Programming forum, post 97538 by Rakesh Ranjan on Tuesday 31st of January 2006 10:02:10 AM
extending netfilter...plz help

Hello friends, I'm trying to extend iptables to include a target by which we can change the packet type field of a packet.
For this I created a kernel module and a userspace extension.
Now I face the problem that when I try to invoke iptables with the target I created, I get an error message saying "no match/target/chain by that name", but when I do lsmod to show the modules that are loaded, my kernel module is shown (that means it is loaded). I also went through the userspace extension in iptables made by me but could not locate any problem.
The only thing that I could locate was that the error message was coming from libiptc.c (here the strange thing was that in libiptc.c, in the function that printed the error, there was a structure which stored the function name where the error originally occurred, the error no. and msg. Now in my case the function name was shown as NULL, so I can't figure out where the error is actually coming from.)

One more related problem: to debug the above, in the kernel module I gave some kernel messages (which I obviously thought would be printed out somewhere as they will be reached), but I'm not able to figure out where that message is going. I checked the system log in /var/log/messages, but there I could just find one system message that the module has been loaded, and not the customized message that I gave. Can someone help me out with where my message is going?

Oh sorry! I forgot to tell my system description. I'm running Red Hat 9.0 (kernel 2.4.20) and using iptables 1.2.7a.
 

LIBIPQ(3)                    Linux Programmer's Manual                    LIBIPQ(3)

NAME
       libipq - iptables userspace packet queuing library.

SYNOPSIS
       #include <linux/netfilter.h>
       #include <libipq.h>

DESCRIPTION
       libipq is a development library for iptables userspace packet queuing.

   Userspace Packet Queuing
       Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel.

       For each supported protocol, a kernel module called a queue handler may register with Netfilter to perform the mechanics of passing packets to and from userspace.

       The standard queue handler for IPv4 is ip_queue. It is provided as an experimental module with 2.4 kernels, and uses a Netlink socket for kernel/userspace communication.

       Once ip_queue is loaded, IP packets may be selected with iptables and queued for userspace processing via the QUEUE target. For example, running the following commands:

              # modprobe iptable_filter
              # modprobe ip_queue
              # iptables -A OUTPUT -p icmp -j QUEUE

       will cause any locally generated ICMP packets (e.g. ping output) to be sent to the ip_queue module, which will then attempt to deliver the packets to a userspace application. If no userspace application is waiting, the packets will be dropped.

       An application may receive and process these packets via libipq.

   Libipq Overview
       Libipq provides an API for communicating with ip_queue. The following is an overview of API usage; refer to the individual man pages for more details on each function.

   Initialisation
       To initialise the library, call ipq_create_handle(3). This will attempt to bind to the Netlink socket used by ip_queue and return an opaque context handle for subsequent library calls.

   Setting the Queue Mode
       ipq_set_mode(3) allows the application to specify whether packet metadata only, or packet payloads as well as metadata, are copied to userspace. It is also used to initially notify ip_queue that an application is ready to receive queue messages.
   Receiving Packets from the Queue
       ipq_read(3) waits for queue messages to arrive from ip_queue and copies them into a supplied buffer. Queue messages may be packet messages or error messages. The type of message may be determined with ipq_message_type(3). If it's a packet message, the metadata and optional payload may be retrieved with ipq_get_packet(3). To retrieve the value of an error message, use ipq_get_msgerr(3).

   Issuing Verdicts on Packets
       To issue a verdict on a packet, and optionally return a modified version of the packet to the kernel, call ipq_set_verdict(3).

   Error Handling
       An error string corresponding to the current value of the internal error variable ipq_errno may be obtained with ipq_errstr(3). For simple applications, calling ipq_perror(3) will print the same message as ipq_errstr(3), as well as the string corresponding to the global errno value (if set), to stderr.

   Cleaning Up
       To free up the Netlink socket and destroy resources associated with the context handle, call ipq_destroy_handle(3).

SUMMARY
       ipq_create_handle(3)
              Initialise library, return context handle.

       ipq_set_mode(3)
              Set the queue mode, to copy either packet metadata, or payloads as well as metadata, to userspace.

       ipq_read(3)
              Wait for a queue message to arrive from ip_queue and read it into a buffer.

       ipq_message_type(3)
              Determine message type in the buffer.

       ipq_get_packet(3)
              Retrieve a packet message from the buffer.

       ipq_get_msgerr(3)
              Retrieve an error message from the buffer.

       ipq_set_verdict(3)
              Set a verdict on a packet, optionally replacing its contents.

       ipq_errstr(3)
              Return an error message corresponding to the internal ipq_errno variable.

       ipq_perror(3)
              Helper function to print error messages to stderr.

       ipq_destroy_handle(3)
              Destroy context handle and associated resources.

EXAMPLE
       The following is an example of a simple application which receives packets and issues NF_ACCEPT verdicts on each packet.

       /*
        * This code is GPL.
        */
       #include <linux/netfilter.h>
       #include <libipq.h>
       #include <stdio.h>
       #include <stdlib.h>             /* exit() */

       #define BUFSIZE 2048

       /* Print the libipq error, release the handle and quit. */
       static void die(struct ipq_handle *h)
       {
               ipq_perror("passer");
               ipq_destroy_handle(h);
               exit(1);
       }

       int main(int argc, char **argv)
       {
               int status;
               unsigned char buf[BUFSIZE];
               struct ipq_handle *h;

               h = ipq_create_handle(0, NFPROTO_IPV4);
               if (!h)
                       die(h);

               /* Ask ip_queue for metadata plus payload, up to BUFSIZE bytes. */
               status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
               if (status < 0)
                       die(h);

               do {
                       status = ipq_read(h, buf, BUFSIZE, 0);
                       if (status < 0)
                               die(h);

                       switch (ipq_message_type(buf)) {
                               case NLMSG_ERROR:
                                       fprintf(stderr, "Received error message %d\n",
                                               ipq_get_msgerr(buf));
                                       break;

                               case IPQM_PACKET: {
                                       ipq_packet_msg_t *m = ipq_get_packet(buf);

                                       /* Hand the packet back unchanged with an ACCEPT verdict. */
                                       status = ipq_set_verdict(h, m->packet_id,
                                                                NF_ACCEPT, 0, NULL);
                                       if (status < 0)
                                               die(h);
                                       break;
                               }

                               default:
                                       fprintf(stderr, "Unknown message type!\n");
                                       break;
                       }
               } while (1);

               ipq_destroy_handle(h);
               return 0;
       }

       Pointers to more libipq application examples may be found in The Netfilter FAQ.

DIAGNOSTICS
       For information about monitoring and tuning ip_queue, refer to the Linux 2.4 Packet Filtering HOWTO.

       If an application modifies a packet, it needs to also update any checksums for the packet. Typically, the kernel will silently discard modified packets with invalid checksums.

SECURITY
       Processes require the CAP_NET_ADMIN capability to access the kernel ip_queue module. Such processes can potentially access and modify any IP packets received, generated or forwarded by the kernel.

TODO
       Per-handle ipq_errno values.

BUGS
       Probably.

AUTHOR
       James Morris <jmorris@intercode.com.au>

COPYRIGHT
       Copyright (c) 2000-2001 Netfilter Core Team.

       Distributed under the GNU General Public License.

CREDITS
       Joost Remijn implemented the ipq_read timeout feature, which appeared in the 1.2.4 release of iptables.

       Fernando Anton added support for IPv6.

SEE ALSO
       iptables(8), ipq_create_handle(3), ipq_destroy_handle(3), ipq_errstr(3), ipq_get_msgerr(3), ipq_get_packet(3), ipq_message_type(3), ipq_perror(3), ipq_read(3), ipq_set_mode(3), ipq_set_verdict(3).

       The Netfilter home page at http://netfilter.samba.org/ which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO, The Netfilter FAQ and many other useful resources.

Linux iptables 1.2                  16 October 2001                        LIBIPQ(3)
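The DIAGNOSTICS section above says a queue handler that modifies a packet before ipq_set_verdict(3) must also update its checksums, or the kernel silently drops the packet. This added example (written for this page, not from the libipq man page or iptables) shows the RFC 1071 IPv4 header checksum recompute and verification in C over a constructed header: it checksums the header, changes the TTL the way a userspace handler might, shows the stale checksum now fails the kernel's test, and repairs it. Only the IP header checksum is handled here; TCP, UDP and ICMP checksums need the same step over their own coverage. The code has no libipq dependency, so it runs stand-alone.

```c
#include <stdint.h>
#include <stddef.h>
/* RFC 1071 ones-complement checksum of an even-length buffer (IPv4 headers
 * are always a multiple of 4 bytes); store the result high byte first. */
static uint16_t inet_checksum(const uint8_t *d, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, d += 2)
        sum += (uint32_t)(d[0] << 8 | d[1]);
    while (sum >> 16)                           /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Header length from IHL, or 0 if this is not a plausible IPv4 header. */
static size_t ipv4_hdr_len(const uint8_t *pkt, size_t len)
{
    size_t ihl = (len >= 20 && (pkt[0] >> 4) == 4) ? (pkt[0] & 0x0f) * 4u : 0;
    return (ihl >= 20 && ihl <= len) ? ihl : 0;
}
/* The kernel's test: the sum over the header, field included, must be 0. */
int ipv4_header_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t hlen = ipv4_hdr_len(pkt, len);
    return hlen != 0 && inet_checksum(pkt, hlen) == 0;
}
/* Zero the field and recompute it after any header change; -1 if malformed. */
int ipv4_fix_header_checksum(uint8_t *pkt, size_t len)
{
    size_t hlen = ipv4_hdr_len(pkt, len);
    if (hlen == 0) return -1;
    pkt[10] = pkt[11] = 0;
    uint16_t cs = inet_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(cs >> 8);
    pkt[11] = (uint8_t)cs;
    return 0;
}
/* Checksum a constructed header, decrement TTL as a userspace handler might,
 * confirm the stale checksum fails, repair it; returns the new checksum. */
uint16_t modify_then_fix(void)
{
    /* Constructed sample: UDP, no options, TTL 0x40; correct checksum 0xb861. */
    uint8_t h[20] = { 0x45, 0, 0, 0x73, 0, 0, 0x40, 0,
                      0x40, 0x11, 0, 0, 0xc0, 0xa8, 0, 1, 0xc0, 0xa8, 0, 0xc7 };
    ipv4_fix_header_checksum(h, sizeof h);
    h[8]--;                                     /* TTL changed after checksum */
    if (ipv4_header_checksum_ok(h, sizeof h))
        return 0;                               /* stale checksum must fail */
    ipv4_fix_header_checksum(h, sizeof h);
    return (uint16_t)(h[10] << 8 | h[11]);      /* 0xb961 */
}
```

The same recompute belongs in the IPQM_PACKET branch of the example above whenever the handler edits the header before passing a replacement buffer to ipq_set_verdict(3).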
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.