Hi Bernie,
Thanks for submitting, comment below.
On Thu, Dec 21, 2017 at 01:01:35PM +1300, Bernie Harris wrote:
> This patch is part of a proposal to add a new filter type to
> ebtables that matches on an arbitrary string within the
> encapsulated network-layer packet.
>
> The match starts from the beginning of the network-layer packet.
>
> Signed-off-by: Bernie Harris <bernie.harris@xxxxxxxxxxxxxxxxxxx>
> ---
> include/uapi/linux/netfilter_bridge/ebt_string.h | 16 ++++++
> net/bridge/netfilter/Kconfig | 8 +++
> net/bridge/netfilter/Makefile | 1 +
> net/bridge/netfilter/ebt_string.c | 65 ++++++++++++++++++++++++
> 4 files changed, 90 insertions(+)
> create mode 100644 include/uapi/linux/netfilter_bridge/ebt_string.h
> create mode 100644 net/bridge/netfilter/ebt_string.c
>
> diff --git a/include/uapi/linux/netfilter_bridge/ebt_string.h b/include/uapi/linux/netfilter_bridge/ebt_string.h
> new file mode 100644
> index 000000000000..87d04e9efebd
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_bridge/ebt_string.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +#ifndef __LINUX_BRIDGE_EBT_STRING_H
> +#define __LINUX_BRIDGE_EBT_STRING_H
> +
> +#include <linux/types.h>
> +
> +#define EBT_STRING_MATCH "string"
> +#define MAX_STRING_OCTETS 64
> +
> +struct ebt_string_info {
> + __u16 offset;
> + __u16 length;
> + unsigned char string[MAX_STRING_OCTETS + 1];
> +};
> +
> +#endif
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index e7ef1a1ef3a6..ec1287b3678c 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -154,6 +154,14 @@ config BRIDGE_EBT_VLAN
> This option adds the 802.1Q vlan match, which allows the filtering of
> 802.1Q vlan fields.
>
> + To compile it as a module, choose M here. If unsure, say N.
> +
> +config BRIDGE_EBT_STRING
> + tristate "ebt: string filter support"
> + help
> + This option adds the string match, which allows filtering based on
> + an arbitrary sequence of octets starting from a given offset.
> +
> To compile it as a module, choose M here. If unsure, say N.
> #
> # targets
> diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
> index 2f28e16de6c7..450a84ada5e4 100644
> --- a/net/bridge/netfilter/Makefile
> +++ b/net/bridge/netfilter/Makefile
> @@ -28,6 +28,7 @@ obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
> obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
> obj-$(CONFIG_BRIDGE_EBT_STP) += ebt_stp.o
> obj-$(CONFIG_BRIDGE_EBT_VLAN) += ebt_vlan.o
> +obj-$(CONFIG_BRIDGE_EBT_STRING) += ebt_string.o
>
> # targets
> obj-$(CONFIG_BRIDGE_EBT_ARPREPLY) += ebt_arpreply.o
> diff --git a/net/bridge/netfilter/ebt_string.c b/net/bridge/netfilter/ebt_string.c
> new file mode 100644
> index 000000000000..66770506d3a3
> --- /dev/null
> +++ b/net/bridge/netfilter/ebt_string.c
> @@ -0,0 +1,65 @@
> +/*
> + * string
> + *
> + * Author:
> + * Bernie Harris bernie.harris@xxxxxxxxxxxxxxxxxxx
> + *
> + * October 2017
> + *
> + */
> +#include <linux/module.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter_bridge/ebtables.h>
> +#include <linux/netfilter_bridge/ebt_string.h>
> +
> +static bool
> +ebt_string_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> + const struct ebt_string_info *info = par->matchinfo;
> + unsigned char buf[MAX_STRING_OCTETS + 1];
> + unsigned char *match_start;
> + int i;
> + int offset = skb_network_offset(skb) + info->offset;
> +
> + if (offset + info->length >= skb->len)
> + return false;
> +
> + match_start = skb_header_pointer(skb, offset, info->length, buf);
> +
> + for (i = 0; i < info->length; i++) {
> + if (*(match_start + i) != info->string[i])
> + return false;
> + }
I would prefer something that converges with net/netfilter/xt_string.c
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
