uisng L7 filter in ebtables commands

uisng L7 filter in ebtables commands

[agashi shipora]

I want to use L7 filter with ebtables for setting a MARK on the packet
similar to how it is being done with iptables today.

Using brouting the bridge packet can be re-directed to the routing
path traversing the iptables.But all packets arriving on the interface
enslaved to the bridge would have to be brouted.This may not be
acceptable as a solution in my case.

example:
Whats available:
iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 3

What needs to be supported:
ebtables -t nat -A PRE-ROUTING -m layer7 --l7proto edonkey -j MARK --mark-set 3

Is any work going on to port L7 filter to ebtables or does this port
of L7 filter already exist?

Thanks
GP

Re: uisng L7 filter in ebtables commands

[Bart De Schuymer]

agashi shipora wrote:
> I want to use L7 filter with ebtables for setting a MARK on the packet
> similar to how it is being done with iptables today.
> 
> Using brouting the bridge packet can be re-directed to the routing
> path traversing the iptables.But all packets arriving on the interface
> enslaved to the bridge would have to be brouted.This may not be
> acceptable as a solution in my case.
> 
> example:
> Whats available:
> iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 3
> 
> What needs to be supported:
> ebtables -t nat -A PRE-ROUTING -m layer7 --l7proto edonkey -j MARK --mark-set 3
> 
> Is any work going on to port L7 filter to ebtables or does this port
> of L7 filter already exist?
> 

You can use iptables to filter bridged IP traffic, so I don't see the
problem. Just make sure /proc/sys/net/bridge/bridge-nf-call-iptables
contains 1. No need for brouting.

cheers,
Bart


-- 
Bart De Schuymer
www.artinalgorithms.be

Re: uisng L7 filter in ebtables commands

[agashi shipora]

Hi ,

Sorry I forget to mention one more constraint with the linux kernel
source base I am working with.

In the general linux 2.6.30 kernel , iptables are introduced into the
bridge path by selecting the CONFIG_BRIDGE_NETFILTER  option at
compile time which selects the br_netfilter.c which invokes the
traversal of iptables. Also the CONFIG_BRIDGE_NF_EBTABLES option is
dependent on  CONFIG_BRIDGE_NETFILTER being selected.

Whereas in the linux kernel source I am working with (which is also
2.6.30 but customized) CONFIG_BRIDGE_NETFILTER option , though present
in the "make menuconfig" for selection is not compatible with the
customizations , hence results in crash.Here also
CONFIG_BRIDGE_NF_EBTABLES has been made independent of
CONFIG_BRIDGE_NETFILTER.

So as you can see one doesn't have the luxury of iptables in the
bridging path.Hence unable to use the L7 filter with iptables in the
bridging path.

I wasn't aware of the option of setting
/proc/sys/net/bridge/bridge-nf-call-iptables to 1 . But i think this
must be  same as selecting CONFIG_BRIDGE_NETFILTER and hence
br_netfilter.c.

Thanks
GP







On Thu, Apr 1, 2010 at 12:21 PM, Bart De Schuymer <bdschuym@pandora.be> wrote:
> agashi shipora wrote:
>> I want to use L7 filter with ebtables for setting a MARK on the packet
>> similar to how it is being done with iptables today.
>>
>> Using brouting the bridge packet can be re-directed to the routing
>> path traversing the iptables.But all packets arriving on the interface
>> enslaved to the bridge would have to be brouted.This may not be
>> acceptable as a solution in my case.
>>
>> example:
>> Whats available:
>> iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 3
>>
>> What needs to be supported:
>> ebtables -t nat -A PRE-ROUTING -m layer7 --l7proto edonkey -j MARK --mark-set 3
>>
>> Is any work going on to port L7 filter to ebtables or does this port
>> of L7 filter already exist?
>>
>
> You can use iptables to filter bridged IP traffic, so I don't see the
> problem. Just make sure /proc/sys/net/bridge/bridge-nf-call-iptables
> contains 1. No need for brouting.
>
> cheers,
> Bart
>
>
> --
> Bart De Schuymer
> www.artinalgorithms.be
>

Re: uisng L7 filter in ebtables commands

[Jan Engelhardt]

On Thursday 2010-04-01 09:50, agashi shipora wrote:
>
>Whereas in the linux kernel source I am working with (which is also
>2.6.30 but customized) CONFIG_BRIDGE_NETFILTER option , though present
>in the "make menuconfig" for selection is not compatible with the
>customizations , hence results in crash.

So the crash is a result of your own modification, so as far as I
can see, you should fix that, given it's working in a standard kernel.

Re: uisng L7 filter in ebtables commands

[agashi shipora]

Hi ,

The customizations in the linux kernel are provided as binary
modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is been
ruled out.  Thats why I am looking for L7 filter support directly by
ebtables.

Thanks
GP


On Thu, Apr 1, 2010 at 1:30 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Thursday 2010-04-01 09:50, agashi shipora wrote:
>>
>>Whereas in the linux kernel source I am working with (which is also
>>2.6.30 but customized) CONFIG_BRIDGE_NETFILTER option , though present
>>in the "make menuconfig" for selection is not compatible with the
>>customizations , hence results in crash.
>
> So the crash is a result of your own modification, so as far as I
> can see, you should fix that, given it's working in a standard kernel.
>

Re: uisng L7 filter in ebtables commands

[Jan Engelhardt]

>
>The customizations in the linux kernel are provided as binary
>modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is been
>ruled out.  Thats why I am looking for L7 filter support directly by
>ebtables.

The GPL has provisions for getting the source when these modules are 
derivates.

Re: uisng L7 filter in ebtables commands

[Bart De Schuymer]

agashi shipora wrote:
> Hi ,
>
> The customizations in the linux kernel are provided as binary
> modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is been
> ruled out.  Thats why I am looking for L7 filter support directly by
> ebtables.
>
>   
What you're asking for isn't going to be included in the standard Linux
distribution. So you'll either have to make the modifications yourself
or pay someone else to do them for you. Feel free to contact me if the
latter case applies.

cheers,
Bart

-- 
Bart De Schuymer
www.artinalgorithms.be

Re: uisng L7 filter in ebtables commands

[agashi shipora]

Thanks Bart and Jan.

Bart , my boss says I will have to forgo my salary  if we have to get
it done from someone else.
Let me keep my salary .



On Thu, Apr 1, 2010 at 3:50 PM, Bart De Schuymer <bdschuym@pandora.be> wrote:
> agashi shipora wrote:
>> Hi ,
>>
>> The customizations in the linux kernel are provided as binary
>> modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is been
>> ruled out.  Thats why I am looking for L7 filter support directly by
>> ebtables.
>>
>>
> What you're asking for isn't going to be included in the standard Linux
> distribution. So you'll either have to make the modifications yourself
> or pay someone else to do them for you. Feel free to contact me if the
> latter case applies.
>
> cheers,
> Bart
>
> --
> Bart De Schuymer
> www.artinalgorithms.be
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: uisng L7 filter in ebtables commands

[Stephen Hemminger]

On Thu, 1 Apr 2010 15:18:52 +0530
agashi shipora <gashipo@gmail.com> wrote:

> Hi ,
> 
> The customizations in the linux kernel are provided as binary
> modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is been
> ruled out.  Thats why I am looking for L7 filter support directly by
> ebtables.

If you can't get source, ask a friend for help

http://gpl-violations.org/

Re: uisng L7 filter in ebtables commands

[/dev/rob0]

[ Top-posting fixed ]

> On Thu, Apr 1, 2010 at 3:50 PM, Bart De Schuymer 
> <bdschuym@pandora.be> wrote:
> > agashi shipora wrote:
> >> The customizations in the linux kernel are provided as binary 
> >> modules(libraries) hence making CONFIG_BRIDGE_NETFILTER work is 
> >> been ruled out.  Thats why I am looking for L7 filter support 
> >> directly by ebtables.
> >>
> > What you're asking for isn't going to be included in the standard 
> > Linux distribution. So you'll either have to make the 
> > modifications yourself or pay someone else to do them for you. 
> > Feel free to contact me if the latter case applies.

On Thu, Apr 01, 2010 at 07:44:35PM +0530, agashi shipora wrote:
> Bart , my boss says I will have to forgo my salary if we have to 
> get it done from someone else.

That sounds reasonable to me. If you can't do the job, you shouldn't 
collect the pay.

> Let me keep my salary .

That sounds like you are asking for volunteers to earn your salary 
for you. That's not so reasonable.

http://sweet.nodns4.us/
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header