Re: [PATCHv6 iptables]Interface group match
On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
Interface group values can be checked on both input and output interfaces
with optional mask.
Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c(revision 0)
+++ extensions/libxt_ifgroup.c(revision 0)
+ info-in_group = strtoul(optarg, end, 0);
This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read /etc/iproute2/rt_ifgroup?
There is no standard API like getservbyname()...
I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.
(This will leave ebtables to be touched...)
Best regards,
Lutz
--
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
Visit us at the SPS/IPC/Drives in Nuremberg / Germany
27 - 29 November 2007, Hall 9, Stand 9-141
diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c
iptables-1.3.8/extensions/libipt_physdev.c
--- iptables-1.3.8-vanilla/extensions/libipt_physdev.c 2007-01-23
13:50:00.0 +0100
+++ iptables-1.3.8/extensions/libipt_physdev.c 2007-11-01 16:57:58.0
+0100
@@ -19,6 +19,8 @@
physdev v%s options:\n
--physdev-in [!] input name[+] bridge port name ([+] for
wildcard)\n
--physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n
+ --physgroup-in [!] input group bridge port group value\n
+ --physgroup-out [!] output group bridge port group value\n
[!] --physdev-is-in arrived on a bridge device\n
[!] --physdev-is-out will leave on a bridge device\n
[!] --physdev-is-bridged it's a bridged packet\n
@@ -31,6 +33,8 @@
{ physdev-is-in, 0, 0, '3' },
{ physdev-is-out, 0, 0, '4' },
{ physdev-is-bridged, 0, 0, '5' },
+ { physgroup-in, 1, 0, '6' },
+ { physgroup-out, 1, 0, '7' },
{0}
};
@@ -47,6 +51,7 @@
{
struct ipt_physdev_info *info =
(struct ipt_physdev_info*)(*match)-data;
+ char *end;
switch (c) {
case '1':
@@ -103,6 +108,44 @@
info-bitmask |= IPT_PHYSDEV_OP_BRIDGED;
break;
+ case '6':
+ if (*flags IPT_PHYSDEV_OP_GROUPIN)
+ goto multiple_use;
+ check_inverse(argv[optind-1], invert, optind, 0);
+ end = optarg = argv[optind-1];
+ info-ingroup = strtoul(optarg, end, 0);
+ info-ingroupmask = 0xUL;
+ if (*end == '/')
+ info-ingroupmask = strtoul(end+1, end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM,
+ physdev match: Bad ifgroup value `%s',
+ optarg);
+ if (invert)
+ info-invert |= IPT_PHYSDEV_OP_GROUPIN;
+ *flags |= IPT_PHYSDEV_OP_GROUPIN;
+ info-bitmask |= IPT_PHYSDEV_OP_GROUPIN;
+ break;
+
+ case '7':
+ if (*flags IPT_PHYSDEV_OP_GROUPOUT)
+ goto multiple_use;
+ check_inverse(argv[optind-1], invert, optind, 0);
+ end = optarg = argv[optind-1];
+ info-outgroup = strtoul(optarg, end, 0);
+ info-outgroupmask = 0xUL;
+ if (*end == '/')
+ info-outgroupmask = strtoul(end+1, end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM,
+ physdev match: Bad ifgroup value `%s',
+ optarg);
+ if (invert)
+ info-invert |= IPT_PHYSDEV_OP_GROUPOUT;
+ *flags |= IPT_PHYSDEV_OP_GROUPOUT;
+ info-bitmask |= IPT_PHYSDEV_OP_GROUPOUT;
+ break;
+
default:
return 0;
}
@@ -145,6 +186,13 @@
if (info-bitmask IPT_PHYSDEV_OP_BRIDGED)
printf(%s --physdev-is-bridged,
info-invert IPT_PHYSDEV_OP_BRIDGED ? !:);
+
+ if (info-bitmask IPT_PHYSDEV_OP_GROUPIN)
+ printf(%s --physgroup-in 0x%x/0x%x,
+ (info-invert IPT_PHYSDEV_OP_GROUPIN) ? !:,
info-ingroup,
Re: [PATCHv6 iproute 2/2] Interface group as new ip link option
On Tue, Nov 20, 2007 at 02:14:30PM +0100, Laszlo Attila Toth wrote:
Interfaces can be grouped and each group has an unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
char* rtnl_rtrealm_n2a(int id, char *buf, int len);
char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
int rtnl_rtprot_a2n(__u32 *id, char *arg);
int rtnl_rtscope_a2n(__u32 *id, char *arg);
int rtnl_rttable_a2n(__u32 *id, char *arg);
int rtnl_rtrealm_a2n(__u32 *id, char *arg);
int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
Shouldn't rtnl_ifgroup_n2a() using __u32 for id? It is actually handed
a __u32 value.
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
}
+static char * rtnl_rtifgroup_tab[256] = {
+ 0,
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+ rtnl_rtifgroup_init = 1;
+ rtnl_tab_initialize(/etc/iproute2/rt_ifgroup,
+ rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(int id, char *buf, int len)
+{
+ if (id0 || id=256) {
+ snprintf(buf, len, %d, id);
+ return buf;
+ }
Shouldn't we better use hex here? hex is used for values up to 255
and iptables matches use hex for all values as well.
(__u32 change proposed above will make id0 pointless.)
+ if (!rtnl_rtifgroup_tab[id]) {
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+ }
+ if (rtnl_rtifgroup_tab[id])
+ return rtnl_rtifgroup_tab[id];
+ snprintf(buf, len, 0x%02x, id);
+ return buf;
+}
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+ static char *cache = NULL;
+ static unsigned long res;
+ char *end;
+ int i;
+
+ if (cache strcmp(cache, arg) == 0) {
+ *id = res;
+ return 0;
+ }
+
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+
+ for (i=0; i256; i++) {
+ if (rtnl_rtifgroup_tab[i]
+ strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+ cache = rtnl_rtifgroup_tab[i];
+ res = i;
+ *id = res;
+ return 0;
+ }
+ }
+
+ res = strtoul(arg, end, 16);
Why should we hardcode base 16 here. strtoul can handle dec and hex
(0x..) just fine. The iptables matches are usign strtoul(,,0) as
well.
+ if (!end || end == arg || *end || res 255)
+ return -1;
Why do you restrict to values =255? iptables match does not limit
and I do not really understand why I should restrict the values here.
(Even if they may not have a textual representation.)
Best regards,
Lutz
--
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
Visit us at the SPS/IPC/Drives in Nuremberg / Germany
27 - 29 November 2007, Hall 9, Stand 9-141
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCHv6 2/3] Interface group: core (netlink) part
On Tue, Nov 20, 2007 at 02:14:26PM +0100, Laszlo Attila Toth wrote:
Interface groups let handle different interfaces together.
Modified net device structure and netlink interface.
Signed-off-by: Laszlo Attila Toth [EMAIL PROTECTED]
---
include/linux/if_link.h |2 ++
include/linux/netdevice.h |2 ++
net/core/rtnetlink.c | 11 +++
3 files changed, 15 insertions(+), 0 deletions(-)
Adding read/write support via sysfs should not be too difficult:
diff -ruN a/net/core/net-sysfs.c b/net/core/net-sysfs.c
--- a/net/core/net-sysfs.c 2007-11-17 06:16:36.0 +0100
+++ b/net/core/net-sysfs.c 2007-11-23 14:04:47.0 +0100
@@ -219,6 +219,20 @@
return netdev_store(dev, attr, buf, len, change_tx_queue_len);
}
+NETDEVICE_SHOW(ifgroup, fmt_hex);
+
+static int change_ifgroup(struct net_device *net, unsigned long new_ifgroup)
+{
+ net-ifgroup = new_ifgroup;
+ return 0;
+}
+
+static ssize_t store_ifgroup(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t len)
+{
+ return netdev_store(dev, attr, buf, len, change_ifgroup);
+}
+
static struct device_attribute net_class_attributes[] = {
__ATTR(addr_len, S_IRUGO, show_addr_len, NULL),
__ATTR(iflink, S_IRUGO, show_iflink, NULL),
@@ -235,6 +249,7 @@
__ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags),
__ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len,
store_tx_queue_len),
+ __ATTR(ifgroup, S_IRUGO | S_IWUSR, show_ifgroup, store_ifgroup),
{}
};
--
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
Visit us at the SPS/IPC/Drives in Nuremberg / Germany
27 - 29 November 2007, Hall 9, Stand 9-141
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
