summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBart De Schuymer <bdschuym@pandora.be>2003-04-01 19:13:32 +0000
committerBart De Schuymer <bdschuym@pandora.be>2003-04-01 19:13:32 +0000
commit6e4f5e7c40632b07099a0acd12a63d7a510e2654 (patch)
tree1db7ff470481101c55f45e31e25b8863f2258d71
parent2644295e09a4378d928c739320473f7ed2ce1a5a (diff)
*** empty log message ***
-rw-r--r--userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff1796
-rw-r--r--userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gzbin0 -> 60884 bytes
2 files changed, 1796 insertions, 0 deletions
diff --git a/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff b/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff
new file mode 100644
index 0000000..8973955
--- /dev/null
+++ b/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff
@@ -0,0 +1,1796 @@
+--- ebtables-v2.0.2/Makefile Sat Dec 7 13:09:40 2002
++++ ebtables-v2.0.3/Makefile Tue Apr 1 22:12:30 2003
+@@ -1,8 +1,8 @@
+ # ebtables Makefile
+
+ PROGNAME:=ebtables
+-PROGVERSION:=2.0.2
+-PROGDATE:=December\ 2002
++PROGVERSION:=2.0.3
++PROGDATE:=April\ 2003
+
+ MANDIR?=/usr/local/man
+ CFLAGS:=-Wall -Wunused
+@@ -12,20 +12,13 @@
+
+ OBJECTS:=getethertype.o ebtables.o communication.o $(EXT_OBJS)
+
+-# Use the option NONSTANDARD=y when you don't want to use the kernel includes
+-# that are included in this package. You should set KERNEL_INCLUDES to
+-# the right directory (eg /usr/src/linux/include).
+-# You should only need this when compiling the CVS or when adding new code.
+-ifeq ($(NONSTANDARD), y)
+-KERNEL_INCLUDES?=/usr/include/
+-else
+-KERNEL_INCLUDES:=include/
+-endif
+-
+-ifeq ($(ETHERTYPESPATH),)
+-ETHERTYPESPATH:=/etc/
+-endif
+-ETHERTYPESFILE:=$(ETHERTYPESPATH)ethertypes
++KERNEL_INCLUDES?=include/
++
++ETHERTYPESPATH?=/etc/
++ETHERTYPESFILE:=$(ETHERTYPESPATH)/ethertypes
++
++BINPATH?=/sbin/
++BINFILE:=$(BINPATH)ebtables
+
+ PROGSPECS:=-DPROGVERSION=\"$(PROGVERSION)\" \
+ -DPROGNAME=\"$(PROGNAME)\" \
+@@ -57,10 +50,10 @@
+
+ .PHONY: exec
+ exec: ebtables
+- install -m 0755 -o root -g root $< /sbin/ebtables
++ install -m 0755 -o root -g root $< $(BINFILE)
+
+ .PHONY: install
+-install: $(MANDIR)/man8/ebtables.8 ebtables $(ETHERTYPESFILE) exec
++install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec
+
+ .PHONY: clean
+ clean:
+--- ebtables-v2.0.2/ebtables.c Tue Dec 3 22:52:12 2002
++++ ebtables-v2.0.3/ebtables.c Tue Apr 1 20:08:15 2003
+@@ -52,6 +52,8 @@
+ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+ #endif
+ #define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE"
++#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n")
++
+
+ char *hooknames[NF_BR_NUMHOOKS] =
+ {
+@@ -201,8 +203,10 @@
+ strcpy(e->logical_out, "");
+ e->m_list = NULL;
+ e->w_list = NULL;
+- // the init function of the standard target should have put the verdict
+- // on CONTINUE
++ /*
++ * the init function of the standard target should have put the verdict
++ * on CONTINUE
++ */
+ e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET);
+ if (!e->t)
+ print_bug("Couldn't load standard target");
+@@ -293,7 +297,7 @@
+ merge[num_old + i].val += *options_offset;
+ }
+ memset(merge + num_old + num_new, 0, sizeof(struct option));
+- // only free dynamically allocated stuff
++ /* only free dynamically allocated stuff */
+ if (oldopts != ebt_original_options)
+ free(oldopts);
+
+@@ -398,7 +402,7 @@
+ char *buf = NULL;
+ char *argv[3];
+
+- // If they don't explicitly set it, read out of kernel
++ /* If they don't explicitly set it, read out of kernel */
+ if (!modprobe) {
+ buf = get_modprobe();
+ if (!buf)
+@@ -426,6 +430,37 @@
+ return 0;
+ }
+
++static void list_extensions()
++{
++ struct ebt_u_table *tbl = tables;
++ struct ebt_u_target *t = targets;
++ struct ebt_u_match *m = matches;
++ struct ebt_u_watcher *w = watchers;
++
++ PRINT_VERSION;
++ printf("Supported userspace extensions:\n\nSupported tables:\n");
++ while(tbl) {
++ printf("%s\n", tbl->name);
++ tbl = tbl->next;
++ }
++ printf("\nSupported targets:\n");
++ while(t) {
++ printf("%s\n", t->name);
++ t = t->next;
++ }
++ printf("\nSupported matches:\n");
++ while(m) {
++ printf("%s\n", m->name);
++ m = m->next;
++ }
++ printf("\nSupported watchers:\n");
++ while(w) {
++ printf("%s\n", w->name);
++ w = w->next;
++ }
++ exit(0);
++}
++
+ /*
+ * we use replace.flags, so we can't use the following values:
+ * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO
+@@ -465,7 +500,7 @@
+ for (i = 0; i < entries->nentries; i++) {
+ if (replace.flags & LIST_N) {
+ digits = 0;
+- // A little work to get nice rule numbers.
++ /* A little work to get nice rule numbers. */
+ j = i + 1;
+ while (j > 9) {
+ digits++;
+@@ -776,7 +811,8 @@
+ struct ebt_u_match_list *m_l;
+ struct ebt_u_watcher_list *w_l;
+
+- printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n"
++ PRINT_VERSION;
++ printf(
+ "Usage:\n"
+ "ebtables -[ADI] chain rule-specification [options]\n"
+ "ebtables -P chain target\n"
+@@ -799,7 +835,7 @@
+ "--atomic-commit : update the kernel w/t table contained in <FILE>\n"
+ "--atomic-init : put the initial kernel table into <FILE>\n"
+ "--atomic-save : put the current kernel table into <FILE>\n"
+-"--atomic file : set <FILE> to file\n\n"
++"--atomic-file file : set <FILE> to file\n\n"
+ "Options:\n"
+ "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
+ "--src -s [!] address[/mask]: source mac address\n"
+@@ -1140,7 +1176,7 @@
+ return -1;
+ }
+
+-// execute command A or I
++/* execute command A or I */
+ static void add_rule(int rule_nr)
+ {
+ int i, j;
+@@ -1301,7 +1337,7 @@
+ while(j--) {
+ u_e2 = *u_e;
+ *u_e = (*u_e)->next;
+- // free everything
++ /* free everything */
+ free_u_entry(u_e2);
+ free(u_e2);
+ }
+@@ -1473,14 +1509,20 @@
+ e = entries->entries;
+ j = 0;
+ while (e) {
++ int chain_jmp;
++
+ j++;
+ if (strcmp(e->t->u.name, EBT_STANDARD_TARGET)) {
+ e = e->next;
+ continue;
+ }
+- if (((struct ebt_standard_target *)e->t)->verdict == chain_nr)
++ chain_jmp = ((struct ebt_standard_target *)e->t)->verdict;
++ if (chain_jmp == chain_nr)
+ print_error("Can't delete the chain, it's referenced "
+ "in chain %s, rule %d", entries->name, j);
++ /* adjust the chain jumps when necessary */
++ if (chain_jmp > chain_nr)
++ ((struct ebt_standard_target *)e->t)->verdict--;
+ e = e->next;
+ }
+ }
+@@ -1698,7 +1740,9 @@
+ if (replace.selected_hook < NF_BR_NUMHOOKS)
+ print_error("You can't remove a standard chain");
+ /*
+- * if the chain is referenced, don't delete it
++ * if the chain is referenced, don't delete it,
++ * also decrement jumps to a chain behind the
++ * one we're deleting
+ */
+ check_for_references(replace.selected_hook - NF_BR_NUMHOOKS);
+ flush_chains();
+@@ -1791,7 +1835,7 @@
+ replace.command = 'V';
+ if (replace.flags & OPT_COMMAND)
+ print_error("Multiple commands not allowed");
+- printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n");
++ PRINT_VERSION;
+ exit(0);
+
+ case 'M': /* modprobe */
+@@ -1811,6 +1855,10 @@
+ struct ebt_u_match *m;
+ struct ebt_u_watcher *w;
+
++ if (!strcasecmp("list_extensions",
++ argv[optind]))
++ list_extensions();
++
+ if ((m = find_match(argv[optind])))
+ add_match(m);
+ else if ((w = find_watcher(argv[optind])))
+@@ -2034,7 +2082,7 @@
+ " or equal to 0x0600");
+ break;
+
+- case 4 : // Lc
++ case 4 : /* Lc */
+ check_option(&replace.flags, LIST_C);
+ if (replace.command != 'L')
+ print_error("Use --Lc with -L");
+@@ -2042,7 +2090,7 @@
+ print_error("--Lx not compatible with --Lc");
+ replace.flags |= LIST_C;
+ break;
+- case 5 : // Ln
++ case 5 : /* Ln */
+ check_option(&replace.flags, LIST_N);
+ if (replace.command != 'L')
+ print_error("Use --Ln with -L");
+@@ -2050,7 +2098,7 @@
+ print_error("--Lx not compatible with --Ln");
+ replace.flags |= LIST_N;
+ break;
+- case 6 : // Lx
++ case 6 : /* Lx */
+ check_option(&replace.flags, LIST_X);
+ if (replace.command != 'L')
+ print_error("Use --Lx with -L");
+@@ -2060,7 +2108,7 @@
+ print_error("--Lx not compatible with --Ln");
+ replace.flags |= LIST_X;
+ break;
+- case 8 : // atomic-commit
++ case 8 : /* atomic-commit */
+ replace.command = c;
+ if (replace.flags & OPT_COMMAND)
+ print_error("Multiple commands not allowed");
+--- ebtables-v2.0.2/communication.c Sat Aug 24 23:01:36 2002
++++ ebtables-v2.0.3/communication.c Tue Apr 1 20:08:23 2003
+@@ -5,11 +5,13 @@
+ *
+ */
+
+-// All the userspace/kernel communication is in this file.
+-// The other code should not have to know anything about the way the
+-// kernel likes the structure of the table data.
+-// The other code works with linked lists, lots of linked lists.
+-// So, the translation is done here.
++/*
++ * All the userspace/kernel communication is in this file.
++ * The other code should not have to know anything about the way the
++ * kernel likes the structure of the table data.
++ * The other code works with linked lists, lots of linked lists.
++ * So, the translation is done here.
++ */
+
+ #include <getopt.h>
+ #include <string.h>
+@@ -54,7 +56,7 @@
+ new->nentries = u_repl->nentries;
+ new->num_counters = u_repl->num_counters;
+ new->counters = u_repl->counters;
+- // determine nr of udc
++ /* determine nr of udc */
+ i = 0;
+ cl = u_repl->udc;
+ while (cl) {
+@@ -63,7 +65,7 @@
+ }
+ i += NF_BR_NUMHOOKS;
+ chain_offsets = (unsigned int *)malloc(i * sizeof(unsigned int));
+- // determine size
++ /* determine size */
+ i = 0;
+ cl = u_repl->udc;
+ while (1) {
+@@ -101,7 +103,7 @@
+ sizeof(struct ebt_entry_target);
+ e = e->next;
+ }
+- // a little sanity check
++ /* a little sanity check */
+ if (j != entries->nentries)
+ print_bug("Wrong nentries: %d != %d, hook = %s", j,
+ entries->nentries, entries->name);
+@@ -115,7 +117,7 @@
+ if (!new->entries)
+ print_memory();
+
+- // put everything in one block
++ /* put everything in one block */
+ p = new->entries;
+ i = 0;
+ cl = u_repl->udc;
+@@ -139,7 +141,7 @@
+ hlp->policy = entries->policy;
+ strcpy(hlp->name, entries->name);
+ hlp->counter_offset = entries->counter_offset;
+- hlp->distinguisher = 0; // make the kernel see the light
++ hlp->distinguisher = 0; /* make the kernel see the light */
+ p += sizeof(struct ebt_entries);
+ e = entries->entries;
+ while (e) {
+@@ -184,7 +186,7 @@
+ if (!strcmp(e->t->u.name, EBT_STANDARD_TARGET)) {
+ struct ebt_standard_target *st =
+ (struct ebt_standard_target *)p;
+- // translate the jump to a udc
++ /* translate the jump to a udc */
+ if (st->verdict >= 0)
+ st->verdict = chain_offsets
+ [st->verdict + NF_BR_NUMHOOKS];
+@@ -199,7 +201,7 @@
+ i++;
+ }
+
+- // sanity check
++ /* sanity check */
+ if (p - new->entries != new->entries_size)
+ print_bug("Entries_size bug");
+ free(chain_offsets);
+@@ -212,7 +214,7 @@
+ int size;
+ FILE *file;
+
+- // start from an empty file with right priviliges
++ /* start from an empty file with right priviliges */
+ command = (char *)malloc(strlen(filename) + 15);
+ if (!command)
+ print_memory();
+@@ -234,7 +236,7 @@
+ memcpy(data, repl, sizeof(struct ebt_replace));
+ memcpy(data + sizeof(struct ebt_replace), repl->entries,
+ repl->entries_size);
+- // initialize counters to zero, deliver_counters() can update them
++ /* initialize counters to zero, deliver_counters() can update them */
+ memset(data + sizeof(struct ebt_replace) + repl->entries_size,
+ 0, repl->nentries * sizeof(struct ebt_counter));
+ if (!(file = fopen(filename, "wb")))
+@@ -252,13 +254,13 @@
+ socklen_t optlen;
+ struct ebt_replace *repl;
+
+- // translate the struct ebt_u_replace to a struct ebt_replace
++ /* translate the struct ebt_u_replace to a struct ebt_replace */
+ repl = translate_user2kernel(u_repl);
+ if (u_repl->filename != NULL) {
+ store_table_in_file(u_repl->filename, repl);
+ return;
+ }
+- // give the data to the kernel
++ /* give the data to the kernel */
+ optlen = sizeof(struct ebt_replace) + repl->entries_size;
+ get_sockfd();
+ if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen))
+@@ -276,7 +278,10 @@
+
+ if (!(file = fopen(filename, "r+b")))
+ print_error("Could not open file %s", filename);
+- // find out entries_size and then set the file pointer to the counters
++ /*
++ * find out entries_size and then set the file pointer to the
++ * counters
++ */
+ if (fseek(file, (char *)(&hlp.entries_size) - (char *)(&hlp), SEEK_SET)
+ || fread(&entries_size, sizeof(char), sizeof(unsigned int), file) !=
+ sizeof(unsigned int) ||
+@@ -291,9 +296,8 @@
+ fclose(file);
+ }
+
+-// gets executed after deliver_table
+-void
+-deliver_counters(struct ebt_u_replace *u_repl)
++/* gets executed after deliver_table */
++void deliver_counters(struct ebt_u_replace *u_repl)
+ {
+ unsigned short *point;
+ struct ebt_counter *old, *new, *newcounters;
+@@ -314,21 +318,23 @@
+ point = counterchanges;
+ while (*point != CNT_END) {
+ if (*point == CNT_NORM) {
+- // 'normal' rule, meaning we didn't do anything to it
+- // So, we just copy
++ /*
++ *'normal' rule, meaning we didn't do anything to it
++ * So, we just copy
++ */
+ new->pcnt = old->pcnt;
+- // we've used an old counter
++ /* we've used an old counter */
+ old++;
+- // we've set a new counter
++ /* we've set a new counter */
+ new++;
+ } else if (*point == CNT_DEL) {
+- // don't use this old counter
++ /* don't use this old counter */
+ old++;
+ } else if (*point == CNT_ADD) {
+- // new counter, let it stay 0
++ /* new counter, let it stay 0 */
+ new++;
+ } else {
+- // zero it (let it stay 0)
++ /* zero it (let it stay 0) */
+ old++;
+ new++;
+ }
+@@ -344,7 +350,7 @@
+ }
+ optlen = u_repl->nentries * sizeof(struct ebt_counter) +
+ sizeof(struct ebt_replace);
+- // now put the stuff in the kernel's struct ebt_replace
++ /* now put the stuff in the kernel's struct ebt_replace */
+ repl.counters = u_repl->counters;
+ repl.num_counters = u_repl->num_counters;
+ memcpy(repl.name, u_repl->name, sizeof(repl.name));
+@@ -406,7 +412,7 @@
+ int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl,
+ unsigned int valid_hooks, char *base)
+ {
+- // an entry
++ /* an entry */
+ if (e->bitmask & EBT_ENTRY_OR_ENTRIES) {
+ struct ebt_u_entry *new;
+ struct ebt_u_match_list **m_l;
+@@ -417,7 +423,10 @@
+ if (!new)
+ print_memory();
+ new->bitmask = e->bitmask;
+- // plain userspace code doesn't know about EBT_ENTRY_OR_ENTRIES
++ /*
++ * plain userspace code doesn't know about
++ * EBT_ENTRY_OR_ENTRIES
++ */
+ new->bitmask &= ~EBT_ENTRY_OR_ENTRIES;
+ new->invflags = e->invflags;
+ new->ethproto = e->ethproto;
+@@ -447,7 +456,7 @@
+ "userspace tool", t->u.name);
+ memcpy(new->t, t, t->target_size +
+ sizeof(struct ebt_entry_target));
+- // deal with jumps to udc
++ /* deal with jumps to udc */
+ if (!strcmp(t->u.name, EBT_STANDARD_TARGET)) {
+ char *tmp = base;
+ int verdict = ((struct ebt_standard_target *)t)->verdict;
+@@ -468,13 +477,13 @@
+ }
+ }
+
+- // I love pointers
++ /* I love pointers */
+ **u_e = new;
+ *u_e = &new->next;
+ (*cnt)++;
+ (*totalcnt)++;
+ return 0;
+- } else { // a new chain
++ } else { /* a new chain */
+ int i;
+ struct ebt_entries *entries = (struct ebt_entries *)e;
+ struct ebt_u_chain_list *cl;
+@@ -487,8 +496,8 @@
+ if (valid_hooks & (1 << i))
+ break;
+ *hook = i;
+- // makes use of fact that standard chains come before udc
+- if (i >= NF_BR_NUMHOOKS) { // udc
++ /* makes use of fact that standard chains come before udc */
++ if (i >= NF_BR_NUMHOOKS) { /* udc */
+ i -= NF_BR_NUMHOOKS;
+ cl = u_repl->udc;
+ while (i-- > 0)
+@@ -500,7 +509,7 @@
+ }
+ }
+
+-// initialize all chain headers
++/* initialize all chain headers */
+ static int
+ ebt_translate_chains(struct ebt_entry *e, unsigned int *hook,
+ struct ebt_u_replace *u_repl, unsigned int valid_hooks)
+@@ -514,10 +523,10 @@
+ for (i = *hook + 1; i < NF_BR_NUMHOOKS; i++)
+ if (valid_hooks & (1 << i))
+ break;
+- // makes use of fact that standard chains come before udc
+- if (i >= NF_BR_NUMHOOKS) { // udc
++ /* makes use of fact that standard chains come before udc */
++ if (i >= NF_BR_NUMHOOKS) { /* udc */
+ chain_list = &u_repl->udc;
+- // add in the back
++ /* add in the back */
+ while (*chain_list)
+ chain_list = &((*chain_list)->next);
+ *chain_list = (struct ebt_u_chain_list *)
+@@ -530,8 +539,10 @@
+ if (!((*chain_list)->udc))
+ print_memory();
+ new = (*chain_list)->udc;
+- // ebt_translate_entry depends on this for knowing
+- // to which chain is being jumped
++ /*
++ * ebt_translate_entry depends on this for knowing
++ * to which chain is being jumped
++ */
+ (*chain_list)->kernel_start = (char *)e;
+ } else {
+ *hook = i;
+@@ -559,7 +570,9 @@
+
+ if (!(file = fopen(filename, "r+b")))
+ print_error("Could not open file %s", filename);
+- // make sure table name is right if command isn't -L or --atomic-commit
++ /*
++ * make sure table name is right if command isn't -L or --atomic-commit
++ */
+ if (command != 'L' && command != 8) {
+ hlp = (char *)malloc(strlen(repl->name) + 1);
+ if (!hlp)
+@@ -596,7 +609,7 @@
+ print_memory();
+ } else
+ repl->counters = NULL;
+- // copy entries and counters
++ /* copy entries and counters */
+ if (fseek(file, sizeof(struct ebt_replace), SEEK_SET) ||
+ fread(repl->entries, sizeof(char), repl->entries_size, file)
+ != repl->entries_size ||
+@@ -617,7 +630,7 @@
+
+ optlen = sizeof(struct ebt_replace);
+ get_sockfd();
+- // --atomic-init || --init-table
++ /* --atomic-init || --init-table */
+ if (command == 7 || command == 11)
+ optname = EBT_SO_GET_INIT_INFO;
+ else
+@@ -635,7 +648,7 @@
+ else
+ repl->counters = NULL;
+
+- // we want to receive the counters
++ /* we want to receive the counters */
+ repl->num_counters = repl->nentries;
+ optlen += repl->entries_size + repl->num_counters *
+ sizeof(struct ebt_counter);
+@@ -658,12 +671,14 @@
+ strcpy(repl.name, u_repl->name);
+ if (u_repl->filename != NULL) {
+ retrieve_from_file(u_repl->filename, &repl, u_repl->command);
+- // -L with a wrong table name should be dealt with silently
++ /*
++ * -L with a wrong table name should be dealt with silently
++ */
+ strcpy(u_repl->name, repl.name);
+ } else if (retrieve_from_kernel(&repl, u_repl->command) == -1)
+ return -1;
+
+- // translate the struct ebt_replace to a struct ebt_u_replace
++ /* translate the struct ebt_replace to a struct ebt_u_replace */
+ u_repl->valid_hooks = repl.valid_hooks;
+ u_repl->nentries = repl.nentries;
+ u_repl->num_counters = repl.num_counters;
+@@ -672,10 +687,13 @@
+ hook = -1;
+ EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_chains,
+ &hook, u_repl, u_repl->valid_hooks);
+- i = 0; // holds the expected nr. of entries for the chain
+- j = 0; // holds the up to now counted entries for the chain
+- k = 0; // holds the total nr. of entries,
+- // should equal u_repl->nentries afterwards
++ i = 0; /* holds the expected nr. of entries for the chain */
++ j = 0; /* holds the up to now counted entries for the chain */
++ /*
++ * holds the total nr. of entries,
++ * should equal u_repl->nentries afterwards
++ */
++ k = 0;
+ hook = -1;
+ EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry,
+ &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks, repl.entries);
+--- ebtables-v2.0.2/extensions/ebt_ip.c Thu Oct 17 23:21:16 2002
++++ ebtables-v2.0.3/extensions/ebt_ip.c Tue Apr 1 09:39:24 2003
+@@ -2,7 +2,7 @@
+ * ebtables ebt_ip: IP extension module for userspace
+ *
+ * Authors:
+- * Bart De Schuymer <bart.de.schuymer@pandora.be>
++ * Bart De Schuymer <bdschuym@pandora.be>
+ *
+ * Changes:
+ * added ip-sport and ip-dport; parsing of port arguments is
+@@ -36,7 +36,7 @@
+
+ #define IP_SOURCE '1'
+ #define IP_DEST '2'
+-#define IP_myTOS '3' // include/bits/in.h seems to already define IP_TOS
++#define IP_myTOS '3' /* include/bits/in.h seems to already define IP_TOS */
+ #define IP_PROTO '4'
+ #define IP_SPORT '5'
+ #define IP_DPORT '6'
+@@ -57,7 +57,7 @@
+ { 0 }
+ };
+
+-// put the ip string into 4 bytes
++/* put the ip string into 4 bytes */
+ static int undot_ip(char *ip, unsigned char *ip2)
+ {
+ char *p, *q, *end;
+@@ -87,7 +87,7 @@
+ return 0;
+ }
+
+-// put the mask into 4 bytes
++/* put the mask into 4 bytes */
+ static int ip_mask(char *mask, unsigned char *mask2)
+ {
+ char *end;
+@@ -95,7 +95,7 @@
+ uint32_t mask22;
+
+ if (undot_ip(mask, mask2)) {
+- // not the /a.b.c.e format, maybe the /x format
++ /* not the /a.b.c.e format, maybe the /x format */
+ bits = strtol(mask, &end, 10);
+ if (*end != '\0' || bits > 32 || bits < 0)
+ return -1;
+@@ -110,12 +110,12 @@
+ return 0;
+ }
+
+-// set the ip mask and ip address
++/* set the ip mask and ip address */
+ void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
+ {
+ char *p;
+
+- // first the mask
++ /* first the mask */
+ if ((p = strrchr(address, '/')) != NULL) {
+ *p = '\0';
+ if (ip_mask(p + 1, (unsigned char *)msk))
+@@ -129,7 +129,7 @@
+ *addr = *addr & *msk;
+ }
+
+-// transform the ip mask into a string ready for output
++/* transform the ip mask into a string ready for output */
+ char *mask_to_dotted(uint32_t mask)
+ {
+ int i;
+@@ -138,14 +138,14 @@
+
+ maskaddr = ntohl(mask);
+
+- // don't print /32
++ /* don't print /32 */
+ if (mask == 0xFFFFFFFFL) {
+ *buf = '\0';
+ return buf;
+ }
+
+ i = 32;
+- bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with
++ bits = 0xFFFFFFFEL; /* case 0xFFFFFFFF has just been dealt with */
+ while (--i >= 0 && maskaddr != bits)
+ bits <<= 1;
+
+@@ -154,7 +154,7 @@
+ else if (!i)
+ *buf = '\0';
+ else
+- // mask was not a decent combination of 1's and 0's
++ /* mask was not a decent combination of 1's and 0's */
+ sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0],
+ ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2],
+ ((unsigned char *)&mask)[3]);
+@@ -162,7 +162,7 @@
+ return buf;
+ }
+
+-// transform a protocol and service name into a port number
++/* transform a protocol and service name into a port number */
+ static uint16_t parse_port(const char *protocol, const char *name)
+ {
+ struct servent *service;
+@@ -313,10 +313,19 @@
+ ipinfo->invflags |= EBT_IP_PROTO;
+ if (optind > argc)
+ print_error("Missing IP protocol argument");
+- i = strtol(argv[optind - 1], &end, 10);
+- if (i < 0 || i > 255 || *end != '\0')
+- print_error("Problem with specified IP protocol");
+- ipinfo->protocol = i;
++ (unsigned char) i = strtoul(argv[optind - 1], &end, 10);
++ if (*end != '\0') {
++ struct protoent *pe;
++
++ pe = getprotobyname(argv[optind - 1]);
++ if (pe == NULL)
++ print_error
++ ("Unknown specified IP protocol - %s",
++ argv[optind - 1]);
++ ipinfo->protocol = pe->p_proto;
++ } else {
++ ipinfo->protocol = (unsigned char) i;
++ }
+ ipinfo->bitmask |= EBT_IP_PROTO;
+ break;
+ default:
+@@ -335,13 +344,13 @@
+ print_error("For IP filtering the protocol must be "
+ "specified as IPv4");
+
+- if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) &&
+- (!ipinfo->bitmask & EBT_IP_PROTO ||
+- ipinfo->invflags & EBT_IP_PROTO ||
+- (ipinfo->protocol!=IPPROTO_TCP &&
+- ipinfo->protocol!=IPPROTO_UDP)))
+- print_error("For port filtering the IP protocol must be "
+- "either 6 (tcp) or 17 (udp)");
++ if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) &&
++ (!(ipinfo->bitmask & EBT_IP_PROTO) ||
++ ipinfo->invflags & EBT_IP_PROTO ||
++ (ipinfo->protocol!=IPPROTO_TCP &&
++ ipinfo->protocol!=IPPROTO_UDP)))
++ print_error("For port filtering the IP protocol must be "
++ "either 6 (tcp) or 17 (udp)");
+ }
+
+ static void print(const struct ebt_u_entry *entry,
+@@ -375,10 +384,17 @@
+ printf("0x%02X ", ipinfo->tos);
+ }
+ if (ipinfo->bitmask & EBT_IP_PROTO) {
++ struct protoent *pe;
++
+ printf("--ip-proto ");
+ if (ipinfo->invflags & EBT_IP_PROTO)
+ printf("! ");
+- printf("%d ", ipinfo->protocol);
++ pe = getprotobynumber(ipinfo->protocol);
++ if (pe == NULL) {
++ printf("%d ", ipinfo->protocol);
++ } else {
++ printf("%s ", pe->p_name);
++ }
+ }
+ if (ipinfo->bitmask & EBT_IP_SPORT) {
+ printf("--ip-sport ");
+@@ -427,11 +443,13 @@
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP_SPORT) {
+- if (ipinfo1->sport != ipinfo2->sport)
++ if (ipinfo1->sport[0] != ipinfo2->sport[0] ||
++ ipinfo1->sport[1] != ipinfo2->sport[1])
+ return 0;
+ }
+ if (ipinfo1->bitmask & EBT_IP_DPORT) {
+- if (ipinfo1->dport != ipinfo2->dport)
++ if (ipinfo1->dport[0] != ipinfo2->dport[0] ||
++ ipinfo1->dport[1] != ipinfo2->dport[1])
+ return 0;
+ }
+ return 1;
+--- ebtables-v2.0.2/extensions/ebt_arp.c Fri Nov 22 20:43:47 2002
++++ ebtables-v2.0.3/extensions/ebt_arp.c Fri Jan 10 00:20:17 2003
+@@ -23,7 +23,7 @@
+ };
+
+ #define NUMOPCODES 9
+-// a few names
++/* a few names */
+ static char *opcodes[] =
+ {
+ "Request",
+@@ -64,7 +64,7 @@
+ arpinfo->bitmask = 0;
+ }
+
+-// defined in ebt_ip.c
++/* defined in ebt_ip.c */
+ void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk);
+
+ #define OPT_OPCODE 0x01
+@@ -188,7 +188,7 @@
+ "specified as ARP or RARP");
+ }
+
+-// defined in the ebt_ip.c
++/* defined in the ebt_ip.c */
+ char *mask_to_dotted(uint32_t mask);
+
+ static void print(const struct ebt_u_entry *entry,
+--- ebtables-v2.0.2/extensions/ebt_log.c Sat Aug 24 15:26:34 2002
++++ ebtables-v2.0.3/extensions/ebt_log.c Fri Jan 10 00:21:41 2003
+@@ -5,16 +5,18 @@
+ #include "../include/ebtables_u.h"
+ #include <linux/netfilter_bridge/ebt_log.h>
+
+-// copied from syslog.h
+-// used for the LOG target
+-#define LOG_EMERG 0 // system is unusable
+-#define LOG_ALERT 1 // action must be taken immediately
+-#define LOG_CRIT 2 // critical conditions
+-#define LOG_ERR 3 // error conditions
+-#define LOG_WARNING 4 // warning conditions
+-#define LOG_NOTICE 5 // normal but significant condition
+-#define LOG_INFO 6 // informational
+-#define LOG_DEBUG 7 // debug-level messages
++/*
++ * copied from syslog.h
++ * used for the LOG target
++ */
++#define LOG_EMERG 0 /* system is unusable */
++#define LOG_ALERT 1 /* action must be taken immediately */
++#define LOG_CRIT 2 /* critical conditions */
++#define LOG_ERR 3 /* error conditions */
++#define LOG_WARNING 4 /* warning conditions */
++#define LOG_NOTICE 5 /* normal but significant condition */
++#define LOG_INFO 6 /* informational */
++#define LOG_DEBUG 7 /* debug-level messages */
+
+ #define LOG_DEFAULT_LEVEL LOG_INFO
+
+@@ -41,7 +43,7 @@
+ for (i = 0; i < 8; i++)
+ if (!strcmp(arg, eight_priority[i].c_name))
+ return eight_priority[i].c_val;
+- // return bad loglevel
++ /* return bad loglevel */
+ return 9;
+ }
+
+--- ebtables-v2.0.2/extensions/ebt_mark_m.c Sat Aug 24 15:26:34 2002
++++ ebtables-v2.0.3/extensions/ebt_mark_m.c Fri Jan 10 00:22:15 2003
+@@ -9,7 +9,7 @@
+
+ static struct option opts[] =
+ {
+- { "mark" , required_argument, 0, MARK },
++ { "mark", required_argument, 0, MARK },
+ { 0 }
+ };
+
+--- ebtables-v2.0.2/THANKS Sat Jun 1 21:24:51 2002
++++ ebtables-v2.0.3/THANKS Tue Apr 1 20:15:15 2003
+@@ -1,4 +1,4 @@
+-Thanks go out to:
++Special thanks go out to these early contributors:
+
+ Lennert Buytenhek
+ Rusty Russel
+--- ebtables-v2.0.2/ChangeLog Tue Dec 3 23:00:45 2002
++++ ebtables-v2.0.3/ChangeLog Tue Apr 1 20:07:24 2003
+@@ -1,3 +1,10 @@
++20030402
++ * fixed check bug in ebt_ip.c (report from
++ joe_judge_at_guardium.com).
++20030111
++ * fixed problem when removing a chain (report from
++ ykphuah_at_greenpacket.com).
++ * Added --help list_extensions which, well, lists the extensions
+ 20021203
+ * changed the way to use the atomic operations. It's now possible
+ to use the EBTABLES_ATOMIC_FILE environment variable, so it's no
+--- ebtables-v2.0.2/ebtables.8 Sat Dec 7 13:42:58 2002
++++ ebtables-v2.0.3/ebtables.8 Tue Apr 1 20:15:04 2003
+@@ -1,8 +1,11 @@
+-.TH EBTABLES 8 "03 December 2002"
++.TH EBTABLES 8 "15 March 2003"
+ .\"
+ .\" Man page written by Bart De Schuymer <bdschuym@pandora.be>
+ .\" It is based on the iptables man page.
+ .\"
++.\" The man page was edited by
++.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net >
++.\"
+ .\" Iptables page by Herve Eychenne March 2000.
+ .\"
+ .\" This program is free software; you can redistribute it and/or modify
+@@ -23,46 +26,61 @@
+ .SH NAME
+ ebtables (v.2.0) \- Ethernet bridge frame table administration
+ .SH SYNOPSIS
+-.BR "ebtables -[ADI] " "chain rule-specification " [ options ]
++.BR "ebtables [-t table] -[ADI] " "chain rule-specification [match-extensions] [watcher-extensions] TARGET"
++.br
++.BR "ebtables [-t table] -P " "chain " "ACCEPT | DROP | RETURN"
+ .br
+-.BR "ebtables -P " "chain target"
++.BR "ebtables [-t table] -F [" "chain" "]"
+ .br
+-.BR "ebtables -[FLZ] [" "chain" "]"
++.BR "ebtables [-t table] -Z [" "chain" "]"
+ .br
+-.BR "ebtables -[NX] " chain
++.BR "ebtables [-t table] -L [-Z] [" chain "] [ [" --Ln "] [" --Lc "] ] " | " [" --Lx "]"
+ .br
+-.BR "ebtables -E " "old-chain-name new-chain-name"
++.BR "ebtables [-t table] -[NX] " chain
+ .br
+-.BR "ebtables --init-table"
++.BR "ebtables [-t table] -E " "old-chain-name new-chain-name"
+ .br
+-.BR "ebtables --atomic-init "
++.BR "ebtables [-t table] --init-table"
+ .br
+-.BR "ebtables --atomic-save "
++.BR "ebtables [-t table] [--atomic-file file] --atomic-commit
+ .br
+-.BR "ebtables --atomic-commit "
++.BR "ebtables [-t table] [--atomic-file file] --atomic-init"
++.br
++.BR "ebtables [-t table] [--atomic-file file] --atomic-save"
+ .br
+ .SH DESCRIPTION
+ .B ebtables
+-is used to set up, maintain, and inspect the tables of Ethernet frame
+-rules in the Linux kernel. It works analogous as iptables, but is less
+-complicated. This man page is written with the man page of iptables
+-next to it, so don't be surprised to see copied sentences and structure.
++is a user space tool, it is used to set up and maintain the
++tables of Ethernet frame rules in the Linux kernel. These rules inspect
++the Ethernet frames which they see.
++.B ebtables
++is analogous to the
++.B iptables
++user space tool, but
++.B ebtables
++is less complicated.
+
+-There are three tables with built-in chains. Each chain is a list
+-of rules which can match frames: each rule specifies what to do with a
+-frame which matches. This is called a 'target'. The tables are used to
+-divide functionality into different sets of chains.
++.SS CHAINS
++There are three Ethernet frame tables with built-in chains in the
++Linux kernel. The kernel tables are used to divide functionality into
++different sets of rules. Each set of rules is called a chain.
++Each chain is an ordered list of rules that can match Ethernet frames. If a
++rule matches an Ethernet frame, then a processing specification tells
++what to do with that matching frame. The processing specification is
++called a 'target'. However, if the frame does not match the current
++rule in the chain, then the next rule in the chain is examined and so forth.
++The user can create new (user-defined) chains which can be used as the 'target' of a rule.
+
+ .SS TARGETS
+-A firewall rule specifies criteria for a frame, and a target. If the
+-frame does not match, the next rule in the chain is the examined one; if
+-it does match, then the next thing to do is specified by the target.
+-This target can be one of these values:
++A firewall rule specifies criteria for an Ethernet frame and a frame
++processing specification called a target. When a frame matches a rule,
++then the next action performed by the kernel is specified by the target.
++The target can be one of these values:
+ .IR ACCEPT ,
+ .IR DROP ,
+ .IR CONTINUE ,
+ .IR RETURN ,
+-an extention.
++an 'extension' (see below) or a user-defined chain.
+ .PP
+ .I ACCEPT
+ means to let the frame through.
+@@ -74,26 +92,36 @@
+ .I RETURN
+ means stop traversing this chain and resume at the next rule in the
+ previous (calling) chain.
+-For the
+-other targets see the
++For the extension targets please see the
+ .B "TARGET EXTENSIONS"
+-section.
++section of this man page.
+ .SS TABLES
+-There are three tables.
++As stated earlier, there are three Ethernet frame tables in the Linux
++kernel. The tables are
++.BR filter ", " nat " and " broute .
++Of these three tables,
++the filter table is the default table that the
++.B ebtables
++command operates on.
++If you are working with the filter table, then you can drop the '-t filter'
++argument to the ebtables command. However, you will need to provide
++the -t argument for the other two tables. The -t argument must be the
++first argument on the ebtables command line, if used.
+ .TP
+ .B "-t, --table"
+-This option specifies the frame matching table which the command should
+-operate on. If specified it should be the first option. The tables are:
++.br
+ .BR filter ,
+-this is the default table and contains three chains:
++is the default table and contains three built-in chains:
+ .B INPUT
+ (for frames destined for the bridge itself),
+ .B OUTPUT
+ (for locally-generated frames) and
+ .B FORWARD
+ (for frames being bridged).
++.br
++.br
+ .BR nat ,
+-this table is used to change the mac addresses and contains three chains:
++is used to change the mac addresses and contains three built-in chains:
+ .B PREROUTING
+ (for altering frames as soon as they come in),
+ .B OUTPUT
+@@ -104,30 +132,38 @@
+ PREFORWARDING and POSTFORWARDING, but for all those who come from the
+ .BR iptables " world to " ebtables
+ it is easier to have the same names.
++.br
++.br
+ .BR broute ,
+-this table is used to make a brouter, it has one chain:
++is used to make a brouter, it has one built-in chain:
+ .BR BROUTING .
+ The targets
+ .BR DROP " and " ACCEPT
+-have special meaning in this table.
++have special meaning in the broute table.
+ .B DROP
+ actually means the frame has to be routed, while
+ .B ACCEPT
+ means the frame has to be bridged. The
+ .B BROUTING
+ chain is traversed very early. It is only traversed by frames entering on
+-a bridge enslaved nic that is in forwarding state. Normally those frames
++a bridge enslaved NIC that is in forwarding state. Normally those frames
+ would be bridged, but you can decide otherwise here. The
+ .B redirect
+ target is very handy here.
+-.SH OPTIONS
+-The options can be divided into several different groups.
++.SH EBTABLES COMMAND LINE ARGUMENTS
++After the initial ebtables -t, table command line argument, the remaining
++arguments can be divided into several different groups. These groups
++are commands, miscellaneous commands, rule-specifications, match-extensions,
++and watcher-extensions.
+ .SS COMMANDS
+-These options specify the specific actions to perform; only one of them
+-can be specified on the command line (the
+-.B -Z
+-command is an exception). All these options only apply to the selected
+-(or default) table.
++The ebtables command arguments specify the actions to perform on the table
++defined with the -t argument. If you do not use the -t argument to name
++a table, the commands apply to the default filter table.
++With the exception of both the
++.B "-Z"
++and
++.B "--atomic-file"
++commands, only one command may be used on the command line at a time.
+ .TP
+ .B "-A, --append"
+ Append a rule to the end of the selected chain.
+@@ -139,71 +175,119 @@
+ the complete rule as it would have been specified when it was added.
+ .TP
+ .B "-I, --insert"
+-Insert the specified rule into the selected chain at the specified rule number (1 meaning
+-the head of the chain).
++Insert the specified rule into the selected chain at the specified rule number.
++The number one, 1, means the head of the chain.
++.TP
++.B "-P, --policy"
++Set the policy for the chain to the given target. The policy can be
++.BR ACCEPT ", " DROP " or " RETURN .
++.TP
++.B "-F, --flush"
++Flush the selected chain. If no chain is selected, then every chain will be
++flushed. Flushing the chain does not change the policy of the
++chain, however.
++.TP
++.B "-Z, --zero"
++Set the counters of the selected chain to zero. If no chain is selected, all the counters
++are set to zero. The
++.B "-Z"
++command can be used in conjunction with the
++.B "-L"
++command.
++When both the
++.B "-Z"
++and
++.B "-L"
++commands are used together in this way, the rule counters are printed on the screen
++before they are set to zero.
+ .TP
+ .B "-L, --list"
+ List all rules in the selected chain. If no chain is selected, all chains
+ are listed.
+ .br
+-The following three options change the output:
++The following three options change the output of the
++.B "-L"
++list command:
+ .br
+ .B "--Ln"
+ .br
+-Puts rule numbers in front of every rule.
++Places the rule number in front of every rule.
+ .br
+ .B "--Lc"
+ .br
+-Shows the counters at the end of every rule, there is a frame counter
+-(pcnt) and a byte counter (bcnt).
++Shows the counters at the end of each rule displayed by the
++.B "-L"
++command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
+ .br
+ .B "--Lx"
+ .br
+-The output is directly usable as executable commands in a script, to be
+-run f.e. at bootup. This option is incompatible with the previous two
+-options. When no chain name was specified for the
++The output of the
++.B "--Lx"
++option may be used to create a set of
++.B ebtables
++commands. You may use this set of commands in an
++.B ebtables
++boot or reload
++script. For example the output could be used at system startup.
++The
++.B "--Lx"
++option is incompatible with both of the other
++.B "--Ln"
++and
++.B "--Lc"
++chain listing options,
++.B "-L."
++All necessary
++.B ebtables
++commands for making the current list of
++user-defined chains in the kernel and any commands issued by the user to
++rename the standard
++.B ebtables
++chains will be listed, when no chain name is
++supplied for the
+ .B "-L"
+-command, all necessary commands for making the user defined chains and
+-renaming the standard chains will be made.
+-.TP
+-.B "-F, --flush"
+-Flush the selected chain. If no chain is selected, every chain will be
+-flushed. This does not change the policy of the chain.
+-.TP
+-.B "--init-table"
+-Replace the current table data by the initial table data.
+-.TP
+-.B "-Z, --zero"
+-Put the counters of the selected chain on zero. If no chain is selected, all the counters
+-are put on zero. This can be used in conjunction with the -L command (see above).
+-This will cause the rule counters to be printed on the screen before they are put on zero.
+-.TP
+-.B "-P, --policy"
+-Set the policy for the chain to the given target. The policy can be
+-.BR ACCEPT ", " DROP " or " RETURN .
++command while using the
++.B "-Lx"
++option.
+ .TP
+ .B "-N, --new-chain"
+-Create a new user-defined chain by the given name. The number of
+-user-defined chains is unlimited. A chain name has max length of 31.
++Create a new user-defined chain with the given name. The number of
++user-defined chains is unlimited. A user-defined chain name has maximum
++length of 31 characters.
+ .TP
+ .B "-X, --delete-chain"
+-Delete the specified user-defined chain. There must be no references to the
+-chain,
++Delete the specified user-defined chain. There must be no remaining references
++to the to be deleted chain. Otherwise,
+ .B ebtables
+ will complain if there are.
+ .TP
+ .B "-E, --rename-chain"
+-Rename the specified chain to the new name. This has no effect on the
+-structure of the table. It is also allowed to rename a base chain, f.e.
+-if you like PREBRIDGING more than PREROUTING. Be sure to talk about the
+-standard chain names when you would ask a question on a mailing list.
++Rename the specified chain to a new name. Besides renaming a user-defined
++chain, you may rename a standard chain name to a name that suits your
++taste. For example, if you like PREBRIDGING more than PREROUTING,
++then you can use the -E command to rename the PREROUTING chain. If you do
++rename one of the standard
++.B ebtables
++chain names, please be sure to mention
++this fact should you post a question on the
++.B ebtables
++mailing lists.
++It would be wise to use the standard name in your post. Renaming a standard
++.B ebtables
++chain in this fashion has no effect on the structure or function
++of the
++.B ebtables
++kernel table.
++.TP
++.B "--init-table"
++Replace the current table data by the initial table data.
+ .TP
+ .B "--atomic-init"
+ Copy the kernel's initial data of the table to the specified
+ file. This can be used as the first action, after which rules are added
+ to the file. The file can be specified using the
+ .B --atomic-file
+-option or through the
++command or through the
+ .IR EBTABLES_ATOMIC_FILE " environment variable."
+ .TP
+ .B "--atomic-save"
+@@ -211,30 +295,81 @@
+ file. This can be used as the first action, after which rules are added
+ to the file. The file can be specified using the
+ .B --atomic-file
+-option or through the
++command or through the
+ .IR EBTABLES_ATOMIC_FILE " environment variable."
+ .TP
+ .B "--atomic-commit"
+ Replace the kernel table data with the data contained in the specified
+-file. This is a useful command that allows you to put all your rules of a
++file. This is a useful command that allows you to load all your rules of a
+ certain table into the kernel at once, saving the kernel a lot of precious
+ time and allowing atomic updates of the tables. The file which contains
+ the table data is constructed by using either the
+ .B "--atomic-init"
+ or the
+ .B "--atomic-save"
+-command to get a starting file. After that, using the
++command to generate a starting file. After that, using the
+ .B "--atomic-file"
+-option when constructing rules or setting the
++command when constructing rules or setting the
+ .IR EBTABLES_ATOMIC_FILE " environment variable"
+ allows you to extend the file and build the complete table before
+-commiting it to the kernel.
++committing it to the kernel.
++.TP
++.B "--atomic-file -Z"
++The counters stored in a file with, say,
++.B "--atomic-init"
++can be optionally zeroed by supplying the
++.B "-Z"
++command. You may also zero the counters by setting the
++.IR EBTABLES_ATOMIC_FILE " environment variable."
++
++.SS MISCELLANOUS COMMANDS
++.TP
++.B "-V, --version"
++Show the version of the ebtables userspace program.
++.TP
++.B "-h, --help"
++Give a brief description of the command syntax. Here you can also specify
++names of extensions and
++.B ebtables
++will try to write help about those extensions. E.g. ebtables -h snat log ip arp.
++Specify
++.I list_extensions
++to list all extensions supported by the userspace
++utility.
++.TP
++.BR "-j, --jump " "\fItarget\fP"
++The target of the rule. This is one of the following values:
++.BR ACCEPT ,
++.BR DROP ,
++.BR CONTINUE ,
++.BR RETURN ,
++a target extension (see
++.BR "TARGET EXTENSIONS" ")"
++or a user-defined chain name.
++.TP
++.B --atomic-file file
++Let the command operate on the specified file. The data of the table to
++operate on will be extracted from the file and the result of the operation
++will be saved back into the file. If specified, this option should come
++before the command specification. An alternative that should be preferred,
++is setting the
++.IR EBTABLES_ATOMIC_FILE " environment variable."
++.TP
++.B -M, --modprobe program
++When talking to the kernel, use this program to try to automatically load
++missing kernel modules.
++
+ .SS
+-PARAMETERS
+-The following parameters make up a rule specification (as used in the add
+-and delete commands). A "!" argument before the specification inverts the
+-test for that specification. Apart from these standard parameters, there are others, see
+-.BR "MATCH EXTENSIONS" .
++RULE-SPECIFICATIONS
++The following command line arguments make up a rule specification (as used
++in the add and delete commands). A "!" option before the specification
++inverts the test for that specification. Apart from these standard rule
++specifications there are some other command line arguments of interest.
++See both the
++.BR "MATCH-EXTENSIONS"
++and the
++.BR "WATCHER-EXTENSION(S)"
++below.
+ .TP
+ .BR "-p, --protocol " "[!] \fIprotocol\fP"
+ The protocol that was responsible for creating the frame. This can be a
+@@ -305,7 +440,7 @@
+ .TP
+ .BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+ The source mac address. Both mask and address are written as 6 hexadecimal
+-numbers seperated by colons. Alternatively one can specify Unicast,
++numbers separated by colons. Alternatively one can specify Unicast,
+ Multicast or Broadcast.
+ .br
+ Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
+@@ -320,45 +455,36 @@
+ .B --dst
+ is an alias for this option.
+
+-.SS OTHER OPTIONS
++.SS MATCH-EXTENSIONS
++.B ebtables
++extensions are precompiled into the userspace tool. So there is no need
++to explicitly load them with a -m option like in
++.BR iptables .
++However, these
++extensions deal with functionality supported by supplemental kernel modules.
++.SS arp
++Specify arp fields. These will only work if the protocol equals
++.BR ARP " or " RARP .
+ .TP
+-.B "-V, --version"
+-Show the version of the userprogram.
++.BR "--arp-opcode " "[!] \fIopcode\fP"
++The (r)arp opcode (decimal or a string, for more details see
++.BR "ebtables -h arp" ).
+ .TP
+-.B "-h, --help"
+-Give a brief description of the command syntax. Here you can also specify
+-names of extensions and
+-.B ebtables
+-will try to write help about those extensions. E.g. ebtables -h snat log ip arp.
++.BR "--arp-htype " "[!] \fIhardware type\fP"
++The hardware type, this can be a decimal or the string "Ethernet". This
++is normally Ethernet (value 1).
+ .TP
+-.BR "-j, --jump " "\fItarget\fP"
+-The target of the rule. This is one of the following values:
+-.BR ACCEPT ,
+-.BR DROP ,
+-.BR CONTINUE ,
+-.BR RETURN ,
+-a target extension (see
+-.BR "TARGET EXTENSIONS" ")"
+-or a user defined chain name.
++.BR "--arp-ptype " "[!] \fIprotocol type\fP"
++The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4").
++This is normally IPv4 (0x0800).
+ .TP
+-.B --atomic-file file
+-Let the command operate on the specified file. The data of the table to
+-operate on will be extracted from the file and the result of the operation
+-will be saved back into the file. If specified, this option should come
+-before the command specification. An alternative that should be preferred,
+-is setting the
+-.BR EBTABLES_ATOMIC_FILE "environment variable."
++.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
++The ARP IP source address specification.
+ .TP
+-.B -M, --modprobe program
+-When talking to the kernel, use this program to try to automatically load
+-missing kernel modules.
+-.SH MATCH EXTENSIONS
+-.B ebtables
+-extensions are precompiled into the userspace tool. So there is no need
+-to explicitly load them with a -m option like in iptables. However, these
+-extensions deal with functionality supported by supplemental kernel modules.
++.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
++The ARP IP destination address specification.
+ .SS ip
+-Specify ip specific fields. These will only work if the protocol equals
++Specify ip fields. These will only work if the protocol equals
+ .BR IPv4 .
+ .TP
+ .BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]"
+@@ -395,59 +521,38 @@
+ 17 (UDP). The flag
+ .B --ip-dport
+ is an alias for this option.
+-.SS arp
+-Specify arp specific fields. These will only work if the protocol equals
+-.BR ARP " or " RARP .
+-.TP
+-.BR "--arp-opcode " "[!] \fIopcode\fP"
+-The (r)arp opcode (decimal or a string, for more details see
+-.BR "ebtables -h arp" ).
+-.TP
+-.BR "--arp-htype " "[!] \fIhardware type\fP"
+-The hardware type, this can be a decimal or the string "Ethernet". This
+-is normally Ethernet (value 1).
+-.TP
+-.BR "--arp-ptype " "[!] \fIprotocol type\fP"
+-The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4").
+-This is normally IPv4 (0x0800).
+-.TP
+-.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
+-The ARP IP source address specification.
++.SS mark_m
+ .TP
+-.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
+-The ARP IP destination address specification.
++.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
++Matches frames with the given unsigned mark value. If a mark value and
++mask is specified, the logical AND of the mark value of the frame and
++the user-specified mask is taken before comparing it with the user-specified
++mark value. If only a mask is specified (start with '/') the logical AND
++of the mark value of the frame and the user-specified mark is taken and
++the result is compared with zero.
+ .SS vlan
+-Specify 802.1Q Tag Control Information fields. These will only work if the protocol equals
+-.BR 802_1Q.
+-Also see extension help by
+-.BR "ebtables -h vlan" .
++Specify 802.1Q Tag Control Information fields.
++The protocol rule specification (frame type) should be set to
++.BR 802_1Q " (0x8100)."
+ .TP
+ .BR "--vlan-id " "[!] \fIid\fP"
+-The VLAN identifier field, VID (decimal number from 0 to 4094).
++The VLAN identifier field (VID). Decimal number from 0 to 4095.
+ .TP
+ .BR "--vlan-prio " "[!] \fIprio\fP"
+-The user_priority field, this can be a decimal number from 0 to 7.
+-Required VID to be 0 (null VID) or not specified vlan-id parameter (in this case VID deliberately be set to 0).
++The user_priority field. Decimal number from 0 to 7.
++The VID should be set to 0 ("null VID") or unspecified
++(for this case the VID is deliberately set to 0).
+ .TP
+ .BR "--vlan-encap " "[!] \fItype\fP"
+-The encapsulated Ethernet frame type/length, this can be a hexadecimal
+-number from 0x0000 to 0xFFFF.
+-Usually it's 0x0800 (IPv4). See also
+-.B /etc/ethertypes
+-file.
+-.SS mark_m
+-.TP
+-.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
+-Matches frames with the given unsigned mark value. If a mark value and
+-mask is specified, the logical AND of the mark value of the frame and
+-the user specified mask is taken before comparing with the user specified
+-mark value. If only a mask is specified (start with '/') the logical AND
+-of the mark value of the frame and the user specified mark is taken and
+-the result is compared with zero.
++The encapsulated Ethernet frame type/length.
++Specified as hexadecimal
++number from 0x0000 to 0xFFFF or as a symbolic name
++from
++.BR /etc/ethertypes .
+
+-.SH WATCHER EXTENSION(S)
++.SS WATCHER-EXTENSION(S)
+ Watchers are things that only look at frames passing by. These watchers only
+-see the frame if the frame passes all the matches of the rule.
++see the frame if the frame matches the rule.
+ .SS log
+ The fact that the log module is a watcher lets us log stuff while giving a target
+ by choice. Note that the log module therefore is not a target.
+@@ -477,31 +582,7 @@
+ will log the (r)arp information when a frame made by the (r)arp protocols
+ matches the rule. The default is no (r)arp information logging.
+ .SS TARGET EXTENSIONS
+-.TP
+-.B snat
+-The
+-.B snat
+-target can only be used in the
+-.BR POSTROUTING " chain of the " nat " table."
+-It specifies that the source mac address has to be changed.
+-.br
+-.BR "--to-source " "\fIaddress\fP"
+-.br
+-The flag
+-.B --to-src
+-is an alias for this option.
+-.br
+-.BR "--snat-target " "\fItarget\fP"
+-.br
+-Specifies the standard target. After doing the snat, the rule still has
+-to give a standard target so
+-.B ebtables
+-knows what to do.
+-The default target is ACCEPT. Making it CONTINUE could let you use
+-multiple target extensions on the same frame. Making it DROP doesn't
+-make sense, but you could do that too. RETURN is also allowed. Note
+-that using RETURN in a base chain is not allowed.
+-.TP
++.SS
+ .B dnat
+ The
+ .B dnat
+@@ -509,25 +590,45 @@
+ .BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " and " OUTPUT " chains of the " nat " table."
+ It specifies that the destination mac address has to be changed.
+-.br
++.TP
+ .BR "--to-destination " "\fIaddress\fP"
+ .br
+ The flag
+ .B --to-dst
+ is an alias for this option.
+-.br
++.TP
+ .BR "--dnat-target " "\fItarget\fP"
+ .br
+ Specifies the standard target. After doing the dnat, the rule still has to
+ give a standard target so
+ .B ebtables
+ knows what to do.
+-The default target is ACCEPT. Making it CONTINUE could let you use
++The default target is ACCEPT. Making it CONTINUE could let you use
+ multiple target extensions on the same frame. Making it DROP only makes
+ sense in the BROUTING chain but using the redirect target is more logical
+ there. RETURN is also allowed. Note
+ that using RETURN in a base chain is not allowed.
++.SS
++.B mark
++The mark target can be used in every chain of every table. It is possible
++to use the marking of a frame/packet in both ebtables and iptables,
++if the br-nf code is compiled into the kernel. Both put the marking at the
++same place. So, you can consider this fact as a feature, or as something to
++watch out for.
++.TP
++.BR "--set-mark " "\fIvalue\fP"
++.br
++Mark the frame with the specified unsigned value.
+ .TP
++.BR "--mark-target " "\fItarget\fP"
++.br
++Specifies the standard target. After marking the frame, the rule
++still has to give a standard target so
++.B ebtables
++knows what to do.
++The default target is ACCEPT. Making it CONTINUE can let you do other
++things with the frame in other rules of the chain.
++.SS
+ .B redirect
+ The
+ .B redirect
+@@ -535,37 +636,41 @@
+ frame arrived on. This target can only be used in the
+ .BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " chain of the " nat " table."
+-.br
++.TP
+ .BR "--redirect-target " "\fItarget\fP"
+ .br
+ Specifies the standard target. After doing the MAC redirect, the rule
+ still has to give a standard target so
+ .B ebtables
+ knows what to do.
+-The default target is ACCEPT. Making it CONTINUE could let you use
++The default target is ACCEPT. Making it CONTINUE could let you use
+ multiple target extensions on the same frame. Making it DROP in the
+ BROUTING chain will let the frames be routed. RETURN is also allowed. Note
+ that using RETURN in a base chain is not allowed.
++.SS
++.B snat
++The
++.B snat
++target can only be used in the
++.BR POSTROUTING " chain of the " nat " table."
++It specifies that the source mac address has to be changed.
+ .TP
+-.B mark
+-The mark target can be used in every chain of every table. It is possible
+-to use the marking of a frame/packet in both ebtables and iptables,
+-if the br-nf code is compiled into the kernel. Both put the marking at the
+-same place. So, you can consider this fact as a feature, or as something to
+-watch out for.
++.BR "--to-source " "\fIaddress\fP"
+ .br
+-.BR "--mark-target " "\fItarget\fP"
++The flag
++.B --to-src
++is an alias for this option.
++.TP
++.BR "--snat-target " "\fItarget\fP"
+ .br
+-Specifies the standard target. After marking the frame, the rule
+-still has to give a standard target so
++Specifies the standard target. After doing the snat, the rule still has
++to give a standard target so
+ .B ebtables
+ knows what to do.
+-The default target is ACCEPT. Making it CONTINUE can let you do other
+-things with the frame in other rules of the chain.
+-.br
+-.BR "--set-mark " "\fIvalue\fP"
+-.br
+-Mark the frame with the specified unsigned value.
++The default target is ACCEPT. Making it CONTINUE could let you use
++multiple target extensions on the same frame. Making it DROP doesn't
++make sense, but you could do that too. RETURN is also allowed. Note
++that using RETURN in a base chain is not allowed.
+ .br
+ .SH FILES
+ .I /etc/ethertypes
+@@ -573,7 +678,9 @@
+ .I EBTABLES_ATOMIC_FILE
+ .SH BUGS
+ This won't work on an architecture with a user32/kernel64 situation like the Sparc64.
+-.SH AUTHOR
+-.IR "" "Bart De Schuymer <" bdschuym@pandora.be >
++.SH MAILINGLISTS
++.I ebtables-user@lists.sourceforge.net
++.br
++.I ebtables-devel@lists.sourceforge.net
+ .SH SEE ALSO
+-.BR iptables "(8), " brctl (8)
++.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
+--- ebtables-v2.0.2/include/ebtables_u.h Wed Nov 20 22:05:39 2002
++++ ebtables-v2.0.3/include/ebtables_u.h Sun Jan 19 12:37:52 2003
+@@ -30,9 +30,9 @@
+ {
+ int policy;
+ unsigned int nentries;
+- // counter offset for this chain
++ /* counter offset for this chain */
+ unsigned int counter_offset;
+- // used for udc
++ /* used for udc */
+ unsigned int hook_mask;
+ char name[EBT_CHAIN_MAXNAMELEN];
+ struct ebt_u_entry *entries;
+@@ -42,7 +42,7 @@
+ {
+ struct ebt_u_entries *udc;
+ struct ebt_u_chain_list *next;
+- // this is only used internally, in communication.c
++ /* this is only used internally, in communication.c */
+ char *kernel_start;
+ };
+
+@@ -50,25 +50,29 @@
+ {
+ char name[EBT_TABLE_MAXNAMELEN];
+ unsigned int valid_hooks;
+- // nr of rules in the table
++ /* nr of rules in the table */
+ unsigned int nentries;
+ struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS];
+- // user defined chains (udc) list
++ /* user defined chains (udc) list */
+ struct ebt_u_chain_list *udc;
+- // nr of counters userspace expects back
++ /* nr of counters userspace expects back */
+ unsigned int num_counters;
+- // where the kernel will put the old counters
++ /* where the kernel will put the old counters */
+ struct ebt_counter *counters;
+- // can be used e.g. to know if a standard option
+- // has been specified twice
++ /*
++ * can be used e.g. to know if a standard option
++ * has been specified twice
++ */
+ unsigned int flags;
+- // we stick the specified command (e.g. -A) in here
++ /* we stick the specified command (e.g. -A) in here */
+ char command;
+- // here we stick the hook to do our thing on (can be -1 if unspecified)
++ /*
++ * here we stick the hook to do our thing on (can be -1 if unspecified)
++ */
+ int selected_hook;
+- // used for the atomic option
++ /* used for the atomic option */
+ char *filename;
+- // tells what happened to the old rules
++ /* tells what happened to the old rules */
+ unsigned short *counterchanges;
+ };
+
+@@ -114,7 +118,7 @@
+ struct ebt_u_match
+ {
+ char name[EBT_FUNCTION_MAXNAMELEN];
+- // size of the real match data
++ /* size of the real match data */
+ unsigned int size;
+ void (*help)(void);
+ void (*init)(struct ebt_entry_match *m);
+@@ -129,12 +133,16 @@
+ int (*compare)(const struct ebt_entry_match *m1,
+ const struct ebt_entry_match *m2);
+ const struct option *extra_ops;
+- // can be used e.g. to check for multiple occurance of the same option
++ /*
++ * can be used e.g. to check for multiple occurance of the same option
++ */
+ unsigned int flags;
+ unsigned int option_offset;
+ struct ebt_entry_match *m;
+- // if used == 1 we no longer have to add it to
+- // the match chain of the new entry
++ /*
++ * if used == 1 we no longer have to add it to
++ * the match chain of the new entry
++ */
+ unsigned int used;
+ struct ebt_u_match *next;
+ };
+@@ -204,10 +212,10 @@
+ #define print_bug(format, args...) \
+ __print_bug(__FILE__, __LINE__, format, ##args)
+ #define print_error(format,args...) {printf(format".\n",##args); exit(-1);}
+-#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \
+- " %d :Out of memory.\n", __LINE__); exit(-1);}
++#define print_memory() {printf("Ebtables: " __FILE__ \
++ " %s %d :Out of memory.\n", __FUNCTION__, __LINE__); exit(-1);}
+
+-// used for keeping the rule counters right during rule adds or deletes
++/* used for keeping the rule counters right during rule adds or deletes */
+ #define CNT_NORM 0
+ #define CNT_DEL 1
+ #define CNT_ADD 2
+@@ -215,8 +223,10 @@
+ #define CNT_ZERO 4
+
+ extern char *standard_targets[NUM_STANDARD_TARGETS];
+-// Transforms a target string into the right integer,
+-// returns 0 on success.
++/*
++ * Transforms a target string into the right integer,
++ * returns 0 on success.
++ */
+ #define FILL_TARGET(_str, _pos) ({ \
+ int _i, _ret = 0; \
+ for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \
+@@ -229,12 +239,12 @@
+ _ret; \
+ })
+
+-// Transforms the target value to an index into standard_targets[]
++/* Transforms the target value to an index into standard_targets[] */
+ #define TARGET_INDEX(_value) (-_value - 1)
+-// Returns a target string corresponding to the value
++/* Returns a target string corresponding to the value */
+ #define TARGET_NAME(_value) (standard_targets[TARGET_INDEX(_value)])
+-// True if the hook mask denotes that the rule is in a base chain
++/* True if the hook mask denotes that the rule is in a base chain */
+ #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS))
+-// Clear the bit in the hook_mask that tells if the rule is on a base chain
++/* Clear the bit in the hook_mask that tells if the rule is on a base chain */
+ #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS))
+ #endif /* EBTABLES_U_H */
diff --git a/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz b/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz
new file mode 100644
index 0000000..7113e83
--- /dev/null
+++ b/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz
Binary files differ