--- ebtables-v2.0/Makefile	Thu Sep 19 19:52:09 2002
+++ ebtables-v2.0.1/Makefile	Thu Oct 17 23:27:29 2002
@@ -2,8 +2,8 @@
 
 KERNEL_DIR?=/usr/src/linux
 PROGNAME:=ebtables
-PROGVERSION:="2.0"
-PROGDATE:="September 2002"
+PROGVERSION:="2.0.1"
+PROGDATE:="October 2002"
 
 MANDIR?=/usr/local/man
 CFLAGS:=-Wall -Wunused
--- ebtables-v2.0/ebtables.c	Sat Aug 24 23:01:21 2002
+++ ebtables-v2.0.1/ebtables.c	Thu Oct 17 22:51:12 2002
@@ -635,8 +635,9 @@
 			print_bug("Target not found");
 		t->print(hlp, hlp->t);
 		if (replace.flags & LIST_C)
-			printf(", count = %llu",
-			   replace.counters[entries->counter_offset + i].pcnt);
+			printf(", pcnt = %llu -- bcnt = %llu",
+			   replace.counters[entries->counter_offset + i].pcnt,
+			   replace.counters[entries->counter_offset + i].bcnt);
 		printf("\n");
 		hlp = hlp->next;
 	}
--- ebtables-v2.0/extensions/ebt_ip.c	Thu Aug 29 18:48:36 2002
+++ ebtables-v2.0.1/extensions/ebt_ip.c	Thu Oct 17 23:21:16 2002
@@ -1,7 +1,36 @@
+/*
+ *  ebtables ebt_ip: IP extension module for userspace
+ * 
+ *  Authors:
+ *   Bart De Schuymer <bart.de.schuymer@pandora.be>
+ *
+ *  Changes:
+ *    added ip-sport and ip-dport; parsing of port arguments is
+ *    based on code from iptables-1.2.7a
+ *    Innominate Security Technologies AG <mhopf@innominate.com>
+ *    September, 2002
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <getopt.h>
+#include <netdb.h>
 #include "../include/ebtables_u.h"
 #include <linux/netfilter_bridge/ebt_ip.h>
 
@@ -9,16 +38,22 @@
 #define IP_DEST   '2'
 #define IP_myTOS  '3' // include/bits/in.h seems to already define IP_TOS
 #define IP_PROTO  '4'
+#define IP_SPORT  '5'
+#define IP_DPORT  '6'
 
 static struct option opts[] =
 {
-	{ "ip-source"     , required_argument, 0, IP_SOURCE },
-	{ "ip-src"        , required_argument, 0, IP_SOURCE },
-	{ "ip-destination", required_argument, 0, IP_DEST   },
-	{ "ip-dst"        , required_argument, 0, IP_DEST   },
-	{ "ip-tos"        , required_argument, 0, IP_myTOS  },
-	{ "ip-protocol"   , required_argument, 0, IP_PROTO  },
-	{ "ip-proto"      , required_argument, 0, IP_PROTO  },
+	{ "ip-source"           , required_argument, 0, IP_SOURCE },
+	{ "ip-src"              , required_argument, 0, IP_SOURCE },
+	{ "ip-destination"      , required_argument, 0, IP_DEST   },
+	{ "ip-dst"              , required_argument, 0, IP_DEST   },
+	{ "ip-tos"              , required_argument, 0, IP_myTOS  },
+	{ "ip-protocol"         , required_argument, 0, IP_PROTO  },
+	{ "ip-proto"            , required_argument, 0, IP_PROTO  },
+	{ "ip-source-port"      , required_argument, 0, IP_SPORT  },
+	{ "ip-sport"            , required_argument, 0, IP_SPORT  },
+	{ "ip-destination-port" , required_argument, 0, IP_DPORT  },
+	{ "ip-dport"            , required_argument, 0, IP_DPORT  },
 	{ 0 }
 };
 
@@ -127,6 +162,56 @@
 	return buf;
 }
 
+// transform a protocol and service name into a port number
+static uint16_t parse_port(const char *protocol, const char *name)
+{
+	struct servent *service;
+	char *end;
+	int port;
+
+	port = strtol(name, &end, 10);
+	if (*end != '\0') {
+		if (protocol && 
+		    (service = getservbyname(name, protocol)) != NULL)
+			return ntohs(service->s_port);
+	}
+	else if (port >= 0 || port <= 0xFFFF) {
+		return port;
+	}
+	print_error("Problem with specified %s port '%s'", 
+		    protocol?protocol:"", name);
+	return 0; /* never reached */
+}
+
+static void
+parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+{
+	char *buffer;
+	char *cp;
+	
+	buffer = strdup(portstring);
+	if ((cp = strchr(buffer, ':')) == NULL)
+		ports[0] = ports[1] = parse_port(protocol, buffer);
+	else {
+		*cp = '\0';
+		cp++;
+		ports[0] = buffer[0] ? parse_port(protocol, buffer) : 0;
+		ports[1] = cp[0] ? parse_port(protocol, cp) : 0xFFFF;
+		
+		if (ports[0] > ports[1])
+			print_error("Invalid portrange (min > max)");
+	}
+	free(buffer);
+}
+
+static void print_port_range(uint16_t *ports)
+{
+	if (ports[0] == ports[1])
+		printf("%d ", ports[0]);
+	else
+		printf("%d:%d ", ports[0], ports[1]);
+}
+
 static void print_help()
 {
 	printf(
@@ -134,7 +219,9 @@
 "--ip-src    [!] address[/mask]: ip source specification\n"
 "--ip-dst    [!] address[/mask]: ip destination specification\n"
 "--ip-tos    [!] tos           : ip tos specification\n"
-"--ip-proto  [!] protocol      : ip protocol specification\n");
+"--ip-proto  [!] protocol      : ip protocol specification\n"
+"--ip-sport  [!] port[:port]   : tcp/udp source port or port range\n"
+"--ip-dport  [!] port[:port]   : tcp/udp destination port or port range\n");
 }
 
 static void init(struct ebt_entry_match *match)
@@ -149,6 +236,8 @@
 #define OPT_DEST   0x02
 #define OPT_TOS    0x04
 #define OPT_PROTO  0x08
+#define OPT_SPORT  0x10
+#define OPT_DPORT  0x20
 static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry,
    unsigned int *flags, struct ebt_entry_match **match)
 {
@@ -183,6 +272,27 @@
 			   &ipinfo->dmsk);
 		break;
 
+	case IP_SPORT:
+	case IP_DPORT:
+		if (c == IP_SPORT) {
+			check_option(flags, OPT_SPORT);
+			ipinfo->bitmask |= EBT_IP_SPORT;
+			if (check_inverse(optarg))
+				ipinfo->invflags |= EBT_IP_SPORT;
+		} else {
+			check_option(flags, OPT_DPORT);
+			ipinfo->bitmask |= EBT_IP_DPORT;
+			if (check_inverse(optarg))
+				ipinfo->invflags |= EBT_IP_DPORT;
+		}
+		if (optind > argc)
+			print_error("Missing port argument");
+		if (c == IP_SPORT)
+			parse_port_range(NULL, argv[optind - 1], ipinfo->sport);
+		else
+			parse_port_range(NULL, argv[optind - 1], ipinfo->dport);
+		break;
+
 	case IP_myTOS:
 		check_option(flags, OPT_TOS);
 		if (check_inverse(optarg))
@@ -219,9 +329,19 @@
    const struct ebt_entry_match *match, const char *name,
    unsigned int hookmask, unsigned int time)
 {
+ 	struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)match->data;
+
 	if (entry->ethproto != ETH_P_IP || entry->invflags & EBT_IPROTO)
 		print_error("For IP filtering the protocol must be "
 		            "specified as IPv4");
+
+ 	if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) &&
+ 		(!ipinfo->bitmask & EBT_IP_PROTO || 
+ 		ipinfo->invflags & EBT_IP_PROTO ||
+ 		(ipinfo->protocol!=IPPROTO_TCP && 
+ 			ipinfo->protocol!=IPPROTO_UDP)))
+ 		print_error("For port filtering the IP protocol must be "
+ 		            "either 6 (tcp) or 17 (udp)");
 }
 
 static void print(const struct ebt_u_entry *entry,
@@ -260,6 +380,20 @@
 			printf("! ");
 		printf("%d ", ipinfo->protocol);
 	}
+	if (ipinfo->bitmask & EBT_IP_SPORT) {
+		printf("--ip-sport ");
+		if (ipinfo->invflags & EBT_IP_SPORT) {
+			printf("! ");
+		}
+		print_port_range(ipinfo->sport);
+	}
+	if (ipinfo->bitmask & EBT_IP_DPORT) {
+		printf("--ip-dport ");
+		if (ipinfo->invflags & EBT_IP_DPORT) {
+			printf("! ");
+		}
+		print_port_range(ipinfo->dport);
+	}
 }
 
 static int compare(const struct ebt_entry_match *m1,
@@ -290,6 +424,14 @@
 	}
 	if (ipinfo1->bitmask & EBT_IP_PROTO) {
 		if (ipinfo1->protocol != ipinfo2->protocol)
+			return 0;
+	}
+	if (ipinfo1->bitmask & EBT_IP_SPORT) {
+		if (ipinfo1->sport != ipinfo2->sport)
+			return 0;
+	}
+	if (ipinfo1->bitmask & EBT_IP_DPORT) {
+		if (ipinfo1->dport != ipinfo2->dport)
 			return 0;
 	}
 	return 1;
--- ebtables-v2.0/ebtables.8	Sun Aug 11 13:58:05 2002
+++ ebtables-v2.0.1/ebtables.8	Thu Oct 17 23:20:57 2002
@@ -153,7 +153,8 @@
 .br
 .B "--Lc"
 .br
-Puts the counter value at the end of every rule.
+Shows the counters at the end of every rule, there is a frame counter
+(pcnt) and a byte counter (bcnt).
 .br
 .B "--Lx"
 .br
@@ -371,6 +372,19 @@
 The ip protocol.
 The flag
 .B --ip-proto
+is an alias for this option.
+.TP
+.BR "--ip-source-port " "[!] \fIport\fP[:\fIport\fP]"
+The source port or port range for the ip protocols 6 (TCP) and 17
+(UDP). If the first port is omitted, "0" is assumed; if the last
+is omitted, "65535" is assumed. The flag
+.B --ip-sport
+is an alias for this option.
+.TP
+.BR "--ip-destination-port " "[!] \fIport\fP[:\fIport\fP]"
+The destination port or port range for ip protocols 6 (TCP) and
+17 (UDP). The flag
+.B --ip-dport
 is an alias for this option.
 .SS arp
 Specify arp specific fields. These will only work if the protocol equals