Help Building IPT / NFT Extension

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,


I am looking for someone who can help me build an IPTables extension.

I've done a fair bit of initial work, but the information I've acquired does not seem specific enough to help me through the next steps.

I would prefer to deal with one person directly instead of through the forums.


Here is a summary of the history and status of my results to date.


I have an application called 'LANDrive' on my Android G7 Play phone. The tool should allow me to establish a network connection between my phone and computer.

I have an application on my computer called 'Backer' which allows me to backup my computer to external drives. I want to network to my phone so I can backup or transfer files directly to my phone.

The 'LANDrive' app has a strange configurtion. It uses ports 137, 138, and 445 for 'smb/sharing/tcp' but only for a rooted phone. It will use ports 1137, 1138, and 1445 for non-rooted (standard) phones.

The problem is, I need a third app called 'MultiPort Forwarder' which is no longer available for my windows version.

However, the setup information for 'LANDrive' using 'Multiport Forwarder' indicates how the forwarder would work.


LINK: https://tubecast.webrox.fr/landrive/portmapping2.html

CLICK: Connect with Windows Explorer (All other Windows versions)


I have DDWrt installed on my routers, with IPT 1.8.5. I believe the same forwarding could be accomplished using IPTables / NFTables. Using IPT was suggested to me when I posted this topic in the DDWrt forum.


LINK: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=337377


I tried the suggestions and a whole lot of other ideas with no luck.

After extensive research, including the Netfilter 'HowTo' list, I found information on 'TEE' which seemed to indicate IPT could solve my problem.


I've recently downloaded DDWrt source which has IPT 1.8.5. I've figured out the IPT code philosophy (more or less) and found the 'TEE' sources.

Thus far, I've been able to lay out a 'CLONE' extension to accomplish the library handler functions.


The files I've created include (attached):

    libxt_CLONE.c
    libxt_ClONE.man
    libxt_CLONE.t
    libxt_CLONE.txlate

    xt_CLONE.h        (include\...netfilter)


The 'libxt_CLONE.c' has a 'match' and 'target' code.


My idea is to match packets before connection tracking, and create copies in the 'raw' tables (prerouting/output). These packets may need to be marked for identification as 'clones' for later DNAT translation.

Destination matching would occur in POSTROUTING so that destination ports can be modified in packets identified as 'clones'. This would allow returning packages from target ports to have their translations reversed.

Theoretically, this would accomplish  445 <--> 1445, etc and retain network discovery etc.


My current problems are 'next step' issues such as:


    1) How do I examine packets to return a 'match' condition (i.e. pointers etc.)

    2) How do I implement 'target' code to create copies in the stack (i.e. malloc)

    3) How do I modify packets as 'targets' of a rule match (i.e. pointers again)


I get the general ideas of the Kernel vectors, extension loading, netfilter stack, routing tables, routing paths...etc.

More or less, I'm not really sure what functions I need to build, and what functions and pointers I will need to accomplish the physical matching, copying, and modifying of packets.


Cheers,
Christopher


/*** HowTo: CLONE Library Extension ***/
/*
 * This file is both an 'iptables' and 'netfilter' extension, as well as
 * a 'mini-HowTo' for building such extension.
 *
 * The CLONE library extension will duplicate network packets for the
 * purpose of sending packet copies to other destinations or ports.
 *
 *
 * This file should be located in some 'srcpath' such as:
 *
 *   /src/linux/net/iptables/extensions/libxt_CLONE.c
 *
 *
 * This file should be accompanied by a header file in some 'srcpath':
 *
 *   /src/linux/include/netfilter/xt_CLONE.h
 *
 *
 * This file should be accompanied by supporting files in some 'srcpath':
 *
 *   /src/linux/net/iptables/extensions/libxt_CLONE.man
 *   /src/linux/net/iptables/extensions/libxt_CLONE.t
 *   /src/linux/net/iptables/extensions/libxt_CLONE.xlate
 *
 *
 * This file has been created from source code examples in:
 *
 *	libxt_addrtype.c
 *	libxt_TEE.c
 *
 *
 * NOTES:
 *
 * 1) This file has been embellished with comments to help guide others
 *    in the design and development of other libraries.
 *
 * 2) The 'iptables' executable has been replaced with 'nftables', but
 *    'nftables' is provided by the same maintainers as 'iptables'.
 *
 */



/*** HowTo: Excerpt from 'libxt_addrtype.c' ***/

/* Shared library add-on to iptables to add addrtype matching support
 *
 * Copyright (c) 2003-2013 Patrick McHardy <kaber@xxxxxxxxx>
 *
 * This program is released under the terms of GNU GPL
 */



/*** HowTo: Excerpt from 'libxt_TEE.c' ***/

/*
 *	"TEE" target extension for iptables
 *	Copyright © Sebastian Cla�en <sebastian.classen [at] freenet.ag>, 2007
 *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2010
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License; either
 *	version 2 of the License, or any later version, as published by the
 *	Free Software Foundation.
 */



/*** HowTo: Common headers ***/
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter/xt_CLONE.h>



/*** HowTo: Headers from 'libxt_addrtype.c' ***/
/*
#include <strings.h>
#include <linux/netfilter/xt_addrtype.h>
*/



/*** HowTo: Headers from 'libxt_TEE.c' ***/
/*
#include <sys/socket.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdlib.h>

#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>

#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
*/



/*** HowTo: Private 'flags' for extension internals ***/

enum {
 	O_ISCPY,
 	O_ISDUP,
};






/*************************************************************************/
/*** ENTER - CLONE extension rule 'match' functions ***/
/*************************************************************************/



static void clone_chk_help(void)
{

	printf(

	"CLONE extension rule match syntax:\n"
	"   --iscpy           Continue if packet is a clone, else fail\n"
	"   --iscpy [nn]      Continue if packet is a clone number nn, else fail\n"
	"                        default nn = 1\n"
	"                        where: nn = 2-16\n"
	"\n");

};



/*** HowTo: Easy way to 'autoparse' the 'match' command options ***/
/*
 * The 'xt_option_entry' is defined in 'xtables.h'
 * The 'XTTYPE_' and 'XTOPT_' are defined in 'xtables.h'
 * Used by MASTER parsing function 'xt_option_parse()' in 'xtoptions.c'
 */

static const struct xt_option_entry clone_chk_opts[] = {

	{.name = "iscpy", .id = O_ISCPY, .type = XTTYPE_STRING,
		 .flags = XTOPT_MAND},

	{.name = "isdup", .id = O_ISDUP, .type = XTTYPE_UINT8},
	 .min = 2, .max = 16},

	XTOPT_TABLEEND,

};



/* Current 'match' status display output */
static void clone_chk_print(const void *ip, const struct xt_entry_match *match,
                         int numeric)
{

	const struct xt_clone_ops_info *info = (const void *)match->data;

	if (*info->isdup <= 1)
		printf(" iscpy=1", info->iscpy)
	else
		printf(" iscpy=%u", info->isdup);

};



/* Current 'match' status file output -- I think ??? */
static void clone_chk_save(const void *ip, const struct xt_entry_match *match,
                         int numeric)
{

	const struct xt_clone_ops_info *info = (const void *)match->data;

	if (*info->isdup <= 1)
		printf(" iscpy=1", info->iscpy)
	else
		printf(" iscpy=%u", info->isdup);

};



/* Current 'match' status translate to 'nftables' input file -- I think ??? */
static int clone_chk_xlate(struct xt_xlate *xl,
			const struct xt_xlate_trg_params *params)
{

	const struct xt_clone_ops_info *info = (const void *)params->match->data;

	if (*info->isdup <= 1)
		xt_xlate_add(xl,  " --iscpy", "")
	else
		xt_xlate_add(xl,  " --iscpy %u", info->isdup);

	return 1;

};



/*************************************************************************/
/*** LEAVE - CLONE extension rule 'match' functions ***/
/*************************************************************************/





/*************************************************************************/
/*** ENTER - CLONE extension rule 'target' functions ***/
/*************************************************************************/



static void clone_trg_help(void)
{

	printf(

	"CLONE extension rule target syntax:\n"
	"   [nn]              Create nn clones of selected packet\n"
	"                        default nn = 1\n"
	"                        where: nn = 2-16\n"
	"\n");

};



/*** HowTo: Easy way to 'autoparse' the 'target' command options ***/
/*
 * The 'xt_option_entry' is defined in 'xtables.h'
 * The 'XTTYPE_' and 'XTOPT_' are defined in 'xtables.h'
 * Used by MASTER parsing function 'xt_option_parse()' in 'xtoptions.c'
 */

static const struct xt_option_entry clone_trg_opts[] = {

	{.name = "isdup", .id = O_ISDUP, .type = XTTYPE_UINT8},
	 .min = 2, .max = 16},

	XTOPT_TABLEEND,

};



/* Current 'target' status display output */
static void clone_trg_print(const void *ip, const struct xt_entry_target *target,
                         int numeric)
{
	const struct xt_clone_ops_info *info = (const void *)target->data;

	if (*info->isdup <= 1)
		printf(" 1")
	else
		printf(" %u", info->isdup);

};



/* Current 'target' status file output -- I think ??? */
static void clone_trg_save(const void *ip, const struct xt_entry_target *target)
{

	if (*info->isdup <= 1)
		printf(" 1")
	else
		printf(" %u", info->isdup);

};



/* Current 'target' status translate to 'nftables' input file -- I think ??? */
static int clone_trg_xlate(struct xt_xlate *xl,
			const struct xt_xlate_trg_params *params)
{

	const struct xt_clone_ops_info *info = (const void *)params->target->data;

	if (*info->isdup <= 1)
		xt_xlate_add(xl,  " 1", "")
	else
		xt_xlate_add(xl,  " %u", info->isdup);

	return 1;

};



/*************************************************************************/
/*** ENTER - CLONE extension rule 'target' functions ***/
/*************************************************************************/






/*************************************************************************/
/*** ENTER - CLONE extension 'vector' function registrations ***/
/*************************************************************************/



/*** HowTo: The 'xtables_match' is defined in 'xtables.h' ***/
/*** CLONE: Structure of 'struct xtables_match' for 'match' chains ***/
/*** MATCH: Used by 'command_match()' in 'iptables.c' for '-m' option ***/
/*** MATCH: Used by 'command_match()' in 'xtables.c' for '-m' option ***/
/*** VECTOR: Used by 'xtables_find_match()' via 'command_match()' in 'xshared.c' ***/
static struct xtables_match clone_chk_reg[] = {
	{
		.name          = "CLONE",
		.version       = XTABLES_VERSION,


		/*** CPMB: Not sure what 'family' specifies ***/
		.family        = NFPROTO_IPV4,


		.size          = XT_ALIGN(sizeof(struct xt_clone_ops_info)),
		.userspacesize = offsetof(struct xt_clone_ops_info, priv),
		//.help          = clone_chk_help,
		.print         = clone_chk_print,
		.save          = clone_chk_save,
		.x6_parse      = xtables_option_parse,
		.x6_fcheck     = clone_chk_check,
		.x6_options    = clone_chk_opts,
		.xlate         = clone_chk_xlate,
	},
	{
		.name          = "CLONE",
		.version       = XTABLES_VERSION,


		/*** CPMB: Not sure what 'family' specifies ***/
		.family        = NFPROTO_UNSPEC,


		.size          = XT_ALIGN(sizeof(struct xt_clone_ops_info)),
		.userspacesize = offsetof(struct xt_clone_ops_info, priv),
		//.help          = clone_chk_help,
		.print         = clone_chk_print,
		.save          = clone_chk_save,
		.x6_parse      = xtables_option_parse,
		.x6_fcheck     = clone_chk_check,
		.x6_options    = clone_chk_opts,
		.xlate         = clone_chk_xlate,
	},
};



/*** HowTo: The 'xtables_target' is defined in 'xtables.h' ***/
/*** CLONE: Structure of 'struct xtables_target' for 'target' chains ***/
/*** TARGET: Used by 'command_jump()' in 'iptables.c' for '-j' option ***/
/*** TARGET: Used by 'command_jump()' in 'xtables.c' for '-j' option ***/
/*** VECTOR: Used by 'xtables_find_target()' via 'command_jump()' in 'xshared.c' ***/
static struct xtables_target clone_trg_reg[] = {
	{
		.name          = "CLONE",
		.version       = XTABLES_VERSION,


		/*** CPMB: Not sure what 'family' specifies ***/
		.family        = NFPROTO_IPV4,


		.size          = XT_ALIGN(sizeof(struct xt_clone_ops_info)),
		.userspacesize = offsetof(struct xt_clone_ops_info, priv),
		//.help          = clone_trg_help,
		.print         = clone_trg_print,
		.save          = clone_trg_save,
		.x6_parse      = xtables_option_parse,
		.x6_options    = clone_trg_opts,
		.xlate         = clone_trg_xlate,
	},
	{
		.name          = "CLONE",
		.version       = XTABLES_VERSION,


		/*** CPMB: Not sure what 'family' specifies ***/
		.family        = NFPROTO_UNSPEC,


		.size          = XT_ALIGN(sizeof(struct xt_clone_ops_info)),
		.userspacesize = offsetof(struct xt_clone_ops_info, priv),
		//.help          = clone_trg_help,
		.print         = clone_trg_print,
		.save          = clone_trg_save,
		.x6_parse      = xtables_option_parse,
		.x6_options    = clone_trg_opts,
		.xlate         = clone_trg_xlate,
	},
};



void _init(void)
{

	/*** HowTo: Function 'xtables_register_matches' defined in 'libxtables\xtables.c' ***/
	/*** HowTo: Validate the 'match' structure initial values ***/
	xtables_register_matches(clone_chk_reg, ARRAY_SIZE(clone_chk_reg));

	/*** HowTo: Function 'xtables_register_targets' defined in 'libxtables\xtables.c' ***/
	/*** HowTo: Validate the 'target' structure initial values ***/
	xtables_register_targets(clone_trg_reg, ARRAY_SIZE(clone_trg_reg));

}



/*************************************************************************/
/*** LEAVE - CLONE extension 'vector' function registrations ***/
/*************************************************************************/



The purpose of \fBCLONE\fP as a rule action target, is to clone a selected
packet for routing to other destinations. All cloned packets should
therefore be ignored unless another rule is applied to alter its content,
and thereby validate it for routing. Therefore, \fBCLONE\fP can only be
used in two ways: to clone a packet, or to modify a specific clone.
.PP
As a rule action target, by default \fBCLONE\fP will only make a single
clone of a selected packet. However, you may provide an optional positive
decimal value indicating the number of clones you wish to make. The
allowable maximum number of clones is 16, since any more may do nothing
more than produce network problems.
.PP
When \fBCLONE\fP is used as a rule action target, it must be preceeded by
the -j target jump option. However, \fBCLONE\fP may only be used with the -
t raw table targets, and only in the PREROUTING or OUTPUT chains. These
requirements ensure that all clones will be created before other packet
operations may occur.
.PP
EXAMPLE
.TP
iptables -t raw PREROUTING -p udp -d 192.168.1.2 -j \fBCLONE\fP 2
.PP
When \fBCLONE\fP is used in a rule match command, it should only be used
with the -t nat table option, and must include the --iscpy match command
option.
.PP
This --iscpy match command option will direct \fBCLONE\fP to test a packet
to determine if it is a clone. If the packet is determined to be a clone,
the match command will permit continued rule match evaluations, otherwise,
the match command will terminate the rule match chain.
.PP
The --iscpy match command option may also be followed by a positive decimal
value indicating the clone number to be selected. When such a value is
provided, the clone match command will determine if the packet is a clone,
and which copy of the original packet it is.
.PP
EXAMPLE
.TP
iptables -t raw -A PREROUTING -i eth0 -j \fBCLONE\fP 2
.TP
# Send first copy to another listener.TP
iptables -t nat -A PREROUTING \fBCLONE\fP --iscpy -j REDIRECT --to-ports
1234
.TP
# Send second copy to a remote device.TP
iptables -t nat -A PREROUTING \fBCLONE\fP --iscpy 2 -j DNAT --to
192.168.2.42

Attachment: libxt_CLONE.t
Description: Binary data

Attachment: libxt_CLONE.txlate
Description: Binary data


[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux