* Add logical bridge in/out device filtering support
* Be more paranoid about the given userspace device names

--- linux/net/bridge/netfilter/ebtables.c	Fri Apr 19 21:48:59 2002
+++ ebt2.0pre3.002/net/bridge/netfilter/ebtables.c	Fri Apr 19 23:21:22 2002
@@ -30,6 +30,8 @@
 #include <asm/uaccess.h>
 #include <linux/smp.h>
 #include <net/sock.h>
+// needed for logical [in,out]-dev filtering
+#include "../br_private.h"
 
 // list_named_find
 #define ASSERT_READ_LOCK(x)
@@ -115,6 +117,11 @@
 		      (point->bitmask & EBT_802_3), EBT_IPROTO) )
 		   && FWINV(!ebt_dev_check((char *)(point->in), in), EBT_IIN)
 		   && FWINV(!ebt_dev_check((char *)(point->out), out), EBT_IOUT)
+		   && ((!in || !in->br_port) ? 1 : FWINV(!ebt_dev_check((char *)
+		      (point->logical_in), &in->br_port->br->dev), EBT_ILOGICALIN))
+		   && ((!out || !out->br_port) ? 1 :
+		       FWINV(!ebt_dev_check((char *)
+		      (point->logical_out), &out->br_port->br->dev), EBT_ILOGICALOUT))
 		) {
 			if ( (point->bitmask & EBT_SOURCEMAC) &&
 			   FWINV(!!memcmp(point->sourcemac,
@@ -363,6 +370,10 @@
 		BUGPRINT("NOPROTO & 802_3 not allowed\n");
 		return -EINVAL;
 	}
+	e->in[IFNAMSIZ - 1] = '\0';
+	e->out[IFNAMSIZ - 1] = '\0';
+	e->logical_in[IFNAMSIZ - 1] = '\0';
+	e->logical_out[IFNAMSIZ - 1] = '\0';
 	// what hook do we belong to?
 	for (i = 0; i < NF_BR_NUMHOOKS; i++) {
 		if ((valid_hooks & (1 << i)) == 0)
--- linux/include/linux/netfilter_bridge/ebtables.h	Fri Apr 19 21:48:59 2002
+++ ebt2.0pre3.002/include/linux/netfilter_bridge/ebtables.h	Fri Apr 19 21:06:25 2002
@@ -71,7 +71,10 @@
 #define EBT_IOUT 0x04
 #define EBT_ISOURCE 0x8
 #define EBT_IDEST 0x10
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ISOURCE | EBT_IDEST)
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
 
 struct ebt_counter
 {
@@ -124,8 +127,14 @@
 	__u32 bitmask;
 	__u32 invflags;
 	__u16 ethproto;
+	// the physical in-dev
 	__u8 in[IFNAMSIZ];
+	// the logical in-dev
+	__u8 logical_in[IFNAMSIZ];
+	// the physical out-dev
 	__u8 out[IFNAMSIZ];
+	// the logical out-dev
+	__u8 logical_out[IFNAMSIZ];
 	__u8 sourcemac[ETH_ALEN];
 	__u8 destmac[ETH_ALEN];
 	// sizeof ebt_entry + matches