This is a big patch. Hope I didn't break anything. --- ebtables-v2.0pre2.001/Makefile Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/Makefile Thu Apr 11 18:38:47 2002 @@ -2,8 +2,7 @@ KERNEL_DIR?=/usr/src/linux PROGNAME:=ebtables -PROGVERSION:="2.0pre1 (April 2002)" - +PROGVERSION:="2.0pre2.001 (April 2002)" MANDIR?=/usr/local/man CFLAGS:=-Wall -Wunused --- ebtables-v2.0pre2.001/ebtables.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/ebtables.c Wed Apr 10 22:46:27 2002 @@ -34,7 +34,8 @@ #include #include "include/ebtables_u.h" -// here are the number-name correspondences kept for the ethernet frame type field +// here are the number-name correspondences kept for the ethernet +// frame type field #define PROTOCOLFILE "/etc/etherproto" #define DATABASEHOOKNR NF_BR_NUMHOOKS @@ -81,27 +82,28 @@ // yup, all the possible target names char* standard_targets[NUM_STANDARD_TARGETS] = { - "ACCEPT" , + "ACCEPT", "DROP", "CONTINUE", }; // tells what happened to the old rules -unsigned short *counterchanges; +static unsigned short *counterchanges; // holds all the data -struct ebt_u_replace replace; +static struct ebt_u_replace replace; // the chosen table -struct ebt_u_table *table = NULL; +static struct ebt_u_table *table = NULL; // the lists of supported tables, matches, watchers and targets -struct ebt_u_table *tables = NULL; -struct ebt_u_match *matches = NULL; -struct ebt_u_watcher *watchers = NULL; -struct ebt_u_target *targets = NULL; +static struct ebt_u_table *tables = NULL; +static struct ebt_u_match *matches = NULL; +static struct ebt_u_watcher *watchers = NULL; +static struct ebt_u_target *targets = NULL; struct ebt_u_target *find_target(const char *name) { struct ebt_u_target *t = targets; + while(t && strcmp(t->name, name)) t = t->next; return t; @@ -110,6 +112,7 @@ struct ebt_u_match *find_match(const char *name) { struct ebt_u_match *m = matches; + while(m && strcmp(m->name, name)) m = m->next; return m; @@ -118,6 +121,7 @@ struct ebt_u_watcher *find_watcher(const char *name) { struct ebt_u_watcher *w = watchers; + while(w && strcmp(w->name, name)) w = w->next; return w; @@ -126,17 +130,18 @@ struct ebt_u_table *find_table(char *name) { struct ebt_u_table *t = tables; + while (t && strcmp(t->name, name)) t = t->next; return t; } -// the pointers in here are special: -// the struct ebt_target * pointer is actually a struct ebt_u_target * pointer -// instead of making yet a few other structs, we just do a cast -// we need a struct ebt_u_target pointer because we know the address of the data they -// point to won't change. We want to allow that the struct ebt_u_target.t member can -// change. +// The pointers in here are special: +// The struct ebt_target * pointer is actually a struct ebt_u_target * pointer. +// instead of making yet a few other structs, we just do a cast. +// We need a struct ebt_u_target pointer because we know the address of the data +// they point to won't change. We want to allow that the struct ebt_u_target.t +// member can change. // Same holds for the struct ebt_match and struct ebt_watcher pointers struct ebt_u_entry *new_entry; @@ -149,13 +154,14 @@ strcpy(e->out, ""); e->m_list = NULL; e->w_list = NULL; - // the init function of the standard target should have put the verdict on CONTINUE + // the init function of the standard target should have put the verdict + // on CONTINUE e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET); if (!e->t) print_bug("Couldn't load standard target\n"); } -// this doesn't free e, basically becoz it's lazy +// this doesn't free e, becoz the calling function might need e->next void free_u_entry(struct ebt_u_entry *e) { struct ebt_u_match_list *m_l, *m_l2; @@ -178,6 +184,40 @@ free(e->t); } +// the user will use the match, so put it in new_entry +static void add_match(struct ebt_u_match *m) +{ + struct ebt_u_match_list **m_list, *new; + + m->used = 1; + for (m_list = &new_entry->m_list; + *m_list; m_list = &(*m_list)->next); + new = (struct ebt_u_match_list *) + malloc(sizeof(struct ebt_u_match_list)); + if (!new) + print_memory(); + *m_list = new; + new->next = NULL; + new->m = (struct ebt_entry_match *)m; +} + +static void add_watcher(struct ebt_u_watcher *w) +{ + struct ebt_u_watcher_list **w_list; + struct ebt_u_watcher_list *new; + + w->used = 1; + for (w_list = &new_entry->w_list; + *w_list; w_list = &(*w_list)->next); + new = (struct ebt_u_watcher_list *) + malloc(sizeof(struct ebt_u_watcher_list)); + if (!new) + print_memory(); + *w_list = new; + new->next = NULL; + new->w = (struct ebt_entry_watcher *)w; +} + static int global_option_offset = 0; #define OPTION_OFFSET 256 static struct option * @@ -196,6 +236,8 @@ *options_offset = global_option_offset; merge = malloc(sizeof(struct option) * (num_new + num_old + 1)); + if (!merge) + print_memory(); memcpy(merge, oldopts, num_old * sizeof(struct option)); for (i = 0; i < num_new; i++) { merge[num_old + i] = newopts[i]; @@ -219,7 +261,8 @@ print_memory(); strcpy(m->m->u.name, m->name); m->m->match_size = size; - ebt_options = merge_options(ebt_options, m->extra_ops, &(m->option_offset)); + ebt_options = merge_options + (ebt_options, m->extra_ops, &(m->option_offset)); m->init(m->m); for (i = &matches; *i; i = &((*i)->next)); @@ -237,7 +280,8 @@ print_memory(); strcpy(w->w->u.name, w->name); w->w->watcher_size = size; - ebt_options = merge_options(ebt_options, w->extra_ops, &(w->option_offset)); + ebt_options = merge_options + (ebt_options, w->extra_ops, &(w->option_offset)); w->init(w->w); for (i = &watchers; *i; i = &((*i)->next)); @@ -255,7 +299,8 @@ print_memory(); strcpy(t->t->u.name, t->name); t->t->target_size = size; - ebt_options = merge_options(ebt_options, t->extra_ops, &(t->option_offset)); + ebt_options = merge_options + (ebt_options, t->extra_ops, &(t->option_offset)); t->init(t->t); for (i = &targets; *i; i = &((*i)->next)); t->next = NULL; @@ -292,7 +337,7 @@ return 0; } -/* helper function: processes a line of data from the file brebt_protocolnames */ +// helper function: processes a line of data from the file /etc/etherproto int get_a_line(char *buffer, char *value, FILE *ifp) { int i, hlp; @@ -314,7 +359,7 @@ // buffer[0] already contains the first letter for (i = 1; i < 21; i++) { - hlp = fscanf(ifp, "%c", buffer+i); + hlp = fscanf(ifp, "%c", buffer + i); if (hlp == EOF || hlp == 0) return -1; if (buffer[i] == '\t' || buffer[i] == ' ') break; @@ -327,7 +372,8 @@ // buffer[0] already contains the first letter for (i = 1; i < 5; i++) { hlp = fscanf(ifp, "%c", value+i); - if (value[i] == '\n' || value[i] == '\t' || value[i] == ' ' || hlp == EOF) + if (value[i] == '\n' || value[i] == '\t' || + value[i] == ' ' || hlp == EOF) break; } if (i == 5) return -1; @@ -342,7 +388,7 @@ return 0; } -/* helper function for list_em() */ +// helper function for list_em() int number_to_name(unsigned short proto, char *name) { FILE *ifp; @@ -363,13 +409,12 @@ fclose(ifp); return 0; } - return -1; } -/* helper function for list_rules() */ +// helper function for list_rules() static void list_em(int hooknr) { - int i, space = 0; + int i, j, space = 0, digits; struct ebt_u_entry *hlp; struct ebt_u_match_list *m_l; struct ebt_u_watcher_list *w_l; @@ -379,7 +424,8 @@ char name[21]; hlp = replace.hook_entry[hooknr]->entries; - printf("\nBridge chain: %s\nPolicy: %s\n", hooknames[hooknr], standard_targets[(int)(replace.hook_entry[hooknr]->policy)]); + printf("\nBridge chain: %s\nPolicy: %s\n", hooknames[hooknr], + standard_targets[replace.hook_entry[hooknr]->policy]); printf("nr. of entries: %d \n", replace.hook_entry[hooknr]->nentries); i = replace.hook_entry[hooknr]->nentries; @@ -389,19 +435,18 @@ } for (i = 0; i < replace.hook_entry[hooknr]->nentries; i++) { - int j = i + 1, space2 = 0; - // a little work to get nice rule numbers - // this can probably be done easier - so what + digits = 0; + // A little work to get nice rule numbers. while (j > 9) { - space2++; + digits++; j /= 10; } - for (j = 0; j < space - space2; j++) + for (j = 0; j < space - digits; j++) printf(" "); printf("%d. ", i + 1); - // don't print anything about the protocol if no protocol was specified - // obviously this means any protocol will do + // Don't print anything about the protocol if no protocol was + // specified, obviously this means any protocol will do. if (!(hlp->bitmask & EBT_NOPROTO)) { printf("eth proto: "); if (hlp->invflags & EBT_IPROTO) @@ -416,20 +461,20 @@ } } if (hlp->bitmask & EBT_SOURCEMAC) { - int j; printf("source mac: "); if (hlp->invflags & EBT_ISOURCE) printf("! "); for (j = 0; j < ETH_ALEN; j++) - printf("%02x%s", hlp->sourcemac[j], (j == ETH_ALEN - 1) ? ", " : ":"); + printf("%02x%s", hlp->sourcemac[j], + (j == ETH_ALEN - 1) ? ", " : ":"); } if (hlp->bitmask & EBT_DESTMAC) { - int j; printf("dest mac: "); if (hlp->invflags & EBT_IDEST) printf("! "); for (j = 0; j < ETH_ALEN; j++) - printf("%02x%s", hlp->destmac[j], (j == ETH_ALEN - 1) ? ", " : ":"); + printf("%02x%s", hlp->destmac[j], + (j == ETH_ALEN - 1) ? ", " : ":"); } if (hlp->in[0] != '\0') { if (hlp->invflags & EBT_IIN) @@ -462,9 +507,10 @@ printf("target: "); t = find_target(hlp->t->u.name); if (!t) - print_error("Target not found."); + print_bug("Target not found"); t->print(hlp, hlp->t); - printf(", count = %llu", replace.counters[replace.counter_entry[hooknr] + i].pcnt); + printf(", count = %llu", + replace.counters[replace.counter_entry[hooknr] + i].pcnt); printf("\n"); hlp = hlp->next; } @@ -492,30 +538,30 @@ struct ebt_u_watcher_list *w_l; printf( - "%s v%s\n" - "Usage:\n" - "ebtables -[ADI] chain rule-specification [options]\n" - "ebtables -P chain target\n" - "ebtables -[LFZ] [chain]\n" - "ebtables -[b] [y,n]\n" - "Commands:\n" - "--append -A chain : Append to chain\n" - "--delete -D chain : Delete matching rule from chain\n" - "--delete -D chain rulenum : Delete rule at position rulenum from chain\n" - "--insert -I chain rulenum : insert rule at position rulenum in chain\n" - "--list -L [chain] : List the rules in a chain or in all chains\n" - "--list -L "DATABASEHOOKNAME" : List the database (if present)\n" - "--flush -F [chain] : Delete all rules in chain or in all chains\n" - "--zero -Z [chain] : Put counters on zero in chain or in all chains\n" - "--policy -P chain target : Change policy on chain to target\n" - "Options:\n" - "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" - "--src -s [!] address : source mac address\n" - "--dst -d [!] address : destination mac address\n" - "--in-if -i [!] name : network input interface name\n" - "--out-if -o [!] name : network output interface name\n" - "--version -V : print package version\n" - "\n" , +"%s v%s\n" +"Usage:\n" +"ebtables -[ADI] chain rule-specification [options]\n" +"ebtables -P chain target\n" +"ebtables -[LFZ] [chain]\n" +"ebtables -[b] [y,n]\n" +"Commands:\n" +"--append -A chain : Append to chain\n" +"--delete -D chain : Delete matching rule from chain\n" +"--delete -D chain rulenum : Delete rule at position rulenum from chain\n" +"--insert -I chain rulenum : insert rule at position rulenum in chain\n" +"--list -L [chain] : List the rules in a chain or in all chains\n" +"--list -L "DATABASEHOOKNAME" : List the database (if present)\n" +"--flush -F [chain] : Delete all rules in chain or in all chains\n" +"--zero -Z [chain] : Put counters on zero in chain or in all chains\n" +"--policy -P chain target : Change policy on chain to target\n" +"Options:\n" +"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" +"--src -s [!] address : source mac address\n" +"--dst -d [!] address : destination mac address\n" +"--in-if -i [!] name : network input interface name\n" +"--out-if -o [!] name : network output interface name\n" +"--version -V : print package version\n" +"\n" , prog_name, prog_version); @@ -538,7 +584,7 @@ exit(0); } -/* execute command L */ +// execute command L static void list_rules() { int i; @@ -563,7 +609,8 @@ replace.num_counters = replace.nentries; if (replace.nentries) { // '+ 1' for the CNT_END - if ( !(counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short))) ) + if (!(counterchanges = (unsigned short *) malloc( + (replace.nentries + 1) * sizeof(unsigned short)))) print_memory(); // done nothing special to the rules for (i = 0; i < replace.nentries; i++) @@ -611,12 +658,14 @@ if (replace.hook_entry[replace.selected_hook]->nentries == 0) exit(0); oldnentries = replace.nentries; - replace.nentries = replace.nentries - replace.hook_entry[replace.selected_hook]->nentries; + replace.nentries = replace.nentries - + replace.hook_entry[replace.selected_hook]->nentries; // delete the counters belonging to the specified chain if (replace.nentries) { // +1 for CNT_END - if ( !(counterchanges = (unsigned short *)malloc((oldnentries + 1) * sizeof(unsigned short))) ) + if ( !(counterchanges = (unsigned short *) + malloc((oldnentries + 1) * sizeof(unsigned short))) ) print_memory(); cnt = counterchanges; for (i = 0; i < NF_BR_NUMHOOKS; i++) { @@ -660,23 +709,31 @@ // handle '-D chain rulenr' command if (rule_nr != -1) { - if (rule_nr > replace.hook_entry[replace.selected_hook]->nentries) + if (rule_nr > + replace.hook_entry[replace.selected_hook]->nentries) return 0; + // user starts counting from 1 return rule_nr - 1; } u_e = replace.hook_entry[replace.selected_hook]->entries; - // check for an existing rule (if there are duplicate rules, take the first occurance) - for (i = 0; i < replace.hook_entry[replace.selected_hook]->nentries; i++, u_e = u_e->next) { + // check for an existing rule (if there are duplicate rules, + // take the first occurance) + for (i = 0; i < replace.hook_entry[replace.selected_hook]->nentries; + i++, u_e = u_e->next) { if (!u_e) print_bug("Hmm, trouble"); if ( u_e->ethproto == new_entry->ethproto - && !strncmp(u_e->in, new_entry->in, IFNAMSIZ) - && !strncmp(u_e->out, new_entry->out, IFNAMSIZ) && u_e->bitmask == new_entry->bitmask) { - if (new_entry->bitmask & EBT_SOURCEMAC && strncmp(u_e->sourcemac, new_entry->sourcemac, ETH_ALEN)) + && !strcmp(u_e->in, new_entry->in) + && !strcmp(u_e->out, new_entry->out) + && u_e->bitmask == new_entry->bitmask) { + if (new_entry->bitmask & EBT_SOURCEMAC && + strcmp(u_e->sourcemac, new_entry->sourcemac)) continue; - if (new_entry->bitmask & EBT_DESTMAC && strncmp(u_e->destmac, new_entry->destmac, ETH_ALEN)) + if (new_entry->bitmask & EBT_DESTMAC && + strcmp(u_e->destmac, new_entry->destmac)) continue; - if (new_entry->bitmask != u_e->bitmask || new_entry->invflags != u_e->invflags) + if (new_entry->bitmask != u_e->bitmask || + new_entry->invflags != u_e->invflags) continue; // compare all matches m_l = new_entry->m_list; @@ -684,7 +741,8 @@ while (m_l) { m = (struct ebt_u_match *)(m_l->m); m_l2 = u_e->m_list; - while (m_l2 && strcmp(m_l2->m->u.name, m->m->u.name)) + while (m_l2 && + strcmp(m_l2->m->u.name, m->m->u.name)) m_l2 = m_l2->next; if (!m_l2 || !m->compare(m->m, m_l2->m)) goto letscontinue; @@ -707,7 +765,8 @@ while (w_l) { w = (struct ebt_u_watcher *)(w_l->w); w_l2 = u_e->w_list; - while (w_l2 && strcmp(w_l2->w->u.name, w->w->u.name)) + while (w_l2 && + strcmp(w_l2->w->u.name, w->w->u.name)) w_l2 = w_l2->next; if (!w_l2 || !w->compare(w->w, w_l2->w)) goto letscontinue; @@ -743,8 +802,10 @@ struct ebt_u_watcher_list *w_l; if (rule_nr != -1) { // command -I - if (--rule_nr > replace.hook_entry[replace.selected_hook]->nentries) - print_error("rule nr too high: %d > %d.", rule_nr, replace.hook_entry[replace.selected_hook]->nentries); + if (--rule_nr > + replace.hook_entry[replace.selected_hook]->nentries) + print_error("rule nr too high: %d > %d", rule_nr, + replace.hook_entry[replace.selected_hook]->nentries); } else rule_nr = replace.hook_entry[replace.selected_hook]->nentries; // we're adding one rule @@ -754,7 +815,8 @@ // handle counter stuff // +1 for CNT_END - if ( !(counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short))) ) + if ( !(counterchanges = (unsigned short *) + malloc((replace.nentries + 1) * sizeof(unsigned short))) ) print_memory(); cnt = counterchanges; for (i = 0; i < replace.selected_hook; i++) { @@ -813,7 +875,7 @@ struct ebt_u_entry *u_e, *u_e2; if ( (i = check_rule_exists(rule_nr)) == -1 ) - print_error("Sorry, rule does not exists."); + print_error("Sorry, rule does not exists"); // we're deleting a rule replace.num_counters = replace.nentries; @@ -827,7 +889,8 @@ } lentmp += i; // +1 for CNT_END - if ( !(counterchanges = (unsigned short *)malloc((replace.num_counters + 1) * sizeof(unsigned short))) ) + if ( !(counterchanges = (unsigned short *)malloc( + (replace.num_counters + 1) * sizeof(unsigned short))) ) print_memory(); cnt = counterchanges; for (j = 0; j < lentmp; j++) { @@ -871,8 +934,8 @@ if (zerochain == -1) { // tell main() we don't update the counters - // this results in tricking the kernel to zero his counters, naively expecting - // userspace to update its counters. Muahahaha + // this results in tricking the kernel to zero his counters, + // naively expecting userspace to update its counters. Muahahaha counterchanges = NULL; replace.num_counters = 0; } else { @@ -881,7 +944,10 @@ if (replace.hook_entry[zerochain]->nentries == 0) exit(0); - counterchanges = (unsigned short *)malloc((replace.nentries + 1) * sizeof(unsigned short)); + counterchanges = (unsigned short *) + malloc((replace.nentries + 1) * sizeof(unsigned short)); + if (!counterchanges) + print_memory(); cnt = counterchanges; for (i = 0; i < zerochain; i++) { if (!(replace.valid_hooks & (1 << i))) @@ -915,10 +981,12 @@ // 0 : database disabled (-db n) if (!(nr.nentries)) - print_error("Database not present (disabled), try ebtables --db y."); - (nr.nentries)--; - if (!nr.nentries) print_error("Database empty."); - if ( !(db = (struct brdb_dbentry *) malloc(nr.nentries * sizeof(struct brdb_dbentry))) ) + print_error("Database not present" + " (disabled), try ebtables --db y"); + nr.nentries--; + if (!nr.nentries) print_error("Database empty"); + if ( !(db = (struct brdb_dbentry *) + malloc(nr.nentries * sizeof(struct brdb_dbentry))) ) print_memory(); get_db(nr.nentries, db); @@ -931,7 +999,7 @@ "out-if : %s\n" "protocol: ", i + 1, hooknames[db->hook], db->in, db->out); if (db->ethproto == IDENTIFY802_3) - printf("NO PROTO, OLD 802.3 STYLE LENGTH FIELD\n"); + printf("802.2/802.3 STYLE LENGTH FIELD\n"); else { if (number_to_name(ntohs(db->ethproto), name)) printf("%x\n",ntohs(db->ethproto)); @@ -943,13 +1011,13 @@ exit(0); } -// handle counter and db disabling and enabling +// handle db [dis,en]abling static void allowdb(char yorn) { __u16 decision; if (yorn != 'y' && yorn != 'n') - print_error("Option [y] or [n] needed."); + print_error("Option [y] or [n] needed"); if (yorn == 'y') decision = BRDB_DB; @@ -980,7 +1048,8 @@ if (strcasecmp(buffer, name)) continue; i = (unsigned short) strtol(value, &bfr, 16); - if (*bfr != '\0') return -1; + if (*bfr != '\0') + return -1; new_entry->ethproto = i; fclose(ifp); return 0; @@ -1022,7 +1091,7 @@ void check_option(unsigned int *flags, unsigned int mask) { if (*flags & mask) - print_error("Multiple use of same option not allowed."); + print_error("Multiple use of same option not allowed"); *flags |= mask; } @@ -1040,17 +1109,21 @@ { char *buffer, allowbc = 'n'; int c, i; - int zerochain = -1; // this special one for the -Z option (we can have -Z -L ) + // this special one for the -Z option (we can have -Z -L ) + int zerochain = -1; int policy = -1; int rule_nr = -1;// used for -D chain number struct ebt_u_target *t; + struct ebt_u_match *m; + struct ebt_u_watcher *w; + struct ebt_u_match_list *m_l; + struct ebt_u_watcher_list *w_l; - // initialize the table name, OPT_ flags and selected hook + // initialize the table name, OPT_ flags, selected hook and command strcpy(replace.name, "filter"); replace.flags = 0; replace.selected_hook = -1; replace.command = 'h'; - // execute the _init functions of the extensions new_entry = (struct ebt_u_entry *)malloc(sizeof(struct ebt_u_entry)); if (!new_entry) @@ -1059,7 +1132,8 @@ initialize_entry(new_entry); // getopt saves the day - while ((c = getopt_long(argc, argv, "-A:D:I:L::Z::F::P:Vhi:o:j:p:b:s:d:t:", ebt_options, NULL)) != -1) { + while ((c = getopt_long(argc, argv, + "-A:D:I:L::Z::F::P:Vhi:o:j:p:b:s:d:t:", ebt_options, NULL)) != -1) { switch (c) { case 'A': // add a rule @@ -1068,33 +1142,39 @@ case 'I': // insert a rule replace.command = c; if (replace.flags & OPT_COMMAND) - print_error("Multiple commands not allowed."); + print_error("Multiple commands not allowed"); replace.flags |= OPT_COMMAND; if ((replace.selected_hook = get_hooknr(optarg)) == -1) - print_error("Bad chain."); - // '-' denotes another option, if no other option it must be the (optional) rule number - if (c == 'D' && optind < argc && argv[optind][0] != '-') { + print_error("Bad chain"); + if (c == 'D' && optind < argc && + argv[optind][0] != '-') { rule_nr = strtol(argv[optind], &buffer, 10); if (*buffer != '\0' || rule_nr < 0) - print_error("Problem with the specified rule number."); + print_error("Problem with the " + "specified rule number"); optind++; } if (c == 'P') { if (optind >= argc) - print_error("No policy specified."); + print_error("No policy specified"); for (i = 0; i < 2; i++) - if (!strcmp(argv[optind], standard_targets[i])) + if (!strcmp(argv[optind], + standard_targets[i])) { policy = i; + break; + } if (policy == -1) - print_error("Wrong policy."); + print_error("Wrong policy"); optind++; } if (c == 'I') { if (optind >= argc) - print_error("No rulenr for -I specified."); + print_error("No rulenr for -I" + " specified"); rule_nr = strtol(argv[optind], &buffer, 10); if (*buffer != '\0' || rule_nr < 0) - print_error("Problem with the specified rule number."); + print_error("Problem with the specified" + " rule number"); optind++; } break; @@ -1104,24 +1184,29 @@ case 'Z': // zero counters if (c == 'Z') { if (replace.flags & OPT_ZERO) - print_error("Multiple commands not allowed."); - if ( (replace.flags & OPT_COMMAND && replace.command != 'L')) - print_error("command -Z only allowed together with command -L."); + print_error("Multiple commands" + " not allowed"); + if ( (replace.flags & OPT_COMMAND && + replace.command != 'L')) + print_error("command -Z only allowed " + "together with command -L"); replace.flags |= OPT_ZERO; } else { replace.command = c; if (replace.flags & OPT_COMMAND) - print_error("Multiple commands not allowed."); + print_error("Multiple commands" + " not allowed"); replace.flags |= OPT_COMMAND; } i = -1; if (optarg) { if ( (i = get_hooknr(optarg)) == -1 ) - print_error("Bad chain."); + print_error("Bad chain"); } else if (optind < argc && argv[optind][0] != '-') { - if ( (i = get_hooknr(argv[optind])) == -1 ) - print_error("Bad chain."); + if ((i = get_hooknr(argv[optind])) + == -1) + print_error("Bad chain"); optind++; } if (i != -1) { @@ -1135,47 +1220,34 @@ case 'V': // version replace.command = 'V'; if (replace.flags & OPT_COMMAND) - print_error("Multiple commands not allowed."); + print_error("Multiple commands not allowed"); printf("%s, %s\n", prog_name, prog_version); exit(0); case 'h': // help if (replace.flags & OPT_COMMAND) - print_error("Multiple commands not allowed."); + print_error("Multiple commands not allowed"); replace.command = 'h'; // All other arguments should be extension names while (optind < argc) { struct ebt_u_match *m; struct ebt_u_watcher *w; - if ((m = find_match(argv[optind]))) { - struct ebt_u_match_list **m_list, *new; - - m->used = 1; - for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next); - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); - if (!new) - print_memory(); - *m_list = new; - new->next = NULL; - new->m = (struct ebt_entry_match *)m; - } else if ((w = find_watcher(argv[optind]))) { - struct ebt_u_watcher_list **w_list, *new; - w->used = 1; - for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next); - new = (struct ebt_u_watcher_list *)malloc(sizeof(struct ebt_u_watcher_list)); - if (!new) - print_memory(); - *w_list = new; - new->next = NULL; - new->w = (struct ebt_entry_watcher *)w; - } else { + if ((m = find_match(argv[optind]))) + add_match(m); + else if ((w = find_watcher(argv[optind]))) + add_watcher(w); + else { if (!(t = find_target(argv[optind]))) - print_error("Extension %s not found.", argv[optind]); + print_error("Extension %s " + "not found", argv[optind]); if (replace.flags & OPT_JUMP) - print_error("Sorry, you can only see help for one target extension each time."); + print_error("Sorry, you can " + "only see help for one " + "target extension each time"); replace.flags |= OPT_JUMP; - new_entry->t = (struct ebt_entry_target *)t; + new_entry->t = + (struct ebt_entry_target *)t; } optind++; } @@ -1184,7 +1256,7 @@ case 't': // table check_option(&replace.flags, OPT_TABLE); if (strlen(optarg) > EBT_TABLE_MAXNAMELEN) - print_error("Table name too long."); + print_error("Table name too long"); strcpy(replace.name, optarg); break; @@ -1195,56 +1267,69 @@ case 's': // source mac case 'd': // destination mac if ((replace.flags & OPT_COMMAND) == 0) - print_error("No command specified."); - if ( replace.command != 'A' && replace.command != 'D' && replace.command != 'I') - print_error("Command and option do not match."); + print_error("No command specified"); + if ( replace.command != 'A' && + replace.command != 'D' && replace.command != 'I') + print_error("Command and option do not match"); if (c == 'i') { check_option(&replace.flags, OPT_IN); - if (replace.selected_hook == 2) - print_error("Use in-interface only in INPUT, FORWARD and PREROUTING chains."); + if (replace.selected_hook > 2) + print_error("Use in-interface only in " + "INPUT, FORWARD and PREROUTING chains"); if (check_inverse(optarg)) new_entry->invflags |= EBT_IIN; if (optind > argc) - print_error("Missing interface argument."); + print_error("No in-interface " + "specified"); if (strlen(argv[optind - 1]) >= IFNAMSIZ) - print_error("Illegal interfacelength."); - strncpy(new_entry->in, argv[optind - 1], IFNAMSIZ); + print_error("Illegal interfacelength"); + strcpy(new_entry->in, argv[optind - 1]); break; } if (c == 'o') { check_option(&replace.flags, OPT_OUT); - if (replace.selected_hook == 0) - print_error("Use out-interface only in OUTPUT, FORWARD and POSTROUTING chains."); + if (replace.selected_hook < 2) + print_error("Use out-interface only" + " in OUTPUT, FORWARD and " + "POSTROUTING chains"); if (check_inverse(optarg)) new_entry->invflags |= EBT_IOUT; if (optind > argc) - print_error("Missing interface argument."); + print_error("No out-interface " + "specified"); + if (strlen(argv[optind - 1]) >= IFNAMSIZ) - print_error("Illegal interface length."); - strncpy(new_entry->out, argv[optind - 1], IFNAMSIZ); + print_error("Illegal interface " + "length"); + strcpy(new_entry->out, argv[optind - 1]); break; } if (c == 'j') { check_option(&replace.flags, OPT_JUMP); for (i = 0; i < NUM_STANDARD_TARGETS; i++) - if (!strcmp(optarg, standard_targets[i])) { - t = find_target(EBT_STANDARD_TARGET); - ((struct ebt_standard_target *)t->t)->verdict = i; + if (!strcmp(optarg, + standard_targets[i])) { + t = find_target( + EBT_STANDARD_TARGET); + ((struct ebt_standard_target *) + t->t)->verdict = i; break; } // must be an extension then if (i == NUM_STANDARD_TARGETS) { struct ebt_u_target *t; t = find_target(optarg); - if (!t) - print_error("Illegal target name."); - new_entry->t = (struct ebt_entry_target *)t; - } else - ((struct ebt_standard_target *)(((struct ebt_u_target *)new_entry->t)->t))->verdict = i; - + // -j standard not allowed either + if (!t || t == + (struct ebt_u_target *)new_entry->t) + print_error("Illegal target " + "name"); + new_entry->t = + (struct ebt_entry_target *)t; + } break; } if (c == 's') { @@ -1253,9 +1338,12 @@ new_entry->invflags |= EBT_ISOURCE; if (optind > argc) - print_error("Missing source mac argument."); - if (getmac(argv[optind - 1], new_entry->sourcemac)) - print_error("Problem with specified source mac."); + print_error("No source mac " + "specified"); + if (getmac(argv[optind - 1], + new_entry->sourcemac)) + print_error("Problem with specified " + "source mac"); new_entry->bitmask |= EBT_SOURCEMAC; break; } @@ -1265,9 +1353,12 @@ new_entry->invflags |= EBT_IDEST; if (optind > argc) - print_error("Missing destination mac argument."); - if (getmac(argv[optind - 1], new_entry->destmac)) - print_error("Problem with specified destination mac."); + print_error("No destination mac " + "specified"); + if (getmac(argv[optind - 1], + new_entry->destmac)) + print_error("Problem with specified " + "destination mac"); new_entry->bitmask |= EBT_DESTMAC; break; } @@ -1276,22 +1367,26 @@ new_entry->invflags |= EBT_IPROTO; if (optind > argc) - print_error("Missing protocol argument."); + print_error("No protocol specified"); new_entry->bitmask &= ~((unsigned int)EBT_NOPROTO); i = strtol(argv[optind - 1], &buffer, 16); if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) - print_error("Problem with the specified protocol."); + print_error("Problem with the specified " + "protocol"); new_entry->ethproto = i; if (*buffer != '\0') if (name_to_protocol(argv[optind - 1]) == -1) - print_error("Problem with the specified protocol."); - if (new_entry->ethproto < 1536 && !(new_entry->bitmask & EBT_802_3)) - print_error("Sorry, protocols have values above or equal to 1536 (0x0600)."); + print_error("Problem with the specified" + " protocol"); + if (new_entry->ethproto < 1536 && + !(new_entry->bitmask & EBT_802_3)) + print_error("Sorry, protocols have values above" + " or equal to 1536 (0x0600)"); break; case 'b': // allow database? if (replace.flags & OPT_COMMAND) - print_error("Multiple commands not allowed."); + print_error("Multiple commands not allowed"); replace.command = c; allowbc = *optarg; break; @@ -1300,49 +1395,32 @@ // is it a target option? t = (struct ebt_u_target *)new_entry->t; - if (!(t->parse(c - t->option_offset, argv, argc, new_entry, &t->flags, &t->t))) { - struct ebt_u_match *m; - - // is it a match_option? - for (m = matches; m; m = m->next) - if (m->parse(c - m->option_offset, argv, argc, new_entry, &m->flags, &m->m)) - break; + if ((t->parse(c - t->option_offset, argv, argc, + new_entry, &t->flags, &t->t))) + continue; - if (m == NULL) { - struct ebt_u_watcher *w; + // is it a match_option? + for (m = matches; m; m = m->next) + if (m->parse(c - m->option_offset, argv, + argc, new_entry, &m->flags, &m->m)) + break; - // is it a watcher option? - for (w = watchers; w; w = w->next) - if (w->parse(c - w->option_offset, argv, argc, new_entry, &w->flags, &w->w)) - break; - - if (w == NULL) - print_error("Unknown argument."); - if (w->used == 0) { - struct ebt_u_watcher_list **w_list, *new; - w->used = 1; - for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next); - new = (struct ebt_u_watcher_list *)malloc(sizeof(struct ebt_u_watcher_list)); - if (!new) - print_memory(); - *w_list = new; - new->next = NULL; - new->w = (struct ebt_entry_watcher *)w; - } - } else { - if (m->used == 0) { - struct ebt_u_match_list **m_list, *new; - m->used = 1; - for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next); - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); - if (!new) - print_memory(); - *m_list = new; - new->next = NULL; - new->m = (struct ebt_entry_match *)m; - } - } + if (m != NULL) { + if (m->used == 0) + add_match(m); + continue; } + + // is it a watcher option? + for (w = watchers; w; w = w->next) + if (w->parse(c-w->option_offset, argv, + argc, new_entry, &w->flags, &w->w)) + break; + + if (w == NULL) + print_error("Unknown argument"); + if (w->used == 0) + add_watcher(w); } } @@ -1352,43 +1430,40 @@ if (replace.command == 'L' && replace.selected_hook == DATABASEHOOKNR) list_db(); - if ( (replace.flags & OPT_COMMAND) && replace.command != 'L' && replace.flags & OPT_ZERO ) - print_error("Command -Z only allowed together with command -L."); + if ( (replace.flags & OPT_COMMAND) && replace.command != 'L' && + replace.flags & OPT_ZERO ) + print_error("Command -Z only allowed together with command -L"); - if (replace.command == 'A' || replace.command == 'I' || replace.command == 'D') { + if (replace.command == 'A' || replace.command == 'I' || + replace.command == 'D') { if (replace.selected_hook == -1) - print_error("Not enough information."); + print_error("Not enough information"); } if ( !(table = find_table(replace.name)) ) - print_error("Bad table name."); + print_error("Bad table name"); // do this after parsing everything, so we can print specific info if (replace.command == 'h' && !(replace.flags & OPT_ZERO)) print_help(); // do the final checks - { - struct ebt_u_match_list *m_l = new_entry->m_list; - struct ebt_u_match *m; - struct ebt_u_watcher_list *w_l = new_entry->w_list; - struct ebt_u_watcher *w; - struct ebt_u_target *t = (struct ebt_u_target *)new_entry->t; - + m_l = new_entry->m_list; + w_l = new_entry->w_list; + t = (struct ebt_u_target *)new_entry->t; while (m_l) { m = (struct ebt_u_match *)(m_l->m); - m->final_check(new_entry, m->m, replace.name, replace.selected_hook); + m->final_check(new_entry, m->m, replace.name, + replace.selected_hook); m_l = m_l->next; } - while (w_l) { w = (struct ebt_u_watcher *)(w_l->w); - w->final_check(new_entry, w->w, replace.name, replace.selected_hook); + w->final_check(new_entry, w->w, replace.name, + replace.selected_hook); w_l = w_l->next; } - t->final_check(new_entry, t->t, replace.name, replace.selected_hook); - } // so, the extensions can work with the host endian // the kernel does not have to do this ofcourse @@ -1396,10 +1471,10 @@ // get the kernel's information get_table(&replace); - replace.nentries = replace.nentries; // check if selected_hook is a valid_hook - if (replace.selected_hook >= 0 && !(replace.valid_hooks & (1 << replace.selected_hook))) - print_error("Bad chain name."); + if (replace.selected_hook >= 0 && + !(replace.valid_hooks & (1 << replace.selected_hook))) + print_error("Bad chain name"); if (replace.command == 'P') change_policy(policy); else if (replace.command == 'L') { --- ebtables-v2.0pre2.001/communication.c Wed Apr 3 17:22:39 2002 +++ ebtables-v2.0pre2.002/communication.c Wed Apr 10 22:10:49 2002 @@ -25,12 +25,6 @@ extern char* hooknames[NF_BR_NUMHOOKS]; -void print_memory() -{ - printf("Out of memory\n"); - exit(0); -} - int sockfd = -1; void get_sockfd() @@ -38,7 +32,7 @@ if (sockfd == -1) { sockfd = socket(AF_INET, SOCK_RAW, PF_INET); if (sockfd < 0) - print_error("Problem getting a socket."); + print_error("Problem getting a socket"); } } @@ -60,7 +54,8 @@ new->nentries = u_repl->nentries; new->num_counters = u_repl->num_counters; new->counters = u_repl->counters; - memcpy(new->counter_entry, u_repl->counter_entry, sizeof(new->counter_entry)); + memcpy(new->counter_entry, u_repl->counter_entry, + sizeof(new->counter_entry)); // determine size for (i = 0; i < NF_BR_NUMHOOKS; i++) { if (!(new->valid_hooks & (1 << i))) @@ -86,7 +81,8 @@ } // a little sanity check if (j != u_repl->hook_entry[i]->nentries) - print_bug("Wrong nentries: %d != %d, hook = %s", j, u_repl->hook_entry[i]->nentries, hooknames[i]); + print_bug("Wrong nentries: %d != %d, hook = %s", j, + u_repl->hook_entry[i]->nentries, hooknames[i]); } new->entries_size = entries_size; @@ -116,7 +112,8 @@ tmp->ethproto = e->ethproto; memcpy(tmp->in, e->in, sizeof(tmp->in)); memcpy(tmp->out, e->out, sizeof(tmp->out)); - memcpy(tmp->sourcemac, e->sourcemac, sizeof(tmp->sourcemac)); + memcpy(tmp->sourcemac, e->sourcemac, + sizeof(tmp->sourcemac)); memcpy(tmp->destmac, e->destmac, sizeof(tmp->destmac)); base = p; @@ -159,11 +156,13 @@ // give the data to the kernel optlen = sizeof(struct ebt_replace) + repl->entries_size; if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen)) - print_error("Couldn't update kernel chains, you probably need to insmod an extension."); + print_error("Couldn't update kernel chains, you probably need " + "to insmod an extension"); } // gets executed after deliver_table -void deliver_counters(struct ebt_u_replace *u_repl, unsigned short *counterchanges) +void +deliver_counters(struct ebt_u_replace *u_repl, unsigned short *counterchanges) { unsigned short *point; struct ebt_counter *old, *new, *newcounters; @@ -173,7 +172,8 @@ if (u_repl->nentries == 0) return; - newcounters = (struct ebt_counter *)malloc(u_repl->nentries * sizeof(struct ebt_counter)); + newcounters = (struct ebt_counter *) + malloc(u_repl->nentries * sizeof(struct ebt_counter)); if (!newcounters) print_memory(); memset(newcounters, 0, u_repl->nentries * sizeof(struct ebt_counter)); @@ -208,7 +208,8 @@ free(u_repl->counters); u_repl->counters = newcounters; u_repl->num_counters = u_repl->nentries; - optlen = u_repl->nentries * sizeof(struct ebt_counter) + sizeof(struct ebt_replace); + optlen = u_repl->nentries * sizeof(struct ebt_counter) + + sizeof(struct ebt_replace); // now put the stuff in the kernel's struct ebt_replace repl.counters = u_repl->counters; repl.num_counters = u_repl->num_counters; @@ -224,7 +225,8 @@ { struct ebt_u_match_list *new; - new = (struct ebt_u_match_list *)malloc(sizeof(struct ebt_u_match_list)); + new = (struct ebt_u_match_list *) + malloc(sizeof(struct ebt_u_match_list)); if (!new) print_memory(); new->m = (struct ebt_entry_match *)malloc(m->match_size); @@ -235,12 +237,14 @@ **l = new; *l = &new->next; if (find_match(new->m->u.name) == NULL) - print_error("Kernel match %s unsupported by userspace tool.", new->m->u.name); + print_error("Kernel match %s unsupported by userspace tool", + new->m->u.name); return 0; } static int -ebt_translate_watcher(struct ebt_entry_watcher *w, struct ebt_u_watcher_list ***l) +ebt_translate_watcher(struct ebt_entry_watcher *w, + struct ebt_u_watcher_list ***l) { struct ebt_u_watcher_list *new; @@ -255,13 +259,15 @@ **l = new; *l = &new->next; if (find_watcher(new->w->u.name) == NULL) - print_error("Kernel watcher %s unsupported by userspace tool.", new->w->u.name); + print_error("Kernel watcher %s unsupported by userspace tool", + new->w->u.name); return 0; } static int -ebt_translate_entry(struct ebt_entry *e, unsigned int *hook, int *n, int *cnt, int *totalcnt, - struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, unsigned int valid_hooks) +ebt_translate_entry(struct ebt_entry *e, unsigned int *hook, int *n, int *cnt, + int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl, + unsigned int valid_hooks) { // an entry if (e->bitmask & EBT_ENTRY_OR_ENTRIES) { @@ -295,7 +301,8 @@ if (!new->t) print_memory(); if (find_target(t->u.name) == NULL) - print_error("Kernel target %s unsupported by userspace tool.", t->u.name); + print_error("Kernel target %s unsupported by " + "userspace tool", t->u.name); memcpy(new->t, t, t->target_size); // I love pointers @@ -304,7 +311,7 @@ (*cnt)++; (*totalcnt)++; return 0; - } else {// a new chain + } else { // a new chain int i; struct ebt_entries *entries = (struct ebt_entries *)e; struct ebt_u_entries *new; @@ -319,7 +326,8 @@ print_bug("Nr of entries in the chain is wrong"); *n = entries->nentries; *cnt = 0; - new = (struct ebt_u_entries *)malloc(sizeof(struct ebt_u_entries)); + new = (struct ebt_u_entries *) + malloc(sizeof(struct ebt_u_entries)); if (!new) print_memory(); new->nentries = entries->nentries; @@ -344,12 +352,14 @@ optlen = sizeof(struct ebt_replace); strcpy(repl.name, u_repl->name); if (getsockopt(sockfd, IPPROTO_IP, EBT_SO_GET_INFO, &repl, &optlen)) - print_bug("hmm, what is wrong??? bug#3"); + print_error("A kernel module needed by your command is probably" + " not loaded. Try insmod ebtables or the like"); if ( !(repl.entries = (char *) malloc(repl.entries_size)) ) print_memory(); if (repl.nentries) { - if (!(repl.counters = (struct ebt_counter *) malloc(repl.nentries * sizeof(struct ebt_counter))) ) + if (!(repl.counters = (struct ebt_counter *) + malloc(repl.nentries * sizeof(struct ebt_counter))) ) print_memory(); } else @@ -357,7 +367,8 @@ // we want to receive the counters repl.num_counters = repl.nentries; - optlen += repl.entries_size + repl.num_counters * sizeof(struct ebt_counter); + optlen += repl.entries_size + repl.num_counters * + sizeof(struct ebt_counter); if (getsockopt(sockfd, IPPROTO_IP, EBT_SO_GET_ENTRIES, &repl, &optlen)) print_bug("hmm, what is wrong??? bug#1"); @@ -367,12 +378,15 @@ u_repl->nentries = repl.nentries; u_repl->num_counters = repl.num_counters; u_repl->counters = repl.counters; - memcpy(u_repl->counter_entry, repl.counter_entry, sizeof(repl.counter_entry)); + memcpy(u_repl->counter_entry, repl.counter_entry, + sizeof(repl.counter_entry)); hook = -1; i = 0; // holds the expected nr. of entries for the chain j = 0; // holds the up to now counted entries for the chain - k = 0; // holds the total nr. of entries, should equal u_repl->nentries afterwards - EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks); + k = 0; // holds the total nr. of entries, + // should equal u_repl->nentries afterwards + EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry, + &hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks); if (k != u_repl->nentries) print_bug("Wrong total nentries"); } @@ -384,7 +398,8 @@ get_sockfd(); if (getsockopt(sockfd, IPPROTO_IP, BRDB_SO_GET_DBINFO, nr, &optlen)) - print_error("Sorry, br_db code probably not in kernel, try insmod br_db."); + print_error("Sorry, br_db code probably not in kernel, " + "try insmod br_db"); } void get_db(int len, struct brdb_dbentry *db) @@ -405,5 +420,6 @@ get_sockfd(); if (setsockopt(sockfd, IPPROTO_IP, BRDB_SO_SET_ALLOWDB, decision, optlen)) - print_error("Sorry, br_db code probably not in kernel, try insmod br_db."); + print_error("Sorry, br_db code probably not in kernel, " + "try insmod br_db"); } --- ebtables-v2.0pre2.001/extensions/ebt_nat.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebt_nat.c Thu Apr 11 18:12:55 2002 @@ -52,8 +52,9 @@ } #define OPT_SNAT 0x01 -static int parse_s(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_target **target) +static int parse_s(int c, char **argv, int argc, + const struct ebt_u_entry *entry, unsigned int *flags, + struct ebt_entry_target **target) { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data; @@ -62,7 +63,7 @@ check_option(flags, OPT_SNAT); to_source_supplied = 1; if (getmac(optarg, natinfo->mac)) - print_error("Problem with specified to-source mac."); + print_error("Problem with specified to-source mac"); break; default: return 0; @@ -71,8 +72,9 @@ } #define OPT_DNAT 0x01 -static int parse_d(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_target **target) +static int parse_d(int c, char **argv, int argc, + const struct ebt_u_entry *entry, unsigned int *flags, + struct ebt_entry_target **target) { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data; @@ -81,7 +83,8 @@ check_option(flags, OPT_DNAT); to_dest_supplied = 1; if (getmac(optarg, natinfo->mac)) - print_error("Problem with specified to-destination mac."); + print_error("Problem with specified " + "to-destination mac"); break; default: return 0; @@ -89,44 +92,52 @@ return 1; } -static void final_check_s(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) +static void final_check_s(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target, const char *name, unsigned int hook) { if (hook != NF_BR_POST_ROUTING || strcmp(name, "nat")) - print_error("Wrong chain for SNAT."); + print_error("Wrong chain for SNAT"); if (to_source_supplied == 0) - print_error("No snat address supplied."); + print_error("No snat address supplied"); } -static void final_check_d(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) +static void final_check_d(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target, const char *name, unsigned int hook) { - if ( (hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) || strcmp(name, "nat") ) - print_error("Wrong chain for DNAT."); + if ( (hook != NF_BR_PRE_ROUTING && hook != NF_BR_LOCAL_OUT) || + strcmp(name, "nat") ) + print_error("Wrong chain for DNAT"); if (to_dest_supplied == 0) - print_error("No dnat address supplied."); + print_error("No dnat address supplied"); } -static void print_s(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) +static void print_s(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target) { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; int i; printf("snat - to: "); for (i = 0; i < ETH_ALEN; i++) - printf("%02x%s", natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); + printf("%02x%s", + natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); } -static void print_d(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) +static void print_d(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target) { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; int i; printf("dnat - to: "); for (i = 0; i < ETH_ALEN; i++) - printf("%02x%s", natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); + printf("%02x%s", + natinfo->mac[i], (i == ETH_ALEN - 1) ? "" : ":"); } -static int compare(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2) +static int compare(const struct ebt_entry_target *t1, + const struct ebt_entry_target *t2) { struct ebt_nat_info *natinfo1 = (struct ebt_nat_info *)t1->data; struct ebt_nat_info *natinfo2 = (struct ebt_nat_info *)t2->data; --- ebtables-v2.0pre2.001/extensions/ebt_ip.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebt_ip.c Wed Apr 10 23:28:40 2002 @@ -40,16 +40,16 @@ return -1; *q = '\0'; onebyte = strtol(p, &end, 10); - if (*end != '\0' || onebyte >255 || onebyte < 0) + if (*end != '\0' || onebyte > 255 || onebyte < 0) return -1; - ip2[i] = (unsigned char) onebyte; + ip2[i] = (unsigned char)onebyte; p = q + 1; } onebyte = strtol(p, &end, 10); if (*end != '\0' || onebyte >255 || onebyte < 0) return -1; - ip2[3] = (unsigned char) onebyte; + ip2[3] = (unsigned char)onebyte; return 0; } @@ -88,15 +88,15 @@ *p = '\0'; i = ip_mask(p + 1, (unsigned char *)msk); if (i) - print_error("Problem with the ip mask."); + print_error("Problem with the ip mask"); } else *msk = 0xFFFFFFFF; i = undot_ip(address, (unsigned char *)addr); - *addr = *addr & *msk; if (i) - print_error("Problem with the ip address."); + print_error("Problem with the ip address"); + *addr = *addr & *msk; } // transform the ip mask into a string ready for output @@ -106,7 +106,6 @@ static char buf[20]; __u32 maskaddr, bits; - // cool hack I copied from iptables.c ... Think about it :-) maskaddr = ntohl(mask); // don't print /32 @@ -114,7 +113,7 @@ return ""; i = 32; - bits = 0xFFFFFFFEL;// case 0xFFFFFFFF has just been dealt with + bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with while (--i >= 0 && maskaddr != bits) bits <<= 1; @@ -123,9 +122,10 @@ else if (!i) *buf = '\0'; else - /* mask was not a decent combination of 1's and 0's */ - sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], ((unsigned char *)&mask)[1], - ((unsigned char *)&mask)[2], ((unsigned char *)&mask)[3]); + // mask was not a decent combination of 1's and 0's + sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0], + ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2], + ((unsigned char *)&mask)[3]); return buf; } @@ -133,11 +133,11 @@ static void print_help() { printf( - "ip options:\n" - "--ip-src [!] address[/mask]: ip source specification\n" - "--ip-dst [!] address[/mask]: ip destination specification\n" - "--ip-tos [!] tos : ip tos specification\n" - "--ip-proto [!] protocol : ip protocol specification\n"); +"ip options:\n" +"--ip-src [!] address[/mask]: ip source specification\n" +"--ip-dst [!] address[/mask]: ip destination specification\n" +"--ip-tos [!] tos : ip tos specification\n" +"--ip-proto [!] protocol : ip protocol specification\n"); } static void init(struct ebt_entry_match *match) @@ -152,9 +152,8 @@ #define OPT_DEST 0x02 #define OPT_TOS 0x04 #define OPT_PROTO 0x08 -static int parse(int c, char **argv, int argc, - const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_match **match) +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, + unsigned int *flags, struct ebt_entry_match **match) { struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)(*match)->data; char *end, *buffer; @@ -163,13 +162,13 @@ switch (c) { case IP_SOURCE: check_option(flags, OPT_SOURCE); + ipinfo->bitmask |= EBT_IP_SOURCE; + case IP_DEST: - if (c == IP_DEST) + if (c == IP_DEST) { check_option(flags, OPT_DEST); - if (c == IP_SOURCE) - ipinfo->bitmask |= EBT_IP_SOURCE; - else ipinfo->bitmask |= EBT_IP_DEST; + } if (check_inverse(optarg)) { if (c == IP_SOURCE) ipinfo->invflags |= EBT_IP_SOURCE; @@ -178,34 +177,38 @@ } if (optind > argc) - print_error("Missing ip address argument."); + print_error("Missing ip address argument"); if (c == IP_SOURCE) - parse_ip_address(argv[optind - 1], &ipinfo->saddr, &ipinfo->smsk); + parse_ip_address(argv[optind - 1], &ipinfo->saddr, + &ipinfo->smsk); else - parse_ip_address(argv[optind - 1], &ipinfo->daddr, &ipinfo->dmsk); + parse_ip_address(argv[optind - 1], &ipinfo->daddr, + &ipinfo->dmsk); break; + case IP_myTOS: check_option(flags, OPT_TOS); if (check_inverse(optarg)) ipinfo->invflags |= EBT_IP_TOS; if (optind > argc) - print_error("Missing ip tos argument."); + print_error("Missing ip tos argument"); i = strtol(argv[optind - 1], &end, 16); if (i < 0 || i > 255 || *buffer != '\0') - print_error("Problem with specified ip tos."); + print_error("Problem with specified ip tos"); ipinfo->tos = i; ipinfo->bitmask |= EBT_IP_TOS; break; + case IP_PROTO: check_option(flags, OPT_PROTO); if (check_inverse(optarg)) ipinfo->invflags |= EBT_IP_PROTO; if (optind > argc) - print_error("Missing ip protocol argument."); + print_error("Missing ip protocol argument"); i = strtol(argv[optind - 1], &end, 10); if (i < 0 || i > 255 || *end != '\0') - print_error("Problem with specified ip protocol."); + print_error("Problem with specified ip protocol"); ipinfo->protocol = i; ipinfo->bitmask |= EBT_IP_PROTO; break; @@ -215,13 +218,17 @@ return 1; } -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook) +static void final_check(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match, const char *name, unsigned int hook) { - if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || entry->ethproto != ETH_P_IP) - print_error("For IP filtering the protocol must be specified as IPV4."); + if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || + entry->ethproto != ETH_P_IP) + print_error("For IP filtering the protocol must be " + "specified as IPv4"); } -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match) { struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)match->data; int j; @@ -231,7 +238,8 @@ if (ipinfo->invflags & EBT_IP_SOURCE) printf("! "); for (j = 0; j < 4; j++) - printf("%d%s", ((unsigned char *)&ipinfo->saddr)[j], (j == 3) ? "" : "."); + printf("%d%s",((unsigned char *)&ipinfo->saddr)[j], + (j == 3) ? "" : "."); printf("%s, ", mask_to_dotted(ipinfo->smsk)); } if (ipinfo->bitmask & EBT_IP_DEST) { @@ -239,7 +247,8 @@ if (ipinfo->invflags & EBT_IP_DEST) printf("! "); for (j = 0; j < 4; j++) - printf("%d%s", ((unsigned char *)&ipinfo->daddr)[j], (j == 3) ? "" : "."); + printf("%d%s", ((unsigned char *)&ipinfo->daddr)[j], + (j == 3) ? "" : "."); printf("%s, ", mask_to_dotted(ipinfo->dmsk)); } if (ipinfo->bitmask & EBT_IP_TOS) { @@ -256,7 +265,8 @@ } } -static int compare(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2) +static int compare(const struct ebt_entry_match *m1, + const struct ebt_entry_match *m2) { struct ebt_ip_info *ipinfo1 = (struct ebt_ip_info *)m1->data; struct ebt_ip_info *ipinfo2 = (struct ebt_ip_info *)m2->data; --- ebtables-v2.0pre2.001/extensions/ebt_arp.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebt_arp.c Wed Apr 10 23:05:29 2002 @@ -44,20 +44,20 @@ int i = 0; printf( - "arp options:\n" - "--arp-opcode opcode : ARP opcode (integer or string)\n" - "--arp-htype type : ARP hardware type (integer or string)\n" - "--arp-ptype type : ARP protocol type (hexadecimal or string)\n" - "--arp-ip-src [!] address[/mask]: ARP ip source specification\n" - "--arp-ip-dst [!] address[/mask]: ARP ip target specification\n" - " opcode strings: \n"); +"arp options:\n" +"--arp-opcode opcode : ARP opcode (integer or string)\n" +"--arp-htype type : ARP hardware type (integer or string)\n" +"--arp-ptype type : ARP protocol type (hexadecimal or string)\n" +"--arp-ip-src [!] address[/mask]: ARP ip source specification\n" +"--arp-ip-dst [!] address[/mask]: ARP ip target specification\n" +" opcode strings: \n"); while (strcmp(opcodes[i], "")) { printf("%d = %s\n", i + 1, opcodes[i]); i++; } printf( - " hardware type string: \n 1 = Ethernet\n" - " protocol type string: \n 0x0800 = IPv4\n"); +" hardware type string: \n 1 = Ethernet\n" +" protocol type string: \n 0x0800 = IPv4\n"); } static void init(struct ebt_entry_match *match) @@ -68,7 +68,8 @@ arpinfo->bitmask = 0; } -void parse_ip_address(char *address, __u32 *addr, __u32 *msk); // defined in ebt_ip.c +// defined in ebt_ip.c +void parse_ip_address(char *address, __u32 *addr, __u32 *msk); #define OPT_OPCODE 0x01 #define OPT_HTYPE 0x02 @@ -87,15 +88,14 @@ switch (c) { case ARP_OPCODE: - check_option(flags, OPT_OPCODE); if (check_inverse(optarg)) arpinfo->invflags |= EBT_ARP_OPCODE; if (optind > argc) - print_error("Missing arp opcode argument."); + print_error("Missing arp opcode argument"); i = strtol(argv[optind - 1], &end, 10); - if (i < 0 || i > (0x1 << 16) || *end !='\0') { + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { i = 0; while (strcmp(opcodes[i], "")) { if (!strcasecmp(opcodes[i], optarg)) @@ -103,7 +103,8 @@ i++; } if (!strcmp(opcodes[i], "")) - print_error("Problem with specified arp opcode."); + print_error("Problem with specified " + "arp opcode"); } arpinfo->opcode = htons(i); arpinfo->bitmask |= EBT_ARP_OPCODE; @@ -115,13 +116,14 @@ arpinfo->invflags |= EBT_ARP_HTYPE; if (optind > argc) - print_error("Missing arp hardware type argument."); + print_error("Missing arp hardware type argument"); i = strtol(argv[optind - 1], &end, 10); - if (i < 0 || i > (0x1 << 16) || *end !='\0') { + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { if (!strcasecmp("Ethernet", argv[optind - 1])) i = 1; else - print_error("Problem with specified arp hardware type."); + print_error("Problem with specified arp " + "hardware type"); } arpinfo->htype = htons(i); arpinfo->bitmask |= EBT_ARP_HTYPE; @@ -133,13 +135,14 @@ arpinfo->invflags |= EBT_ARP_PTYPE; if (optind > argc) - print_error("Missing arp protocol type argument."); + print_error("Missing arp protocol type argument"); i = strtol(argv[optind - 1], &end, 16); - if (i < 0 || i > (0x1 << 16) || *end !='\0') { + if (i < 0 || i >= (0x1 << 16) || *end !='\0') { if (!strcasecmp("IPv4", argv[optind - 1])) i = 0x0800; else - print_error("Problem with specified arp protocol type."); + print_error("Problem with specified arp " + "protocol type"); } arpinfo->ptype = htons(i); arpinfo->bitmask |= EBT_ARP_PTYPE; @@ -165,7 +168,7 @@ arpinfo->invflags |= EBT_ARP_DST_IP; } if (optind > argc) - print_error("Missing ip address argument."); + print_error("Missing ip address argument"); parse_ip_address(argv[optind - 1], addr, mask); break; default: @@ -174,14 +177,19 @@ return 1; } -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook) +static void final_check(const struct ebt_u_entry *entry, +const struct ebt_entry_match *match, const char *name, unsigned int hook) { - if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || (entry->ethproto != ETH_P_ARP && entry->ethproto != ETH_P_RARP)) - print_error("For (R)ARP filtering the protocol must be specified as ARP or RARP."); + if (entry->bitmask & EBT_NOPROTO || entry->bitmask & EBT_802_3 || + (entry->ethproto != ETH_P_ARP && entry->ethproto != ETH_P_RARP)) + print_error("For (R)ARP filtering the protocol must be " + "specified as ARP or RARP"); } -char *mask_to_dotted(__u32 mask); // defined in the ebt_ip.c -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) +// defined in the ebt_ip.c +char *mask_to_dotted(__u32 mask); +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match) { struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data; int i; @@ -209,7 +217,8 @@ if (arpinfo->invflags & EBT_ARP_SRC_IP) printf("! "); for (i = 0; i < 4; i++) - printf("%d%s", ((unsigned char *)&arpinfo->saddr)[i], (i == 3) ? "" : "."); + printf("%d%s", ((unsigned char *)&arpinfo->saddr)[i], + (i == 3) ? "" : "."); printf("%s, ", mask_to_dotted(arpinfo->smsk)); } if (arpinfo->bitmask & EBT_ARP_DST_IP) { @@ -217,12 +226,14 @@ if (arpinfo->invflags & EBT_ARP_DST_IP) printf("! "); for (i = 0; i < 4; i++) - printf("%d%s", ((unsigned char *)&arpinfo->daddr)[i], (i == 3) ? "" : "."); + printf("%d%s", ((unsigned char *)&arpinfo->daddr)[i], + (i == 3) ? "" : "."); printf("%s, ", mask_to_dotted(arpinfo->dmsk)); } } -static int compare(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2) +static int compare(const struct ebt_entry_match *m1, + const struct ebt_entry_match *m2) { struct ebt_arp_info *arpinfo1 = (struct ebt_arp_info *)m1->data; struct ebt_arp_info *arpinfo2 = (struct ebt_arp_info *)m2->data; --- ebtables-v2.0pre2.001/extensions/ebt_log.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebt_log.c Wed Apr 10 23:51:18 2002 @@ -9,14 +9,14 @@ // copied from syslog.h // used for the LOG target -#define LOG_EMERG 0 /* system is unusable */ -#define LOG_ALERT 1 /* action must be taken immediately */ -#define LOG_CRIT 2 /* critical conditions */ -#define LOG_ERR 3 /* error conditions */ -#define LOG_WARNING 4 /* warning conditions */ -#define LOG_NOTICE 5 /* normal but significant condition */ -#define LOG_INFO 6 /* informational */ -#define LOG_DEBUG 7 /* debug-level messages */ +#define LOG_EMERG 0 // system is unusable +#define LOG_ALERT 1 // action must be taken immediately +#define LOG_CRIT 2 // critical conditions +#define LOG_ERR 3 // error conditions +#define LOG_WARNING 4 // warning conditions +#define LOG_NOTICE 5 // normal but significant condition +#define LOG_INFO 6 // informational +#define LOG_DEBUG 7 // debug-level messages #define LOG_DEFAULT_LEVEL LOG_INFO typedef struct _code { @@ -70,16 +70,17 @@ int i; printf( - "log options:\n" - "--log : use this if you're not specifying anything\n" - "--log-level level : level = [1-8] or a string\n" - "--log-prefix prefix : max. %d chars.\n" - "--log-ip : put ip info. in the log for ip packets\n" - "--log-arp : put (r)arp info. in the log for (r)arp packets\n" +"log options:\n" +"--log : use this if you're not specifying anything\n" +"--log-level level : level = [1-8] or a string\n" +"--log-prefix prefix : max. %d chars.\n" +"--log-ip : put ip info. in the log for ip packets\n" +"--log-arp : put (r)arp info. in the log for (r)arp packets\n" , EBT_LOG_PREFIX_SIZE - 1); printf("levels:\n"); for (i = 0; i < 8; i++) - printf("%d = %s\n", eight_priority[i].c_val, eight_priority[i].c_name); + printf("%d = %s\n", eight_priority[i].c_val, + eight_priority[i].c_name); } static void init(struct ebt_entry_watcher *watcher) @@ -88,7 +89,7 @@ loginfo->bitmask = 0; loginfo->prefix[0] = '\0'; - loginfo->loglevel = 6; + loginfo->loglevel = LOG_NOTICE; } #define OPT_PREFIX 0x01 @@ -96,9 +97,8 @@ #define OPT_ARP 0x04 #define OPT_IP 0x08 #define OPT_LOG 0x10 -static int parse(int c, char **argv, int argc, - const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_watcher **watcher) +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, + unsigned int *flags, struct ebt_entry_watcher **watcher) { struct ebt_log_info *loginfo = (struct ebt_log_info *)(*watcher)->data; int i; @@ -108,9 +108,10 @@ case LOG_PREFIX: check_option(flags, OPT_PREFIX); if (strlen(optarg) > sizeof(loginfo->prefix) - 1) - print_error("Prefix too long."); + print_error("Prefix too long"); strcpy(loginfo->prefix, optarg); break; + case LOG_LEVEL: check_option(flags, OPT_LEVEL); i = strtol(optarg, &end, 16); @@ -119,16 +120,19 @@ else loginfo->loglevel = i; if (loginfo->loglevel == 9) - print_error("Problem with the log-level."); + print_error("Problem with the log-level"); break; + case LOG_IP: check_option(flags, OPT_IP); loginfo->bitmask |= EBT_LOG_IP; break; + case LOG_ARP: check_option(flags, OPT_ARP); loginfo->bitmask |= EBT_LOG_ARP; break; + case LOG_LOG: check_option(flags, OPT_LOG); break; @@ -138,16 +142,18 @@ return 1; } -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher, const char *name, unsigned int hook) +static void final_check(const struct ebt_u_entry *entry, + const struct ebt_entry_watcher *watcher, const char *name, unsigned int hook) { return; } -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher) +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_watcher *watcher) { struct ebt_log_info *loginfo = (struct ebt_log_info *)watcher->data; - printf("log: log-level = %s - log-prefix = '%s'", + printf("log: log-level = %s - log-prefix = \"%s\"", eight_priority[loginfo->loglevel].c_name, loginfo->prefix); if (loginfo->bitmask & EBT_LOG_IP) @@ -157,7 +163,8 @@ printf(" "); } -static int compare(const struct ebt_entry_watcher *w1, const struct ebt_entry_watcher *w2) +static int compare(const struct ebt_entry_watcher *w1, + const struct ebt_entry_watcher *w2) { struct ebt_log_info *loginfo1 = (struct ebt_log_info *)w1->data; struct ebt_log_info *loginfo2 = (struct ebt_log_info *)w2->data; --- ebtables-v2.0pre2.001/extensions/ebt_standard.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebt_standard.c Thu Apr 11 18:14:07 2002 @@ -19,17 +19,19 @@ ((struct ebt_standard_target *)t)->verdict = EBT_CONTINUE; } -static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_target **target) +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, + unsigned int *flags, struct ebt_entry_target **target) { return 0; } -static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook) +static void final_check(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target, const char *name, unsigned int hook) { } -static void print(const struct ebt_u_entry *entry, const struct ebt_entry_target *target) +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target) { __u8 verdict = ((struct ebt_standard_target *)target)->verdict; @@ -41,9 +43,11 @@ printf("Drop "); } -static int compare(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2) +static int compare(const struct ebt_entry_target *t1, + const struct ebt_entry_target *t2) { - return ((struct ebt_standard_target *)t1)->verdict == ((struct ebt_standard_target *)t2)->verdict; + return ((struct ebt_standard_target *)t1)->verdict == + ((struct ebt_standard_target *)t2)->verdict; } static struct ebt_u_target standard = --- ebtables-v2.0pre2.001/extensions/ebtable_filter.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebtable_filter.c Thu Apr 11 18:14:40 2002 @@ -3,7 +3,8 @@ #include #include "../include/ebtables_u.h" -#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | (1 << NF_BR_LOCAL_OUT)) +#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \ + (1 << NF_BR_LOCAL_OUT)) static void print_help(char **hn) { --- ebtables-v2.0pre2.001/extensions/ebtable_nat.c Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/extensions/ebtable_nat.c Thu Apr 11 18:14:57 2002 @@ -2,7 +2,8 @@ #include #include "../include/ebtables_u.h" -#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | (1 << NF_BR_POST_ROUTING)) +#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | \ + (1 << NF_BR_POST_ROUTING)) static void print_help(char **hn) { --- ebtables-v2.0pre2.001/ChangeLog Wed Apr 3 16:56:37 2002 +++ ebtables-v2.0pre2.002/ChangeLog Thu Apr 11 18:26:21 2002 @@ -1,3 +1,12 @@ +20020411 + * -j standard no longer works, is this cryptic? good :) + * lots of beautification. + - made some code smaller + - made everything fit within 80 columns + * fix problems with -i and -o option + * print_memory now prints useful info + * trying to see the tables when ebtables is not loaded in kernel + no longer makes this be seen as a bug. 20020403 ebtables v2.0 released, changes: * A complete rewrite, made everything modular. --- ebtables-v2.0pre2.001/include/ebtables_u.h Thu Apr 11 18:27:45 2002 +++ ebtables-v2.0pre2.002/include/ebtables_u.h Wed Apr 10 22:29:01 2002 @@ -38,20 +38,28 @@ { char name[EBT_TABLE_MAXNAMELEN]; unsigned int valid_hooks; - unsigned int nentries; // nr of rules in the table + // nr of rules in the table + unsigned int nentries; struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS]; - unsigned int counter_entry[NF_BR_NUMHOOKS]; // how many counters in front of it? - unsigned int num_counters; // nr of counters the userspace expects back - struct ebt_counter *counters; // where the kernel will put the old counters - unsigned int flags; // can be used e.g. to know if a standard option has been specified twice - char command; // we stick the specified command (e.g. -A) in here - int selected_hook; // here we stick the hook to do our thing on (can be -1 if unspecified) + // how many counters in front of it? + unsigned int counter_entry[NF_BR_NUMHOOKS]; + // nr of counters userspace expects back + unsigned int num_counters; + // where the kernel will put the old counters + struct ebt_counter *counters; + // can be used e.g. to know if a standard option + // has been specified twice + unsigned int flags; + // we stick the specified command (e.g. -A) in here + char command; + // here we stick the hook to do our thing on (can be -1 if unspecified) + int selected_hook; }; struct ebt_u_table { char name[EBT_TABLE_MAXNAMELEN]; - int (*check) (struct ebt_u_replace *repl); + int (*check)(struct ebt_u_replace *repl); void (*help)(char **); struct ebt_u_table *next; }; @@ -70,9 +78,9 @@ struct ebt_u_entry { - __u32 bitmask; // this needs to be the first field + __u32 bitmask; __u32 invflags; - __u16 ethproto; /* packet type ID field */ + __u16 ethproto; __u8 in[IFNAMSIZ]; __u8 out[IFNAMSIZ]; __u8 sourcemac[ETH_ALEN]; @@ -86,35 +94,47 @@ struct ebt_u_match { char name[EBT_FUNCTION_MAXNAMELEN]; - unsigned int size;// size of the real match data + // size of the real match data + sizeof struct ebt_match + unsigned int size; void (*help)(void); void (*init)(struct ebt_entry_match *m); int (*parse)(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, struct ebt_entry_match **match); - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hook); - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_match *match); - int (*compare)(const struct ebt_entry_match *m1, const struct ebt_entry_match *m2); + void (*final_check)(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match, + const char *name, unsigned int hook); + void (*print)(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match); + int (*compare)(const struct ebt_entry_match *m1, + const struct ebt_entry_match *m2); const struct option *extra_ops; - unsigned int flags;// can be used e.g. to check for multiple occurance of the same option + // can be used e.g. to check for multiple occurance of the same option + unsigned int flags; unsigned int option_offset; struct ebt_entry_match *m; - unsigned int used;// if used == 1 we no longer have to add it to the match chain of the new entry + // if used == 1 we no longer have to add it to + // the match chain of the new entry + unsigned int used; struct ebt_u_match *next; }; struct ebt_u_watcher { char name[EBT_FUNCTION_MAXNAMELEN]; - unsigned int size;// size of the real match data + unsigned int size; void (*help)(void); void (*init)(struct ebt_entry_watcher *w); int (*parse)(int c, char **argv, int argc, - const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_watcher **watcher); - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watch, const char *name, unsigned int hook); - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher); - int (*compare)(const struct ebt_entry_watcher *w1, const struct ebt_entry_watcher *w2); + const struct ebt_u_entry *entry, unsigned int *flags, + struct ebt_entry_watcher **watcher); + void (*final_check)(const struct ebt_u_entry *entry, + const struct ebt_entry_watcher *watch, const char *name, + unsigned int hook); + void (*print)(const struct ebt_u_entry *entry, + const struct ebt_entry_watcher *watcher); + int (*compare)(const struct ebt_entry_watcher *w1, + const struct ebt_entry_watcher *w2); const struct option *extra_ops; unsigned int flags; unsigned int option_offset; @@ -126,14 +146,19 @@ struct ebt_u_target { char name[EBT_FUNCTION_MAXNAMELEN]; - unsigned int size;// size of the real match data + unsigned int size; void (*help)(void); void (*init)(struct ebt_entry_target *t); - int (*parse)(int c, char **argv, int argc, const struct ebt_u_entry *entry, unsigned int *flags, - struct ebt_entry_target **target); - void (*final_check)(const struct ebt_u_entry *entry, const struct ebt_entry_target *target, const char *name, unsigned int hook); - void (*print)(const struct ebt_u_entry *entry, const struct ebt_entry_target *target); - int (*compare)(const struct ebt_entry_target *t1, const struct ebt_entry_target *t2); + int (*parse)(int c, char **argv, int argc, + const struct ebt_u_entry *entry, unsigned int *flags, + struct ebt_entry_target **target); + void (*final_check)(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target, const char *name, + unsigned int hook); + void (*print)(const struct ebt_u_entry *entry, + const struct ebt_entry_target *target); + int (*compare)(const struct ebt_entry_target *t1, + const struct ebt_entry_target *t2); const struct option *extra_ops; unsigned int option_offset; unsigned int flags; @@ -150,19 +175,21 @@ struct ebt_u_target *find_target(const char *name); struct ebt_u_match *find_match(const char *name); struct ebt_u_watcher *find_watcher(const char *name); -void deliver_counters(struct ebt_u_replace *repl, unsigned short * counterchanges); +void deliver_counters(struct ebt_u_replace *repl, + unsigned short * counterchanges); void deliver_table(struct ebt_u_replace *repl); -void get_sockfd(); void get_dbinfo(struct brdb_dbinfo *nr); void get_db(int len, struct brdb_dbentry *db); void deliver_allowdb(__u16 *decision); -void print_memory(); -void init_extensions(); int getmac(char *from, char *to); void check_option(unsigned int *flags, unsigned int mask); int check_inverse(const char option[]); -#define print_bug(format, args...) {printf("BUG: "format"\n", ##args); exit(-1);} -#define print_error(format, args...) {printf(format"\n", ##args); exit(-1);} +#define print_bug(format, args...) \ + {printf("BUG: "format".\n", ##args); exit(-1);} +#define print_error(format, args...) {printf(format".\n", ##args); exit(-1);} +#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \ + " %d :Out of memory.\n", __LINE__); exit(-1);} + // used for keeping the rule counters right during rule adds or deletes