Writing own match module for modern ebtables.

Hello!

I'm trying to write a simple match module for ebtables. Nothing fancy,
just check ethertype and first 2 bytes of payload. I need to make
ebtables' dnat, based on a custom in-packet tag:

> ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS

Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
everything now, just a PoC for now), based mostly on ebt_vlan.

What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I
mean, it is written, compiled properly, and objdump reports the same
structure as existing ones (say, libebt_vlan.so). The only slight
problem is that ebtables doesn't detect or recognize it.

When running the above ebtables example under strace, it does iterate
over "standard" libebt_* libraries (with newfstatat() and openat() )
but doesn't even try to touch mine with a long stick. It doesn't even
check if it is there.

When I do a match with existing libebt_* (say vlan), it still does
iterate over all standard libraries (for iteration's sake) and then
(apparently, there's no dload() or sth) just ignores libebt_vlan.so
and pulls NFT gun.

That's an Arch system:
* ebtables 1.8.10 (nf_tables)
* iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
* kernel 6.9.3-hardened1-1-hardened

I even tried with manually compiled ebtables v2.0.11 (legacy), which
is, um, dated 2011.

What are my options now? Any guides on writing both nft kernel modules
and matching userspace libraries?
Or just forget all that and use raw @base,offset,length matches?

Best regards,
-- 
 Paweł Kraszewski
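To make the two options in the question concrete, here is an added example (not the poster's ebt_MYMATCH code and not part of the original mail). It models, in Python, the check the kernel match is meant to perform (EtherType plus the first two payload bytes, with one 802.1Q tag skipped since the module is based on ebt_vlan), and it emits the equivalent nft bridge-family match using raw `@ll,offset,length` payload expressions. Everything in it is an assumption for illustration: the EtherType 0x88b5 (the IEEE 802 local experimental EtherType) and the sample frames are constructed, the `bridge nat PREROUTING` chain layout is the one ebtables-nft creates, and `ether daddr set` is taken as the nft counterpart of `-j dnat --to-destination`.

```python
import struct

# Constructed constants for the illustration (not from the original mail).
ETH_P_8021Q = 0x8100   # 802.1Q tag EtherType
ETH_HLEN = 14          # dst(6) + src(6) + ethertype(2)
VLAN_HLEN = 4          # TPID already counted as ethertype; TCI(2) + inner ethertype(2)


def parse_frame(frame):
    """Return (ethertype, payload, payload_offset) for an Ethernet frame.

    One 802.1Q tag is skipped so the check behaves identically on tagged
    and untagged traffic. Truncated headers raise ValueError.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("frame shorter than the Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = ETH_HLEN
    if ethertype == ETH_P_8021Q:
        if len(frame) < ETH_HLEN + VLAN_HLEN:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset += VLAN_HLEN
    return ethertype, frame[offset:], offset


def match_tag(frame, ethertype, tag):
    """The match itself: EtherType equal and first two payload bytes == tag.

    A frame too short to carry the tag simply does not match. A kernel
    match must never read past the data it was handed, so "short" is
    treated as "no match" rather than as an error.
    """
    try:
        etype, payload, _ = parse_frame(frame)
    except ValueError:
        return False
    if etype != ethertype or len(payload) < 2:
        return False
    return struct.unpack_from("!H", payload, 0)[0] == tag


def nft_raw_match(ethertype, tag, vlan=False):
    """Same check as nft raw payload expressions.

    Offsets and lengths are in bits from the start of the link-layer
    header (@ll). Untagged: EtherType at byte 12, payload at byte 14.
    Tagged: one 802.1Q tag, inner EtherType at byte 16, payload at byte 18.
    """
    etype_byte = 16 if vlan else 12
    tag_byte = etype_byte + 2
    parts = []
    if vlan:
        parts.append(f"@ll,96,16 0x{ETH_P_8021Q:04x}")
    parts.append(f"@ll,{etype_byte * 8},16 0x{ethertype:04x}")
    parts.append(f"@ll,{tag_byte * 8},16 0x{tag:04x}")
    return " ".join(parts)


def nft_rule(ethertype, tag, iface, new_dst, vlan=False):
    """The mail's ebtables rule rewritten for nft's bridge family.

    Assumes the table/chain ebtables-nft creates (bridge nat PREROUTING)
    and `ether daddr set` as the dnat equivalent (both are assumptions).
    """
    return (f"nft add rule bridge nat PREROUTING iif {iface} "
            f"{nft_raw_match(ethertype, tag, vlan)} ether daddr set {new_dst}")


def build_frame(ethertype, tag, vlan_id=None):
    """Construct a minimal sample frame (constructed test data, padded to 60 bytes)."""
    hdr = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!HH", ethertype, tag) + bytes(44)


if __name__ == "__main__":
    frame = build_frame(0x88B5, 10)
    print("untagged frame matches:", match_tag(frame, 0x88B5, 10))
    print("tagged frame matches:  ", match_tag(build_frame(0x88B5, 10, vlan_id=5), 0x88B5, 10))
    print(nft_rule(0x88B5, 10, "eth0", "SO:ME:MA:CA:DD:RS"))
    print(nft_rule(0x88B5, 10, "eth0", "SO:ME:MA:CA:DD:RS", vlan=True))
```

The bit offsets are the only piece of arithmetic that matters for the raw-match route: for an untagged frame the check is `@ll,96,16 <ethertype> @ll,112,16 <tag>`, and a single 802.1Q tag shifts both by 32 bits while adding a `@ll,96,16 0x8100` guard in front.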