Running ROPE Modules In The Linux Kernel
KernelLand mode is the usual "production" mode for ROPE scripts. In this mode, a ROPE module becomes a match-module for IpTables, allowing complex tests to be performed on any combination of packet header fields (IP, UDP, TCP) and data payload.
A ROPE module can be installed in the kernel at run time using IpTables by following these steps:
- Ensure that your kernel and IpTables distribution is compiled for ROPE support (See: ManualBuilding).
- Write and compile (see Compiling) the ROPE module.
- Test and debug the module using ROPE's UserLand mode.
- Place the compiled (tested) module in /etc/rope.d/scripts
- Load the module into the kernel using an IpTables command like...
iptables -A FORWARD -m rope --script limewire -j LOG
Command Line Options
In versions after 20050315, the "-m rope" argument may be followed by one or more of the following options:
- --rope-script filename
- Indicates the name of the compiled module file to load and run. This argument must be specified once (and once only).
- --script filename
- Means exactly the same as "--rope-script". This option is retained for backwards compatibility with earlier versions.
- --rope-push-int number
- --rope-push-str string
- Pushes the string onto the stack (like --rope-push-int). Note that the string may not contain unprintable characters, control characters (such as newline or tab) or quotes, because these characters would break the "iptables-save" and "iptables-restore" commands.
- --rope-push-ip name-or-address
- Resolves the name to an IP address (or simply takes the address specified) and pushes it onto the stack. See IpAddress for details of how the pushed address is formatted and can be handled by the module. Note that if a host name is provided, it must resolve to one (and only one) address. If more than one address results, an error is thrown.
See PassingArguments for a description of how the various --rope-push-XXX options can be used to pass arguments into a rope module.
Here's an example command line showing some of these features in use:
iptables -A INPUT -m rope \
    --rope-script contlen \
    --rope-push-int 2000000 \
    --rope-push-ip www.digitage.co.uk \
    -j ACCEPT
This command appends a call to the "contlen" module to the INPUT chain, and arranges that the number 2000000 and the IP address of www.digitage.co.uk are pushed onto the stack when the module starts to run. If the module returns a yes state, the packet is accepted.
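As an added example (not part of the ROPE project or this page), the POSIX shell functions below check --rope-push-int, --rope-push-str and --rope-push-ip values against the rules described above before building the rule, so that a value which would break iptables-save/iptables-restore or an ambiguous host name is rejected up front. It assumes getent(1) is available for name lookup, and it prints the rule rather than running it.

```shell
#!/bin/sh
# Added example, not ROPE project code: validate --rope-push-* values and
# build the iptables rule. Assumes getent(1) is available for name lookup.

# --rope-push-int: an optional leading minus followed by digits only.
rope_int_ok() {
    case "$1" in
        ''|-) return 1 ;;
        -*) set -- "${1#-}" ;;
    esac
    case "$1" in *[!0-9]*) return 1 ;; esac
    return 0
}

# --rope-push-str: no newline, no quotes, nothing outside printable ASCII,
# so the value survives iptables-save / iptables-restore round trips.
rope_str_ok() {
    nl='
'
    case "$1" in *"$nl"*|*\'*|*\"*) return 1 ;; esac
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:]]'
}

# --rope-push-ip: a dotted quad is taken as-is; a host name must resolve to
# exactly one IPv4 address (getent prints one line per socket type: sort -u).
rope_ip_ok() {
    if printf '%s\n' "$1" | LC_ALL=C grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        return 0
    fi
    n=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# rope_rule CHAIN SCRIPT TARGET [int:V|str:V|ip:V]...
# Prints the rule (does not run it); returns 1 if any argument fails its check.
# Usage: rope_rule INPUT contlen ACCEPT int:2000000 ip:www.digitage.co.uk
rope_rule() {
    chain=$1; script=$2; target=$3; shift 3
    cmd="iptables -A $chain -m rope --rope-script $script"
    for arg in "$@"; do
        val=${arg#*:}
        case "$arg" in
            int:*) rope_int_ok "$val" || return 1; cmd="$cmd --rope-push-int $val" ;;
            str:*) rope_str_ok "$val" || return 1; cmd="$cmd --rope-push-str '$val'" ;;
            ip:*)  rope_ip_ok "$val"  || return 1; cmd="$cmd --rope-push-ip $val" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$cmd -j $target"
}
```

The string value is wrapped in single quotes in the printed rule; that is safe only because the check has already rejected quote characters.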