Re: xt_request_find_match
On Dec 20 2006 10:17, Patrick McHardy wrote: >Jan Engelhardt wrote: >>>Make sure the user specifies the match on the command line before >>>your match. Look at the TCPMSS or REJECT targets for examples for >>>this. >> >> That would mean I'd have to >> >> -p tcp -m multiport --dport 1,2,3,4 -m time --time sundays -m >> lotsofothers -j TARGET >> -p udp -m multiport --dport 1,2,3,4 -m time --time sundays -m >> lotsofothers -j TARGET > >I don't see any match that would depend on an other match in >your example. How about your start explaining what you would >like to do, ideally with some code. Yup, on the spot! http://jengelh.hopto.org/f/chaostables/chaostables-0.1.tar.bz2 (Contains a target, but still something that could use xt_request_find_module.) -`J' -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
Jan Engelhardt wrote: >>Make sure the user specifies the match on the command line before >>your match. Look at the TCPMSS or REJECT targets for examples for >>this. > > > That would mean I'd have to > > -p tcp -m multiport --dport 1,2,3,4 -m time --time sundays -m > lotsofothers -j TARGET > -p udp -m multiport --dport 1,2,3,4 -m time --time sundays -m > lotsofothers -j TARGET I don't see any match that would depend on an other match in your example. How about your start explaining what you would like to do, ideally with some code. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
>Jan Engelhardt wrote: >> [...] >> >> Ok, but let's say I wanted to use a bigger match module (layer7, anyone?) >> Then it's just not if(protocol == IPPROTO_TCP). What's the preferred solution >> then? > >Make sure the user specifies the match on the command line before >your match. Look at the TCPMSS or REJECT targets for examples for >this. That would mean I'd have to -p tcp -m multiport --dport 1,2,3,4 -m time --time sundays -m lotsofothers -j TARGET -p udp -m multiport --dport 1,2,3,4 -m time --time sundays -m lotsofothers -j TARGET which can become quite computationally expensive - which I wanted to avoid. -`J' -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
Jan Engelhardt wrote: > [...] > > Ok, but let's say I wanted to use a bigger match module (layer7, anyone?) > Then it's just not if(protocol == IPPROTO_TCP). What's the preferred solution > then? Make sure the user specifies the match on the command line before your match. Look at the TCPMSS or REJECT targets for examples for this. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
>>>>Reusing code is a good idea, and I would like to do so from my
>>>>match modules. netfilter already provides a xt_request_find_target() but
>>>>an xt_request_find_match() does not yet exist. This patch adds it.
>>>
>>>Why does your match module needs to lookup other matches?
>>
>> To use them?
>>
>> I did not want to write
>>
>> some_xt_target() {
>> if(skb->nh.iph->protocol == IPPROTO_TCP)
>> do_this();
>> else
>> do_that();
>> }
>
>I don't think
>
>xt_request_find_match(match->family, "tcp", 0)->match(lots of arguments)
>
>is better than a simple comparison. Besides that the tcp match itself
>expects that the protocol match already checked for IPPROTO_TCP, so
>you'd still have to do it.
>> /* To quote Alan:
>>
>>Don't allow a fragment of TCP 8 bytes in. Nobody normal
>>causes this. Its a cracker trying to break in by doing a
>>flag overwrite to pass the direction checks.
>> */
>
>This check makes sure the flags are not overwritten _after you
>matched on them_. It doesn't matter at all if you're only
>interested in the protocol since the user didn't tell you to care.
Ok, but let's say I wanted to use a bigger match module (layer7, anyone?)
Then it's just not if(protocol == IPPROTO_TCP). What's the preferred solution
then?
-`J'
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
Jan Engelhardt wrote:
> On Dec 19 2006 12:51, Patrick McHardy wrote:
>
>>>Reusing code is a good idea, and I would like to do so from my
>>>match modules. netfilter already provides a xt_request_find_target() but
>>>an xt_request_find_match() does not yet exist. This patch adds it.
>>
>>Why does your match module needs to lookup other matches?
>
>
> To use them?
>
> I did not want to write
>
>
> some_xt_target() {
> if(skb->nh.iph->protocol == IPPROTO_TCP)
> do_this();
> else
> do_that();
> }
I don't think
xt_request_find_match(match->family, "tcp", 0)->match(lots of arguments)
is better than a simple comparison. Besides that the tcp match itself
expects that the protocol match already checked for IPPROTO_TCP, so
you'd still have to do it.
> since the xt_tcpudp module provides far more checks than just the protocol
> (TCP/UDP), like
>
> /* To quote Alan:
>
>Don't allow a fragment of TCP 8 bytes in. Nobody normal
>causes this. Its a cracker trying to break in by doing a
>flag overwrite to pass the direction checks.
> */
This check makes sure the flags are not overwritten _after you
matched on them_. It doesn't matter at all if you're only
interested in the protocol since the user didn't tell you to care.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
On Dec 19 2006 12:51, Patrick McHardy wrote:
>> Reusing code is a good idea, and I would like to do so from my
>> match modules. netfilter already provides a xt_request_find_target() but
>> an xt_request_find_match() does not yet exist. This patch adds it.
>
>Why does your match module needs to lookup other matches?
To use them?
I did not want to write
some_xt_target() {
if(skb->nh.iph->protocol == IPPROTO_TCP)
do_this();
else
do_that();
}
since the xt_tcpudp module provides far more checks than just the protocol
(TCP/UDP), like
/* To quote Alan:
Don't allow a fragment of TCP 8 bytes in. Nobody normal
causes this. Its a cracker trying to break in by doing a
flag overwrite to pass the direction checks.
*/
(see xt_tcpudp.c)
-`J'
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] xt_request_find_match
Jan Engelhardt wrote: > Reusing code is a good idea, and I would like to do so from my > match modules. netfilter already provides a xt_request_find_target() but > an xt_request_find_match() does not yet exist. This patch adds it. Why does your match module needs to lookup other matches? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] xt_request_find_match
Hi,
Reusing code is a good idea, and I would like to do so from my
match modules. netfilter already provides a xt_request_find_target() but
an xt_request_find_match() does not yet exist. This patch adds it.
Objections welcome :)
---
Signed-off-by: Jan Engelhardt <[EMAIL PROTECTED]>
Index: linux-2.6.20-rc1/net/netfilter/x_tables.c
===
--- linux-2.6.20-rc1.orig/net/netfilter/x_tables.c
+++ linux-2.6.20-rc1/net/netfilter/x_tables.c
@@ -206,6 +206,19 @@ struct xt_match *xt_find_match(int af, c
}
EXPORT_SYMBOL(xt_find_match);
+struct xt_match *xt_request_find_match(int af, const char *name, u8 revision)
+{
+ struct xt_match *match;
+
+ match = try_then_request_module(xt_find_match(af, name, revision),
+ "%st_%s", xt_prefix[af], name);
+ if(IS_ERR(match) || match == NULL)
+ return NULL;
+
+ return match;
+}
+EXPORT_SYMBOL_GPL(xt_request_find_match);
+
/* Find target, grabs ref. Returns ERR_PTR() on error. */
struct xt_target *xt_find_target(int af, const char *name, u8 revision)
{
#
-`J'
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
