Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Laszlo Attila Toth

Lutz Jaenicke wrote:

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:

Interface group values can be checked on both input and output interfaces
with optional mask.



Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c  (revision 0)
+++ extensions/libxt_ifgroup.c  (revision 0)



+   info-in_group = strtoul(optarg, end, 0);


This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read /etc/iproute2/rt_ifgroup?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok, I'll
write this part.




I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.


Thanks. I will send soon for net-2.6.25 and iptables svn version.

-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Patrick McHardy

Laszlo Attila Toth wrote:

Lutz Jaenicke wrote:

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
Interface group values can be checked on both input and output 
interfaces

with optional mask.



Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c(revision 0)
+++ extensions/libxt_ifgroup.c(revision 0)



+info-in_group = strtoul(optarg, end, 0);


This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read /etc/iproute2/rt_ifgroup?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



Why 256? I can see no such limitation. For masks you could
simply allow to define masks in rt_ifgroup too and use
name/name or simply name/0xmask.


There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok, I'll
write this part.



Of course. Please put the tab part somewhere common, I always
wanted to have named firewall marks shared with ip and tc
and I believe Balazs wanted that too :)


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Laszlo Attila Toth

Patrick McHardy wrote:

Laszlo Attila Toth wrote:

Lutz Jaenicke wrote:

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
Interface group values can be checked on both input and output 
interfaces

with optional mask.



Index: extensions/libxt_ifgroup.c
===
--- extensions/libxt_ifgroup.c(revision 0)
+++ extensions/libxt_ifgroup.c(revision 0)



+info-in_group = strtoul(optarg, end, 0);


This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read /etc/iproute2/rt_ifgroup?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



Why 256? I can see no such limitation. For masks you could
simply allow to define masks in rt_ifgroup too and use
name/name or simply name/0xmask.



256 because it is the size of a static array (and I don't want to allocate
too much memory when other arrays such as the routing table names also
have this size). In the current version I posted some minutes ago
0..2^32-1 can be used.


The syntax name/0xmask is simply too strange for me.




There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok, I'll
write this part.



Of course. Please put the tab part somewhere common, I always
wanted to have named firewall marks shared with ip and tc
and I believe Balazs wanted that too :)


Ok. Yes, he wants :)


--
Attila


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Patrick McHardy

Laszlo Attila Toth wrote:

Patrick McHardy wrote:

Laszlo Attila Toth wrote:

Lutz Jaenicke wrote:



Should iptables be allowed to read /etc/iproute2/rt_ifgroup?


It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.



Why 256? I can see no such limitation. For masks you could
simply allow to define masks in rt_ifgroup too and use
name/name or simply name/0xmask.



256 because it is the size of a static array (and I don't want to allocate
too much memory when other arrays such as the routing table names also
have this size). In the current version I posted some minutes ago
0..2^32-1 can be used.


It's a hash. You can put as much in there as you like :)


The syntax name/0xmask is simply too strange for me.


Then how about name/name with masks also defined in rt_ifgroup?
The same question applies for marks of course.


There is no standard API like getservbyname()...


The code of iproute2 should be copied. If Patrick says it is ok,
I'll write this part.



Of course. Please put the tab part somewhere common, I always
wanted to have named firewall marks shared with ip and tc
and I believe Balazs wanted that too :)


Ok. Yes, he wants :)



Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Jan Engelhardt

On Nov 29 2007 17:27, Patrick McHardy wrote:

 The syntax name/0xmask is simply too strange for me.

 Then how about name/name with masks also defined in rt_ifgroup?
 The same question applies for marks of course.

I would find that confusing, which is why the new xt_TOS only
allows names when no /mask or a mask of /allbits is used.

There is no standard API like getservbyname()...
  
   The code of iproute2 should be copied. If Patrick says it is ok, I'll
   write this part.
 
  Of course. Please put the tab part somewhere common, I always
  wanted to have named firewall marks shared with ip and tc
  and I believe Balazs wanted that too :)
 
 Ok. Yes, he wants :)

So, we are going to see a librtnl?


Re: [PATCHv6 iptables]Interface group match

2007-11-29 Thread Patrick McHardy

Jan Engelhardt wrote:

On Nov 29 2007 17:27, Patrick McHardy wrote:

The syntax name/0xmask is simply too strange for me.

Then how about name/name with masks also defined in rt_ifgroup?
The same question applies for marks of course.


I would find that confusing, which is why the new xt_TOS only
allows names when no /mask or a mask of /allbits is used.


It's still useful, you don't have to use it :) Another alternative
would be to allow defining names to val/mask.
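The `name/name`, `name/0xmask` and `val/mask` forms debated in the messages above, as an added example in C that is not part of the patch, of iptables or of iproute2: it parses `group[/mask]` with each part resolved against a small constructed table standing in for `/etc/iproute2/rt_ifgroup`, defaults a missing mask to all bits, and rejects an empty mask, trailing garbage and out-of-range numbers. The table contents and the function names are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample table standing in for /etc/iproute2/rt_ifgroup;
 * a real implementation would read that file (names are hypothetical). */
static const struct { const char *name; uint32_t value; } ifgroup_tab[] = {
	{ "dmz", 1 }, { "lan", 2 }, { "wan", 3 }, { "low8", 0xff },
};

/* One token: a table name or a number (base 0, so 0x.. and 0.. work). */
static int parse_group_token(const char *s, size_t len, uint32_t *out)
{
	char buf[32], *end;
	unsigned long v;
	size_t i;

	if (len == 0 || len >= sizeof(buf))
		return -1;                     /* empty or absurdly long */
	memcpy(buf, s, len);
	buf[len] = '\0';
	for (i = 0; i < sizeof(ifgroup_tab) / sizeof(ifgroup_tab[0]); i++)
		if (strcmp(buf, ifgroup_tab[i].name) == 0) {
			*out = ifgroup_tab[i].value;
			return 0;
		}
	errno = 0;
	v = strtoul(buf, &end, 0);
	if (errno != 0 || end == buf || *end != '\0' || v > UINT32_MAX)
		return -1;                     /* garbage, no digits, overflow */
	*out = (uint32_t)v;
	return 0;
}

/* "group[/mask]": either part may be a name or a number; a missing mask
 * means all bits, and an empty mask ("5/") is an error. Returns 0 or -1. */
int parse_ifgroup_spec(const char *spec, uint32_t *group, uint32_t *mask)
{
	const char *slash = strchr(spec, '/');
	size_t glen = slash ? (size_t)(slash - spec) : strlen(spec);

	if (parse_group_token(spec, glen, group) < 0)
		return -1;
	*mask = UINT32_MAX;
	if (slash && parse_group_token(slash + 1, strlen(slash + 1), mask) < 0)
		return -1;
	return 0;
}
```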


Re: [PATCHv6 iptables]Interface group match

2007-11-23 Thread Lutz Jaenicke
On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
 Interface group values can be checked on both input and output interfaces
 with optional mask.

 Index: extensions/libxt_ifgroup.c
 ===
 --- extensions/libxt_ifgroup.c(revision 0)
 +++ extensions/libxt_ifgroup.c(revision 0)

 + info-in_group = strtoul(optarg, end, 0);

This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read /etc/iproute2/rt_ifgroup?
There is no standard API like getservbyname()...

I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.

(This will leave ebtables to be touched...)

Best regards,
Lutz
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum



Visit us at the SPS/IPC/Drives in Nuremberg / Germany

27 - 29 November 2007, Hall 9, Stand 9-141


diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c 
iptables-1.3.8/extensions/libipt_physdev.c
--- iptables-1.3.8-vanilla/extensions/libipt_physdev.c  2007-01-23 
13:50:00.0 +0100
+++ iptables-1.3.8/extensions/libipt_physdev.c  2007-11-01 16:57:58.0 
+0100
@@ -19,6 +19,8 @@
 physdev v%s options:\n
  --physdev-in [!] input name[+]   bridge port name ([+] for 
wildcard)\n
  --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n
+ --physgroup-in [!] input group   bridge port group value\n
+ --physgroup-out [!] output group bridge port group value\n
  [!] --physdev-is-in  arrived on a bridge device\n
  [!] --physdev-is-out will leave on a bridge device\n
  [!] --physdev-is-bridged it's a bridged packet\n
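Review bot: the help text documents `--physgroup-in [!] input group` and `--physgroup-out [!] output group` as a bare value, but the parser added later in this patch also accepts an optional `/mask` after the value and defaults it to all bits; document the argument as `group[/mask]` and say what the default is, otherwise users cannot discover the mask form from `--help`. The usage strings also say "bridge port group value" while the error text below reports a "Bad ifgroup value"; one term for the feature would help.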
@@ -31,6 +33,8 @@
{ physdev-is-in, 0, 0, '3' },
{ physdev-is-out, 0, 0, '4' },
{ physdev-is-bridged, 0, 0, '5' },
+   { physgroup-in, 1, 0, '6' },
+   { physgroup-out, 1, 0, '7' },
{0}
 };
 
@@ -47,6 +51,7 @@
 {
struct ipt_physdev_info *info =
(struct ipt_physdev_info*)(*match)-data;
+   char *end;
 
switch (c) {
case '1':
@@ -103,6 +108,44 @@
info-bitmask |= IPT_PHYSDEV_OP_BRIDGED;
break;
 
+   case '6':
+   if (*flags  IPT_PHYSDEV_OP_GROUPIN)
+   goto multiple_use;
+   check_inverse(argv[optind-1], invert, optind, 0);
+   end = optarg = argv[optind-1];
+   info-ingroup = strtoul(optarg, end, 0);
+   info-ingroupmask = 0xUL;
+   if (*end == '/')
+   info-ingroupmask = strtoul(end+1, end, 0);
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+   physdev match: Bad ifgroup value `%s',
+   optarg);
+   if (invert)
+   info-invert |= IPT_PHYSDEV_OP_GROUPIN;
+   *flags |= IPT_PHYSDEV_OP_GROUPIN;
+   info-bitmask |= IPT_PHYSDEV_OP_GROUPIN;
+   break;
+
+   case '7':
+   if (*flags  IPT_PHYSDEV_OP_GROUPOUT)
+   goto multiple_use;
+   check_inverse(argv[optind-1], invert, optind, 0);
+   end = optarg = argv[optind-1];
+   info-outgroup = strtoul(optarg, end, 0);
+   info-outgroupmask = 0xUL;
+   if (*end == '/')
+   info-outgroupmask = strtoul(end+1, end, 0);
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM,
+   physdev match: Bad ifgroup value `%s',
+   optarg);
+   if (invert)
+   info-invert |= IPT_PHYSDEV_OP_GROUPOUT;
+   *flags |= IPT_PHYSDEV_OP_GROUPOUT;
+   info-bitmask |= IPT_PHYSDEV_OP_GROUPOUT;
+   break;
+
default:
return 0;
}
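Review bot: in both `case '6'` and `case '7'` an empty mask such as `5/` is accepted silently: `strtoul()` on the empty tail converts nothing and leaves `end` pointing at the terminating NUL, so `*end != '\0' || end == optarg` only catches an empty group value and the rule is installed with a mask of 0. Save the pointer before the mask parse and reject when it did not advance, and check `errno` so out-of-range numbers are not truncated quietly. The two cases differ only in the field and flag names; a helper that parses `value[/mask]` into a pair would halve the block and keep the validation in one place.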
@@ -145,6 +186,13 @@
if (info-bitmask  IPT_PHYSDEV_OP_BRIDGED)
printf(%s --physdev-is-bridged,
   info-invert  IPT_PHYSDEV_OP_BRIDGED ?  !:);
+
+   if (info-bitmask  IPT_PHYSDEV_OP_GROUPIN)
+   printf(%s --physgroup-in 0x%x/0x%x,
+   (info-invert  IPT_PHYSDEV_OP_GROUPIN) ?  !:, 
info-ingroup,