Re: nft authentication

Dear Mr. Westphal,

yes, it is academic, and what I want to do is user id matching on
non-local users (which means I need to connect the IP address with a
user id or something like that). What I want is to keep the full match
together; nf_queue is a target.
It should be my last year project, but it seems to be impossible to
finalize due to a lack of documentation. An alternative method would be
keeping an array of structs with IP addresses and user IDs in the kernel
and using those.

However, this way I can see what is going on in the userspace application.

The problem is that I cannot get a correct rule created in nft (auth or
the numbers after it are always underlined).

For example all of those fail:

* auth

* auth 1

* auth user 1

* auth 1 1

so I think it cannot find the auth module or something else goes wrong.


lsmod says that it looks ok:

nft_auth               16384  0
nft_reject_inet        16384  1
...
nf_tables              65536  30
nf_tables_inet,nf_tables_ipv4,nf_tables_ipv6,...,nft_auth,...


NFT always ends up with an error like this one:

update link layer protocol context:
 link layer          : inet <-
 network layer       : none
 transport layer     : none

<cmdline>:1:28-33: Evaluate
add rule inet filter input auth 1 accept
                           ^^^^^^
$auth $1

<cmdline>:1:28-33: Evaluate
add rule inet filter input auth 1 accept
                           ^^^^^^
$auth $1

<cmdline>:1:28-31: Evaluate
add rule inet filter input auth 1 accept
                           ^^^^
$auth

Stack now 0 1
Cleanup: popping nterm input (: )
<cmdline>:1:28-31: Error: No symbol type information
add rule inet filter input auth 1 accept


created using this command:

nft --debug all add rule inet filter input auth 1 accept


I hope this helps you to understand the error.


On 2017-03-01 at 00:24, Florian Westphal wrote:
> Fabian Franz <s1410239008@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> I am working on my module but I cannot get the match visible to the nft
>> tool. Could you please give me a hint, what is wrong in the code? I have
>> uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c
> I do not know what 'visible to the nft tool' means.
> No 'obvious' mistake in the register department.
>
> My only comment is that it looks like you are re-inventing the wheels
> we already have, such as nf_log and nf_queue.
>
> If this is a learning exercise, fine, but we have real missing
> functionality that could be added instead.
>
> If this targets upstream, you should really discuss what problem wants
> to be solved.  The building blocks we already have should be enough
> to do uid based authentication.
>
> (something like
>  nf_log/queue -> userspace daemon -> query -> update nft set w. uid)
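As an added illustration of the design Florian sketches in his last line (not code from either poster), here is an nftables ruleset that keeps the authenticated addresses in a set and hands traffic from unknown sources to a userspace daemon over nf_queue; the table and set names, the timeout and the queue number are assumptions.

```nft
# Added example, not part of the thread. Names and numbers are assumed.
table inet filter {
    # Source addresses the userspace daemon has mapped to an authenticated
    # uid. Entries expire unless the daemon refreshes them, so a stale
    # IP-to-user mapping cannot stay authorised forever.
    set authenticated {
        type ipv4_addr
        flags timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Already authenticated sources are decided entirely in the kernel,
        # with no round-trip to userspace.
        ip saddr @authenticated accept

        # New TCP traffic from unknown sources is queued to the daemon
        # (queue 0), which looks up the uid behind the address and issues
        # the verdict. Without the 'bypass' flag, queued packets are
        # dropped when no daemon is listening, so the setup fails closed.
        meta l4proto tcp queue num 0
    }
}
```

Once the daemon has resolved an address to a user, it adds it from userspace with `nft add element inet filter authenticated { 192.0.2.10 timeout 10m }` (192.0.2.10 is a constructed documentation address); subsequent packets from that address then match the set without being queued.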

