From d891e9e5bc309d5aeb2ab774c76b34a92085b3e7 Mon Sep 17 00:00:00 2001 From: Bart De Schuymer Date: Sat, 1 Jun 2002 19:23:47 +0000 Subject: Initial revision --- .../ebtables-v2.0_vs_2.4.18.pre2.001.diff | 11 + .../ebtables-v2.0_vs_2.4.18.pre3.001.diff | 166 ++++++++++ .../ebtables-v2.0_vs_2.4.18.pre3.002.diff | 66 ++++ .../ebtables-v2.0_vs_2.4.18.pre3.003.diff | 367 +++++++++++++++++++++ .../ebtables-v2.0_vs_2.4.18.pre3.004.diff | 252 ++++++++++++++ .../ebtables-v2.0_vs_2.4.18.pre3.005.diff | 22 ++ .../ebtables-v2.0_vs_2.4.18.pre4.001.diff | 14 + .../ebtables-v2.0_vs_2.4.18.pre5.001.diff | 51 +++ .../ebtables-v2.0_vs_2.4.18.pre6.001.diff | 12 + .../ebtables-v2.0_vs_2.4.18.pre7.001.diff | 172 ++++++++++ 10 files changed, 1133 insertions(+) create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre2.001.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.001.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.002.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.003.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.004.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.005.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre4.001.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre5.001.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre6.001.diff create mode 100644 kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre7.001.diff (limited to 'kernel/patches/incremental-patches') diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre2.001.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre2.001.diff new file mode 100644 index 0000000..ceeabe1 --- /dev/null 
+++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre2.001.diff
@@ -0,0 +1,11 @@
+--- linux/include/linux/netfilter_bridge/ebtables.h Wed Apr 10 19:44:56 2002
++++ ebt2.0pre1/include/linux/netfilter_bridge/ebtables.h Wed Apr 10 19:30:22 2002
+@@ -108,7 +108,7 @@
+ #define EBT_STANDARD_TARGET "standard"
+ struct ebt_standard_target
+ {
+- struct ebt_entry_target;
++ struct ebt_entry_target target;
+ __u8 verdict;
+ };
+
diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.001.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.001.diff
new file mode 100644
index 0000000..db77c43
--- /dev/null
+++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.001.diff
@@ -0,0 +1,166 @@ +Make size members of ebt_entry_* denote the size of the actual data. +This makes ebt_do_table() go faster. +19 April 2002 + +--- linux/net/bridge/netfilter/ebtables.c Fri Apr 19 20:47:12 2002 ++++ ebt2.0pre3.001/net/bridge/netfilter/ebtables.c Fri Apr 19 20:42:50 2002 +@@ -65,7 +65,7 @@ + const struct ebt_counter *c) + { + w->u.watcher->watcher(skb, in, out, w->data, +- w->watcher_size - sizeof(struct ebt_entry_watcher), c); ++ w->watcher_size, c); + // watchers don't give a verdict + return 0; + } +@@ -77,7 +77,7 @@ + const struct ebt_counter *c) + { + return m->u.match->match(skb, in, out, m->data, +- m->match_size - sizeof(struct ebt_entry_match), c); ++ m->match_size, c); + } + + static inline int ebt_dev_check(char *entry, const struct net_device *device) +@@ -197,7 +197,7 @@ + m->u.match = match; + if (match->check && + match->check(name, hook, e, m->data, +- m->match_size - sizeof(*m)) != 0) { ++ m->match_size) != 0) { + BUGPRINT("match->check failed\n"); + up(&ebt_mutex); + return -EINVAL; +@@ -228,7 +228,7 @@ + w->u.watcher = watcher; + if (watcher->check && + watcher->check(name, hook, e, w->data, +- w->watcher_size - sizeof(*w)) != 0) { ++ w->watcher_size) != 0) { + BUGPRINT("watcher->check failed\n"); + up(&ebt_mutex); + return -EINVAL; +@@ -318,7 +318,7 @@ + if (i && (*i)-- == 0) + return 1; + if (m->u.match->destroy) +- m->u.match->destroy(m->data, m->match_size - sizeof(*m)); ++ m->u.match->destroy(m->data, m->match_size); + if (m->u.match->me) + __MOD_DEC_USE_COUNT(m->u.match->me); + +@@ -331,7 +331,7 @@ + if (i && (*i)-- == 0) + return 1; + if (w->u.watcher->destroy) +- w->u.watcher->destroy(w->data, w->watcher_size - sizeof(*w)); ++ w->u.watcher->destroy(w->data, w->watcher_size); + if (w->u.watcher->me) + __MOD_DEC_USE_COUNT(w->u.watcher->me); + +@@ -411,7 +411,7 @@ + } + } else if (t->u.target->check && + t->u.target->check(name, hook, e, t->data, +- t->target_size - sizeof(*t)) != 0) { ++ t->target_size) != 0) { + if 
(t->u.target->me) + __MOD_DEC_USE_COUNT(t->u.target->me); + ret = -EFAULT; +@@ -440,7 +440,7 @@ + EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL); + t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); + if (t->u.target->destroy) +- t->u.target->destroy(t->data, t->target_size - sizeof(*t)); ++ t->u.target->destroy(t->data, t->target_size); + if (t->u.target->me) + __MOD_DEC_USE_COUNT(t->u.target->me); + +--- linux/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 20:47:12 2002 ++++ ebt2.0pre3.001/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 20:50:24 2002 +@@ -19,7 +19,7 @@ + #define EBT_TABLE_MAXNAMELEN 32 + #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN + +-/* [gs]etsockopt numbers */ ++// [gs]etsockopt numbers + #define EBT_BASE_CTL 128 + + #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) +@@ -84,7 +84,7 @@ + char name[EBT_FUNCTION_MAXNAMELEN]; + struct ebt_match *match; + } u; +- // size of this struct + size of data ++ // size of data + unsigned int match_size; + unsigned char data[0]; + }; +@@ -95,7 +95,7 @@ + char name[EBT_FUNCTION_MAXNAMELEN]; + struct ebt_watcher *watcher; + } u; +- // size of this struct + size of data ++ // size of data + unsigned int watcher_size; + unsigned char data[0]; + }; +@@ -106,7 +106,7 @@ + char name[EBT_FUNCTION_MAXNAMELEN]; + struct ebt_target *target; + } u; +- // size of this struct + size of data ++ // size of data + unsigned int target_size; + unsigned char data[0]; + }; +@@ -118,7 +118,7 @@ + __u8 verdict; + }; + +-/* one entry */ ++// one entry + struct ebt_entry { + // this needs to be the first field + __u32 bitmask; +@@ -199,8 +199,8 @@ + const void *targetdata, + unsigned int datalen); + // 0 == let it in +- int (*check)(const char *tablename, unsigned int hooknr, const struct ebt_entry *e, +- void *targetdata, unsigned int datalen); ++ int (*check)(const char *tablename, unsigned int hooknr, ++ const struct ebt_entry *e, void *targetdata, unsigned int datalen); + void (*destroy)(void 
*targetdata, unsigned int datalen); + struct module *me; + }; +@@ -227,7 +227,8 @@ + rwlock_t lock; + // e.g. could be the table explicitly only allows certain + // matches, targets, ... 0 == let it in +- int (*check)(const struct ebt_table_info *info, unsigned int valid_hooks); ++ int (*check)(const struct ebt_table_info *info, ++ unsigned int valid_hooks); + // the data used by the kernel + struct ebt_table_info *private; + }; +@@ -256,7 +257,8 @@ + \ + for (__i = sizeof(struct ebt_entry); \ + __i < (e)->watchers_offset; \ +- __i += __match->match_size) { \ ++ __i += __match->match_size + \ ++ sizeof(struct ebt_entry_match)) { \ + __match = (void *)(e) + __i; \ + \ + __ret = fn(__match , ## args); \ +@@ -278,7 +280,8 @@ + \ + for (__i = e->watchers_offset; \ + __i < (e)->target_offset; \ +- __i += __watcher->watcher_size) { \ ++ __i += __watcher->watcher_size + \ ++ sizeof(struct ebt_entry_watcher)) { \ + __watcher = (void *)(e) + __i; \ + \ + __ret = fn(__watcher , ## args); \ diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.002.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.002.diff new file mode 100644 index 0000000..7fb0399 --- /dev/null +++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.002.diff 
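Review bot: The rewritten EBT_MATCH_ITERATE and EBT_WATCHER_ITERATE loops advance `__i` by `__match->match_size + sizeof(struct ebt_entry_match)`, where `match_size` comes straight from the userspace-supplied entry, and nothing in this hunk bounds that sum against `(e)->watchers_offset` before the next pass does `__match = (void *)(e) + __i` and dereferences it; because `__i` is unsigned, a large `match_size` can also wrap it back below the loop limit. The module `check` callbacks only see `datalen` after the macro has already trusted `match_size` to locate them, so they cannot serve as that guard. If the entry-validation code in ebtables.c (outside this hunk) does not already reject a match or watcher whose `__i + size + sizeof(*__match)` exceeds the next offset, that check belongs there, and a comment on the macro should state that `match_size` is only safe to trust once that validation has run.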
@@ -0,0 +1,66 @@ +* Add logical bridge in/out device filtering support +* Be more paranoid about the given userspace device names + +--- linux/net/bridge/netfilter/ebtables.c Fri Apr 19 21:48:59 2002 ++++ ebt2.0pre3.002/net/bridge/netfilter/ebtables.c Fri Apr 19 23:21:22 2002 +@@ -30,6 +30,8 @@ + #include + #include + #include ++// needed for logical [in,out]-dev filtering ++#include "../br_private.h" + + // list_named_find + #define ASSERT_READ_LOCK(x) +@@ -115,6 +117,11 @@ + (point->bitmask & EBT_802_3), EBT_IPROTO) ) + && FWINV(!ebt_dev_check((char *)(point->in), in), EBT_IIN) + && FWINV(!ebt_dev_check((char *)(point->out), out), EBT_IOUT) ++ && ((!in || !in->br_port) ? 1 : FWINV(!ebt_dev_check((char *) ++ (point->logical_in), &in->br_port->br->dev), EBT_ILOGICALIN)) ++ && ((!out || !out->br_port) ? 1 : ++ FWINV(!ebt_dev_check((char *) ++ (point->logical_out), &out->br_port->br->dev), EBT_ILOGICALOUT)) + ) { + if ( (point->bitmask & EBT_SOURCEMAC) && + FWINV(!!memcmp(point->sourcemac, +@@ -363,6 +370,10 @@ + BUGPRINT("NOPROTO & 802_3 not allowed\n"); + return -EINVAL; + } ++ e->in[IFNAMSIZ - 1] = '\0'; ++ e->out[IFNAMSIZ - 1] = '\0'; ++ e->logical_in[IFNAMSIZ - 1] = '\0'; ++ e->logical_out[IFNAMSIZ - 1] = '\0'; + // what hook do we belong to? 
+ for (i = 0; i < NF_BR_NUMHOOKS; i++) { + if ((valid_hooks & (1 << i)) == 0) +--- linux/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 21:48:59 2002 ++++ ebt2.0pre3.002/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 21:06:25 2002 +@@ -71,7 +71,10 @@ + #define EBT_IOUT 0x04 + #define EBT_ISOURCE 0x8 + #define EBT_IDEST 0x10 +-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ISOURCE | EBT_IDEST) ++#define EBT_ILOGICALIN 0x20 ++#define EBT_ILOGICALOUT 0x40 ++#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ ++ | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) + + struct ebt_counter + { +@@ -124,8 +127,14 @@ + __u32 bitmask; + __u32 invflags; + __u16 ethproto; ++ // the physical in-dev + __u8 in[IFNAMSIZ]; ++ // the logical in-dev ++ __u8 logical_in[IFNAMSIZ]; ++ // the physical out-dev + __u8 out[IFNAMSIZ]; ++ // the logical out-dev ++ __u8 logical_out[IFNAMSIZ]; + __u8 sourcemac[ETH_ALEN]; + __u8 destmac[ETH_ALEN]; + // sizeof ebt_entry + matches diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.003.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.003.diff new file mode 100644 index 0000000..375d347 --- /dev/null +++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.003.diff 
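Review bot: The four `e->in[IFNAMSIZ - 1] = '\0';` lines terminate the device names, but the `u.name[EBT_FUNCTION_MAXNAMELEN]` fields of the entry's matches, watchers and target (declared in the ebtables.h context of the preceding patch) are userspace-supplied strings of the same kind, and this hunk does not show them being terminated before the name is used to find the module. If that is not done elsewhere in the check path, apply the same treatment, e.g. `m->u.name[EBT_FUNCTION_MAXNAMELEN - 1] = '\0';` ahead of the lookup in the match, watcher and target check functions. The new logical-device test in the match loop reads `in->br_port->br->dev` and relies on the `!in || !in->br_port` ternary just before it; a one-line comment saying so would make the nested FWINV easier to read, since the enclosing function starts outside the hunk.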
@@ -0,0 +1,367 @@ +April 22 +* add brouter support +* add --[d,s]nat-target option kernel support for the nat target + +--- linux/net/bridge/br_private.h Mon Apr 22 23:03:27 2002 ++++ ebt2.0pre3.003/net/bridge/br_private.h Mon Apr 22 22:44:20 2002 +@@ -170,7 +170,7 @@ + + /* br_input.c */ + extern int br_handle_frame_finish(struct sk_buff *skb); +-extern void br_handle_frame(struct sk_buff *skb); ++extern int br_handle_frame(struct sk_buff *skb); + + /* br_ioctl.c */ + extern void br_call_ioctl_atomic(void (*fn)(void)); +--- /dev/null Thu Aug 24 11:00:32 2000 ++++ ebt2.0pre3.003/net/bridge/netfilter/ebtable_broute.c Mon Apr 22 19:11:31 2002 +@@ -0,0 +1,80 @@ ++/* ++ * ebtable_broute ++ * ++ * Authors: ++ * Bart De Schuymer ++ * ++ * April, 2002 ++ * ++ * This table lets you choose between routing and bridging for frames ++ * entering on a bridge enslaved nic. This table is traversed before any ++ * other ebtables table. See net/bridge/br_input.c. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++// EBT_ACCEPT means the frame will be bridged ++// EBT_DROP means the frame will be routed ++static struct ebt_entries initial_chain = ++ {0, EBT_ACCEPT, 0}; ++ ++static struct ebt_replace initial_table = ++{ ++ "broute", 1 << NF_BR_BROUTING, 0, sizeof(struct ebt_entries), ++ { [NF_BR_BROUTING]&initial_chain}, {}, ++ 0, NULL, (char *)&initial_chain ++}; ++ ++static int check(const struct ebt_table_info *info, unsigned int valid_hooks) ++{ ++ if (valid_hooks & ~(1 << NF_BR_BROUTING)) ++ return -EINVAL; ++ return 0; ++} ++ ++static struct ebt_table broute_table = ++{ ++ {NULL, NULL}, "broute", &initial_table, 1 << NF_BR_BROUTING, ++ RW_LOCK_UNLOCKED, check, NULL ++}; ++ ++static unsigned int ++ebt_broute (unsigned int hook, struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ int (*okfn)(struct sk_buff *)) ++{ ++ return ebt_do_table(hook, pskb, in, out, &broute_table); ++} ++ ++static int __init init(void) 
++{ ++ int ret; ++ ++ ret = ebt_register_table(&broute_table); ++ if (ret < 0) ++ return ret; ++ br_write_lock_bh(BR_NETPROTO_LOCK); ++ // in br_input.c, br_handle_frame() wants to call broute_decision() ++ broute_decision = ebt_broute; ++ br_write_unlock_bh(BR_NETPROTO_LOCK); ++ return ret; ++} ++ ++static void __exit fini(void) ++{ ++ br_write_lock_bh(BR_NETPROTO_LOCK); ++ broute_decision = NULL; ++ br_write_unlock_bh(BR_NETPROTO_LOCK); ++ ebt_unregister_table(&broute_table); ++} ++ ++module_init(init); ++module_exit(fini); ++EXPORT_NO_SYMBOLS; ++MODULE_LICENSE("GPL"); +--- linux/include/linux/if_bridge.h Thu Nov 22 20:47:12 2001 ++++ ebt2.0pre3.003/include/linux/if_bridge.h Mon Apr 22 19:29:41 2002 +@@ -102,8 +102,13 @@ + struct net_bridge_port; + + extern int (*br_ioctl_hook)(unsigned long arg); +-extern void (*br_handle_frame_hook)(struct sk_buff *skb); +- ++extern int (*br_handle_frame_hook)(struct sk_buff *skb); ++#if defined(CONFIG_BRIDGE_EBT_BROUTE) || \ ++ defined(CONFIG_BRIDGE_EBT_BROUTE_MODULE) ++extern unsigned int (*broute_decision) (unsigned int hook, struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ int (*okfn)(struct sk_buff *)); ++#endif + #endif + + #endif +--- linux/net/core/dev.c Mon Feb 25 20:38:14 2002 ++++ ebt2.0pre3.003/net/core/dev.c Sun Apr 21 18:15:38 2002 +@@ -1384,7 +1384,14 @@ + } + + #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE) +-void (*br_handle_frame_hook)(struct sk_buff *skb) = NULL; ++int (*br_handle_frame_hook)(struct sk_buff *skb) = NULL; ++#if defined(CONFIG_BRIDGE_EBT_BROUTE) || \ ++ defined(CONFIG_BRIDGE_EBT_BROUTE_MODULE) ++unsigned int (*broute_decision) (unsigned int hook, struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ int (*okfn)(struct sk_buff *)) = NULL; ++#endif + #endif + + static __inline__ int handle_bridge(struct sk_buff *skb, +@@ -1394,14 +1401,14 @@ + + if (pt_prev) { + if (!pt_prev->data) +- ret = 
deliver_to_old_ones(pt_prev, skb, 0); ++ deliver_to_old_ones(pt_prev, skb, 0); + else { + atomic_inc(&skb->users); +- ret = pt_prev->func(skb, skb->dev, pt_prev); ++ pt_prev->func(skb, skb->dev, pt_prev); + } + } + +- br_handle_frame_hook(skb); ++ ret = br_handle_frame_hook(skb); + return ret; + } + +@@ -1479,9 +1486,10 @@ + #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE) + if (skb->dev->br_port != NULL && + br_handle_frame_hook != NULL) { +- handle_bridge(skb, pt_prev); +- dev_put(rx_dev); +- continue; ++ if (handle_bridge(skb, pt_prev) == 0) { ++ dev_put(rx_dev); ++ continue; ++ } + } + #endif + +--- linux/net/bridge/br_input.c Mon Apr 22 23:03:27 2002 ++++ ebt2.0pre3.003/net/bridge/br_input.c Sun Apr 21 18:15:23 2002 +@@ -19,7 +19,10 @@ + #include + #include + #include "br_private.h" +- ++#if defined(CONFIG_BRIDGE_EBT_BROUTE) || \ ++ defined(CONFIG_BRIDGE_EBT_BROUTE_MODULE) ++#include ++#endif + unsigned char bridge_ula[6] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 }; + + static int br_pass_frame_up_finish(struct sk_buff *skb) +@@ -112,7 +115,7 @@ + return 0; + } + +-void br_handle_frame(struct sk_buff *skb) ++int br_handle_frame(struct sk_buff *skb) + { + struct net_bridge *br; + unsigned char *dest; +@@ -146,23 +149,30 @@ + goto handle_special_frame; + + if (p->state == BR_STATE_FORWARDING) { ++#if defined(CONFIG_BRIDGE_EBT_BROUTE) || \ ++ defined(CONFIG_BRIDGE_EBT_BROUTE_MODULE) ++ if (broute_decision && broute_decision(NF_BR_BROUTING, &skb, ++ skb->dev, NULL, NULL) == NF_DROP) ++ return -1; ++#endif + NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, + br_handle_frame_finish); + read_unlock(&br->lock); +- return; ++ return 0; + } + + err: + read_unlock(&br->lock); + err_nolock: + kfree_skb(skb); +- return; ++ return 0; + + handle_special_frame: + if (!dest[5]) { + br_stp_handle_bpdu(skb); +- return; ++ return 0; + } + + kfree_skb(skb); ++ return 0; + } +--- linux/net/netsyms.c Mon Feb 25 20:38:14 2002 ++++ ebt2.0pre3.003/net/netsyms.c Sun 
Apr 21 18:15:56 2002 +@@ -228,6 +228,10 @@ + + #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE) + EXPORT_SYMBOL(br_handle_frame_hook); ++#if defined(CONFIG_BRIDGE_EBT_BROUTE) || \ ++ defined(CONFIG_BRIDGE_EBT_BROUTE_MODULE) ++EXPORT_SYMBOL(broute_decision); ++#endif + #ifdef CONFIG_INET + EXPORT_SYMBOL(br_ioctl_hook); + #endif +--- linux/include/linux/netfilter_bridge.h Tue Jun 12 04:15:27 2001 ++++ ebt2.0pre3.003/include/linux/netfilter_bridge.h Sun Apr 21 19:02:02 2002 +@@ -18,7 +18,8 @@ + #define NF_BR_LOCAL_OUT 3 + /* Packets about to hit the wire. */ + #define NF_BR_POST_ROUTING 4 +-#define NF_BR_NUMHOOKS 5 +- ++/* Not really a hook, but used for the ebtables broute table */ ++#define NF_BR_BROUTING 5 ++#define NF_BR_NUMHOOKS 6 + + #endif +--- linux/net/bridge/netfilter/Makefile Mon Apr 22 23:03:37 2002 ++++ ebt2.0pre3.003/net/bridge/netfilter/Makefile Sun Apr 21 14:17:32 2002 +@@ -14,6 +14,7 @@ + obj-$(CONFIG_BRIDGE_EBT) += ebtables.o + obj-$(CONFIG_BRIDGE_EBT_T_FILTER) += ebtable_filter.o + obj-$(CONFIG_BRIDGE_EBT_T_NAT) += ebtable_nat.o ++obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o + obj-$(CONFIG_BRIDGE_DB) += br_db.o + obj-$(CONFIG_BRIDGE_EBT_IPF) += ebt_ip.o + obj-$(CONFIG_BRIDGE_EBT_ARPF) += ebt_arp.o +--- linux/net/bridge/netfilter/Config.in Mon Apr 22 23:03:37 2002 ++++ ebt2.0pre3.003/net/bridge/netfilter/Config.in Sat Apr 20 18:08:53 2002 +@@ -4,6 +4,7 @@ + dep_tristate ' Bridge: ebtables' CONFIG_BRIDGE_EBT $CONFIG_BRIDGE + dep_tristate ' ebt: filter table support' CONFIG_BRIDGE_EBT_T_FILTER $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: nat table support' CONFIG_BRIDGE_EBT_T_NAT $CONFIG_BRIDGE_EBT ++dep_tristate ' ebt: broute table support' CONFIG_BRIDGE_EBT_BROUTE $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: LOG support' CONFIG_BRIDGE_EBT_LOG $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: IP filter support' CONFIG_BRIDGE_EBT_IPF $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: ARP filter support' CONFIG_BRIDGE_EBT_ARPF $CONFIG_BRIDGE_EBT +--- 
linux/net/bridge/netfilter/ebtable_nat.c Mon Apr 22 23:03:37 2002 ++++ ebt2.0pre3.003/net/bridge/netfilter/ebtable_nat.c Sat Apr 20 17:34:35 2002 +@@ -55,18 +55,16 @@ + + static unsigned int + ebt_nat_dst (unsigned int hook, struct sk_buff **pskb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) ++ const struct net_device *in, const struct net_device *out, ++ int (*okfn)(struct sk_buff *)) + { + return ebt_do_table(hook, pskb, in, out, &frame_nat); + } + + // let snat know this frame is routed + static unsigned int ebt_clear_physin (unsigned int hook, struct sk_buff **pskb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) ++ const struct net_device *in, const struct net_device *out, ++ int (*okfn)(struct sk_buff *)) + { + (*pskb)->physindev = NULL; + return NF_ACCEPT; +@@ -74,9 +72,8 @@ + + // let snat know this frame is bridged + static unsigned int ebt_set_physin (unsigned int hook, struct sk_buff **pskb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) ++ const struct net_device *in, const struct net_device *out, ++ int (*okfn)(struct sk_buff *)) + { + (*pskb)->physindev = &__fake_net_device; + return NF_ACCEPT; +--- linux/net/bridge/netfilter/ebt_nat.c Mon Apr 22 23:03:37 2002 ++++ ebt2.0pre3.003/net/bridge/netfilter/ebt_nat.c Mon Apr 22 22:48:15 2002 +@@ -33,7 +33,7 @@ + } + memcpy(((**pskb).mac.ethernet)->h_source, infostuff->mac, + ETH_ALEN * sizeof(unsigned char)); +- return EBT_ACCEPT; ++ return infostuff->target; + } + + __u8 ebt_target_dnat(struct sk_buff **pskb, unsigned int hooknr, +@@ -54,29 +54,37 @@ + } + memcpy(((**pskb).mac.ethernet)->h_dest, infostuff->mac, + ETH_ALEN * sizeof(unsigned char)); +- return EBT_ACCEPT; ++ return infostuff->target; + } + + int ebt_target_snat_check(const char *tablename, unsigned int hooknr, + const struct ebt_entry *e, void *data, unsigned int datalen) + { ++ struct 
ebt_nat_info *infostuff = (struct ebt_nat_info *) data; ++ + if (strcmp(tablename, "nat")) + return -EINVAL; + if (datalen != sizeof(struct ebt_nat_info)) + return -EINVAL; + if (hooknr != NF_BR_POST_ROUTING) + return -EINVAL; ++ if (infostuff->target >= NUM_STANDARD_TARGETS) ++ return -EINVAL; + return 0; + } + + int ebt_target_dnat_check(const char *tablename, unsigned int hooknr, + const struct ebt_entry *e, void *data, unsigned int datalen) + { ++ struct ebt_nat_info *infostuff = (struct ebt_nat_info *) data; ++ + if (strcmp(tablename, "nat")) + return -EINVAL; + if (datalen != sizeof(struct ebt_nat_info)) + return -EINVAL; + if (hooknr != NF_BR_PRE_ROUTING && hooknr != NF_BR_LOCAL_OUT) ++ return -EINVAL; ++ if (infostuff->target >= NUM_STANDARD_TARGETS) + return -EINVAL; + return 0; + } +--- linux/include/linux/netfilter_bridge/ebt_nat.h Mon Apr 22 23:03:37 2002 ++++ ebt2.0pre3.003/include/linux/netfilter_bridge/ebt_nat.h Mon Apr 22 20:43:40 2002 +@@ -4,6 +4,8 @@ + struct ebt_nat_info + { + unsigned char mac[ETH_ALEN]; ++ // EBT_ACCEPT, EBT_DROP or EBT_CONTINUE ++ __u8 target; + }; + #define EBT_SNAT_TARGET "snat" + #define EBT_DNAT_TARGET "dnat" diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.004.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.004.diff new file mode 100644 index 0000000..6ff7f33 --- /dev/null +++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.004.diff 
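Review bot: In br_handle_frame the new `return -1;` after `broute_decision(...) == NF_DROP` leaves the function without the `read_unlock(&br->lock)` that every other exit in this hunk performs (the NF_HOOK path and the `err:` label both unlock), so each brouted frame leaks a read hold on `br->lock`; the lock acquisition is outside the hunk, but the surrounding unlocks make it clear the lock is held at this point. Change it to `read_unlock(&br->lock); return -1;`. A second point: once `handle_bridge()` returns non-zero, netif_receive_skb now falls through to the normal protocol path with an skb that handle_bridge has already handed to `pt_prev`; unless the code below the `#endif` (not in the hunk) accounts for that, a brouted frame can reach a PF_PACKET listener twice. A comment on the `if (handle_bridge(skb, pt_prev) == 0)` line stating what a non-zero return means for the remainder of the function would make that contract explicit.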
@@ -0,0 +1,252 @@ +* add redirect target +* remove some bugs from nat target +* use NF_BR_PRI_* + +--- /dev/null Thu Aug 24 11:00:32 2000 ++++ ebt2.0pre3.004/net/bridge/netfilter/ebt_redirect.c Sat Apr 27 13:09:16 2002 +@@ -0,0 +1,63 @@ ++/* ++ * ebt_redirect ++ * ++ * Authors: ++ * Bart De Schuymer ++ * ++ * April, 2002 ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static __u8 ebt_target_redirect(struct sk_buff **pskb, unsigned int hooknr, ++ const struct net_device *in, const struct net_device *out, ++ const void *data, unsigned int datalen) ++{ ++ struct ebt_redirect_info *infostuff = (struct ebt_redirect_info *) data; ++ ++ memcpy((**pskb).mac.ethernet->h_dest, in->dev_addr, ETH_ALEN); ++ (*pskb)->pkt_type = PACKET_HOST; ++ return infostuff->target; ++} ++ ++static int ebt_target_redirect_check(const char *tablename, unsigned int hooknr, ++ const struct ebt_entry *e, void *data, unsigned int datalen) ++{ ++ struct ebt_redirect_info *infostuff = (struct ebt_redirect_info *) data; ++ ++ if ( (strcmp(tablename, "nat") || hooknr != NF_BR_PRE_ROUTING) && ++ (strcmp(tablename, "broute") || hooknr != NF_BR_BROUTING) ) ++ return -EINVAL; ++ if (datalen != sizeof(struct ebt_redirect_info)) ++ return -EINVAL; ++ if (infostuff->target >= NUM_STANDARD_TARGETS) ++ return -EINVAL; ++ return 0; ++} ++ ++static struct ebt_target redirect_target = ++{ ++ {NULL, NULL}, EBT_REDIRECT_TARGET, ebt_target_redirect, ++ ebt_target_redirect_check, NULL, THIS_MODULE ++}; ++ ++static int __init init(void) ++{ ++ return ebt_register_target(&redirect_target); ++} ++ ++static void __exit fini(void) ++{ ++ ebt_unregister_target(&redirect_target); ++} ++ ++module_init(init); ++module_exit(fini); ++EXPORT_NO_SYMBOLS; ++MODULE_LICENSE("GPL"); +--- linux/include/linux/netfilter_bridge.h Sun Apr 21 19:02:02 2002 ++++ ebt2.0pre3.004/include/linux/netfilter_bridge.h Sat Apr 27 17:40:09 2002 +@@ -22,4 +22,15 @@ + #define NF_BR_BROUTING 5 + #define NF_BR_NUMHOOKS 
6 + ++enum nf_br_hook_priorities { ++ NF_BR_PRI_FIRST = INT_MIN, ++ NF_BR_PRI_FILTER_BRIDGED = -200, ++ NF_BR_PRI_FILTER_OTHER = 200, ++ NF_BR_PRI_NAT_DST_BRIDGED = -300, ++ NF_BR_PRI_NAT_DST_OTHER = 100, ++ NF_BR_PRI_NAT_SRC_BRIDGED = -100, ++ NF_BR_PRI_NAT_SRC_OTHER = 300, ++ NF_BR_PRI_LAST = INT_MAX, ++}; ++ + #endif +--- linux/net/bridge/netfilter/Makefile Sun Apr 21 14:17:32 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/Makefile Tue Apr 23 22:52:25 2002 +@@ -20,5 +20,5 @@ + obj-$(CONFIG_BRIDGE_EBT_ARPF) += ebt_arp.o + obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o + obj-$(CONFIG_BRIDGE_EBT_NAT) += ebt_nat.o +- ++obj-$(CONFIG_BRIDGE_EBT_REDIRECT) += ebt_redirect.o + include $(TOPDIR)/Rules.make +--- linux/net/bridge/netfilter/Config.in Sat Apr 20 18:08:53 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/Config.in Tue Apr 23 22:51:38 2002 +@@ -9,5 +9,6 @@ + dep_tristate ' ebt: IP filter support' CONFIG_BRIDGE_EBT_IPF $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: ARP filter support' CONFIG_BRIDGE_EBT_ARPF $CONFIG_BRIDGE_EBT + dep_tristate ' ebt: nat target support' CONFIG_BRIDGE_EBT_NAT $CONFIG_BRIDGE_EBT ++dep_tristate ' ebt: redirect target support' CONFIG_BRIDGE_EBT_REDIRECT $CONFIG_BRIDGE_EBT + dep_tristate ' Bridge: ethernet database' CONFIG_BRIDGE_DB $CONFIG_BRIDGE + +--- linux/net/bridge/netfilter/ebtable_filter.c Sat Apr 13 21:51:47 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/ebtable_filter.c Sat Apr 27 17:44:20 2002 +@@ -52,9 +52,12 @@ + } + + static struct nf_hook_ops ebt_ops_filter[] = { +- { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_LOCAL_IN, -200}, +- { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_FORWARD, -200}, +- { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_LOCAL_OUT, 200} ++ { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_LOCAL_IN, ++ NF_BR_PRI_FILTER_BRIDGED}, ++ { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_FORWARD, ++ NF_BR_PRI_FILTER_BRIDGED}, ++ { { NULL, NULL }, ebt_hook, PF_BRIDGE, NF_BR_LOCAL_OUT, ++ NF_BR_PRI_FILTER_OTHER} + }; + + static int __init 
init(void) +--- linux/net/bridge/netfilter/ebtable_nat.c Sat Apr 20 17:34:35 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/ebtable_nat.c Sat Apr 27 17:42:28 2002 +@@ -109,12 +109,18 @@ + } + + static struct nf_hook_ops ebt_ops_nat[] = { +- { { NULL, NULL }, ebt_nat_dst, PF_BRIDGE, NF_BR_LOCAL_OUT, 100}, +- { { NULL, NULL }, ebt_nat_src, PF_BRIDGE, NF_BR_POST_ROUTING, -100}, +- { { NULL, NULL }, ebt_nat_src_route, PF_BRIDGE, NF_BR_POST_ROUTING,300}, +- { { NULL, NULL }, ebt_nat_dst, PF_BRIDGE, NF_BR_PRE_ROUTING, -300}, +- { { NULL, NULL }, ebt_clear_physin, PF_BRIDGE, NF_BR_LOCAL_OUT,200 + 1}, +- { { NULL, NULL }, ebt_set_physin, PF_BRIDGE, NF_BR_FORWARD, 200 + 1} ++ { { NULL, NULL }, ebt_nat_dst, PF_BRIDGE, NF_BR_LOCAL_OUT, ++ NF_BR_PRI_NAT_DST_OTHER}, ++ { { NULL, NULL }, ebt_nat_src, PF_BRIDGE, NF_BR_POST_ROUTING, ++ NF_BR_PRI_NAT_SRC_BRIDGED}, ++ { { NULL, NULL }, ebt_nat_src_route, PF_BRIDGE, NF_BR_POST_ROUTING, ++ NF_BR_PRI_NAT_SRC_OTHER}, ++ { { NULL, NULL }, ebt_nat_dst, PF_BRIDGE, NF_BR_PRE_ROUTING, ++ NF_BR_PRI_NAT_DST_BRIDGED}, ++ { { NULL, NULL }, ebt_clear_physin, PF_BRIDGE, NF_BR_LOCAL_OUT, ++ NF_BR_PRI_FILTER_OTHER + 1}, ++ { { NULL, NULL }, ebt_set_physin, PF_BRIDGE, NF_BR_FORWARD, ++ NF_BR_PRI_FILTER_OTHER + 1} + }; + + static int __init init(void) +--- linux/net/bridge/netfilter/ebt_nat.c Mon Apr 22 22:48:15 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/ebt_nat.c Thu Apr 25 18:49:14 2002 +@@ -15,49 +15,29 @@ + #include + #include + +-__u8 ebt_target_snat(struct sk_buff **pskb, unsigned int hooknr, ++static __u8 ebt_target_snat(struct sk_buff **pskb, unsigned int hooknr, + const struct net_device *in, const struct net_device *out, + const void *data, unsigned int datalen) + { + struct ebt_nat_info *infostuff = (struct ebt_nat_info *) data; + +- if (skb_cloned(*pskb)) { +- struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC); +- +- if (!nskb) +- return EBT_DROP; +- if ((*pskb)->sk) +- skb_set_owner_w(nskb, (*pskb)->sk); +- kfree_skb(*pskb); +- *pskb = 
nskb; +- } + memcpy(((**pskb).mac.ethernet)->h_source, infostuff->mac, + ETH_ALEN * sizeof(unsigned char)); + return infostuff->target; + } + +-__u8 ebt_target_dnat(struct sk_buff **pskb, unsigned int hooknr, ++static __u8 ebt_target_dnat(struct sk_buff **pskb, unsigned int hooknr, + const struct net_device *in, const struct net_device *out, + const void *data, unsigned int datalen) + { + struct ebt_nat_info *infostuff = (struct ebt_nat_info *) data; + +- if (skb_cloned(*pskb)) { +- struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC); +- +- if (!nskb) +- return EBT_DROP; +- if ((*pskb)->sk) +- skb_set_owner_w(nskb, (*pskb)->sk); +- kfree_skb(*pskb); +- *pskb = nskb; +- } + memcpy(((**pskb).mac.ethernet)->h_dest, infostuff->mac, + ETH_ALEN * sizeof(unsigned char)); + return infostuff->target; + } + +-int ebt_target_snat_check(const char *tablename, unsigned int hooknr, ++static int ebt_target_snat_check(const char *tablename, unsigned int hooknr, + const struct ebt_entry *e, void *data, unsigned int datalen) + { + struct ebt_nat_info *infostuff = (struct ebt_nat_info *) data; +@@ -73,29 +53,29 @@ + return 0; + } + +-int ebt_target_dnat_check(const char *tablename, unsigned int hooknr, ++static int ebt_target_dnat_check(const char *tablename, unsigned int hooknr, + const struct ebt_entry *e, void *data, unsigned int datalen) + { + struct ebt_nat_info *infostuff = (struct ebt_nat_info *) data; + +- if (strcmp(tablename, "nat")) ++ if ( (strcmp(tablename, "nat") || ++ (hooknr != NF_BR_PRE_ROUTING && hooknr != NF_BR_LOCAL_OUT)) && ++ (strcmp(tablename, "broute") || hooknr != NF_BR_BROUTING) ) + return -EINVAL; + if (datalen != sizeof(struct ebt_nat_info)) + return -EINVAL; +- if (hooknr != NF_BR_PRE_ROUTING && hooknr != NF_BR_LOCAL_OUT) +- return -EINVAL; + if (infostuff->target >= NUM_STANDARD_TARGETS) + return -EINVAL; + return 0; + } + +-struct ebt_target snat = ++static struct ebt_target snat = + { + {NULL, NULL}, EBT_SNAT_TARGET, ebt_target_snat, 
ebt_target_snat_check, + NULL, THIS_MODULE + }; + +-struct ebt_target dnat = ++static struct ebt_target dnat = + { + {NULL, NULL}, EBT_DNAT_TARGET, ebt_target_dnat, ebt_target_dnat_check, + NULL, THIS_MODULE +--- linux/net/bridge/netfilter/ebtables.c Sat Apr 20 14:05:07 2002 ++++ ebt2.0pre3.004/net/bridge/netfilter/ebtables.c Sat Apr 27 18:10:53 2002 +@@ -122,6 +122,7 @@ + && ((!out || !out->br_port) ? 1 : + FWINV(!ebt_dev_check((char *) + (point->logical_out), &out->br_port->br->dev), EBT_ILOGICALOUT)) ++ + ) { + if ( (point->bitmask & EBT_SOURCEMAC) && + FWINV(!!memcmp(point->sourcemac, diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.005.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.005.diff new file mode 100644 index 0000000..425bc53 --- /dev/null +++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre3.005.diff @@ -0,0 +1,22 @@ +make redirect work for bridged traffic too + +--- ebt2.0pre3.004/net/bridge/netfilter/ebt_redirect.c Sat Apr 27 13:09:16 2002 ++++ ebt2.0pre3.005/net/bridge/netfilter/ebt_redirect.c Sat Apr 27 22:48:52 2002 +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include "../br_private.h" + + static __u8 ebt_target_redirect(struct sk_buff **pskb, unsigned int hooknr, + const struct net_device *in, const struct net_device *out, +@@ -21,7 +22,8 @@ + { + struct ebt_redirect_info *infostuff = (struct ebt_redirect_info *) data; + +- memcpy((**pskb).mac.ethernet->h_dest, in->dev_addr, ETH_ALEN); ++ memcpy((**pskb).mac.ethernet->h_dest, ++ in->br_port->br->dev.dev_addr, ETH_ALEN); + (*pskb)->pkt_type = PACKET_HOST; + return infostuff->target; + } diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre4.001.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre4.001.diff new file mode 100644 index 0000000..3699bdf --- /dev/null +++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre4.001.diff 
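Review bot: ebt_target_redirect rewrites `h_dest` in place with `memcpy((**pskb).mac.ethernet->h_dest, in->dev_addr, ETH_ALEN)` while the same patch deletes the `skb_cloned()`/`skb_copy()` unsharing from ebt_target_snat and ebt_target_dnat, so all three targets now modify the MAC header of whatever skb they are handed; if that skb is a clone whose data is shared (e.g. with a packet socket that tapped it earlier), the rewrite is visible to the other holder too. If the removed code was dropped because the copy path itself was wrong, the targets still need some form of unsharing before the memcpy rather than none. The `infostuff->target >= NUM_STANDARD_TARGETS` guard in ebt_target_redirect_check is the right check for a userspace-supplied verdict; a comment such as `/* target is returned verbatim as the verdict, so it must be a standard one */` would explain why it is bounded.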
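Review bot: The replacement `in->br_port->br->dev.dev_addr` dereferences `in->br_port` and `->br` without a NULL check, so the target is only safe in hooks where `in` is guaranteed to be an enslaved port; ebt_target_redirect_check (in the previous patch) restricts it to nat/PRE_ROUTING and broute/BROUTING, which is what makes that hold. Record the dependency next to the memcpy, e.g. `/* in->br_port is non-NULL here: the check function only allows hooks reached through a bridge port */`, so a later relaxation of the check does not silently turn this into a NULL dereference. Including `"../br_private.h"` from a target module ties ebt_redirect.c to the bridge's private layout; if a public accessor for the bridge device exists it would be preferable, but that is beyond this hunk.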
@@ -0,0 +1,14 @@
+--- /dev/null Thu Aug 24 11:00:32 2000
++++ ebt2.0pre4/include/linux/netfilter_bridge/ebt_redirect.h Mon Apr 29 20:00:05 2002
+@@ -0,0 +1,11 @@
++#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H
++#define __LINUX_BRIDGE_EBT_REDIRECT_H
++
++struct ebt_redirect_info
++{
++ // EBT_ACCEPT, EBT_DROP or EBT_CONTINUE
++ __u8 target;
++};
++#define EBT_REDIRECT_TARGET "redirect"
++
++#endif
diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre5.001.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre5.001.diff
new file mode 100644
index 0000000..ba86d00
--- /dev/null
+++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre5.001.diff
@@ -0,0 +1,51 @@
+--- linux/net/bridge/netfilter/ebtables.c Fri May 3 20:37:08 2002
++++ ebt2.0pre5.001/net/bridge/netfilter/ebtables.c Fri May 3 20:28:46 2002
+@@ -124,17 +124,26 @@
+ (point->logical_out), &out->br_port->br->dev), EBT_ILOGICALOUT))
+
+ ) {
+- if ( (point->bitmask & EBT_SOURCEMAC) &&
+- FWINV(!!memcmp(point->sourcemac,
+- ((**pskb).mac.ethernet)->h_source, ETH_ALEN),
+- EBT_ISOURCE) )
+- goto letscontinue;
++ char hlpmac[6];
++ int j;
+
+- if ( (point->bitmask & EBT_DESTMAC) &&
+- FWINV(!!memcmp(point->destmac,
+- ((**pskb).mac.ethernet)->h_dest, ETH_ALEN),
+- EBT_IDEST) )
+- goto letscontinue;
++ if (point->bitmask & EBT_SOURCEMAC) {
++ for (j = 0; j < 6; j++)
++ hlpmac[j] = ((**pskb).mac.ethernet)->
++ h_source[j] & point->sourcemsk[j];
++ if (FWINV(!!memcmp(point->sourcemac, hlpmac,
++ ETH_ALEN), EBT_ISOURCE) )
++ goto letscontinue;
++ }
++
++ if (point->bitmask & EBT_DESTMAC) {
++ for (j = 0; j < 6; j++)
++ hlpmac[j] = ((**pskb).mac.ethernet)->
++ h_dest[j] & point->destmsk[j];
++ if (FWINV(!!memcmp(point->destmac, hlpmac,
++ ETH_ALEN), EBT_IDEST) )
++ goto letscontinue;
++ }
+
+ if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in,
+ out, counter_base + i) != 0)
+--- linux/include/linux/netfilter_bridge/ebtables.h Fri May 3 20:37:08 2002
++++ ebt2.0pre5.001/include/linux/netfilter_bridge/ebtables.h Thu May 2 19:01:09 2002
+@@ -136,7 +136,9 @@
+ // the logical out-dev
+ __u8 logical_out[IFNAMSIZ];
+ __u8 sourcemac[ETH_ALEN];
++ __u8 sourcemsk[ETH_ALEN];
+ __u8 destmac[ETH_ALEN];
++ __u8 destmsk[ETH_ALEN];
+ // sizeof ebt_entry + matches
+ __u16 watchers_offset;
+ // sizeof ebt_entry + matches + watchers
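Review bot: The new EBT_SOURCEMAC and EBT_DESTMAC branches mask only the packet address (`hlpmac[j] = h_source[j] & point->sourcemsk[j]`) and then memcmp() it against the unmasked rule address, so a rule whose sourcemac/destmac has bits set outside its mask can never match (or, with the inverse flag, always matches) unless userspace has already normalised the address; nothing in this hunk enforces that and the entry check routine is outside it. Masking both sides removes that dependency and the temporary buffer, and the loop bound and `hlpmac[6]` should use `ETH_ALEN`, which the same lines already pass to memcmp. The sketch below is for the source branch; the destination branch is the same transformation with h_dest/destmac/destmsk and EBT_IDEST, after which `char hlpmac[6];` becomes unused.

```c
			if (point->bitmask & EBT_SOURCEMAC) {
				for (j = 0; j < ETH_ALEN; j++)
					if ((((**pskb).mac.ethernet)->h_source[j]
					     ^ point->sourcemac[j]) & point->sourcemsk[j])
						break;
				if (FWINV(j != ETH_ALEN, EBT_ISOURCE))
					goto letscontinue;
			}
			/* … unchanged: EBT_DESTMAC branch, same transformation … */
```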
@@ -0,0 +1,12 @@
+--- linux/net/Config.in Mon May 20 12:15:38 2002
++++ ebt2.0pre6/net/Config.in Mon May 20 11:58:15 2002
+@@ -60,7 +60,9 @@
+ source net/decnet/Config.in
+ fi
+ dep_tristate '802.1d Ethernet Bridging' CONFIG_BRIDGE $CONFIG_INET
++if [ "$CONFIG_BRIDGE" != "n" -a "$CONFIG_NETFILTER" != "n" ]; then
+ source net/bridge/netfilter/Config.in
++fi
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ if [ "$CONFIG_BRIDGE" != "n" -a "$CONFIG_NETFILTER" != "n" ]; then
+ bool ' netfilter (firewalling) support' CONFIG_BRIDGE_NF
diff --git a/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre7.001.diff b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre7.001.diff
new file mode 100644
index 0000000..edfe983
--- /dev/null
+++ b/kernel/patches/incremental-patches/ebtables-v2.0_vs_2.4.18.pre7.001.diff
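Review bot: The new `if [ "$CONFIG_BRIDGE" != "n" -a "$CONFIG_NETFILTER" != "n" ]; then` guard repeats, word for word, the condition that already sits inside the CONFIG_EXPERIMENTAL block three lines below, so the same dependency is now stated twice. If the ebtables options are deliberately not EXPERIMENTAL-gated the duplication is unavoidable, but that intent is not visible; a comment above the new `if`, e.g. `# ebtables options need both CONFIG_BRIDGE and CONFIG_NETFILTER; unlike CONFIG_BRIDGE_NF they are not EXPERIMENTAL`, would make it explicit.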
@@ -0,0 +1,172 @@
+diff -Naur linux-2.4.18-br-nf-ebt/include/linux/netfilter_bridge/ebt_vlan.h linux/include/linux/netfilter_bridge/ebt_vlan.h
+--- linux-2.4.18-br-nf-ebt/include/linux/netfilter_bridge/ebt_vlan.h Thu Jan 1 03:00:00 1970
++++ linux/include/linux/netfilter_bridge/ebt_vlan.h Tue May 21 21:04:15 2002
+@@ -0,0 +1,18 @@
++#ifndef __LINUX_BRIDGE_EBT_VLAN_H
++#define __LINUX_BRIDGE_EBT_VLAN_H
++
++#define EBT_VLAN_ID 0x01
++#define EBT_VLAN_PRIO 0x02
++#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO)
++#define EBT_VLAN_MATCH "vlan"
++
++struct ebt_vlan_info {
++ __u16 id; /* VLAN ID {1-4095} */
++ __u16 prio; /* VLAN Priority {0-7} */
++ __u8 bitmask; /* Args bitmask bit 1=1 - ID arg,
++ bit 2=1 - Pirority arg */
++ __u8 invflags; /* Inverse bitmask bit 1=1 - inversed ID arg,
++ bit 2=1 - inversed Pirority arg */
++};
++
++#endif
+diff -Naur linux-2.4.18-br-nf-ebt/net/bridge/netfilter/Config.in linux/net/bridge/netfilter/Config.in
+--- linux-2.4.18-br-nf-ebt/net/bridge/netfilter/Config.in Tue May 28 19:20:41 2002
++++ linux/net/bridge/netfilter/Config.in Tue May 28 19:22:22 2002
+@@ -8,6 +8,7 @@
+ dep_tristate ' ebt: LOG support' CONFIG_BRIDGE_EBT_LOG $CONFIG_BRIDGE_EBT
+ dep_tristate ' ebt: IP filter support' CONFIG_BRIDGE_EBT_IPF $CONFIG_BRIDGE_EBT
+ dep_tristate ' ebt: ARP filter support' CONFIG_BRIDGE_EBT_ARPF $CONFIG_BRIDGE_EBT
++dep_tristate ' ebt: 802.1Q VLAN filter support (EXPERIMENTAL)' CONFIG_BRIDGE_EBT_VLANF $CONFIG_BRIDGE_EBT
+ dep_tristate ' ebt: nat target support' CONFIG_BRIDGE_EBT_NAT $CONFIG_BRIDGE_EBT
+ dep_tristate ' ebt: redirect target support' CONFIG_BRIDGE_EBT_REDIRECT $CONFIG_BRIDGE_EBT
+ dep_tristate ' Bridge: ethernet database' CONFIG_BRIDGE_DB $CONFIG_BRIDGE
+diff -Naur linux-2.4.18-br-nf-ebt/net/bridge/netfilter/Makefile linux/net/bridge/netfilter/Makefile
+--- linux-2.4.18-br-nf-ebt/net/bridge/netfilter/Makefile Tue May 28 19:20:41 2002
++++ linux/net/bridge/netfilter/Makefile Thu May 30 11:21:10 2002
+@@ -18,6 +18,7 @@
+ obj-$(CONFIG_BRIDGE_DB) += br_db.o
+ obj-$(CONFIG_BRIDGE_EBT_IPF) += ebt_ip.o
+ obj-$(CONFIG_BRIDGE_EBT_ARPF) += ebt_arp.o
++obj-$(CONFIG_BRIDGE_EBT_VLANF) += ebt_vlan.o
+ obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o
+ obj-$(CONFIG_BRIDGE_EBT_NAT) += ebt_nat.o
+ obj-$(CONFIG_BRIDGE_EBT_REDIRECT) += ebt_redirect.o
+diff -Naur linux-2.4.18-br-nf-ebt/net/bridge/netfilter/ebt_vlan.c linux/net/bridge/netfilter/ebt_vlan.c
+--- linux-2.4.18-br-nf-ebt/net/bridge/netfilter/ebt_vlan.c Thu Jan 1 03:00:00 1970
++++ linux/net/bridge/netfilter/ebt_vlan.c Wed May 29 11:48:38 2002
+@@ -0,0 +1,124 @@
++/*
++ * ebt_vlan kernelspace
++ *
++ * Authors:
++ * Bart De Schuymer
++ * Nick Fedchik
++ *
++ * May, 2002
++ */
++
++#include
++#include
++#include
++#include
++#include
++
++static unsigned char debug;
++MODULE_PARM (debug, "0-1b");
++MODULE_PARM_DESC (debug, "debug=1 is turn on debug messages");
++
++static int ebt_filter_vlan (const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *data,
++ unsigned int datalen,
++ const struct ebt_counter *c)
++{
++ struct ebt_vlan_info *infostuff = (struct ebt_vlan_info *) data;
++ struct vlan_ethhdr *vlanethhdr =
++ (struct vlan_ethhdr *) skb->mac.raw;
++ unsigned short v_id;
++ unsigned short v_prio;
++
++ /*
++ * Calculate 802.1Q VLAN ID and Priority
++ * Reserved one bit (13) for CFI
++ */
++ v_id = ntohs ((unsigned short) vlanethhdr->h_vlan_TCI) & 0xFFF;
++ v_prio = ntohs ((unsigned short) vlanethhdr->h_vlan_TCI) >> 13;
++
++ /*
++ * Checking VLANs
++ */
++ if (infostuff->bitmask & EBT_VLAN_ID) { /* Is VLAN ID parsed? */
++ if (!((infostuff->id == v_id)
++ ^ !!(infostuff->invflags & EBT_VLAN_ID)))
++ return 1;
++ if (debug)
++ printk (KERN_DEBUG
++ "ebt_vlan: matched ID=%s%d (mask=%X)\n",
++ (infostuff->invflags & EBT_VLAN_ID) ? "!" : "",
++ infostuff->id,
++ (unsigned char) infostuff->bitmask);
++ }
++ /*
++ * Checking Priority
++ */
++ if (infostuff->bitmask & EBT_VLAN_PRIO) { /* Is VLAN Prio parsed? */
++ if (!( (infostuff->prio == v_prio)
++ ^ !!(infostuff->invflags & EBT_VLAN_PRIO)))
++ return 1; /* missed */
++ if (debug)
++ printk (KERN_DEBUG
++ "ebt_vlan: matched Prio=%s%d (mask=%X)\n",
++ (infostuff->invflags & EBT_VLAN_PRIO) ? "!" : "",
++ infostuff->prio,
++ (unsigned char) infostuff->bitmask);
++ }
++ /*
++ * rule matched
++ */
++ return 0;
++}
++
++/*
++ * ebt_vlan_check() is called when userspace delivers the table to the kernel,
++ * * it is called to check that userspace doesn't give a bad table.
++ */
++static int ebt_vlan_check (const char *tablename, unsigned int hooknr,
++ const struct ebt_entry *e, void *data,
++ unsigned int datalen)
++{
++ struct ebt_vlan_info *infostuff = (struct ebt_vlan_info *) data;
++
++ if (datalen != sizeof (struct ebt_vlan_info))
++ return -EINVAL;
++
++ if (e->ethproto != __constant_htons (ETH_P_8021Q))
++ return -EINVAL;
++
++ if (infostuff->bitmask & ~EBT_VLAN_MASK) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
++static struct ebt_match filter_vlan = {
++ {NULL, NULL}, EBT_VLAN_MATCH, ebt_filter_vlan, ebt_vlan_check,
++ NULL,
++ THIS_MODULE
++};
++
++static int __init init (void)
++{
++ printk (KERN_INFO
++ "ebt_vlan: 802.1Q VLAN matching module for EBTables\n");
++ if (debug)
++ printk (KERN_DEBUG
++ "ebt_vlan: 802.1Q matching debug is on\n");
++ return ebt_register_match (&filter_vlan);
++}
++
++static void __exit fini (void)
++{
++ ebt_unregister_match (&filter_vlan);
++}
++
++module_init (init);
++module_exit (fini);
++EXPORT_NO_SYMBOLS;
++MODULE_AUTHOR ("Nick Fedchik ");
++MODULE_DESCRIPTION ("802.1Q VLAN matching module for ebtables, v0.1");
++MODULE_LICENSE ("GPL");
-- cgit v1.2.3