Tags: linux, kernel, iptables, netfilter, ebtables

How to write custom module for ebtables?


Basically, I want to write a kernel module that adds a possible filter to ebtables. Then I need to tell ebtables to use my filter on a bridge I have set up.

The reason I need to write my own module is that I want to introduce a delay between consecutive packets (for testing reasons). To demonstrate, my network originally has traffic like this:

+++-----------------+++-----------------+++-----------------+++-----------------

where + shows the traffic of a packet and - means no packet on the line. I want to put a bridge in between so that the pattern of the packets would change to this:

+----+----+---------+----+----+---------+----+----+---------+----+----+---------

This means that I would make sure there is a certain amount of delay between the arrival of each packet.

Now I have written the following simple code, which I basically took from linux-source/net/bridge/netfilter/ebt_ip.c:

#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>

/* Kernel API of the 2.6.28-2.6.34 era, where ebt_ip.c takes struct xt_match_param
 * and checkentry returns bool. Newer kernels hand ->match() a struct xt_action_param
 * and checkentry returns int (0 on success). */
static bool match(const struct sk_buff *skb, const struct xt_match_param *par)
{
    printk(KERN_INFO "match called\n");
    return true;  // match everything!
}

static bool check(const struct xt_mtchk_param *par)
{
    printk(KERN_INFO "check called\n");
    return true;  // pass everything!
}

static struct xt_match reg __read_mostly = {
    .name = "any",   // I made this up, but I tried also putting ip for example which didn't change anything.
    .revision = 0,
    .family = NFPROTO_BRIDGE,
    .match = match,
    .checkentry = check,
    .matchsize = XT_ALIGN(4),  // don't know what this is, so I just gave it an `int`
    .me = THIS_MODULE
};

static int __init any_init(void)
{
    return xt_register_match(&reg);
}

static void __exit any_exit(void)
{
    xt_unregister_match(&reg);
}

module_init(any_init);
module_exit(any_exit);
MODULE_LICENSE("GPL");

I successfully load the module. But it's as if it's not there. I'm not getting the logs from the match and check functions, so the bridge is clearly not considering my filter. What am I doing wrong?

I have tried many combinations of loading my filter first, setting up the bridge first or setting ebtables rules first, but none of them change anything.

P.S. The bridge itself works. I am certain that ebtables is also in effect because if I add a policy to drop packets, I don't receive them on the final computer. What I can't figure out is how to tell ebtables to also consider my filter.


Solution

  • To use a kernel module, you also need to write an appropriate plugin for the userspace program, and afterwards, insert a rule invoking it.

    If you do not have any options, do not specify any .matchsize parameter in struct xt_match (equal to specifying 0).
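Added example (written for this page; it is not kernel code, not ebtables code and not the answerer's): a user-space C model of the three pieces of kernel behaviour the answer relies on. xt_register_match() only puts the match on a per-family list; when a rule is inserted the kernel looks the match up by family and name and refuses it with -EINVAL unless XT_ALIGN(matchsize) equals the size the userspace plugin put in struct ebt_entry_match (the lookup and size check mirror ebt_check_match() and xt_check_match()); and ->match() is only ever invoked for matches that an installed rule references, which is why a loaded module with no rule never logs anything. The model_* names, the 8-byte XT_ALIGN (alignof struct _xt_align on 64-bit targets) and the sample Ethernet frame are assumptions made for the example.

```c
/* Added example (not kernel, ebtables or asker's code): a user-space model of the
 * registration, rule insertion and traversal logic the answer relies on.
 * model_* names, the 8-byte XT_ALIGN and the sample frame are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NFPROTO_BRIDGE 7                 /* value from uapi linux/netfilter.h */
#define XT_ALIGN(s) (((s) + 7u) & ~7u)   /* assumes alignof(struct _xt_align) == 8 */
#define MAX_ENTRIES 8

/* the fields of struct xt_match that the lookup, size check and traversal use */
struct model_match {
    const char *name;
    unsigned short family;
    unsigned int matchsize;              /* kernel-side size of the per-rule match data */
    bool (*match)(const unsigned char *frame, size_t len, const void *matchinfo);
    unsigned int calls;                  /* how often ->match() has run */
};
/* what the ebtables userspace plugin sends per rule (struct ebt_entry_match, simplified) */
struct model_entry_match {
    const char *name;
    unsigned int match_size;             /* the plugin's .size, already XT_ALIGNed by ebtables */
};

static struct model_match *registry[MAX_ENTRIES];   /* model of the xt match list */
static unsigned int nregistered;
static struct model_match *rules[MAX_ENTRIES];      /* installed rules: the match each invokes */
static unsigned int nrules;

/* model of xt_register_match(): the match is listed; nothing calls it yet */
int model_register_match(struct model_match *m)
{
    if (nregistered == MAX_ENTRIES)
        return -ENOSPC;
    registry[nregistered++] = m;
    return 0;
}

/* model of xt_find_match(): family and name must both agree */
static struct model_match *model_find_match(unsigned short family, const char *name)
{
    for (unsigned int i = 0; i < nregistered; i++)
        if (registry[i]->family == family && strcmp(registry[i]->name, name) == 0)
            return registry[i];
    return NULL;
}

/* model of ebt_check_match() + xt_check_match(): 0 and the rule is installed, else -errno */
int model_insert_rule(const struct model_entry_match *em)
{
    struct model_match *m = model_find_match(NFPROTO_BRIDGE, em->name);
    if (!m)
        return -ENOENT;                  /* no such match registered for the bridge family */
    if (XT_ALIGN(m->matchsize) != em->match_size)
        return -EINVAL;                  /* kernel matchsize and plugin size disagree */
    if (nrules == MAX_ENTRIES)
        return -ENOSPC;
    rules[nrules++] = m;
    return 0;
}

/* model of ebt_do_table(): only matches referenced by an installed rule see the frame */
unsigned int model_traverse(const unsigned char *frame, size_t len)
{
    unsigned int hits = 0;
    for (unsigned int i = 0; i < nrules; i++) {
        rules[i]->calls++;
        if (rules[i]->match(frame, len, NULL))
            hits++;
    }
    return hits;
}

static bool any_match(const unsigned char *frame, size_t len, const void *info)
{
    (void)frame; (void)len; (void)info;
    return true;                         /* like the asker's module: match everything */
}

static struct model_match any_reg = {
    .name = "any", .family = NFPROTO_BRIDGE,
    .matchsize = XT_ALIGN(4),            /* the value the asker's module registers */
    .match = any_match,
};

/* constructed 14-byte Ethernet header: broadcast dst, locally administered src, EtherType 0x0800 */
static const unsigned char sample_frame[14] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00 };

/* Replays the asker's situation, then the fix. Returns -1 on an unexpected outcome,
 * otherwise how many times any_match() ran in total (expected: 1). */
int demo(void)
{
    struct model_entry_match no_data = { "any", 0 };            /* plugin with .size 0 */
    struct model_entry_match sized   = { "any", XT_ALIGN(4) };  /* plugin agreeing with the kernel */

    if (model_register_match(&any_reg) != 0) return -1;
    model_traverse(sample_frame, sizeof sample_frame);   /* module loaded, bridge up, no rule */
    if (any_reg.calls != 0) return -1;                   /* nothing names "any": never consulted */
    if (model_insert_rule(&no_data) != -EINVAL) return -1; /* size 0 vs XT_ALIGN(4) = 8: rejected */
    if (model_insert_rule(&sized) != 0) return -1;       /* sizes agree: the rule is installed */
    model_traverse(sample_frame, sizeof sample_frame);   /* now the frame reaches the match */
    return (int)any_reg.calls;
}
```

In the real system the size that arrives at the kernel check is the .size of the struct ebt_u_match that the userspace plugin registers through ebt_register_match() from its _init() (extensions/ebt_ip.c in the ebtables source is the plugin counterpart of the kernel file the asker copied from), and the rule that references the match is any ebtables rule that uses one of that plugin's command-line options. ebtables has no generic `-m name` switch like iptables, so the plugin has to define at least one option for a rule to name the match, even when the match carries no data and both .size and .matchsize are left at 0.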