0
votes

I'm trying to build a Netfilter module. The first stage is to accept only VLAN packets, and then check whether it is the correct VLAN ID. The problem is I don't get any VLAN packets. A simple example of the code:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/if_ether.h>

MODULE_LICENSE("GPL");

static struct nf_hook_ops nfho;

static void __exit __exit_filter(void)
{
    printk(KERN_INFO "__exit_filter\n");
    nf_unregister_hook(&nfho); /* unregister our hook */
}

/* Hook callback; the five-argument form matches the nf_hookfn of the kernel this was written against. */
static unsigned int
recv_packet_handler(const struct nf_hook_ops *ops,
                    struct sk_buff *skb,
                    const struct net_device *in,
                    const struct net_device *out,
                    int (*okfn)(struct sk_buff *))
{
    //NEED TO GET HERE VLAN PACKETS

    return NF_ACCEPT;
}

static int __init __init_filter(void)
{
    int ret;

    nfho.hook     = recv_packet_handler;
    nfho.hooknum  = NF_INET_PRE_ROUTING; /* earliest hook in the IPv4 receive path */
    nfho.pf       = PF_INET;             /* IPv4 family: the hook runs inside the IP receive path */
    nfho.priority = NF_IP_PRI_FIRST;

    ret = nf_register_hook(&nfho);
    if (ret < 0) {
        printk(KERN_ERR "nf_register_hook failed: %d\n", ret);
        return ret;
    }

    printk(KERN_INFO "insert filter\n");
    return 0;
}

module_init(__init_filter);
module_exit(__exit_filter);

I guess the problem is with nfho.pf but I'm not sure what to do. Thanks to anyone who can help.

1
The bridge in my system does not pass VLAN packets, which is why I need to catch packets at the eth0 level before they go through the bridge. So changing to NFPROTO_BRIDGE won't work either. – Izik
Would it not be better, especially if you require filtering based on VLAN tags, to do it at the eth0 tc ingress hook? Why do it at the IP layer if it's for L2 VLANs? – Chaitanya Lala
I don't know how to do this.. Can you show me an example? – Izik
I need to use the filter in my own kernel module. I tried to search the source code of tc, tcpdump and libpcap for how to get all packets, but I didn't find a way. Strangely, tcpdump does show the VLAN packets, but my module doesn't. – Izik
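The first stage the question describes (accept only tagged frames, then check the VID), as an added user-space example that is not the asker's module code: it decodes the 802.1Q/802.1ad tag from raw frame bytes and applies the VID policy, using constructed sample frames rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_ALEN      6
#define ETH_HLEN      14      /* dst MAC + src MAC + ethertype */
#define VLAN_HLEN     4       /* TPID + TCI */
#define ETH_P_8021Q   0x8100  /* customer tag (C-TAG) */
#define ETH_P_8021AD  0x88A8  /* service tag (S-TAG, outer tag of QinQ) */
#define VLAN_VID(tci) ((tci) & 0x0FFF)  /* TCI bits 11..0 */
#define VLAN_PCP(tci) ((tci) >> 13)     /* TCI bits 15..13 */
enum vlan_verdict { VLAN_MALFORMED = -1, VLAN_DROP = 0, VLAN_ACCEPT = 1 };

/* Big-endian 16-bit read that does not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the outermost tag of a raw frame: returns 1 (tagged, *tci filled),
 * 0 (untagged) or -1 (truncated: a tag is announced but its bytes are missing). */
int parse_vlan(const uint8_t *frame, size_t len, uint16_t *tci)
{
    if (len < ETH_HLEN)
        return -1;
    uint16_t proto = rd16(frame + 2 * ETH_ALEN);
    if (proto != ETH_P_8021Q && proto != ETH_P_8021AD)
        return 0;
    if (len < ETH_HLEN + VLAN_HLEN)
        return -1;                 /* never read the TCI past the end of the buffer */
    *tci = rd16(frame + ETH_HLEN);
    return 1;
}

/* Stage-one policy from the question: pass only frames tagged with allowed_vid. */
enum vlan_verdict vlan_filter(const uint8_t *frame, size_t len, uint16_t allowed_vid)
{
    uint16_t tci = 0;
    int rc = parse_vlan(frame, len, &tci);
    if (rc < 0)
        return VLAN_MALFORMED;
    if (rc == 0 || VLAN_VID(tci) != allowed_vid)
        return VLAN_DROP;
    return VLAN_ACCEPT;
}

/* Constructed sample frames (not captured traffic). TAGGED_FRAME carries an 802.1Q
 * tag with PCP 3, VID 100 (TCI 0x6064) in front of the same IPv4 payload. */
static const uint8_t TAGGED_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xAA,0xBB,
    0x81,0x00, 0x60,0x64, 0x08,0x00, 0x45,0x00,0x00,0x14 };
static const uint8_t UNTAGGED_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xAA,0xBB,
    0x08,0x00, 0x45,0x00,0x00,0x14 };
```

Inside a kernel hook the driver or the 8021q layer has usually already moved the tag into skb metadata, so a module would test skb_vlan_tag_present(skb) and compare skb_vlan_tag_get_id(skb) instead of re-reading the Ethernet header.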

1 Answer

0
votes

So, after a lot of time I found out that /config/network did not behave as expected because of configuration faults. If you want to enable VLANs in your OpenWrt you need these commands:

uci add network switch_vlan                                        # new switch_vlan section; @switch_vlan[-1] refers to it below
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan=[any number from ?-15]       # switch-internal VLAN slot
uci set network.@switch_vlan[-1].ports='0t 2t 5t'                  # 't' = tagged on that port
uci set network.@switch_vlan[-1].vid=[any number between ?-4094]   # 802.1Q VID carried on the wire
uci commit network

Pay attention that "ports" varies and is hardware dependent. On one AP I used 2t, and on another I needed 5t, so I included both to handle both cases. Your case may be different.