Target extension with nf_hooks

Target extension with nf_hooks

[Aft nix]

Hi,

Is there any technical difficulties associated with the following scenario:

1) its invoked with $iptables -t mangle -A PREROUTING -j MY_TARGET

2) My target module is initialized as :

static struct xt_target obsf_tg_reg __read_mostly = {

        .name = "OBSF",
        .family = NFPROTO_UNSPEC,
        .target = obsf_tg,
        .checkentry = obsf_tg_check,
        .targetsize = sizeof(struct xt_OBSF_tginfo),
        .me = THIS_MODULE,
};

static int __init obsf_tg_init(void)
{
    return xt_register_target(&obsf_tg_reg);
}

2) Now inside the module, it also registers a nf_hook:


static struct nf_hook_ops inward_obsf_ops __read_mostly = {
    .pf = NFPROTO_IPV4,
    .priority = 1,
    .hooknum = NF_INET_PRE_ROUTING,
    .hook = ibss_obsf_inward_begin,
};

/*
 * Module init and exit functions
 * No need ot worry about them
 */

static int __init ibss_obsf_inward_init(void)
{
    printk(KERN_ALERT "\nPacket_Inward module started ...");
    return nf_register_hook(&inward_obsf_ops);
}

My question is

a) Between ibss_obsf_inward_begin() and obsf_tg() who will be called first?

b) Does this design lead to any inconsistencies?

c) Should i register ibss_ofsf_inward_begin() with different hook ,
say NF_INET_LOCAL_INPUT?

Only example i could find inside 3.7.rc3 kernel tree is :

net/ipv4/ipt_CLUSTERIP.c:540

540 static struct nf_hook_ops cip_arp_ops __read_mostly = {
541         .hook = arp_mangle,
542         .pf = NFPROTO_ARP,
543         .hooknum = NF_ARP_OUT,
544         .priority = -1
545 };

I'm not sure i can do the same for ordinary netfilter module.


--
-aft

Re: Target extension with nf_hooks

[Jan Engelhardt]

On Sunday 2012-11-11 11:56, Aft nix wrote:
>
>static struct xt_target obsf_tg_reg __read_mostly = {
>
>        .name = "OBSF",
>        .family = NFPROTO_UNSPEC,
>        .target = obsf_tg,
>        .checkentry = obsf_tg_check,
>        .targetsize = sizeof(struct xt_OBSF_tginfo),
>        .me = THIS_MODULE,
>};
>
>static struct nf_hook_ops inward_obsf_ops __read_mostly = {
>    .pf = NFPROTO_IPV4,
>    .priority = 1,
>    .hooknum = NF_INET_PRE_ROUTING,
>    .hook = ibss_obsf_inward_begin,
>};
>
>a) Between ibss_obsf_inward_begin() and obsf_tg() who will be called first?

The filter,mangle,etc. tables all have a specific and different priority
assigned (git grep NF_IP_PRI_ include/).

Re: Target extension with nf_hooks

[Aft nix]

On Sun, Nov 11, 2012 at 7:36 PM, Jan Engelhardt <jengelh@inai.de> wrote:
>
> On Sunday 2012-11-11 11:56, Aft nix wrote:
>>
>>static struct xt_target obsf_tg_reg __read_mostly = {
>>
>>        .name = "OBSF",
>>        .family = NFPROTO_UNSPEC,
>>        .target = obsf_tg,
>>        .checkentry = obsf_tg_check,
>>        .targetsize = sizeof(struct xt_OBSF_tginfo),
>>        .me = THIS_MODULE,
>>};
>>
>>static struct nf_hook_ops inward_obsf_ops __read_mostly = {
>>    .pf = NFPROTO_IPV4,
>>    .priority = 1,
>>    .hooknum = NF_INET_PRE_ROUTING,
>>    .hook = ibss_obsf_inward_begin,
>>};
>>
>>a) Between ibss_obsf_inward_begin() and obsf_tg() who will be called first?
>
> The filter,mangle,etc. tables all have a specific and different priority
> assigned (git grep NF_IP_PRI_ include/).

Hi jan,

Thanks for the reply. Now mangle tables has this:

include/uapi/linux/netfilter_ipv4.h:    NF_IP_PRI_MANGLE = -150,

What i get from this list that which table will get priority.

But i'm trying to know which function will be called first? I guess i
should build a demo module to test to see which one called first.

But i'm still confused about which function (one registered with
struct xt_target , another registered with struct nf_hook_ops) will
get priority?

How does a table associated with different chains?


--
-aft

Re: Target extension with nf_hooks

[Jan Engelhardt]

On Sunday 2012-11-11 15:47, Aft nix wrote:
>
>Thanks for the reply. Now mangle tables has this:
>
>include/uapi/linux/netfilter_ipv4.h:    NF_IP_PRI_MANGLE = -150,
>
>What i get from this list that which table will get priority.
>
>But i'm trying to know which function will be called first?

The one with a lower numerical value.
What is to happen when two hooks have the same priority value
is unspecified.

>But i'm still confused about which function (one registered with
>struct xt_target , another registered with struct nf_hook_ops) will
>get priority?

Those are two very different things.

>How does a table associated with different chains?

Re: Target extension with nf_hooks

[arif]

On 11/11/2012 11:15 PM, Jan Engelhardt wrote:
>
> On Sunday 2012-11-11 15:47, Aft nix wrote:
>>
>> Thanks for the reply. Now mangle tables has this:
>>
>> include/uapi/linux/netfilter_ipv4.h:    NF_IP_PRI_MANGLE = -150,
>>
>> What i get from this list that which table will get priority.
>>
>> But i'm trying to know which function will be called first?
>
> The one with a lower numerical value.
> What is to happen when two hooks have the same priority value
> is unspecified.
>
>> But i'm still confused about which function (one registered with
>> struct xt_target , another registered with struct nf_hook_ops) will
>> get priority?
>
> Those are two very different things.
>
>> How does a table associated with different chains?

Thanks for the help. So my use case seems unspecified and can't be done.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Target extension with nf_hooks

[Jan Engelhardt]

On Sunday 2012-12-02 11:58, arif wrote:
>>
>>> But i'm still confused about which function (one registered with
>>> struct xt_target , another registered with struct nf_hook_ops) will
>>> get priority?
>>
>> Those are two very different things.
>>
>>> How does a table associated with different chains?
>
> Thanks for the help. So my use case seems unspecified and can't be done.

Well I don't know, you never said anything about your case.