* Netfilter Module for NAT IVI available
From: Pierre Rondou @ 2011-05-05  1:18 UTC (permalink / raw)
  To: behave, v6ops, netfilter-devel; +Cc: guy.leduc, evyncke, Cyril Soldani

Hello everybody,

I'm currently a student at the University of Liège. As part of my master's 
thesis, I have to develop a Linux kernel module for IVI ( 
http://datatracker.ietf.org/doc/rfc6219/ ).

I now consider my module finished (i.e., all functionalities are 
implemented) and am publishing it.

It is available on sourceforge:

http://sourceforge.net/projects/nativi/

Feel free to test it and report to me any bug, bad implementation, 
error, ...

If you believe that this module can be included in the Linux kernel or 
in the Xtables-addons framework, I'll be glad and will help you with this 
task.


I have tested my module inside the Xtables-addons framework (version 
1.32) on a Debian squeeze (6.0.1) Linux with a 2.6.32-5 kernel (i686).

Because of the lack of "EXPORT_SYMBOL" in the kernel, I had to 
copy-paste several functions from the kernel into the 
nativi_kernel_code.c file in order to use some features already 
available in the kernel (ip_finish_output, ip6_output, icmp_send).

Documentation is provided in the source code, if you have any question 
don't hesitate to ask me.

Regards,

Pierre RONDOU
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Netfilter Module for NAT IVI available
From: Eric Dumazet @ 2011-05-24 14:56 UTC (permalink / raw)
  To: Pierre Rondou
  Cc: behave, v6ops, netfilter-devel, guy.leduc, evyncke, Cyril Soldani

On Thursday 05 May 2011 at 03:18 +0200, Pierre Rondou wrote:
> Hello everybody,
> 
> I'm currently a student at the University of Liège. As part of my master 
> thesis, I have to develop a Linux kernel module for IVI ( 
> http://datatracker.ietf.org/doc/rfc6219/ ).
> 
> I now consider my module finished (i.e., all functionalities are 
> implemented) and am publishing it.
> 
> It is available on sourceforge:
> 
> http://sourceforge.net/projects/nativi/
> 
> Feel free to test it and report to me any bug, bad implementation, 
> error, ...
> 
> If you believe that this module can be included in the Linux kernel or 
> in the Xtables-addons framework, I'll be glad and will help you with this 
> task.
> 
> 
> I have tested my module inside the Xtables-addons framework (version 
> 1.32) on a debian squeeze (6.0.1) linux with a 2.6.32-5  kernel (i686).
> 
> Because of the lack of "EXPORT_SYMBOL" in the kernel, I had to 
> copy-paste several functions from the kernel into the 
> nativi_kernel_code.c file in order to use some features already 
> available in the kernel (ip_finish_output, ip6_output, icmp_send).
> 
> Documentation is provided in the source code, if you have any question 
> don't hesitate to ask me.
> 

Hi Pierre

1) Are you sure netfilter is the right place for this IVI feature?
   (The fact that you had to copy/paste ~1300 lines of code from the kernel
might show that this would be better done as a module hooked into the
forwarding stack?)

2) How can this integrate with a {conntrack enabled} firewall?




* Re: Netfilter Module for NAT IVI available
From: Pierre Rondou @ 2011-05-24 15:46 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: behave, v6ops, netfilter-devel, guy.leduc, evyncke, Cyril Soldani

On 24/05/11 16:56, Eric Dumazet wrote:
> On Thursday 05 May 2011 at 03:18 +0200, Pierre Rondou wrote:
>    
>> Hello everybody,
>>
>> I'm currently a student at the University of Liège. As part of my master
>> thesis, I have to develop a Linux kernel module for IVI (
>> http://datatracker.ietf.org/doc/rfc6219/ ).
>>
>> I now consider my module finished (i.e., all functionalities are
>> implemented) and am publishing it.
>>
>> It is available on sourceforge:
>>
>> http://sourceforge.net/projects/nativi/
>>
>> Feel free to test it and report to me any bug, bad implementation,
>> error, ...
>>
>> If you believe that this module can be included in the Linux kernel or
>> in the Xtables-addons framework, I'll be glad and will help you with this
>> task.
>>
>>
>> I have tested my module inside the Xtables-addons framework (version
>> 1.32) on a debian squeeze (6.0.1) linux with a 2.6.32-5  kernel (i686).
>>
>> Because of the lack of "EXPORT_SYMBOL" in the kernel, I had to
>> copy-paste several functions from the kernel into the
>> nativi_kernel_code.c file in order to use some features already
>> available in the kernel (ip_finish_output, ip6_output, icmp_send).
>>
>> Documentation is provided in the source code, if you have any question
>> don't hesitate to ask me.
>>
>>      
> Hi Pierre
>
> 1) Are you sure netfilter is the right place for this IVI feature ?
>     (fact that you had to copy/paste ~1300 lines of code from kernel
> might show that this would be better to use a module hooked into
> forwarding stack ?)
>    
I used Xtables to produce my module; the fact is that I was (and still am) a 
kernel newbie, and Xtables seemed to be a good way to produce this code.
I'm not sure what you're referring to; are you suggesting I should 
have developed the module directly in the kernel?

> 2) How can this integrate with a {conntrack enabled} firewall?
>
>    

I can't... It's a drawback of the module. The fact is that I found only 
very little documentation about the conntrack code, so I dropped the 
idea of dealing with it.
But it shouldn't be difficult to update conntrack for a kernel pro, I 
guess ;-)

Regards,

Pierre

* Re: Netfilter Module for NAT IVI available
From: Eric Dumazet @ 2011-05-24 15:55 UTC (permalink / raw)
  To: Pierre Rondou
  Cc: behave, v6ops, netfilter-devel, guy.leduc, evyncke, Cyril Soldani

On Tuesday 24 May 2011 at 17:46 +0200, Pierre Rondou wrote:
> On 24/05/11 16:56, Eric Dumazet wrote:
> > On Thursday 05 May 2011 at 03:18 +0200, Pierre Rondou wrote:
> >    
> >> Hello everybody,
> >>
> >> I'm currently a student at the University of Liège. As part of my master
> >> thesis, I have to develop a Linux kernel module for IVI (
> >> http://datatracker.ietf.org/doc/rfc6219/ ).
> >>
> >> I now consider my module finished (i.e., all functionalities are
> >> implemented) and am publishing it.
> >>
> >> It is available on sourceforge:
> >>
> >> http://sourceforge.net/projects/nativi/
> >>
> >> Feel free to test it and report to me any bug, bad implementation,
> >> error, ...
> >>
> >> If you believe that this module can be included in the Linux kernel or
> >> in the Xtables-addons framework, I'll be glad and will help you with this
> >> task.
> >>
> >>
> >> I have tested my module inside the Xtables-addons framework (version
> >> 1.32) on a debian squeeze (6.0.1) linux with a 2.6.32-5  kernel (i686).
> >>
> >> Because of the lack of "EXPORT_SYMBOL" in the kernel, I had to
> >> copy-paste several functions from the kernel into the
> >> nativi_kernel_code.c file in order to use some features already
> >> available in the kernel (ip_finish_output, ip6_output, icmp_send).
> >>
> >> Documentation is provided in the source code, if you have any question
> >> don't hesitate to ask me.
> >>
> >>      
> > Hi Pierre
> >
> > 1) Are you sure netfilter is the right place for this IVI feature ?
> >     (fact that you had to copy/paste ~1300 lines of code from kernel
> > might show that this would be better to use a module hooked into
> > forwarding stack ?)
> >    
> I used Xtables to produce my module; the fact is that I was (and still am) a 
> kernel newbie, and Xtables seemed to be a good way to produce this code.
> I'm not sure what you're referring to; are you suggesting I should 
> have developed the module directly in the kernel?
> 

We were all kernel newbies at the very beginning ;)

> > 2) How can this integrate with a {conntrack enabled} firewall?
> >
> >    
> 
> I can't... It's a drawback of the module. The fact is that I found only 
> very little documentation about the conntrack code, so I dropped the 
> idea of dealing with it.
> But it shouldn't be difficult to update conntrack for a kernel pro, I 
> guess ;-)

This has to be discussed before even coding ;)

One packet going through this gateway has one IPv6 side and one IPv4
side. This can be a problem for firewalling (either it's IPv4 or it's
IPv6) and conntracking.




* Re: Netfilter Module for NAT IVI available
From: Pierre Rondou @ 2011-05-25 12:59 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: behave, v6ops, netfilter-devel, guy.leduc, evyncke, Cyril Soldani

On 24/05/11 17:55, Eric Dumazet wrote:
>
>>>>
>>>>          
>>> Hi Pierre
>>>
>>> 1) Are you sure netfilter is the right place for this IVI feature ?
>>>      (fact that you had to copy/paste ~1300 lines of code from kernel
>>> might show that this would be better to use a module hooked into
>>> forwarding stack ?)
>>>
>>>        
>> I used Xtables to produce my module; the fact is that I was (and still am) a
>> kernel newbie, and Xtables seemed to be a good way to produce this code.
>> I'm not sure what you're referring to; are you suggesting I should
>> have developed the module directly in the kernel?
>>
>>      
> We were all kernel newbies at the very beginning ;)
>    

Sure; unfortunately there is no real book to teach new coders what 
they should do.

>    
>>> 2) How can this integrate with a {conntrack enabled} firewall?
>>>
>>>
>>>        
>> I can't... It's a drawback of the module. The fact is that I found only
>> very little documentation about the conntrack code, so I dropped the
>> idea of dealing with it.
>> But it shouldn't be difficult to update conntrack for a kernel pro, I
>> guess ;-)
>>      
> This has to be discussed before even coding ;)
>
> One packet going through this gateway has one IPv6 side and one IPv4
> side. This can be a problem for firewalling (either it's IPv4 or it's
> IPv6) and conntracking.
>
>
>    

It is a problem, that's for sure.
But as stated before, I didn't find any suitable conntrack doc :(
My main thesis goal is to provide a working module; conntrack support 
would be a bonus, but for now I cannot do it on my own because of a 
lack of conntrack knowledge.

* Re: Netfilter Module for NAT IVI available
From: Maciej Żenczykowski @ 2011-05-25 13:09 UTC (permalink / raw)
  To: Pierre Rondou
  Cc: Eric Dumazet, behave, v6ops, netfilter-devel, guy.leduc, evyncke,
	Cyril Soldani

Not that I've really been following the thread, but I think that this
sort of functionality should most likely be developed as a virtual
(tun/tap/veth/sit) style tunnel-like device.

You would use ipv4/ipv6 routing in the normal kernel to direct traffic
out this virtual interface, and immediately ipv6/ipv4 traffic would
come back out of it.

This should allow all the rest of the kernel (including connection
tracking) to function normally - although of course every connection
would be registered in an unrelated way twice (once as v4, once as
v6).

I think this has nice 'black box' semantics.

On Wed, May 25, 2011 at 14:59, Pierre Rondou <prondou@gmail.com> wrote:
> On 24/05/11 17:55, Eric Dumazet wrote:
>>
>>>>>
>>>>>
>>>>
>>>> Hi Pierre
>>>>
>>>> 1) Are you sure netfilter is the right place for this IVI feature ?
>>>>     (fact that you had to copy/paste ~1300 lines of code from kernel
>>>> might show that this would be better to use a module hooked into
>>>> forwarding stack ?)
>>>>
>>>>
>>>
>>> I used Xtables to produce my module; the fact is that I was (and still am) a
>>> kernel newbie, and Xtables seemed to be a good way to produce this code.
>>> I'm not sure what you're referring to; are you suggesting I should
>>> have developed the module directly in the kernel?
>>>
>>>
>>
>> We were all kernel newbies at the very beginning ;)
>>
>
> Sure, unfortunately there is no real book to teach new coders on what they
> should do.
>
>>
>>>>
>>>> 2) How can this integrate with a {conntrack enabled} firewall?
>>>>
>>>>
>>>>
>>>
>>> I can't... It's a drawback of the module. The fact is that I found only
>>> very little documentation about the conntrack code, so I dropped the
>>> idea of dealing with it.
>>> But it shouldn't be difficult to update conntrack for a kernel pro, I
>>> guess ;-)
>>>
>>
>> This has to be discussed before even coding ;)
>>
>> One packet going through this gateway has one IPv6 side and one IPv4
>> side. This can be a problem for firewalling (either it's IPv4 or it's
>> IPv6) and conntracking.
>>
>>
>>
>
> It is a problem, that's for sure.
> But as stated before, I didn't find any suitable conntrack doc :(
> My main thesis goal is to provide a working module; conntrack support would
> be a bonus, but for now I cannot do it on my own because of a lack of
> conntrack knowledge.
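
The following is an added illustration, not code from the thread or from the nativi module, of two points made above: Eric's remark that one packet through the gateway has an IPv6 side and an IPv4 side, so a firewall or conntrack keyed on one family never sees the other, and Maciej's virtual-device design in which routing pushes traffic through the translator so that the same connection is tracked twice, once per family. It assumes the RFC 6052 /32 embedded-address layout under a constructed 2001:db8::/32 prefix (the thread gives neither nativi's prefix nor its mapping), and the Flow type, the demo addresses and the toy rule check are all constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed prefix for this demo (RFC 3849 documentation range). The prefix
# and address mapping the nativi module itself uses are not given in the thread.
IVI_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


class Flow(NamedTuple):
    """A 5-tuple the way a connection tracker keys it (hypothetical type)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def ivi4to6(prefix: ipaddress.IPv6Network, v4) -> ipaddress.IPv6Address:
    """Embed an IPv4 address under a /32 prefix: prefix in bits 0-31, the IPv4
    address in bits 32-63, a zero 'u' octet in bits 64-71, the rest zero.
    This is the RFC 6052 /32 layout, assumed here for the demo."""
    if prefix.prefixlen != 32:
        raise ValueError("demo handles /32 prefixes only")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | (int(v4) << 64))


def ivi6to4(prefix: ipaddress.IPv6Network, v6) -> ipaddress.IPv4Address:
    """Inverse of ivi4to6. Rejects addresses outside the prefix or with a
    non-zero 'u' octet, so a malformed embedded address is never turned into a
    plausible-looking IPv4 address on the other side."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    if (int(v6) >> 56) & 0xFF:
        raise ValueError("bits 64-71 of an embedded address must be zero")
    return ipaddress.IPv4Address((int(v6) >> 64) & 0xFFFFFFFF)


def translate_v6_to_v4(prefix: ipaddress.IPv6Network, flow6: Flow) -> Flow:
    """Stateless translation of the IPv6-side tuple to the IPv4-side tuple:
    only the addresses change, protocol and ports pass through."""
    return Flow(str(ivi6to4(prefix, flow6.src)), str(ivi6to4(prefix, flow6.dst)),
                flow6.proto, flow6.sport, flow6.dport)


def translate_v4_to_v6(prefix: ipaddress.IPv6Network, flow4: Flow) -> Flow:
    """The reverse direction, for packets coming back from the IPv4 side."""
    return Flow(str(ivi4to6(prefix, flow4.src)), str(ivi4to6(prefix, flow4.dst)),
                flow4.proto, flow4.sport, flow4.dport)


def conntrack_entries(prefix: ipaddress.IPv6Network, flow6: Flow) -> dict:
    """What a conntrack table holds when the translator is a virtual device
    that traffic is routed through: the one connection is present twice, once
    as the IPv6 flow entering the device and once as the IPv4 flow leaving it,
    under two keys that conntrack does not relate to each other."""
    flow4 = translate_v6_to_v4(prefix, flow6)
    return {("ipv6", flow6): "ESTABLISHED", ("ipv4", flow4): "ESTABLISHED"}


def rule_matches_dst(rule_dst: str, flow: Flow) -> bool:
    """A toy firewall rule written for one address family. It can only match
    the tuple of its own side, which is the firewalling problem raised above."""
    return ipaddress.ip_address(flow.dst) == ipaddress.ip_address(rule_dst)


def demo() -> dict:
    """Constructed flow: an IPv6-only client (mapped from 198.51.100.7) talking
    to an IPv4 web server 203.0.113.9, as seen on the IPv6 side."""
    flow6 = Flow("2001:db8:c633:6407::", "2001:db8:cb00:7109::", 6, 40000, 80)
    return conntrack_entries(IVI_PREFIX, flow6)


if __name__ == "__main__":
    for (family, flow), state in demo().items():
        print(family, flow, state)
```

Running the demo lists the two entries that a conntrack on either side of the virtual device would hold for one client connection; an IPv4 rule for 203.0.113.9 matches only the IPv4-side entry, so any policy that must hold for the connection has to be written on both sides, or in a translator that knows both tuples. The strict checks in ivi6to4 are there because a translator that silently accepts a non-zero 'u' octet or an address outside its prefix lets an attacker-chosen IPv6 address turn into an IPv4 source the IPv4 side has no reason to distrust.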

* Re: Netfilter Module for NAT IVI available
From: Eric Dumazet @ 2011-05-25 13:16 UTC (permalink / raw)
  To: Maciej Żenczykowski
  Cc: Pierre Rondou, behave, v6ops, netfilter-devel, guy.leduc, evyncke,
	Cyril Soldani

On Wednesday 25 May 2011 at 15:09 +0200, Maciej Żenczykowski wrote:
> Not that I've really been following the thread.
> But I think that this sort of functionality should most likely be
> developed as a virtual (tun/tap/veth/sit) style tunnel-like device.
> 
> You would use ipv4/ipv6 routing in the normal kernel to direct traffic
> out this virtual interface, and immediately ipv6/ipv4 traffic would
> come back out of it.
> 
> This should allow all the rest of the kernel (including connection
> tracking) to function normally - although of course every connection
> would be registered in an unrelated way twice (once as v4, once as
> v6).
> 
> I think this has nice 'black box' semantics.

The CERNET doc refers to: http://linux.ivi2.org/

With an implementation for linux-2.6.18: http://linux.ivi2.org/impl/

This seems enough to me, and not intrusive.

Pierre, you really should discuss why a netfilter module is needed at
all. Maybe you have a pdf or some slides somewhere (no code, but formal
discussion) ?




* Re: Netfilter Module for NAT IVI available
From: Pierre Rondou @ 2011-05-25 13:34 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Maciej Żenczykowski, netfilter-devel, guy.leduc, evyncke,
	Cyril Soldani

On 25/05/11 15:16, Eric Dumazet wrote:
> On Wednesday 25 May 2011 at 15:09 +0200, Maciej Żenczykowski wrote:
>    
>> Not that I've really been following the thread.
>> But I think that this sort of functionality should most likely be
>> developed as a virtual (tun/tap/veth/sit) style tunnel-like device.
>>
>> You would use ipv4/ipv6 routing in the normal kernel to direct traffic
>> out this virtual interface, and immediately ipv6/ipv4 traffic would
>> come back out of it.
>>
>> This should allow all the rest of the kernel (including connection
>> tracking) to function normally - although of course every connection
>> would be registered in an unrelated way twice (once as v4, once as
>> v6).
>>
>> I think this has nice 'black box' semantics.
>>      
> CERNET doc refers to  : http://linux.ivi2.org/
>
> With an implementation for linux-2.6.18 : http://linux.ivi2.org/impl/
>
> This seems enough to me, and not intrusive.
>
> Pierre, you really should discuss why a netfilter module is needed at
> all. Maybe you have a pdf or some slides somewhere (no code, but formal
> discussion) ?
>
>    

Well, as stated before, it is a master's thesis work, so at the time I 
started this work I didn't know anything about the kernel organization 
(even though I have used Linux every day for years).
At first I browsed a bit through the netfilter files, but it was 
nearly impossible to understand which file was related to what; I had no 
clue where to put my transition code.

Then a co-worker came with Jan's ebook (Writing Netfilter Modules) and 
the professors supervising my thesis (Guy Leduc and Eric Vyncke, in copy) 
agreed that it was a good way to implement my translation code.

Now, maybe Maciej's way or CERNET's way of getting it into the kernel is 
better, but as it's a thesis, it has to be my own work and moreover I 
have to understand what I'm doing, which is the case with Jan's 
excellent ebook.

The main drawback with an "in-kernel" module is that there is almost no 
documentation, so I had no idea how and where to put my transition 
module or simply what to do (structures, ...).
