* Netfilter Extension Development Queries
From: Duncan Eastoe @ 2014-02-11 21:30 UTC
  To: netfilter-devel

Hello,

I wish to build an extension that strips LSRR IPv4 Options from
outgoing traffic and re-inserts them for inbound traffic. I've been
given some pointers about how to approach this which are:
    * A match extension which matches on the presence of LSRR options.
    * A target extension, similar to NAT, that removes/reinserts the
appropriate LSRR options.

On the Netfilter Extensions HOWTO I have found a match extension by
Fabrice Marie (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.6)
which should already do what I want. There is also a target extension
which strips all IP Options
(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.2).

I believe these extensions were in the deprecated Patch-O-Matic system
(?) and this has been replaced by Xtables-addons which appears to
contain an IP Options match extension but not a target extension?

Also, regarding the switch to nftables from iptables. Will my approach
listed above work with iptables and nftables or is a different
approach required for nftables?

Thank you in advance.

Duncan

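The two halves sketched in the post above (a match that checks for an LSRR option, a target that removes it), as an added userspace C example that is not code from this thread, from netfilter, xtables-addons or the Patch-O-Matic extensions linked above. It walks the IPv4 options area the way an xtables module would have to walk skb data: find_lsrr() reports whether a well-formed LSRR option (type 131) is present, strip_lsrr() writes a copy of the packet with that option removed, re-pads the options area, and recomputes IHL, total length and the header checksum. Function names, constants and the sample packet are this example's own assumptions.

```c
/* Added example, not code from the thread or from netfilter: match and
 * strip an IPv4 LSRR option on a raw packet buffer. Names and sample data
 * are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_LSRR  131   /* copied=1, class=0, number=3 (RFC 791) */

/* One's-complement checksum over len bytes; over a header whose checksum
 * field is already correct it returns 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Match half: offset of a well-formed LSRR option inside the IPv4 header,
 * or -1 if none is present or the options area is malformed. */
static int find_lsrr(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    for (size_t off = 20; off < ihl; ) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= ihl)                 /* length byte missing */
            return -1;
        size_t optlen = pkt[off + 1];
        if (optlen < 2 || off + optlen > ihl)
            return -1;                      /* option overruns the header */
        if (type == IPOPT_LSRR)             /* length = 3 + 4*hops */
            return (optlen >= 3 && (optlen - 3) % 4 == 0) ? (int)off : -1;
        off += optlen;
    }
    return -1;
}

/* Target half: copy pkt into out without the LSRR option. Other options are
 * kept in order, the area is EOL-padded to a 4-byte boundary, and IHL, total
 * length and checksum are recomputed. Returns the new packet length, or -1
 * (no LSRR, malformed options, or out too small). */
static int strip_lsrr(const uint8_t *pkt, size_t len, uint8_t *out, size_t outcap)
{
    int lsrr = find_lsrr(pkt, len);
    if (lsrr < 0)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint8_t opts[40];                       /* options area is at most 40 bytes */
    size_t n = 0;
    for (size_t i = 20; i < ihl; ) {
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { opts[n++] = type; i++; continue; }
        if (i + 1 >= ihl)
            return -1;
        size_t optlen = pkt[i + 1];
        if (optlen < 2 || i + optlen > ihl)
            return -1;
        if (i != (size_t)lsrr) {            /* keep everything except LSRR */
            memcpy(opts + n, pkt + i, optlen);
            n += optlen;
        }
        i += optlen;
    }
    while (n % 4)
        opts[n++] = IPOPT_EOL;
    size_t new_ihl = 20 + n, payload = len - ihl, newlen = new_ihl + payload;
    if (newlen > outcap)
        return -1;
    memcpy(out, pkt, 20);
    memcpy(out + 20, opts, n);
    memcpy(out + new_ihl, pkt + ihl, payload);
    out[0] = (uint8_t)(0x40 | (new_ihl / 4));
    out[2] = (uint8_t)(newlen >> 8);
    out[3] = (uint8_t)(newlen & 0xff);
    out[10] = out[11] = 0;                  /* zero the field before recomputing */
    uint16_t csum = ip_checksum(out, new_ihl);
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)(csum & 0xff);
    return (int)newlen;
}

/* Constructed sample packet: IHL 8 (32-byte header), one NOP, an LSRR with
 * two hops, then 4 bytes of payload. Input checksum is left 0 on purpose;
 * nothing here validates the input checksum. */
static const uint8_t sample_pkt[] = {
    0x48, 0x00, 0x00, 0x24,                 /* v4, IHL 8, TOS 0, total length 36 */
    0x12, 0x34, 0x40, 0x00,                 /* id, DF, fragment offset 0 */
    0x40, 0x01, 0x00, 0x00,                 /* TTL 64, proto ICMP, checksum 0 */
    192, 168, 1, 10,                        /* src */
    192, 168, 2, 20,                        /* dst */
    IPOPT_NOP,
    IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2,
    0x08, 0x00, 0xf7, 0xff,                 /* payload */
};
```

On the sample, find_lsrr() returns 21 and strip_lsrr() produces a 28-byte packet with IHL 6 (the NOP survives, padded with EOL) and a checksum that verifies to 0. Two things a real target has to add that this example leaves out: the re-insertion half is stateful, which is why the post compares it to NAT, since the stripped option must be remembered per flow and put back on the matching inbound packet; and in the kernel the same edit on an skb also means shifting the payload so the transport header still lines up with the new ihl, then refreshing the checksum with ip_send_check(). LSRR carries the copied bit, so it is replicated into every fragment; strip it before fragmentation or expect to see it again on each fragment.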

* Re: Netfilter Extension Development Queries
From: Mart Frauenlob @ 2014-02-12 22:03 UTC
  To: Duncan Eastoe; +Cc: netfilter-devel

On 11.02.2014 22:30, Duncan Eastoe wrote:
> Hello,
>
> I wish to build an extension that strips LSRR IPv4 Options from
> outgoing traffic and re-inserts it for inbound traffic. I've been
> given some pointers about how to approach this which are:
>      * A match extension which matches on the presence of LSRR options.
>      * A target extension, similar to NAT, that removes/reinserts the
> appropriate LSRR options.
>
> On the Netfilter Extensions HOWTO I have found a match extension by
> Fabrice Marie (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.6)
> which should already do what I want. There is also a target extension
> which strips all IP Options
> (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.2).
>
> I believe these extensions were in the deprecated Patch-O-Matic system
> (?) and this has been replaced by Xtables-addons which appears to
> contain an IP Options match extension but not a target extension?

Not that I'm a developer...
There's only TCPOPTSTRIP in main iptables.

>
> Also, regarding the switch to nftables from iptables. Will my approach
> listed above work with iptables and nftables or is a different
> approach required for nftables?

There is work in progress on a compat layer:
http://git.netfilter.org/iptables-nftables/
which should transparently *translate* the syntax (if implemented in
nftables).

Best regards

Mart


* Re: Netfilter Extension Development Queries
From: Arturo Borrero Gonzalez @ 2014-02-12 22:56 UTC
  To: mart.frauenlob; +Cc: Duncan Eastoe, Netfilter Development Mailing list

On 12 February 2014 23:03, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
>> Also, regarding the switch to nftables from iptables. Will my approach
>> listed above work with iptables and nftables or is a different
>> approach required for nftables?
>
>
> there is work in progress on a compat-layer:
> http://git.netfilter.org/iptables-nftables/
> which should transparently *translate* the syntax (if implemented in
> nftables).
>

I (personally) would bet on writing the extension natively using the new
framework.
I'm sure it would be nice to discuss how your new feature could be
achieved using nftables (using existing expressions or maybe new
ones).

regards
-- 
Arturo Borrero González


* Re: Netfilter Extension Development Queries
From: Duncan Eastoe @ 2014-02-13 20:50 UTC
  To: Arturo Borrero Gonzalez
  Cc: mart.frauenlob, Netfilter Development Mailing list

On 12 February 2014 23:03, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> Not that I'm a developer...
> There's only TCPOPTSTRIP in main iptables.

Yes, I haven't been able to find the IPV4OPTSTRIP patch anywhere. If
it had been, it might have been good to extend it for my needs.

On 12 February 2014 23:03, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> there is work in progress on a compat-layer:
> http://git.netfilter.org/iptables-nftables/
> which should transparently *translate* the syntax (if implemented in
> nftables).

Does this translate iptables rule syntax to nftables syntax or is it
an API compatibility layer?

On 12 February 2014 22:56, Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com> wrote:
> I (personally) would bet to write the extension natively using the new
> framework.
> I'm sure it would be nice to discuss how your new feature could be
> achieved using nftables (using existing expressions or maybe new
> ones).

So I would be correct in saying that the Netfilter hooks/API no longer
work with nftables?
If so, is there any good documentation for writing extensions for
nftables? I have found docs such as
(http://inai.de/documents/Netfilter_Modules.pdf) for netfilter.

Thank you both for your replies

Best regards,
Duncan
