Re: Writing own match module for modern ebtables.

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Fri, Jun 14, 2024 at 09:01:22AM +0200, Pawel Kraszewski wrote:
> Hello!
> 
> I'm trying to write a simple match module for ebtables. Nothing fancy,
> just check ethertype and first 2 bytes of payload. I need to make
> ebtables' dnat, based on a custom in-packet tag:
> 
> > ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS
> 
> Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
> everything now, just a PoC for now), based mostly on ebt_vlan.
> 
> What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I
> mean, it is written, compiled properly, and objdump reports the same
> structure as existing ones (say, libebt_vlan.so). The only slight
> problem is that ebtables doesn't detect or recognize it.
> 
> When running the above ebtables example under strace, it does iterate
> over "standard" libebt_* libraries (with newfstatat() and openat() )
> but doesn't even try to touch mine with a long stick. It doesn't even
> check if it is there.
> 
> When I do a match with existing libebt_* (say vlan), it still does
> iterate over all standard libraries (for iteration's sake) and then
> (apparently, there's no dload() or sth) just ignores libebt_vlan.so
> and pulls NFT gun.
> 
> That's Arch system:
> * ebtables 1.8.10 (nf_tables)
> * iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
> * kernel 6.9.3-hardened1-1-hardened
> 
> I even tried with manually compiled ebtables v2.0.11 (legacy), which
> is, um, dated 2011.
> 
> What are my options now? Any guides on writing both nft kernel modules
> and matching userspace libraries?
> Or just forget all that and use raw @base,offset,length matches?

That is an option, if you provide more info what --MYMATCH-tag 10 does.