin
2008-02-19 0:58 ` Pablo Neira Ayuso
2008-02-19 10:53 ` Peter Warasin
2008-02-11 22:07 ` [PATCH 3/5] adds AF_BRIDGE support to PRINTPKT plugin Peter Warasin
2008-02-19 10:54 ` Pablo Neira Ayuso
2008-02-11 22:07 ` [PATCH 4/5] adds AF_BRIDGE support to IP2STR Peter Warasin
2008-02-12 20:28 ` Eric Leblond
2008-02-13 11:17 ` Peter Warasin
2008-02-12 21:15 ` Eric Leblond
2008-02-13 11:13 ` Peter Warasin
2008-02-13 23:06 ` [PATCHv2 " Peter Warasin
2008-02-14 11:36 ` [PATCHv3 " Peter Warasin
2008-02-16 0:25 ` [PATCHv4 " Peter Warasin
2008-02-19 10:55 ` Pablo Neira Ayuso
2008-02-11 22:07 ` [PATCH 5/5] Adds ebtables nflog stack samples to config file Peter Warasin
2008-02-19 10:56 ` Pablo Neira Ayuso
2008-02-12 20:04 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Bart De Schuymer
2008-02-12 20:30 ` Peter Warasin
2008-02-21 22:23 ` Bart De Schuymer
[not found] ` <1203632611.2902.6.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-25 13:55 ` Peter Warasin
[not found] ` <1202846691.2901.16.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-19 1:50 ` [PATCH 1/2] Add IPv6 support Tseng, Kuo-Lang
2008-02-19 18:24 ` [Ebtables-devel] " Tseng, Kuo-Lang
[not found] ` <3F25FE8C477E9E4FB3D42C2FF937C08A8D0B66-7XlYjKTK0pNQxe9IK+vIArfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2008-02-21 21:29 ` Bart De Schuymer
2008-02-19 15:12 ` [Ebtables-devel] [PATCH 0/5] adds ebtables nflog support to ulogd Patrick McHardy