[arptables] rfc: add classify target

[arptables] rfc: add classify target

[Frederic Leroy]

[-- Attachment #1: Type: text/plain, Size: 527 bytes --]

Hello,

I ran into an old problem with Linux [1]. I need to touch the
skb->priority field for arp packet in order to map it to vlan cos.

I wrote a new classify target. Patches for both current linux-stable and
arptables cvs are joined.

For example, if you wan't to put arp packets on vlan 100 with priority,
you can do it like this : 

vconfig set_egressmap eth0.100 7 7
arptables -A OUTPUT -o eth0.100 -j classify --set-class 0:7


[1] http://lists.openwall.net/netdev/2007/06/04/71

-- 
Frédéric Leroy

[-- Attachment #2: arptables_classify.patch --]
[-- Type: text/x-patch, Size: 4198 bytes --]

diff -r e7c5081f9739 arptables.8
--- a/arptables.8	Sat Nov 06 23:20:16 2010 +0100
+++ b/arptables.8	Sun Nov 07 15:07:59 2010 +0100
@@ -297,6 +297,10 @@
 .BR "--mangle-target target "
 Target of ARP mangle operation
 .BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS classify
+.TP
+.BR "--set-class-mac major:minor"
+Classifies arp packet
 
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
diff -r e7c5081f9739 extensions/Makefile
--- a/extensions/Makefile	Sat Nov 06 23:20:16 2010 +0100
+++ b/extensions/Makefile	Sun Nov 07 15:07:59 2010 +0100
@@ -1,6 +1,6 @@
 #! /usr/bin/make
 
-EXT_FUNC+=standard mangle
+EXT_FUNC+=standard mangle classify
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
 
 extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
diff -r e7c5081f9739 extensions/arpt_classify.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/arpt_classify.c	Sun Nov 07 15:07:59 2010 +0100
@@ -0,0 +1,112 @@
+/*
+ * (C) 2010 by Frederic Leroy <fredo@starox.org>
+ *
+ * arpt_classify.c -- arptables extension to classify arp packet
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <arptables.h>
+#include <linux/netfilter_arp/arpt_classify.h>
+
+#define TC_H_MAJ_MASK (0xFFFF0000U)
+#define TC_H_MIN_MASK (0x0000FFFFU)
+#define TC_H_MAJ(h) ((h)&TC_H_MAJ_MASK)
+#define TC_H_MIN(h) ((h)&TC_H_MIN_MASK)
+#define TC_H_MAKE(maj,min) (((maj)&TC_H_MAJ_MASK)|((min)&TC_H_MIN_MASK))
+
+static void
+help(void)
+{
+	printf(
+"classify target v%s options:\n"
+"--set-class major:minor : set the major and minor class value\n",
+	ARPTABLES_VERSION);
+}
+
+#define CLASSIFY_OPT 1
+
+static struct option opts[] = {
+	{ "set-class"   , required_argument, 0, CLASSIFY_OPT },
+	{0}
+};
+
+static void
+init(struct arpt_entry_target *t)
+{
+	struct arpt_classify *classify = (struct arpt_classify *) t->data;
+	classify->priority = 0;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+	const struct arpt_entry *e,
+	struct arpt_entry_target **t)
+{
+	struct arpt_classify *classify = (struct arpt_classify *)(*t)->data;
+	int i,j;
+
+	switch (c) {
+		case CLASSIFY_OPT:
+			if (sscanf(argv[optind-1], "%x:%x", &i, &j) != 2)
+				return 0;
+			classify->priority = TC_H_MAKE(i<<16, j);
+			break;
+		default:
+			return 0;
+	}
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void print(const struct arpt_arp *ip,
+	const struct arpt_entry_target *target, int numeric)
+{
+	struct arpt_classify *t = (struct arpt_classify *)(target->data);
+
+	printf("--set-class %x:%x ", TC_H_MAJ(t->priority)>>16, TC_H_MIN(t->priority));
+}
+
+static void
+save(const struct arpt_arp *ip, const struct arpt_entry_target *target)
+{
+}
+
+static
+struct arptables_target change
+= { NULL,
+	"classify",
+	ARPTABLES_VERSION,
+	ARPT_ALIGN(sizeof(struct arpt_classify)),
+	ARPT_ALIGN(sizeof(struct arpt_classify)),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&change);
+}
diff -r e7c5081f9739 include/linux/netfilter_arp/arpt_classify.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/include/linux/netfilter_arp/arpt_classify.h	Sun Nov 07 15:07:59 2010 +0100
@@ -0,0 +1,9 @@
+#ifndef _ARPT_CLASSIFY_H
+#define _ARPT_CLASSIFY_H
+
+struct arpt_classify
+{
+	__u32 priority;
+};
+
+#endif /* _ARPT_CLASSIFY */

[-- Attachment #3: arptables_classify_linux.patch --]
[-- Type: text/x-patch, Size: 2832 bytes --]

diff --git a/include/linux/netfilter_arp/arpt_classify.h b/include/linux/netfilter_arp/arpt_classify.h
new file mode 100644
index 0000000..1bbc6d0
--- /dev/null
+++ b/include/linux/netfilter_arp/arpt_classify.h
@@ -0,0 +1,9 @@
+#ifndef _ARPT_CLASSIFY_H
+#define _ARPT_CLASSIFY_H
+
+struct arpt_classify
+{
+	__u32 priority;
+};
+
+#endif /* _ARPT_CLASSIFY */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index babd1a2..4f10dbf 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -386,6 +386,17 @@ config IP_NF_ARP_MANGLE
 	  Allows altering the ARP packet payload: source and destination
 	  hardware and network addresses.
 
+config IP_NF_ARP_CLASSIFY
+	tristate "ARP packet classification target"
+	help
+	  This option adds a `classify' target, which enables the user to set
+	  the priority of an arp packet. Some qdiscs can use this value for
+	  classification, among these are:
+
+  	  atm, cbq, dsmark, pfifo_fast, htb, prio
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 endif # IP_NF_ARPTABLES
 
 endmenu
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 4811159..a5387dc 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -65,6 +65,7 @@ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
 obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o
+obj-$(CONFIG_IP_NF_ARP_CLASSIFY) += arpt_classify.o
 
 # just filtering instance of ARP tables for now
 obj-$(CONFIG_IP_NF_ARPFILTER) += arptable_filter.o
diff --git a/net/ipv4/netfilter/arpt_classify.c b/net/ipv4/netfilter/arpt_classify.c
new file mode 100644
index 0000000..39aa0c3
--- /dev/null
+++ b/net/ipv4/netfilter/arpt_classify.c
@@ -0,0 +1,41 @@
+/* module that allows classification of arp packet */
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_arp/arpt_classify.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Frederic Leroy <fredo@starox.org>");
+MODULE_DESCRIPTION("arptables arp classify target");
+
+static unsigned int
+target(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	const struct arpt_classify *classify = par->targinfo;
+
+	skb->priority=classify->priority;
+
+	return XT_CONTINUE;
+}
+
+static struct xt_target arpt_classify_reg __read_mostly = {
+	.name		= "classify",
+	.family		= NFPROTO_ARP,
+	.target		= target,
+	.targetsize	= sizeof(struct arpt_classify),
+	.checkentry	= NULL,
+	.me		= THIS_MODULE,
+};
+
+static int __init arpt_classify_init(void)
+{
+	return xt_register_target(&arpt_classify_reg);
+}
+
+static void __exit arpt_classify_fini(void)
+{
+	xt_unregister_target(&arpt_classify_reg);
+}
+
+module_init(arpt_classify_init);
+module_exit(arpt_classify_fini);

Re: [arptables] rfc: add classify target

[Jan Engelhardt]

On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
>
>I wrote a new classify target. Patches for both current linux-stable and
>arptables cvs are joined.
>
>+++ b/net/ipv4/netfilter/arpt_classify.c
>@@ -0,0 +1,41 @@
>+/* module that allows classification of arp packet */
>+#include <linux/module.h>
>+#include <linux/netfilter.h>
>+#include <linux/netfilter/x_tables.h>
>+#include <linux/netfilter_arp/arpt_classify.h>
>+
>+MODULE_LICENSE("GPL");
>+MODULE_AUTHOR("Frederic Leroy <fredo@starox.org>");
>+MODULE_DESCRIPTION("arptables arp classify target");
>+
>+static unsigned int
>+target(struct sk_buff *skb, const struct xt_action_param *par)
>+{
>+	const struct arpt_classify *classify = par->targinfo;
>+
>+	skb->priority=classify->priority;
>+
>+	return XT_CONTINUE;
>+}

Why did you not update xt_CLASSIFY instead?

Re: [arptables] rfc: add classify target

[Patrick McHardy]

Am 07.11.2010 16:18, schrieb Jan Engelhardt:
> On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
>>
>> I wrote a new classify target. Patches for both current linux-stable and
>> arptables cvs are joined.
>>
>> +++ b/net/ipv4/netfilter/arpt_classify.c
>> @@ -0,0 +1,41 @@
>> +/* module that allows classification of arp packet */
>> +#include <linux/module.h>
>> +#include <linux/netfilter.h>
>> +#include <linux/netfilter/x_tables.h>
>> +#include <linux/netfilter_arp/arpt_classify.h>
>> +
>> +MODULE_LICENSE("GPL");
>> +MODULE_AUTHOR("Frederic Leroy <fredo@starox.org>");
>> +MODULE_DESCRIPTION("arptables arp classify target");
>> +
>> +static unsigned int
>> +target(struct sk_buff *skb, const struct xt_action_param *par)
>> +{
>> +	const struct arpt_classify *classify = par->targinfo;
>> +
>> +	skb->priority=classify->priority;
>> +
>> +	return XT_CONTINUE;
>> +}
> 
> Why did you not update xt_CLASSIFY instead?

Actually we already register for NFPROTO_UNSPEC, so simply
adding a userspace extension should do the job.

Re: [arptables] rfc: add classify target

[Frederic Leroy]

On Tue, Nov 09, 2010 at 03:25:26PM +0100, Patrick McHardy wrote:
> Am 07.11.2010 16:18, schrieb Jan Engelhardt:
> > On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
> Actually we already register for NFPROTO_UNSPEC, so simply
> adding a userspace extension should do the job.

Not really, the mangle table for arp seems to be inexistnet.
And hacking and using the filter table  I got arptables complaining about
chain INPUT missing although the command line with -A OUTPUT.

It seems there need a big work on arptables userspace side.

-- 
Frédéric Leroy
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Patrick McHardy]

Am 09.11.2010 17:10, schrieb Frederic Leroy:
> On Tue, Nov 09, 2010 at 03:25:26PM +0100, Patrick McHardy wrote:
>> Am 07.11.2010 16:18, schrieb Jan Engelhardt:
>>> On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
>> Actually we already register for NFPROTO_UNSPEC, so simply
>> adding a userspace extension should do the job.
> 
> Not really, the mangle table for arp seems to be inexistnet.
> And hacking and using the filter table  I got arptables complaining about
> chain INPUT missing although the command line with -A OUTPUT.
> 
> It seems there need a big work on arptables userspace side.

Actually there is no technical reason for limiting the CLASSIFY
target to the mangle table. You can simply remove this.

Re: [arptables] rfc: add classify target

[Bart De Schuymer]

Op 9/11/2010 17:10, Frederic Leroy schreef:
> On Tue, Nov 09, 2010 at 03:25:26PM +0100, Patrick McHardy wrote:
>> Am 07.11.2010 16:18, schrieb Jan Engelhardt:
>>> On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
>> Actually we already register for NFPROTO_UNSPEC, so simply
>> adding a userspace extension should do the job.
> Not really, the mangle table for arp seems to be inexistnet.
> And hacking and using the filter table  I got arptables complaining about
> chain INPUT missing although the command line with -A OUTPUT.
>
> It seems there need a big work on arptables userspace side.
>
I'm not sure why you think this requires a lot of work on the userspace
side. If you get stuck, feel free to post what you already have and I'll
have a look at it. As it seems the kernel functionality is already
there, I'd be glad to submit your userspace patch.

Best regards,
Bart

-- 
Bart De Schuymer
www.artinalgorithms.be

Re: [arptables] rfc: add classify target

[Frederic Leroy]

[-- Attachment #1: Type: text/plain, Size: 1714 bytes --]

Hello Bart,

Le Tue, 09 Nov 2010 18:39:18 +0100,
Bart De Schuymer <bdschuym@pandora.be> a écrit :

> Op 9/11/2010 17:10, Frederic Leroy schreef:
> > On Tue, Nov 09, 2010 at 03:25:26PM +0100, Patrick McHardy wrote:
> >> Am 07.11.2010 16:18, schrieb Jan Engelhardt:
> >>> On Sunday 2010-11-07 15:26, Frederic Leroy wrote:
> >> Actually we already register for NFPROTO_UNSPEC, so simply
> >> adding a userspace extension should do the job.
> > Not really, the mangle table for arp seems to be inexistnet.
> > And hacking and using the filter table  I got arptables complaining
> > about chain INPUT missing although the command line with -A OUTPUT.
> >
> > It seems there need a big work on arptables userspace side.
> >
> I'm not sure why you think this requires a lot of work on the
> userspace side. If you get stuck, feel free to post what you already
> have and I'll have a look at it. As it seems the kernel functionality
> is already there, I'd be glad to submit your userspace patch.

It may not requires a lot of work to the userspace side, but it doesn't
seem straight for me.
By the way, I joined what I've done for the moment. My free time is
sparse, but I wan't to go until the end :)

+#include <linux/netfilter/xt_CLASSIFY.h>

I have a doubt with this include because arptables have copies of the
kernel header. Should I copy it in arptables ? (compiles fine without
it here)

For the kernel part,I didn't add modalias command because the
userspace don't work yet :

# ./arptables -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but only
usable from FORWARD/OUTPUT/POSTROUTING

-- 
Frédéric Leroy

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: xt_CLASSIFY.all_table.patch --]
[-- Type: text/x-patch, Size: 691 bytes --]

commit 01c54593df8a3e975d76b1ab745abdc26b477379
Author: Frédéric Leroy <fredo@starox.org>
Date:   Tue Nov 9 20:54:47 2010 +0100

    netfilter: xtables: allow xt_CLASSIFY in all tables

diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index c2c0e4a..eb7057a 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -39,7 +39,6 @@ static struct xt_target classify_tg_reg __read_mostly = {
 	.name       = "CLASSIFY",
 	.revision   = 0,
 	.family     = NFPROTO_UNSPEC,
-	.table      = "mangle",
 	.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
 		      (1 << NF_INET_POST_ROUTING),
 	.target     = classify_tg,

[-- Attachment #3: userspace_arptables_CLASSIFY.patch --]
[-- Type: text/x-patch, Size: 3933 bytes --]

diff -r e7c5081f9739 arptables.8
--- a/arptables.8	Sat Nov 06 23:20:16 2010 +0100
+++ b/arptables.8	Tue Nov 09 21:13:44 2010 +0100
@@ -297,6 +297,10 @@
 .BR "--mangle-target target "
 Target of ARP mangle operation
 .BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS CLASSIFY
+.TP
+.BR "--set-class-mac major:minor"
+Classifies arp packet
 
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
diff -r e7c5081f9739 extensions/Makefile
--- a/extensions/Makefile	Sat Nov 06 23:20:16 2010 +0100
+++ b/extensions/Makefile	Tue Nov 09 21:13:44 2010 +0100
@@ -1,6 +1,6 @@
 #! /usr/bin/make
 
-EXT_FUNC+=standard mangle
+EXT_FUNC+=standard mangle CLASSIFY
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
 
 extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
diff -r e7c5081f9739 extensions/arpt_CLASSIFY.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/arpt_CLASSIFY.c	Tue Nov 09 21:13:44 2010 +0100
@@ -0,0 +1,112 @@
+/*
+ * (C) 2010 by Frederic Leroy <fredo@starox.org>
+ *
+ * arpt_classify.c -- arptables extension to classify arp packet
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <arptables.h>
+#include <linux/netfilter/xt_CLASSIFY.h>
+
+#define TC_H_MAJ_MASK (0xFFFF0000U)
+#define TC_H_MIN_MASK (0x0000FFFFU)
+#define TC_H_MAJ(h) ((h)&TC_H_MAJ_MASK)
+#define TC_H_MIN(h) ((h)&TC_H_MIN_MASK)
+#define TC_H_MAKE(maj,min) (((maj)&TC_H_MAJ_MASK)|((min)&TC_H_MIN_MASK))
+
+static void
+help(void)
+{
+	printf(
+"CLASSIFY target v%s options:\n"
+"--set-class major:minor : set the major and minor class value\n",
+	ARPTABLES_VERSION);
+}
+
+#define CLASSIFY_OPT 1
+
+static struct option opts[] = {
+	{ "set-class"   , required_argument, 0, CLASSIFY_OPT },
+	{0}
+};
+
+static void
+init(struct arpt_entry_target *t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *) t->data;
+	classify->priority = 0;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+	const struct arpt_entry *e,
+	struct arpt_entry_target **t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *)(*t)->data;
+	int i,j;
+
+	switch (c) {
+		case CLASSIFY_OPT:
+			if (sscanf(argv[optind-1], "%x:%x", &i, &j) != 2)
+				return 0;
+			classify->priority = TC_H_MAKE(i<<16, j);
+			break;
+		default:
+			return 0;
+	}
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void print(const struct arpt_arp *ip,
+	const struct arpt_entry_target *target, int numeric)
+{
+	struct xt_classify_target_info *t = (struct xt_classify_target_info *)(target->data);
+
+	printf("--set-class %x:%x ", TC_H_MAJ(t->priority)>>16, TC_H_MIN(t->priority));
+}
+
+static void
+save(const struct arpt_arp *ip, const struct arpt_entry_target *target)
+{
+}
+
+static
+struct arptables_target change
+= { NULL,
+	"CLASSIFY",
+	ARPTABLES_VERSION,
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&change);
+}

Re: [arptables] rfc: add classify target

[Jan Engelhardt]

On Tuesday 2010-11-09 21:18, Frederic Leroy wrote:
>
>For the kernel part,I didn't add modalias command because the
>userspace don't work yet :
>
># ./arptables -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
>x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but only
>usable from FORWARD/OUTPUT/POSTROUTING

Here we have a perfect example of the dentrimentality of code duplication.
Hooray for NF_ARP_* not matching NF_INET_*.

Alas, when I originally coded NFPROTO_UNSPEC wildcard support,
I allowed for same-rev overloading, as in:

static struct xt_target classify_tg_reg[] __read_mostly = {
	{
		.name       = "CLASSIFY",
		.revision   = 0,
		.family     = NFPROTO_UNSPEC,
		.table      = "mangle",
		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
		              (1 << NF_INET_POST_ROUTING),
		.target     = classify_tg,
		.targetsize = sizeof(struct xt_classify_target_info),
		.me         = THIS_MODULE,
	},
	{
		.name       = "CLASSIFY",
		.revision   = 0,
		.family     = NFPROTO_ARP,
		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORDWARD),
		.target     = classify_tg,
		.targetsize = sizeof(struct xt_classify_target_info),
		.me         = THIS_MODULE,
	},
};

This should nicely work around the NF_ARP_* hook number deviation
for the time being.

Re: [arptables] rfc: add classify target

[Frederic Leroy]

Le Tue, 9 Nov 2010 21:28:09 +0100 (CET),
Jan Engelhardt <jengelh@medozas.de> a écrit :

> On Tuesday 2010-11-09 21:18, Frederic Leroy wrote:
> >
> >For the kernel part,I didn't add modalias command because the
> >userspace don't work yet :
> >
> ># ./arptables -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
> >x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but
> >only usable from FORWARD/OUTPUT/POSTROUTING
> 
> Here we have a perfect example of the dentrimentality of code
> duplication. Hooray for NF_ARP_* not matching NF_INET_*.

It was what saying me that it would be a lot of work. Move arptables to
match NF_INET_* 

-- 
Frédéric Leroy
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Jan Engelhardt]

On Tuesday 2010-11-09 21:34, Frederic Leroy wrote:
>> On Tuesday 2010-11-09 21:18, Frederic Leroy wrote:
>> >
>> >For the kernel part,I didn't add modalias command because the
>> >userspace don't work yet :
>> >
>> ># ./arptables -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
>> >x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but
>> >only usable from FORWARD/OUTPUT/POSTROUTING
>> 
>> Here we have a perfect example of the dentrimentality of code
>> duplication. Hooray for NF_ARP_* not matching NF_INET_*.
>
>It was what saying me that it would be a lot of work. Move arptables to
>match NF_INET_* 

The actual work is minimal - since you just need to change the values
of the NF_ARP_ constants. The problem is that it is shared with
userspace.

Re: [arptables] rfc: add classify target

[Frederic Leroy]

Le Tue, 9 Nov 2010 22:27:53 +0100 (CET),
Jan Engelhardt <jengelh@medozas.de> a écrit :

> 
> On Tuesday 2010-11-09 21:34, Frederic Leroy wrote:
> >> On Tuesday 2010-11-09 21:18, Frederic Leroy wrote:
> >> >
> >> >For the kernel part,I didn't add modalias command because the
> >> >userspace don't work yet :
> >> >
> >> ># ./arptables -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
> >> >x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but
> >> >only usable from FORWARD/OUTPUT/POSTROUTING
> >> 
> >> Here we have a perfect example of the dentrimentality of code
> >> duplication. Hooray for NF_ARP_* not matching NF_INET_*.
> >
> >It was what saying me that it would be a lot of work. Move arptables
> >to match NF_INET_* 
> 
> The actual work is minimal - since you just need to change the values
> of the NF_ARP_ constants. The problem is that it is shared with
> userspace.

If I remember correctly what I've see sunday, there is some arrays of
size : number of NF_ARP*
There is some code with ->hook[NF_xxx]=yyy

Moreover, when I turned debug on, it outputs me warnings with overflow
on these arrays when I switched to NF_INET.

-- 
Frédéric Leroy
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Frederic Leroy]

[-- Attachment #1: Type: text/plain, Size: 411 bytes --]

Le Tue, 9 Nov 2010 21:28:09 +0100 (CET),
Jan Engelhardt <jengelh@medozas.de> a écrit :

> Alas, when I originally coded NFPROTO_UNSPEC wildcard support,
> I allowed for same-rev overloading, as in:
> 
> static struct xt_target classify_tg_reg[] __read_mostly = {
> 	{
> [...]
> };
> 

Here is a patch against my previous patch with your insights.
I had time to test it. 

-- 
Frédéric Leroy

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: xt_CLASSIFY.arp_table.patch --]
[-- Type: text/x-patch, Size: 2196 bytes --]

commit fdf76e03e17b7d4cd5a160ee3a5b005859eff2fd
Author: Frédéric Leroy <fredo@starox.org>
Date:   Tue Nov 9 21:46:29 2010 +0100

    netfilter: xtables: allow xt_CLASSIFY for arp tables

diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index eb7057a..add7435 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -19,6 +19,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CLASSIFY.h>
+#include <linux/netfilter_arp.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_LICENSE("GPL");
@@ -35,25 +36,37 @@ classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target classify_tg_reg __read_mostly = {
-	.name       = "CLASSIFY",
-	.revision   = 0,
-	.family     = NFPROTO_UNSPEC,
-	.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-		      (1 << NF_INET_POST_ROUTING),
-	.target     = classify_tg,
-	.targetsize = sizeof(struct xt_classify_target_info),
-	.me         = THIS_MODULE,
+static struct xt_target classify_tg_reg[] __read_mostly = {
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.table      = "mangle",
+		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+		              (1 << NF_INET_POST_ROUTING),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_ARP,
+		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init classify_tg_init(void)
 {
-	return xt_register_target(&classify_tg_reg);
+	return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 static void __exit classify_tg_exit(void)
 {
-	xt_unregister_target(&classify_tg_reg);
+	xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 module_init(classify_tg_init);

Re: [arptables] rfc: add classify target

[Patrick McHardy]

On 09.11.2010 21:51, Frederic Leroy wrote:
> Le Tue, 9 Nov 2010 21:28:09 +0100 (CET),
> Jan Engelhardt <jengelh@medozas.de> a écrit :
> 
>> Alas, when I originally coded NFPROTO_UNSPEC wildcard support,
>> I allowed for same-rev overloading, as in:
>>
>> static struct xt_target classify_tg_reg[] __read_mostly = {
>> 	{
>> [...]
>> };
>>
> 
> Here is a patch against my previous patch with your insights.
> I had time to test it. 

This seems like the best we can do for now. Does it work as intended?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Frederic Leroy]

Le Thu, 11 Nov 2010 11:38:41 +0100,
Patrick McHardy <kaber@trash.net> a écrit :

> On 09.11.2010 21:51, Frederic Leroy wrote:
> > Le Tue, 9 Nov 2010 21:28:09 +0100 (CET),
> > Jan Engelhardt <jengelh@medozas.de> a écrit :
> > 
> >> Alas, when I originally coded NFPROTO_UNSPEC wildcard support,
> >> I allowed for same-rev overloading, as in:
> >>
> >> static struct xt_target classify_tg_reg[] __read_mostly = {
> >> 	{
> >> [...]
> >> };
> >>
> > 
> > Here is a patch against my previous patch with your insights.
> > I had time to test it. 
> 
> This seems like the best we can do for now. Does it work as intended?

Yes, it works as intended. 

Nevertheless, I plan to update kernel and arptables to match NF_INET_*.
I should have time to do it for sunday. 

-- 
Frédéric Leroy
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Patrick McHardy]

On 11.11.2010 12:45, Frederic Leroy wrote:
> Le Thu, 11 Nov 2010 11:38:41 +0100,
> Patrick McHardy <kaber@trash.net> a écrit :
> 
>> On 09.11.2010 21:51, Frederic Leroy wrote:
>>> Le Tue, 9 Nov 2010 21:28:09 +0100 (CET),
>>> Jan Engelhardt <jengelh@medozas.de> a écrit :
>>>
>>>> Alas, when I originally coded NFPROTO_UNSPEC wildcard support,
>>>> I allowed for same-rev overloading, as in:
>>>>
>>>> static struct xt_target classify_tg_reg[] __read_mostly = {
>>>> 	{
>>>> [...]
>>>> };
>>>>
>>>
>>> Here is a patch against my previous patch with your insights.
>>> I had time to test it. 
>>
>> This seems like the best we can do for now. Does it work as intended?
> 
> Yes, it works as intended. 
> 
> Nevertheless, I plan to update kernel and arptables to match NF_INET_*.
> I should have time to do it for sunday. 

You can't change the numerical values, that would break compatibility.
That basically leaves the option of using NF_INET_PRE_ROUTING instead
of NF_ARP_IN etc, which would make things highly confusing :)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Frederic Leroy]

[-- Attachment #1: Type: text/plain, Size: 753 bytes --]

Le Fri, 12 Nov 2010 08:49:59 +0100,
Patrick McHardy <kaber@trash.net> a écrit :

> On 11.11.2010 12:45, Frederic Leroy wrote:
> > Le Thu, 11 Nov 2010 11:38:41 +0100,
> > Patrick McHardy <kaber@trash.net> a écrit :
> 
> You can't change the numerical values, that would break compatibility.
> That basically leaves the option of using NF_INET_PRE_ROUTING instead
> of NF_ARP_IN etc, which would make things highly confusing :)

There is no much use of NF_ARP_* in the google codesearch world, but I
understand the need to not break compatibility.

So I joined my last patches to xt_CLASSIFY and arptables. 

I checked that :
- modules are autoloaded
- it works as intended for marking cos on vlan interface.

-- 
Frédéric Leroy

[-- Attachment #2: userspace_arptables_CLASSIFY_20101113.patch --]
[-- Type: text/x-patch, Size: 3937 bytes --]

diff -r e7c5081f9739 arptables.8
--- a/arptables.8	Sat Nov 06 23:20:16 2010 +0100
+++ b/arptables.8	Sat Nov 13 16:12:30 2010 +0100
@@ -297,6 +297,10 @@
 .BR "--mangle-target target "
 Target of ARP mangle operation
 .BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS CLASSIFY
+.TP
+.BR "--set-class-mac major:minor"
+Classifies arp packet
 
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
diff -r e7c5081f9739 extensions/Makefile
--- a/extensions/Makefile	Sat Nov 06 23:20:16 2010 +0100
+++ b/extensions/Makefile	Sat Nov 13 16:12:30 2010 +0100
@@ -1,6 +1,6 @@
 #! /usr/bin/make
 
-EXT_FUNC+=standard mangle
+EXT_FUNC+=standard mangle CLASSIFY
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
 
 extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
diff -r e7c5081f9739 extensions/arpt_CLASSIFY.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/arpt_CLASSIFY.c	Sat Nov 13 16:12:30 2010 +0100
@@ -0,0 +1,112 @@
+/*
+ * (C) 2010 by Frederic Leroy <fredo@starox.org>
+ *
+ * arpt_classify.c -- arptables extension to classify arp packet
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <arptables.h>
+#include <linux/netfilter/xt_CLASSIFY.h>
+
+#define TC_H_MAJ_MASK (0xFFFF0000U)
+#define TC_H_MIN_MASK (0x0000FFFFU)
+#define TC_H_MAJ(h) ((h)&TC_H_MAJ_MASK)
+#define TC_H_MIN(h) ((h)&TC_H_MIN_MASK)
+#define TC_H_MAKE(maj,min) (((maj)&TC_H_MAJ_MASK)|((min)&TC_H_MIN_MASK))
+
+static void
+help(void)
+{
+	printf(
+"CLASSIFY target v%s options:\n"
+"--set-class major:minor : set the major and minor class value\n",
+	ARPTABLES_VERSION);
+}
+
+#define CLASSIFY_OPT 1
+
+static struct option opts[] = {
+	{ "set-class"   , required_argument, 0, CLASSIFY_OPT },
+	{0}
+};
+
+static void
+init(struct arpt_entry_target *t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *) t->data;
+	classify->priority = 0;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+	const struct arpt_entry *e,
+	struct arpt_entry_target **t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *)(*t)->data;
+	int i,j;
+
+	switch (c) {
+		case CLASSIFY_OPT:
+			if (sscanf(argv[optind-1], "%x:%x", &i, &j) != 2)
+				return 0;
+			classify->priority = TC_H_MAKE(i<<16, j);
+			break;
+		default:
+			return 0;
+	}
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void print(const struct arpt_arp *ip,
+	const struct arpt_entry_target *target, int numeric)
+{
+	struct xt_classify_target_info *t = (struct xt_classify_target_info *)(target->data);
+
+	printf("--set-class %x:%x ", TC_H_MAJ(t->priority)>>16, TC_H_MIN(t->priority));
+}
+
+static void
+save(const struct arpt_arp *ip, const struct arpt_entry_target *target)
+{
+}
+
+static
+struct arptables_target classify
+= { NULL,
+	"CLASSIFY",
+	ARPTABLES_VERSION,
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&classify);
+}

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: kernelspace_arptables_CLASSIFY_20101113.patch --]
[-- Type: text/x-patch, Size: 2465 bytes --]

commit 80e6be1186004e7f325482c0f151ab9c9fad155f
Author: Frédéric Leroy <fredo@starox.org>
Date:   Sat Nov 13 16:16:43 2010 +0100

    netfilter: xtables: add arp support, allow CLASSIFY target on any table

diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index c2c0e4a..af9c4da 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -19,12 +19,14 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CLASSIFY.h>
+#include <linux/netfilter_arp.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: Qdisc classification");
 MODULE_ALIAS("ipt_CLASSIFY");
 MODULE_ALIAS("ip6t_CLASSIFY");
+MODULE_ALIAS("arpt_CLASSIFY");
 
 static unsigned int
 classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
@@ -35,26 +37,36 @@ classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target classify_tg_reg __read_mostly = {
-	.name       = "CLASSIFY",
-	.revision   = 0,
-	.family     = NFPROTO_UNSPEC,
-	.table      = "mangle",
-	.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-		      (1 << NF_INET_POST_ROUTING),
-	.target     = classify_tg,
-	.targetsize = sizeof(struct xt_classify_target_info),
-	.me         = THIS_MODULE,
+static struct xt_target classify_tg_reg[] __read_mostly = {
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+		              (1 << NF_INET_POST_ROUTING),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_ARP,
+		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init classify_tg_init(void)
 {
-	return xt_register_target(&classify_tg_reg);
+	return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 static void __exit classify_tg_exit(void)
 {
-	xt_unregister_target(&classify_tg_reg);
+	xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 module_init(classify_tg_init);

Re: [arptables] rfc: add classify target

[Bart De Schuymer]

Apart from my comments below, the userspace patch looks ok:
- I would line up the help and man page entries between arptables and
iptables so noone gets confused. Also, the man page entry refers to
set-class-mac.
- In final_check() you should make sure that the priority has been set
(similar to what's done in libxt_CLASSIFY.c).

cheers,
Bart

On 13-11-10 16:29, Frederic Leroy wrote:
> Le Fri, 12 Nov 2010 08:49:59 +0100,
> Patrick McHardy <kaber@trash.net> a écrit :
>
>> On 11.11.2010 12:45, Frederic Leroy wrote:
>>> Le Thu, 11 Nov 2010 11:38:41 +0100,
>>> Patrick McHardy <kaber@trash.net> a écrit :
>> You can't change the numerical values, that would break compatibility.
>> That basically leaves the option of using NF_INET_PRE_ROUTING instead
>> of NF_ARP_IN etc, which would make things highly confusing :)
> There is no much use of NF_ARP_* in the google codesearch world, but I
> understand the need to not break compatibility.
>
> So I joined my last patches to xt_CLASSIFY and arptables. 
>
> I checked that :
> - modules are autoloaded
> - it works as intended for marking cos on vlan interface.
>


-- 
Bart De Schuymer
www.artinalgorithms.be

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Frederic Leroy]

[-- Attachment #1: Type: text/plain, Size: 521 bytes --]

Le Sun, 14 Nov 2010 16:36:18 +0100,
Bart De Schuymer <bdschuym@pandora.be> a écrit :

> Apart from my comments below, the userspace patch looks ok:
> - I would line up the help and man page entries between arptables and
> iptables so noone gets confused. Also, the man page entry refers to
> set-class-mac.
> - In final_check() you should make sure that the priority has been set
> (similar to what's done in libxt_CLASSIFY.c).

Here it is, largely borrowed from iptables.

Cheers,

-- 
Frédéric Leroy

[-- Attachment #2: userspace_arptables_CLASSIFY_20101115.patch --]
[-- Type: text/x-patch, Size: 4455 bytes --]

diff -r e7c5081f9739 arptables.8
--- a/arptables.8	Sat Nov 06 23:20:16 2010 +0100
+++ b/arptables.8	Mon Nov 15 11:17:34 2010 +0100
@@ -297,6 +297,15 @@
 .BR "--mangle-target target "
 Target of ARP mangle operation
 .BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS CLASSIFY
+This  module  allows you to set the skb->priority value (and thus clas-
+sify the packet into a specific CBQ class).
+
+.TP
+.BR "--set-class major:minor"
+
+Set the major and minor  class  value.  The  values  are  always
+interpreted as hexadecimal even if no 0x prefix is given.
 
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
diff -r e7c5081f9739 extensions/Makefile
--- a/extensions/Makefile	Sat Nov 06 23:20:16 2010 +0100
+++ b/extensions/Makefile	Mon Nov 15 11:17:34 2010 +0100
@@ -1,6 +1,6 @@
 #! /usr/bin/make
 
-EXT_FUNC+=standard mangle
+EXT_FUNC+=standard mangle CLASSIFY
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o)
 
 extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h
diff -r e7c5081f9739 extensions/arpt_CLASSIFY.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/arpt_CLASSIFY.c	Mon Nov 15 11:17:34 2010 +0100
@@ -0,0 +1,121 @@
+/*
+ * (C) 2010 by Frederic Leroy <fredo@starox.org>
+ *
+ * arpt_classify.c -- arptables extension to classify arp packet
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <arptables.h>
+#include <linux/netfilter/xt_CLASSIFY.h>
+
+#define TC_H_MAJ_MASK (0xFFFF0000U)
+#define TC_H_MIN_MASK (0x0000FFFFU)
+#define TC_H_MAJ(h) ((h)&TC_H_MAJ_MASK)
+#define TC_H_MIN(h) ((h)&TC_H_MIN_MASK)
+#define TC_H_MAKE(maj,min) (((maj)&TC_H_MAJ_MASK)|((min)&TC_H_MIN_MASK))
+
+static void
+help(void)
+{
+	printf(
+"CLASSIFY target v%s options:\n"
+"--set-class major:minor : set the major and minor class value\n",
+	ARPTABLES_VERSION);
+}
+
+#define CLASSIFY_OPT 1
+
+static struct option opts[] = {
+	{ "set-class"   , required_argument, 0, CLASSIFY_OPT },
+	{0}
+};
+
+static void
+init(struct arpt_entry_target *t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *) t->data;
+	classify->priority = 0;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+	const struct arpt_entry *e,
+	struct arpt_entry_target **t)
+{
+	struct xt_classify_target_info *classify = (struct xt_classify_target_info *)(*t)->data;
+	int i,j;
+
+	switch (c) {
+		case CLASSIFY_OPT:
+			if (sscanf(argv[optind-1], "%x:%x", &i, &j) != 2) {
+				exit_error(PARAMETER_PROBLEM,
+						"Bad class value `%s'", optarg);
+				return 0;
+			}
+			classify->priority = TC_H_MAKE(i<<16, j);
+			if (*flags)
+				exit_error(PARAMETER_PROBLEM,
+						"CLASSIFY: Can't specify --set-class twice");
+			*flags = 1;
+			break;
+		default:
+			return 0;
+	}
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, "CLASSIFY: Parameter --set-class is required");
+}
+
+static void print(const struct arpt_arp *ip,
+	const struct arpt_entry_target *target, int numeric)
+{
+	struct xt_classify_target_info *t = (struct xt_classify_target_info *)(target->data);
+
+	printf("--set-class %x:%x ", TC_H_MAJ(t->priority)>>16, TC_H_MIN(t->priority));
+}
+
+static void
+save(const struct arpt_arp *ip, const struct arpt_entry_target *target)
+{
+}
+
+static
+struct arptables_target classify
+= { NULL,
+	"CLASSIFY",
+	ARPTABLES_VERSION,
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	ARPT_ALIGN(sizeof(struct xt_classify_target_info)),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&classify);
+}

Re: [arptables] rfc: add classify target

[Bart De Schuymer]

Applied,

Thanks Frederic.

Bart

On 15-11-10 13:32, Frederic Leroy wrote:
> Le Sun, 14 Nov 2010 16:36:18 +0100,
> Bart De Schuymer<bdschuym@pandora.be>  a écrit :
>
>> Apart from my comments below, the userspace patch looks ok:
>> - I would line up the help and man page entries between arptables and
>> iptables so noone gets confused. Also, the man page entry refers to
>> set-class-mac.
>> - In final_check() you should make sure that the priority has been set
>> (similar to what's done in libxt_CLASSIFY.c).
> Here it is, largely borrowed from iptables.
>
> Cheers,
>


-- 
Bart De Schuymer
www.artinalgorithms.be

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [arptables] rfc: add classify target

[Patrick McHardy]

On 13.11.2010 16:29, Frederic Leroy wrote:
> Le Fri, 12 Nov 2010 08:49:59 +0100,
> Patrick McHardy <kaber@trash.net> a écrit :
> 
>> On 11.11.2010 12:45, Frederic Leroy wrote:
>>> Le Thu, 11 Nov 2010 11:38:41 +0100,
>>> Patrick McHardy <kaber@trash.net> a écrit :
>>
>> You can't change the numerical values, that would break compatibility.
>> That basically leaves the option of using NF_INET_PRE_ROUTING instead
>> of NF_ARP_IN etc, which would make things highly confusing :)
> 
> There is no much use of NF_ARP_* in the google codesearch world, but I
> understand the need to not break compatibility.
> 
> So I joined my last patches to xt_CLASSIFY and arptables. 
> 
> I checked that :
> - modules are autoloaded
> - it works as intended for marking cos on vlan interface.
> 

Thanks. Please add a Signed-off-by: line to your patch and I'll apply
it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] netfilter: xtables: add arp support, allow CLASSIFY target on any table

[Frederic Leroy]

Signed-off-by: Frédéric Leroy <fredo@starox.org>
---
 net/netfilter/xt_CLASSIFY.c |   36 ++++++++++++++++++++++++------------
 1 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index c2c0e4a..af9c4da 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -19,12 +19,14 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CLASSIFY.h>
+#include <linux/netfilter_arp.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: Qdisc classification");
 MODULE_ALIAS("ipt_CLASSIFY");
 MODULE_ALIAS("ip6t_CLASSIFY");
+MODULE_ALIAS("arpt_CLASSIFY");
 
 static unsigned int
 classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
@@ -35,26 +37,36 @@ classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target classify_tg_reg __read_mostly = {
-	.name       = "CLASSIFY",
-	.revision   = 0,
-	.family     = NFPROTO_UNSPEC,
-	.table      = "mangle",
-	.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-		      (1 << NF_INET_POST_ROUTING),
-	.target     = classify_tg,
-	.targetsize = sizeof(struct xt_classify_target_info),
-	.me         = THIS_MODULE,
+static struct xt_target classify_tg_reg[] __read_mostly = {
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+		              (1 << NF_INET_POST_ROUTING),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "CLASSIFY",
+		.revision   = 0,
+		.family     = NFPROTO_ARP,
+		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
+		.target     = classify_tg,
+		.targetsize = sizeof(struct xt_classify_target_info),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init classify_tg_init(void)
 {
-	return xt_register_target(&classify_tg_reg);
+	return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 static void __exit classify_tg_exit(void)
 {
-	xt_unregister_target(&classify_tg_reg);
+	xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 
 module_init(classify_tg_init);
-- 
1.7.2.3

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: xtables: add arp support, allow CLASSIFY target on any table

[Patrick McHardy]

On 15.11.2010 13:28, Frederic Leroy wrote:
> Signed-off-by: Frédéric Leroy <fredo@starox.org>

Applied, thanks Frédéric.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html