Re: [PATCH] ebtables: Add filter for matching on a string

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 21 Dec 2017 09:18:02 +0100

On Thu, Dec 21, 2017 at 09:17:27AM +0100, Pablo Neira Ayuso wrote:
> Hi again,
> 
> On Thu, Dec 21, 2017 at 01:08:52AM +0100, Pablo Neira Ayuso wrote:
> > > diff --git a/net/bridge/netfilter/ebt_string.c b/net/bridge/netfilter/ebt_string.c
> > > new file mode 100644
> > > index 000000000000..66770506d3a3
> > > --- /dev/null
> > > +++ b/net/bridge/netfilter/ebt_string.c
> > > @@ -0,0 +1,65 @@
> > > +/*
> > > + * string
> > > + *
> > > + * Author:
> > > + * Bernie Harris bernie.harris@xxxxxxxxxxxxxxxxxxx
> > > + *
> > > + * October 2017
> > > + *
> > > + */
> > > +#include <linux/module.h>
> > > +#include <linux/netfilter/x_tables.h>
> > > +#include <linux/netfilter_bridge/ebtables.h>
> > > +#include <linux/netfilter_bridge/ebt_string.h>
> > > +
> > > +static bool
> > > +ebt_string_mt(const struct sk_buff *skb, struct xt_action_param *par)
> > > +{
> > > +	const struct ebt_string_info *info = par->matchinfo;
> > > +	unsigned char buf[MAX_STRING_OCTETS + 1];
> > > +	unsigned char *match_start;
> > > +	int i;
> > > +	int offset = skb_network_offset(skb) + info->offset;
> > > +
> > > +	if (offset + info->length >= skb->len)
> > > +		return false;
> > > +
> > > +	match_start = skb_header_pointer(skb, offset, info->length, buf);
> > > +
> > > +	for (i = 0; i < info->length; i++) {
> > > +		if (*(match_start + i) != info->string[i])
> > > +			return false;
> > > +	}
> > 
> > I would prefer something that converges with net/netfilter/xt_string.c
> 
> This oneliner that I'm attaching plus code in ebtables userspace (see
> iptables/extensions/libxt_string.c for rerefence) to add support for
> the string match in ebtables should suffice.

Forgot attachment, here it comes.

diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 423293ee57c2..be1feddadcf0 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -21,6 +21,7 @@ MODULE_DESCRIPTION("Xtables: string-based matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_string");
 MODULE_ALIAS("ip6t_string");
+MODULE_ALIAS("ebt_string");
 
 static bool
 string_mt(const struct sk_buff *skb, struct xt_action_param *par)




