Key Pages: [ Rope Home Page | Basics (tutorial) | Language Reference | Download ]

Running ROPE Scripts In The Linux Kernel

KernelLand mode is the usual "production" mode for ROPE scipts. In this mode, a ROPE script becomes a match-module for IpTables, allowing complex tests to be performed on any combination of packet header fields (IP, UDP, TCP) and data payload.

A Rope script can be installed in the kernel at run time using IpTables by following the steps..

• Ensure that your kernel and IpTables distribution is compiled for ROPE support (See: ManualBuilding).
• Write and compile (see Compiling) the ROPE script.
• Test and debug the script using ROPE's UserLand mode.
• Place the compiled (tested) script in /etc/rope.d/scripts
• Load the script into the kernel using an IpTables command like...

iptables -A FORWARD -m rope --script limewire -j LOG

Command Line Options

In versions after 20050315, the "-m rope" argument may be followed by one or more of the following options..

• --rope-script filename
  • Indicates the name of the compiled script file to load and run. This argument must be specified once (and once only).
• --script filename
  • Means exactly the same as "--rope-script". This option is retained for backwards compatibility with earlier versions.
• --rope-push-int number
  • Pushes an integer number onto the stack, ready for collection by the script when it starts to execute. You can specify multiple instances of this argument, each one pushes a new number higher on to the stack.
• --rope-push-str string
  • Pushes the string onto the stack (like --rope-push-int). Note that the string may not contain unprintable characters, control characters (like newline, tab - etc) or quotes. This is because these characters would break the "iptables-save" and "iptables-restore" commands.
• --rope-push-ip name-or-address
  • Resolves the name to an IP address (or simply takes the address specified) and pushes it onto the stack. See IpAddress for details of how the pushed address is formatted and can be handled by the script. Note that if a host name is provided, it must resolve to one (and only one) address. If more than one address results, an error is thrown.

See PassingArguments for a description of how the various --rope-push-XXX options can be used to pass arguments into a rope script.

Here's an example command line showing some of these features in use..

iptables -A INPUT -m rope \
    --rope-script contlen \
    --rope-push-int 2000000 \
    --rope-push-ip www.lowth.com \
    -j ACCEPT

This command appends a call to the "contlen" script to the INPUT chain, and arranges that the number 2000000 and the IP address of www.lowth.com are pushed onto the stack when the script starts to run. If the script returns a yes state, the packet is accepted.

See Also

UserLand, Compiling, Basics, IpAddress

Lowth.com: [ Home | Rope | P2PWall | LinWiz | cutter | Protector - Free Antivirus software | TapeIO ]