* checkentry function
From: Nicola Padovano @ 2010-10-02 11:59 UTC
To: netfilter-devel, netdev

Hello there.
I've written checkentry function to check my new target, in this way:

[CHECK_ENTRY_CODE]
static bool xt_tarpit_check(const char *tablename, const void *entry,
                            const struct xt_target *target, void *targinfo,
                            unsigned int hook_mask)
{
        if (strcmp(tablename, "filter")) {
                printk(KERN_INFO "DEBUG: the tablename (not FILTER) is %s\n", tablename);
                return false;
        }
        return true;
}
[/CHECK_ENTRY_CODE]

but it doesn't work.
In fact if I do:

iptables -A INPUT -t filter -s 192.168.0.1 -p tcp -j TAR

the printk prints this message: DEBUG: the tablename (not FILTER) is: �%H �

so: in the tablename I haven't the string "filter"...what's the matter?

--
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadovano.altervista.org

"My only ambition is not be anything at all; it seems the most sensible thing"
(C. Bukowski)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

* Re: checkentry function
From: Stephen Hemminger @ 2010-10-05 5:46 UTC
To: Nicola Padovano; +Cc: netfilter-devel, netdev

On Sat, 2 Oct 2010 13:59:30 +0200
Nicola Padovano <nicola.padovano@gmail.com> wrote:

> Hello there.
> I've written checkentry function to check my new target, in this way:
>
> [CHECK_ENTRY_CODE]
> static bool xt_tarpit_check(const char *tablename, const void *entry,
>                             const struct xt_target *target, void *targinfo,
>                             unsigned int hook_mask)
> {
>         if (strcmp(tablename, "filter")) {
>                 printk(KERN_INFO "DEBUG: the tablename (not FILTER) is %s\n", tablename);
>                 return false;
>         }
>         return true;
> }
> [/CHECK_ENTRY_CODE]
>
> but it doesn't work.
> In fact if I do:
>
> iptables -A INPUT -t filter -s 192.168.0.1 -p tcp -j TAR
>
> the printk prints this message: DEBUG: the tablename (not FILTER) is: �%H �
>
> so: in the tablename I haven't the string "filter"...what's the matter?
>

In current kernels, checkentry returns errno values.
 0 = okay
 <0 is error (example -EINVAL).

* Re: checkentry function
From: Nicola Padovano @ 2010-10-05 5:52 UTC
To: Stephen Hemminger; +Cc: netfilter-devel, netdev

> In current kernels, checkentry returns errno values.
>  0 = okay
>  <0 is error (example -EINVAL).
0 = ok? and then you say 0 is error? which one?

* Re: checkentry function
From: Stephen Hemminger @ 2010-10-05 6:01 UTC
To: Nicola Padovano; +Cc: netfilter-devel, netdev

On Tue, 5 Oct 2010 07:52:39 +0200
Nicola Padovano <nicola.padovano@gmail.com> wrote:

> > In current kernels, checkentry returns errno values.
> >  0 = okay
> >  <0 is error (example -EINVAL).
> 0 = ok? and then you say 0 is error? which one?
>

Negative (ie < 0) is used for error numbers. This is confusing
because in older kernels the checkentry returned a bool which
is defined as 1 okay and 0 for error.

* Re: checkentry function
From: Nicola Padovano @ 2010-10-05 6:11 UTC
To: Stephen Hemminger; +Cc: netfilter-devel, netdev

>
> Negative (ie < 0) is used for error numbers. This is confusing
> because in older kernels the checkentry returned a bool which
> is defined as 1 okay and 0 for error.
>
OK, I see.

And why do I have this output?
DEBUG: the tablename (not FILTER) is: �%H �

I want to block my target if the table name is NOT filter...so I write:

[CODE]
...
if (strcmp(tablename, "filter")) {
        printk(KERN_INFO "DEBUG: the tablename (not FILTER) is %s\n", tablename);
        return ERROR_VALUE; // < 0
}
[/CODE]

but in the tablename variable I haven't the table's right value (but I
have: �%H � a wrong value)...what's the problem?

* Re: checkentry function
From: Eric Dumazet @ 2010-10-05 6:23 UTC
To: Nicola Padovano; +Cc: Stephen Hemminger, netfilter-devel, netdev

On Tuesday 05 October 2010 at 08:11 +0200, Nicola Padovano wrote:
> >
> > Negative (ie < 0) is used for error numbers. This is confusing
> > because in older kernels the checkentry returned a bool which
> > is defined as 1 okay and 0 for error.
> >
> OK, I see.
>
> And why do I have this output?
> DEBUG: the tablename (not FILTER) is: �%H �
>
> I want to block my target if the table name is NOT filter...so I write:
>
> [CODE]
> ...
> if (strcmp(tablename, "filter")) {
>         printk(KERN_INFO "DEBUG: the tablename (not FILTER) is %s\n", tablename);
>         return ERROR_VALUE; // < 0
> }
> [/CODE]
>
> but in the tablename variable I haven't the table's right value (but I
> have: �%H � a wrong value)...what's the problem?
>
>

Because xxx_check() signature is not the one you use.

Could you read source code of _current_ existing modules, and use
copy/paste ?

static int hashlimit_mt_check(const struct xt_mtchk_param *par)
{
...
}

* Re: checkentry function
From: Nicola Padovano @ 2010-10-05 11:16 UTC
To: Eric Dumazet; +Cc: Stephen Hemminger, netfilter-devel, netdev

>
> Because xxx_check() signature is not the one you use.
>
> Could you read source code of _current_ existing modules, and use
> copy/paste ?
>
> static int hashlimit_mt_check(const struct xt_mtchk_param *par)
> {
> ...
> }

As I've written in a previous mail, this is the checkentry function
that I use in my source code to check if the iptables command line is
a right line.

[CHECK_ENTRY_CODE]
static bool xt_tarpit_check(const char *tablename, const void *entry,
                            const struct xt_target *target, void *targinfo,
                            unsigned int hook_mask)
{
        if (strcmp(tablename, "filter")) {
                printk(KERN_INFO "DEBUG: the tablename (not FILTER) is %s\n", tablename);
                return false;
        }
        return true;
}
[/CHECK_ENTRY_CODE]

but it doesn't work...NOTE: the module goes inside the function but
the tablename value is a wrong one (also if I set "-t filter" option
in the iptables command line)

I don't know what "static int hashlimit_mt_check(const struct
xt_mtchk_param *par)" is...

thank you

* Re: checkentry function
From: Jan Engelhardt @ 2010-10-05 11:32 UTC
To: Nicola Padovano; +Cc: Eric Dumazet, Stephen Hemminger, netfilter-devel, netdev

On Tuesday 2010-10-05 13:16, Nicola Padovano wrote:
>>
>> Could you read source code of _current_ existing modules, and use
>> copy/paste ?
>>
>> static int hashlimit_mt_check(const struct xt_mtchk_param *par)
>> {
>> ...
>> }
>
>As I've written in a previous mail, this is the checkentry function
>that I use in my source code to check if the iptables command line is
>a right line.
>
>[CHECK_ENTRY_CODE]
>static bool xt_tarpit_check(const char *tablename, const void *entry,
>                            const struct xt_target *target, void *targinfo,
>                            unsigned int hook_mask)
>
>I don't know what "static int hashlimit_mt_check(const struct
>xt_mtchk_param *par)" is...

It's the proper function header.

* Re: checkentry function
From: Nicola Padovano @ 2010-10-05 11:46 UTC
To: Jan Engelhardt; +Cc: Eric Dumazet, Stephen Hemminger, netfilter-devel, netdev

On Tue, Oct 5, 2010 at 1:32 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Tuesday 2010-10-05 13:16, Nicola Padovano wrote:
>>>
>>> Could you read source code of _current_ existing modules, and use
>>> copy/paste ?
>>>
>>> static int hashlimit_mt_check(const struct xt_mtchk_param *par)
>>> {
>>> ...
>>> }
>>
>>As I've written in a previous mail, this is the checkentry function
>>that I use in my source code to check if the iptables command line is
>>a right line.
>>
>>[CHECK_ENTRY_CODE]
>>static bool xt_tarpit_check(const char *tablename, const void *entry,
>>                            const struct xt_target *target, void *targinfo,
>>                            unsigned int hook_mask)
>>
>>I don't know what "static int hashlimit_mt_check(const struct
>>xt_mtchk_param *par)" is...
>
> It's the proper function header.
>

this is the whole code:

[WHOLE_CODE]
static void function_target(const struct sk_buff *oskb, struct rtable *ort)
{
        ...
}

/*
 * target function, called every time the rule is satisfied
 * standard behaviour: NF_DROP
 */
static unsigned int xt_tar_target(struct sk_buff *skb,
                                  const struct net_device *in,
                                  const struct net_device *out,
                                  unsigned int hooknum,
                                  const struct xt_target *target,
                                  const void *targinfo)
{
        struct rtable *rt = (void *)skb->_skb_refdst;

        function_target(skb, rt);
        return NF_DROP;
}

/*
 * xt_tarpit_check, it allows only:
 * 1. raw table & PRE_ROUTING hook or
 * 2. filter table & (LOCAL_IN or FORWARD) hook
 */
static bool xt_function_check(const char *tablename, const void *entry,
                              const struct xt_target *target, void *targinfo,
                              unsigned int hook_mask)
{
        if (strcmp(tablename, "filter")) {
                printk(KERN_INFO "!=filter %s\n", tablename);
                return false;
        }

        return true;
}

static struct xt_target xt_tar_reg = {
        .name       = "FUN",             /* target name */
        .family     = AF_INET,           /* level 3 protocol */
        .proto      = IPPROTO_TCP,       /* we recognize only tcp protocol */
        .target     = xt_tar_target,     /* pointer to target function */
        .checkentry = xt_function_check, /* pointer to check-entry function */
        .me         = THIS_MODULE,
};

/*
 * module init function
 */
static int __init xt_tar_init(void)
{
        return xt_register_target(&xt_tar_reg);
}

/*
 * module exit function
 */
static void __exit xt_tar_exit(void)
{
        xt_unregister_target(&xt_tar_reg);
        printk(KERN_INFO "TARPIT> !!!exit!!! \n");
}

module_init(xt_tar_init);
module_exit(xt_tar_exit);

/* information about the module and its author */
MODULE_DESCRIPTION("TARPIT target, info: http://npadovano.altervista.org");
MODULE_AUTHOR("Nicola Padovano <nicola.padovano@gmail.com>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("xt_TAR");
[/WHOLE_CODE]

* Re: checkentry function
From: Jan Engelhardt @ 2010-10-05 12:03 UTC
To: Nicola Padovano; +Cc: Eric Dumazet, Stephen Hemminger, netfilter-devel, netdev

On Tuesday 2010-10-05 13:46, Nicola Padovano wrote:

>On Tue, Oct 5, 2010 at 1:32 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>> On Tuesday 2010-10-05 13:16, Nicola Padovano wrote:
>>>>
>>>> Could you read source code of _current_ existing modules , and use
>>>> copy/paste ?
>>>>
>>>> static int hashlimit_mt_check(const struct xt_mtchk_param *par)
>>>> {
>>>> ...
>>>> }
>>>
>
>this is the whole code:
>
>[WHOLE_CODE]
>static bool xt_function_check(const char *tablename, const void *entry,
>                              const struct xt_target *target, void *targinfo,
>                              unsigned int hook_mask)
>{
>
>        if (strcmp(tablename, "filter"))
>        {
>                printk(KERN_INFO "!=filter %s\n",tablename);
>                return false;
>        }
>
>        return true;
>}

And as Stephen said, the proper type for current kernels is
(static) bool xt_function_check(const struct xt_mtchk_param *par).
If you are compiling against such, you should have gotten
appropriate warnings from gcc.

* Re: checkentry function
From: Eric Dumazet @ 2010-10-05 12:07 UTC
To: Nicola Padovano
Cc: Jan Engelhardt, Stephen Hemminger, netfilter-devel, netdev

On Tuesday 05 October 2010 at 13:46 +0200, Nicola Padovano wrote:
> On Tue, Oct 5, 2010 at 1:32 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> > On Tuesday 2010-10-05 13:16, Nicola Padovano wrote:
> >>>
> >>> Could you read source code of _current_ existing modules, and use
> >>> copy/paste ?
> >>>
> >>> static int hashlimit_mt_check(const struct xt_mtchk_param *par)
> >>> {
> >>> ...
> >>> }
> >>
> >>As I've written in a previous mail, this is the checkentry function
> >>that I use in my source code to check if the iptables command line is
> >>a right line.
> >>
> >>[CHECK_ENTRY_CODE]
> >>static bool xt_tarpit_check(const char *tablename, const void *entry,
> >>                            const struct xt_target *target, void *targinfo,
> >>                            unsigned int hook_mask)
> >>
> >>I don't know what "static int hashlimit_mt_check(const struct
> >>xt_mtchk_param *par)" is...
> >
> > It's the proper function header.
> >
>
> this is the whole code:
>
> [WHOLE_CODE]
> [/WHOLE_CODE]
>

Nicola

For the second and last time, could you please _read_ _current_ kernel
source code, and correct your code, before asking us ?

We do not support prehistoric kernels.

Thank you

Don't ask us if you are not able to find hashlimit_mt_check() or any
checkentry function in current kernel sources.

# find net/netfilter/ | xargs grep -n _check
net/netfilter/nf_conntrack_proto_dccp.c:596: if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
net/netfilter/nf_conntrack_proto_dccp.c:597: nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
net/netfilter/xt_connmark.c:77:static int connmark_tg_check(const struct xt_tgchk_param *par)
net/netfilter/xt_connmark.c:107:static int connmark_mt_check(const struct xt_mtchk_param *par)
net/netfilter/xt_connmark.c:127: .checkentry = connmark_tg_check,
net/netfilter/xt_connmark.c:138: .checkentry = connmark_mt_check,
net/netfilter/xt_CT.c:57:static int xt_ct_tg_check(const struct xt_tgchk_param *par)
net/netfilter/xt_CT.c:149: .checkentry = xt_ct_tg_check,
...

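Added example, not part of the thread and not kernel or project code: a userspace C model of a target checkentry written against the one-argument form shown in the grep output above (`const struct xt_tgchk_param *par`, returning 0 or a negative errno), enforcing the table and hook policy stated in the comment of the posted module. The cut-down struct, the hook constants, and the names `tar_tg_check` and `check_rule` are stand-ins so that it builds outside the kernel.

```c
/* Userspace model: in a kernel module the struct and hook numbers come
 * from <linux/netfilter/x_tables.h> and <linux/netfilter.h>; the cut-down
 * copies below are stand-ins so this builds outside the kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };

struct xt_tgchk_param {
	const char *table;      /* table the rule is being added to */
	unsigned int hook_mask; /* one bit (1 << hook) per hook reaching the rule */
};

/* Hypothetical target checkentry: 0 accepts the rule, negative errno rejects. */
static int tar_tg_check(const struct xt_tgchk_param *par)
{
	unsigned int allowed;

	if (strcmp(par->table, "raw") == 0)
		allowed = 1u << NF_INET_PRE_ROUTING;
	else if (strcmp(par->table, "filter") == 0)
		allowed = (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD);
	else
		return -EINVAL;         /* any other table is refused */

	/* Refuse if the rule is reachable from a hook outside the allowed set. */
	return (par->hook_mask & ~allowed) ? -EINVAL : 0;
}

/* Helper for the constructed cases below: fill in the parameter block
 * and run the check on it. */
static int check_rule(const char *table, unsigned int hook_mask)
{
	struct xt_tgchk_param par = { .table = table, .hook_mask = hook_mask };
	return tar_tg_check(&par);
}

int main(void)
{
	/* Constructed inputs: filter/INPUT, filter/OUTPUT, raw/PREROUTING, mangle. */
	printf("%d %d %d %d\n",
	       check_rule("filter", 1u << NF_INET_LOCAL_IN),
	       check_rule("filter", 1u << NF_INET_LOCAL_OUT),
	       check_rule("raw", 1u << NF_INET_PRE_ROUTING),
	       check_rule("mangle", 1u << NF_INET_FORWARD));
	return 0;
}
```

When a target is valid in only one table, the same restriction can instead be declared through the `.table` and `.hooks` members of `struct xt_target`, which the x_tables core checks before it calls `checkentry`.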