Q: FreshTomato iptables bpf and much more

Discussion in 'Tomato Firmware' started by Archer, Jan 14, 2019.

  1. Archer

    Archer (New Member)

    1. IPTABLES BPF does not work

    Background: the u32 module is not working, so I am trying to use BPF instead. Some packets must be detected by byte@offset.

    Since NFBPF_COMPILE is not available in either Tomato or recent x86 Linux, the bytecode is actually generated by
    I'd like to know which step is wrong.

    2. Install binaries

    Later I found it too bothersome to download tcpdump all the time, and tried to copy it to "/usr/sbin/".
    Actually the Tor bundled with FreshTomato is not a complete package. We need obfsproxy to make a connection with some bridges. Anyway, I cannot copy any executables over here.

    Some suggestions please.
     
  2. Sean B.

    Sean B. (Network Guru)

    You cannot change the read-only status of the file system, as it's loaded from the image contained in the firmware. Only the /tmp tree is r/w, as it is built in the router's RAM. As for the bpf extension for iptables, you can build a bpf kernel module for ARM or MIPS (whichever you are running) and load it manually.
     
  3. Archer

    Archer (New Member)

    I thought there was a BPF module in FreshTomato, as iptables -m bpf did give some reply.

    I am not familiar with cross-compiling; could you give some how-to guide on that, please?

    Compile a module ... anyway, how can I put this module in its file system, as the / folder is always read-only?
     
  4. Sean B.

    Sean B. (Network Guru)

    Checking the source tree, libxt_bpf.c is present. I would guess your issue is likely a syntax error; I recommend checking the xtables extensions man page.

    The best way to go for persistent r/w storage on the router is USB flash/hdd. Next to that would be the jffs partition. You then use scripts (either init/wanup/firewall or autoruns) to move files and/or create links etc. on boot.
     
  5. Archer

    Archer (New Member)

    1. BPF
    I asked the author of nfbpf_compiler, who said there is no remarkable issue in my understanding.

    And BPF requires a kernel JIT. It is something much more complicated than an included file, sir.

    2. File mount & add-ons

    Mount files/folders onto a read-only file system?
     
  6. Sean B.

    Sean B. (Network Guru)

    No, it's no more complicated than a single file. The xtables extension for bpf, in source form, exists in libxt_bpf.c. Whether or not it's been compiled for your specific build I don't know, as you haven't even stated whether you're running ARM or MIPS, let alone what model of router.

    I explained what you need to do to use add on files in my previous post.
     
  7. Archer

    Archer (New Member)

    I did state in advance that it is an ARM platform; please see the first post.

    It is the best headache maker, the Linksys EA6700.

    So, "soft/hard link" and "put into the default partitions" are not possible at all. If I need to compile something, I have to change the prefix to some /tmp .... . And anything pre-compiled for Android is not usable for us.
     
  8. Sean B.

    Sean B. (Network Guru)

    According to the iptables extensions man page under bpf, the syntax is:

    Code:
    iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT
    There is a difference between this and yours: ' vs ". I'd suggest trying it as the example shows. Also make sure that if the chain is listed in CAPS, you match it in your syntax as well.
     
  9. Archer

    Archer (New Member)

    1. Create a chain in capital letters
    2. Use ' instead of "
    3. The "true" constant value is 1 (6 0 0 1), rather than 65535 in Red Hat, or some 2xx144 in Debian/Android
    I remember that I did try ' a few days ago. It did not work.
    As you said, libxt_bpf.so is present.
     
    Last edited: Jan 16, 2019
  10. Sean B.

    Sean B. (Network Guru)

    Try specifying the protocol, and using different tables. Try the raw, mangle, and filter tables with a specified placement index:

    Code:
    iptables -t raw -I PREROUTING 1 -p tcp --dport 80 -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j DROP
    
    iptables -t mangle -I FORWARD 1 -p tcp --dport 80 -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j DROP
    
    iptables -t filter -I FORWARD 1 -p tcp --dport 80 -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j DROP
    Also, verify the bpf module is being loaded via lsmod.
     
    Last edited: Jan 16, 2019
  11. Archer

    Archer (New Member)

    Sean, I am not good at Linux actually, although I do use it heavily.
    There is merely a libxt_bpf.so file; no such .ko file.

    cat ./lib/modules/2.6.36.4brcmarm/modules.dep | grep -i bpf ---> returns an empty result.

    I think this is the reason why iptables fails to find such a chain. Is the kernel module included and enabled at compile time?
     
  12. Sean B.

    Sean B. (Network Guru)

    Run:

    Code:
    cat /proc/net/ip_tables_matches
    This will show the currently loaded iptables match modules.

    Run:

    Code:
    ls /lib/modules/2.6.36.4brcmarm/kernel/net/netfilter
    This should show the modules available to be loaded.

    Run:

    Code:
    cat /lib/modules/2.6.36.4brcmarm/modules.builtin
    This should show the modules that were built into the kernel at compile time.
     
    Last edited: Jan 16, 2019
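The checks exchanged in posts 8 to 12 lend themselves to a small script. What follows is an added example, not code from the thread or from FreshTomato: it validates the decimal `--bytecode` string format used in posts 8 and 10 (declared instruction count, four numeric fields per instruction, jump targets inside the program, a final ret) and reads /proc/net/ip_tables_matches, the file named in post 12, to confirm the bpf match is registered before the rule is inserted. The `--apply` entry point, the BusyBox-style sh/awk environment and the FORWARD/DROP rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check an `-m bpf --bytecode` string and
# the kernel's registered matches before trying to insert the rule.
# Assumes BusyBox-style POSIX sh and awk (as on FreshTomato); the match list
# path /proc/net/ip_tables_matches is the one shown in the thread.

# Validate the decimal cBPF format xt_bpf expects:
#   "<count>,<code> <jt> <jf> <k>,<code> <jt> <jf> <k>,..."
# Rejects a wrong count, instructions without exactly 4 numeric fields, jumps
# that leave the program, and a program that does not end in ret (code 6/22).
# Returns 0 if the string is well formed, 1 (with a reason on stderr) otherwise.
check_bpf_bytecode() {
    printf '%s\n' "$1" | awk -F, '
    function fail(msg) { print "bad bytecode: " msg > "/dev/stderr"; exit 1 }
    {
        n = $1 + 0
        if ($1 !~ /^[0-9]+$/ || n < 1) fail("instruction count " $1)
        if (NF - 1 != n) fail("declared " n " instructions, found " NF - 1)
        for (i = 2; i <= NF; i++) {
            idx = i - 2                        # zero-based instruction index
            if (split($i, f, " ") != 4) fail("instruction " idx " needs 4 fields: " $i)
            for (j = 1; j <= 4; j++)
                if (f[j] !~ /^[0-9]+$/) fail("non-numeric field in: " $i)
            code = f[1] + 0
            # class 5 = BPF_JMP: code 5 is ja (target via k), others are conditional (jt/jf)
            if (code == 5 && idx + 1 + f[4] >= n) fail("ja target out of range at " idx)
            if (code % 8 == 5 && code != 5 && (idx + 1 + f[2] >= n || idx + 1 + f[3] >= n))
                fail("jump target out of range at " idx)
        }
        if (code != 6 && code != 22) fail("last instruction is not ret")
    }'
}

# Is the named match (bpf, u32, ...) registered in the running kernel?
# 0 = yes, 1 = no, 2 = the proc file is unreadable. $2 overrides the path so
# the check can be run against a saved copy of the file off the router.
match_available() {
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 2
    grep -qx "$1" "$file"
}

# Usage on the router (guarded so the file can also be sourced for its functions):
#   sh bpfcheck.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # The man page example from post 8: ldb [9]; jeq #6 jt 0 jf 1; ret 1; ret 0.
    # xt_bpf runs the program over the IP header, so byte 9 is the IPv4 protocol
    # field and the program matches TCP on its own (no -p tcp needed).
    bc='4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0'
    check_bpf_bytecode "$bc" || exit 1
    match_available bpf || { echo "bpf match not registered in this kernel (check lsmod / modules.builtin)" >&2; exit 1; }
    iptables -t filter -I FORWARD 1 -m bpf --bytecode "$bc" -j DROP
fi
```

Note that in a POSIX shell the bytecode string is identical whether single- or double-quoted, since it contains no `$` or backquote; what the validator catches is the count and field errors that actually make xt_bpf reject a rule, and the match check separates "bad syntax" from "match not in this kernel", which is the distinction the thread circles around.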
  13. Archer

    Archer (New Member)

    I have to say "grep -i bpf" returns nothing on those 3 queries.

    So what shall I do next?

    BTW, I saw a duplicated u32 item in ip_tables_matches. Is this normal?

    Regards
     
    Last edited: Jan 16, 2019
  14. Sean B.

    Sean B. (Network Guru)

    You can either clone the FreshTomato repo and build the module into the firmware, or you can do as I suggested and use USB storage with an optware/entware partition (instructions are in multiple posts on this forum and elsewhere). Cross-compile the matching version of the xtables extensions for ARM, put the bpf kernel module in the optware partition and have it load on boot via a script.
     
    Last edited: Jan 16, 2019
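The boot-time procedure described in the post above, as an added example that is not FreshTomato's own script: a body for the firewall script slot named in post 4 that waits for the USB/optware mount, loads an out-of-tree xt_bpf.ko only when the kernel does not already register the bpf match, and inserts the rule idempotently (iptables -C before -I), because the firewall script is re-run on every firewall restart and would otherwise stack duplicate rules. The module path /opt/lib/modules/xt_bpf.ko, the variable names and the `--run` guard are assumptions; the bytecode is the man page example from post 8.

```shell
#!/bin/sh
# Added example, not from the thread or FreshTomato: firewall-script body that
# loads xt_bpf.ko from USB/optware storage and inserts a bpf rule exactly once.
# The paths and command names below are assumptions; they are variables so the
# script can be exercised off the router with stand-in commands.
MODULE=${MODULE:-/opt/lib/modules/xt_bpf.ko}
MATCHES=${MATCHES:-/proc/net/ip_tables_matches}
IPTABLES=${IPTABLES:-iptables}
INSMOD=${INSMOD:-insmod}
BYTECODE='4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0'   # man page example: IPv4 protocol == 6

match_registered() { grep -qx "$1" "$2" 2>/dev/null; }

# Load the module only if the kernel does not already register the bpf match.
# 0 = match available, 1 = module file missing, 2 = insmod ran but match still absent.
load_bpf_match() {
    match_registered bpf "$MATCHES" && return 0
    [ -r "$MODULE" ] || return 1
    "$INSMOD" "$MODULE" || return 2
    match_registered bpf "$MATCHES" || return 2
}

# Insert the rule once: -C succeeds if an identical rule already exists,
# so a repeated run of the firewall script adds nothing.
ensure_bpf_rule() {
    table=$1 chain=$2 target=$3
    "$IPTABLES" -t "$table" -C "$chain" -m bpf --bytecode "$BYTECODE" -j "$target" 2>/dev/null && return 0
    "$IPTABLES" -t "$table" -I "$chain" 1 -m bpf --bytecode "$BYTECODE" -j "$target"
}

# Script body: wait up to ~60 s for the USB/optware mount, then load and insert.
if [ "${1:-}" = "--run" ]; then
    i=0
    while [ ! -r "$MODULE" ] && [ "$i" -lt 12 ]; do sleep 5; i=$((i + 1)); done
    load_bpf_match || { echo "xt_bpf not available (rc=$?)" >&2; exit 1; }
    ensure_bpf_rule filter FORWARD DROP
fi
```

The wait loop matters on this platform: the firewall script can run before the USB partition is mounted, and an insmod against a path that is not there yet fails silently at the worst moment. Checking /proc/net/ip_tables_matches after insmod, rather than trusting insmod's exit status, also catches a module built against a different kernel that loads but registers nothing usable.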
  15. Archer

    Archer (New Member)

    I have never tried that. Some tutorial, please?
     