Re: [PATCHv6 iptables]Interface group match
Lutz Jaenicke wrote:
> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>> Interface group values can be checked on both input and output interfaces with optional mask.
>>
>> Index: extensions/libxt_ifgroup.c
>> ===
>> --- extensions/libxt_ifgroup.c (revision 0)
>> +++ extensions/libxt_ifgroup.c (revision 0)
>> + info-in_group = strtoul(optarg, end, 0);
>
> This is somewhat inconsistent with the iproute patch which targets specific groups (with names). Should iptables be allowed to read /etc/iproute2/rt_ifgroup?

It would be good but cannot be used if a mask is set and only values less than 256 can be used with names.

> There is no standard API like getservbyname()...

The code of iproute2 should be copied. If Patrick says it is ok, I'll write this part.

> I do have a draft patch for physdev which is however against iptables-1.3.8 and linux-2.6.19 so it will need some more work but I will attach it for discussion.

Thanks. I will send soon for net-2.6.25 and iptables svn version.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCHv6 iptables]Interface group match
Laszlo Attila Toth wrote:
> Lutz Jaenicke wrote:
>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>> Interface group values can be checked on both input and output interfaces with optional mask.
>>>
>>> Index: extensions/libxt_ifgroup.c
>>> ===
>>> --- extensions/libxt_ifgroup.c(revision 0)
>>> +++ extensions/libxt_ifgroup.c(revision 0)
>>> +info-in_group = strtoul(optarg, end, 0);
>>
>> This is somewhat inconsistent with the iproute patch which targets specific groups (with names). Should iptables be allowed to read /etc/iproute2/rt_ifgroup?
>
> It would be good but cannot be used if a mask is set and only values less than 256 can be used with names.

Why 256? I can see no such limitation. For masks you could simply allow to define masks in rt_ifgroup too and use name/name or simply name/0xmask.

>> There is no standard API like getservbyname()...
>
> The code of iproute2 should be copied. If Patrick says it is ok, I'll write this part.

Of course. Please put the tab part somewhere common, I always wanted to have named firewall marks shared with ip and tc and I believe Balazs wanted that too :)
Re: [PATCHv6 iptables]Interface group match
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> Lutz Jaenicke wrote:
>>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>>> Interface group values can be checked on both input and output interfaces with optional mask.
>>>>
>>>> Index: extensions/libxt_ifgroup.c
>>>> ===
>>>> --- extensions/libxt_ifgroup.c(revision 0)
>>>> +++ extensions/libxt_ifgroup.c(revision 0)
>>>> +info-in_group = strtoul(optarg, end, 0);
>>>
>>> This is somewhat inconsistent with the iproute patch which targets specific groups (with names). Should iptables be allowed to read /etc/iproute2/rt_ifgroup?
>>
>> It would be good but cannot be used if a mask is set and only values less than 256 can be used with names.
>
> Why 256? I can see no such limitation. For masks you could simply allow to define masks in rt_ifgroup too and use name/name or simply name/0xmask.

256 because it is the size of a static array (and I don't want to allocate too much memory when other arrays such as the routing table names also have this size). In the current version I posted some minutes ago 0..2^32-1 can be used.

The syntax name/0xmask is simply too strange for me.

>>> There is no standard API like getservbyname()...
>>
>> The code of iproute2 should be copied. If Patrick says it is ok, I'll write this part.
>
> Of course. Please put the tab part somewhere common, I always wanted to have named firewall marks shared with ip and tc and I believe Balazs wanted that too :)

Ok. Yes, he wants :)

-- 
Attila
Re: [PATCHv6 iptables]Interface group match
Laszlo Attila Toth wrote:
> Patrick McHardy wrote:
>> Laszlo Attila Toth wrote:
>>> Lutz Jaenicke wrote:
>>>> Should iptables be allowed to read /etc/iproute2/rt_ifgroup?
>>>
>>> It would be good but cannot be used if a mask is set and only values less than 256 can be used with names.
>>
>> Why 256? I can see no such limitation. For masks you could simply allow to define masks in rt_ifgroup too and use name/name or simply name/0xmask.
>
> 256 because it is the size of a static array (and I don't want to allocate too much memory when other arrays such as the routing table names also have this size). In the current version I posted some minutes ago 0..2^32-1 can be used.

It's a hash. You can put as much in there as you like :)

> The syntax name/0xmask is simply too strange for me.

Then how about name/name with masks also defined in rt_ifgroup? The same question applies for marks of course.

>>>> There is no standard API like getservbyname()...
>>>
>>> The code of iproute2 should be copied. If Patrick says it is ok, I'll write this part.
>>
>> Of course. Please put the tab part somewhere common, I always wanted to have named firewall marks shared with ip and tc and I believe Balazs wanted that too :)
>
> Ok. Yes, he wants :)
Re: [PATCHv6 iptables]Interface group match
On Nov 29 2007 17:27, Patrick McHardy wrote:
>> The syntax name/0xmask is simply too strange for me.
>
> Then how about name/name with masks also defined in rt_ifgroup? The same question applies for marks of course.

I would find that confusing, which is why the new xt_TOS only allows names when no /mask or a mask of /allbits is used.

>>>>> There is no standard API like getservbyname()...
>>>>
>>>> The code of iproute2 should be copied. If Patrick says it is ok, I'll write this part.
>>>
>>> Of course. Please put the tab part somewhere common, I always wanted to have named firewall marks shared with ip and tc and I believe Balazs wanted that too :)
>>
>> Ok. Yes, he wants :)

So, we are going to see a librtnl?
Re: [PATCHv6 iptables]Interface group match
Jan Engelhardt wrote:
> On Nov 29 2007 17:27, Patrick McHardy wrote:
>>> The syntax name/0xmask is simply too strange for me.
>>
>> Then how about name/name with masks also defined in rt_ifgroup? The same question applies for marks of course.
>
> I would find that confusing, which is why the new xt_TOS only allows names when no /mask or a mask of /allbits is used.

It's still useful, you don't have to use it :) Another alternative would be to allow defining names to val/mask.
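The value[/mask] syntax the thread argues about, worked through as an added example that is not part of the patch or of iptables: numeric values with an optional mask, names resolved from a table in the style of /etc/iproute2/rt_ifgroup, and names accepted only with no mask or an all-bits mask, the rule Jan describes for xt_TOS. The table contents and the function names `parse_u32`, `parse_ifgroup_spec` and `ifgroup_spec_is` are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the /etc/iproute2/rt_ifgroup name table (example data). */
static const struct { const char *name; uint32_t value; } ifgroup_tab[] = {
	{ "default", 0 }, { "dmz", 1 }, { "lan", 2 }, { NULL, 0 }
};

/* Strict u32 parse of s[0..len): rejects empty, signed, space-led, trailing-garbage and out-of-range tokens. */
static int parse_u32(const char *s, size_t len, uint32_t *out)
{
	char buf[32], *end; unsigned long v;
	if (len == 0 || len >= sizeof(buf) || !isdigit((unsigned char)s[0]))
		return -1;
	memcpy(buf, s, len); buf[len] = '\0';
	errno = 0; v = strtoul(buf, &end, 0);	/* base 0: decimal, 0x hex, 0 octal */
	if (*end != '\0' || errno == ERANGE || v > UINT32_MAX)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Parse "value[/mask]"; value is a number or a table name, and a name is accepted
 * only with no mask or an all-bits mask (Jan's xt_TOS rule). Returns 0 (fills *val/*mask) or -1. */
int parse_ifgroup_spec(const char *spec, uint32_t *val, uint32_t *mask)
{
	const char *slash = strchr(spec, '/');
	size_t i, vlen = slash ? (size_t)(slash - spec) : strlen(spec);
	*mask = UINT32_MAX;
	if (slash && parse_u32(slash + 1, strlen(slash + 1), mask) < 0)
		return -1;	/* "5/" must fail rather than silently become mask 0 */
	if (parse_u32(spec, vlen, val) == 0)
		return 0;
	for (i = 0; ifgroup_tab[i].name; i++)
		if (strlen(ifgroup_tab[i].name) == vlen && !memcmp(ifgroup_tab[i].name, spec, vlen)) {
			*val = ifgroup_tab[i].value;
			return *mask == UINT32_MAX ? 0 : -1;
		}
	return -1;
}

/* True when spec parses to exactly the given value and mask. */
int ifgroup_spec_is(const char *spec, uint32_t want_val, uint32_t want_mask)
{
	uint32_t v, m;
	return parse_ifgroup_spec(spec, &v, &m) == 0 && v == want_val && m == want_mask;
}
```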
Re: [PATCHv6 iptables]Interface group match
On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote: Interface group values can be checked on both input and output interfaces with optional mask. Index: extensions/libxt_ifgroup.c === --- extensions/libxt_ifgroup.c(revision 0) +++ extensions/libxt_ifgroup.c(revision 0) + info-in_group = strtoul(optarg, end, 0); This is somewhat inconsistent with the iproute patch which targets specific groups (with names). Should iptables be allowed to read /etc/iproute2/rt_ifgroup? There is no standard API like getservbyname()... I do have a draft patch for physdev which is however against iptables-1.3.8 and linux-2.6.19 so it will need some more work but I will attach it for discussion. (This will leave ebtables to be touched...) Best regards, Lutz -- Dr.-Ing. Lutz Jänicke CTO Innominate Security Technologies AG /protecting industrial networks/ tel: +49.30.6392-3308 fax: +49.30.6392-3307 Albert-Einstein-Str. 14 D-12489 Berlin, Germany www.innominate.com Register Court: AG Charlottenburg, HR B 81603 Management Board: Joachim Fietz, Dirk Seewald Chairman of the Supervisory Board: Edward M. Stadum Visit us at the SPS/IPC/Drives in Nuremberg / Germany 27 - 29 November 2007, Hall 9, Stand 9-141 diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c iptables-1.3.8/extensions/libipt_physdev.c --- iptables-1.3.8-vanilla/extensions/libipt_physdev.c 2007-01-23 13:50:00.0 +0100 +++ iptables-1.3.8/extensions/libipt_physdev.c 2007-11-01 16:57:58.0 +0100 @@ -19,6 +19,8 @@ physdev v%s options:\n --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n + --physgroup-in [!] input group bridge port group value\n + --physgroup-out [!] output group bridge port group value\n [!] --physdev-is-in arrived on a bridge device\n [!] --physdev-is-out will leave on a bridge device\n [!] --physdev-is-bridged it's a bridged packet\n 
@@ -31,6 +33,8 @@ { physdev-is-in, 0, 0, '3' }, { physdev-is-out, 0, 0, '4' }, { physdev-is-bridged, 0, 0, '5' }, + { physgroup-in, 1, 0, '6' }, + { physgroup-out, 1, 0, '7' }, {0} }; @@ -47,6 +51,7 @@ { struct ipt_physdev_info *info = (struct ipt_physdev_info*)(*match)-data; + char *end; switch (c) { case '1': @@ -103,6 +108,44 @@ info-bitmask |= IPT_PHYSDEV_OP_BRIDGED; break; + case '6': + if (*flags IPT_PHYSDEV_OP_GROUPIN) + goto multiple_use; + check_inverse(argv[optind-1], invert, optind, 0); + end = optarg = argv[optind-1]; + info-ingroup = strtoul(optarg, end, 0); + info-ingroupmask = 0xUL; + if (*end == '/') + info-ingroupmask = strtoul(end+1, end, 0); + if (*end != '\0' || end == optarg) + exit_error(PARAMETER_PROBLEM, + physdev match: Bad ifgroup value `%s', + optarg); + if (invert) + info-invert |= IPT_PHYSDEV_OP_GROUPIN; + *flags |= IPT_PHYSDEV_OP_GROUPIN; + info-bitmask |= IPT_PHYSDEV_OP_GROUPIN; + break; + + case '7': + if (*flags IPT_PHYSDEV_OP_GROUPOUT) + goto multiple_use; + check_inverse(argv[optind-1], invert, optind, 0); + end = optarg = argv[optind-1]; + info-outgroup = strtoul(optarg, end, 0); + info-outgroupmask = 0xUL; + if (*end == '/') + info-outgroupmask = strtoul(end+1, end, 0); + if (*end != '\0' || end == optarg) + exit_error(PARAMETER_PROBLEM, + physdev match: Bad ifgroup value `%s', + optarg); + if (invert) + info-invert |= IPT_PHYSDEV_OP_GROUPOUT; + *flags |= IPT_PHYSDEV_OP_GROUPOUT; + info-bitmask |= IPT_PHYSDEV_OP_GROUPOUT; + break; + default: return 0; } @@ -145,6 +186,13 @@ if (info-bitmask IPT_PHYSDEV_OP_BRIDGED) printf(%s --physdev-is-bridged, info-invert IPT_PHYSDEV_OP_BRIDGED ? !:); + + if (info-bitmask IPT_PHYSDEV_OP_GROUPIN) + printf(%s --physgroup-in 0x%x/0x%x, + (info-invert IPT_PHYSDEV_OP_GROUPIN) ? !:, info-ingroup,
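Review bot: the help text added in the `@@ -19,6 +19,8 @@` hunk (`--physgroup-in [!] input group bridge port group value`, and the same for `--physgroup-out`) does not mention the optional `/mask` suffix that cases '6' and '7' parse, so a user reading the option summary cannot discover the mask form; document it in both lines, e.g. `--physgroup-in [!] value[/mask]`, and state the default mask.

Review bot: in the `@@ -103,6 +108,44 @@` hunk the `end == optarg` check only rejects an empty group value, not an empty mask: for an argument such as `5/`, the second `strtoul` call for the mask consumes nothing, leaves `end` on the terminating NUL, and the option is accepted with a mask of 0, which matches every group. Require the mask parse to consume at least one character (or reject a trailing `/`). Nothing resets `errno` and checks for `ERANGE` either, and `strtoul` silently accepts a leading `-` or whitespace, so negative and out-of-range values pass the `*end != '\0'` test. Cases '6' and '7' are also identical apart from the field names and flag bit; a small helper that parses `value[/mask]` into a value/mask pair would remove the duplication and give both options the same error behaviour.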