PacketScript: packet mangling using the Lua scripting language

PacketScript: packet mangling using the Lua scripting language

[André Graf]

Hello

As a part of my master thesis I developed PacketScript - a Netfilter
extension, which enables to extend Netfilter with Lua scripts. The Lua
scripts are loaded with iptables and provide an easy way to deal with
network packets. Here a short example:

# iptables -A INPUT -p tcp -j LUA --script /path/to/my/script.lua

and the /path/to/my/script.lua can contain a Lua function similar to
the following: (Lua uses -- for comments)

-- called by the Netfilter callback function, gets a 'raw' packet
function process_packet(raw)
    -- apply the Ethernet dissector
    ethernet = raw:data(packet_ethernet)

    -- apply the IP dissector
    ip = ethernet:data(packet_ip)

    -- dissect IP source address
    src = ip:saddr()
    if src:get() == "192.168.1.1" then
        -- rewrite IP source address
        src:set("10.0.0.123")
        -- accept packet
        return NF_ACCEPT
    end
    -- drop packet
    return NF_DROP
end

PacketScript was not build with a specific network protocol or
protocol layer in mind, so it offers a simple framework to extend it
with other protocols. The current version provides rudimentary support
for Ethernet, IP, ICMP, UDP, TCP, TFTP, and HTTP. For my thesis I also
developed the possibility to access the Linux workqueue interface
using Lua.

At the moment I am cleaning up the code and write the user
documentation. But, before I put too much extra effort into it I would
really like to know your opinion. Thank you!

Re: PacketScript: packet mangling using the Lua scripting language

[Pablo Neira Ayuso]

On 20/09/10 22:04, André Graf wrote:
> Hello
> 
> As a part of my master thesis I developed PacketScript - a Netfilter
> extension, which enables to extend Netfilter with Lua scripts. The Lua
> scripts are loaded with iptables and provide an easy way to deal with
> network packets. Here a short example:
> 
> # iptables -A INPUT -p tcp -j LUA --script /path/to/my/script.lua
> 
> and the /path/to/my/script.lua can contain a Lua function similar to
> the following: (Lua uses -- for comments)
> 
> -- called by the Netfilter callback function, gets a 'raw' packet
> function process_packet(raw)
>     -- apply the Ethernet dissector
>     ethernet = raw:data(packet_ethernet)
> 
>     -- apply the IP dissector
>     ip = ethernet:data(packet_ip)
> 
>     -- dissect IP source address
>     src = ip:saddr()
>     if src:get() == "192.168.1.1" then
>         -- rewrite IP source address
>         src:set("10.0.0.123")
>         -- accept packet
>         return NF_ACCEPT
>     end
>     -- drop packet
>     return NF_DROP
> end
> 
> PacketScript was not build with a specific network protocol or
> protocol layer in mind, so it offers a simple framework to extend it
> with other protocols. The current version provides rudimentary support
> for Ethernet, IP, ICMP, UDP, TCP, TFTP, and HTTP. For my thesis I also
> developed the possibility to access the Linux workqueue interface
> using Lua.
> 
> At the moment I am cleaning up the code and write the user
> documentation. But, before I put too much extra effort into it I would
> really like to know your opinion. Thank you!

Interesting approach, I'd like to see how the code looks like to know
what approach you've followed.

BTW, do you have some performance numbers in matching packets with
lua-based script?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html