authorBart De Schuymer <bdschuym@pandora.be>2004-10-24 07:36:15 +0000
committerBart De Schuymer <bdschuym@pandora.be>2004-10-24 07:36:15 +0000
commit37d520d0178875ce6ee0477a77b89827d7c062d2 (patch)
tree938a88221a5f2defe3be274eab079dc39ca67711
parent1b4ccfa221a3bd538109eceafed1e9c8c0951156 (diff)
add wildcard support for interface names
-rw-r--r--ebtables.812
-rw-r--r--ebtables.c40
2 files changed, 47 insertions, 5 deletions
diff --git a/ebtables.8 b/ebtables.8
index 79014b6..b51e4c6 100644
--- a/ebtables.8
+++ b/ebtables.8
@@ -71,7 +71,9 @@ rule matches an Ethernet frame, then a processing specification tells
what to do with that matching frame. The processing specification is
called a 'target'. However, if the frame does not match the current
rule in the chain, then the next rule in the chain is examined and so forth.
-The user can create new (user-defined) chains which can be used as the 'target' of a rule.
+The user can create new (user-defined) chains which can be used as the 'target'
+of a rule. User-defined chains are very useful to get better performance
+over the linear traversal of the rules.
.SS TARGETS
A firewall rule specifies criteria for an Ethernet frame and a frame
@@ -430,6 +432,8 @@ The interface via which a frame is received (for the
chains). The flag
.B --in-if
is an alias for this option.
+If the interface name ends with '+', then
+any interface name that begins with this name will match.
.TP
.BR "--logical-in " "[!] \fIname\fP"
The (logical) bridge interface via which a frame is received (for the
@@ -437,6 +441,8 @@ The (logical) bridge interface via which a frame is received (for the
.BR FORWARD ,
.BR PREROUTING " and " BROUTING
chains).
+If the interface name ends with '+', then
+any interface name that begins with this name will match.
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
The interface via which a frame is going to be sent (for the
@@ -447,6 +453,8 @@ and
chains). The flag
.B --out-if
is an alias for this option.
+If the interface name ends with '+', then
+any interface name that begins with this name will match.
.TP
.BR "--logical-out " "[!] \fIname\fP"
The (logical) bridge interface via which a frame is going to be sent (for
@@ -456,6 +464,8 @@ the
and
.B POSTROUTING
chains).
+If the interface name ends with '+', then
+any interface name that begins with this name will match.
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
The source mac address. Both mask and address are written as 6 hexadecimal
diff --git a/ebtables.c b/ebtables.c
index 58dad06..266ed8e 100644
--- a/ebtables.c
+++ b/ebtables.c
@@ -155,6 +155,19 @@ static void merge_target(struct ebt_u_target *t)
(ebt_options, t->extra_ops, &(t->option_offset));
}
+/* be backwards compatible, so don't use '+' in kernel */
+#define IF_WILDCARD 1
+static void print_iface(const char *iface)
+{
+ char *c;
+
+ if ((c = strchr(iface, IF_WILDCARD)))
+ *c = '+';
+ printf("%s ", iface);
+ if (c)
+ *c = IF_WILDCARD;
+}
+
/*
* we use replace.flags, so we can't use the following values:
* 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO
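Review bot: print_iface declares `const char *iface` but writes through the pointer returned by strchr, so the const in the signature is not honoured. The list_em callers pass struct members, which look like mutable arrays, but a caller handing in a string literal or other read-only buffer would fault. Printing the prefix without touching the buffer avoids the temporary rewrite: `if (c) printf("%.*s+ ", (int)(c - iface), iface); else printf("%s ", iface);`. The comment above IF_WILDCARD could also state that byte value 1 is the stored form of a trailing '+' wildcard.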
@@ -251,25 +264,25 @@ static void list_em(struct ebt_u_entries *entries)
printf("-i ");
if (hlp->invflags & EBT_IIN)
printf("! ");
- printf("%s ", hlp->in);
+ print_iface(hlp->in);
}
if (hlp->logical_in[0] != '\0') {
printf("--logical-in ");
if (hlp->invflags & EBT_ILOGICALIN)
printf("! ");
- printf("%s ", hlp->logical_in);
+ print_iface(hlp->logical_in);
}
if (hlp->logical_out[0] != '\0') {
printf("--logical-out ");
if (hlp->invflags & EBT_ILOGICALOUT)
printf("! ");
- printf("%s ", hlp->logical_out);
+ print_iface(hlp->logical_out);
}
if (hlp->out[0] != '\0') {
printf("-o ");
if (hlp->invflags & EBT_IOUT)
printf("! ");
- printf("%s ", hlp->out);
+ print_iface(hlp->out);
}
m_l = hlp->m_list;
@@ -442,6 +455,19 @@ static int parse_delete_rule(const char *argv, int *rule_nr, int *rule_nr_end)
return 0;
}
+static void parse_iface(char *iface, char *option)
+{
+ char *c;
+
+ if ((c = strchr(iface, '+'))) {
+ if (*(c + 1) != '\0') {
+ ebt_print_error("Spurious characters after '+' "
+ "wildcard for %s", option);
+ } else
+ *c = IF_WILDCARD;
+ }
+}
+
#define print_if_l_error ebt_print_error("Interface name length must be less " \
"than %d", IFNAMSIZ)
#define OPT_COMMAND 0x01
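Review bot: parse_iface turns a trailing '+' into IF_WILDCARD but does not reject a name that already contains the raw byte 0x01. Such a name is stored unchanged, print_iface later shows it as a wildcard, and it is presumably matched as one as well. Rejecting it before the '+' handling keeps the marker unambiguous, e.g. `if (strchr(iface, IF_WILDCARD)) ebt_print_error("Invalid character in interface name for %s", option);`. The call sites pass only string literals for `option`, so `const char *option` would be the accurate type. A short comment that the function rewrites `iface` in place would also help.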
@@ -773,6 +799,7 @@ handle_P:
if (strlen(argv[optind - 1]) >= IFNAMSIZ)
print_if_l_error;
strcpy(new_entry->in, argv[optind - 1]);
+ parse_iface(new_entry->in, "-i");
break;
}
if (c == 2) {
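Review bot: The new parse_iface call works on the buffer filled by the `strcpy` just above it, and that copy is only bounded if `print_if_l_error` (ebt_print_error) never returns for an over-long name; that behaviour is not visible in this diff. The same strlen/strcpy/parse_iface sequence is repeated in the hunks for --logical-in, -o and --logical-out. Moving the length check and the copy into parse_iface would leave a single place where the copy is bounded. The enclosing option-parsing code starts and ends outside these hunks.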
@@ -792,6 +819,8 @@ handle_P:
if (strlen(argv[optind - 1]) >= IFNAMSIZ)
print_if_l_error;
strcpy(new_entry->logical_in, argv[optind - 1]);
+ parse_iface(new_entry->logical_in,
+ "--logical-in");
break;
}
if (c == 'o') {
@@ -810,6 +839,7 @@ handle_P:
if (strlen(argv[optind - 1]) >= IFNAMSIZ)
print_if_l_error;
strcpy(new_entry->out, argv[optind - 1]);
+ parse_iface(new_entry->out, "-o");
break;
}
if (c == 3) {
@@ -831,6 +861,8 @@ handle_P:
print_if_l_error;
strcpy(new_entry->logical_out,
argv[optind - 1]);
+ parse_iface(new_entry->logical_out,
+ "--logical-out");
break;
}
if (c == 'j') {