From 6e4f5e7c40632b07099a0acd12a63d7a510e2654 Mon Sep 17 00:00:00 2001 From: Bart De Schuymer Date: Tue, 1 Apr 2003 19:13:32 +0000 Subject: *** empty log message *** --- .../v2.0/ebtables-v2.0.3.001.diff | 1796 ++++++++++++++++++++ .../patches/zipped/v2.0/ebtables-v2.0.3.tar.gz | Bin 0 -> 60884 bytes 2 files changed, 1796 insertions(+) create mode 100644 userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff create mode 100644 userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz (limited to 'userspace') diff --git a/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff b/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff new file mode 100644 index 0000000..8973955 --- /dev/null +++ b/userspace/patches/incremental-patches/v2.0/ebtables-v2.0.3.001.diff @@ -0,0 +1,1796 @@ +--- ebtables-v2.0.2/Makefile Sat Dec 7 13:09:40 2002 ++++ ebtables-v2.0.3/Makefile Tue Apr 1 22:12:30 2003 +@@ -1,8 +1,8 @@ + # ebtables Makefile + + PROGNAME:=ebtables +-PROGVERSION:=2.0.2 +-PROGDATE:=December\ 2002 ++PROGVERSION:=2.0.3 ++PROGDATE:=April\ 2003 + + MANDIR?=/usr/local/man + CFLAGS:=-Wall -Wunused +@@ -12,20 +12,13 @@ + + OBJECTS:=getethertype.o ebtables.o communication.o $(EXT_OBJS) + +-# Use the option NONSTANDARD=y when you don't want to use the kernel includes +-# that are included in this package. You should set KERNEL_INCLUDES to +-# the right directory (eg /usr/src/linux/include). +-# You should only need this when compiling the CVS or when adding new code. +-ifeq ($(NONSTANDARD), y) +-KERNEL_INCLUDES?=/usr/include/ +-else +-KERNEL_INCLUDES:=include/ +-endif +- +-ifeq ($(ETHERTYPESPATH),) +-ETHERTYPESPATH:=/etc/ +-endif +-ETHERTYPESFILE:=$(ETHERTYPESPATH)ethertypes ++KERNEL_INCLUDES?=include/ ++ ++ETHERTYPESPATH?=/etc/ ++ETHERTYPESFILE:=$(ETHERTYPESPATH)/ethertypes ++ ++BINPATH?=/sbin/ ++BINFILE:=$(BINPATH)ebtables + + PROGSPECS:=-DPROGVERSION=\"$(PROGVERSION)\" \ + -DPROGNAME=\"$(PROGNAME)\" \ +@@ -57,10 +50,10 @@ + + .PHONY: exec + exec: ebtables +- install -m 0755 -o root -g root $< /sbin/ebtables ++ install -m 0755 -o root -g root $< $(BINFILE) + + .PHONY: install +-install: $(MANDIR)/man8/ebtables.8 ebtables $(ETHERTYPESFILE) exec ++install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec + + .PHONY: clean + clean: +--- ebtables-v2.0.2/ebtables.c Tue Dec 3 22:52:12 2002 ++++ ebtables-v2.0.3/ebtables.c Tue Apr 1 20:08:15 2003 +@@ -52,6 +52,8 @@ + #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" + #endif + #define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE" ++#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n") ++ + + char *hooknames[NF_BR_NUMHOOKS] = + { +@@ -201,8 +203,10 @@ + strcpy(e->logical_out, ""); + e->m_list = NULL; + e->w_list = NULL; +- // the init function of the standard target should have put the verdict +- // on CONTINUE ++ /* ++ * the init function of the standard target should have put the verdict ++ * on CONTINUE ++ */ + e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET); + if (!e->t) + print_bug("Couldn't load standard target"); +@@ -293,7 +297,7 @@ + merge[num_old + i].val += *options_offset; + } + memset(merge + num_old + num_new, 0, sizeof(struct option)); +- // only free dynamically allocated stuff ++ /* only free dynamically allocated stuff */ + if (oldopts != ebt_original_options) + free(oldopts); + +@@ -398,7 +402,7 @@ + char *buf = NULL; + char *argv[3]; + +- // If they don't explicitly set it, read out of kernel ++ /* If they don't explicitly set it, read out of kernel */ + if (!modprobe) { + buf = get_modprobe(); + if (!buf) +@@ -426,6 +430,37 @@ + return 0; + } + ++static void list_extensions() ++{ ++ struct ebt_u_table *tbl = tables; ++ struct ebt_u_target *t = targets; ++ struct ebt_u_match *m = matches; ++ struct ebt_u_watcher *w = watchers; ++ ++ PRINT_VERSION; ++ printf("Supported userspace extensions:\n\nSupported tables:\n"); ++ while(tbl) { ++ printf("%s\n", tbl->name); ++ tbl = tbl->next; ++ } ++ printf("\nSupported targets:\n"); ++ while(t) { ++ printf("%s\n", t->name); ++ t = t->next; ++ } ++ printf("\nSupported matches:\n"); ++ while(m) { ++ printf("%s\n", m->name); ++ m = m->next; ++ } ++ printf("\nSupported watchers:\n"); ++ while(w) { ++ printf("%s\n", w->name); ++ w = w->next; ++ } ++ exit(0); ++} ++ + /* + * we use replace.flags, so we can't use the following values: + * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO +@@ -465,7 +500,7 @@ + for (i = 0; i < entries->nentries; i++) { + if (replace.flags & LIST_N) { + digits = 0; +- // A little work to get nice rule numbers. ++ /* A little work to get nice rule numbers. */ + j = i + 1; + while (j > 9) { + digits++; +@@ -776,7 +811,8 @@ + struct ebt_u_match_list *m_l; + struct ebt_u_watcher_list *w_l; + +- printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n" ++ PRINT_VERSION; ++ printf( + "Usage:\n" + "ebtables -[ADI] chain rule-specification [options]\n" + "ebtables -P chain target\n" +@@ -799,7 +835,7 @@ + "--atomic-commit : update the kernel w/t table contained in \n" + "--atomic-init : put the initial kernel table into \n" + "--atomic-save : put the current kernel table into \n" +-"--atomic file : set to file\n\n" ++"--atomic-file file : set to file\n\n" + "Options:\n" + "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" + "--src -s [!] address[/mask]: source mac address\n" +@@ -1140,7 +1176,7 @@ + return -1; + } + +-// execute command A or I ++/* execute command A or I */ + static void add_rule(int rule_nr) + { + int i, j; +@@ -1301,7 +1337,7 @@ + while(j--) { + u_e2 = *u_e; + *u_e = (*u_e)->next; +- // free everything ++ /* free everything */ + free_u_entry(u_e2); + free(u_e2); + } +@@ -1473,14 +1509,20 @@ + e = entries->entries; + j = 0; + while (e) { ++ int chain_jmp; ++ + j++; + if (strcmp(e->t->u.name, EBT_STANDARD_TARGET)) { + e = e->next; + continue; + } +- if (((struct ebt_standard_target *)e->t)->verdict == chain_nr) ++ chain_jmp = ((struct ebt_standard_target *)e->t)->verdict; ++ if (chain_jmp == chain_nr) + print_error("Can't delete the chain, it's referenced " + "in chain %s, rule %d", entries->name, j); ++ /* adjust the chain jumps when necessary */ ++ if (chain_jmp > chain_nr) ++ ((struct ebt_standard_target *)e->t)->verdict--; + e = e->next; + } + } +@@ -1698,7 +1740,9 @@ + if (replace.selected_hook < NF_BR_NUMHOOKS) + print_error("You can't remove a standard chain"); + /* +- * if the chain is referenced, don't delete it ++ * if the chain is referenced, don't delete it, ++ * also decrement jumps to a chain behind the ++ * one we're deleting + */ + check_for_references(replace.selected_hook - NF_BR_NUMHOOKS); + flush_chains(); +@@ -1791,7 +1835,7 @@ + replace.command = 'V'; + if (replace.flags & OPT_COMMAND) + print_error("Multiple commands not allowed"); +- printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n"); ++ PRINT_VERSION; + exit(0); + + case 'M': /* modprobe */ +@@ -1811,6 +1855,10 @@ + struct ebt_u_match *m; + struct ebt_u_watcher *w; + ++ if (!strcasecmp("list_extensions", ++ argv[optind])) ++ list_extensions(); ++ + if ((m = find_match(argv[optind]))) + add_match(m); + else if ((w = find_watcher(argv[optind]))) +@@ -2034,7 +2082,7 @@ + " or equal to 0x0600"); + break; + +- case 4 : // Lc ++ case 4 : /* Lc */ + check_option(&replace.flags, LIST_C); + if (replace.command != 'L') + print_error("Use --Lc with -L"); +@@ -2042,7 +2090,7 @@ + print_error("--Lx not compatible with --Lc"); + replace.flags |= LIST_C; + break; +- case 5 : // Ln ++ case 5 : /* Ln */ + check_option(&replace.flags, LIST_N); + if (replace.command != 'L') + print_error("Use --Ln with -L"); +@@ -2050,7 +2098,7 @@ + print_error("--Lx not compatible with --Ln"); + replace.flags |= LIST_N; + break; +- case 6 : // Lx ++ case 6 : /* Lx */ + check_option(&replace.flags, LIST_X); + if (replace.command != 'L') + print_error("Use --Lx with -L"); +@@ -2060,7 +2108,7 @@ + print_error("--Lx not compatible with --Ln"); + replace.flags |= LIST_X; + break; +- case 8 : // atomic-commit ++ case 8 : /* atomic-commit */ + replace.command = c; + if (replace.flags & OPT_COMMAND) + print_error("Multiple commands not allowed"); +--- ebtables-v2.0.2/communication.c Sat Aug 24 23:01:36 2002 ++++ ebtables-v2.0.3/communication.c Tue Apr 1 20:08:23 2003 +@@ -5,11 +5,13 @@ + * + */ + +-// All the userspace/kernel communication is in this file. +-// The other code should not have to know anything about the way the +-// kernel likes the structure of the table data. +-// The other code works with linked lists, lots of linked lists. +-// So, the translation is done here. ++/* ++ * All the userspace/kernel communication is in this file. ++ * The other code should not have to know anything about the way the ++ * kernel likes the structure of the table data. ++ * The other code works with linked lists, lots of linked lists. ++ * So, the translation is done here. ++ */ + + #include + #include +@@ -54,7 +56,7 @@ + new->nentries = u_repl->nentries; + new->num_counters = u_repl->num_counters; + new->counters = u_repl->counters; +- // determine nr of udc ++ /* determine nr of udc */ + i = 0; + cl = u_repl->udc; + while (cl) { +@@ -63,7 +65,7 @@ + } + i += NF_BR_NUMHOOKS; + chain_offsets = (unsigned int *)malloc(i * sizeof(unsigned int)); +- // determine size ++ /* determine size */ + i = 0; + cl = u_repl->udc; + while (1) { +@@ -101,7 +103,7 @@ + sizeof(struct ebt_entry_target); + e = e->next; + } +- // a little sanity check ++ /* a little sanity check */ + if (j != entries->nentries) + print_bug("Wrong nentries: %d != %d, hook = %s", j, + entries->nentries, entries->name); +@@ -115,7 +117,7 @@ + if (!new->entries) + print_memory(); + +- // put everything in one block ++ /* put everything in one block */ + p = new->entries; + i = 0; + cl = u_repl->udc; +@@ -139,7 +141,7 @@ + hlp->policy = entries->policy; + strcpy(hlp->name, entries->name); + hlp->counter_offset = entries->counter_offset; +- hlp->distinguisher = 0; // make the kernel see the light ++ hlp->distinguisher = 0; /* make the kernel see the light */ + p += sizeof(struct ebt_entries); + e = entries->entries; + while (e) { +@@ -184,7 +186,7 @@ + if (!strcmp(e->t->u.name, EBT_STANDARD_TARGET)) { + struct ebt_standard_target *st = + (struct ebt_standard_target *)p; +- // translate the jump to a udc ++ /* translate the jump to a udc */ + if (st->verdict >= 0) + st->verdict = chain_offsets + [st->verdict + NF_BR_NUMHOOKS]; +@@ -199,7 +201,7 @@ + i++; + } + +- // sanity check ++ /* sanity check */ + if (p - new->entries != new->entries_size) + print_bug("Entries_size bug"); + free(chain_offsets); +@@ -212,7 +214,7 @@ + int size; + FILE *file; + +- // start from an empty file with right priviliges ++ /* start from an empty file with right priviliges */ + command = (char *)malloc(strlen(filename) + 15); + if (!command) + print_memory(); +@@ -234,7 +236,7 @@ + memcpy(data, repl, sizeof(struct ebt_replace)); + memcpy(data + sizeof(struct ebt_replace), repl->entries, + repl->entries_size); +- // initialize counters to zero, deliver_counters() can update them ++ /* initialize counters to zero, deliver_counters() can update them */ + memset(data + sizeof(struct ebt_replace) + repl->entries_size, + 0, repl->nentries * sizeof(struct ebt_counter)); + if (!(file = fopen(filename, "wb"))) +@@ -252,13 +254,13 @@ + socklen_t optlen; + struct ebt_replace *repl; + +- // translate the struct ebt_u_replace to a struct ebt_replace ++ /* translate the struct ebt_u_replace to a struct ebt_replace */ + repl = translate_user2kernel(u_repl); + if (u_repl->filename != NULL) { + store_table_in_file(u_repl->filename, repl); + return; + } +- // give the data to the kernel ++ /* give the data to the kernel */ + optlen = sizeof(struct ebt_replace) + repl->entries_size; + get_sockfd(); + if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen)) +@@ -276,7 +278,10 @@ + + if (!(file = fopen(filename, "r+b"))) + print_error("Could not open file %s", filename); +- // find out entries_size and then set the file pointer to the counters ++ /* ++ * find out entries_size and then set the file pointer to the ++ * counters ++ */ + if (fseek(file, (char *)(&hlp.entries_size) - (char *)(&hlp), SEEK_SET) + || fread(&entries_size, sizeof(char), sizeof(unsigned int), file) != + sizeof(unsigned int) || +@@ -291,9 +296,8 @@ + fclose(file); + } + +-// gets executed after deliver_table +-void +-deliver_counters(struct ebt_u_replace *u_repl) ++/* gets executed after deliver_table */ ++void deliver_counters(struct ebt_u_replace *u_repl) + { + unsigned short *point; + struct ebt_counter *old, *new, *newcounters; +@@ -314,21 +318,23 @@ + point = counterchanges; + while (*point != CNT_END) { + if (*point == CNT_NORM) { +- // 'normal' rule, meaning we didn't do anything to it +- // So, we just copy ++ /* ++ *'normal' rule, meaning we didn't do anything to it ++ * So, we just copy ++ */ + new->pcnt = old->pcnt; +- // we've used an old counter ++ /* we've used an old counter */ + old++; +- // we've set a new counter ++ /* we've set a new counter */ + new++; + } else if (*point == CNT_DEL) { +- // don't use this old counter ++ /* don't use this old counter */ + old++; + } else if (*point == CNT_ADD) { +- // new counter, let it stay 0 ++ /* new counter, let it stay 0 */ + new++; + } else { +- // zero it (let it stay 0) ++ /* zero it (let it stay 0) */ + old++; + new++; + } +@@ -344,7 +350,7 @@ + } + optlen = u_repl->nentries * sizeof(struct ebt_counter) + + sizeof(struct ebt_replace); +- // now put the stuff in the kernel's struct ebt_replace ++ /* now put the stuff in the kernel's struct ebt_replace */ + repl.counters = u_repl->counters; + repl.num_counters = u_repl->num_counters; + memcpy(repl.name, u_repl->name, sizeof(repl.name)); +@@ -406,7 +412,7 @@ + int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, + unsigned int valid_hooks, char *base) + { +- // an entry ++ /* an entry */ + if (e->bitmask & EBT_ENTRY_OR_ENTRIES) { + struct ebt_u_entry *new; + struct ebt_u_match_list **m_l; +@@ -417,7 +423,10 @@ + if (!new) + print_memory(); + new->bitmask = e->bitmask; +- // plain userspace code doesn't know about EBT_ENTRY_OR_ENTRIES ++ /* ++ * plain userspace code doesn't know about ++ * EBT_ENTRY_OR_ENTRIES ++ */ + new->bitmask &= ~EBT_ENTRY_OR_ENTRIES; + new->invflags = e->invflags; + new->ethproto = e->ethproto; +@@ -447,7 +456,7 @@ + "userspace tool", t->u.name); + memcpy(new->t, t, t->target_size + + sizeof(struct ebt_entry_target)); +- // deal with jumps to udc ++ /* deal with jumps to udc */ + if (!strcmp(t->u.name, EBT_STANDARD_TARGET)) { + char *tmp = base; + int verdict = ((struct ebt_standard_target *)t)->verdict; +@@ -468,13 +477,13 @@ + } + } + +- // I love pointers ++ /* I love pointers */ + **u_e = new; + *u_e = &new->next; + (*cnt)++; + (*totalcnt)++; + return 0; +- } else { // a new chain ++ } else { /* a new chain */ + int i; + struct ebt_entries *entries = (struct ebt_entries *)e; + struct ebt_u_chain_list *cl; +@@ -487,8 +496,8 @@ + if (valid_hooks & (1 << i)) + break; + *hook = i; +- // makes use of fact that standard chains come before udc +- if (i >= NF_BR_NUMHOOKS) { // udc ++ /* makes use of fact that standard chains come before udc */ ++ if (i >= NF_BR_NUMHOOKS) { /* udc */ + i -= NF_BR_NUMHOOKS; + cl = u_repl->udc; + while (i-- > 0) +@@ -500,7 +509,7 @@ + } + } + +-// initialize all chain headers ++/* initialize all chain headers */ + static int + ebt_translate_chains(struct ebt_entry *e, unsigned int *hook, + struct ebt_u_replace *u_repl, unsigned int valid_hooks) +@@ -514,10 +523,10 @@ + for (i = *hook + 1; i < NF_BR_NUMHOOKS; i++) + if (valid_hooks & (1 << i)) + break; +- // makes use of fact that standard chains come before udc +- if (i >= NF_BR_NUMHOOKS) { // udc ++ /* makes use of fact that standard chains come before udc */ ++ if (i >= NF_BR_NUMHOOKS) { /* udc */ + chain_list = &u_repl->udc; +- // add in the back ++ /* add in the back */ + while (*chain_list) + chain_list = &((*chain_list)->next); + *chain_list = (struct ebt_u_chain_list *) +@@ -530,8 +539,10 @@ + if (!((*chain_list)->udc)) + print_memory(); + new = (*chain_list)->udc; +- // ebt_translate_entry depends on this for knowing +- // to which chain is being jumped ++ /* ++ * ebt_translate_entry depends on this for knowing ++ * to which chain is being jumped ++ */ + (*chain_list)->kernel_start = (char *)e; + } else { + *hook = i; +@@ -559,7 +570,9 @@ + + if (!(file = fopen(filename, "r+b"))) + print_error("Could not open file %s", filename); +- // make sure table name is right if command isn't -L or --atomic-commit ++ /* ++ * make sure table name is right if command isn't -L or --atomic-commit ++ */ + if (command != 'L' && command != 8) { + hlp = (char *)malloc(strlen(repl->name) + 1); + if (!hlp) +@@ -596,7 +609,7 @@ + print_memory(); + } else + repl->counters = NULL; +- // copy entries and counters ++ /* copy entries and counters */ + if (fseek(file, sizeof(struct ebt_replace), SEEK_SET) || + fread(repl->entries, sizeof(char), repl->entries_size, file) + != repl->entries_size || +@@ -617,7 +630,7 @@ + + optlen = sizeof(struct ebt_replace); + get_sockfd(); +- // --atomic-init || --init-table ++ /* --atomic-init || --init-table */ + if (command == 7 || command == 11) + optname = EBT_SO_GET_INIT_INFO; + else +@@ -635,7 +648,7 @@ + else + repl->counters = NULL; + +- // we want to receive the counters ++ /* we want to receive the counters */ + repl->num_counters = repl->nentries; + optlen += repl->entries_size + repl->num_counters * + sizeof(struct ebt_counter); +@@ -658,12 +671,14 @@ + strcpy(repl.name, u_repl->name); + if (u_repl->filename != NULL) { + retrieve_from_file(u_repl->filename, &repl, u_repl->command); +- // -L with a wrong table name should be dealt with silently ++ /* ++ * -L with a wrong table name should be dealt with silently ++ */ + strcpy(u_repl->name, repl.name); + } else if (retrieve_from_kernel(&repl, u_repl->command) == -1) + return -1; + +- // translate the struct ebt_replace to a struct ebt_u_replace ++ /* translate the struct ebt_replace to a struct ebt_u_replace */ + u_repl->valid_hooks = repl.valid_hooks; + u_repl->nentries = repl.nentries; + u_repl->num_counters = repl.num_counters; +@@ -672,10 +687,13 @@ + hook = -1; + EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_chains, + &hook, u_repl, u_repl->valid_hooks); +- i = 0; // holds the expected nr. of entries for the chain +- j = 0; // holds the up to now counted entries for the chain +- k = 0; // holds the total nr. of entries, +- // should equal u_repl->nentries afterwards ++ i = 0; /* holds the expected nr. of entries for the chain */ ++ j = 0; /* holds the up to now counted entries for the chain */ ++ /* ++ * holds the total nr. of entries, ++ * should equal u_repl->nentries afterwards ++ */ ++ k = 0; + hook = -1; + EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, + &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks, repl.entries); +--- ebtables-v2.0.2/extensions/ebt_ip.c Thu Oct 17 23:21:16 2002 ++++ ebtables-v2.0.3/extensions/ebt_ip.c Tue Apr 1 09:39:24 2003 +@@ -2,7 +2,7 @@ + * ebtables ebt_ip: IP extension module for userspace + * + * Authors: +- * Bart De Schuymer ++ * Bart De Schuymer + * + * Changes: + * added ip-sport and ip-dport; parsing of port arguments is +@@ -36,7 +36,7 @@ + + #define IP_SOURCE '1' + #define IP_DEST '2' +-#define IP_myTOS '3' // include/bits/in.h seems to already define IP_TOS ++#define IP_myTOS '3' /* include/bits/in.h seems to already define IP_TOS */ + #define IP_PROTO '4' + #define IP_SPORT '5' + #define IP_DPORT '6' +@@ -57,7 +57,7 @@ + { 0 } + }; + +-// put the ip string into 4 bytes ++/* put the ip string into 4 bytes */ + static int undot_ip(char *ip, unsigned char *ip2) + { + char *p, *q, *end; +@@ -87,7 +87,7 @@ + return 0; + } + +-// put the mask into 4 bytes ++/* put the mask into 4 bytes */ + static int ip_mask(char *mask, unsigned char *mask2) + { + char *end; +@@ -95,7 +95,7 @@ + uint32_t mask22; + + if (undot_ip(mask, mask2)) { +- // not the /a.b.c.e format, maybe the /x format ++ /* not the /a.b.c.e format, maybe the /x format */ + bits = strtol(mask, &end, 10); + if (*end != '\0' || bits > 32 || bits < 0) + return -1; +@@ -110,12 +110,12 @@ + return 0; + } + +-// set the ip mask and ip address ++/* set the ip mask and ip address */ + void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) + { + char *p; + +- // first the mask ++ /* first the mask */ + if ((p = strrchr(address, '/')) != NULL) { + *p = '\0'; + if (ip_mask(p + 1, (unsigned char *)msk)) +@@ -129,7 +129,7 @@ + *addr = *addr & *msk; + } + +-// transform the ip mask into a string ready for output ++/* transform the ip mask into a string ready for output */ + char *mask_to_dotted(uint32_t mask) + { + int i; +@@ -138,14 +138,14 @@ + + maskaddr = ntohl(mask); + +- // don't print /32 ++ /* don't print /32 */ + if (mask == 0xFFFFFFFFL) { + *buf = '\0'; + return buf; + } + + i = 32; +- bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with ++ bits = 0xFFFFFFFEL; /* case 0xFFFFFFFF has just been dealt with */ + while (--i >= 0 && maskaddr != bits) + bits <<= 1; + +@@ -154,7 +154,7 @@ + else if (!i) + *buf = '\0'; + else +- // mask was not a decent combination of 1's and 0's ++ /* mask was not a decent combination of 1's and 0's */ + sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], + ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2], + ((unsigned char *)&mask)[3]); +@@ -162,7 +162,7 @@ + return buf; + } + +-// transform a protocol and service name into a port number ++/* transform a protocol and service name into a port number */ + static uint16_t parse_port(const char *protocol, const char *name) + { + struct servent *service; +@@ -313,10 +313,19 @@ + ipinfo->invflags |= EBT_IP_PROTO; + if (optind > argc) + print_error("Missing IP protocol argument"); +- i = strtol(argv[optind - 1], &end, 10); +- if (i < 0 || i > 255 || *end != '\0') +- print_error("Problem with specified IP protocol"); +- ipinfo->protocol = i; ++ (unsigned char) i = strtoul(argv[optind - 1], &end, 10); ++ if (*end != '\0') { ++ struct protoent *pe; ++ ++ pe = getprotobyname(argv[optind - 1]); ++ if (pe == NULL) ++ print_error ++ ("Unknown specified IP protocol - %s", ++ argv[optind - 1]); ++ ipinfo->protocol = pe->p_proto; ++ } else { ++ ipinfo->protocol = (unsigned char) i; ++ } + ipinfo->bitmask |= EBT_IP_PROTO; + break; + default: +@@ -335,13 +344,13 @@ + print_error("For IP filtering the protocol must be " + "specified as IPv4"); + +- if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && +- (!ipinfo->bitmask & EBT_IP_PROTO || +- ipinfo->invflags & EBT_IP_PROTO || +- (ipinfo->protocol!=IPPROTO_TCP && +- ipinfo->protocol!=IPPROTO_UDP))) +- print_error("For port filtering the IP protocol must be " +- "either 6 (tcp) or 17 (udp)"); ++ if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && ++ (!(ipinfo->bitmask & EBT_IP_PROTO) || ++ ipinfo->invflags & EBT_IP_PROTO || ++ (ipinfo->protocol!=IPPROTO_TCP && ++ ipinfo->protocol!=IPPROTO_UDP))) ++ print_error("For port filtering the IP protocol must be " ++ "either 6 (tcp) or 17 (udp)"); + } + + static void print(const struct ebt_u_entry *entry, +@@ -375,10 +384,17 @@ + printf("0x%02X ", ipinfo->tos); + } + if (ipinfo->bitmask & EBT_IP_PROTO) { ++ struct protoent *pe; ++ + printf("--ip-proto "); + if (ipinfo->invflags & EBT_IP_PROTO) + printf("! "); +- printf("%d ", ipinfo->protocol); ++ pe = getprotobynumber(ipinfo->protocol); ++ if (pe == NULL) { ++ printf("%d ", ipinfo->protocol); ++ } else { ++ printf("%s ", pe->p_name); ++ } + } + if (ipinfo->bitmask & EBT_IP_SPORT) { + printf("--ip-sport "); +@@ -427,11 +443,13 @@ + return 0; + } + if (ipinfo1->bitmask & EBT_IP_SPORT) { +- if (ipinfo1->sport != ipinfo2->sport) ++ if (ipinfo1->sport[0] != ipinfo2->sport[0] || ++ ipinfo1->sport[1] != ipinfo2->sport[1]) + return 0; + } + if (ipinfo1->bitmask & EBT_IP_DPORT) { +- if (ipinfo1->dport != ipinfo2->dport) ++ if (ipinfo1->dport[0] != ipinfo2->dport[0] || ++ ipinfo1->dport[1] != ipinfo2->dport[1]) + return 0; + } + return 1; +--- ebtables-v2.0.2/extensions/ebt_arp.c Fri Nov 22 20:43:47 2002 ++++ ebtables-v2.0.3/extensions/ebt_arp.c Fri Jan 10 00:20:17 2003 +@@ -23,7 +23,7 @@ + }; + + #define NUMOPCODES 9 +-// a few names ++/* a few names */ + static char *opcodes[] = + { + "Request", +@@ -64,7 +64,7 @@ + arpinfo->bitmask = 0; + } + +-// defined in ebt_ip.c ++/* defined in ebt_ip.c */ + void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk); + + #define OPT_OPCODE 0x01 +@@ -188,7 +188,7 @@ + "specified as ARP or RARP"); + } + +-// defined in the ebt_ip.c ++/* defined in the ebt_ip.c */ + char *mask_to_dotted(uint32_t mask); + + static void print(const struct ebt_u_entry *entry, +--- ebtables-v2.0.2/extensions/ebt_log.c Sat Aug 24 15:26:34 2002 ++++ ebtables-v2.0.3/extensions/ebt_log.c Fri Jan 10 00:21:41 2003 +@@ -5,16 +5,18 @@ + #include "../include/ebtables_u.h" + #include + +-// copied from syslog.h +-// used for the LOG target +-#define LOG_EMERG 0 // system is unusable +-#define LOG_ALERT 1 // action must be taken immediately +-#define LOG_CRIT 2 // critical conditions +-#define LOG_ERR 3 // error conditions +-#define LOG_WARNING 4 // warning conditions +-#define LOG_NOTICE 5 // normal but significant condition +-#define LOG_INFO 6 // informational +-#define LOG_DEBUG 7 // debug-level messages ++/* ++ * copied from syslog.h ++ * used for the LOG target ++ */ ++#define LOG_EMERG 0 /* system is unusable */ ++#define LOG_ALERT 1 /* action must be taken immediately */ ++#define LOG_CRIT 2 /* critical conditions */ ++#define LOG_ERR 3 /* error conditions */ ++#define LOG_WARNING 4 /* warning conditions */ ++#define LOG_NOTICE 5 /* normal but significant condition */ ++#define LOG_INFO 6 /* informational */ ++#define LOG_DEBUG 7 /* debug-level messages */ + + #define LOG_DEFAULT_LEVEL LOG_INFO + +@@ -41,7 +43,7 @@ + for (i = 0; i < 8; i++) + if (!strcmp(arg, eight_priority[i].c_name)) + return eight_priority[i].c_val; +- // return bad loglevel ++ /* return bad loglevel */ + return 9; + } + +--- ebtables-v2.0.2/extensions/ebt_mark_m.c Sat Aug 24 15:26:34 2002 ++++ ebtables-v2.0.3/extensions/ebt_mark_m.c Fri Jan 10 00:22:15 2003 +@@ -9,7 +9,7 @@ + + static struct option opts[] = + { +- { "mark" , required_argument, 0, MARK }, ++ { "mark", required_argument, 0, MARK }, + { 0 } + }; + +--- ebtables-v2.0.2/THANKS Sat Jun 1 21:24:51 2002 ++++ ebtables-v2.0.3/THANKS Tue Apr 1 20:15:15 2003 +@@ -1,4 +1,4 @@ +-Thanks go out to: ++Special thanks go out to these early contributors: + + Lennert Buytenhek + Rusty Russel +--- ebtables-v2.0.2/ChangeLog Tue Dec 3 23:00:45 2002 ++++ ebtables-v2.0.3/ChangeLog Tue Apr 1 20:07:24 2003 +@@ -1,3 +1,10 @@ ++20030402 ++ * fixed check bug in ebt_ip.c (report from ++ joe_judge_at_guardium.com). ++20030111 ++ * fixed problem when removing a chain (report from ++ ykphuah_at_greenpacket.com). ++ * Added --help list_extensions which, well, lists the extensions + 20021203 + * changed the way to use the atomic operations. It's now possible + to use the EBTABLES_ATOMIC_FILE environment variable, so it's no +--- ebtables-v2.0.2/ebtables.8 Sat Dec 7 13:42:58 2002 ++++ ebtables-v2.0.3/ebtables.8 Tue Apr 1 20:15:04 2003 +@@ -1,8 +1,11 @@ +-.TH EBTABLES 8 "03 December 2002" ++.TH EBTABLES 8 "15 March 2003" + .\" + .\" Man page written by Bart De Schuymer + .\" It is based on the iptables man page. + .\" ++.\" The man page was edited by ++.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net > ++.\" + .\" Iptables page by Herve Eychenne March 2000. + .\" + .\" This program is free software; you can redistribute it and/or modify +@@ -23,46 +26,61 @@ + .SH NAME + ebtables (v.2.0) \- Ethernet bridge frame table administration + .SH SYNOPSIS +-.BR "ebtables -[ADI] " "chain rule-specification " [ options ] ++.BR "ebtables [-t table] -[ADI] " "chain rule-specification [match-extensions] [watcher-extensions] TARGET" ++.br ++.BR "ebtables [-t table] -P " "chain " "ACCEPT | DROP | RETURN" + .br +-.BR "ebtables -P " "chain target" ++.BR "ebtables [-t table] -F [" "chain" "]" + .br +-.BR "ebtables -[FLZ] [" "chain" "]" ++.BR "ebtables [-t table] -Z [" "chain" "]" + .br +-.BR "ebtables -[NX] " chain ++.BR "ebtables [-t table] -L [-Z] [" chain "] [ [" --Ln "] [" --Lc "] ] " | " [" --Lx "]" + .br +-.BR "ebtables -E " "old-chain-name new-chain-name" ++.BR "ebtables [-t table] -[NX] " chain + .br +-.BR "ebtables --init-table" ++.BR "ebtables [-t table] -E " "old-chain-name new-chain-name" + .br +-.BR "ebtables --atomic-init " ++.BR "ebtables [-t table] --init-table" + .br +-.BR "ebtables --atomic-save " ++.BR "ebtables [-t table] [--atomic-file file] --atomic-commit + .br +-.BR "ebtables --atomic-commit " ++.BR "ebtables [-t table] [--atomic-file file] --atomic-init" ++.br ++.BR "ebtables [-t table] [--atomic-file file] --atomic-save" + .br + .SH DESCRIPTION + .B ebtables +-is used to set up, maintain, and inspect the tables of Ethernet frame +-rules in the Linux kernel. It works analogous as iptables, but is less +-complicated. This man page is written with the man page of iptables +-next to it, so don't be surprised to see copied sentences and structure. ++is a user space tool, it is used to set up and maintain the ++tables of Ethernet frame rules in the Linux kernel. These rules inspect ++the Ethernet frames which they see. ++.B ebtables ++is analogous to the ++.B iptables ++user space tool, but ++.B ebtables ++is less complicated. + +-There are three tables with built-in chains. Each chain is a list +-of rules which can match frames: each rule specifies what to do with a +-frame which matches. This is called a 'target'. The tables are used to +-divide functionality into different sets of chains. ++.SS CHAINS ++There are three Ethernet frame tables with built-in chains in the ++Linux kernel. The kernel tables are used to divide functionality into ++different sets of rules. Each set of rules is called a chain. ++Each chain is an ordered list of rules that can match Ethernet frames. If a ++rule matches an Ethernet frame, then a processing specification tells ++what to do with that matching frame. The processing specification is ++called a 'target'. However, if the frame does not match the current ++rule in the chain, then the next rule in the chain is examined and so forth. ++The user can create new (user-defined) chains which can be used as the 'target' of a rule. + + .SS TARGETS +-A firewall rule specifies criteria for a frame, and a target. If the +-frame does not match, the next rule in the chain is the examined one; if +-it does match, then the next thing to do is specified by the target. +-This target can be one of these values: ++A firewall rule specifies criteria for an Ethernet frame and a frame ++processing specification called a target. When a frame matches a rule, ++then the next action performed by the kernel is specified by the target. ++The target can be one of these values: + .IR ACCEPT , + .IR DROP , + .IR CONTINUE , + .IR RETURN , +-an extention. ++an 'extension' (see below) or a user-defined chain. + .PP + .I ACCEPT + means to let the frame through. +@@ -74,26 +92,36 @@ + .I RETURN + means stop traversing this chain and resume at the next rule in the + previous (calling) chain. +-For the +-other targets see the ++For the extension targets please see the + .B "TARGET EXTENSIONS" +-section. ++section of this man page. + .SS TABLES +-There are three tables. ++As stated earlier, there are three Ethernet frame tables in the Linux ++kernel. The tables are ++.BR filter ", " nat " and " broute . ++Of these three tables, ++the filter table is the default table that the ++.B ebtables ++command operates on. ++If you are working with the filter table, then you can drop the '-t filter' ++argument to the ebtables command. However, you will need to provide ++the -t argument for the other two tables. The -t argument must be the ++first argument on the ebtables command line, if used. + .TP + .B "-t, --table" +-This option specifies the frame matching table which the command should +-operate on. If specified it should be the first option. The tables are: ++.br + .BR filter , +-this is the default table and contains three chains: ++is the default table and contains three built-in chains: + .B INPUT + (for frames destined for the bridge itself), + .B OUTPUT + (for locally-generated frames) and + .B FORWARD + (for frames being bridged). ++.br ++.br + .BR nat , +-this table is used to change the mac addresses and contains three chains: ++is used to change the mac addresses and contains three built-in chains: + .B PREROUTING + (for altering frames as soon as they come in), + .B OUTPUT +@@ -104,30 +132,38 @@ + PREFORWARDING and POSTFORWARDING, but for all those who come from the + .BR iptables " world to " ebtables + it is easier to have the same names. ++.br ++.br + .BR broute , +-this table is used to make a brouter, it has one chain: ++is used to make a brouter, it has one built-in chain: + .BR BROUTING . + The targets + .BR DROP " and " ACCEPT +-have special meaning in this table. ++have special meaning in the broute table. + .B DROP + actually means the frame has to be routed, while + .B ACCEPT + means the frame has to be bridged. The + .B BROUTING + chain is traversed very early. It is only traversed by frames entering on +-a bridge enslaved nic that is in forwarding state. Normally those frames ++a bridge enslaved NIC that is in forwarding state. Normally those frames + would be bridged, but you can decide otherwise here. The + .B redirect + target is very handy here. +-.SH OPTIONS +-The options can be divided into several different groups. ++.SH EBTABLES COMMAND LINE ARGUMENTS ++After the initial ebtables -t, table command line argument, the remaining ++arguments can be divided into several different groups. These groups ++are commands, miscellaneous commands, rule-specifications, match-extensions, ++and watcher-extensions. + .SS COMMANDS +-These options specify the specific actions to perform; only one of them +-can be specified on the command line (the +-.B -Z +-command is an exception). All these options only apply to the selected +-(or default) table. ++The ebtables command arguments specify the actions to perform on the table ++defined with the -t argument. If you do not use the -t argument to name ++a table, the commands apply to the default filter table. ++With the exception of both the ++.B "-Z" ++and ++.B "--atomic-file" ++commands, only one command may be used on the command line at a time. + .TP + .B "-A, --append" + Append a rule to the end of the selected chain. +@@ -139,71 +175,119 @@ + the complete rule as it would have been specified when it was added. + .TP + .B "-I, --insert" +-Insert the specified rule into the selected chain at the specified rule number (1 meaning +-the head of the chain). ++Insert the specified rule into the selected chain at the specified rule number. ++The number one, 1, means the head of the chain. ++.TP ++.B "-P, --policy" ++Set the policy for the chain to the given target. The policy can be ++.BR ACCEPT ", " DROP " or " RETURN . ++.TP ++.B "-F, --flush" ++Flush the selected chain. If no chain is selected, then every chain will be ++flushed. Flushing the chain does not change the policy of the ++chain, however. ++.TP ++.B "-Z, --zero" ++Set the counters of the selected chain to zero. If no chain is selected, all the counters ++are set to zero. The ++.B "-Z" ++command can be used in conjunction with the ++.B "-L" ++command. ++When both the ++.B "-Z" ++and ++.B "-L" ++commands are used together in this way, the rule counters are printed on the screen ++before they are set to zero. + .TP + .B "-L, --list" + List all rules in the selected chain. If no chain is selected, all chains + are listed. + .br +-The following three options change the output: ++The following three options change the output of the ++.B "-L" ++list command: + .br + .B "--Ln" + .br +-Puts rule numbers in front of every rule. ++Places the rule number in front of every rule. + .br + .B "--Lc" + .br +-Shows the counters at the end of every rule, there is a frame counter +-(pcnt) and a byte counter (bcnt). ++Shows the counters at the end of each rule displayed by the ++.B "-L" ++command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed. + .br + .B "--Lx" + .br +-The output is directly usable as executable commands in a script, to be +-run f.e. at bootup. This option is incompatible with the previous two +-options. When no chain name was specified for the ++The output of the ++.B "--Lx" ++option may be used to create a set of ++.B ebtables ++commands. You may use this set of commands in an ++.B ebtables ++boot or reload ++script. For example the output could be used at system startup. ++The ++.B "--Lx" ++option is incompatible with both of the other ++.B "--Ln" ++and ++.B "--Lc" ++chain listing options, ++.B "-L." ++All necessary ++.B ebtables ++commands for making the current list of ++user-defined chains in the kernel and any commands issued by the user to ++rename the standard ++.B ebtables ++chains will be listed, when no chain name is ++supplied for the + .B "-L" +-command, all necessary commands for making the user defined chains and +-renaming the standard chains will be made. +-.TP +-.B "-F, --flush" +-Flush the selected chain. If no chain is selected, every chain will be +-flushed. This does not change the policy of the chain. +-.TP +-.B "--init-table" +-Replace the current table data by the initial table data. +-.TP +-.B "-Z, --zero" +-Put the counters of the selected chain on zero. If no chain is selected, all the counters +-are put on zero. This can be used in conjunction with the -L command (see above). +-This will cause the rule counters to be printed on the screen before they are put on zero. +-.TP +-.B "-P, --policy" +-Set the policy for the chain to the given target. The policy can be +-.BR ACCEPT ", " DROP " or " RETURN . ++command while using the ++.B "-Lx" ++option. + .TP + .B "-N, --new-chain" +-Create a new user-defined chain by the given name. The number of +-user-defined chains is unlimited. A chain name has max length of 31. ++Create a new user-defined chain with the given name. The number of ++user-defined chains is unlimited. A user-defined chain name has maximum ++length of 31 characters. + .TP + .B "-X, --delete-chain" +-Delete the specified user-defined chain. There must be no references to the +-chain, ++Delete the specified user-defined chain. There must be no remaining references ++to the to be deleted chain. Otherwise, + .B ebtables + will complain if there are. + .TP + .B "-E, --rename-chain" +-Rename the specified chain to the new name. This has no effect on the +-structure of the table. It is also allowed to rename a base chain, f.e. +-if you like PREBRIDGING more than PREROUTING. Be sure to talk about the +-standard chain names when you would ask a question on a mailing list. ++Rename the specified chain to a new name. Besides renaming a user-defined ++chain, you may rename a standard chain name to a name that suits your ++taste. For example, if you like PREBRIDGING more than PREROUTING, ++then you can use the -E command to rename the PREROUTING chain. If you do ++rename one of the standard ++.B ebtables ++chain names, please be sure to mention ++this fact should you post a question on the ++.B ebtables ++mailing lists. ++It would be wise to use the standard name in your post. Renaming a standard ++.B ebtables ++chain in this fashion has no effect on the structure or function ++of the ++.B ebtables ++kernel table. ++.TP ++.B "--init-table" ++Replace the current table data by the initial table data. + .TP + .B "--atomic-init" + Copy the kernel's initial data of the table to the specified + file. This can be used as the first action, after which rules are added + to the file. The file can be specified using the + .B --atomic-file +-option or through the ++command or through the + .IR EBTABLES_ATOMIC_FILE " environment variable." + .TP + .B "--atomic-save" +@@ -211,30 +295,81 @@ + file. This can be used as the first action, after which rules are added + to the file. The file can be specified using the + .B --atomic-file +-option or through the ++command or through the + .IR EBTABLES_ATOMIC_FILE " environment variable." + .TP + .B "--atomic-commit" + Replace the kernel table data with the data contained in the specified +-file. This is a useful command that allows you to put all your rules of a ++file. This is a useful command that allows you to load all your rules of a + certain table into the kernel at once, saving the kernel a lot of precious + time and allowing atomic updates of the tables. The file which contains + the table data is constructed by using either the + .B "--atomic-init" + or the + .B "--atomic-save" +-command to get a starting file. After that, using the ++command to generate a starting file. After that, using the + .B "--atomic-file" +-option when constructing rules or setting the ++command when constructing rules or setting the + .IR EBTABLES_ATOMIC_FILE " environment variable" + allows you to extend the file and build the complete table before +-commiting it to the kernel. ++committing it to the kernel. ++.TP ++.B "--atomic-file -Z" ++The counters stored in a file with, say, ++.B "--atomic-init" ++can be optionally zeroed by supplying the ++.B "-Z" ++command. You may also zero the counters by setting the ++.IR EBTABLES_ATOMIC_FILE " environment variable." ++ ++.SS MISCELLANOUS COMMANDS ++.TP ++.B "-V, --version" ++Show the version of the ebtables userspace program. ++.TP ++.B "-h, --help" ++Give a brief description of the command syntax. Here you can also specify ++names of extensions and ++.B ebtables ++will try to write help about those extensions. E.g. ebtables -h snat log ip arp. ++Specify ++.I list_extensions ++to list all extensions supported by the userspace ++utility. ++.TP ++.BR "-j, --jump " "\fItarget\fP" ++The target of the rule. This is one of the following values: ++.BR ACCEPT , ++.BR DROP , ++.BR CONTINUE , ++.BR RETURN , ++a target extension (see ++.BR "TARGET EXTENSIONS" ")" ++or a user-defined chain name. ++.TP ++.B --atomic-file file ++Let the command operate on the specified file. The data of the table to ++operate on will be extracted from the file and the result of the operation ++will be saved back into the file. If specified, this option should come ++before the command specification. An alternative that should be preferred, ++is setting the ++.IR EBTABLES_ATOMIC_FILE " environment variable." ++.TP ++.B -M, --modprobe program ++When talking to the kernel, use this program to try to automatically load ++missing kernel modules. ++ + .SS +-PARAMETERS +-The following parameters make up a rule specification (as used in the add +-and delete commands). A "!" argument before the specification inverts the +-test for that specification. Apart from these standard parameters, there are others, see +-.BR "MATCH EXTENSIONS" . ++RULE-SPECIFICATIONS ++The following command line arguments make up a rule specification (as used ++in the add and delete commands). A "!" option before the specification ++inverts the test for that specification. Apart from these standard rule ++specifications there are some other command line arguments of interest. ++See both the ++.BR "MATCH-EXTENSIONS" ++and the ++.BR "WATCHER-EXTENSION(S)" ++below. + .TP + .BR "-p, --protocol " "[!] \fIprotocol\fP" + The protocol that was responsible for creating the frame. This can be a +@@ -305,7 +440,7 @@ + .TP + .BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]" + The source mac address. Both mask and address are written as 6 hexadecimal +-numbers seperated by colons. Alternatively one can specify Unicast, ++numbers separated by colons. Alternatively one can specify Unicast, + Multicast or Broadcast. + .br + Unicast=00:00:00:00:00:00/01:00:00:00:00:00, +@@ -320,45 +455,36 @@ + .B --dst + is an alias for this option. + +-.SS OTHER OPTIONS ++.SS MATCH-EXTENSIONS ++.B ebtables ++extensions are precompiled into the userspace tool. So there is no need ++to explicitly load them with a -m option like in ++.BR iptables . ++However, these ++extensions deal with functionality supported by supplemental kernel modules. ++.SS arp ++Specify arp fields. These will only work if the protocol equals ++.BR ARP " or " RARP . + .TP +-.B "-V, --version" +-Show the version of the userprogram. ++.BR "--arp-opcode " "[!] \fIopcode\fP" ++The (r)arp opcode (decimal or a string, for more details see ++.BR "ebtables -h arp" ). + .TP +-.B "-h, --help" +-Give a brief description of the command syntax. Here you can also specify +-names of extensions and +-.B ebtables +-will try to write help about those extensions. E.g. ebtables -h snat log ip arp. ++.BR "--arp-htype " "[!] \fIhardware type\fP" ++The hardware type, this can be a decimal or the string "Ethernet". This ++is normally Ethernet (value 1). + .TP +-.BR "-j, --jump " "\fItarget\fP" +-The target of the rule. This is one of the following values: +-.BR ACCEPT , +-.BR DROP , +-.BR CONTINUE , +-.BR RETURN , +-a target extension (see +-.BR "TARGET EXTENSIONS" ")" +-or a user defined chain name. ++.BR "--arp-ptype " "[!] \fIprotocol type\fP" ++The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4"). ++This is normally IPv4 (0x0800). + .TP +-.B --atomic-file file +-Let the command operate on the specified file. The data of the table to +-operate on will be extracted from the file and the result of the operation +-will be saved back into the file. If specified, this option should come +-before the command specification. An alternative that should be preferred, +-is setting the +-.BR EBTABLES_ATOMIC_FILE "environment variable." ++.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]" ++The ARP IP source address specification. + .TP +-.B -M, --modprobe program +-When talking to the kernel, use this program to try to automatically load +-missing kernel modules. +-.SH MATCH EXTENSIONS +-.B ebtables +-extensions are precompiled into the userspace tool. So there is no need +-to explicitly load them with a -m option like in iptables. However, these +-extensions deal with functionality supported by supplemental kernel modules. ++.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]" ++The ARP IP destination address specification. + .SS ip +-Specify ip specific fields. These will only work if the protocol equals ++Specify ip fields. These will only work if the protocol equals + .BR IPv4 . + .TP + .BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]" +@@ -395,59 +521,38 @@ + 17 (UDP). The flag + .B --ip-dport + is an alias for this option. +-.SS arp +-Specify arp specific fields. These will only work if the protocol equals +-.BR ARP " or " RARP . +-.TP +-.BR "--arp-opcode " "[!] \fIopcode\fP" +-The (r)arp opcode (decimal or a string, for more details see +-.BR "ebtables -h arp" ). +-.TP +-.BR "--arp-htype " "[!] \fIhardware type\fP" +-The hardware type, this can be a decimal or the string "Ethernet". This +-is normally Ethernet (value 1). +-.TP +-.BR "--arp-ptype " "[!] \fIprotocol type\fP" +-The protocol type for which the (r)arp is used (hexadecimal or the string "IPv4"). +-This is normally IPv4 (0x0800). +-.TP +-.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]" +-The ARP IP source address specification. ++.SS mark_m + .TP +-.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]" +-The ARP IP destination address specification. ++.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]" ++Matches frames with the given unsigned mark value. If a mark value and ++mask is specified, the logical AND of the mark value of the frame and ++the user-specified mask is taken before comparing it with the user-specified ++mark value. If only a mask is specified (start with '/') the logical AND ++of the mark value of the frame and the user-specified mark is taken and ++the result is compared with zero. + .SS vlan +-Specify 802.1Q Tag Control Information fields. These will only work if the protocol equals +-.BR 802_1Q. +-Also see extension help by +-.BR "ebtables -h vlan" . ++Specify 802.1Q Tag Control Information fields. ++The protocol rule specification (frame type) should be set to ++.BR 802_1Q " (0x8100)." + .TP + .BR "--vlan-id " "[!] \fIid\fP" +-The VLAN identifier field, VID (decimal number from 0 to 4094). ++The VLAN identifier field (VID). Decimal number from 0 to 4095. + .TP + .BR "--vlan-prio " "[!] \fIprio\fP" +-The user_priority field, this can be a decimal number from 0 to 7. +-Required VID to be 0 (null VID) or not specified vlan-id parameter (in this case VID deliberately be set to 0). ++The user_priority field. Decimal number from 0 to 7. ++The VID should be set to 0 ("null VID") or unspecified ++(for this case the VID is deliberately set to 0). + .TP + .BR "--vlan-encap " "[!] \fItype\fP" +-The encapsulated Ethernet frame type/length, this can be a hexadecimal +-number from 0x0000 to 0xFFFF. +-Usually it's 0x0800 (IPv4). See also +-.B /etc/ethertypes +-file. +-.SS mark_m +-.TP +-.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]" +-Matches frames with the given unsigned mark value. If a mark value and +-mask is specified, the logical AND of the mark value of the frame and +-the user specified mask is taken before comparing with the user specified +-mark value. If only a mask is specified (start with '/') the logical AND +-of the mark value of the frame and the user specified mark is taken and +-the result is compared with zero. ++The encapsulated Ethernet frame type/length. ++Specified as hexadecimal ++number from 0x0000 to 0xFFFF or as a symbolic name ++from ++.BR /etc/ethertypes . + +-.SH WATCHER EXTENSION(S) ++.SS WATCHER-EXTENSION(S) + Watchers are things that only look at frames passing by. These watchers only +-see the frame if the frame passes all the matches of the rule. ++see the frame if the frame matches the rule. + .SS log + The fact that the log module is a watcher lets us log stuff while giving a target + by choice. Note that the log module therefore is not a target. +@@ -477,31 +582,7 @@ + will log the (r)arp information when a frame made by the (r)arp protocols + matches the rule. The default is no (r)arp information logging. + .SS TARGET EXTENSIONS +-.TP +-.B snat +-The +-.B snat +-target can only be used in the +-.BR POSTROUTING " chain of the " nat " table." +-It specifies that the source mac address has to be changed. +-.br +-.BR "--to-source " "\fIaddress\fP" +-.br +-The flag +-.B --to-src +-is an alias for this option. +-.br +-.BR "--snat-target " "\fItarget\fP" +-.br +-Specifies the standard target. After doing the snat, the rule still has +-to give a standard target so +-.B ebtables +-knows what to do. +-The default target is ACCEPT. Making it CONTINUE could let you use +-multiple target extensions on the same frame. Making it DROP doesn't +-make sense, but you could do that too. RETURN is also allowed. Note +-that using RETURN in a base chain is not allowed. +-.TP ++.SS + .B dnat + The + .B dnat +@@ -509,25 +590,45 @@ + .BR BROUTING " chain of the " broute " table and the " + .BR PREROUTING " and " OUTPUT " chains of the " nat " table." + It specifies that the destination mac address has to be changed. +-.br ++.TP + .BR "--to-destination " "\fIaddress\fP" + .br + The flag + .B --to-dst + is an alias for this option. +-.br ++.TP + .BR "--dnat-target " "\fItarget\fP" + .br + Specifies the standard target. After doing the dnat, the rule still has to + give a standard target so + .B ebtables + knows what to do. +-The default target is ACCEPT. Making it CONTINUE could let you use ++The default target is ACCEPT. Making it CONTINUE could let you use + multiple target extensions on the same frame. Making it DROP only makes + sense in the BROUTING chain but using the redirect target is more logical + there. RETURN is also allowed. Note + that using RETURN in a base chain is not allowed. ++.SS ++.B mark ++The mark target can be used in every chain of every table. It is possible ++to use the marking of a frame/packet in both ebtables and iptables, ++if the br-nf code is compiled into the kernel. Both put the marking at the ++same place. So, you can consider this fact as a feature, or as something to ++watch out for. ++.TP ++.BR "--set-mark " "\fIvalue\fP" ++.br ++Mark the frame with the specified unsigned value. + .TP ++.BR "--mark-target " "\fItarget\fP" ++.br ++Specifies the standard target. After marking the frame, the rule ++still has to give a standard target so ++.B ebtables ++knows what to do. ++The default target is ACCEPT. Making it CONTINUE can let you do other ++things with the frame in other rules of the chain. ++.SS + .B redirect + The + .B redirect +@@ -535,37 +636,41 @@ + frame arrived on. This target can only be used in the + .BR BROUTING " chain of the " broute " table and the " + .BR PREROUTING " chain of the " nat " table." +-.br ++.TP + .BR "--redirect-target " "\fItarget\fP" + .br + Specifies the standard target. After doing the MAC redirect, the rule + still has to give a standard target so + .B ebtables + knows what to do. +-The default target is ACCEPT. Making it CONTINUE could let you use ++The default target is ACCEPT. Making it CONTINUE could let you use + multiple target extensions on the same frame. Making it DROP in the + BROUTING chain will let the frames be routed. RETURN is also allowed. Note + that using RETURN in a base chain is not allowed. ++.SS ++.B snat ++The ++.B snat ++target can only be used in the ++.BR POSTROUTING " chain of the " nat " table." ++It specifies that the source mac address has to be changed. + .TP +-.B mark +-The mark target can be used in every chain of every table. It is possible +-to use the marking of a frame/packet in both ebtables and iptables, +-if the br-nf code is compiled into the kernel. Both put the marking at the +-same place. So, you can consider this fact as a feature, or as something to +-watch out for. ++.BR "--to-source " "\fIaddress\fP" + .br +-.BR "--mark-target " "\fItarget\fP" ++The flag ++.B --to-src ++is an alias for this option. ++.TP ++.BR "--snat-target " "\fItarget\fP" + .br +-Specifies the standard target. After marking the frame, the rule +-still has to give a standard target so ++Specifies the standard target. After doing the snat, the rule still has ++to give a standard target so + .B ebtables + knows what to do. +-The default target is ACCEPT. Making it CONTINUE can let you do other +-things with the frame in other rules of the chain. +-.br +-.BR "--set-mark " "\fIvalue\fP" +-.br +-Mark the frame with the specified unsigned value. ++The default target is ACCEPT. Making it CONTINUE could let you use ++multiple target extensions on the same frame. Making it DROP doesn't ++make sense, but you could do that too. RETURN is also allowed. Note ++that using RETURN in a base chain is not allowed. + .br + .SH FILES + .I /etc/ethertypes +@@ -573,7 +678,9 @@ + .I EBTABLES_ATOMIC_FILE + .SH BUGS + This won't work on an architecture with a user32/kernel64 situation like the Sparc64. +-.SH AUTHOR +-.IR "" "Bart De Schuymer <" bdschuym@pandora.be > ++.SH MAILINGLISTS ++.I ebtables-user@lists.sourceforge.net ++.br ++.I ebtables-devel@lists.sourceforge.net + .SH SEE ALSO +-.BR iptables "(8), " brctl (8) ++.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8) +--- ebtables-v2.0.2/include/ebtables_u.h Wed Nov 20 22:05:39 2002 ++++ ebtables-v2.0.3/include/ebtables_u.h Sun Jan 19 12:37:52 2003 +@@ -30,9 +30,9 @@ + { + int policy; + unsigned int nentries; +- // counter offset for this chain ++ /* counter offset for this chain */ + unsigned int counter_offset; +- // used for udc ++ /* used for udc */ + unsigned int hook_mask; + char name[EBT_CHAIN_MAXNAMELEN]; + struct ebt_u_entry *entries; +@@ -42,7 +42,7 @@ + { + struct ebt_u_entries *udc; + struct ebt_u_chain_list *next; +- // this is only used internally, in communication.c ++ /* this is only used internally, in communication.c */ + char *kernel_start; + }; + +@@ -50,25 +50,29 @@ + { + char name[EBT_TABLE_MAXNAMELEN]; + unsigned int valid_hooks; +- // nr of rules in the table ++ /* nr of rules in the table */ + unsigned int nentries; + struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS]; +- // user defined chains (udc) list ++ /* user defined chains (udc) list */ + struct ebt_u_chain_list *udc; +- // nr of counters userspace expects back ++ /* nr of counters userspace expects back */ + unsigned int num_counters; +- // where the kernel will put the old counters ++ /* where the kernel will put the old counters */ + struct ebt_counter *counters; +- // can be used e.g. to know if a standard option +- // has been specified twice ++ /* ++ * can be used e.g. to know if a standard option ++ * has been specified twice ++ */ + unsigned int flags; +- // we stick the specified command (e.g. -A) in here ++ /* we stick the specified command (e.g. -A) in here */ + char command; +- // here we stick the hook to do our thing on (can be -1 if unspecified) ++ /* ++ * here we stick the hook to do our thing on (can be -1 if unspecified) ++ */ + int selected_hook; +- // used for the atomic option ++ /* used for the atomic option */ + char *filename; +- // tells what happened to the old rules ++ /* tells what happened to the old rules */ + unsigned short *counterchanges; + }; + +@@ -114,7 +118,7 @@ + struct ebt_u_match + { + char name[EBT_FUNCTION_MAXNAMELEN]; +- // size of the real match data ++ /* size of the real match data */ + unsigned int size; + void (*help)(void); + void (*init)(struct ebt_entry_match *m); +@@ -129,12 +133,16 @@ + int (*compare)(const struct ebt_entry_match *m1, + const struct ebt_entry_match *m2); + const struct option *extra_ops; +- // can be used e.g. to check for multiple occurance of the same option ++ /* ++ * can be used e.g. to check for multiple occurance of the same option ++ */ + unsigned int flags; + unsigned int option_offset; + struct ebt_entry_match *m; +- // if used == 1 we no longer have to add it to +- // the match chain of the new entry ++ /* ++ * if used == 1 we no longer have to add it to ++ * the match chain of the new entry ++ */ + unsigned int used; + struct ebt_u_match *next; + }; +@@ -204,10 +212,10 @@ + #define print_bug(format, args...) \ + __print_bug(__FILE__, __LINE__, format, ##args) + #define print_error(format,args...) {printf(format".\n",##args); exit(-1);} +-#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \ +- " %d :Out of memory.\n", __LINE__); exit(-1);} ++#define print_memory() {printf("Ebtables: " __FILE__ \ ++ " %s %d :Out of memory.\n", __FUNCTION__, __LINE__); exit(-1);} + +-// used for keeping the rule counters right during rule adds or deletes ++/* used for keeping the rule counters right during rule adds or deletes */ + #define CNT_NORM 0 + #define CNT_DEL 1 + #define CNT_ADD 2 +@@ -215,8 +223,10 @@ + #define CNT_ZERO 4 + + extern char *standard_targets[NUM_STANDARD_TARGETS]; +-// Transforms a target string into the right integer, +-// returns 0 on success. ++/* ++ * Transforms a target string into the right integer, ++ * returns 0 on success. ++ */ + #define FILL_TARGET(_str, _pos) ({ \ + int _i, _ret = 0; \ + for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \ +@@ -229,12 +239,12 @@ + _ret; \ + }) + +-// Transforms the target value to an index into standard_targets[] ++/* Transforms the target value to an index into standard_targets[] */ + #define TARGET_INDEX(_value) (-_value - 1) +-// Returns a target string corresponding to the value ++/* Returns a target string corresponding to the value */ + #define TARGET_NAME(_value) (standard_targets[TARGET_INDEX(_value)]) +-// True if the hook mask denotes that the rule is in a base chain ++/* True if the hook mask denotes that the rule is in a base chain */ + #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) +-// Clear the bit in the hook_mask that tells if the rule is on a base chain ++/* Clear the bit in the hook_mask that tells if the rule is on a base chain */ + #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) + #endif /* EBTABLES_U_H */ diff --git a/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz b/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz new file mode 100644 index 0000000..7113e83 Binary files /dev/null and b/userspace/patches/zipped/v2.0/ebtables-v2.0.3.tar.gz differ -- cgit v1.2.3