| This is a big patch. |
| Hope I didn't break anything. |
| |
| --- ebtables-v2.0pre2.001/Makefile Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/Makefile Thu Apr 11 18:38:47 2002 |
| @@ -2,8 +2,7 @@ |
| |
| KERNEL_DIR?=/usr/src/linux |
| PROGNAME:=ebtables |
| -PROGVERSION:="2.0pre1 (April 2002)" |
| - |
| +PROGVERSION:="2.0pre2.001 (April 2002)" |
| |
| MANDIR?=/usr/local/man |
| CFLAGS:=-Wall -Wunused |
| --- ebtables-v2.0pre2.001/ebtables.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/ebtables.c Wed Apr 10 22:46:27 2002 |
| @@ -34,7 +34,8 @@ |
| #include <asm/types.h> |
| #include "include/ebtables_u.h" |
| |
| -// here are the number-name correspondences kept for the ethernet frame type field |
| +// here are the number-name correspondences kept for the ethernet |
| +// frame type field |
| #define PROTOCOLFILE "/etc/etherproto" |
| |
| #define DATABASEHOOKNR NF_BR_NUMHOOKS |
| @@ -81,27 +82,28 @@ |
| |
| // yup, all the possible target names |
| char* standard_targets[NUM_STANDARD_TARGETS] = { |
| - "ACCEPT" , |
| + "ACCEPT", |
| "DROP", |
| "CONTINUE", |
| }; |
| |
| // tells what happened to the old rules |
| -unsigned short *counterchanges; |
| +static unsigned short *counterchanges; |
| // holds all the data |
| -struct ebt_u_replace replace; |
| +static struct ebt_u_replace replace; |
| |
| // the chosen table |
| -struct ebt_u_table *table = NULL; |
| +static struct ebt_u_table *table = NULL; |
| // the lists of supported tables, matches, watchers and targets |
| -struct ebt_u_table *tables = NULL; |
| -struct ebt_u_match *matches = NULL; |
| -struct ebt_u_watcher *watchers = NULL; |
| -struct ebt_u_target *targets = NULL; |
| +static struct ebt_u_table *tables = NULL; |
| +static struct ebt_u_match *matches = NULL; |
| +static struct ebt_u_watcher *watchers = NULL; |
| +static struct ebt_u_target *targets = NULL; |
| |
| struct ebt_u_target *find_target(const char *name) |
| { |
| struct ebt_u_target *t = targets; |
| + |
| while(t && strcmp(t->name, name)) |
| t = t->next; |
| return t; |
| @@ -110,6 +112,7 @@ |
| struct ebt_u_match *find_match(const char *name) |
| { |
| struct ebt_u_match *m = matches; |
| + |
| while(m && strcmp(m->name, name)) |
| m = m->next; |
| return m; |
| @@ -118,6 +121,7 @@ |
| struct ebt_u_watcher *find_watcher(const char *name) |
| { |
| struct ebt_u_watcher *w = watchers; |
| + |
| while(w && strcmp(w->name, name)) |
| w = w->next; |
| return w; |
| @@ -126,17 +130,18 @@ |
| struct ebt_u_table *find_table(char *name) |
| { |
| struct ebt_u_table *t = tables; |
| + |
| while (t && strcmp(t->name, name)) |
| t = t->next; |
| return t; |
| } |
| |
| -// the pointers in here are special: |
| -// the struct ebt_target * pointer is actually a struct ebt_u_target * pointer |
| -// instead of making yet a few other structs, we just do a cast |
| -// we need a struct ebt_u_target pointer because we know the address of the data they |
| -// point to won't change. We want to allow that the struct ebt_u_target.t member can |
| -// change. |
| +// The pointers in here are special: |
| +// The struct ebt_target * pointer is actually a struct ebt_u_target * pointer. |
| +// instead of making yet a few other structs, we just do a cast. |
| +// We need a struct ebt_u_target pointer because we know the address of the data |
| +// they point to won't change. We want to allow that the struct ebt_u_target.t |
| +// member can change. |
| // Same holds for the struct ebt_match and struct ebt_watcher pointers |
| struct ebt_u_entry *new_entry; |
| |
| @@ -149,13 +154,14 @@ |
| strcpy(e->out, ""); |
| e->m_list = NULL; |
| e->w_list = NULL; |
| - // the init function of the standard target should have put the verdict on CONTINUE |
| + // the init function of the standard target should have put the verdict |
| + // on CONTINUE |
| e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET); |
| if (!e->t) |
| print_bug("Couldn't load standard target\n"); |
| } |
| |
| -// this doesn't free e, basically becoz it's lazy |
| +// this doesn't free e, becoz the calling function might need e->next |
| void free_u_entry(struct ebt_u_entry *e) |
| { |
| struct ebt_u_match_list *m_l, *m_l2; |
| @@ -178,6 +184,40 @@ |
| free(e->t); |
| } |
| |
| +// the user will use the match, so put it in new_entry |
| +static void add_match(struct ebt_u_match *m) |
| +{ |
| + struct ebt_u_match_list **m_list, *new; |
| + |
| + m->used = 1; |
| + for (m_list = &new_entry->m_list; |
| + *m_list; m_list = &(*m_list)->next); |
| + new = (struct ebt_u_match_list *) |
| + malloc(sizeof(struct ebt_u_match_list)); |
| + if (!new) |
| + print_memory(); |
| + *m_list = new; |
| + new->next = NULL; |
| + new->m = (struct ebt_entry_match *)m; |
| +} |
| + |
| +static void add_watcher(struct ebt_u_watcher *w) |
| +{ |
| + struct ebt_u_watcher_list **w_list; |
| + struct ebt_u_watcher_list *new; |
| + |
| + w->used = 1; |
| + for (w_list = &new_entry->w_list; |
| + *w_list; w_list = &(*w_list)->next); |
| + new = (struct ebt_u_watcher_list *) |
| + malloc(sizeof(struct ebt_u_watcher_list)); |
| + if (!new) |
| + print_memory(); |
| + *w_list = new; |
| + new->next = NULL; |
| + new->w = (struct ebt_entry_watcher *)w; |
| +} |
| + |
| static int global_option_offset = 0; |
| #define OPTION_OFFSET 256 |
| static struct option * |
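Review bot: add_watcher() has no comment, while add_match() directly above it does, and neither says that the new list node stores the extension pointer itself under a cast rather than a copy. I would add `// the user will use the watcher, so put it in new_entry` above add_watcher, plus a line noting that `new->m` / `new->w` really point at a struct ebt_u_match / ebt_u_watcher. Both helpers write through `new` right after `print_memory()`, so they rely on that function not returning, which this hunk does not show. The empty-bodied `for (...; *m_list; ...);` loops would read more clearly with the `;` on a line of its own.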
| @@ -196,6 +236,8 @@ |
| *options_offset = global_option_offset; |
| |
| merge = malloc(sizeof(struct option) * (num_new + num_old + 1)); |
| + if (!merge) |
| + print_memory(); |
| memcpy(merge, oldopts, num_old * sizeof(struct option)); |
| for (i = 0; i < num_new; i++) { |
| merge[num_old + i] = newopts[i]; |
| @@ -219,7 +261,8 @@ |
| print_memory(); |
| strcpy(m->m->u.name, m->name); |
| m->m->match_size = size; |
| - ebt_options = merge_options(ebt_options, m->extra_ops, &(m->option_offset)); |
| + ebt_options = merge_options |
| + (ebt_options, m->extra_ops, &(m->option_offset)); |
| m->init(m->m); |
| |
| for (i = &matches; *i; i = &((*i)->next)); |
| @@ -237,7 +280,8 @@ |
| print_memory(); |
| strcpy(w->w->u.name, w->name); |
| w->w->watcher_size = size; |
| - ebt_options = merge_options(ebt_options, w->extra_ops, &(w->option_offset)); |
| + ebt_options = merge_options |
| + (ebt_options, w->extra_ops, &(w->option_offset)); |
| w->init(w->w); |
| |
| for (i = &watchers; *i; i = &((*i)->next)); |
| @@ -255,7 +299,8 @@ |
| print_memory(); |
| strcpy(t->t->u.name, t->name); |
| t->t->target_size = size; |
| - ebt_options = merge_options(ebt_options, t->extra_ops, &(t->option_offset)); |
| + ebt_options = merge_options |
| + (ebt_options, t->extra_ops, &(t->option_offset)); |
| t->init(t->t); |
| for (i = &targets; *i; i = &((*i)->next)); |
| t->next = NULL; |
| @@ -292,7 +337,7 @@ |
| return 0; |
| } |
| |
| -/* helper function: processes a line of data from the file brebt_protocolnames */ |
| +// helper function: processes a line of data from the file /etc/etherproto |
| int get_a_line(char *buffer, char *value, FILE *ifp) |
| { |
| int i, hlp; |
| @@ -314,7 +359,7 @@ |
| |
| // buffer[0] already contains the first letter |
| for (i = 1; i < 21; i++) { |
| - hlp = fscanf(ifp, "%c", buffer+i); |
| + hlp = fscanf(ifp, "%c", buffer + i); |
| if (hlp == EOF || hlp == 0) return -1; |
| if (buffer[i] == '\t' || buffer[i] == ' ') |
| break; |
| @@ -327,7 +372,8 @@ |
| // buffer[0] already contains the first letter |
| for (i = 1; i < 5; i++) { |
| hlp = fscanf(ifp, "%c", value+i); |
| - if (value[i] == '\n' || value[i] == '\t' || value[i] == ' ' || hlp == EOF) |
| + if (value[i] == '\n' || value[i] == '\t' || |
| + value[i] == ' ' || hlp == EOF) |
| break; |
| } |
| if (i == 5) return -1; |
| @@ -342,7 +388,7 @@ |
| return 0; |
| } |
| |
| -/* helper function for list_em() */ |
| +// helper function for list_em() |
| int number_to_name(unsigned short proto, char *name) |
| { |
| FILE *ifp; |
| @@ -363,13 +409,12 @@ |
| fclose(ifp); |
| return 0; |
| } |
| - return -1; |
| } |
| |
| -/* helper function for list_rules() */ |
| +// helper function for list_rules() |
| static void list_em(int hooknr) |
| { |
| - int i, space = 0; |
| + int i, j, space = 0, digits; |
| struct ebt_u_entry *hlp; |
| struct ebt_u_match_list *m_l; |
| struct ebt_u_watcher_list *w_l; |
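Review bot: Removing the trailing `return -1;` leaves number_to_name(), which returns int, with no return statement on its final path. The loop starts outside this hunk, so this is inferred, but if it can end without reaching one of its own returns, callers that test the result, such as `if (number_to_name(ntohs(db->ethproto), name))`, would use an indeterminate value. Unless the loop provably never exits, keep `return -1;` after it.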
| @@ -379,7 +424,8 @@ |
| char name[21]; |
| |
| hlp = replace.hook_entry[hooknr]->entries; |
| - printf("\nBridge chain: %s\nPolicy: %s\n", hooknames[hooknr], standard_targets[(int)(replace.hook_entry[hooknr]->policy)]); |
| + printf("\nBridge chain: %s\nPolicy: %s\n", hooknames[hooknr], |
| + standard_targets[replace.hook_entry[hooknr]->policy]); |
| printf("nr. of entries: %d \n", replace.hook_entry[hooknr]->nentries); |
| |
| i = replace.hook_entry[hooknr]->nentries; |
| @@ -389,19 +435,18 @@ |
| } |
| |
| for (i = 0; i < replace.hook_entry[hooknr]->nentries; i++) { |
| - int j = i + 1, space2 = 0; |
| - // a little work to get nice rule numbers |
| - // this can probably be done easier - so what |
| + digits = 0; |
| + // A little work to get nice rule numbers. |
| while (j > 9) { |
| - space2++; |
| + digits++; |
| j /= 10; |
| } |
| - for (j = 0; j < space - space2; j++) |
| + for (j = 0; j < space - digits; j++) |
| printf(" "); |
| printf("%d. ", i + 1); |
| |
| - // don't print anything about the protocol if no protocol was specified |
| - // obviously this means any protocol will do |
| + // Don't print anything about the protocol if no protocol was |
| + // specified, obviously this means any protocol will do. |
| if (!(hlp->bitmask & EBT_NOPROTO)) { |
| printf("eth proto: "); |
| if (hlp->invflags & EBT_IPROTO) |
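Review bot: `j` is no longer set to `i + 1` before `while (j > 9)`. The removed `int j = i + 1, space2 = 0;` was the only place that did so, and the new loop body resets only `digits`. As written, the digit count comes from whatever `j` last held: indeterminate for the first rule unless code outside this hunk assigned it, and a leftover loop index afterwards. The padding before the rule number is therefore wrong, and the first read may be of an uninitialized variable. Start the body with `digits = 0;` followed by `j = i + 1;`.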
| @@ -416,20 +461,20 @@ |
| } |
| } |
| if (hlp->bitmask & EBT_SOURCEMAC) { |
| - int j; |
| printf("source mac: "); |
| if (hlp->invflags & EBT_ISOURCE) |
| printf("! "); |
| for (j = 0; j < ETH_ALEN; j++) |
| - printf("%02x%s", hlp->sourcemac[j], (j == ETH_ALEN - 1) ? ", " : ":"); |
| + printf("%02x%s", hlp->sourcemac[j], |
| + (j == ETH_ALEN - 1) ? ", " : ":"); |
| } |
| if (hlp->bitmask & EBT_DESTMAC) { |
| - int j; |
| printf("dest mac: "); |
| if (hlp->invflags & EBT_IDEST) |
| printf("! "); |
| for (j = 0; j < ETH_ALEN; j++) |
| - printf("%02x%s", hlp->destmac[j], (j == ETH_ALEN - 1) ? ", " : ":"); |
| + printf("%02x%s", hlp->destmac[j], |
| + (j == ETH_ALEN - 1) ? ", " : ":"); |
| } |
| if (hlp->in[0] != '\0') { |
| if (hlp->invflags & EBT_IIN) |
| @@ -462,9 +507,10 @@ |
| printf("target: "); |
| t = find_target(hlp->t->u.name); |
| if (!t) |
| - print_error("Target not found."); |
| + print_bug("Target not found"); |
| t->print(hlp, hlp->t); |
| - printf(", count = %llu", replace.counters[replace.counter_entry[hooknr] + i].pcnt); |
| + printf(", count = %llu", |
| + replace.counters[replace.counter_entry[hooknr] + i].pcnt); |
| printf("\n"); |
| hlp = hlp->next; |
| } |
| @@ -492,30 +538,30 @@ |
| struct ebt_u_watcher_list *w_l; |
| |
| printf( |
| - "%s v%s\n" |
| - "Usage:\n" |
| - "ebtables -[ADI] chain rule-specification [options]\n" |
| - "ebtables -P chain target\n" |
| - "ebtables -[LFZ] [chain]\n" |
| - "ebtables -[b] [y,n]\n" |
| - "Commands:\n" |
| - "--append -A chain : Append to chain\n" |
| - "--delete -D chain : Delete matching rule from chain\n" |
| - "--delete -D chain rulenum : Delete rule at position rulenum from chain\n" |
| - "--insert -I chain rulenum : insert rule at position rulenum in chain\n" |
| - "--list -L [chain] : List the rules in a chain or in all chains\n" |
| - "--list -L "DATABASEHOOKNAME" : List the database (if present)\n" |
| - "--flush -F [chain] : Delete all rules in chain or in all chains\n" |
| - "--zero -Z [chain] : Put counters on zero in chain or in all chains\n" |
| - "--policy -P chain target : Change policy on chain to target\n" |
| - "Options:\n" |
| - "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" |
| - "--src -s [!] address : source mac address\n" |
| - "--dst -d [!] address : destination mac address\n" |
| - "--in-if -i [!] name : network input interface name\n" |
| - "--out-if -o [!] name : network output interface name\n" |
| - "--version -V : print package version\n" |
| - "\n" , |
| +"%s v%s\n" |
| +"Usage:\n" |
| +"ebtables -[ADI] chain rule-specification [options]\n" |
| +"ebtables -P chain target\n" |
| +"ebtables -[LFZ] [chain]\n" |
| +"ebtables -[b] [y,n]\n" |
| +"Commands:\n" |
| +"--append -A chain : Append to chain\n" |
| +"--delete -D chain : Delete matching rule from chain\n" |
| +"--delete -D chain rulenum : Delete rule at position rulenum from chain\n" |
| +"--insert -I chain rulenum : insert rule at position rulenum in chain\n" |
| +"--list -L [chain] : List the rules in a chain or in all chains\n" |
| +"--list -L "DATABASEHOOKNAME" : List the database (if present)\n" |
| +"--flush -F [chain] : Delete all rules in chain or in all chains\n" |
| +"--zero -Z [chain] : Put counters on zero in chain or in all chains\n" |
| +"--policy -P chain target : Change policy on chain to target\n" |
| +"Options:\n" |
| +"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" |
| +"--src -s [!] address : source mac address\n" |
| +"--dst -d [!] address : destination mac address\n" |
| +"--in-if -i [!] name : network input interface name\n" |
| +"--out-if -o [!] name : network output interface name\n" |
| +"--version -V : print package version\n" |
| +"\n" , |
| prog_name, |
| prog_version); |
| |
| @@ -538,7 +584,7 @@ |
| exit(0); |
| } |
| |
| -/* execute command L */ |
| +// execute command L |
| static void list_rules() |
| { |
| int i; |
| @@ -563,7 +609,8 @@ |
| replace.num_counters = replace.nentries; |
| if (replace.nentries) { |
| // '+ 1' for the CNT_END |
| - if ( !(counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short))) ) |
| + if (!(counterchanges = (unsigned short *) malloc( |
| + (replace.nentries + 1) * sizeof(unsigned short)))) |
| print_memory(); |
| // done nothing special to the rules |
| for (i = 0; i < replace.nentries; i++) |
| @@ -611,12 +658,14 @@ |
| if (replace.hook_entry[replace.selected_hook]->nentries == 0) |
| exit(0); |
| oldnentries = replace.nentries; |
| - replace.nentries = replace.nentries - replace.hook_entry[replace.selected_hook]->nentries; |
| + replace.nentries = replace.nentries - |
| + replace.hook_entry[replace.selected_hook]->nentries; |
| |
| // delete the counters belonging to the specified chain |
| if (replace.nentries) { |
| // +1 for CNT_END |
| - if ( !(counterchanges = (unsigned short *)malloc((oldnentries + 1) * sizeof(unsigned short))) ) |
| + if ( !(counterchanges = (unsigned short *) |
| + malloc((oldnentries + 1) * sizeof(unsigned short))) ) |
| print_memory(); |
| cnt = counterchanges; |
| for (i = 0; i < NF_BR_NUMHOOKS; i++) { |
| @@ -660,23 +709,31 @@ |
| |
| // handle '-D chain rulenr' command |
| if (rule_nr != -1) { |
| - if (rule_nr > replace.hook_entry[replace.selected_hook]->nentries) |
| + if (rule_nr > |
| + replace.hook_entry[replace.selected_hook]->nentries) |
| return 0; |
| + // user starts counting from 1 |
| return rule_nr - 1; |
| } |
| u_e = replace.hook_entry[replace.selected_hook]->entries; |
| - // check for an existing rule (if there are duplicate rules, take the first occurance) |
| - for (i = 0; i < replace.hook_entry[replace.selected_hook]->nentries; i++, u_e = u_e->next) { |
| + // check for an existing rule (if there are duplicate rules, |
| + // take the first occurance) |
| + for (i = 0; i < replace.hook_entry[replace.selected_hook]->nentries; |
| + i++, u_e = u_e->next) { |
| if (!u_e) |
| print_bug("Hmm, trouble"); |
| if ( u_e->ethproto == new_entry->ethproto |
| - && !strncmp(u_e->in, new_entry->in, IFNAMSIZ) |
| - && !strncmp(u_e->out, new_entry->out, IFNAMSIZ) && u_e->bitmask == new_entry->bitmask) { |
| - if (new_entry->bitmask & EBT_SOURCEMAC && strncmp(u_e->sourcemac, new_entry->sourcemac, ETH_ALEN)) |
| + && !strcmp(u_e->in, new_entry->in) |
| + && !strcmp(u_e->out, new_entry->out) |
| + && u_e->bitmask == new_entry->bitmask) { |
| + if (new_entry->bitmask & EBT_SOURCEMAC && |
| + strcmp(u_e->sourcemac, new_entry->sourcemac)) |
| continue; |
| - if (new_entry->bitmask & EBT_DESTMAC && strncmp(u_e->destmac, new_entry->destmac, ETH_ALEN)) |
| + if (new_entry->bitmask & EBT_DESTMAC && |
| + strcmp(u_e->destmac, new_entry->destmac)) |
| continue; |
| - if (new_entry->bitmask != u_e->bitmask || new_entry->invflags != u_e->invflags) |
| + if (new_entry->bitmask != u_e->bitmask || |
| + new_entry->invflags != u_e->invflags) |
| continue; |
| // compare all matches |
| m_l = new_entry->m_list; |
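Review bot: The MAC comparisons now use `strcmp(u_e->sourcemac, new_entry->sourcemac)` and `strcmp(u_e->destmac, new_entry->destmac)`, but these fields are ETH_ALEN-byte binary addresses (list_em prints them byte by byte), not NUL-terminated strings. strcmp stops at the first 0x00 byte, so two different addresses that share a prefix ending in a zero byte compare equal and the rule lookup can match the wrong rule. For an address with no zero byte it reads past the array. Use `memcmp(u_e->sourcemac, new_entry->sourcemac, ETH_ALEN)` and the same for destmac. Separately, the context line `return 0;` for a rule number above nentries appears to hand the caller index 0 rather than the -1 it tests for; this is worth confirming, since the function starts outside this hunk.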
| @@ -684,7 +741,8 @@ |
| while (m_l) { |
| m = (struct ebt_u_match *)(m_l->m); |
| m_l2 = u_e->m_list; |
| - while (m_l2 && strcmp(m_l2->m->u.name, m->m->u.name)) |
| + while (m_l2 && |
| + strcmp(m_l2->m->u.name, m->m->u.name)) |
| m_l2 = m_l2->next; |
| if (!m_l2 || !m->compare(m->m, m_l2->m)) |
| goto letscontinue; |
| @@ -707,7 +765,8 @@ |
| while (w_l) { |
| w = (struct ebt_u_watcher *)(w_l->w); |
| w_l2 = u_e->w_list; |
| - while (w_l2 && strcmp(w_l2->w->u.name, w->w->u.name)) |
| + while (w_l2 && |
| + strcmp(w_l2->w->u.name, w->w->u.name)) |
| w_l2 = w_l2->next; |
| if (!w_l2 || !w->compare(w->w, w_l2->w)) |
| goto letscontinue; |
| @@ -743,8 +802,10 @@ |
| struct ebt_u_watcher_list *w_l; |
| |
| if (rule_nr != -1) { // command -I |
| - if (--rule_nr > replace.hook_entry[replace.selected_hook]->nentries) |
| - print_error("rule nr too high: %d > %d.", rule_nr, replace.hook_entry[replace.selected_hook]->nentries); |
| + if (--rule_nr > |
| + replace.hook_entry[replace.selected_hook]->nentries) |
| + print_error("rule nr too high: %d > %d", rule_nr, |
| + replace.hook_entry[replace.selected_hook]->nentries); |
| } else |
| rule_nr = replace.hook_entry[replace.selected_hook]->nentries; |
| // we're adding one rule |
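Review bot: `-I chain 0` passes the `rule_nr < 0` check in main() and is then pre-decremented here to -1, which is not greater than nentries and so is accepted as an insert position. What the rest of the function does with -1 is outside this hunk, but the lower bound is not checked; testing `rule_nr < 0 ||` in front of the existing comparison after the decrement would reject it. The error message also prints the already-decremented number, so the user sees a value one lower than the one typed.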
| @@ -754,7 +815,8 @@ |
| |
| // handle counter stuff |
| // +1 for CNT_END |
| - if ( !(counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short))) ) |
| + if ( !(counterchanges = (unsigned short *) |
| + malloc((replace.nentries + 1) * sizeof(unsigned short))) ) |
| print_memory(); |
| cnt = counterchanges; |
| for (i = 0; i < replace.selected_hook; i++) { |
| @@ -813,7 +875,7 @@ |
| struct ebt_u_entry *u_e, *u_e2; |
| |
| if ( (i = check_rule_exists(rule_nr)) == -1 ) |
| - print_error("Sorry, rule does not exists."); |
| + print_error("Sorry, rule does not exists"); |
| |
| // we're deleting a rule |
| replace.num_counters = replace.nentries; |
| @@ -827,7 +889,8 @@ |
| } |
| lentmp += i; |
| // +1 for CNT_END |
| - if ( !(counterchanges = (unsigned short *)malloc((replace.num_counters + 1) * sizeof(unsigned short))) ) |
| + if ( !(counterchanges = (unsigned short *)malloc( |
| + (replace.num_counters + 1) * sizeof(unsigned short))) ) |
| print_memory(); |
| cnt = counterchanges; |
| for (j = 0; j < lentmp; j++) { |
| @@ -871,8 +934,8 @@ |
| |
| if (zerochain == -1) { |
| // tell main() we don't update the counters |
| - // this results in tricking the kernel to zero his counters, naively expecting |
| - // userspace to update its counters. Muahahaha |
| + // this results in tricking the kernel to zero his counters, |
| + // naively expecting userspace to update its counters. Muahahaha |
| counterchanges = NULL; |
| replace.num_counters = 0; |
| } else { |
| @@ -881,7 +944,10 @@ |
| |
| if (replace.hook_entry[zerochain]->nentries == 0) |
| exit(0); |
| - counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short)); |
| + counterchanges = (unsigned short *) |
| + malloc((replace.nentries + 1) * sizeof(unsigned short)); |
| + if (!counterchanges) |
| + print_memory(); |
| cnt = counterchanges; |
| for (i = 0; i < zerochain; i++) { |
| if (!(replace.valid_hooks & (1 << i))) |
| @@ -915,10 +981,12 @@ |
| |
| // 0 : database disabled (-db n) |
| if (!(nr.nentries)) |
| - print_error("Database not present (disabled), try ebtables --db y."); |
| - (nr.nentries)--; |
| - if (!nr.nentries) print_error("Database empty."); |
| - if ( !(db = (struct brdb_dbentry *) malloc(nr.nentries * sizeof(struct brdb_dbentry))) ) |
| + print_error("Database not present" |
| + " (disabled), try ebtables --db y"); |
| + nr.nentries--; |
| + if (!nr.nentries) print_error("Database empty"); |
| + if ( !(db = (struct brdb_dbentry *) |
| + malloc(nr.nentries * sizeof(struct brdb_dbentry))) ) |
| print_memory(); |
| |
| get_db(nr.nentries, db); |
| @@ -931,7 +999,7 @@ |
| "out-if : %s\n" |
| "protocol: ", i + 1, hooknames[db->hook], db->in, db->out); |
| if (db->ethproto == IDENTIFY802_3) |
| - printf("NO PROTO, OLD 802.3 STYLE LENGTH FIELD\n"); |
| + printf("802.2/802.3 STYLE LENGTH FIELD\n"); |
| else { |
| if (number_to_name(ntohs(db->ethproto), name)) |
| printf("%x\n",ntohs(db->ethproto)); |
| @@ -943,13 +1011,13 @@ |
| exit(0); |
| } |
| |
| -// handle counter and db disabling and enabling |
| +// handle db [dis,en]abling |
| static void allowdb(char yorn) |
| { |
| __u16 decision; |
| |
| if (yorn != 'y' && yorn != 'n') |
| - print_error("Option [y] or [n] needed."); |
| + print_error("Option [y] or [n] needed"); |
| |
| if (yorn == 'y') |
| decision = BRDB_DB; |
| @@ -980,7 +1048,8 @@ |
| if (strcasecmp(buffer, name)) |
| continue; |
| i = (unsigned short) strtol(value, &bfr, 16); |
| - if (*bfr != '\0') return -1; |
| + if (*bfr != '\0') |
| + return -1; |
| new_entry->ethproto = i; |
| fclose(ifp); |
| return 0; |
| @@ -1022,7 +1091,7 @@ |
| void check_option(unsigned int *flags, unsigned int mask) |
| { |
| if (*flags & mask) |
| - print_error("Multiple use of same option not allowed."); |
| + print_error("Multiple use of same option not allowed"); |
| *flags |= mask; |
| } |
| |
| @@ -1040,17 +1109,21 @@ |
| { |
| char *buffer, allowbc = 'n'; |
| int c, i; |
| - int zerochain = -1; // this special one for the -Z option (we can have -Z <this> -L <that>) |
| + // this special one for the -Z option (we can have -Z <this> -L <that>) |
| + int zerochain = -1; |
| int policy = -1; |
| int rule_nr = -1;// used for -D chain number |
| struct ebt_u_target *t; |
| + struct ebt_u_match *m; |
| + struct ebt_u_watcher *w; |
| + struct ebt_u_match_list *m_l; |
| + struct ebt_u_watcher_list *w_l; |
| |
| - // initialize the table name, OPT_ flags and selected hook |
| + // initialize the table name, OPT_ flags, selected hook and command |
| strcpy(replace.name, "filter"); |
| replace.flags = 0; |
| replace.selected_hook = -1; |
| replace.command = 'h'; |
| - // execute the _init functions of the extensions |
| |
| new_entry = (struct ebt_u_entry *)malloc(sizeof(struct ebt_u_entry)); |
| if (!new_entry) |
| @@ -1059,7 +1132,8 @@ |
| initialize_entry(new_entry); |
| |
| // getopt saves the day |
| - while ((c = getopt_long(argc, argv, "-A:D:I:L::Z::F::P:Vhi:o:j:p:b:s:d:t:", ebt_options, NULL)) != -1) { |
| + while ((c = getopt_long(argc, argv, |
| + "-A:D:I:L::Z::F::P:Vhi:o:j:p:b:s:d:t:", ebt_options, NULL)) != -1) { |
| switch (c) { |
| |
| case 'A': // add a rule |
| @@ -1068,33 +1142,39 @@ |
| case 'I': // insert a rule |
| replace.command = c; |
| if (replace.flags & OPT_COMMAND) |
| - print_error("Multiple commands not allowed."); |
| + print_error("Multiple commands not allowed"); |
| replace.flags |= OPT_COMMAND; |
| if ((replace.selected_hook = get_hooknr(optarg)) == -1) |
| - print_error("Bad chain."); |
| - // '-' denotes another option, if no other option it must be the (optional) rule number |
| - if (c == 'D' && optind < argc && argv[optind][0] != '-') { |
| + print_error("Bad chain"); |
| + if (c == 'D' && optind < argc && |
| + argv[optind][0] != '-') { |
| rule_nr = strtol(argv[optind], &buffer, 10); |
| if (*buffer != '\0' || rule_nr < 0) |
| - print_error("Problem with the specified rule number."); |
| + print_error("Problem with the " |
| + "specified rule number"); |
| optind++; |
| } |
| if (c == 'P') { |
| if (optind >= argc) |
| - print_error("No policy specified."); |
| + print_error("No policy specified"); |
| for (i = 0; i < 2; i++) |
| - if (!strcmp(argv[optind], standard_targets[i])) |
| + if (!strcmp(argv[optind], |
| + standard_targets[i])) { |
| policy = i; |
| + break; |
| + } |
| if (policy == -1) |
| - print_error("Wrong policy."); |
| + print_error("Wrong policy"); |
| optind++; |
| } |
| if (c == 'I') { |
| if (optind >= argc) |
| - print_error("No rulenr for -I specified."); |
| + print_error("No rulenr for -I" |
| + " specified"); |
| rule_nr = strtol(argv[optind], &buffer, 10); |
| if (*buffer != '\0' || rule_nr < 0) |
| - print_error("Problem with the specified rule number."); |
| + print_error("Problem with the specified" |
| + " rule number"); |
| optind++; |
| } |
| break; |
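Review bot: Both `rule_nr = strtol(argv[optind], &buffer, 10)` calls accept an empty argument, because `*buffer != '\0'` is false when no digits were consumed, and both narrow the long result into the int `rule_nr` without a range check. Adding `buffer == argv[optind]` to the rejection test and comparing the long against INT_MAX before assigning would close both gaps. The hunk also drops the comment explaining that a following argument not starting with '-' is taken as the optional rule number for -D; I would keep it. The bare `i < 2` in the policy loop deserves a comment such as `// only ACCEPT and DROP can be a policy`, since standard_targets also contains CONTINUE.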
| @@ -1104,24 +1184,29 @@ |
| case 'Z': // zero counters |
| if (c == 'Z') { |
| if (replace.flags & OPT_ZERO) |
| - print_error("Multiple commands not allowed."); |
| - if ( (replace.flags & OPT_COMMAND && replace.command != 'L')) |
| - print_error("command -Z only allowed together with command -L."); |
| + print_error("Multiple commands" |
| + " not allowed"); |
| + if ( (replace.flags & OPT_COMMAND && |
| + replace.command != 'L')) |
| + print_error("command -Z only allowed " |
| + "together with command -L"); |
| replace.flags |= OPT_ZERO; |
| } else { |
| replace.command = c; |
| if (replace.flags & OPT_COMMAND) |
| - print_error("Multiple commands not allowed."); |
| + print_error("Multiple commands" |
| + " not allowed"); |
| replace.flags |= OPT_COMMAND; |
| } |
| i = -1; |
| if (optarg) { |
| if ( (i = get_hooknr(optarg)) == -1 ) |
| - print_error("Bad chain."); |
| + print_error("Bad chain"); |
| } else |
| if (optind < argc && argv[optind][0] != '-') { |
| - if ( (i = get_hooknr(argv[optind])) == -1 ) |
| - print_error("Bad chain."); |
| + if ((i = get_hooknr(argv[optind])) |
| + == -1) |
| + print_error("Bad chain"); |
| optind++; |
| } |
| if (i != -1) { |
| @@ -1135,47 +1220,34 @@ |
| case 'V': // version |
| replace.command = 'V'; |
| if (replace.flags & OPT_COMMAND) |
| - print_error("Multiple commands not allowed."); |
| + print_error("Multiple commands not allowed"); |
| printf("%s, %s\n", prog_name, prog_version); |
| exit(0); |
| |
| case 'h': // help |
| if (replace.flags & OPT_COMMAND) |
| - print_error("Multiple commands not allowed."); |
| + print_error("Multiple commands not allowed"); |
| replace.command = 'h'; |
| // All other arguments should be extension names |
| while (optind < argc) { |
| struct ebt_u_match *m; |
| struct ebt_u_watcher *w; |
| |
| - if ((m = find_match(argv[optind]))) { |
| - struct ebt_u_match_list **m_list, *new; |
| - |
| - m->used = 1; |
| - for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next); |
| - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); |
| - if (!new) |
| - print_memory(); |
| - *m_list = new; |
| - new->next = NULL; |
| - new->m = (struct ebt_entry_match *)m; |
| - } else if ((w = find_watcher(argv[optind]))) { |
| - struct ebt_u_watcher_list **w_list, *new; |
| - w->used = 1; |
| - for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next); |
| - new = (struct ebt_u_watcher_list *)malloc(sizeof(struct ebt_u_watcher_list)); |
| - if (!new) |
| - print_memory(); |
| - *w_list = new; |
| - new->next = NULL; |
| - new->w = (struct ebt_entry_watcher *)w; |
| - } else { |
| + if ((m = find_match(argv[optind]))) |
| + add_match(m); |
| + else if ((w = find_watcher(argv[optind]))) |
| + add_watcher(w); |
| + else { |
| if (!(t = find_target(argv[optind]))) |
| - print_error("Extension %s not found.", argv[optind]); |
| + print_error("Extension %s " |
| + "not found", argv[optind]); |
| if (replace.flags & OPT_JUMP) |
| - print_error("Sorry, you can only see help for one target extension each time."); |
| + print_error("Sorry, you can " |
| + "only see help for one " |
| + "target extension each time"); |
| replace.flags |= OPT_JUMP; |
| - new_entry->t = (struct ebt_entry_target *)t; |
| + new_entry->t = |
| + (struct ebt_entry_target *)t; |
| } |
| optind++; |
| } |
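Review bot: The `while (optind < argc)` block still declares its own `struct ebt_u_match *m;` and `struct ebt_u_watcher *w;`, which now shadow the function-scope `m` and `w` that this patch adds at the top of main(). The code behaves the same, but the duplicate declarations are easy to misread once the outer variables are used elsewhere in the switch. Drop the two inner declarations. Building with `-Wshadow` in addition to the Makefile's `-Wall -Wunused` would catch this and the inner `struct ebt_u_target *t;` in the -j branch.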
| @@ -1184,7 +1256,7 @@ |
| case 't': // table |
| check_option(&replace.flags, OPT_TABLE); |
| if (strlen(optarg) > EBT_TABLE_MAXNAMELEN) |
| - print_error("Table name too long."); |
| + print_error("Table name too long"); |
| strcpy(replace.name, optarg); |
| break; |
| |
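Review bot: The length check `strlen(optarg) > EBT_TABLE_MAXNAMELEN` lets through a name of exactly EBT_TABLE_MAXNAMELEN characters, which the following `strcpy(replace.name, optarg)` writes together with its terminator, i.e. EBT_TABLE_MAXNAMELEN + 1 bytes. If `replace.name` is declared with that size (its declaration is not on this page), that is a one-byte overflow driven by a command-line argument. The interface-name checks later in the file use `>= IFNAMSIZ`; using `>=` here as well would make the two consistent.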
| @@ -1195,56 +1267,69 @@ |
| case 's': // source mac |
| case 'd': // destination mac |
| if ((replace.flags & OPT_COMMAND) == 0) |
| - print_error("No command specified."); |
| - if ( replace.command != 'A' && replace.command != 'D' && replace.command != 'I') |
| - print_error("Command and option do not match."); |
| + print_error("No command specified"); |
| + if ( replace.command != 'A' && |
| + replace.command != 'D' && replace.command != 'I') |
| + print_error("Command and option do not match"); |
| if (c == 'i') { |
| check_option(&replace.flags, OPT_IN); |
| - if (replace.selected_hook == 2) |
| - print_error("Use in-interface only in INPUT, FORWARD and PREROUTING chains."); |
| + if (replace.selected_hook > 2) |
| + print_error("Use in-interface only in " |
| + "INPUT, FORWARD and PREROUTING chains"); |
| if (check_inverse(optarg)) |
| new_entry->invflags |= EBT_IIN; |
| |
| if (optind > argc) |
| - print_error("Missing interface argument."); |
| + print_error("No in-interface " |
| + "specified"); |
| if (strlen(argv[optind - 1]) >= IFNAMSIZ) |
| - print_error("Illegal interfacelength."); |
| - strncpy(new_entry->in, argv[optind - 1], IFNAMSIZ); |
| + print_error("Illegal interfacelength"); |
| + strcpy(new_entry->in, argv[optind - 1]); |
| break; |
| } |
| if (c == 'o') { |
| check_option(&replace.flags, OPT_OUT); |
| - if (replace.selected_hook == 0) |
| - print_error("Use out-interface only in OUTPUT, FORWARD and POSTROUTING chains."); |
| + if (replace.selected_hook < 2) |
| + print_error("Use out-interface only" |
| + " in OUTPUT, FORWARD and " |
| + "POSTROUTING chains"); |
| if (check_inverse(optarg)) |
| new_entry->invflags |= EBT_IOUT; |
| |
| if (optind > argc) |
| - print_error("Missing interface argument."); |
| + print_error("No out-interface " |
| + "specified"); |
| + |
| if (strlen(argv[optind - 1]) >= IFNAMSIZ) |
| - print_error("Illegal interface length."); |
| - strncpy(new_entry->out, argv[optind - 1], IFNAMSIZ); |
| + print_error("Illegal interface " |
| + "length"); |
| + strcpy(new_entry->out, argv[optind - 1]); |
| break; |
| } |
| if (c == 'j') { |
| |
| check_option(&replace.flags, OPT_JUMP); |
| for (i = 0; i < NUM_STANDARD_TARGETS; i++) |
| - if (!strcmp(optarg, standard_targets[i])) { |
| - t = find_target(EBT_STANDARD_TARGET); |
| - ((struct ebt_standard_target *)t->t)->verdict = i; |
| + if (!strcmp(optarg, |
| + standard_targets[i])) { |
| + t = find_target( |
| + EBT_STANDARD_TARGET); |
| + ((struct ebt_standard_target *) |
| + t->t)->verdict = i; |
| break; |
| } |
| // must be an extension then |
| if (i == NUM_STANDARD_TARGETS) { |
| struct ebt_u_target *t; |
| t = find_target(optarg); |
| - if (!t) |
| - print_error("Illegal target name."); |
| - new_entry->t = (struct ebt_entry_target *)t; |
| - } else |
| - ((struct ebt_standard_target *)(((struct ebt_u_target *)new_entry->t)->t))->verdict = i; |
| - |
| + // -j standard not allowed either |
| + if (!t || t == |
| + (struct ebt_u_target *)new_entry->t) |
| + print_error("Illegal target " |
| + "name"); |
| + new_entry->t = |
| + (struct ebt_entry_target *)t; |
| + } |
| break; |
| } |
| if (c == 's') { |
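Review bot: Replacing `strncpy(new_entry->in, argv[optind - 1], IFNAMSIZ)` with `strcpy` (and the same for `out`) makes the copy depend entirely on print_error() not returning after the `strlen(...) >= IFNAMSIZ` check, and it stops zero-filling the rest of the field. new_entry comes straight from malloc(), so the bytes after the terminator are now uninitialized; if the entry is later compared or passed on at full IFNAMSIZ width (not visible here), that is stale heap data. Either keep the padding copy or clear the field first, e.g. `memset(new_entry->in, 0, IFNAMSIZ);` before the strcpy. The new hook tests `> 2` and `< 2` would read better against named hook constants such as `NF_BR_FORWARD`, and `t = find_target(EBT_STANDARD_TARGET)` in the -j loop is dereferenced without the NULL check that initialize_entry() applies.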
| @@ -1253,9 +1338,12 @@ |
| new_entry->invflags |= EBT_ISOURCE; |
| |
| if (optind > argc) |
| - print_error("Missing source mac argument."); |
| - if (getmac(argv[optind - 1], new_entry->sourcemac)) |
| - print_error("Problem with specified source mac."); |
| + print_error("No source mac " |
| + "specified"); |
| + if (getmac(argv[optind - 1], |
| + new_entry->sourcemac)) |
| + print_error("Problem with specified " |
| + "source mac"); |
| new_entry->bitmask |= EBT_SOURCEMAC; |
| break; |
| } |
| @@ -1265,9 +1353,12 @@ |
| new_entry->invflags |= EBT_IDEST; |
| |
| if (optind > argc) |
| - print_error("Missing destination mac argument."); |
| - if (getmac(argv[optind - 1], new_entry->destmac)) |
| - print_error("Problem with specified destination mac."); |
| + print_error("No destination mac " |
| + "specified"); |
| + if (getmac(argv[optind - 1], |
| + new_entry->destmac)) |
| + print_error("Problem with specified " |
| + "destination mac"); |
| new_entry->bitmask |= EBT_DESTMAC; |
| break; |
| } |
| @@ -1276,22 +1367,26 @@ |
| new_entry->invflags |= EBT_IPROTO; |
| |
| if (optind > argc) |
| - print_error("Missing protocol argument."); |
| + print_error("No protocol specified"); |
| new_entry->bitmask &= ~((unsigned int)EBT_NOPROTO); |
| i = strtol(argv[optind - 1], &buffer, 16); |
| if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) |
| - print_error("Problem with the specified protocol."); |
| + print_error("Problem with the specified " |
| + "protocol"); |
| new_entry->ethproto = i; |
| if (*buffer != '\0') |
| if (name_to_protocol(argv[optind - 1]) == -1) |
| - print_error("Problem with the specified protocol."); |
| - if (new_entry->ethproto < 1536 && !(new_entry->bitmask & EBT_802_3)) |
| - print_error("Sorry, protocols have values above or equal to 1536 (0x0600)."); |
| + print_error("Problem with the specified" |
| + " protocol"); |
| + if (new_entry->ethproto < 1536 && |
| + !(new_entry->bitmask & EBT_802_3)) |
| + print_error("Sorry, protocols have values above" |
| + " or equal to 1536 (0x0600)"); |
| break; |
| |
| case 'b': // allow database? |
| if (replace.flags & OPT_COMMAND) |
| - print_error("Multiple commands not allowed."); |
| + print_error("Multiple commands not allowed"); |
| replace.command = c; |
| allowbc = *optarg; |
| break; |
| @@ -1300,49 +1395,32 @@ |
| |
| // is it a target option? |
| t = (struct ebt_u_target *)new_entry->t; |
| - if (!(t->parse(c - t->option_offset, argv, argc, new_entry, &t->flags, &t->t))) { |
| - struct ebt_u_match *m; |
| - |
| - // is it a match_option? |
| - for (m = matches; m; m = m->next) |
| - if (m->parse(c - m->option_offset, argv, argc, new_entry, &m->flags, &m->m)) |
| - break; |
| + if ((t->parse(c - t->option_offset, argv, argc, |
| + new_entry, &t->flags, &t->t))) |
| + continue; |
| |
| - if (m == NULL) { |
| - struct ebt_u_watcher *w; |
| + // is it a match_option? |
| + for (m = matches; m; m = m->next) |
| + if (m->parse(c - m->option_offset, argv, |
| + argc, new_entry, &m->flags, &m->m)) |
| + break; |
| |
| - // is it a watcher option? |
| - for (w = watchers; w; w = w->next) |
| - if (w->parse(c - w->option_offset, argv, argc, new_entry, &w->flags, &w->w)) |
| - break; |
| - |
| - if (w == NULL) |
| - print_error("Unknown argument."); |
| - if (w->used == 0) { |
| - struct ebt_u_watcher_list **w_list, *new; |
| - w->used = 1; |
| - for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next); |
| - new = (struct ebt_u_watcher_list *)malloc(sizeof(struct ebt_u_watcher_list)); |
| - if (!new) |
| - print_memory(); |
| - *w_list = new; |
| - new->next = NULL; |
| - new->w = (struct ebt_entry_watcher *)w; |
| - } |
| - } else { |
| - if (m->used == 0) { |
| - struct ebt_u_match_list **m_list, *new; |
| - m->used = 1; |
| - for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next); |
| - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); |
| - if (!new) |
| - print_memory(); |
| - *m_list = new; |
| - new->next = NULL; |
| - new->m = (struct ebt_entry_match *)m; |
| - } |
| - } |
| + if (m != NULL) { |
| + if (m->used == 0) |
| + add_match(m); |
| + continue; |
| } |
| + |
| + // is it a watcher option? |
| + for (w = watchers; w; w = w->next) |
| + if (w->parse(c-w->option_offset, argv, |
| + argc, new_entry, &w->flags, &w->w)) |
| + break; |
| + |
| + if (w == NULL) |
| + print_error("Unknown argument"); |
| + if (w->used == 0) |
| + add_watcher(w); |
| } |
| } |
| |
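Review bot: The `w->used` test after `if (w == NULL) print_error("Unknown argument");` at the end of the watcher lookup dereferences `w` unconditionally, so it is safe only if print_error never returns; its definition is not in this hunk. Writing the second test as `else if (w->used == 0)` keeps the flattened flow and removes that dependency. The new `continue` statements that leave the target and match branches would also benefit from a short comment such as `// option consumed, get the next one`, since the enclosing loop starts and ends outside the hunk.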
| @@ -1352,43 +1430,40 @@ |
| if (replace.command == 'L' && replace.selected_hook == DATABASEHOOKNR) |
| list_db(); |
| |
| - if ( (replace.flags & OPT_COMMAND) && replace.command != 'L' && replace.flags & OPT_ZERO ) |
| - print_error("Command -Z only allowed together with command -L."); |
| + if ( (replace.flags & OPT_COMMAND) && replace.command != 'L' && |
| + replace.flags & OPT_ZERO ) |
| + print_error("Command -Z only allowed together with command -L"); |
| |
| - if (replace.command == 'A' || replace.command == 'I' || replace.command == 'D') { |
| + if (replace.command == 'A' || replace.command == 'I' || |
| + replace.command == 'D') { |
| if (replace.selected_hook == -1) |
| - print_error("Not enough information."); |
| + print_error("Not enough information"); |
| } |
| |
| if ( !(table = find_table(replace.name)) ) |
| - print_error("Bad table name."); |
| + print_error("Bad table name"); |
| |
| // do this after parsing everything, so we can print specific info |
| if (replace.command == 'h' && !(replace.flags & OPT_ZERO)) |
| print_help(); |
| |
| // do the final checks |
| - { |
| - struct ebt_u_match_list *m_l = new_entry->m_list; |
| - struct ebt_u_match *m; |
| - struct ebt_u_watcher_list *w_l = new_entry->w_list; |
| - struct ebt_u_watcher *w; |
| - struct ebt_u_target *t = (struct ebt_u_target *)new_entry->t; |
| - |
| + m_l = new_entry->m_list; |
| + w_l = new_entry->w_list; |
| + t = (struct ebt_u_target *)new_entry->t; |
| while (m_l) { |
| m = (struct ebt_u_match *)(m_l->m); |
| - m->final_check(new_entry, m->m, replace.name, replace.selected_hook); |
| + m->final_check(new_entry, m->m, replace.name, |
| + replace.selected_hook); |
| m_l = m_l->next; |
| } |
| - |
| while (w_l) { |
| w = (struct ebt_u_watcher *)(w_l->w); |
| - w->final_check(new_entry, w->w, replace.name, replace.selected_hook); |
| + w->final_check(new_entry, w->w, replace.name, |
| + replace.selected_hook); |
| w_l = w_l->next; |
| } |
| - |
| t->final_check(new_entry, t->t, replace.name, replace.selected_hook); |
| - } |
| |
| // so, the extensions can work with the host endian |
| // the kernel does not have to do this ofcourse |
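Review bot: The re-wrapped `-Z` condition leaves `replace.flags & OPT_ZERO` unparenthesized on its second line, while the first operand of the same condition is parenthesized. It evaluates as intended because `&` binds tighter than `&&`, but `(replace.flags & OPT_ZERO)` would match the rest of the expression and the `!(replace.flags & OPT_ZERO)` test a few lines below. The surrounding function starts and ends outside the hunk.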
| @@ -1396,10 +1471,10 @@ |
| |
| // get the kernel's information |
| get_table(&replace); |
| - replace.nentries = replace.nentries; |
| // check if selected_hook is a valid_hook |
| - if (replace.selected_hook >= 0 && !(replace.valid_hooks & (1 << replace.selected_hook))) |
| - print_error("Bad chain name."); |
| + if (replace.selected_hook >= 0 && |
| + !(replace.valid_hooks & (1 << replace.selected_hook))) |
| + print_error("Bad chain name"); |
| if (replace.command == 'P') |
| change_policy(policy); |
| else if (replace.command == 'L') { |
| --- ebtables-v2.0pre2.001/communication.c Wed Apr 3 17:22:39 2002 |
| +++ ebtables-v2.0pre2.002/communication.c Wed Apr 10 22:10:49 2002 |
| @@ -25,12 +25,6 @@ |
| |
| extern char* hooknames[NF_BR_NUMHOOKS]; |
| |
| -void print_memory() |
| -{ |
| - printf("Out of memory\n"); |
| - exit(0); |
| -} |
| - |
| int sockfd = -1; |
| |
| void get_sockfd() |
| @@ -38,7 +32,7 @@ |
| if (sockfd == -1) { |
| sockfd = socket(AF_INET, SOCK_RAW, PF_INET); |
| if (sockfd < 0) |
| - print_error("Problem getting a socket."); |
| + print_error("Problem getting a socket"); |
| } |
| } |
| |
| @@ -60,7 +54,8 @@ |
| new->nentries = u_repl->nentries; |
| new->num_counters = u_repl->num_counters; |
| new->counters = u_repl->counters; |
| - memcpy(new->counter_entry, u_repl->counter_entry, sizeof(new->counter_entry)); |
| + memcpy(new->counter_entry, u_repl->counter_entry, |
| + sizeof(new->counter_entry)); |
| // determine size |
| for (i = 0; i < NF_BR_NUMHOOKS; i++) { |
| if (!(new->valid_hooks & (1 << i))) |
| @@ -86,7 +81,8 @@ |
| } |
| // a little sanity check |
| if (j != u_repl->hook_entry[i]->nentries) |
| - print_bug("Wrong nentries: %d != %d, hook = %s", j, u_repl->hook_entry[i]->nentries, hooknames[i]); |
| + print_bug("Wrong nentries: %d != %d, hook = %s", j, |
| + u_repl->hook_entry[i]->nentries, hooknames[i]); |
| } |
| |
| new->entries_size = entries_size; |
| @@ -116,7 +112,8 @@ |
| tmp->ethproto = e->ethproto; |
| memcpy(tmp->in, e->in, sizeof(tmp->in)); |
| memcpy(tmp->out, e->out, sizeof(tmp->out)); |
| - memcpy(tmp->sourcemac, e->sourcemac, sizeof(tmp->sourcemac)); |
| + memcpy(tmp->sourcemac, e->sourcemac, |
| + sizeof(tmp->sourcemac)); |
| memcpy(tmp->destmac, e->destmac, sizeof(tmp->destmac)); |
| |
| base = p; |
| @@ -159,11 +156,13 @@ |
| // give the data to the kernel |
| optlen = sizeof(struct ebt_replace) + repl->entries_size; |
| if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen)) |
| - print_error("Couldn't update kernel chains, you probably need to insmod an extension."); |
| + print_error("Couldn't update kernel chains, you probably need " |
| + "to insmod an extension"); |
| } |
| |
| // gets executed after deliver_table |
| -void deliver_counters(struct ebt_u_replace *u_repl, unsigned short *counterchanges) |
| +void |
| +deliver_counters(struct ebt_u_replace *u_repl, unsigned short *counterchanges) |
| { |
| unsigned short *point; |
| struct ebt_counter *old, *new, *newcounters; |
| @@ -173,7 +172,8 @@ |
| if (u_repl->nentries == 0) |
| return; |
| |
| - newcounters = (struct ebt_counter *)malloc(u_repl->nentries * sizeof(struct ebt_counter)); |
| + newcounters = (struct ebt_counter *) |
| + malloc(u_repl->nentries * sizeof(struct ebt_counter)); |
| if (!newcounters) |
| print_memory(); |
| memset(newcounters, 0, u_repl->nentries * sizeof(struct ebt_counter)); |
| @@ -208,7 +208,8 @@ |
| free(u_repl->counters); |
| u_repl->counters = newcounters; |
| u_repl->num_counters = u_repl->nentries; |
| - optlen = u_repl->nentries * sizeof(struct ebt_counter) + sizeof(struct ebt_replace); |
| + optlen = u_repl->nentries * sizeof(struct ebt_counter) + |
| + sizeof(struct ebt_replace); |
| // now put the stuff in the kernel's struct ebt_replace |
| repl.counters = u_repl->counters; |
| repl.num_counters = u_repl->num_counters; |
| @@ -224,7 +225,8 @@ |
| { |
| struct ebt_u_match_list *new; |
| |
| - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); |
| + new = (struct ebt_u_match_list *) |
| + malloc(sizeof(struct ebt_u_match_list)); |
| if (!new) |
| print_memory(); |
| new->m = (struct ebt_entry_match *)malloc(m->match_size); |
| @@ -235,12 +237,14 @@ |
| **l = new; |
| *l = &new->next; |
| if (find_match(new->m->u.name) == NULL) |
| - print_error("Kernel match %s unsupported by userspace tool.", new->m->u.name); |
| + print_error("Kernel match %s unsupported by userspace tool", |
| + new->m->u.name); |
| return 0; |
| } |
| |
| static int |
| -ebt_translate_watcher(struct ebt_entry_watcher *w, struct ebt_u_watcher_list ***l) |
| +ebt_translate_watcher(struct ebt_entry_watcher *w, |
| + struct ebt_u_watcher_list ***l) |
| { |
| struct ebt_u_watcher_list *new; |
| |
| @@ -255,13 +259,15 @@ |
| **l = new; |
| *l = &new->next; |
| if (find_watcher(new->w->u.name) == NULL) |
| - print_error("Kernel watcher %s unsupported by userspace tool.", new->w->u.name); |
| + print_error("Kernel watcher %s unsupported by userspace tool", |
| + new->w->u.name); |
| return 0; |
| } |
| |
| static int |
| -ebt_translate_entry(struct ebt_entry *e, unsigned int *hook, int *n, int *cnt, int *totalcnt, |
| - struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, unsigned int valid_hooks) |
| +ebt_translate_entry(struct ebt_entry *e, unsigned int *hook, int *n, int *cnt, |
| + int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, |
| + unsigned int valid_hooks) |
| { |
| // an entry |
| if (e->bitmask & EBT_ENTRY_OR_ENTRIES) { |
| @@ -295,7 +301,8 @@ |
| if (!new->t) |
| print_memory(); |
| if (find_target(t->u.name) == NULL) |
| - print_error("Kernel target %s unsupported by userspace tool.", t->u.name); |
| + print_error("Kernel target %s unsupported by " |
| + "userspace tool", t->u.name); |
| memcpy(new->t, t, t->target_size); |
| |
| // I love pointers |
| @@ -304,7 +311,7 @@ |
| (*cnt)++; |
| (*totalcnt)++; |
| return 0; |
| - } else {// a new chain |
| + } else { // a new chain |
| int i; |
| struct ebt_entries *entries = (struct ebt_entries *)e; |
| struct ebt_u_entries *new; |
| @@ -319,7 +326,8 @@ |
| print_bug("Nr of entries in the chain is wrong"); |
| *n = entries->nentries; |
| *cnt = 0; |
| - new = (struct ebt_u_entries *)malloc(sizeof(struct ebt_u_entries)); |
| + new = (struct ebt_u_entries *) |
| + malloc(sizeof(struct ebt_u_entries)); |
| if (!new) |
| print_memory(); |
| new->nentries = entries->nentries; |
| @@ -344,12 +352,14 @@ |
| optlen = sizeof(struct ebt_replace); |
| strcpy(repl.name, u_repl->name); |
| if (getsockopt(sockfd, IPPROTO_IP, EBT_SO_GET_INFO, &repl, &optlen)) |
| - print_bug("hmm, what is wrong??? bug#3"); |
| + print_error("A kernel module needed by your command is probably" |
| + " not loaded. Try insmod ebtables or the like"); |
| |
| if ( !(repl.entries = (char *) malloc(repl.entries_size)) ) |
| print_memory(); |
| if (repl.nentries) { |
| - if (!(repl.counters = (struct ebt_counter *) malloc(repl.nentries * sizeof(struct ebt_counter))) ) |
| + if (!(repl.counters = (struct ebt_counter *) |
| + malloc(repl.nentries * sizeof(struct ebt_counter))) ) |
| print_memory(); |
| } |
| else |
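Review bot: The new message on the `EBT_SO_GET_INFO` failure path blames a missing module for every getsockopt failure, and the errno that would distinguish that from, for example, insufficient privilege is dropped. print_error is called with format arguments elsewhere in this file, so the reason can be appended: `print_error("Could not get table info from the kernel (%s); is the ebtables module loaded?", strerror(errno));`, assuming `<errno.h>` and `<string.h>` are included. Separately, `strcpy(repl.name, u_repl->name)` just above has no visible bound; if the name length is not checked before this point, a bounded copy is safer. The function starts before and continues after this hunk.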
| @@ -357,7 +367,8 @@ |
| |
| // we want to receive the counters |
| repl.num_counters = repl.nentries; |
| - optlen += repl.entries_size + repl.num_counters * sizeof(struct ebt_counter); |
| + optlen += repl.entries_size + repl.num_counters * |
| + sizeof(struct ebt_counter); |
| if (getsockopt(sockfd, IPPROTO_IP, EBT_SO_GET_ENTRIES, &repl, &optlen)) |
| print_bug("hmm, what is wrong??? bug#1"); |
| |
| @@ -367,12 +378,15 @@ |
| u_repl->nentries = repl.nentries; |
| u_repl->num_counters = repl.num_counters; |
| u_repl->counters = repl.counters; |
| - memcpy(u_repl->counter_entry, repl.counter_entry, sizeof(repl.counter_entry)); |
| + memcpy(u_repl->counter_entry, repl.counter_entry, |
| + sizeof(repl.counter_entry)); |
| hook = -1; |
| i = 0; // holds the expected nr. of entries for the chain |
| j = 0; // holds the up to now counted entries for the chain |
| - k = 0; // holds the total nr. of entries, should equal u_repl->nentries afterwards |
| - EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks); |
| + k = 0; // holds the total nr. of entries, |
| + // should equal u_repl->nentries afterwards |
| + EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, |
| + &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks); |
| if (k != u_repl->nentries) |
| print_bug("Wrong total nentries"); |
| } |
| @@ -384,7 +398,8 @@ |
| get_sockfd(); |
| |
| if (getsockopt(sockfd, IPPROTO_IP, BRDB_SO_GET_DBINFO, nr, &optlen)) |
| - print_error("Sorry, br_db code probably not in kernel, try insmod br_db."); |
| + print_error("Sorry, br_db code probably not in kernel, " |
| + "try insmod br_db"); |
| } |
| |
| void get_db(int len, struct brdb_dbentry *db) |
| @@ -405,5 +420,6 @@ |
| get_sockfd(); |
| |
| if (setsockopt(sockfd, IPPROTO_IP, BRDB_SO_SET_ALLOWDB, decision, optlen)) |
| - print_error("Sorry, br_db code probably not in kernel, try insmod br_db."); |
| + print_error("Sorry, br_db code probably not in kernel, " |
| + "try insmod br_db"); |
| } |
| --- ebtables-v2.0pre2.001/extensions/ebt_nat.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebt_nat.c Thu Apr 11 18:12:55 2002 |
| @@ -52,8 +52,9 @@ |
| } |
| |
| #define OPT_SNAT 0x01 |
| -static int parse_s(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_target **target) |
| +static int parse_s(int c, char **argv, int argc, |
| + const struct ebt_u_entry *entry, unsigned int *flags, |
| + struct ebt_entry_target **target) |
| { |
| struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data; |
| |
| @@ -62,7 +63,7 @@ |
| check_option(flags, OPT_SNAT); |
| to_source_supplied = 1; |
| if (getmac(optarg, natinfo->mac)) |
| - print_error("Problem with specified to-source mac."); |
| + print_error("Problem with specified to-source mac"); |
| break; |
| default: |
| return 0; |
| @@ -71,8 +72,9 @@ |
| } |
| |
| #define OPT_DNAT 0x01 |
| -static int parse_d(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_target **target) |
| +static int parse_d(int c, char **argv, int argc, |
| + const struct ebt_u_entry *entry, unsigned int *flags, |
| + struct ebt_entry_target **target) |
| { |
| struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data; |
| |
| @@ -81,7 +83,8 @@ |
| check_option(flags, OPT_DNAT); |
| to_dest_supplied = 1; |
| if (getmac(optarg, natinfo->mac)) |
| - print_error("Problem with specified to-destination mac."); |
| + print_error("Problem with specified " |
| + "to-destination mac"); |
| break; |
| default: |
| return 0; |
| @@ -89,44 +92,52 @@ |
| return 1; |
| } |
| |
| -static void final_check_s(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| +static void final_check_s(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| { |
| if (hook != NF_BR_POST_ROUTING || strcmp(name, "nat")) |
| - print_error("Wrong chain for SNAT."); |
| + print_error("Wrong chain for SNAT"); |
| if (to_source_supplied == 0) |
| - print_error("No snat address supplied."); |
| + print_error("No snat address supplied"); |
| |
| } |
| |
| -static void final_check_d(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| +static void final_check_d(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| { |
| - if ( (hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) || strcmp(name, "nat") ) |
| - print_error("Wrong chain for DNAT."); |
| + if ( (hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) || |
| + strcmp(name, "nat") ) |
| + print_error("Wrong chain for DNAT"); |
| if (to_dest_supplied == 0) |
| - print_error("No dnat address supplied."); |
| + print_error("No dnat address supplied"); |
| } |
| |
| -static void print_s(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) |
| +static void print_s(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target) |
| { |
| struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; |
| int i; |
| |
| printf("snat - to: "); |
| for (i = 0; i < ETH_ALEN; i++) |
| - printf("%02x%s", natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); |
| + printf("%02x%s", |
| + natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); |
| } |
| |
| -static void print_d(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) |
| +static void print_d(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target) |
| { |
| struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; |
| int i; |
| |
| printf("dnat - to: "); |
| for (i = 0; i < ETH_ALEN; i++) |
| - printf("%02x%s", natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); |
| + printf("%02x%s", |
| + natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); |
| } |
| |
| -static int compare(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2) |
| +static int compare(const struct ebt_entry_target *t1, |
| + const struct ebt_entry_target *t2) |
| { |
| struct ebt_nat_info *natinfo1 = (struct ebt_nat_info *)t1->data; |
| struct ebt_nat_info *natinfo2 = (struct ebt_nat_info *)t2->data; |
| --- ebtables-v2.0pre2.001/extensions/ebt_ip.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebt_ip.c Wed Apr 10 23:28:40 2002 |
| @@ -40,16 +40,16 @@ |
| return -1; |
| *q = '\0'; |
| onebyte = strtol(p, &end, 10); |
| - if (*end != '\0' || onebyte >255 || onebyte < 0) |
| + if (*end != '\0' || onebyte > 255 || onebyte < 0) |
| return -1; |
| - ip2[i] = (unsigned char) onebyte; |
| + ip2[i] = (unsigned char)onebyte; |
| p = q + 1; |
| } |
| |
| onebyte = strtol(p, &end, 10); |
| if (*end != '\0' || onebyte >255 || onebyte < 0) |
| return -1; |
| - ip2[3] = (unsigned char) onebyte; |
| + ip2[3] = (unsigned char)onebyte; |
| |
| return 0; |
| } |
| @@ -88,15 +88,15 @@ |
| *p = '\0'; |
| i = ip_mask(p + 1, (unsigned char *)msk); |
| if (i) |
| - print_error("Problem with the ip mask."); |
| + print_error("Problem with the ip mask"); |
| } |
| else |
| *msk = 0xFFFFFFFF; |
| |
| i = undot_ip(address, (unsigned char *)addr); |
| - *addr = *addr & *msk; |
| if (i) |
| - print_error("Problem with the ip address."); |
| + print_error("Problem with the ip address"); |
| + *addr = *addr & *msk; |
| } |
| |
| // transform the ip mask into a string ready for output |
| @@ -106,7 +106,6 @@ |
| static char buf[20]; |
| __u32 maskaddr, bits; |
| |
| - // cool hack I copied from iptables.c ... Think about it :-) |
| maskaddr = ntohl(mask); |
| |
| // don't print /32 |
| @@ -114,7 +113,7 @@ |
| return ""; |
| |
| i = 32; |
| - bits = 0xFFFFFFFEL;// case 0xFFFFFFFF has just been dealt with |
| + bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with |
| while (--i >= 0 && maskaddr != bits) |
| bits <<= 1; |
| |
| @@ -123,9 +122,10 @@ |
| else if (!i) |
| *buf = '\0'; |
| else |
| - /* mask was not a decent combination of 1's and 0's */ |
| - sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], ((unsigned char *)&mask)[1], |
| - ((unsigned char *)&mask)[2], ((unsigned char *)&mask)[3]); |
| + // mask was not a decent combination of 1's and 0's |
| + sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], |
| + ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2], |
| + ((unsigned char *)&mask)[3]); |
| |
| return buf; |
| } |
| @@ -133,11 +133,11 @@ |
| static void print_help() |
| { |
| printf( |
| - "ip options:\n" |
| - "--ip-src [!] address[/mask]: ip source specification\n" |
| - "--ip-dst [!] address[/mask]: ip destination specification\n" |
| - "--ip-tos [!] tos : ip tos specification\n" |
| - "--ip-proto [!] protocol : ip protocol specification\n"); |
| +"ip options:\n" |
| +"--ip-src [!] address[/mask]: ip source specification\n" |
| +"--ip-dst [!] address[/mask]: ip destination specification\n" |
| +"--ip-tos [!] tos : ip tos specification\n" |
| +"--ip-proto [!] protocol : ip protocol specification\n"); |
| } |
| |
| static void init(struct ebt_entry_match *match) |
| @@ -152,9 +152,8 @@ |
| #define OPT_DEST 0x02 |
| #define OPT_TOS 0x04 |
| #define OPT_PROTO 0x08 |
| -static int parse(int c, char **argv, int argc, |
| - const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_match **match) |
| +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, |
| + unsigned int *flags, struct ebt_entry_match **match) |
| { |
| struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)(*match)->data; |
| char *end, *buffer; |
| @@ -163,13 +162,13 @@ |
| switch (c) { |
| case IP_SOURCE: |
| check_option(flags, OPT_SOURCE); |
| + ipinfo->bitmask |= EBT_IP_SOURCE; |
| + |
| case IP_DEST: |
| - if (c == IP_DEST) |
| + if (c == IP_DEST) { |
| check_option(flags, OPT_DEST); |
| - if (c == IP_SOURCE) |
| - ipinfo->bitmask |= EBT_IP_SOURCE; |
| - else |
| ipinfo->bitmask |= EBT_IP_DEST; |
| + } |
| if (check_inverse(optarg)) { |
| if (c == IP_SOURCE) |
| ipinfo->invflags |= EBT_IP_SOURCE; |
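Review bot: `case IP_SOURCE:` now falls through into `case IP_DEST:` with nothing marking this as intended, and the blank line added between them makes it look like a forgotten `break`. A comment `// fall through: the address parsing below is shared` directly before `case IP_DEST:` documents it. The switch continues outside the hunk.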
| @@ -178,34 +177,38 @@ |
| } |
| |
| if (optind > argc) |
| - print_error("Missing ip address argument."); |
| + print_error("Missing ip address argument"); |
| if (c == IP_SOURCE) |
| - parse_ip_address(argv[optind - 1], &ipinfo->saddr, &ipinfo->smsk); |
| + parse_ip_address(argv[optind - 1], &ipinfo->saddr, |
| + &ipinfo->smsk); |
| else |
| - parse_ip_address(argv[optind - 1], &ipinfo->daddr, &ipinfo->dmsk); |
| + parse_ip_address(argv[optind - 1], &ipinfo->daddr, |
| + &ipinfo->dmsk); |
| break; |
| + |
| case IP_myTOS: |
| check_option(flags, OPT_TOS); |
| if (check_inverse(optarg)) |
| ipinfo->invflags |= EBT_IP_TOS; |
| |
| if (optind > argc) |
| - print_error("Missing ip tos argument."); |
| + print_error("Missing ip tos argument"); |
| i = strtol(argv[optind - 1], &end, 16); |
| if (i < 0 || i > 255 || *buffer != '\0') |
| - print_error("Problem with specified ip tos."); |
| + print_error("Problem with specified ip tos"); |
| ipinfo->tos = i; |
| ipinfo->bitmask |= EBT_IP_TOS; |
| break; |
| + |
| case IP_PROTO: |
| check_option(flags, OPT_PROTO); |
| if (check_inverse(optarg)) |
| ipinfo->invflags |= EBT_IP_PROTO; |
| if (optind > argc) |
| - print_error("Missing ip protocol argument."); |
| + print_error("Missing ip protocol argument"); |
| i = strtol(argv[optind - 1], &end, 10); |
| if (i < 0 || i > 255 || *end != '\0') |
| - print_error("Problem with specified ip protocol."); |
| + print_error("Problem with specified ip protocol"); |
| ipinfo->protocol = i; |
| ipinfo->bitmask |= EBT_IP_PROTO; |
| break; |
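Review bot: In the `IP_myTOS` case the strtol call stores its end pointer in `end`, but the check on the next line tests `*buffer`, which is not assigned anywhere in the visible part of parse (it is only declared alongside `end`). That reads an indeterminate pointer, so trailing garbage after the number is not reliably rejected. The check should be `if (i < 0 || i > 255 || *end != '\0')`, matching the `IP_PROTO` case below. parse starts before this hunk and ends after it.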
| @@ -215,13 +218,17 @@ |
| return 1; |
| } |
| |
| -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook) |
| +static void final_check(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_match *match, const char *name, unsigned int hook) |
| { |
| - if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || entry->ethproto != ETH_P_IP) |
| - print_error("For IP filtering the protocol must be specified as IPV4."); |
| + if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || |
| + entry->ethproto != ETH_P_IP) |
| + print_error("For IP filtering the protocol must be " |
| + "specified as IPv4"); |
| } |
| |
| -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) |
| +static void print(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_match *match) |
| { |
| struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)match->data; |
| int j; |
| @@ -231,7 +238,8 @@ |
| if (ipinfo->invflags & EBT_IP_SOURCE) |
| printf("! "); |
| for (j = 0; j < 4; j++) |
| - printf("%d%s", ((unsigned char *)&ipinfo->saddr)[j], (j == 3) ? "" : "."); |
| + printf("%d%s",((unsigned char *)&ipinfo->saddr)[j], |
| + (j == 3) ? "" : "."); |
| printf("%s, ", mask_to_dotted(ipinfo->smsk)); |
| } |
| if (ipinfo->bitmask & EBT_IP_DEST) { |
| @@ -239,7 +247,8 @@ |
| if (ipinfo->invflags & EBT_IP_DEST) |
| printf("! "); |
| for (j = 0; j < 4; j++) |
| - printf("%d%s", ((unsigned char *)&ipinfo->daddr)[j], (j == 3) ? "" : "."); |
| + printf("%d%s", ((unsigned char *)&ipinfo->daddr)[j], |
| + (j == 3) ? "" : "."); |
| printf("%s, ", mask_to_dotted(ipinfo->dmsk)); |
| } |
| if (ipinfo->bitmask & EBT_IP_TOS) { |
| @@ -256,7 +265,8 @@ |
| } |
| } |
| |
| -static int compare(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2) |
| +static int compare(const struct ebt_entry_match *m1, |
| + const struct ebt_entry_match *m2) |
| { |
| struct ebt_ip_info *ipinfo1 = (struct ebt_ip_info *)m1->data; |
| struct ebt_ip_info *ipinfo2 = (struct ebt_ip_info *)m2->data; |
| --- ebtables-v2.0pre2.001/extensions/ebt_arp.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebt_arp.c Wed Apr 10 23:05:29 2002 |
| @@ -44,20 +44,20 @@ |
| int i = 0; |
| |
| printf( |
| - "arp options:\n" |
| - "--arp-opcode opcode : ARP opcode (integer or string)\n" |
| - "--arp-htype type : ARP hardware type (integer or string)\n" |
| - "--arp-ptype type : ARP protocol type (hexadecimal or string)\n" |
| - "--arp-ip-src [!] address[/mask]: ARP ip source specification\n" |
| - "--arp-ip-dst [!] address[/mask]: ARP ip target specification\n" |
| - " opcode strings: \n"); |
| +"arp options:\n" |
| +"--arp-opcode opcode : ARP opcode (integer or string)\n" |
| +"--arp-htype type : ARP hardware type (integer or string)\n" |
| +"--arp-ptype type : ARP protocol type (hexadecimal or string)\n" |
| +"--arp-ip-src [!] address[/mask]: ARP ip source specification\n" |
| +"--arp-ip-dst [!] address[/mask]: ARP ip target specification\n" |
| +" opcode strings: \n"); |
| while (strcmp(opcodes[i], "")) { |
| printf("%d = %s\n", i + 1, opcodes[i]); |
| i++; |
| } |
| printf( |
| - " hardware type string: \n 1 = Ethernet\n" |
| - " protocol type string: \n 0x0800 = IPv4\n"); |
| +" hardware type string: \n 1 = Ethernet\n" |
| +" protocol type string: \n 0x0800 = IPv4\n"); |
| } |
| |
| static void init(struct ebt_entry_match *match) |
| @@ -68,7 +68,8 @@ |
| arpinfo->bitmask = 0; |
| } |
| |
| -void parse_ip_address(char *address, __u32 *addr, __u32 *msk); // defined in ebt_ip.c |
| +// defined in ebt_ip.c |
| +void parse_ip_address(char *address, __u32 *addr, __u32 *msk); |
| |
| #define OPT_OPCODE 0x01 |
| #define OPT_HTYPE 0x02 |
| @@ -87,15 +88,14 @@ |
| |
| switch (c) { |
| case ARP_OPCODE: |
| - |
| check_option(flags, OPT_OPCODE); |
| if (check_inverse(optarg)) |
| arpinfo->invflags |= EBT_ARP_OPCODE; |
| |
| if (optind > argc) |
| - print_error("Missing arp opcode argument."); |
| + print_error("Missing arp opcode argument"); |
| i = strtol(argv[optind - 1], &end, 10); |
| - if (i < 0 || i > (0x1 << 16) || *end !='\0') { |
| + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { |
| i = 0; |
| while (strcmp(opcodes[i], "")) { |
| if (!strcasecmp(opcodes[i], optarg)) |
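Review bot: The opcode name lookup compares against `optarg` (`strcasecmp(opcodes[i], optarg)`), while the numeric parse just above it and the htype/ptype cases in the later hunks read `argv[optind - 1]`. If check_inverse moves past a leading `!` (which the `argv[optind - 1]` reads suggest, though its body is not shown), an inverted rule with a symbolic opcode would compare the table against `!` and be rejected. Using `strcasecmp(opcodes[i], argv[optind - 1])` keeps both paths on the same argument. The `>= (0x1 << 16)` bound itself looks right; the loop continues outside the hunk.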
| @@ -103,7 +103,8 @@ |
| i++; |
| } |
| if (!strcmp(opcodes[i], "")) |
| - print_error("Problem with specified arp opcode."); |
| + print_error("Problem with specified " |
| + "arp opcode"); |
| } |
| arpinfo->opcode = htons(i); |
| arpinfo->bitmask |= EBT_ARP_OPCODE; |
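Review bot: After a symbolic match `i` is the index into `opcodes[]`, and it is passed unchanged to `htons(i)`, whereas print_help in this file lists the names as `i + 1`. Unless the line between this hunk and the previous one adjusts it, the first name in the table is stored as opcode 0 instead of 1. Adding `i++; // opcodes[] is indexed by opcode - 1` after the `print_error` check inside the fallback block would make the name path agree with the help text. The start of the block is outside this hunk.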
| @@ -115,13 +116,14 @@ |
| arpinfo->invflags |= EBT_ARP_HTYPE; |
| |
| if (optind > argc) |
| - print_error("Missing arp hardware type argument."); |
| + print_error("Missing arp hardware type argument"); |
| i = strtol(argv[optind - 1], &end, 10); |
| - if (i < 0 || i > (0x1 << 16) || *end !='\0') { |
| + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { |
| if (!strcasecmp("Ethernet", argv[optind - 1])) |
| i = 1; |
| else |
| - print_error("Problem with specified arp hardware type."); |
| + print_error("Problem with specified arp " |
| + "hardware type"); |
| } |
| arpinfo->htype = htons(i); |
| arpinfo->bitmask |= EBT_ARP_HTYPE; |
| @@ -133,13 +135,14 @@ |
| arpinfo->invflags |= EBT_ARP_PTYPE; |
| |
| if (optind > argc) |
| - print_error("Missing arp protocol type argument."); |
| + print_error("Missing arp protocol type argument"); |
| i = strtol(argv[optind - 1], &end, 16); |
| - if (i < 0 || i > (0x1 << 16) || *end !='\0') { |
| + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { |
| if (!strcasecmp("IPv4", argv[optind - 1])) |
| i = 0x0800; |
| else |
| - print_error("Problem with specified arp protocol type."); |
| + print_error("Problem with specified arp " |
| + "protocol type"); |
| } |
| arpinfo->ptype = htons(i); |
| arpinfo->bitmask |= EBT_ARP_PTYPE; |
| @@ -165,7 +168,7 @@ |
| arpinfo->invflags |= EBT_ARP_DST_IP; |
| } |
| if (optind > argc) |
| - print_error("Missing ip address argument."); |
| + print_error("Missing ip address argument"); |
| parse_ip_address(argv[optind - 1], addr, mask); |
| break; |
| default: |
| @@ -174,14 +177,19 @@ |
| return 1; |
| } |
| |
| -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook) |
| +static void final_check(const struct ebt_u_entry *entry, |
| +const struct ebt_entry_match *match, const char *name, unsigned int hook) |
| { |
| - if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || (entry->ethproto != ETH_P_ARP && entry->ethproto != ETH_P_RARP)) |
| - print_error("For (R)ARP filtering the protocol must be specified as ARP or RARP."); |
| + if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || |
| + (entry->ethproto != ETH_P_ARP && entry->ethproto != ETH_P_RARP)) |
| + print_error("For (R)ARP filtering the protocol must be " |
| + "specified as ARP or RARP"); |
| } |
| |
| -char *mask_to_dotted(__u32 mask); // defined in the ebt_ip.c |
| -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) |
| +// defined in the ebt_ip.c |
| +char *mask_to_dotted(__u32 mask); |
| +static void print(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_match *match) |
| { |
| struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data; |
| int i; |
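Review bot: The hand-written prototype `char *mask_to_dotted(__u32 mask);` is never checked against the definition in ebt_ip.c, so a later signature change there would still compile and then mismatch at the call sites in `print`. Declaring it once in a header both files include, for instance `include/ebtables_u.h`, lets the compiler verify it. A one-line comment on who owns the returned `char *` would also help, since the callers pass it straight to `printf`. The body of `print` continues outside the hunk.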
| @@ -209,7 +217,8 @@ |
| if (arpinfo->invflags & EBT_ARP_SRC_IP) |
| printf("! "); |
| for (i = 0; i < 4; i++) |
| - printf("%d%s", ((unsigned char *)&arpinfo->saddr)[i], (i == 3) ? "" : "."); |
| + printf("%d%s", ((unsigned char *)&arpinfo->saddr)[i], |
| + (i == 3) ? "" : "."); |
| printf("%s, ", mask_to_dotted(arpinfo->smsk)); |
| } |
| if (arpinfo->bitmask & EBT_ARP_DST_IP) { |
| @@ -217,12 +226,14 @@ |
| if (arpinfo->invflags & EBT_ARP_DST_IP) |
| printf("! "); |
| for (i = 0; i < 4; i++) |
| - printf("%d%s", ((unsigned char *)&arpinfo->daddr)[i], (i == 3) ? "" : "."); |
| + printf("%d%s", ((unsigned char *)&arpinfo->daddr)[i], |
| + (i == 3) ? "" : "."); |
| printf("%s, ", mask_to_dotted(arpinfo->dmsk)); |
| } |
| } |
| |
| -static int compare(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2) |
| +static int compare(const struct ebt_entry_match *m1, |
| + const struct ebt_entry_match *m2) |
| { |
| struct ebt_arp_info *arpinfo1 = (struct ebt_arp_info *)m1->data; |
| struct ebt_arp_info *arpinfo2 = (struct ebt_arp_info *)m2->data; |
| --- ebtables-v2.0pre2.001/extensions/ebt_log.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebt_log.c Wed Apr 10 23:51:18 2002 |
| @@ -9,14 +9,14 @@ |
| |
| // copied from syslog.h |
| // used for the LOG target |
| -#define LOG_EMERG 0 /* system is unusable */ |
| -#define LOG_ALERT 1 /* action must be taken immediately */ |
| -#define LOG_CRIT 2 /* critical conditions */ |
| -#define LOG_ERR 3 /* error conditions */ |
| -#define LOG_WARNING 4 /* warning conditions */ |
| -#define LOG_NOTICE 5 /* normal but significant condition */ |
| -#define LOG_INFO 6 /* informational */ |
| -#define LOG_DEBUG 7 /* debug-level messages */ |
| +#define LOG_EMERG 0 // system is unusable |
| +#define LOG_ALERT 1 // action must be taken immediately |
| +#define LOG_CRIT 2 // critical conditions |
| +#define LOG_ERR 3 // error conditions |
| +#define LOG_WARNING 4 // warning conditions |
| +#define LOG_NOTICE 5 // normal but significant condition |
| +#define LOG_INFO 6 // informational |
| +#define LOG_DEBUG 7 // debug-level messages |
| #define LOG_DEFAULT_LEVEL LOG_INFO |
| |
| typedef struct _code { |
| @@ -70,16 +70,17 @@ |
| int i; |
| |
| printf( |
| - "log options:\n" |
| - "--log : use this if you're not specifying anything\n" |
| - "--log-level level : level = [1-8] or a string\n" |
| - "--log-prefix prefix : max. %d chars.\n" |
| - "--log-ip : put ip info. in the log for ip packets\n" |
| - "--log-arp : put (r)arp info. in the log for (r)arp packets\n" |
| +"log options:\n" |
| +"--log : use this if you're not specifying anything\n" |
| +"--log-level level : level = [1-8] or a string\n" |
| +"--log-prefix prefix : max. %d chars.\n" |
| +"--log-ip : put ip info. in the log for ip packets\n" |
| +"--log-arp : put (r)arp info. in the log for (r)arp packets\n" |
| , EBT_LOG_PREFIX_SIZE - 1); |
| printf("levels:\n"); |
| for (i = 0; i < 8; i++) |
| - printf("%d = %s\n", eight_priority[i].c_val, eight_priority[i].c_name); |
| + printf("%d = %s\n", eight_priority[i].c_val, |
| + eight_priority[i].c_name); |
| } |
| |
| static void init(struct ebt_entry_watcher *watcher) |
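Review bot: The help text `level = [1-8]` does not match the constants at the top of this file, where `LOG_EMERG` is 0 and `LOG_DEBUG` is 7, and the loop right below prints `c_val` for eight entries. If `eight_priority` (defined outside the hunk) carries those constants, the line should read `"--log-level level : level = [0-7] or a string\n"`. The header of the help function is outside the hunk.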
| @@ -88,7 +89,7 @@ |
| |
| loginfo->bitmask = 0; |
| loginfo->prefix[0] = '\0'; |
| - loginfo->loglevel = 6; |
| + loginfo->loglevel = LOG_NOTICE; |
| } |
| |
| #define OPT_PREFIX 0x01 |
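Review bot: Replacing the literal `6` with `LOG_NOTICE` changes the default level, because this file defines `LOG_NOTICE` as 5 and `LOG_INFO` as 6. The file already has `LOG_DEFAULT_LEVEL` (defined as `LOG_INFO`), so `loginfo->loglevel = LOG_DEFAULT_LEVEL;` keeps the old behaviour and uses the constant meant for this. If the new default is intended, the ChangeLog entry should say so, since rules created without `--log-level` will be logged at a different priority and may be routed differently by syslog. The start of `init` is outside this hunk.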
| @@ -96,9 +97,8 @@ |
| #define OPT_ARP 0x04 |
| #define OPT_IP 0x08 |
| #define OPT_LOG 0x10 |
| -static int parse(int c, char **argv, int argc, |
| - const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_watcher **watcher) |
| +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, |
| + unsigned int *flags, struct ebt_entry_watcher **watcher) |
| { |
| struct ebt_log_info *loginfo = (struct ebt_log_info *)(*watcher)->data; |
| int i; |
| @@ -108,9 +108,10 @@ |
| case LOG_PREFIX: |
| check_option(flags, OPT_PREFIX); |
| if (strlen(optarg) > sizeof(loginfo->prefix) - 1) |
| - print_error("Prefix too long."); |
| + print_error("Prefix too long"); |
| strcpy(loginfo->prefix, optarg); |
| break; |
| + |
| case LOG_LEVEL: |
| check_option(flags, OPT_LEVEL); |
| i = strtol(optarg, &end, 16); |
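Review bot: The `strcpy` into `loginfo->prefix` is safe only because `print_error` expands to a block that calls `exit`; nothing at this call site shows that the length check is fatal. Making the bound local removes that hidden dependency: `snprintf(loginfo->prefix, sizeof(loginfo->prefix), "%s", optarg);`. Otherwise add a comment above the copy such as `// print_error() does not return, so optarg fits here`. The `LOG_LEVEL` case continues outside the hunk.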
| @@ -119,16 +120,19 @@ |
| else |
| loginfo->loglevel = i; |
| if (loginfo->loglevel == 9) |
| - print_error("Problem with the log-level."); |
| + print_error("Problem with the log-level"); |
| break; |
| + |
| case LOG_IP: |
| check_option(flags, OPT_IP); |
| loginfo->bitmask |= EBT_LOG_IP; |
| break; |
| + |
| case LOG_ARP: |
| check_option(flags, OPT_ARP); |
| loginfo->bitmask |= EBT_LOG_ARP; |
| break; |
| + |
| case LOG_LOG: |
| check_option(flags, OPT_LOG); |
| break; |
| @@ -138,16 +142,18 @@ |
| return 1; |
| } |
| |
| -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher, const char *name, unsigned int hook) |
| +static void final_check(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_watcher *watcher, const char *name, unsigned int hook) |
| { |
| return; |
| } |
| |
| -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher) |
| +static void print(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_watcher *watcher) |
| { |
| struct ebt_log_info *loginfo = (struct ebt_log_info *)watcher->data; |
| |
| - printf("log: log-level = %s - log-prefix = '%s'", |
| + printf("log: log-level = %s - log-prefix = \"%s\"", |
| eight_priority[loginfo->loglevel].c_name, |
| loginfo->prefix); |
| if (loginfo->bitmask & EBT_LOG_IP) |
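Review bot: `eight_priority[loginfo->loglevel]` indexes the table without a range check, and `loginfo` is taken directly from `watcher->data`. The help routine earlier in this file iterates eight entries, so a level of 8 or more in a rule being listed would read past the array. A guard such as `loginfo->loglevel < 8 ? eight_priority[loginfo->loglevel].c_name : "unknown"` keeps listing safe. The type of `loglevel` and the size of `eight_priority` are declared outside the hunk, so confirm both, and note that `print` continues past it.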
| @@ -157,7 +163,8 @@ |
| printf(" "); |
| } |
| |
| -static int compare(const struct ebt_entry_watcher *w1, const struct ebt_entry_watcher *w2) |
| +static int compare(const struct ebt_entry_watcher *w1, |
| + const struct ebt_entry_watcher *w2) |
| { |
| struct ebt_log_info *loginfo1 = (struct ebt_log_info *)w1->data; |
| struct ebt_log_info *loginfo2 = (struct ebt_log_info *)w2->data; |
| --- ebtables-v2.0pre2.001/extensions/ebt_standard.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebt_standard.c Thu Apr 11 18:14:07 2002 |
| @@ -19,17 +19,19 @@ |
| ((struct ebt_standard_target *)t)->verdict = EBT_CONTINUE; |
| } |
| |
| -static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_target **target) |
| +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, |
| + unsigned int *flags, struct ebt_entry_target **target) |
| { |
| return 0; |
| } |
| |
| -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| +static void final_check(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target, const char *name, unsigned int hook) |
| { |
| } |
| |
| -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) |
| +static void print(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target) |
| { |
| __u8 verdict = ((struct ebt_standard_target *)target)->verdict; |
| |
| @@ -41,9 +43,11 @@ |
| printf("Drop "); |
| } |
| |
| -static int compare(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2) |
| +static int compare(const struct ebt_entry_target *t1, |
| + const struct ebt_entry_target *t2) |
| { |
| - return ((struct ebt_standard_target *)t1)->verdict == ((struct ebt_standard_target *)t2)->verdict; |
| + return ((struct ebt_standard_target *)t1)->verdict == |
| + ((struct ebt_standard_target *)t2)->verdict; |
| } |
| |
| static struct ebt_u_target standard = |
| --- ebtables-v2.0pre2.001/extensions/ebtable_filter.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebtable_filter.c Thu Apr 11 18:14:40 2002 |
| @@ -3,7 +3,8 @@ |
| #include <linux/netfilter_bridge/ebtables.h> |
| #include "../include/ebtables_u.h" |
| |
| -#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | (1 << NF_BR_LOCAL_OUT)) |
| +#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \ |
| + (1 << NF_BR_LOCAL_OUT)) |
| |
| static void print_help(char **hn) |
| { |
| --- ebtables-v2.0pre2.001/extensions/ebtable_nat.c Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/extensions/ebtable_nat.c Thu Apr 11 18:14:57 2002 |
| @@ -2,7 +2,8 @@ |
| #include <sys/socket.h> |
| #include "../include/ebtables_u.h" |
| |
| -#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | (1 << NF_BR_POST_ROUTING)) |
| +#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | \ |
| + (1 << NF_BR_POST_ROUTING)) |
| |
| static void print_help(char **hn) |
| { |
| --- ebtables-v2.0pre2.001/ChangeLog Wed Apr 3 16:56:37 2002 |
| +++ ebtables-v2.0pre2.002/ChangeLog Thu Apr 11 18:26:21 2002 |
| @@ -1,3 +1,12 @@ |
| +20020411 |
| + * -j standard no longer works, is this cryptic? good :) |
| + * lots of beautification. |
| + - made some code smaller |
| + - made everything fit within 80 columns |
| + * fix problems with -i and -o option |
| + * print_memory now prints useful info |
| + * trying to see the tables when ebtables is not loaded in kernel |
| + no longer makes this be seen as a bug. |
| 20020403 |
| ebtables v2.0 released, changes: |
| * A complete rewrite, made everything modular. |
| --- ebtables-v2.0pre2.001/include/ebtables_u.h Thu Apr 11 18:27:45 2002 |
| +++ ebtables-v2.0pre2.002/include/ebtables_u.h Wed Apr 10 22:29:01 2002 |
| @@ -38,20 +38,28 @@ |
| { |
| char name[EBT_TABLE_MAXNAMELEN]; |
| unsigned int valid_hooks; |
| - unsigned int nentries; // nr of rules in the table |
| + // nr of rules in the table |
| + unsigned int nentries; |
| struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS]; |
| - unsigned int counter_entry[NF_BR_NUMHOOKS]; // how many counters in front of it? |
| - unsigned int num_counters; // nr of counters the userspace expects back |
| - struct ebt_counter *counters; // where the kernel will put the old counters |
| - unsigned int flags; // can be used e.g. to know if a standard option has been specified twice |
| - char command; // we stick the specified command (e.g. -A) in here |
| - int selected_hook; // here we stick the hook to do our thing on (can be -1 if unspecified) |
| + // how many counters in front of it? |
| + unsigned int counter_entry[NF_BR_NUMHOOKS]; |
| + // nr of counters userspace expects back |
| + unsigned int num_counters; |
| + // where the kernel will put the old counters |
| + struct ebt_counter *counters; |
| + // can be used e.g. to know if a standard option |
| + // has been specified twice |
| + unsigned int flags; |
| + // we stick the specified command (e.g. -A) in here |
| + char command; |
| + // here we stick the hook to do our thing on (can be -1 if unspecified) |
| + int selected_hook; |
| }; |
| |
| struct ebt_u_table |
| { |
| char name[EBT_TABLE_MAXNAMELEN]; |
| - int (*check) (struct ebt_u_replace *repl); |
| + int (*check)(struct ebt_u_replace *repl); |
| void (*help)(char **); |
| struct ebt_u_table *next; |
| }; |
| @@ -70,9 +78,9 @@ |
| |
| struct ebt_u_entry |
| { |
| - __u32 bitmask; // this needs to be the first field |
| + __u32 bitmask; |
| __u32 invflags; |
| - __u16 ethproto; /* packet type ID field */ |
| + __u16 ethproto; |
| __u8 in[IFNAMSIZ]; |
| __u8 out[IFNAMSIZ]; |
| __u8 sourcemac[ETH_ALEN]; |
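Review bot: The removed comment `// this needs to be the first field` on `bitmask` documented a layout constraint that nothing else in the struct enforces. If any code still relies on `bitmask` being first (not visible here), keep the comment on its own line above the field, in the style the rest of this patch uses. The `ethproto` comment can be kept the same way as `// packet type ID field`. The struct continues outside the hunk.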
| @@ -86,35 +94,47 @@ |
| struct ebt_u_match |
| { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| - unsigned int size;// size of the real match data |
| + // size of the real match data + sizeof struct ebt_match |
| + unsigned int size; |
| void (*help)(void); |
| void (*init)(struct ebt_entry_match *m); |
| int (*parse)(int c, char **argv, int argc, |
| const struct ebt_u_entry *entry, unsigned int *flags, |
| struct ebt_entry_match **match); |
| - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook); |
| - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_match *match); |
| - int (*compare)(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2); |
| + void (*final_check)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_match *match, |
| + const char *name, unsigned int hook); |
| + void (*print)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_match *match); |
| + int (*compare)(const struct ebt_entry_match *m1, |
| + const struct ebt_entry_match *m2); |
| const struct option *extra_ops; |
| - unsigned int flags;// can be used e.g. to check for multiple occurance of the same option |
| + // can be used e.g. to check for multiple occurance of the same option |
| + unsigned int flags; |
| unsigned int option_offset; |
| struct ebt_entry_match *m; |
| - unsigned int used;// if used == 1 we no longer have to add it to the match chain of the new entry |
| + // if used == 1 we no longer have to add it to |
| + // the match chain of the new entry |
| + unsigned int used; |
| struct ebt_u_match *next; |
| }; |
| |
| struct ebt_u_watcher |
| { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| - unsigned int size;// size of the real match data |
| + unsigned int size; |
| void (*help)(void); |
| void (*init)(struct ebt_entry_watcher *w); |
| int (*parse)(int c, char **argv, int argc, |
| - const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_watcher **watcher); |
| - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watch, const char *name, unsigned int hook); |
| - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher); |
| - int (*compare)(const struct ebt_entry_watcher *w1, const struct ebt_entry_watcher *w2); |
| + const struct ebt_u_entry *entry, unsigned int *flags, |
| + struct ebt_entry_watcher **watcher); |
| + void (*final_check)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_watcher *watch, const char *name, |
| + unsigned int hook); |
| + void (*print)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_watcher *watcher); |
| + int (*compare)(const struct ebt_entry_watcher *w1, |
| + const struct ebt_entry_watcher *w2); |
| const struct option *extra_ops; |
| unsigned int flags; |
| unsigned int option_offset; |
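Review bot: The new comment on `size` in `ebt_u_match` names `struct ebt_match`, while every type used in this struct is `struct ebt_entry_match`. If that is the struct meant, the comment should read `// size of the real match data + sizeof struct ebt_entry_match`. The `size` fields of `ebt_u_watcher` (this hunk) and `ebt_u_target` (next hunk) lose their comment entirely, so it is undocumented whether they include the header struct too. Since `size` presumably drives allocation and copying, stating the convention on all three would be safer. The comment two fields below also has a typo, `occurance` for `occurrence`.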
| @@ -126,14 +146,19 @@ |
| struct ebt_u_target |
| { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| - unsigned int size;// size of the real match data |
| + unsigned int size; |
| void (*help)(void); |
| void (*init)(struct ebt_entry_target *t); |
| - int (*parse)(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, |
| - struct ebt_entry_target **target); |
| - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook); |
| - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_target *target); |
| - int (*compare)(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2); |
| + int (*parse)(int c, char **argv, int argc, |
| + const struct ebt_u_entry *entry, unsigned int *flags, |
| + struct ebt_entry_target **target); |
| + void (*final_check)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target, const char *name, |
| + unsigned int hook); |
| + void (*print)(const struct ebt_u_entry *entry, |
| + const struct ebt_entry_target *target); |
| + int (*compare)(const struct ebt_entry_target *t1, |
| + const struct ebt_entry_target *t2); |
| const struct option *extra_ops; |
| unsigned int option_offset; |
| unsigned int flags; |
| @@ -150,19 +175,21 @@ |
| struct ebt_u_target *find_target(const char *name); |
| struct ebt_u_match *find_match(const char *name); |
| struct ebt_u_watcher *find_watcher(const char *name); |
| -void deliver_counters(struct ebt_u_replace *repl, unsigned short * counterchanges); |
| +void deliver_counters(struct ebt_u_replace *repl, |
| + unsigned short * counterchanges); |
| void deliver_table(struct ebt_u_replace *repl); |
| -void get_sockfd(); |
| void get_dbinfo(struct brdb_dbinfo *nr); |
| void get_db(int len, struct brdb_dbentry *db); |
| void deliver_allowdb(__u16 *decision); |
| -void print_memory(); |
| -void init_extensions(); |
| int getmac(char *from, char *to); |
| void check_option(unsigned int *flags, unsigned int mask); |
| int check_inverse(const char option[]); |
| -#define print_bug(format, args...) {printf("BUG: "format"\n", ##args); exit(-1);} |
| -#define print_error(format, args...) {printf(format"\n", ##args); exit(-1);} |
| +#define print_bug(format, args...) \ |
| + {printf("BUG: "format".\n", ##args); exit(-1);} |
| +#define print_error(format, args...) {printf(format".\n", ##args); exit(-1);} |
| +#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \ |
| + " %d :Out of memory.\n", __LINE__); exit(-1);} |
| + |
| |
| |
| // used for keeping the rule counters right during rule adds or deletes |
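Review bot: `print_bug`, `print_error` and the new `print_memory` expand to a bare `{ ... }` block, so `if (x) print_error("..."); else ...` fails to parse because of the `;` left before `else`. Wrapping each in `do { ... } while (0)` avoids that. `print_memory()` also pastes `__FUNCTION__` between string literals, which only compiles where the compiler treats it as a literal; passing it through `%s` is portable. The messages go to stdout via `printf`, where they mix with rule listings, so `stderr` would keep diagnostics separate, assuming no caller parses them from stdout.

```c
#define print_bug(format, args...) \
	do { fprintf(stderr, "BUG: " format ".\n", ##args); exit(-1); } while (0)
#define print_error(format, args...) \
	do { fprintf(stderr, format ".\n", ##args); exit(-1); } while (0)
#define print_memory() \
	do { fprintf(stderr, "Ebtables: " __FILE__ " %s %d :Out of memory.\n", \
		__FUNCTION__, __LINE__); exit(-1); } while (0)
```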