Hi Bernie,

Thanks for submitting, comment below.

On Thu, Dec 21, 2017 at 01:01:35PM +1300, Bernie Harris wrote:
> This patch is part of a proposal to add a new filter type to
> ebtables that matches on an arbitrary string within the
> encapsulated network-layer packet.
> 
> The match starts from the beginning of the network-layer packet.
> 
> Signed-off-by: Bernie Harris <[email protected]>
> ---
>  include/uapi/linux/netfilter_bridge/ebt_string.h | 16 ++++++
>  net/bridge/netfilter/Kconfig                     |  8 +++
>  net/bridge/netfilter/Makefile                    |  1 +
>  net/bridge/netfilter/ebt_string.c                | 65 
> ++++++++++++++++++++++++
>  4 files changed, 90 insertions(+)
>  create mode 100644 include/uapi/linux/netfilter_bridge/ebt_string.h
>  create mode 100644 net/bridge/netfilter/ebt_string.c
> 
> diff --git a/include/uapi/linux/netfilter_bridge/ebt_string.h 
> b/include/uapi/linux/netfilter_bridge/ebt_string.h
> new file mode 100644
> index 000000000000..87d04e9efebd
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_bridge/ebt_string.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +#ifndef __LINUX_BRIDGE_EBT_STRING_H
> +#define __LINUX_BRIDGE_EBT_STRING_H
> +
> +#include <linux/types.h>
> +
> +#define EBT_STRING_MATCH "string"
> +#define MAX_STRING_OCTETS 64
> +
> +struct ebt_string_info {
> +     __u16 offset;
> +     __u16 length;
> +     unsigned char string[MAX_STRING_OCTETS + 1];
> +};
> +
> +#endif
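Review bot: Nothing in this header states that `length` must not exceed `MAX_STRING_OCTETS`, yet the match in net/bridge/netfilter/ebt_string.c below copies `info->length` bytes into a `MAX_STRING_OCTETS + 1` stack buffer through `skb_header_pointer()`, so the bound is load-bearing and must be enforced at rule load by a checkentry hook that is not visible in this excerpt; the invariant belongs on the struct, e.g. `/* length must be <= MAX_STRING_OCTETS; larger values are rejected when the rule is loaded */` above the `length` field. The `+ 1` on `string[]` is also unexplained: the match compares `length` raw octets and never reads a terminator, so either document why the extra byte is needed or drop it. As a style point, `MAX_STRING_OCTETS` is an unprefixed name exported to userspace, whereas the other ebt_*.h uapi headers prefix their constants (`EBT_VLAN_*`, `EBT_ARP_*`), so `EBT_STRING_MAX_OCTETS` would avoid collisions with user code that includes this header.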
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index e7ef1a1ef3a6..ec1287b3678c 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -154,6 +154,14 @@ config BRIDGE_EBT_VLAN
>         This option adds the 802.1Q vlan match, which allows the filtering of
>         802.1Q vlan fields.
>  
> +       To compile it as a module, choose M here.  If unsure, say N.
> +
> +config BRIDGE_EBT_STRING
> +     tristate "ebt: string filter support"
> +     help
> +       This option adds the string match, which allows filtering based on
> +       an arbitrary sequence of octets starting from a given offset.
> +
>         To compile it as a module, choose M here.  If unsure, say N.
>  #
>  # targets
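Review bot: The new `BRIDGE_EBT_STRING` entry is spliced into the middle of `BRIDGE_EBT_VLAN`'s help text, between its description and its "To compile it as a module" line, which is why the hunk has to add a duplicate of that sentence at the top for the vlan entry. Appending the whole new entry after the existing vlan block (i.e. after the original "If unsure, say N." line) would leave the vlan help untouched and make the hunk a pure addition of one config entry.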
> diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
> index 2f28e16de6c7..450a84ada5e4 100644
> --- a/net/bridge/netfilter/Makefile
> +++ b/net/bridge/netfilter/Makefile
> @@ -28,6 +28,7 @@ obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
>  obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
>  obj-$(CONFIG_BRIDGE_EBT_STP) += ebt_stp.o
>  obj-$(CONFIG_BRIDGE_EBT_VLAN) += ebt_vlan.o
> +obj-$(CONFIG_BRIDGE_EBT_STRING) += ebt_string.o
>  
>  # targets
>  obj-$(CONFIG_BRIDGE_EBT_ARPREPLY) += ebt_arpreply.o
> diff --git a/net/bridge/netfilter/ebt_string.c 
> b/net/bridge/netfilter/ebt_string.c
> new file mode 100644
> index 000000000000..66770506d3a3
> --- /dev/null
> +++ b/net/bridge/netfilter/ebt_string.c
> @@ -0,0 +1,65 @@
> +/*
> + * string
> + *
> + * Author:
> + * Bernie Harris [email protected]
> + *
> + * October 2017
> + *
> + */
> +#include <linux/module.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter_bridge/ebtables.h>
> +#include <linux/netfilter_bridge/ebt_string.h>
> +
> +static bool
> +ebt_string_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> +     const struct ebt_string_info *info = par->matchinfo;
> +     unsigned char buf[MAX_STRING_OCTETS + 1];
> +     unsigned char *match_start;
> +     int i;
> +     int offset = skb_network_offset(skb) + info->offset;
> +
> +     if (offset + info->length >= skb->len)
> +             return false;
> +
> +     match_start = skb_header_pointer(skb, offset, info->length, buf);
> +
> +     for (i = 0; i < info->length; i++) {
> +             if (*(match_start + i) != info->string[i])
> +                     return false;
> +     }

I would prefer something that converges with net/netfilter/xt_string.c