--- ebtables-v2.0pre3.003/ebtables.c	Sat Apr 27 16:57:47 2002
+++ ebtables-v2.0pre3.004/ebtables.c	Wed Apr 24 19:47:02 2002
@@ -63,8 +63,8 @@
 	{ "policy"        , required_argument, 0, 'P' },
 	{ "in-interface"  , required_argument, 0, 'i' },
 	{ "in-if"         , required_argument, 0, 'i' },
-	{ "logical-in"    , required_argument, 0, 1   },
-	{ "logical-out"   , required_argument, 0, 2   },
+	{ "logical-in"    , required_argument, 0, 2   },
+	{ "logical-out"   , required_argument, 0, 3   },
 	{ "out-interface" , required_argument, 0, 'o' },
 	{ "out-if"        , required_argument, 0, 'o' },
 	{ "version"       , no_argument      , 0, 'V' },
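Review bot: The option values 2 and 3 assigned to `logical-in` and `logical-out` are bare integer literals that reappear as the `case 2`/`case 3` labels and the `c == 2`/`c == 3` comparisons in the three later hunks of this file, so a renumbering like this one has to be repeated in five places by hand. Naming them once next to the table, e.g. `#define LOGICAL_IN_OPT 2` and `#define LOGICAL_OUT_OPT 3` (constructed names), and using the names in the switch and the comparisons would keep the mapping in one spot. Why the values 1 and 2 were vacated is not visible in the hunk; a one-line comment on the table saying what these small integers must not collide with would help the next edit.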
@@ -155,6 +155,8 @@
 	e->ethproto = 0;
 	strcpy(e->in, "");
 	strcpy(e->out, "");
+	strcpy(e->logical_in, "");
+	strcpy(e->logical_out, "");
 	e->m_list = NULL;
 	e->w_list = NULL;
 	// the init function of the standard target should have put the verdict
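Review bot: The two new `strcpy(e->logical_in, "")` / `strcpy(e->logical_out, "")` lines call the string copier to write a single terminator; `e->logical_in[0] = '\0';` and `e->logical_out[0] = '\0';` express the same thing directly and mirror the existing `in`/`out` handling only in effect, not in cost. This assumes both fields are character arrays rather than pointers, which their declaration (outside this hunk) would confirm. The enclosing init function begins and ends outside the hunk.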
@@ -1278,9 +1280,9 @@
 			break;
 
 		case 'i': // input interface
-		case 1  : // logical input interface
+		case 2  : // logical input interface
 		case 'o': // output interface
-		case 2  : // logical output interface
+		case 3  : // logical output interface
 		case 'j': // target
 		case 'p': // net family protocol
 		case 's': // source mac
@@ -1306,7 +1308,7 @@
 				strcpy(new_entry->in, argv[optind - 1]);
 				break;
 			}
-			if (c == 1) {
+			if (c == 2) {
 				check_option(&replace.flags, OPT_LOGICALIN);
 				if (replace.selected_hook > 2)
 					print_error("Use logical in-interface "
@@ -1342,7 +1344,7 @@
 				strcpy(new_entry->out, argv[optind - 1]);
 				break;
 			}
-			if (c == 2) {
+			if (c == 3) {
 				check_option(&replace.flags, OPT_LOGICALOUT);
 				if (replace.selected_hook < 2)
 					print_error("Use logical out-interface "
--- /dev/null	Thu Aug 24 11:00:32 2000
+++ ebtables-v2.0pre3.004/extensions/ebt_redirect.c	Sat Apr 27 17:18:16 2002
@@ -0,0 +1,109 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_redirect.h>
+
+extern char *standard_targets[NUM_STANDARD_TARGETS];
+
+#define REDIRECT_TARGET '1'
+static struct option opts[] =
+{
+	{ "redirect-target"    , required_argument, 0, REDIRECT_TARGET },
+	{ 0 }
+};
+
+static void print_help()
+{
+	printf(
+	"redirect option:\n"
+	" --redirect-target target   : ACCEPT, DROP or CONTINUE\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+	struct ebt_redirect_info *redirectinfo =
+	   (struct ebt_redirect_info *)target->data;
+
+	redirectinfo->target = EBT_ACCEPT;
+	return;
+}
+
+
+#define OPT_REDIRECT_TARGET  0x01
+static int parse(int c, char **argv, int argc,
+   const struct ebt_u_entry *entry, unsigned int *flags,
+   struct ebt_entry_target **target)
+{
+	int i;
+	struct ebt_redirect_info *redirectinfo =
+	   (struct ebt_redirect_info *)(*target)->data;
+
+	switch (c) {
+	case REDIRECT_TARGET:
+		check_option(flags, OPT_REDIRECT_TARGET);
+		for (i = 0; i < NUM_STANDARD_TARGETS; i++)
+			if (!strcmp(optarg, standard_targets[i])) {
+				redirectinfo->target = i;
+				break;
+			}
+		if (i == NUM_STANDARD_TARGETS)
+			print_error("Illegal --redirect-target target");
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+   const struct ebt_entry_target *target, const char *name, unsigned int hook)
+{
+	if ( (hook != NF_BR_PRE_ROUTING || strcmp(name, "nat")) &&
+	   (hook != NF_BR_BROUTING || strcmp(name, "broute")) )
+		print_error("Wrong chain for redirect");
+}
+
+static void print(const struct ebt_u_entry *entry,
+   const struct ebt_entry_target *target)
+{
+	struct ebt_redirect_info *redirectinfo =
+	   (struct ebt_redirect_info *)target->data;
+
+	printf("redirect");
+	printf(" --redirect-target %s", standard_targets[redirectinfo->target]);
+}
+
+static int compare(const struct ebt_entry_target *t1,
+   const struct ebt_entry_target *t2)
+{
+	struct ebt_redirect_info *redirectinfo1 =
+	   (struct ebt_redirect_info *)t1->data;
+	struct ebt_redirect_info *redirectinfo2 =
+	   (struct ebt_redirect_info *)t2->data;
+
+	return redirectinfo1->target == redirectinfo2->target;
+}
+
+static struct ebt_u_target redirect_target =
+{
+	EBT_REDIRECT_TARGET,
+	sizeof(struct ebt_redirect_info),
+	print_help,
+	init,
+	parse,
+	final_check,
+	print,
+	compare,
+	opts,
+};
+
+static void _init(void) __attribute__ ((constructor));
+static void _init(void)
+{
+	register_target(&redirect_target);
+}
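Review bot: `print` indexes `standard_targets[redirectinfo->target]` with a value it does not range-check, and the field's two writers do not agree on its encoding: `init` stores `EBT_ACCEPT` while `parse` stores the loop index `i` of the matching name. Unless `EBT_ACCEPT` happens to equal the index of "ACCEPT" in `standard_targets` (not visible here), a rule that was never given `--redirect-target` prints from outside the array, and target data read back from the kernel is indexed unchecked in the same way. A guard before the second printf, `if (redirectinfo->target < 0 || redirectinfo->target >= NUM_STANDARD_TARGETS) print_error("Illegal redirect target");` (adjust the sign test if the field is unsigned), bounds the read, and storing the index in `init` as well removes the mismatch; the same unchecked indexing is added to ebt_nat.c in `print_s` and `print_d`. Separately, `static void print_help()` declares no parameter list; `print_help(void)` is the prototype form.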
--- ebtables-v2.0pre3.003/extensions/ebt_nat.c	Sat Apr 27 16:57:41 2002
+++ ebtables-v2.0pre3.004/extensions/ebt_nat.c	Sat Apr 27 17:16:19 2002
@@ -8,54 +8,71 @@
 #include "../include/ebtables_u.h"
 #include <linux/netfilter_bridge/ebt_nat.h>
 
+extern char *standard_targets[NUM_STANDARD_TARGETS];
+
 int to_source_supplied, to_dest_supplied;
 
 #define NAT_S '1'
 #define NAT_D '1'
+#define NAT_S_TARGET '2'
+#define NAT_D_TARGET '2'
 static struct option opts_s[] =
 {
 	{ "to-source"     , required_argument, 0, NAT_S },
 	{ "to-src"        , required_argument, 0, NAT_S },
-	{ 0 },
+	{ "snat-target"    , required_argument, 0, NAT_S_TARGET },
+	{ 0 }
 };
 
 static struct option opts_d[] =
 {
 	{ "to-destination", required_argument, 0, NAT_D },
 	{ "to-dst"        , required_argument, 0, NAT_D },
+	{ "dnat-target"    , required_argument, 0, NAT_D_TARGET },
 	{ 0 }
 };
 
 static void print_help_s()
 {
 	printf(
-	"snat option:\n"
-	" --to-src address       : MAC address to map source to\n");
+	"snat options:\n"
+	" --to-src address       : MAC address to map source to\n"
+	" --snat-target target   : ACCEPT, DROP or CONTINUE\n");
 }
 
 static void print_help_d()
 {
 	printf(
-	"dnat option:\n"
-	" --to-dst address       : MAC address to map destination to\n");
+	"dnat options:\n"
+	" --to-dst address       : MAC address to map destination to\n"
+	" --dnat-target target   : ACCEPT, DROP or CONTINUE\n");
 }
 
 static void init_s(struct ebt_entry_target *target)
 {
+	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
+
 	to_source_supplied = 0;
+	natinfo->target = EBT_ACCEPT;
 	return;
 }
 
 static void init_d(struct ebt_entry_target *target)
 {
+	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
+
 	to_dest_supplied = 0;
+	natinfo->target = EBT_ACCEPT;
+	return;
 }
 
-#define OPT_SNAT  0x01
+#define OPT_SNAT         0x01
+#define OPT_SNAT_TARGET  0x02
 static int parse_s(int c, char **argv, int argc,
    const struct ebt_u_entry *entry, unsigned int *flags,
    struct ebt_entry_target **target)
 {
+	int i;
 	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data;
 
 	switch (c) {
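Review bot: The `extern char *standard_targets[NUM_STANDARD_TARGETS];` added at the top of the file is a per-extension redeclaration of a symbol defined elsewhere, and the new ebt_redirect.c carries the identical line; declaring it once in `../include/ebtables_u.h`, which both files already include, keeps the array's type and bound in a single place. The `return;` appended to `init_d` is redundant at the end of a void function, though it does match the existing `init_s`. The body of `parse_s` continues in the next hunk.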
@@ -65,17 +82,29 @@
 		if (getmac(optarg, natinfo->mac))
 			print_error("Problem with specified to-source mac");
 		break;
+	case NAT_S_TARGET:
+		check_option(flags, OPT_SNAT_TARGET);
+		for (i = 0; i < NUM_STANDARD_TARGETS; i++)
+			if (!strcmp(optarg, standard_targets[i])) {
+				natinfo->target = i;
+				break;
+			}
+		if (i == NUM_STANDARD_TARGETS)
+			print_error("Illegal --snat-target target");
+		break;
 	default:
-	return 0;
+		return 0;
 	}
 	return 1;
 }
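Review bot: The `NAT_S_TARGET` case walks `standard_targets` with an eight-line lookup loop that is copied verbatim into the `NAT_D_TARGET` case in the next hunk and into `parse` in the new ebt_redirect.c, differing only in the error string. A single shared helper, say `int lookup_standard_target(const char *name)` returning the index or -1 (constructed name), would reduce each case to `if ((natinfo->target = lookup_standard_target(optarg)) < 0) print_error("Illegal --snat-target target");` and give the three extensions one definition of a valid target name. `parse_s` begins in the previous hunk.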
 
-#define OPT_DNAT  0x01
+#define OPT_DNAT        0x01
+#define OPT_DNAT_TARGET 0x02
 static int parse_d(int c, char **argv, int argc,
    const struct ebt_u_entry *entry, unsigned int *flags,
    struct ebt_entry_target **target)
 {
+	int i;
 	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data;
 
 	switch (c) {
@@ -86,8 +115,18 @@
 			print_error("Problem with specified "
 			            "to-destination mac");
 		break;
+	case NAT_D_TARGET:
+		check_option(flags, OPT_DNAT_TARGET);
+		for (i = 0; i < NUM_STANDARD_TARGETS; i++)
+			if (!strcmp(optarg, standard_targets[i])) {
+				natinfo->target = i;
+				break;
+			}
+		if (i == NUM_STANDARD_TARGETS)
+			print_error("Illegal --dnat-target target");
+		break;
 	default:
-	return 0;
+		return 0;
 	}
 	return 1;
 }
@@ -96,18 +135,18 @@
    const struct ebt_entry_target *target, const char *name, unsigned int hook)
 {
 	if (hook != NF_BR_POST_ROUTING || strcmp(name, "nat"))
-		print_error("Wrong chain for SNAT");
+		print_error("Wrong chain for snat");
 	if (to_source_supplied == 0)
 		print_error("No snat address supplied");
-
 }
 
 static void final_check_d(const struct ebt_u_entry *entry,
    const struct ebt_entry_target *target, const char *name, unsigned int hook)
 {
-	if ( (hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) ||
-	   strcmp(name, "nat") )
-		print_error("Wrong chain for DNAT");
+	if ( ((hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) ||
+	   strcmp(name, "nat")) &&
+	   (hook != NF_BR_BROUTING || strcmp(name, "broute")) )
+		print_error("Wrong chain for dnat");
 	if (to_dest_supplied == 0)
 		print_error("No dnat address supplied");
 }
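Review bot: The widened condition in `final_check_d` reads as one compound boolean with nested negations; a comment stating the intent above the `if`, `/* dnat is valid in PREROUTING/OUTPUT of the "nat" table and in BROUTING of the "broute" table */`, lets the next reader verify it without redoing the De Morgan by hand. The same hook/table pairing appears in `final_check` of the new ebt_redirect.c, where a comment of the same shape would keep the two readable side by side.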
@@ -122,6 +161,7 @@
 	for (i = 0; i < ETH_ALEN; i++)
 		printf("%02x%s",
 		   natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":");
+	printf(" --snat-target %s", standard_targets[natinfo->target]);
 }
 
 static void print_d(const struct ebt_u_entry *entry,
@@ -134,6 +174,7 @@
 	for (i = 0; i < ETH_ALEN; i++)
 		printf("%02x%s",
 		   natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":");
+	printf(" --dnat-target %s", standard_targets[natinfo->target]);
 }
 
 static int compare(const struct ebt_entry_target *t1,
@@ -142,13 +183,15 @@
 	struct ebt_nat_info *natinfo1 = (struct ebt_nat_info *)t1->data;
 	struct ebt_nat_info *natinfo2 = (struct ebt_nat_info *)t2->data;
 
-	return !memcmp(natinfo1->mac, natinfo2->mac, sizeof(natinfo1->mac));
+
+	return !memcmp(natinfo1->mac, natinfo2->mac, sizeof(natinfo1->mac)) &&
+	   natinfo1->target == natinfo2->target;
 }
 
 static struct ebt_u_target snat_target =
 {
 	EBT_SNAT_TARGET,
-	sizeof(struct ebt_nat_info) + sizeof(struct ebt_entry_target),
+	sizeof(struct ebt_nat_info),
 	print_help_s,
 	init_s,
 	parse_s,
--- ebtables-v2.0pre3.003/extensions/Makefile	Sat Apr  6 21:56:53 2002
+++ ebtables-v2.0pre3.004/extensions/Makefile	Tue Apr 23 22:46:21 2002
@@ -1,7 +1,7 @@
 #! /usr/bin/make
 
-EXT_FUNC+=nat arp ip standard log
-EXT_TABLES+=filter nat
+EXT_FUNC+=nat arp ip standard log redirect
+EXT_TABLES+=filter nat broute
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
 EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
 
--- ebtables-v2.0pre3.003/ChangeLog	Sun Apr 14 14:15:59 2002
+++ ebtables-v2.0pre3.004/ChangeLog	Sat Apr 27 17:24:26 2002
@@ -1,3 +1,9 @@
+20020427
+	* added broute table.
+	* added redirect target.
+	* added --redirect-target, --snat-target and --dnat-target options.
+	* added logical_out and logical_in
+	* snat bugfix (->size)
 20020414
 	* fixed some things in the manual.
 	* fixed -P problem.
--- ebtables-v2.0pre3.003/ebtables.8	Sat Apr 27 16:57:44 2002
+++ ebtables-v2.0pre3.004/ebtables.8	Sat Apr 27 13:33:37 2002
@@ -1,4 +1,4 @@
-.TH EBTABLES 8  "14 April 2002"
+.TH EBTABLES 8  "27 April 2002"
 .\"
 .\" Man page written by Bart De Schuymer <bart.de.schuymer@pandora.be>
 .\" It is based on the iptables man page.
@@ -40,7 +40,7 @@
 complicated. This man page is written with the man page of iptables
 next to it, so don't be surprised to see copied sentences and structure.
 
-There are two tables with each three built-in chains. Each chain is a list
+There are three tables with built-in chains. Each chain is a list
 of rules which can match frames: each rule specifies what to do with a
 frame which matches. This is called a 'target'. The tables are used to
 divide functionality into different sets of chains.
@@ -66,7 +66,7 @@
 .B "TARGET EXTENSIONS"
 section.
 .SS TABLES
-There are two tables.
+There are three tables.
 .TP
 .B "-t, --table"
 This option specifies the frame matching table which the command should
@@ -90,6 +90,22 @@
 of chains POSTROUTING and PREROUTING: it would be more accurate to call them
 PREFORWARDING and POSTFORWARDING, but for all those who come from the iptables
 world to ebtables it is easier to have the same names.
+.BR broute ,
+this table is used to make a brouter, it has one chain:
+.BR BROUTING .
+The targets
+.BR DROP and ACCEPT
+have special meaning in this table.
+.B DROP
+actually means the frame has to be routed, while
+.B ACCEPT
+means the frame has to be bridged. The
+.B BROUTING
+chain is traversed very early. It is only traversed by frames entering on
+a bridge enslaved nic that is in forwarding state. Normally those frames
+would be bridged, but you can decide otherwise here. The
+.B redirect
+target is very handy here.
 .SH OPTIONS
 The options can be divided into several different groups.
 .SS COMMANDS
@@ -334,13 +350,21 @@
 The flag
 .B --to-src
 is an alias for this option.
+.br
+.BR "--snat-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the snat, the rule still has 
+to give a standard target so ebtables knows what to do.
+The default target is ACCEPT. Making it CONTINUE could let you use
+multiple target extensions on the same frame. Making it DROP doesn't
+make sense, but you could do that too.
 .TP
 .B dnat
 The
 .B dnat
 target can only be used in the
-.BR PREROUTING " and the
-.BR OUTPUT " chains of the " nat " table."
+.BR BROUTING " chain of the " broute " table and the "
+.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
 It specifies that the destination mac address has to be changed.
 .br
 .BR "--to-destination " "\fIaddress\fP"
@@ -348,6 +372,31 @@
 The flag
 .B --to-dst
 is an alias for this option.
+.br
+.BR "--dnat-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the dnat, the rule still has to
+give a standard target so ebtables knows what to do.
+The default target is ACCEPT. Making it CONTINUE could let you use 
+multiple target extensions on the same frame. Making it DROP only makes
+sense in the BROUTING chain but using the redirect target is more logical
+there.
+.TP
+.B redirect
+The
+.B redirect
+target will change the MAC target address to that of the physical nic the
+frame arrived on. This target can only be used in the
+.BR BROUTING " chain of the " broute " table and the "
+.BR PREROUTING " chain of the " nat " table."
+.br
+.BR "--redirect-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the MAC redirect, the rule
+still has to give a standard target so ebtables knows what to do.
+The default target is ACCEPT. Making it CONTINUE could let you use 
+multiple target extensions on the same frame. Making it DROP in the
+BROUTING chain will let the frames be routed.
 .SH FILES
 .I /etc/etherproto
 .SH BUGS