Re: nft authentication
Fabian Franz wrote:
> yes it is academic and what I want to do is user id matching on
> non-local users (which means I need to connect the IP address with a
> user id or something like that). What I want is to keep the full match
> together, nf_queue is a target.

I'm not sure what 'keep the full match together' is supposed to mean.

> It should be my last year project but it seems to be impossible to
> finalize due to a lack of documentation. An alternative method would be
> keeping an array of structs with IP addresses and user IDs in the kernel
> and use those.

That seems like the only solution, what did you have in mind instead?

> Stack now 0 1
> Cleanup: popping nterm input (: )
> :1:28-31: Error: No symbol type information
> add rule inet filter input auth 1 accept
>
> created using this command:
>
> nft --debug all add rule inet filter input auth 1 accept
>
> I hope this helps you to understand the error.

It looks like you haven't extended the nft parser yet.
You need to extend both libnftnl and nft.

Have a look at commit dfd92948a0a88a9f245e71c1cfb63ae670e6e7c1
("rt: introduce routing expression") in nftables.git for an example.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: nft authentication
Dear Mr. Westphal,

yes it is academic and what I want to do is user id matching on
non-local users (which means I need to connect the IP address with a
user id or something like that). What I want is to keep the full match
together, nf_queue is a target.

It should be my last year project but it seems to be impossible to
finalize due to a lack of documentation. An alternative method would be
keeping an array of structs with IP addresses and user IDs in the kernel
and use those. However this way I can see what is going on in the
userspace application.

The problem is that I cannot get a correct rule created in nft (auth or
numbers after it are always underlined). For example all of those fail:

* auth
* auth 1
* auth user 1
* auth 1 1

so I think it cannot find the auth module or something other goes wrong.
lsmod says that it looks ok:

nft_auth               16384  0
nft_reject_inet        16384  1
...
nf_tables              65536  30 nf_tables_inet,nf_tables_ipv4,nf_tables_ipv6,...,nft_auth,...

NFT always ends up with an error like this one:

update link layer protocol context:
 link layer       : inet <- network layer : none
 transport layer  : none
:1:28-33: Evaluate
add rule inet filter input auth 1 accept
                           ^^
                           $auth $1
:1:28-33: Evaluate
add rule inet filter input auth 1 accept
                           ^^
                           $auth $1
:1:28-31: Evaluate
add rule inet filter input auth 1 accept
                           $auth
Stack now 0 1
Cleanup: popping nterm input (: )
:1:28-31: Error: No symbol type information
add rule inet filter input auth 1 accept

created using this command:

nft --debug all add rule inet filter input auth 1 accept

I hope this helps you to understand the error.

On 2017-03-01 at 00:24, Florian Westphal wrote:
> Fabian Franz wrote:
>> I am working on my module but I cannot get the match visible to the nft
>> tool. Could you please give me a hint, what is wrong in the code? I have
>> uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c
> I do not know what 'visible to the nft tool' means.
> No 'obvious' mistake in the register department.
>
> My only comment is that it looks like you are re-inventing the wheels
> we already have, such as nf_log and nf_queue.
>
> If this is a learning exercise, fine, but we have real missing
> functionality that could be added instead.
>
> If this targets upstream, you should really discuss what problem wants
> to be solved. The building blocks we already have should be enough
> to do uid based authentication.
>
> (something like
> nf_log/queue -> userspace daemon -> query -> update nft set w. uid)
Re: nft authentication
Fabian Franz wrote:
> I am working on my module but I cannot get the match visible to the nft
> tool. Could you please give me a hint, what is wrong in the code? I have
> uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c

I do not know what 'visible to the nft tool' means.
No 'obvious' mistake in the register department.

My only comment is that it looks like you are re-inventing the wheels
we already have, such as nf_log and nf_queue.

If this is a learning exercise, fine, but we have real missing
functionality that could be added instead.

If this targets upstream, you should really discuss what problem wants
to be solved. The building blocks we already have should be enough
to do uid based authentication.

(something like
nf_log/queue -> userspace daemon -> query -> update nft set w. uid)
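An added sketch (not code from the thread, the kernel module or nftables) of the building-block design proposed in the reply above: a ruleset that accepts sources already present in an nft set and queues unknown ones to userspace, plus the daemon-side handler that looks up the uid and adds the address to the set with a timeout. The set name `authed`, the queue number, the 10.0.0.0/24 client subnet and the `lookup` callback are assumptions; the libnetfilter_queue receive loop is not shown, `verdict()` is what it would call per packet.

```python
"""Added sketch (not from the thread) of the design Florian outlines:
nf_queue -> userspace daemon -> lookup -> update an nft set keyed by address."""
import ipaddress
import subprocess
import time

# Constructed nft ruleset: traffic from a source already in the `authed` set is
# accepted in the kernel; other traffic from the client subnet is queued to
# userspace (queue num 0) so the daemon can look up who is behind the address.
RULESET = """\
table inet filter {
    set authed {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ip saddr @authed accept
        ip saddr 10.0.0.0/24 queue num 0
    }
}
"""

NF_DROP, NF_ACCEPT = 0, 1  # libnetfilter_queue verdict values

class AuthDaemon:
    """Userspace side. `lookup` maps an address to a uid (or None, assumed
    callback); `run` executes an argv (subprocess by default, injectable)."""

    def __init__(self, lookup, run=None, ttl=300):
        self.lookup = lookup
        self.run = run or (lambda argv: subprocess.run(argv, check=True))
        self.ttl = ttl
        self.sessions = {}  # address -> (uid, expiry timestamp)

    def verdict(self, saddr, now=None):
        """Verdict for a queued packet from `saddr`; only unknown sources get
        here because authenticated ones were accepted by the kernel rule."""
        now = time.time() if now is None else now
        addr = str(ipaddress.ip_address(saddr))  # validates the address
        uid = self.lookup(addr)
        if uid is None:
            return NF_DROP
        self.sessions[addr] = (uid, now + self.ttl)
        # Add the address to the kernel set with a timeout so the mapping
        # expires on its own; later packets from it never reach the queue.
        self.run(["nft", "add", "element", "inet", "filter", "authed",
                  f"{{ {addr} timeout {self.ttl}s }}"])
        return NF_ACCEPT
```

Loading `RULESET` with `nft -f` and running the daemon with a real nfqueue binding is left to the reader; the handler is independent of which binding delivers the packets.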
nft authentication
Hi all,

I am working on my module but I cannot get the match visible to the nft
tool. Could you please give me a hint, what is wrong in the code? I have
uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c

The match should be "auth ".

Kind regards
Fabian Franz