From 2a6775bd1d5d81c578f78d10ffe4e757153f326e Mon Sep 17 00:00:00 2001 From: Bart De Schuymer Date: Tue, 11 Nov 2003 18:51:00 +0000 Subject: update to 2.6 --- .../ebtables-hacking/ebtables-hacking-HOWTO-3.html | 44 ++++++++++------------ 1 file changed, 20 insertions(+), 24 deletions(-) (limited to 'docs/ebtables-hacking/ebtables-hacking-HOWTO-3.html') diff --git a/docs/ebtables-hacking/ebtables-hacking-HOWTO-3.html b/docs/ebtables-hacking/ebtables-hacking-HOWTO-3.html index 4b53955..d80aa2b 100644 --- a/docs/ebtables-hacking/ebtables-hacking-HOWTO-3.html +++ b/docs/ebtables-hacking/ebtables-hacking-HOWTO-3.html @@ -31,13 +31,13 @@ described now:

The name of the match, for example ip. Try to keep yourself from using capitals.

  • unsigned int size -

    The size of the match data

    +

    The size of the match data, without the extra padding needed for alignment (this is added by the generic code).

  • void (*help)(void)

    This function should print out the help information for the match, when the user asks for it with the -h <match> command. The function can expect a '\n' to have been printed right before it is executed and should end with at least one '\n'. The output should -explain the usage of the module, with its look similar to that of the standard help. +explain the usage of the module and should look similar to the standard help.

  • void (*init)(struct ebt_entry_match *m) @@ -57,7 +57,7 @@ are the same two parameters given to the main function. entry complete new rule that is being constructed. flags points to an unsigned int private to the module that can have any value the module wants. In practice it is used to contain flags for which options are already processed. match points to the data of the match, as you can see it's a double pointer, -meaning you are allowed to change the address of the match's data. +meaning you are allowed to change the address of the match's data (this is done f.e. in ebt_among.c).

  • void (*final_check)(const struct ebt_u_entry *entry,
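Review bot: In the added line about the match double pointer, "f.e." is not a standard abbreviation; write it out so the parenthesis reads "(this is done, for example, in ebt_among.c)". The visible text only says the module is allowed to change the address of the match's data, so a few words on why ebt_among.c needs to do so would make the pointer to that file more useful.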
    @@ -69,20 +69,20 @@ you should check that the user specified -p XyZ. The namehookmask contains the mask that describes from which base chains the rule can be accessed. Because this function can be called twice during the execution of the program, the value time equals 0 for the first execution and 1 for the second. In some situations -it is necessary to have this knowledge. +it is necessary to have this knowledge (see section 3.1.4 for more information).

  • void (*print)(const struct ebt_u_entry *entry,
    const struct ebt_entry_match *match)

    This function is executed when the user wants to list the rules and if a rule contains this match. The output should -be in a format the user could have used to make the rule. +be in a format the user could have used to make the rule, so that the option '--Lx' stays useful.

  • int (*compare)(const struct ebt_entry_match *m1,
    const struct ebt_entry_match *m2)

    -This function is executed when 2 rules have to be compared with eachother and both contain this match. A return value +This function is executed when 2 rules have to be compared with each other and both contain this match. A return value of 1 means the matches in both rules are the same, otherwise the return value must be 0.
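Review bot: The new cross-reference in the final_check() text, "(see section 3.1.4 for more information)", is a hard-coded section number in plain text. Since this is an HTML page, make it a link to that section's anchor so the reference keeps pointing at the explanation of the time argument if the sections are renumbered.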

  • @@ -108,7 +108,7 @@ to the previous section (mentally replace match by watcher where necessary).

    3.1.3 Targets

    -A target module is a piece of code that does a certain action when a all matches of a rule are passed and after the watchers in +A target module is a piece of code that does a certain action when all matches of a rule are passed and after the watchers in the rule (if any) are executed.

    The userspace target is contained in a struct ebt_u_target that has the same relevant fields as the match, so we refer to the first section (mentally replace match by target where necessary). @@ -153,7 +153,7 @@ use FILL_TARGET("RETURN", pos);

  • TARGET_NAME(value)

    -This macro produces the target string coreesponding to the given target value. Use this to convert a stored numeric value to a string that can be printed for +This macro produces the target string corresponding to the given target value. Use this to convert a stored numeric value to a string that can be printed for the user to read.

  • @@ -178,10 +178,11 @@ If you want to use BASE_CHAIN you must use it earlier in the functi

    Some extra explanation about the time argument of the final_check() function is perhaps needed. When a rule is added, this rule can have as target a user defined chain. It can be, for example, that introducing this new rule makes a certain target accessible from a base chain that is not allowed for that target. -Before this rule was added, this was not so, but after the rule is added this is so. Therefore, after an add or insert, all the final_check() functions of all -the modules used in all chains are called, the value of time will be set to 1. We could ofcourse be lazy and let this checking up to the kernel, but it's the +Before this rule was added, this target was not accessible from the base chain, but after the rule was added it is. +Therefore, after an add or insert, all the final_check() functions of all +the modules used in all chains are called, the value of time will be set to 1. We could of course be lazy and let this checking up to the kernel, but it's the policy of ebtables that any rejected table from the kernel is caused by an ebtables userspace bug. Userspace should make sure no invalid data can go to the kernel. This does -not mean that the kernel no longer has to check for validity, ofcourse. +not mean that the kernel no longer has to check for validity, of course.

    A complete rule: @@ -249,16 +250,15 @@ Is needed in the initialization function of a watcher module, to register its da Is needed in the initialization function of a target module, to register its data.

    -
  • int name_to_number(char *name, uint16_t *proto) +
  • struct ethertypeent *getethertypebyname(const char *name)

    -Translate a name of an Ethernet protocol to the corresponding protocol number, which is put inside the variable pointed to by proto. The -translation is done using /etc/ethertypes. The return value is as follows: 0 = success, 1 = success but the name equals "LENGTH", -1 = no translation possible. +Translate a name of an Ethernet protocol to the corresponding protocol number. The +translation is done using /etc/ethertypes.

  • -
  • int number_to_name(unsigned short proto, char *name) +
  • struct ethertypeent *getethertypebynumber(int type)

    -Translate a protocol number to a protocol name, using /etc/ethertypes. Returns 0 on success and puts the protocol name at the address pointed to -by name. This demands the name buffer to be of size at least 21. +Translate a protocol number to a protocol name, using /etc/ethertypes.

  • void check_option(unsigned int *flags, unsigned int mask) @@ -297,10 +297,6 @@ data tells the module to do, with a frame.

    The kernel match module is contained in a struct ebt_match of which its relevant fields will be discussed now:

      -
    1. struct list_head list -

      -Set this to {NULL, NULL}. -

    2. char name[EBT_FUNCTION_MAXNAMELEN]

      The name of the match, should be the same as the name of the corresponding userspace match. @@ -335,7 +331,7 @@ Always set to THIS_MODULE.

      The watchers are contained in a struct ebt_watcher, its members are basically the same as for the struct ebt_match, except that the watcher() function -(the analogue of the match() function) has no return value. +(which is analogous to the match() function) has no return value.

      3.2.3 Targets

      @@ -349,10 +345,10 @@ The target() function should make sure the decision cannot be 3.2.4 Miscellaneous

      -Macro's: +Macros:

      -Some macro's useful to ebtables kernel modules: +Some macros useful to ebtables kernel modules:

      1. FWINV(bool,invflg)

        -- cgit v1.2.3
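Review bot: In the @@ -178,10 +178,11 @@ hunk, two wording problems survive on the lines being rewritten in the explanation of the time argument. "all the final_check() functions of all the modules used in all chains are called, the value of time will be set to 1" is still a comma splice; suggest "... are called with time set to 1". "let this checking up to the kernel" should read "leave this checking to the kernel".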
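Review bot: In the @@ -249,16 +250,15 @@ hunk, the new entries for getethertypebyname() and getethertypebynumber() no longer say what the caller gets back. Both now return struct ethertypeent *, yet the text still reads "Translate a name of an Ethernet protocol to the corresponding protocol number" and "Translate a protocol number to a protocol name". Please state which members of struct ethertypeent hold the number and the name, what is returned when /etc/ethertypes has no matching entry, and how the name "LENGTH" is handled now that the old return value 1 is gone. The removed text also required a name buffer of at least 21 bytes, so say whether the returned struct belongs to the caller or whether the name has to be copied out of it.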