Re: [PATCHv6 iptables]Interface group match
On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote: Interface group values can be checked on both input and output interfaces with optional mask. Index: extensions/libxt_ifgroup.c === --- extensions/libxt_ifgroup.c(revision 0) +++ extensions/libxt_ifgroup.c(revision 0) + info-in_group = strtoul(optarg, end, 0); This is somewhat inconsistent with the iproute patch which targets specific groups (with names). Should iptables be allowed to read /etc/iproute2/rt_ifgroup? There is no standard API like getservbyname()... I do have a draft patch for physdev which is however against iptables-1.3.8 and linux-2.6.19 so it will need some more work but I will attach it for discussion. (This will leave ebtables to be touched...) Best regards, Lutz -- Dr.-Ing. Lutz Jänicke CTO Innominate Security Technologies AG /protecting industrial networks/ tel: +49.30.6392-3308 fax: +49.30.6392-3307 Albert-Einstein-Str. 14 D-12489 Berlin, Germany www.innominate.com Register Court: AG Charlottenburg, HR B 81603 Management Board: Joachim Fietz, Dirk Seewald Chairman of the Supervisory Board: Edward M. Stadum Visit us at the SPS/IPC/Drives in Nuremberg / Germany 27 - 29 November 2007, Hall 9, Stand 9-141 diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c iptables-1.3.8/extensions/libipt_physdev.c --- iptables-1.3.8-vanilla/extensions/libipt_physdev.c 2007-01-23 13:50:00.0 +0100 +++ iptables-1.3.8/extensions/libipt_physdev.c 2007-11-01 16:57:58.0 +0100 @@ -19,6 +19,8 @@ physdev v%s options:\n --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n + --physgroup-in [!] input group bridge port group value\n + --physgroup-out [!] output group bridge port group value\n [!] --physdev-is-in arrived on a bridge device\n [!] --physdev-is-out will leave on a bridge device\n [!] --physdev-is-bridged it's a bridged packet\n @@ -31,6 +33,8 @@ { physdev-is-in, 0, 0, '3' }, { physdev-is-out, 0, 0, '4' }, { physdev-is-bridged, 0, 0, '5' }, + { physgroup-in, 1, 0, '6' }, + { physgroup-out, 1, 0, '7' }, {0} }; @@ -47,6 +51,7 @@ { struct ipt_physdev_info *info = (struct ipt_physdev_info*)(*match)-data; + char *end; switch (c) { case '1': @@ -103,6 +108,44 @@ info-bitmask |= IPT_PHYSDEV_OP_BRIDGED; break; + case '6': + if (*flags IPT_PHYSDEV_OP_GROUPIN) + goto multiple_use; + check_inverse(argv[optind-1], invert, optind, 0); + end = optarg = argv[optind-1]; + info-ingroup = strtoul(optarg, end, 0); + info-ingroupmask = 0xUL; + if (*end == '/') + info-ingroupmask = strtoul(end+1, end, 0); + if (*end != '\0' || end == optarg) + exit_error(PARAMETER_PROBLEM, + physdev match: Bad ifgroup value `%s', + optarg); + if (invert) + info-invert |= IPT_PHYSDEV_OP_GROUPIN; + *flags |= IPT_PHYSDEV_OP_GROUPIN; + info-bitmask |= IPT_PHYSDEV_OP_GROUPIN; + break; + + case '7': + if (*flags IPT_PHYSDEV_OP_GROUPOUT) + goto multiple_use; + check_inverse(argv[optind-1], invert, optind, 0); + end = optarg = argv[optind-1]; + info-outgroup = strtoul(optarg, end, 0); + info-outgroupmask = 0xUL; + if (*end == '/') + info-outgroupmask = strtoul(end+1, end, 0); + if (*end != '\0' || end == optarg) + exit_error(PARAMETER_PROBLEM, + physdev match: Bad ifgroup value `%s', + optarg); + if (invert) + info-invert |= IPT_PHYSDEV_OP_GROUPOUT; + *flags |= IPT_PHYSDEV_OP_GROUPOUT; + info-bitmask |= IPT_PHYSDEV_OP_GROUPOUT; + break; + default: return 0; } @@ -145,6 +186,13 @@ if (info-bitmask IPT_PHYSDEV_OP_BRIDGED) printf(%s --physdev-is-bridged, info-invert IPT_PHYSDEV_OP_BRIDGED ? !:); + + if (info-bitmask IPT_PHYSDEV_OP_GROUPIN) + printf(%s --physgroup-in 0x%x/0x%x, + (info-invert IPT_PHYSDEV_OP_GROUPIN) ? !:, info-ingroup,
Re: [PATCHv6 iproute 2/2] Interface group as new ip link option
On Tue, Nov 20, 2007 at 02:14:30PM +0100, Laszlo Attila Toth wrote: Interfaces can be grouped and each group has an unique positive integer ID. It can be set via ip link. Symbolic names can be specified in /etc/iproute2/rt_ifgroup. diff --git a/include/rt_names.h b/include/rt_names.h index 07a10e0..72c5247 100644 --- a/include/rt_names.h +++ b/include/rt_names.h @@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len); char* rtnl_rttable_n2a(__u32 id, char *buf, int len); char* rtnl_rtrealm_n2a(int id, char *buf, int len); char* rtnl_dsfield_n2a(int id, char *buf, int len); +char* rtnl_ifgroup_n2a(int id, char *buf, int len); int rtnl_rtprot_a2n(__u32 *id, char *arg); int rtnl_rtscope_a2n(__u32 *id, char *arg); int rtnl_rttable_a2n(__u32 *id, char *arg); int rtnl_rtrealm_a2n(__u32 *id, char *arg); int rtnl_dsfield_a2n(__u32 *id, char *arg); +int rtnl_ifgroup_a2n(__u32 *id, char *arg); Shouldn't rtnl_ifgroup_n2a() using __u32 for id? It is actually handed a __u32 value. diff --git a/lib/rt_names.c b/lib/rt_names.c index 8d019a0..a067e74 100644 --- a/lib/rt_names.c +++ b/lib/rt_names.c @@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg) return 0; } +static char * rtnl_rtifgroup_tab[256] = { + 0, +}; + +static int rtnl_rtifgroup_init; + +static void rtnl_rtifgroup_initialize(void) +{ + rtnl_rtifgroup_init = 1; + rtnl_tab_initialize(/etc/iproute2/rt_ifgroup, + rtnl_rtifgroup_tab, 256); +} + +char * rtnl_ifgroup_n2a(int id, char *buf, int len) +{ + if (id0 || id=256) { + snprintf(buf, len, %d, id); + return buf; + } Shouldn't we better use hex here? hex is used for values up to 255 and iptables matches use hex for all values as well. (__u32 change proposed above will make id0 pointless.) + if (!rtnl_rtifgroup_tab[id]) { + if (!rtnl_rtifgroup_init) + rtnl_rtifgroup_initialize(); + } + if (rtnl_rtifgroup_tab[id]) + return rtnl_rtifgroup_tab[id]; + snprintf(buf, len, 0x%02x, id); + return buf; +} +int rtnl_ifgroup_a2n(__u32 *id, char *arg) +{ + static char *cache = NULL; + static unsigned long res; + char *end; + int i; + + if (cache strcmp(cache, arg) == 0) { + *id = res; + return 0; + } + + if (!rtnl_rtifgroup_init) + rtnl_rtifgroup_initialize(); + + for (i=0; i256; i++) { + if (rtnl_rtifgroup_tab[i] + strcmp(rtnl_rtifgroup_tab[i], arg) == 0) { + cache = rtnl_rtifgroup_tab[i]; + res = i; + *id = res; + return 0; + } + } + + res = strtoul(arg, end, 16); Why should we hardcode base 16 here. strtoul can handle dec and hex (0x..) just fine. The iptables matches are usign strtoul(,,0) as well. + if (!end || end == arg || *end || res 255) + return -1; Why do you restrict to values =255? iptables match does not limit and I do not really understand why I should restrict the values here. (Even if they may not have a textual representation.) Best regards, Lutz -- Dr.-Ing. Lutz Jänicke CTO Innominate Security Technologies AG /protecting industrial networks/ tel: +49.30.6392-3308 fax: +49.30.6392-3307 Albert-Einstein-Str. 14 D-12489 Berlin, Germany www.innominate.com Register Court: AG Charlottenburg, HR B 81603 Management Board: Joachim Fietz, Dirk Seewald Chairman of the Supervisory Board: Edward M. Stadum Visit us at the SPS/IPC/Drives in Nuremberg / Germany 27 - 29 November 2007, Hall 9, Stand 9-141 - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCHv6 2/3] Interface group: core (netlink) part
On Tue, Nov 20, 2007 at 02:14:26PM +0100, Laszlo Attila Toth wrote: Interface groups let handle different interfaces together. Modified net device structure and netlink interface. Signed-off-by: Laszlo Attila Toth [EMAIL PROTECTED] --- include/linux/if_link.h |2 ++ include/linux/netdevice.h |2 ++ net/core/rtnetlink.c | 11 +++ 3 files changed, 15 insertions(+), 0 deletions(-) Adding read/write support via sysfs should not be too difficult: diff -ruN a/net/core/net-sysfs.c b/net/core/net-sysfs.c --- a/net/core/net-sysfs.c 2007-11-17 06:16:36.0 +0100 +++ b/net/core/net-sysfs.c 2007-11-23 14:04:47.0 +0100 @@ -219,6 +219,20 @@ return netdev_store(dev, attr, buf, len, change_tx_queue_len); } +NETDEVICE_SHOW(ifgroup, fmt_hex); + +static int change_ifgroup(struct net_device *net, unsigned long new_ifgroup) +{ + net-ifgroup = new_ifgroup; + return 0; +} + +static ssize_t store_ifgroup(struct device *dev, struct device_attribute *attr, + const char *buf, size_t len) +{ + return netdev_store(dev, attr, buf, len, change_ifgroup); +} + static struct device_attribute net_class_attributes[] = { __ATTR(addr_len, S_IRUGO, show_addr_len, NULL), __ATTR(iflink, S_IRUGO, show_iflink, NULL), @@ -235,6 +249,7 @@ __ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags), __ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len, store_tx_queue_len), + __ATTR(ifgroup, S_IRUGO | S_IWUSR, show_ifgroup, store_ifgroup), {} }; -- Dr.-Ing. Lutz Jänicke CTO Innominate Security Technologies AG /protecting industrial networks/ tel: +49.30.6392-3308 fax: +49.30.6392-3307 Albert-Einstein-Str. 14 D-12489 Berlin, Germany www.innominate.com Register Court: AG Charlottenburg, HR B 81603 Management Board: Joachim Fietz, Dirk Seewald Chairman of the Supervisory Board: Edward M. Stadum Visit us at the SPS/IPC/Drives in Nuremberg / Germany 27 - 29 November 2007, Hall 9, Stand 9-141 - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html