| --- ebtables-v2.0.2/Makefile Sat Dec 7 13:09:40 2002 |
| +++ ebtables-v2.0.3/Makefile Tue Apr 1 22:12:30 2003 |
| @@ -1,8 +1,8 @@ |
| # ebtables Makefile |
| |
| PROGNAME:=ebtables |
| -PROGVERSION:=2.0.2 |
| -PROGDATE:=December\ 2002 |
| +PROGVERSION:=2.0.3 |
| +PROGDATE:=April\ 2003 |
| |
| MANDIR?=/usr/local/man |
| CFLAGS:=-Wall -Wunused |
| @@ -12,20 +12,13 @@ |
| |
| OBJECTS:=getethertype.o ebtables.o communication.o $(EXT_OBJS) |
| |
| -# Use the option NONSTANDARD=y when you don't want to use the kernel includes |
| -# that are included in this package. You should set KERNEL_INCLUDES to |
| -# the right directory (eg /usr/src/linux/include). |
| -# You should only need this when compiling the CVS or when adding new code. |
| -ifeq ($(NONSTANDARD), y) |
| -KERNEL_INCLUDES?=/usr/include/ |
| -else |
| -KERNEL_INCLUDES:=include/ |
| -endif |
| - |
| -ifeq ($(ETHERTYPESPATH),) |
| -ETHERTYPESPATH:=/etc/ |
| -endif |
| -ETHERTYPESFILE:=$(ETHERTYPESPATH)ethertypes |
| +KERNEL_INCLUDES?=include/ |
| + |
| +ETHERTYPESPATH?=/etc/ |
| +ETHERTYPESFILE:=$(ETHERTYPESPATH)/ethertypes |
| + |
| +BINPATH?=/sbin/ |
| +BINFILE:=$(BINPATH)ebtables |
| |
| PROGSPECS:=-DPROGVERSION=\"$(PROGVERSION)\" \ |
| -DPROGNAME=\"$(PROGNAME)\" \ |
| @@ -57,10 +50,10 @@ |
| |
| .PHONY: exec |
| exec: ebtables |
| - install -m 0755 -o root -g root $< /sbin/ebtables |
| + install -m 0755 -o root -g root $< $(BINFILE) |
| |
| .PHONY: install |
| -install: $(MANDIR)/man8/ebtables.8 ebtables $(ETHERTYPESFILE) exec |
| +install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec |
| |
| .PHONY: clean |
| clean: |
| --- ebtables-v2.0.2/ebtables.c Tue Dec 3 22:52:12 2002 |
| +++ ebtables-v2.0.3/ebtables.c Tue Apr 1 20:08:15 2003 |
| @@ -52,6 +52,8 @@ |
| #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" |
| #endif |
| #define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE" |
| +#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n") |
| + |
| |
| char *hooknames[NF_BR_NUMHOOKS] = |
| { |
| @@ -201,8 +203,10 @@ |
| strcpy(e->logical_out, ""); |
| e->m_list = NULL; |
| e->w_list = NULL; |
| - // the init function of the standard target should have put the verdict |
| - // on CONTINUE |
| + /* |
| + * the init function of the standard target should have put the verdict |
| + * on CONTINUE |
| + */ |
| e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET); |
| if (!e->t) |
| print_bug("Couldn't load standard target"); |
| @@ -293,7 +297,7 @@ |
| merge[num_old + i].val += *options_offset; |
| } |
| memset(merge + num_old + num_new, 0, sizeof(struct option)); |
| - // only free dynamically allocated stuff |
| + /* only free dynamically allocated stuff */ |
| if (oldopts != ebt_original_options) |
| free(oldopts); |
| |
| @@ -398,7 +402,7 @@ |
| char *buf = NULL; |
| char *argv[3]; |
| |
| - // If they don't explicitly set it, read out of kernel |
| + /* If they don't explicitly set it, read out of kernel */ |
| if (!modprobe) { |
| buf = get_modprobe(); |
| if (!buf) |
| @@ -426,6 +430,37 @@ |
| return 0; |
| } |
| |
| +static void list_extensions() |
| +{ |
| + struct ebt_u_table *tbl = tables; |
| + struct ebt_u_target *t = targets; |
| + struct ebt_u_match *m = matches; |
| + struct ebt_u_watcher *w = watchers; |
| + |
| + PRINT_VERSION; |
| + printf("Supported userspace extensions:\n\nSupported tables:\n"); |
| + while(tbl) { |
| + printf("%s\n", tbl->name); |
| + tbl = tbl->next; |
| + } |
| + printf("\nSupported targets:\n"); |
| + while(t) { |
| + printf("%s\n", t->name); |
| + t = t->next; |
| + } |
| + printf("\nSupported matches:\n"); |
| + while(m) { |
| + printf("%s\n", m->name); |
| + m = m->next; |
| + } |
| + printf("\nSupported watchers:\n"); |
| + while(w) { |
| + printf("%s\n", w->name); |
| + w = w->next; |
| + } |
| + exit(0); |
| +} |
| + |
| /* |
| * we use replace.flags, so we can't use the following values: |
| * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO |
| @@ -465,7 +500,7 @@ |
| for (i = 0; i < entries->nentries; i++) { |
| if (replace.flags & LIST_N) { |
| digits = 0; |
| - // A little work to get nice rule numbers. |
| + /* A little work to get nice rule numbers. */ |
| j = i + 1; |
| while (j > 9) { |
| digits++; |
| @@ -776,7 +811,8 @@ |
| struct ebt_u_match_list *m_l; |
| struct ebt_u_watcher_list *w_l; |
| |
| - printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n" |
| + PRINT_VERSION; |
| + printf( |
| "Usage:\n" |
| "ebtables -[ADI] chain rule-specification [options]\n" |
| "ebtables -P chain target\n" |
| @@ -799,7 +835,7 @@ |
| "--atomic-commit : update the kernel w/t table contained in <FILE>\n" |
| "--atomic-init : put the initial kernel table into <FILE>\n" |
| "--atomic-save : put the current kernel table into <FILE>\n" |
| -"--atomic file : set <FILE> to file\n\n" |
| +"--atomic-file file : set <FILE> to file\n\n" |
| "Options:\n" |
| "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" |
| "--src -s [!] address[/mask]: source mac address\n" |
| @@ -1140,7 +1176,7 @@ |
| return -1; |
| } |
| |
| -// execute command A or I |
| +/* execute command A or I */ |
| static void add_rule(int rule_nr) |
| { |
| int i, j; |
| @@ -1301,7 +1337,7 @@ |
| while(j--) { |
| u_e2 = *u_e; |
| *u_e = (*u_e)->next; |
| - // free everything |
| + /* free everything */ |
| free_u_entry(u_e2); |
| free(u_e2); |
| } |
| @@ -1473,14 +1509,20 @@ |
| e = entries->entries; |
| j = 0; |
| while (e) { |
| + int chain_jmp; |
| + |
| j++; |
| if (strcmp(e->t->u.name, EBT_STANDARD_TARGET)) { |
| e = e->next; |
| continue; |
| } |
| - if (((struct ebt_standard_target *)e->t)->verdict == chain_nr) |
| + chain_jmp = ((struct ebt_standard_target *)e->t)->verdict; |
| + if (chain_jmp == chain_nr) |
| print_error("Can't delete the chain, it's referenced " |
| "in chain %s, rule %d", entries->name, j); |
| + /* adjust the chain jumps when necessary */ |
| + if (chain_jmp > chain_nr) |
| + ((struct ebt_standard_target *)e->t)->verdict--; |
| e = e->next; |
| } |
| } |
| @@ -1698,7 +1740,9 @@ |
| if (replace.selected_hook < NF_BR_NUMHOOKS) |
| print_error("You can't remove a standard chain"); |
| /* |
| - * if the chain is referenced, don't delete it |
| + * if the chain is referenced, don't delete it, |
| + * also decrement jumps to a chain behind the |
| + * one we're deleting |
| */ |
| check_for_references(replace.selected_hook - NF_BR_NUMHOOKS); |
| flush_chains(); |
| @@ -1791,7 +1835,7 @@ |
| replace.command = 'V'; |
| if (replace.flags & OPT_COMMAND) |
| print_error("Multiple commands not allowed"); |
| - printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n"); |
| + PRINT_VERSION; |
| exit(0); |
| |
| case 'M': /* modprobe */ |
| @@ -1811,6 +1855,10 @@ |
| struct ebt_u_match *m; |
| struct ebt_u_watcher *w; |
| |
| + if (!strcasecmp("list_extensions", |
| + argv[optind])) |
| + list_extensions(); |
| + |
| if ((m = find_match(argv[optind]))) |
| add_match(m); |
| else if ((w = find_watcher(argv[optind]))) |
| @@ -2034,7 +2082,7 @@ |
| " or equal to 0x0600"); |
| break; |
| |
| - case 4 : // Lc |
| + case 4 : /* Lc */ |
| check_option(&replace.flags, LIST_C); |
| if (replace.command != 'L') |
| print_error("Use --Lc with -L"); |
| @@ -2042,7 +2090,7 @@ |
| print_error("--Lx not compatible with --Lc"); |
| replace.flags |= LIST_C; |
| break; |
| - case 5 : // Ln |
| + case 5 : /* Ln */ |
| check_option(&replace.flags, LIST_N); |
| if (replace.command != 'L') |
| print_error("Use --Ln with -L"); |
| @@ -2050,7 +2098,7 @@ |
| print_error("--Lx not compatible with --Ln"); |
| replace.flags |= LIST_N; |
| break; |
| - case 6 : // Lx |
| + case 6 : /* Lx */ |
| check_option(&replace.flags, LIST_X); |
| if (replace.command != 'L') |
| print_error("Use --Lx with -L"); |
| @@ -2060,7 +2108,7 @@ |
| print_error("--Lx not compatible with --Ln"); |
| replace.flags |= LIST_X; |
| break; |
| - case 8 : // atomic-commit |
| + case 8 : /* atomic-commit */ |
| replace.command = c; |
| if (replace.flags & OPT_COMMAND) |
| print_error("Multiple commands not allowed"); |
| --- ebtables-v2.0.2/communication.c Sat Aug 24 23:01:36 2002 |
| +++ ebtables-v2.0.3/communication.c Tue Apr 1 20:08:23 2003 |
| @@ -5,11 +5,13 @@ |
| * |
| */ |
| |
| -// All the userspace/kernel communication is in this file. |
| -// The other code should not have to know anything about the way the |
| -// kernel likes the structure of the table data. |
| -// The other code works with linked lists, lots of linked lists. |
| -// So, the translation is done here. |
| +/* |
| + * All the userspace/kernel communication is in this file. |
| + * The other code should not have to know anything about the way the |
| + * kernel likes the structure of the table data. |
| + * The other code works with linked lists, lots of linked lists. |
| + * So, the translation is done here. |
| + */ |
| |
| #include <getopt.h> |
| #include <string.h> |
| @@ -54,7 +56,7 @@ |
| new->nentries = u_repl->nentries; |
| new->num_counters = u_repl->num_counters; |
| new->counters = u_repl->counters; |
| - // determine nr of udc |
| + /* determine nr of udc */ |
| i = 0; |
| cl = u_repl->udc; |
| while (cl) { |
| @@ -63,7 +65,7 @@ |
| } |
| i += NF_BR_NUMHOOKS; |
| chain_offsets = (unsigned int *)malloc(i * sizeof(unsigned int)); |
| - // determine size |
| + /* determine size */ |
| i = 0; |
| cl = u_repl->udc; |
| while (1) { |
| @@ -101,7 +103,7 @@ |
| sizeof(struct ebt_entry_target); |
| e = e->next; |
| } |
| - // a little sanity check |
| + /* a little sanity check */ |
| if (j != entries->nentries) |
| print_bug("Wrong nentries: %d != %d, hook = %s", j, |
| entries->nentries, entries->name); |
| @@ -115,7 +117,7 @@ |
| if (!new->entries) |
| print_memory(); |
| |
| - // put everything in one block |
| + /* put everything in one block */ |
| p = new->entries; |
| i = 0; |
| cl = u_repl->udc; |
| @@ -139,7 +141,7 @@ |
| hlp->policy = entries->policy; |
| strcpy(hlp->name, entries->name); |
| hlp->counter_offset = entries->counter_offset; |
| - hlp->distinguisher = 0; // make the kernel see the light |
| + hlp->distinguisher = 0; /* make the kernel see the light */ |
| p += sizeof(struct ebt_entries); |
| e = entries->entries; |
| while (e) { |
| @@ -184,7 +186,7 @@ |
| if (!strcmp(e->t->u.name, EBT_STANDARD_TARGET)) { |
| struct ebt_standard_target *st = |
| (struct ebt_standard_target *)p; |
| - // translate the jump to a udc |
| + /* translate the jump to a udc */ |
| if (st->verdict >= 0) |
| st->verdict = chain_offsets |
| [st->verdict + NF_BR_NUMHOOKS]; |
| @@ -199,7 +201,7 @@ |
| i++; |
| } |
| |
| - // sanity check |
| + /* sanity check */ |
| if (p - new->entries != new->entries_size) |
| print_bug("Entries_size bug"); |
| free(chain_offsets); |
| @@ -212,7 +214,7 @@ |
| int size; |
| FILE *file; |
| |
| - // start from an empty file with right priviliges |
| + /* start from an empty file with right priviliges */ |
| command = (char *)malloc(strlen(filename) + 15); |
| if (!command) |
| print_memory(); |
| @@ -234,7 +236,7 @@ |
| memcpy(data, repl, sizeof(struct ebt_replace)); |
| memcpy(data + sizeof(struct ebt_replace), repl->entries, |
| repl->entries_size); |
| - // initialize counters to zero, deliver_counters() can update them |
| + /* initialize counters to zero, deliver_counters() can update them */ |
| memset(data + sizeof(struct ebt_replace) + repl->entries_size, |
| 0, repl->nentries * sizeof(struct ebt_counter)); |
| if (!(file = fopen(filename, "wb"))) |
| @@ -252,13 +254,13 @@ |
| socklen_t optlen; |
| struct ebt_replace *repl; |
| |
| - // translate the struct ebt_u_replace to a struct ebt_replace |
| + /* translate the struct ebt_u_replace to a struct ebt_replace */ |
| repl = translate_user2kernel(u_repl); |
| if (u_repl->filename != NULL) { |
| store_table_in_file(u_repl->filename, repl); |
| return; |
| } |
| - // give the data to the kernel |
| + /* give the data to the kernel */ |
| optlen = sizeof(struct ebt_replace) + repl->entries_size; |
| get_sockfd(); |
| if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen)) |
| @@ -276,7 +278,10 @@ |
| |
| if (!(file = fopen(filename, "r+b"))) |
| print_error("Could not open file %s", filename); |
| - // find out entries_size and then set the file pointer to the counters |
| + /* |
| + * find out entries_size and then set the file pointer to the |
| + * counters |
| + */ |
| if (fseek(file, (char *)(&hlp.entries_size) - (char *)(&hlp), SEEK_SET) |
| || fread(&entries_size, sizeof(char), sizeof(unsigned int), file) != |
| sizeof(unsigned int) || |
| @@ -291,9 +296,8 @@ |
| fclose(file); |
| } |
| |
| -// gets executed after deliver_table |
| -void |
| -deliver_counters(struct ebt_u_replace *u_repl) |
| +/* gets executed after deliver_table */ |
| +void deliver_counters(struct ebt_u_replace *u_repl) |
| { |
| unsigned short *point; |
| struct ebt_counter *old, *new, *newcounters; |
| @@ -314,21 +318,23 @@ |
| point = counterchanges; |
| while (*point != CNT_END) { |
| if (*point == CNT_NORM) { |
| - // 'normal' rule, meaning we didn't do anything to it |
| - // So, we just copy |
| + /* |
| + *'normal' rule, meaning we didn't do anything to it |
| + * So, we just copy |
| + */ |
| new->pcnt = old->pcnt; |
| - // we've used an old counter |
| + /* we've used an old counter */ |
| old++; |
| - // we've set a new counter |
| + /* we've set a new counter */ |
| new++; |
| } else if (*point == CNT_DEL) { |
| - // don't use this old counter |
| + /* don't use this old counter */ |
| old++; |
| } else if (*point == CNT_ADD) { |
| - // new counter, let it stay 0 |
| + /* new counter, let it stay 0 */ |
| new++; |
| } else { |
| - // zero it (let it stay 0) |
| + /* zero it (let it stay 0) */ |
| old++; |
| new++; |
| } |
| @@ -344,7 +350,7 @@ |
| } |
| optlen = u_repl->nentries * sizeof(struct ebt_counter) + |
| sizeof(struct ebt_replace); |
| - // now put the stuff in the kernel's struct ebt_replace |
| + /* now put the stuff in the kernel's struct ebt_replace */ |
| repl.counters = u_repl->counters; |
| repl.num_counters = u_repl->num_counters; |
| memcpy(repl.name, u_repl->name, sizeof(repl.name)); |
| @@ -406,7 +412,7 @@ |
| int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, |
| unsigned int valid_hooks, char *base) |
| { |
| - // an entry |
| + /* an entry */ |
| if (e->bitmask & EBT_ENTRY_OR_ENTRIES) { |
| struct ebt_u_entry *new; |
| struct ebt_u_match_list **m_l; |
| @@ -417,7 +423,10 @@ |
| if (!new) |
| print_memory(); |
| new->bitmask = e->bitmask; |
| - // plain userspace code doesn't know about EBT_ENTRY_OR_ENTRIES |
| + /* |
| + * plain userspace code doesn't know about |
| + * EBT_ENTRY_OR_ENTRIES |
| + */ |
| new->bitmask &= ~EBT_ENTRY_OR_ENTRIES; |
| new->invflags = e->invflags; |
| new->ethproto = e->ethproto; |
| @@ -447,7 +456,7 @@ |
| "userspace tool", t->u.name); |
| memcpy(new->t, t, t->target_size + |
| sizeof(struct ebt_entry_target)); |
| - // deal with jumps to udc |
| + /* deal with jumps to udc */ |
| if (!strcmp(t->u.name, EBT_STANDARD_TARGET)) { |
| char *tmp = base; |
| int verdict = ((struct ebt_standard_target *)t)->verdict; |
| @@ -468,13 +477,13 @@ |
| } |
| } |
| |
| - // I love pointers |
| + /* I love pointers */ |
| **u_e = new; |
| *u_e = &new->next; |
| (*cnt)++; |
| (*totalcnt)++; |
| return 0; |
| - } else { // a new chain |
| + } else { /* a new chain */ |
| int i; |
| struct ebt_entries *entries = (struct ebt_entries *)e; |
| struct ebt_u_chain_list *cl; |
| @@ -487,8 +496,8 @@ |
| if (valid_hooks & (1 << i)) |
| break; |
| *hook = i; |
| - // makes use of fact that standard chains come before udc |
| - if (i >= NF_BR_NUMHOOKS) { // udc |
| + /* makes use of fact that standard chains come before udc */ |
| + if (i >= NF_BR_NUMHOOKS) { /* udc */ |
| i -= NF_BR_NUMHOOKS; |
| cl = u_repl->udc; |
| while (i-- > 0) |
| @@ -500,7 +509,7 @@ |
| } |
| } |
| |
| -// initialize all chain headers |
| +/* initialize all chain headers */ |
| static int |
| ebt_translate_chains(struct ebt_entry *e, unsigned int *hook, |
| struct ebt_u_replace *u_repl, unsigned int valid_hooks) |
| @@ -514,10 +523,10 @@ |
| for (i = *hook + 1; i < NF_BR_NUMHOOKS; i++) |
| if (valid_hooks & (1 << i)) |
| break; |
| - // makes use of fact that standard chains come before udc |
| - if (i >= NF_BR_NUMHOOKS) { // udc |
| + /* makes use of fact that standard chains come before udc */ |
| + if (i >= NF_BR_NUMHOOKS) { /* udc */ |
| chain_list = &u_repl->udc; |
| - // add in the back |
| + /* add in the back */ |
| while (*chain_list) |
| chain_list = &((*chain_list)->next); |
| *chain_list = (struct ebt_u_chain_list *) |
| @@ -530,8 +539,10 @@ |
| if (!((*chain_list)->udc)) |
| print_memory(); |
| new = (*chain_list)->udc; |
| - // ebt_translate_entry depends on this for knowing |
| - // to which chain is being jumped |
| + /* |
| + * ebt_translate_entry depends on this for knowing |
| + * to which chain is being jumped |
| + */ |
| (*chain_list)->kernel_start = (char *)e; |
| } else { |
| *hook = i; |
| @@ -559,7 +570,9 @@ |
| |
| if (!(file = fopen(filename, "r+b"))) |
| print_error("Could not open file %s", filename); |
| - // make sure table name is right if command isn't -L or --atomic-commit |
| + /* |
| + * make sure table name is right if command isn't -L or --atomic-commit |
| + */ |
| if (command != 'L' && command != 8) { |
| hlp = (char *)malloc(strlen(repl->name) + 1); |
| if (!hlp) |
| @@ -596,7 +609,7 @@ |
| print_memory(); |
| } else |
| repl->counters = NULL; |
| - // copy entries and counters |
| + /* copy entries and counters */ |
| if (fseek(file, sizeof(struct ebt_replace), SEEK_SET) || |
| fread(repl->entries, sizeof(char), repl->entries_size, file) |
| != repl->entries_size || |
| @@ -617,7 +630,7 @@ |
| |
| optlen = sizeof(struct ebt_replace); |
| get_sockfd(); |
| - // --atomic-init || --init-table |
| + /* --atomic-init || --init-table */ |
| if (command == 7 || command == 11) |
| optname = EBT_SO_GET_INIT_INFO; |
| else |
| @@ -635,7 +648,7 @@ |
| else |
| repl->counters = NULL; |
| |
| - // we want to receive the counters |
| + /* we want to receive the counters */ |
| repl->num_counters = repl->nentries; |
| optlen += repl->entries_size + repl->num_counters * |
| sizeof(struct ebt_counter); |
| @@ -658,12 +671,14 @@ |
| strcpy(repl.name, u_repl->name); |
| if (u_repl->filename != NULL) { |
| retrieve_from_file(u_repl->filename, &repl, u_repl->command); |
| - // -L with a wrong table name should be dealt with silently |
| + /* |
| + * -L with a wrong table name should be dealt with silently |
| + */ |
| strcpy(u_repl->name, repl.name); |
| } else if (retrieve_from_kernel(&repl, u_repl->command) == -1) |
| return -1; |
| |
| - // translate the struct ebt_replace to a struct ebt_u_replace |
| + /* translate the struct ebt_replace to a struct ebt_u_replace */ |
| u_repl->valid_hooks = repl.valid_hooks; |
| u_repl->nentries = repl.nentries; |
| u_repl->num_counters = repl.num_counters; |
| @@ -672,10 +687,13 @@ |
| hook = -1; |
| EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_chains, |
| &hook, u_repl, u_repl->valid_hooks); |
| - i = 0; // holds the expected nr. of entries for the chain |
| - j = 0; // holds the up to now counted entries for the chain |
| - k = 0; // holds the total nr. of entries, |
| - // should equal u_repl->nentries afterwards |
| + i = 0; /* holds the expected nr. of entries for the chain */ |
| + j = 0; /* holds the up to now counted entries for the chain */ |
| + /* |
| + * holds the total nr. of entries, |
| + * should equal u_repl->nentries afterwards |
| + */ |
| + k = 0; |
| hook = -1; |
| EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, |
| &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks, repl.entries); |
| --- ebtables-v2.0.2/extensions/ebt_ip.c Thu Oct 17 23:21:16 2002 |
| +++ ebtables-v2.0.3/extensions/ebt_ip.c Tue Apr 1 09:39:24 2003 |
| @@ -2,7 +2,7 @@ |
| * ebtables ebt_ip: IP extension module for userspace |
| * |
| * Authors: |
| - * Bart De Schuymer <bart.de.schuymer@pandora.be> |
| + * Bart De Schuymer <bdschuym@pandora.be> |
| * |
| * Changes: |
| * added ip-sport and ip-dport; parsing of port arguments is |
| @@ -36,7 +36,7 @@ |
| |
| #define IP_SOURCE '1' |
| #define IP_DEST '2' |
| -#define IP_myTOS '3' // include/bits/in.h seems to already define IP_TOS |
| +#define IP_myTOS '3' /* include/bits/in.h seems to already define IP_TOS */ |
| #define IP_PROTO '4' |
| #define IP_SPORT '5' |
| #define IP_DPORT '6' |
| @@ -57,7 +57,7 @@ |
| { 0 } |
| }; |
| |
| -// put the ip string into 4 bytes |
| +/* put the ip string into 4 bytes */ |
| static int undot_ip(char *ip, unsigned char *ip2) |
| { |
| char *p, *q, *end; |
| @@ -87,7 +87,7 @@ |
| return 0; |
| } |
| |
| -// put the mask into 4 bytes |
| +/* put the mask into 4 bytes */ |
| static int ip_mask(char *mask, unsigned char *mask2) |
| { |
| char *end; |
| @@ -95,7 +95,7 @@ |
| uint32_t mask22; |
| |
| if (undot_ip(mask, mask2)) { |
| - // not the /a.b.c.e format, maybe the /x format |
| + /* not the /a.b.c.e format, maybe the /x format */ |
| bits = strtol(mask, &end, 10); |
| if (*end != '\0' || bits > 32 || bits < 0) |
| return -1; |
| @@ -110,12 +110,12 @@ |
| return 0; |
| } |
| |
| -// set the ip mask and ip address |
| +/* set the ip mask and ip address */ |
| void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) |
| { |
| char *p; |
| |
| - // first the mask |
| + /* first the mask */ |
| if ((p = strrchr(address, '/')) != NULL) { |
| *p = '\0'; |
| if (ip_mask(p + 1, (unsigned char *)msk)) |
| @@ -129,7 +129,7 @@ |
| *addr = *addr & *msk; |
| } |
| |
| -// transform the ip mask into a string ready for output |
| +/* transform the ip mask into a string ready for output */ |
| char *mask_to_dotted(uint32_t mask) |
| { |
| int i; |
| @@ -138,14 +138,14 @@ |
| |
| maskaddr = ntohl(mask); |
| |
| - // don't print /32 |
| + /* don't print /32 */ |
| if (mask == 0xFFFFFFFFL) { |
| *buf = '\0'; |
| return buf; |
| } |
| |
| i = 32; |
| - bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with |
| + bits = 0xFFFFFFFEL; /* case 0xFFFFFFFF has just been dealt with */ |
| while (--i >= 0 && maskaddr != bits) |
| bits <<= 1; |
| |
| @@ -154,7 +154,7 @@ |
| else if (!i) |
| *buf = '\0'; |
| else |
| - // mask was not a decent combination of 1's and 0's |
| + /* mask was not a decent combination of 1's and 0's */ |
| sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], |
| ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2], |
| ((unsigned char *)&mask)[3]); |
| @@ -162,7 +162,7 @@ |
| return buf; |
| } |
| |
| -// transform a protocol and service name into a port number |
| +/* transform a protocol and service name into a port number */ |
| static uint16_t parse_port(const char *protocol, const char *name) |
| { |
| struct servent *service; |
| @@ -313,10 +313,19 @@ |
| ipinfo->invflags |= EBT_IP_PROTO; |
| if (optind > argc) |
| print_error("Missing IP protocol argument"); |
| - i = strtol(argv[optind - 1], &end, 10); |
| - if (i < 0 || i > 255 || *end != '\0') |
| - print_error("Problem with specified IP protocol"); |
| - ipinfo->protocol = i; |
| + (unsigned char) i = strtoul(argv[optind - 1], &end, 10); |
| + if (*end != '\0') { |
| + struct protoent *pe; |
| + |
| + pe = getprotobyname(argv[optind - 1]); |
| + if (pe == NULL) |
| + print_error |
| + ("Unknown specified IP protocol - %s", |
| + argv[optind - 1]); |
| + ipinfo->protocol = pe->p_proto; |
| + } else { |
| + ipinfo->protocol = (unsigned char) i; |
| + } |
| ipinfo->bitmask |= EBT_IP_PROTO; |
| break; |
| default: |
| @@ -335,13 +344,13 @@ |
| print_error("For IP filtering the protocol must be " |
| "specified as IPv4"); |
| |
| - if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && |
| - (!ipinfo->bitmask & EBT_IP_PROTO || |
| - ipinfo->invflags & EBT_IP_PROTO || |
| - (ipinfo->protocol!=IPPROTO_TCP && |
| - ipinfo->protocol!=IPPROTO_UDP))) |
| - print_error("For port filtering the IP protocol must be " |
| - "either 6 (tcp) or 17 (udp)"); |
| + if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && |
| + (!(ipinfo->bitmask & EBT_IP_PROTO) || |
| + ipinfo->invflags & EBT_IP_PROTO || |
| + (ipinfo->protocol!=IPPROTO_TCP && |
| + ipinfo->protocol!=IPPROTO_UDP))) |
| + print_error("For port filtering the IP protocol must be " |
| + "either 6 (tcp) or 17 (udp)"); |
| } |
| |
| static void print(const struct ebt_u_entry *entry, |
| @@ -375,10 +384,17 @@ |
| printf("0x%02X ", ipinfo->tos); |
| } |
| if (ipinfo->bitmask & EBT_IP_PROTO) { |
| + struct protoent *pe; |
| + |
| printf("--ip-proto "); |
| if (ipinfo->invflags & EBT_IP_PROTO) |
| printf("! "); |
| - printf("%d ", ipinfo->protocol); |
| + pe = getprotobynumber(ipinfo->protocol); |
| + if (pe == NULL) { |
| + printf("%d ", ipinfo->protocol); |
| + } else { |
| + printf("%s ", pe->p_name); |
| + } |
| } |
| if (ipinfo->bitmask & EBT_IP_SPORT) { |
| printf("--ip-sport "); |
| @@ -427,11 +443,13 @@ |
| return 0; |
| } |
| if (ipinfo1->bitmask & EBT_IP_SPORT) { |
| - if (ipinfo1->sport != ipinfo2->sport) |
| + if (ipinfo1->sport[0] != ipinfo2->sport[0] || |
| + ipinfo1->sport[1] != ipinfo2->sport[1]) |
| return 0; |
| } |
| if (ipinfo1->bitmask & EBT_IP_DPORT) { |
| - if (ipinfo1->dport != ipinfo2->dport) |
| + if (ipinfo1->dport[0] != ipinfo2->dport[0] || |
| + ipinfo1->dport[1] != ipinfo2->dport[1]) |
| return 0; |
| } |
| return 1; |
| --- ebtables-v2.0.2/extensions/ebt_arp.c Fri Nov 22 20:43:47 2002 |
| +++ ebtables-v2.0.3/extensions/ebt_arp.c Fri Jan 10 00:20:17 2003 |
| @@ -23,7 +23,7 @@ |
| }; |
| |
| #define NUMOPCODES 9 |
| -// a few names |
| +/* a few names */ |
| static char *opcodes[] = |
| { |
| "Request", |
| @@ -64,7 +64,7 @@ |
| arpinfo->bitmask = 0; |
| } |
| |
| -// defined in ebt_ip.c |
| +/* defined in ebt_ip.c */ |
| void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk); |
| |
| #define OPT_OPCODE 0x01 |
| @@ -188,7 +188,7 @@ |
| "specified as ARP or RARP"); |
| } |
| |
| -// defined in the ebt_ip.c |
| +/* defined in the ebt_ip.c */ |
| char *mask_to_dotted(uint32_t mask); |
| |
| static void print(const struct ebt_u_entry *entry, |
| --- ebtables-v2.0.2/extensions/ebt_log.c Sat Aug 24 15:26:34 2002 |
| +++ ebtables-v2.0.3/extensions/ebt_log.c Fri Jan 10 00:21:41 2003 |
| @@ -5,16 +5,18 @@ |
| #include "../include/ebtables_u.h" |
| #include <linux/netfilter_bridge/ebt_log.h> |
| |
| -// copied from syslog.h |
| -// used for the LOG target |
| -#define LOG_EMERG 0 // system is unusable |
| -#define LOG_ALERT 1 // action must be taken immediately |
| -#define LOG_CRIT 2 // critical conditions |
| -#define LOG_ERR 3 // error conditions |
| -#define LOG_WARNING 4 // warning conditions |
| -#define LOG_NOTICE 5 // normal but significant condition |
| -#define LOG_INFO 6 // informational |
| -#define LOG_DEBUG 7 // debug-level messages |
| +/* |
| + * copied from syslog.h |
| + * used for the LOG target |
| + */ |
| +#define LOG_EMERG 0 /* system is unusable */ |
| +#define LOG_ALERT 1 /* action must be taken immediately */ |
| +#define LOG_CRIT 2 /* critical conditions */ |
| +#define LOG_ERR 3 /* error conditions */ |
| +#define LOG_WARNING 4 /* warning conditions */ |
| +#define LOG_NOTICE 5 /* normal but significant condition */ |
| +#define LOG_INFO 6 /* informational */ |
| +#define LOG_DEBUG 7 /* debug-level messages */ |
| |
| #define LOG_DEFAULT_LEVEL LOG_INFO |
| |
| @@ -41,7 +43,7 @@ |
| for (i = 0; i < 8; i++) |
| if (!strcmp(arg, eight_priority[i].c_name)) |
| return eight_priority[i].c_val; |
| - // return bad loglevel |
| + /* return bad loglevel */ |
| return 9; |
| } |
| |
| --- ebtables-v2.0.2/extensions/ebt_mark_m.c Sat Aug 24 15:26:34 2002 |
| +++ ebtables-v2.0.3/extensions/ebt_mark_m.c Fri Jan 10 00:22:15 2003 |
| @@ -9,7 +9,7 @@ |
| |
| static struct option opts[] = |
| { |
| - { "mark" , required_argument, 0, MARK }, |
| + { "mark", required_argument, 0, MARK }, |
| { 0 } |
| }; |
| |
| --- ebtables-v2.0.2/THANKS Sat Jun 1 21:24:51 2002 |
| +++ ebtables-v2.0.3/THANKS Tue Apr 1 20:15:15 2003 |
| @@ -1,4 +1,4 @@ |
| -Thanks go out to: |
| +Special thanks go out to these early contributors: |
| |
| Lennert Buytenhek |
| Rusty Russel |
| --- ebtables-v2.0.2/ChangeLog Tue Dec 3 23:00:45 2002 |
| +++ ebtables-v2.0.3/ChangeLog Tue Apr 1 20:07:24 2003 |
| @@ -1,3 +1,10 @@ |
| +20030402 |
| + * fixed check bug in ebt_ip.c (report from |
| + joe_judge_at_guardium.com). |
| +20030111 |
| + * fixed problem when removing a chain (report from |
| + ykphuah_at_greenpacket.com). |
| + * Added --help list_extensions which, well, lists the extensions |
| 20021203 |
| * changed the way to use the atomic operations. It's now possible |
| to use the EBTABLES_ATOMIC_FILE environment variable, so it's no |
| --- ebtables-v2.0.2/ebtables.8 Sat Dec 7 13:42:58 2002 |
| +++ ebtables-v2.0.3/ebtables.8 Tue Apr 1 20:15:04 2003 |
| @@ -1,8 +1,11 @@ |
| -.TH EBTABLES 8 "03 December 2002" |
| +.TH EBTABLES 8 "15 March 2003" |
| .\" |
| .\" Man page written by Bart De Schuymer <bdschuym@pandora.be> |
| .\" It is based on the iptables man page. |
| .\" |
| +.\" The man page was edited by |
| +.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net > |
| +.\" |
| .\" Iptables page by Herve Eychenne March 2000. |
| .\" |
| .\" This program is free software; you can redistribute it and/or modify |
| @@ -23,46 +26,61 @@ |
| .SH NAME |
| ebtables (v.2.0) \- Ethernet bridge frame table administration |
| .SH SYNOPSIS |
| -.BR "ebtables -[ADI] " "chain rule-specification " [ options ] |
| +.BR "ebtables [-t table] -[ADI] " "chain rule-specification [match-extensions] [watcher-extensions] TARGET" |
| +.br |
| +.BR "ebtables [-t table] -P " "chain " "ACCEPT | DROP | RETURN" |
| .br |
| -.BR "ebtables -P " "chain target" |
| +.BR "ebtables [-t table] -F [" "chain" "]" |
| .br |
| -.BR "ebtables -[FLZ] [" "chain" "]" |
| +.BR "ebtables [-t table] -Z [" "chain" "]" |
| .br |
| -.BR "ebtables -[NX] " chain |
| +.BR "ebtables [-t table] -L [-Z] [" chain "] [ [" --Ln "] [" --Lc "] ] " | " [" --Lx "]" |
| .br |
| -.BR "ebtables -E " "old-chain-name new-chain-name" |
| +.BR "ebtables [-t table] -[NX] " chain |
| .br |
| -.BR "ebtables --init-table" |
| +.BR "ebtables [-t table] -E " "old-chain-name new-chain-name" |
| .br |
| -.BR "ebtables --atomic-init " |
| +.BR "ebtables [-t table] --init-table" |
| .br |
| -.BR "ebtables --atomic-save " |
| +.BR "ebtables [-t table] [--atomic-file file] --atomic-commit |
| .br |
| -.BR "ebtables --atomic-commit " |
| +.BR "ebtables [-t table] [--atomic-file file] --atomic-init" |
| +.br |
| +.BR "ebtables [-t table] [--atomic-file file] --atomic-save" |
| .br |
| .SH DESCRIPTION |
| .B ebtables |
| -is used to set up, maintain, and inspect the tables of Ethernet frame |
| -rules in the Linux kernel. It works analogous as iptables, but is less |
| -complicated. This man page is written with the man page of iptables |
| -next to it, so don't be surprised to see copied sentences and structure. |
| +is a user space tool, it is used to set up and maintain the |
| +tables of Ethernet frame rules in the Linux kernel. These rules inspect |
| +the Ethernet frames which they see. |
| +.B ebtables |
| +is analogous to the |
| +.B iptables |
| +user space tool, but |
| +.B ebtables |
| +is less complicated. |
| |
| -There are three tables with built-in chains. Each chain is a list |
| -of rules which can match frames: each rule specifies what to do with a |
| -frame which matches. This is called a 'target'. The tables are used to |
| -divide functionality into different sets of chains. |
| +.SS CHAINS |
| +There are three Ethernet frame tables with built-in chains in the |
| +Linux kernel. The kernel tables are used to divide functionality into |
| +different sets of rules. Each set of rules is called a chain. |
| +Each chain is an ordered list of rules that can match Ethernet frames. If a |
| +rule matches an Ethernet frame, then a processing specification tells |
| +what to do with that matching frame. The processing specification is |
| +called a 'target'. However, if the frame does not match the current |
| +rule in the chain, then the next rule in the chain is examined and so forth. |
| +The user can create new (user-defined) chains which can be used as the 'target' of a rule. |
| |
| .SS TARGETS |
| -A firewall rule specifies criteria for a frame, and a target. If the |
| -frame does not match, the next rule in the chain is the examined one; if |
| -it does match, then the next thing to do is specified by the target. |
| -This target can be one of these values: |
| +A firewall rule specifies criteria for an Ethernet frame and a frame |
| +processing specification called a target. When a frame matches a rule, |
| +then the next action performed by the kernel is specified by the target. |
| +The target can be one of these values: |
| .IR ACCEPT , |
| .IR DROP , |
| .IR CONTINUE , |
| .IR RETURN , |
| -an extention. |
| +an 'extension' (see below) or a user-defined chain. |
| .PP |
| .I ACCEPT |
| means to let the frame through. |
| @@ -74,26 +92,36 @@ |
| .I RETURN |
| means stop traversing this chain and resume at the next rule in the |
| previous (calling) chain. |
| -For the |
| -other targets see the |
| +For the extension targets please see the |
| .B "TARGET EXTENSIONS" |
| -section. |
| +section of this man page. |
| .SS TABLES |
| -There are three tables. |
| +As stated earlier, there are three Ethernet frame tables in the Linux |
| +kernel. The tables are |
| +.BR filter ", " nat " and " broute . |
| +Of these three tables, |
| +the filter table is the default table that the |
| +.B ebtables |
| +command operates on. |
| +If you are working with the filter table, then you can drop the '-t filter' |
| +argument to the ebtables command. However, you will need to provide |
| +the -t argument for the other two tables. The -t argument must be the |
| +first argument on the ebtables command line, if used. |
| .TP |
| .B "-t, --table" |
| -This option specifies the frame matching table which the command should |
| -operate on. If specified it should be the first option. The tables are: |
| +.br |
| .BR filter , |
| -this is the default table and contains three chains: |
| +is the default table and contains three built-in chains: |
| .B INPUT |
| (for frames destined for the bridge itself), |
| .B OUTPUT |
| (for locally-generated frames) and |
| .B FORWARD |
| (for frames being bridged). |
| +.br |
| +.br |
| .BR nat , |
| -this table is used to change the mac addresses and contains three chains: |
| +is used to change the mac addresses and contains three built-in chains: |
| .B PREROUTING |
| (for altering frames as soon as they come in), |
| .B OUTPUT |
| @@ -104,30 +132,38 @@ |
| PREFORWARDING and POSTFORWARDING, but for all those who come from the |
| .BR iptables " world to " ebtables |
| it is easier to have the same names. |
| +.br |
| +.br |
| .BR broute , |
| -this table is used to make a brouter, it has one chain: |
| +is used to make a brouter, it has one built-in chain: |
| .BR BROUTING . |
| The targets |
| .BR DROP " and " ACCEPT |
| -have special meaning in this table. |
| +have special meaning in the broute table. |
| .B DROP |
| actually means the frame has to be routed, while |
| .B ACCEPT |
| means the frame has to be bridged. The |
| .B BROUTING |
| chain is traversed very early. It is only traversed by frames entering on |
| -a bridge enslaved nic that is in forwarding state. Normally those frames |
| +a bridge enslaved NIC that is in forwarding state. Normally those frames |
| would be bridged, but you can decide otherwise here. The |
| .B redirect |
| target is very handy here. |
| -.SH OPTIONS |
| -The options can be divided into several different groups. |
| +.SH EBTABLES COMMAND LINE ARGUMENTS |
| +After the initial ebtables -t, table command line argument, the remaining |
| +arguments can be divided into several different groups. These groups |
| +are commands, miscellaneous commands, rule-specifications, match-extensions, |
| +and watcher-extensions. |
| .SS COMMANDS |
| -These options specify the specific actions to perform; only one of them |
| -can be specified on the command line (the |
| -.B -Z |
| -command is an exception). All these options only apply to the selected |
| -(or default) table. |
| +The ebtables command arguments specify the actions to perform on the table |
| +defined with the -t argument. If you do not use the -t argument to name |
| +a table, the commands apply to the default filter table. |
| +With the exception of both the |
| +.B "-Z" |
| +and |
| +.B "--atomic-file" |
| +commands, only one command may be used on the command line at a time. |
| .TP |
| .B "-A, --append" |
| Append a rule to the end of the selected chain. |
| @@ -139,71 +175,119 @@ |
| the complete rule as it would have been specified when it was added. |
| .TP |
| .B "-I, --insert" |
| -Insert the specified rule into the selected chain at the specified rule number (1 meaning |
| -the head of the chain). |
| +Insert the specified rule into the selected chain at the specified rule number. |
| +The number one, 1, means the head of the chain. |
| +.TP |
| +.B "-P, --policy" |
| +Set the policy for the chain to the given target. The policy can be |
| +.BR ACCEPT ", " DROP " or " RETURN . |
| +.TP |
| +.B "-F, --flush" |
| +Flush the selected chain. If no chain is selected, then every chain will be |
| +flushed. Flushing the chain does not change the policy of the |
| +chain, however. |
| +.TP |
| +.B "-Z, --zero" |
| +Set the counters of the selected chain to zero. If no chain is selected, all the counters |
| +are set to zero. The |
| +.B "-Z" |
| +command can be used in conjunction with the |
| +.B "-L" |
| +command. |
| +When both the |
| +.B "-Z" |
| +and |
| +.B "-L" |
| +commands are used together in this way, the rule counters are printed on the screen |
| +before they are set to zero. |
| .TP |
| .B "-L, --list" |
| List all rules in the selected chain. If no chain is selected, all chains |
| are listed. |
| .br |
| -The following three options change the output: |
| +The following three options change the output of the |
| +.B "-L" |
| +list command: |
| .br |
| .B "--Ln" |
| .br |
| -Puts rule numbers in front of every rule. |
| +Places the rule number in front of every rule. |
| .br |
| .B "--Lc" |
| .br |
| -Shows the counters at the end of every rule, there is a frame counter |
| -(pcnt) and a byte counter (bcnt). |
| +Shows the counters at the end of each rule displayed by the |
| +.B "-L" |
| +command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed. |
| .br |
| .B "--Lx" |
| .br |
| -The output is directly usable as executable commands in a script, to be |
| -run f.e. at bootup. This option is incompatible with the previous two |
| -options. When no chain name was specified for the |
| +The output of the |
| +.B "--Lx" |
| +option may be used to create a set of |
| +.B ebtables |
| +commands. You may use this set of commands in an |
| +.B ebtables |
| +boot or reload |
| +script. For example the output could be used at system startup. |
| +The |
| +.B "--Lx" |
| +option is incompatible with both of the other |
| +.B "--Ln" |
| +and |
| +.B "--Lc" |
| +chain listing options, |
| +.B "-L." |
| +All necessary |
| +.B ebtables |
| +commands for making the current list of |
| +user-defined chains in the kernel and any commands issued by the user to |
| +rename the standard |
| +.B ebtables |
| +chains will be listed, when no chain name is |
| +supplied for the |
| .B "-L" |
| -command, all necessary commands for making the user defined chains and |
| -renaming the standard chains will be made. |
| -.TP |
| -.B "-F, --flush" |
| -Flush the selected chain. If no chain is selected, every chain will be |
| -flushed. This does not change the policy of the chain. |
| -.TP |
| -.B "--init-table" |
| -Replace the current table data by the initial table data. |
| -.TP |
| -.B "-Z, --zero" |
| -Put the counters of the selected chain on zero. If no chain is selected, all the counters |
| -are put on zero. This can be used in conjunction with the -L command (see above). |
| -This will cause the rule counters to be printed on the screen before they are put on zero. |
| -.TP |
| -.B "-P, --policy" |
| -Set the policy for the chain to the given target. The policy can be |
| -.BR ACCEPT ", " DROP " or " RETURN . |
| +command while using the |
| +.B "-Lx" |
| +option. |
| .TP |
| .B "-N, --new-chain" |
| -Create a new user-defined chain by the given name. The number of |
| -user-defined chains is unlimited. A chain name has max length of 31. |
| +Create a new user-defined chain with the given name. The number of |
| +user-defined chains is unlimited. A user-defined chain name has maximum |
| +length of 31 characters. |
| .TP |
| .B "-X, --delete-chain" |
| -Delete the specified user-defined chain. There must be no references to the |
| -chain, |
| +Delete the specified user-defined chain. There must be no remaining references |
| +to the to be deleted chain. Otherwise, |
| .B ebtables |
| will complain if there are. |
| .TP |
| .B "-E, --rename-chain" |
| -Rename the specified chain to the new name. This has no effect on the |
| -structure of the table. It is also allowed to rename a base chain, f.e. |
| -if you like PREBRIDGING more than PREROUTING. Be sure to talk about the |
| -standard chain names when you would ask a question on a mailing list. |
| +Rename the specified chain to a new name. Besides renaming a user-defined |
| +chain, you may rename a standard chain name to a name that suits your |
| +taste. For example, if you like PREBRIDGING more than PREROUTING, |
| +then you can use the -E command to rename the PREROUTING chain. If you do |
| +rename one of the standard |
| +.B ebtables |
| +chain names, please be sure to mention |
| +this fact should you post a question on the |
| +.B ebtables |
| +mailing lists. |
| +It would be wise to use the standard name in your post. Renaming a standard |
| +.B ebtables |
| +chain in this fashion has no effect on the structure or function |
| +of the |
| +.B ebtables |
| +kernel table. |
| +.TP |
| +.B "--init-table" |
| +Replace the current table data by the initial table data. |
| .TP |
| .B "--atomic-init" |
| Copy the kernel's initial data of the table to the specified |
| file. This can be used as the first action, after which rules are added |
| to the file. The file can be specified using the |
| .B --atomic-file |
| -option or through the |
| +command or through the |
| .IR EBTABLES_ATOMIC_FILE " environment variable." |
| .TP |
| .B "--atomic-save" |
| @@ -211,30 +295,81 @@ |
| file. This can be used as the first action, after which rules are added |
| to the file. The file can be specified using the |
| .B --atomic-file |
| -option or through the |
| +command or through the |
| .IR EBTABLES_ATOMIC_FILE " environment variable." |
| .TP |
| .B "--atomic-commit" |
| Replace the kernel table data with the data contained in the specified |
| -file. This is a useful command that allows you to put all your rules of a |
| +file. This is a useful command that allows you to load all your rules of a |
| certain table into the kernel at once, saving the kernel a lot of precious |
| time and allowing atomic updates of the tables. The file which contains |
| the table data is constructed by using either the |
| .B "--atomic-init" |
| or the |
| .B "--atomic-save" |
| -command to get a starting file. After that, using the |
| +command to generate a starting file. After that, using the |
| .B "--atomic-file" |
| -option when constructing rules or setting the |
| +command when constructing rules or setting the |
| .IR EBTABLES_ATOMIC_FILE " environment variable" |
| allows you to extend the file and build the complete table before |
| -commiting it to the kernel. |
| +committing it to the kernel. |
| +.TP |
| +.B "--atomic-file -Z" |
| +The counters stored in a file with, say, |
| +.B "--atomic-init" |
| +can be optionally zeroed by supplying the |
| +.B "-Z" |
| +command. You may also zero the counters by setting the |
| +.IR EBTABLES_ATOMIC_FILE " environment variable." |
| + |
| +.SS MISCELLANOUS COMMANDS |
| +.TP |
| +.B "-V, --version" |
| +Show the version of the ebtables userspace program. |
| +.TP |
| +.B "-h, --help" |
| +Give a brief description of the command syntax. Here you can also specify |
| +names of extensions and |
| +.B ebtables |
| +will try to write help about those extensions. E.g. ebtables -h snat log ip arp. |
| +Specify |
| +.I list_extensions |
| +to list all extensions supported by the userspace |
| +utility. |
| +.TP |
| +.BR "-j, --jump " "\fItarget\fP" |
| +The target of the rule. This is one of the following values: |
| +.BR ACCEPT , |
| +.BR DROP , |
| +.BR CONTINUE , |
| +.BR RETURN , |
| +a target extension (see |
| +.BR "TARGET EXTENSIONS" ")" |
| +or a user-defined chain name. |
| +.TP |
| +.B --atomic-file file |
| +Let the command operate on the specified file. The data of the table to |
| +operate on will be extracted from the file and the result of the operation |
| +will be saved back into the file. If specified, this option should come |
| +before the command specification. An alternative that should be preferred, |
| +is setting the |
| +.IR EBTABLES_ATOMIC_FILE " environment variable." |
| +.TP |
| +.B -M, --modprobe program |
| +When talking to the kernel, use this program to try to automatically load |
| +missing kernel modules. |
| + |
| .SS |
| -PARAMETERS |
| -The following parameters make up a rule specification (as used in the add |
| -and delete commands). A "!" argument before the specification inverts the |
| -test for that specification. Apart from these standard parameters, there are others, see |
| -.BR "MATCH EXTENSIONS" . |
| +RULE-SPECIFICATIONS |
| +The following command line arguments make up a rule specification (as used |
| +in the add and delete commands). A "!" option before the specification |
| +inverts the test for that specification. Apart from these standard rule |
| +specifications there are some other command line arguments of interest. |
| +See both the |
| +.BR "MATCH-EXTENSIONS" |
| +and the |
| +.BR "WATCHER-EXTENSION(S)" |
| +below. |
| .TP |
| .BR "-p, --protocol " "[!] \fIprotocol\fP" |
| The protocol that was responsible for creating the frame. This can be a |
| @@ -305,7 +440,7 @@ |
| .TP |
| .BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" |
| The source mac address. Both mask and address are written as 6 hexadecimal |
| -numbers seperated by colons. Alternatively one can specify Unicast, |
| +numbers separated by colons. Alternatively one can specify Unicast, |
| Multicast or Broadcast. |
| .br |
| Unicast=00:00:00:00:00:00/01:00:00:00:00:00, |
| @@ -320,45 +455,36 @@ |
| .B --dst |
| is an alias for this option. |
| |
| -.SS OTHER OPTIONS |
| +.SS MATCH-EXTENSIONS |
| +.B ebtables |
| +extensions are precompiled into the userspace tool. So there is no need |
| +to explicitly load them with a -m option like in |
| +.BR iptables . |
| +However, these |
| +extensions deal with functionality supported by supplemental kernel modules. |
| +.SS arp |
| +Specify arp fields. These will only work if the protocol equals |
| +.BR ARP " or " RARP . |
| .TP |
| -.B "-V, --version" |
| -Show the version of the userprogram. |
| +.BR "--arp-opcode " "[!] \fIopcode\fP" |
| +The (r)arp opcode (decimal or a string, for more details see |
| +.BR "ebtables -h arp" ). |
| .TP |
| -.B "-h, --help" |
| -Give a brief description of the command syntax. Here you can also specify |
| -names of extensions and |
| -.B ebtables |
| -will try to write help about those extensions. E.g. ebtables -h snat log ip arp. |
| +.BR "--arp-htype " "[!] \fIhardware type\fP" |
| +The hardware type, this can be a decimal or the string "Ethernet". This |
| +is normally Ethernet (value 1). |
| .TP |
| -.BR "-j, --jump " "\fItarget\fP" |
| -The target of the rule. This is one of the following values: |
| -.BR ACCEPT , |
| -.BR DROP , |
| -.BR CONTINUE , |
| -.BR RETURN , |
| -a target extension (see |
| -.BR "TARGET EXTENSIONS" ")" |
| -or a user defined chain name. |
| +.BR "--arp-ptype " "[!] \fIprotocol type\fP" |
| +The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4"). |
| +This is normally IPv4 (0x0800). |
| .TP |
| -.B --atomic-file file |
| -Let the command operate on the specified file. The data of the table to |
| -operate on will be extracted from the file and the result of the operation |
| -will be saved back into the file. If specified, this option should come |
| -before the command specification. An alternative that should be preferred, |
| -is setting the |
| -.BR EBTABLES_ATOMIC_FILE "environment variable." |
| +.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]" |
| +The ARP IP source address specification. |
| .TP |
| -.B -M, --modprobe program |
| -When talking to the kernel, use this program to try to automatically load |
| -missing kernel modules. |
| -.SH MATCH EXTENSIONS |
| -.B ebtables |
| -extensions are precompiled into the userspace tool. So there is no need |
| -to explicitly load them with a -m option like in iptables. However, these |
| -extensions deal with functionality supported by supplemental kernel modules. |
| +.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]" |
| +The ARP IP destination address specification. |
| .SS ip |
| -Specify ip specific fields. These will only work if the protocol equals |
| +Specify ip fields. These will only work if the protocol equals |
| .BR IPv4 . |
| .TP |
| .BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]" |
| @@ -395,59 +521,38 @@ |
| 17 (UDP). The flag |
| .B --ip-dport |
| is an alias for this option. |
| -.SS arp |
| -Specify arp specific fields. These will only work if the protocol equals |
| -.BR ARP " or " RARP . |
| -.TP |
| -.BR "--arp-opcode " "[!] \fIopcode\fP" |
| -The (r)arp opcode (decimal or a string, for more details see |
| -.BR "ebtables -h arp" ). |
| -.TP |
| -.BR "--arp-htype " "[!] \fIhardware type\fP" |
| -The hardware type, this can be a decimal or the string "Ethernet". This |
| -is normally Ethernet (value 1). |
| -.TP |
| -.BR "--arp-ptype " "[!] \fIprotocol type\fP" |
| -The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4"). |
| -This is normally IPv4 (0x0800). |
| -.TP |
| -.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]" |
| -The ARP IP source address specification. |
| +.SS mark_m |
| .TP |
| -.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]" |
| -The ARP IP destination address specification. |
| +.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]" |
| +Matches frames with the given unsigned mark value. If a mark value and |
| +mask is specified, the logical AND of the mark value of the frame and |
| +the user-specified mask is taken before comparing it with the user-specified |
| +mark value. If only a mask is specified (start with '/') the logical AND |
| +of the mark value of the frame and the user-specified mark is taken and |
| +the result is compared with zero. |
| .SS vlan |
| -Specify 802.1Q Tag Control Information fields. These will only work if the protocol equals |
| -.BR 802_1Q. |
| -Also see extension help by |
| -.BR "ebtables -h vlan" . |
| +Specify 802.1Q Tag Control Information fields. |
| +The protocol rule specification (frame type) should be set to |
| +.BR 802_1Q " (0x8100)." |
| .TP |
| .BR "--vlan-id " "[!] \fIid\fP" |
| -The VLAN identifier field, VID (decimal number from 0 to 4094). |
| +The VLAN identifier field (VID). Decimal number from 0 to 4095. |
| .TP |
| .BR "--vlan-prio " "[!] \fIprio\fP" |
| -The user_priority field, this can be a decimal number from 0 to 7. |
| -Required VID to be 0 (null VID) or not specified vlan-id parameter (in this case VID deliberately be set to 0). |
| +The user_priority field. Decimal number from 0 to 7. |
| +The VID should be set to 0 ("null VID") or unspecified |
| +(for this case the VID is deliberately set to 0). |
| .TP |
| .BR "--vlan-encap " "[!] \fItype\fP" |
| -The encapsulated Ethernet frame type/length, this can be a hexadecimal |
| -number from 0x0000 to 0xFFFF. |
| -Usually it's 0x0800 (IPv4). See also |
| -.B /etc/ethertypes |
| -file. |
| -.SS mark_m |
| -.TP |
| -.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]" |
| -Matches frames with the given unsigned mark value. If a mark value and |
| -mask is specified, the logical AND of the mark value of the frame and |
| -the user specified mask is taken before comparing with the user specified |
| -mark value. If only a mask is specified (start with '/') the logical AND |
| -of the mark value of the frame and the user specified mark is taken and |
| -the result is compared with zero. |
| +The encapsulated Ethernet frame type/length. |
| +Specified as hexadecimal |
| +number from 0x0000 to 0xFFFF or as a symbolic name |
| +from |
| +.BR /etc/ethertypes . |
| |
| -.SH WATCHER EXTENSION(S) |
| +.SS WATCHER-EXTENSION(S) |
| Watchers are things that only look at frames passing by. These watchers only |
| -see the frame if the frame passes all the matches of the rule. |
| +see the frame if the frame matches the rule. |
| .SS log |
| The fact that the log module is a watcher lets us log stuff while giving a target |
| by choice. Note that the log module therefore is not a target. |
| @@ -477,31 +582,7 @@ |
| will log the (r)arp information when a frame made by the (r)arp protocols |
| matches the rule. The default is no (r)arp information logging. |
| .SS TARGET EXTENSIONS |
| -.TP |
| -.B snat |
| -The |
| -.B snat |
| -target can only be used in the |
| -.BR POSTROUTING " chain of the " nat " table." |
| -It specifies that the source mac address has to be changed. |
| -.br |
| -.BR "--to-source " "\fIaddress\fP" |
| -.br |
| -The flag |
| -.B --to-src |
| -is an alias for this option. |
| -.br |
| -.BR "--snat-target " "\fItarget\fP" |
| -.br |
| -Specifies the standard target. After doing the snat, the rule still has |
| -to give a standard target so |
| -.B ebtables |
| -knows what to do. |
| -The default target is ACCEPT. Making it CONTINUE could let you use |
| -multiple target extensions on the same frame. Making it DROP doesn't |
| -make sense, but you could do that too. RETURN is also allowed. Note |
| -that using RETURN in a base chain is not allowed. |
| -.TP |
| +.SS |
| .B dnat |
| The |
| .B dnat |
| @@ -509,25 +590,45 @@ |
| .BR BROUTING " chain of the " broute " table and the " |
| .BR PREROUTING " and " OUTPUT " chains of the " nat " table." |
| It specifies that the destination mac address has to be changed. |
| -.br |
| +.TP |
| .BR "--to-destination " "\fIaddress\fP" |
| .br |
| The flag |
| .B --to-dst |
| is an alias for this option. |
| -.br |
| +.TP |
| .BR "--dnat-target " "\fItarget\fP" |
| .br |
| Specifies the standard target. After doing the dnat, the rule still has to |
| give a standard target so |
| .B ebtables |
| knows what to do. |
| -The default target is ACCEPT. Making it CONTINUE could let you use |
| +The default target is ACCEPT. Making it CONTINUE could let you use |
| multiple target extensions on the same frame. Making it DROP only makes |
| sense in the BROUTING chain but using the redirect target is more logical |
| there. RETURN is also allowed. Note |
| that using RETURN in a base chain is not allowed. |
| +.SS |
| +.B mark |
| +The mark target can be used in every chain of every table. It is possible |
| +to use the marking of a frame/packet in both ebtables and iptables, |
| +if the br-nf code is compiled into the kernel. Both put the marking at the |
| +same place. So, you can consider this fact as a feature, or as something to |
| +watch out for. |
| +.TP |
| +.BR "--set-mark " "\fIvalue\fP" |
| +.br |
| +Mark the frame with the specified unsigned value. |
| .TP |
| +.BR "--mark-target " "\fItarget\fP" |
| +.br |
| +Specifies the standard target. After marking the frame, the rule |
| +still has to give a standard target so |
| +.B ebtables |
| +knows what to do. |
| +The default target is ACCEPT. Making it CONTINUE can let you do other |
| +things with the frame in other rules of the chain. |
| +.SS |
| .B redirect |
| The |
| .B redirect |
| @@ -535,37 +636,41 @@ |
| frame arrived on. This target can only be used in the |
| .BR BROUTING " chain of the " broute " table and the " |
| .BR PREROUTING " chain of the " nat " table." |
| -.br |
| +.TP |
| .BR "--redirect-target " "\fItarget\fP" |
| .br |
| Specifies the standard target. After doing the MAC redirect, the rule |
| still has to give a standard target so |
| .B ebtables |
| knows what to do. |
| -The default target is ACCEPT. Making it CONTINUE could let you use |
| +The default target is ACCEPT. Making it CONTINUE could let you use |
| multiple target extensions on the same frame. Making it DROP in the |
| BROUTING chain will let the frames be routed. RETURN is also allowed. Note |
| that using RETURN in a base chain is not allowed. |
| +.SS |
| +.B snat |
| +The |
| +.B snat |
| +target can only be used in the |
| +.BR POSTROUTING " chain of the " nat " table." |
| +It specifies that the source mac address has to be changed. |
| .TP |
| -.B mark |
| -The mark target can be used in every chain of every table. It is possible |
| -to use the marking of a frame/packet in both ebtables and iptables, |
| -if the br-nf code is compiled into the kernel. Both put the marking at the |
| -same place. So, you can consider this fact as a feature, or as something to |
| -watch out for. |
| +.BR "--to-source " "\fIaddress\fP" |
| .br |
| -.BR "--mark-target " "\fItarget\fP" |
| +The flag |
| +.B --to-src |
| +is an alias for this option. |
| +.TP |
| +.BR "--snat-target " "\fItarget\fP" |
| .br |
| -Specifies the standard target. After marking the frame, the rule |
| -still has to give a standard target so |
| +Specifies the standard target. After doing the snat, the rule still has |
| +to give a standard target so |
| .B ebtables |
| knows what to do. |
| -The default target is ACCEPT. Making it CONTINUE can let you do other |
| -things with the frame in other rules of the chain. |
| -.br |
| -.BR "--set-mark " "\fIvalue\fP" |
| -.br |
| -Mark the frame with the specified unsigned value. |
| +The default target is ACCEPT. Making it CONTINUE could let you use |
| +multiple target extensions on the same frame. Making it DROP doesn't |
| +make sense, but you could do that too. RETURN is also allowed. Note |
| +that using RETURN in a base chain is not allowed. |
| .br |
| .SH FILES |
| .I /etc/ethertypes |
| @@ -573,7 +678,9 @@ |
| .I EBTABLES_ATOMIC_FILE |
| .SH BUGS |
| This won't work on an architecture with a user32/kernel64 situation like the Sparc64. |
| -.SH AUTHOR |
| -.IR "" "Bart De Schuymer <" bdschuym@pandora.be > |
| +.SH MAILINGLISTS |
| +.I ebtables-user@lists.sourceforge.net |
| +.br |
| +.I ebtables-devel@lists.sourceforge.net |
| .SH SEE ALSO |
| -.BR iptables "(8), " brctl (8) |
| +.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8) |
| --- ebtables-v2.0.2/include/ebtables_u.h Wed Nov 20 22:05:39 2002 |
| +++ ebtables-v2.0.3/include/ebtables_u.h Sun Jan 19 12:37:52 2003 |
| @@ -30,9 +30,9 @@ |
| { |
| int policy; |
| unsigned int nentries; |
| - // counter offset for this chain |
| + /* counter offset for this chain */ |
| unsigned int counter_offset; |
| - // used for udc |
| + /* used for udc */ |
| unsigned int hook_mask; |
| char name[EBT_CHAIN_MAXNAMELEN]; |
| struct ebt_u_entry *entries; |
| @@ -42,7 +42,7 @@ |
| { |
| struct ebt_u_entries *udc; |
| struct ebt_u_chain_list *next; |
| - // this is only used internally, in communication.c |
| + /* this is only used internally, in communication.c */ |
| char *kernel_start; |
| }; |
| |
| @@ -50,25 +50,29 @@ |
| { |
| char name[EBT_TABLE_MAXNAMELEN]; |
| unsigned int valid_hooks; |
| - // nr of rules in the table |
| + /* nr of rules in the table */ |
| unsigned int nentries; |
| struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS]; |
| - // user defined chains (udc) list |
| + /* user defined chains (udc) list */ |
| struct ebt_u_chain_list *udc; |
| - // nr of counters userspace expects back |
| + /* nr of counters userspace expects back */ |
| unsigned int num_counters; |
| - // where the kernel will put the old counters |
| + /* where the kernel will put the old counters */ |
| struct ebt_counter *counters; |
| - // can be used e.g. to know if a standard option |
| - // has been specified twice |
| + /* |
| + * can be used e.g. to know if a standard option |
| + * has been specified twice |
| + */ |
| unsigned int flags; |
| - // we stick the specified command (e.g. -A) in here |
| + /* we stick the specified command (e.g. -A) in here */ |
| char command; |
| - // here we stick the hook to do our thing on (can be -1 if unspecified) |
| + /* |
| + * here we stick the hook to do our thing on (can be -1 if unspecified) |
| + */ |
| int selected_hook; |
| - // used for the atomic option |
| + /* used for the atomic option */ |
| char *filename; |
| - // tells what happened to the old rules |
| + /* tells what happened to the old rules */ |
| unsigned short *counterchanges; |
| }; |
| |
| @@ -114,7 +118,7 @@ |
| struct ebt_u_match |
| { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| - // size of the real match data |
| + /* size of the real match data */ |
| unsigned int size; |
| void (*help)(void); |
| void (*init)(struct ebt_entry_match *m); |
| @@ -129,12 +133,16 @@ |
| int (*compare)(const struct ebt_entry_match *m1, |
| const struct ebt_entry_match *m2); |
| const struct option *extra_ops; |
| - // can be used e.g. to check for multiple occurance of the same option |
| + /* |
| + * can be used e.g. to check for multiple occurance of the same option |
| + */ |
| unsigned int flags; |
| unsigned int option_offset; |
| struct ebt_entry_match *m; |
| - // if used == 1 we no longer have to add it to |
| - // the match chain of the new entry |
| + /* |
| + * if used == 1 we no longer have to add it to |
| + * the match chain of the new entry |
| + */ |
| unsigned int used; |
| struct ebt_u_match *next; |
| }; |
| @@ -204,10 +212,10 @@ |
| #define print_bug(format, args...) \ |
| __print_bug(__FILE__, __LINE__, format, ##args) |
| #define print_error(format,args...) {printf(format".\n",##args); exit(-1);} |
| -#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \ |
| - " %d :Out of memory.\n", __LINE__); exit(-1);} |
| +#define print_memory() {printf("Ebtables: " __FILE__ \ |
| + " %s %d :Out of memory.\n", __FUNCTION__, __LINE__); exit(-1);} |
| |
| -// used for keeping the rule counters right during rule adds or deletes |
| +/* used for keeping the rule counters right during rule adds or deletes */ |
| #define CNT_NORM 0 |
| #define CNT_DEL 1 |
| #define CNT_ADD 2 |
| @@ -215,8 +223,10 @@ |
| #define CNT_ZERO 4 |
| |
| extern char *standard_targets[NUM_STANDARD_TARGETS]; |
| -// Transforms a target string into the right integer, |
| -// returns 0 on success. |
| +/* |
| + * Transforms a target string into the right integer, |
| + * returns 0 on success. |
| + */ |
| #define FILL_TARGET(_str, _pos) ({ \ |
| int _i, _ret = 0; \ |
| for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \ |
| @@ -229,12 +239,12 @@ |
| _ret; \ |
| }) |
| |
| -// Transforms the target value to an index into standard_targets[] |
| +/* Transforms the target value to an index into standard_targets[] */ |
| #define TARGET_INDEX(_value) (-_value - 1) |
| -// Returns a target string corresponding to the value |
| +/* Returns a target string corresponding to the value */ |
| #define TARGET_NAME(_value) (standard_targets[TARGET_INDEX(_value)]) |
| -// True if the hook mask denotes that the rule is in a base chain |
| +/* True if the hook mask denotes that the rule is in a base chain */ |
| #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) |
| -// Clear the bit in the hook_mask that tells if the rule is on a base chain |
| +/* Clear the bit in the hook_mask that tells if the rule is on a base chain */ |
| #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) |
| #endif /* EBTABLES_U_H */ |