On Fri, Jun 14, 2024 at 09:01:22AM +0200, Pawel Kraszewski wrote:
> Hello!
>
> I'm trying to write a simple match module for ebtables. Nothing fancy,
> just check ethertype and first 2 bytes of payload. I need to make
> ebtables' dnat, based on a custom in-packet tag:
>
> > ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS
>
> Kernel module ebt_MYMATCH.ko is almost ready (it just accepts
> everything now, just a PoC for now), based mostly on ebt_vlan.
>
> What I am absolutely stuck on is the xtables/libebt_MYMATCH.so library. I
> mean, it is written, compiled properly, and objdump reports the same
> structure as existing ones (say, libebt_vlan.so). The only slight
> problem is that ebtables doesn't detect or recognize it.
>
> When running the above ebtables example under strace, it does iterate
> over "standard" libebt_* libraries (with newfstatat() and openat())
> but doesn't even try to touch mine with a long stick. It doesn't even
> check if it is there.
>
> When I do a match with an existing libebt_* (say vlan), it still does
> iterate over all standard libraries (for iteration's sake) and then
> (apparently, there's no dlopen() or something) just ignores libebt_vlan.so
> and pulls the NFT gun.
>
> That's an Arch system:
> * ebtables 1.8.10 (nf_tables)
> * iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour)
> * kernel 6.9.3-hardened1-1-hardened
>
> I even tried with manually compiled ebtables v2.0.11 (legacy), which
> is, um, dated 2011.
>
> What are my options now? Any guides on writing both nft kernel modules
> and matching userspace libraries?
> Or just forget all that and use raw @base,offset,length matches?

That is an option, if you provide more info on what --MYMATCH-tag 10 does.
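For reference, the raw-payload route suggested above looks like the following nft ruleset. This is an added example, not code from the thread or from the ebtables/nftables projects. It assumes the custom frames carry ethertype 0x88b5 (a placeholder; the thread never names the real ethertype) and that the tag is a 16-bit big-endian value in the first two payload bytes; the destination MAC is a constructed locally-administered placeholder, and the `ether daddr set` rewrite is assumed to be the nft equivalent of ebtables' dnat target.

```nft
# Added example (not from the thread). Assumptions: ethertype 0x88b5 is a
# placeholder for the custom protocol; the tag is 16 bits big-endian at
# payload offset 0; 02:00:00:00:00:01 is a constructed placeholder MAC.
table bridge nat {
    chain prerouting {
        # bridge family only offers the filter chain type; dstnat is the
        # named priority (-300) used for destination rewrites
        type filter hook prerouting priority dstnat; policy accept;

        # 1. ethertype check, 2. raw payload match: @nh is the start of the
        #    frame payload (byte right after the ethertype), offset 0 bits,
        #    16 bits wide, compared against tag 10 (0x000a),
        # 3. rewrite the destination MAC, 4. count hits for auditing
        iifname "eth0" ether type 0x88b5 @nh,0,16 0x000a \
            ether daddr set 02:00:00:00:00:01 counter
    }
}
```

Save it to a file and run `nft -c -f file.nft` to syntax-check it without loading, then `nft -f file.nft` to load it and `nft list ruleset` to confirm the counter increments on the expected frames. Note that `@nh` is relative to the end of the link-layer header, so if the frames are 802.1Q tagged the ethertype is reached via `vlan type` rather than `ether type`, and the payload offset must be re-checked with a capture before trusting the match.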