Writing own match module for modern ebtables.

Writing own match module for modern ebtables.

[Pawel Kraszewski]

Hello!

I'm trying to write a simple match module for ebtables. Nothing fancy,
just check ethertype and first 2 bytes of payload. I need to make
ebtables' dnat, based on a custom in-packet tag:

> ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS

Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
everything now, just a PoC for now), based mostly on ebt_vlan.

What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I
mean, it is written, compiled properly, and objdump reports the same
structure as existing ones (say, libebt_vlan.so). The only slight
problem is that ebtables doesn't detect or recognize it.

When running the above ebtables example under strace, it does iterate
over "standard" libebt_* libraries (with newfstatat() and openat() )
but doesn't even try to touch mine with a long stick. It doesn't even
check if it is there.

When I do a match with existing libebt_* (say vlan), it still does
iterate over all standard libraries (for iteration's sake) and then
(apparently, there's no dload() or sth) just ignores libebt_vlan.so
and pulls NFT gun.

That's Arch system:
* ebtables 1.8.10 (nf_tables)
* iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
* kernel 6.9.3-hardened1-1-hardened

I even tried with manually compiled ebtables v2.0.11 (legacy), which
is, um, dated 2011.

What are my options now? Any guides on writing both nft kernel modules
and matching userspace libraries?
Or just forget all that and use raw @base,offset,length matches?

Best regards,
-- 
 Paweł Kraszewski

Re: Writing own match module for modern ebtables.

[Pablo Neira Ayuso]

On Fri, Jun 14, 2024 at 09:01:22AM +0200, Pawel Kraszewski wrote:
> Hello!
> 
> I'm trying to write a simple match module for ebtables. Nothing fancy,
> just check ethertype and first 2 bytes of payload. I need to make
> ebtables' dnat, based on a custom in-packet tag:
> 
> > ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS
> 
> Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
> everything now, just a PoC for now), based mostly on ebt_vlan.
> 
> What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I
> mean, it is written, compiled properly, and objdump reports the same
> structure as existing ones (say, libebt_vlan.so). The only slight
> problem is that ebtables doesn't detect or recognize it.
> 
> When running the above ebtables example under strace, it does iterate
> over "standard" libebt_* libraries (with newfstatat() and openat() )
> but doesn't even try to touch mine with a long stick. It doesn't even
> check if it is there.
> 
> When I do a match with existing libebt_* (say vlan), it still does
> iterate over all standard libraries (for iteration's sake) and then
> (apparently, there's no dload() or sth) just ignores libebt_vlan.so
> and pulls NFT gun.
> 
> That's Arch system:
> * ebtables 1.8.10 (nf_tables)
> * iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
> * kernel 6.9.3-hardened1-1-hardened
> 
> I even tried with manually compiled ebtables v2.0.11 (legacy), which
> is, um, dated 2011.
> 
> What are my options now? Any guides on writing both nft kernel modules
> and matching userspace libraries?
> Or just forget all that and use raw @base,offset,length matches?

That is an option, if you provide more info what --MYMATCH-tag 10 does.

Re: Writing own match module for modern ebtables.

[Pawel Kraszewski]

For starters - verify that ether-type is XXX, lowest bit of byte 0 of
payload is 0 and second byte is YY. I managed to do that with raw
matches, along with "set" to rewrite the destination MAC address. I
assume that putting that in bridge/nat/prerouting chain will do the
trick and the bridge will forward the packet to the new destination.
-- 
 Paweł Kraszewski


pt., 14 cze 2024 o 17:26 Pablo Neira Ayuso <pablo@netfilter.org> napisał(a):
>
> On Fri, Jun 14, 2024 at 09:01:22AM +0200, Pawel Kraszewski wrote:
> > Hello!
> >
> > I'm trying to write a simple match module for ebtables. Nothing fancy,
> > just check ethertype and first 2 bytes of payload. I need to make
> > ebtables' dnat, based on a custom in-packet tag:
> >
> > > ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS
> >
> > Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
> > everything now, just a PoC for now), based mostly on ebt_vlan.
> >
> > What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I
> > mean, it is written, compiled properly, and objdump reports the same
> > structure as existing ones (say, libebt_vlan.so). The only slight
> > problem is that ebtables doesn't detect or recognize it.
> >
> > When running the above ebtables example under strace, it does iterate
> > over "standard" libebt_* libraries (with newfstatat() and openat() )
> > but doesn't even try to touch mine with a long stick. It doesn't even
> > check if it is there.
> >
> > When I do a match with existing libebt_* (say vlan), it still does
> > iterate over all standard libraries (for iteration's sake) and then
> > (apparently, there's no dload() or sth) just ignores libebt_vlan.so
> > and pulls NFT gun.
> >
> > That's Arch system:
> > * ebtables 1.8.10 (nf_tables)
> > * iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
> > * kernel 6.9.3-hardened1-1-hardened
> >
> > I even tried with manually compiled ebtables v2.0.11 (legacy), which
> > is, um, dated 2011.
> >
> > What are my options now? Any guides on writing both nft kernel modules
> > and matching userspace libraries?
> > Or just forget all that and use raw @base,offset,length matches?
>
> That is an option, if you provide more info what --MYMATCH-tag 10 does.