netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: andre@dergraf.org
Cc: netfilter-devel@vger.kernel.org
Subject: Re: PacketScript: packet mangling using the Lua scripting language
Date: Tue, 21 Sep 2010 00:13:20 +0200
Message-ID: <4C97DC80.7050201@netfilter.org>
In-Reply-To: <AANLkTi=mPHY0JqEm+dDH-QwiFvVLq7r_86+_xp8d7TLM@mail.gmail.com>

On 20/09/10 22:04, André Graf wrote:
> Hello
> 
> As a part of my master's thesis I developed PacketScript - a Netfilter
> extension, which enables extending Netfilter with Lua scripts. The Lua
> scripts are loaded with iptables and provide an easy way to deal with
> network packets. Here is a short example:
> 
> # iptables -A INPUT -p tcp -j LUA --script /path/to/my/script.lua
> 
> and the /path/to/my/script.lua can contain a Lua function similar to
> the following: (Lua uses -- for comments)
> 
> -- called by the Netfilter callback function, gets a 'raw' packet
> function process_packet(raw)
>     -- apply the Ethernet dissector
>     ethernet = raw:data(packet_ethernet)
> 
>     -- apply the IP dissector
>     ip = ethernet:data(packet_ip)
> 
>     -- dissect IP source address
>     src = ip:saddr()
>     if src:get() == "192.168.1.1" then
>         -- rewrite IP source address
>         src:set("10.0.0.123")
>         -- accept packet
>         return NF_ACCEPT
>     end
>     -- drop packet
>     return NF_DROP
> end
> 
> PacketScript was not built with a specific network protocol or
> protocol layer in mind, so it offers a simple framework to extend it
> with other protocols. The current version provides rudimentary support
> for Ethernet, IP, ICMP, UDP, TCP, TFTP, and HTTP. For my thesis I also
> developed the possibility to access the Linux workqueue interface
> using Lua.
> 
> At the moment I am cleaning up the code and writing the user
> documentation. But, before I put too much extra effort into it I would
> really like to know your opinion. Thank you!

Interesting approach, I'd like to see what the code looks like to know
what approach you've followed.

BTW, do you have some performance numbers for matching packets with a
Lua-based script?
