Although it probably is technically possible, I think you're better off
filtering with matches and actioning with targets. See the iptables owner
match module for filtering on uid and/or gid.

Regards,
Justin Kamerman

On 10-08-30 02:51 PM, Elmar Stellnberger wrote:
> Would it be possible to extend your module so that it only
> drops packages of a certain user or group?
>
> 2010/8/30 Nicola Padovano <nicola.padovano@xxxxxxxxx>:
>
>> Hi all!
>> I've written the following (dummy) module that drops all packets...
>> but... now? After I write the module, can I use it?
>> For example, I want to type:
>> iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
>> but I don't know how to create this new target...
>> I've modified the netfilter Makefile and Kbuild file (in net/netfilter),
>> and then I've done 'make' 'make modules' 'make modules_install', but
>> after I type iptables I get this message:
>>
>> "iptables v1.4.2: Couldn't load target `TAR':/lib/xtables/libipt_TAR.so: cannot open shared object file: No such file or directory"
>>
>> What's my problem?
>>
>> code:
>> #include <linux/module.h>
>> #include <linux/skbuff.h>
>> #include <linux/netfilter_ipv4/ip_tables.h>
>> #include <linux/kernel.h>
>> #include <linux/netfilter.h>
>> #include <linux/netfilter_ipv4.h>
>> #include <linux/netfilter/x_tables.h>
>>
>> static unsigned int xt_tar_target(unsigned int hook,
>>                                   struct sk_buff **skb,
>>                                   const struct net_device *in,
>>                                   const struct net_device *out,
>>                                   int (*okfn)(struct sk_buff*))
>> {
>>         printk(KERN_INFO "ciaociao");
>>         return NF_DROP;
>> }
>>
>> static struct xt_target xt_tar_reg = {
>>         .name = "TAR",
>>         .family = AF_INET,
>>         .proto = IPPROTO_TCP,
>>         .target = xt_tar_target,
>>         .me = THIS_MODULE,
>> };
>>
>> static int __init xt_tar_init(void)
>> {
>>         return xt_register_target(&xt_tar_reg);
>> }
>>
>> static void __exit xt_tar_exit(void)
>> {
>>         xt_unregister_target(&xt_tar_reg);
>> }
>>
>> module_init(xt_tar_init);
>> module_exit(xt_tar_exit);
>>
>> MODULE_DESCRIPTION("np des");
>> MODULE_LICENSE("GPL");
>> MODULE_ALIAS("xt_TAR");

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
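
Added example, not part of the original thread or of anyone's posted code: a small shell helper that builds per-user or per-group DROP rules with the owner match suggested in the reply, instead of a custom target. The helper name owner_drop_rule and the sample ids are assumptions; the script only prints the iptables commands and rejects chains where the owner match is not valid.

```shell
#!/bin/sh
# Build (print, not run) iptables rules that drop packets by socket owner.
# The owner match inspects the local socket that created a packet, and it is
# valid only in the OUTPUT and POSTROUTING chains, so a rule in INPUT cannot
# use it.

# owner_drop_rule CHAIN KIND ID [PROTO]  (hypothetical helper name)
#   CHAIN  OUTPUT (filter table) or POSTROUTING (mangle table)
#   KIND   uid or gid
#   ID     numeric uid/gid
#   PROTO  optional protocol name, e.g. icmp
# Prints one iptables command line; returns 1 on invalid input.
owner_drop_rule() {
    chain=$1 kind=$2 id=$3 proto=${4:-}

    case $chain in
        OUTPUT)      table="" ;;
        POSTROUTING) table="-t mangle " ;;
        *) echo "owner match is not valid in chain '$chain'" >&2; return 1 ;;
    esac

    case $kind in
        uid) opt=--uid-owner ;;
        gid) opt=--gid-owner ;;
        *) echo "kind must be uid or gid" >&2; return 1 ;;
    esac

    # Numeric ids and plain protocol names only, so nothing else can reach
    # the generated command line.
    case $id in
        ''|*[!0-9]*) echo "id must be numeric" >&2; return 1 ;;
    esac
    case $proto in
        *[!a-z0-9]*) echo "invalid protocol name" >&2; return 1 ;;
    esac

    printf 'iptables %s-A %s%s -m owner %s %s -j DROP\n' \
        "$table" "$chain" "${proto:+ -p $proto}" "$opt" "$id"
}

# Constructed sample values: uid 1000, gid 100.
owner_drop_rule OUTPUT uid 1000 icmp
owner_drop_rule POSTROUTING gid 100
owner_drop_rule INPUT uid 1000 icmp || echo "INPUT rejected, as expected"
```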