diff options
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/ebt_802_3.c | 29 | ||||
| -rw-r--r-- | extensions/ebt_among.c | 75 | ||||
| -rw-r--r-- | extensions/ebt_arp.c | 69 | ||||
| -rw-r--r-- | extensions/ebt_arpreply.c | 38 | ||||
| -rw-r--r-- | extensions/ebt_inat.c | 8 | ||||
| -rw-r--r-- | extensions/ebt_ip.c | 95 | ||||
| -rw-r--r-- | extensions/ebt_limit.c | 58 | ||||
| -rw-r--r-- | extensions/ebt_log.c | 31 | ||||
| -rw-r--r-- | extensions/ebt_mark.c | 23 | ||||
| -rw-r--r-- | extensions/ebt_mark_m.c | 23 | ||||
| -rw-r--r-- | extensions/ebt_nat.c | 48 | ||||
| -rw-r--r-- | extensions/ebt_pkttype.c | 22 | ||||
| -rw-r--r-- | extensions/ebt_redirect.c | 19 | ||||
| -rw-r--r-- | extensions/ebt_standard.c | 8 | ||||
| -rw-r--r-- | extensions/ebt_stp.c | 34 | ||||
| -rw-r--r-- | extensions/ebt_ulog.c | 46 | ||||
| -rw-r--r-- | extensions/ebt_vlan.c | 286 | ||||
| -rw-r--r-- | extensions/ebtable_broute.c | 8 | ||||
| -rw-r--r-- | extensions/ebtable_filter.c | 8 | ||||
| -rw-r--r-- | extensions/ebtable_nat.c | 8 |
20 files changed, 435 insertions, 501 deletions
diff --git a/extensions/ebt_802_3.c b/extensions/ebt_802_3.c index e0b65ee..a43d060 100644 --- a/extensions/ebt_802_3.c +++ b/extensions/ebt_802_3.c @@ -1,3 +1,11 @@ +/* 802_3 + * + * Author: + * Chris Vitale <csv@bluetail.com> + * + * May 2003 + */ + #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -43,28 +51,23 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case _802_3_SAP: - ebt_check_option(flags, _802_3_SAP); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, _802_3_SAP); + if (ebt_check_inverse2(optarg)) info->invflags |= EBT_802_3_SAP; - - if (optind > argc) - ebt_print_error("Missing 802.3-sap argument"); - i = strtoul(argv[optind - 1], &end, 16); + i = strtoul(optarg, &end, 16); if (i > 255 || *end != '\0') - ebt_print_error("Problem with specified " + ebt_print_error2("Problem with specified " "sap hex value, %x",i); info->sap = i; /* one byte, so no byte order worries */ info->bitmask |= EBT_802_3_SAP; break; case _802_3_TYPE: - ebt_check_option(flags, _802_3_TYPE); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, _802_3_TYPE); + if (ebt_check_inverse2(optarg)) info->invflags |= EBT_802_3_TYPE; - if (optind > argc) - ebt_print_error("Missing 802.3-type argument"); - i = strtoul(argv[optind - 1], &end, 16); + i = strtoul(optarg, &end, 16); if (i > 65535 || *end != '\0') { - ebt_print_error("Problem with the specified " + ebt_print_error2("Problem with the specified " "type hex value, %x",i); } info->type = htons(i); diff --git a/extensions/ebt_among.c b/extensions/ebt_among.c index 1756e44..65ce481 100644 --- a/extensions/ebt_among.c +++ b/extensions/ebt_among.c @@ -1,3 +1,11 @@ +/* ebt_among + * + * Authors: + * Grzegorz Borowiak <grzes@gnu.univ.gda.pl> + * + * August, 2003 + */ + #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -9,8 +17,6 @@ #include <linux/if_ether.h> #include <linux/netfilter_bridge/ebt_among.h> -#define NODEBUG - #define AMONG_DST '1' #define AMONG_SRC '2' @@ -69,6 +75,8 @@ static struct ebt_mac_wormhash *new_wormhash(int n) struct ebt_mac_wormhash *result = (struct ebt_mac_wormhash *) malloc(size); + if (!result) + ebt_print_memory(); memset(result, 0, size); result->poolsize = n; return result; @@ -181,54 +189,53 @@ static struct ebt_mac_wormhash *create_wormhash(const char *arg) for (i = 0; i < 5; i++) { if (read_until(&pc, ":", token, 2) < 0 || token[0] == 0) { - ebt_print_error("MAC parse error: %.20s", - anchor); + ebt_print_error("MAC parse error: %.20s", anchor); + return NULL; } mac[i] = strtol(token, &endptr, 16); if (*endptr) { - ebt_print_error("MAC parse error: %.20s", - anchor); + ebt_print_error("MAC parse error: %.20s", anchor); + return NULL; } pc++; } if (read_until(&pc, "=,", token, 2) == -2 || token[0] == 0) { ebt_print_error("MAC parse error: %.20s", anchor); + return NULL; } mac[i] = strtol(token, &endptr, 16); if (*endptr) { ebt_print_error("MAC parse error: %.20s", anchor); + return NULL; } if (*pc == '=') { /* an IP follows the MAC; collect similarly to MAC */ pc++; anchor = pc; for (i = 0; i < 3; i++) { - if (read_until(&pc, ".", token, 3) < 0 - || token[0] == 0) { - ebt_print_error - ("IP parse error: %.20s", - anchor); + if (read_until(&pc, ".", token, 3) < 0 || token[0] == 0) { + ebt_print_error("IP parse error: %.20s", anchor); + return NULL; } ip[i] = strtol(token, &endptr, 10); if (*endptr) { - ebt_print_error - ("IP parse error: %.20s", - anchor); + ebt_print_error("IP parse error: %.20s", anchor); + return NULL; } pc++; } - if (read_until(&pc, ",", token, 3) == -2 - || token[0] == 0) { - ebt_print_error("IP parse error: %.20s", - anchor); + if (read_until(&pc, ",", token, 3) == -2 || token[0] == 0) { + ebt_print_error("IP parse error: %.20s", anchor); + return NULL; } ip[3] = strtol(token, &endptr, 10); if (*endptr) { - ebt_print_error("IP parse error: %.20s", - anchor); + ebt_print_error("IP parse error: %.20s", anchor); + return NULL; } if (*(uint32_t*)ip == 0) { ebt_print_error("Illegal IP 0.0.0.0"); + return NULL; } } else { /* no IP, we set it to 0.0.0.0 */ @@ -260,6 +267,7 @@ static struct ebt_mac_wormhash *create_wormhash(const char *arg) /* but first assert :-> */ if (*pc != ',') { ebt_print_error("Something went wrong; no comma...\n"); + return NULL; } pc++; @@ -295,30 +303,33 @@ static int parse(int c, char **argv, int argc, switch (c) { case AMONG_DST: case AMONG_SRC: - if (ebt_check_inverse(optarg)) { + if (c == AMONG_DST) { + ebt_check_option2(flags, OPT_DST); + } else { + ebt_check_option2(flags, OPT_SRC); + } + if (ebt_check_inverse2(optarg)) { if (c == AMONG_DST) info->bitmask |= EBT_AMONG_DST_NEG; else info->bitmask |= EBT_AMONG_SRC_NEG; } - if (optind > argc) - ebt_print_error("No MAC list specified\n"); - wh = create_wormhash(argv[optind - 1]); - old_size = sizeof(struct ebt_entry_match) + - (**match).match_size; - h = malloc((new_size = - old_size + ebt_mac_wormhash_size(wh))); + wh = create_wormhash(optarg); + if (ebt_errormsg[0] != '\0') + break; + + old_size = sizeof(struct ebt_entry_match) + (**match).match_size; + h = malloc((new_size = old_size + ebt_mac_wormhash_size(wh))); + if (!h) + ebt_print_memory(); memcpy(h, *match, old_size); - memcpy((char *) h + old_size, wh, - ebt_mac_wormhash_size(wh)); + memcpy((char *) h + old_size, wh, ebt_mac_wormhash_size(wh)); h->match_size = new_size - sizeof(struct ebt_entry_match); info = (struct ebt_among_info *) h->data; if (c == AMONG_DST) { - ebt_check_option(flags, OPT_DST); info->wh_dst_ofs = old_size - sizeof(struct ebt_entry_match); } else { - ebt_check_option(flags, OPT_SRC); info->wh_src_ofs = old_size - sizeof(struct ebt_entry_match); } diff --git a/extensions/ebt_arp.c b/extensions/ebt_arp.c index c38eec6..9eed645 100644 --- a/extensions/ebt_arp.c +++ b/extensions/ebt_arp.c @@ -1,3 +1,12 @@ +/* ebt_arp + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * Tim Gardner <timg@tpi.com> + * + * April, 2002 + */ + #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -92,20 +101,16 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case ARP_OPCODE: - ebt_check_option(flags, OPT_OPCODE); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, OPT_OPCODE); + if (ebt_check_inverse2(optarg)) arpinfo->invflags |= EBT_ARP_OPCODE; - - if (optind > argc) - ebt_print_error("Missing ARP opcode argument"); - i = strtol(argv[optind - 1], &end, 10); + i = strtol(optarg, &end, 10); if (i < 0 || i >= (0x1 << 16) || *end !='\0') { for (i = 0; i < NUMOPCODES; i++) if (!strcasecmp(opcodes[i], optarg)) break; if (i == NUMOPCODES) - ebt_print_error("Problem with specified " - "ARP opcode"); + ebt_print_error2("Problem with specified ARP opcode"); i++; } arpinfo->opcode = htons(i); @@ -113,19 +118,15 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, break; case ARP_HTYPE: - ebt_check_option(flags, OPT_HTYPE); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, OPT_HTYPE); + if (ebt_check_inverse2(optarg)) arpinfo->invflags |= EBT_ARP_HTYPE; - - if (optind > argc) - ebt_print_error("Missing ARP hardware type argument"); - i = strtol(argv[optind - 1], &end, 10); + i = strtol(optarg, &end, 10); if (i < 0 || i >= (0x1 << 16) || *end !='\0') { if (!strcasecmp("Ethernet", argv[optind - 1])) i = 1; else - ebt_print_error("Problem with specified ARP " - "hardware type"); + ebt_print_error2("Problem with specified ARP hardware type"); } arpinfo->htype = htons(i); arpinfo->bitmask |= EBT_ARP_HTYPE; @@ -135,19 +136,17 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, { uint16_t proto; - ebt_check_option(flags, OPT_PTYPE); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, OPT_PTYPE); + if (ebt_check_inverse2(optarg)) arpinfo->invflags |= EBT_ARP_PTYPE; - if (optind > argc) - ebt_print_error("Missing ARP protocol type argument"); - i = strtol(argv[optind - 1], &end, 16); + i = strtol(optarg, &end, 16); if (i < 0 || i >= (0x1 << 16) || *end !='\0') { struct ethertypeent *ent; ent = getethertypebyname(argv[optind - 1]); if (!ent) - ebt_print_error("Problem with specified ARP " + ebt_print_error2("Problem with specified ARP " "protocol type"); proto = ent->e_ethertype; @@ -161,51 +160,46 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, case ARP_IP_S: case ARP_IP_D: if (c == ARP_IP_S) { - ebt_check_option(flags, OPT_IP_S); + ebt_check_option2(flags, OPT_IP_S); addr = &arpinfo->saddr; mask = &arpinfo->smsk; arpinfo->bitmask |= EBT_ARP_SRC_IP; } else { - ebt_check_option(flags, OPT_IP_D); + ebt_check_option2(flags, OPT_IP_D); addr = &arpinfo->daddr; mask = &arpinfo->dmsk; arpinfo->bitmask |= EBT_ARP_DST_IP; } - if (ebt_check_inverse(optarg)) { + if (ebt_check_inverse2(optarg)) { if (c == ARP_IP_S) arpinfo->invflags |= EBT_ARP_SRC_IP; else arpinfo->invflags |= EBT_ARP_DST_IP; } - if (optind > argc) - ebt_print_error("Missing ARP IP address argument"); - ebt_parse_ip_address(argv[optind - 1], addr, mask); + ebt_parse_ip_address(optarg, addr, mask); break; case ARP_MAC_S: case ARP_MAC_D: if (c == ARP_MAC_S) { - ebt_check_option(flags, OPT_MAC_S); + ebt_check_option2(flags, OPT_MAC_S); maddr = arpinfo->smaddr; mmask = arpinfo->smmsk; arpinfo->bitmask |= EBT_ARP_SRC_MAC; } else { - ebt_check_option(flags, OPT_MAC_D); + ebt_check_option2(flags, OPT_MAC_D); maddr = arpinfo->dmaddr; mmask = arpinfo->dmmsk; arpinfo->bitmask |= EBT_ARP_DST_MAC; } - if (ebt_check_inverse(optarg)) { + if (ebt_check_inverse2(optarg)) { if (c == ARP_MAC_S) arpinfo->invflags |= EBT_ARP_SRC_MAC; else arpinfo->invflags |= EBT_ARP_DST_MAC; } - if (optind > argc) - ebt_print_error("Missing ARP MAC address argument"); - if (ebt_get_mac_and_mask(argv[optind - 1], maddr, mmask)) - ebt_print_error("Problem with ARP MAC address " - "argument"); + if (ebt_get_mac_and_mask(optarg, maddr, mmask)) + ebt_print_error2("Problem with ARP MAC address argument"); break; default: @@ -220,8 +214,7 @@ static void final_check(const struct ebt_u_entry *entry, { if ((entry->ethproto != ETH_P_ARP && entry->ethproto != ETH_P_RARP) || entry->invflags & EBT_IPROTO) - ebt_print_error("For (R)ARP filtering the protocol must be " - "specified as ARP or RARP"); + ebt_print_error("For (R)ARP filtering the protocol must be specified as ARP or RARP"); } static void print(const struct ebt_u_entry *entry, diff --git a/extensions/ebt_arpreply.c b/extensions/ebt_arpreply.c index 9c50519..32e50b4 100644 --- a/extensions/ebt_arpreply.c +++ b/extensions/ebt_arpreply.c @@ -1,3 +1,12 @@ +/* ebt_arpreply + * + * Authors: + * Grzegorz Borowiak <grzes@gnu.univ.gda.pl> + * Bart De Schuymer <bdschuym@pandora.be> + * + * August, 2003 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -48,17 +57,16 @@ static int parse(int c, char **argv, int argc, switch (c) { case REPLY_MAC: - ebt_check_option(flags, OPT_REPLY_MAC); + ebt_check_option2(flags, OPT_REPLY_MAC); if (!(addr = ether_aton(optarg))) - ebt_print_error("Problem with specified " - "--arpreply-mac mac"); + ebt_print_error2("Problem with specified --arpreply-mac mac"); memcpy(replyinfo->mac, addr, ETH_ALEN); mac_supplied = 1; break; case REPLY_TARGET: - ebt_check_option(flags, OPT_REPLY_TARGET); + ebt_check_option2(flags, OPT_REPLY_TARGET); if (FILL_TARGET(optarg, replyinfo->target)) - ebt_print_error("Illegal --arpreply-target target"); + ebt_print_error2("Illegal --arpreply-target target"); break; default: @@ -74,17 +82,17 @@ static void final_check(const struct ebt_u_entry *entry, struct ebt_arpreply_info *replyinfo = (struct ebt_arpreply_info *)target->data; - if (entry->ethproto != ETH_P_ARP || entry->invflags & EBT_IPROTO) - ebt_print_error("For ARP replying the protocol must be " - "specified as ARP"); - if (time == 0 && mac_supplied == 0) + if (entry->ethproto != ETH_P_ARP || entry->invflags & EBT_IPROTO) { + ebt_print_error("For ARP replying the protocol must be specified as ARP"); + } else if (time == 0 && mac_supplied == 0) { ebt_print_error("No arpreply mac supplied"); - if (BASE_CHAIN && replyinfo->target == EBT_RETURN) - ebt_print_error("--arpreply-target RETURN not allowed on " - "base chain"); - CLEAR_BASE_CHAIN_BIT; - if (strcmp(name, "nat") || hookmask & ~(1 << NF_BR_PRE_ROUTING)) - ebt_print_error("arpreply only allowed in PREROUTING"); + } else if (BASE_CHAIN && replyinfo->target == EBT_RETURN) { + ebt_print_error("--arpreply-target RETURN not allowed on base chain"); + } else { + CLEAR_BASE_CHAIN_BIT; + if (strcmp(name, "nat") || hookmask & ~(1 << NF_BR_PRE_ROUTING)) + ebt_print_error("arpreply only allowed in PREROUTING"); + } } static void print(const struct ebt_u_entry *entry, diff --git a/extensions/ebt_inat.c b/extensions/ebt_inat.c index aae5cab..1aa9435 100644 --- a/extensions/ebt_inat.c +++ b/extensions/ebt_inat.c @@ -1,3 +1,11 @@ +/* ebt_inat + * + * Authors: + * Grzegorz Borowiak <grzes@gnu.univ.gda.pl> + * + * August, 2003 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> diff --git a/extensions/ebt_ip.c b/extensions/ebt_ip.c index c81e687..8e45171 100644 --- a/extensions/ebt_ip.c +++ b/extensions/ebt_ip.c @@ -1,29 +1,13 @@ -/* - * ebtables ebt_ip: IP extension module for userspace +/* ebt_ip * - * Authors: - * Bart De Schuymer <bdschuym@pandora.be> + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> * - * Changes: + * Changes: * added ip-sport and ip-dport; parsing of port arguments is * based on code from iptables-1.2.7a * Innominate Security Technologies AG <mhopf@innominate.com> * September, 2002 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * */ #include <stdio.h> @@ -76,7 +60,7 @@ static uint16_t parse_port(const char *protocol, const char *name) } ebt_print_error("Problem with specified %s port '%s'", protocol?protocol:"", name); - return 0; /* never reached */ + return 0; } static void @@ -92,7 +76,11 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) *cp = '\0'; cp++; ports[0] = buffer[0] ? parse_port(protocol, buffer) : 0; + if (ebt_errormsg[0] != '\0') + return; ports[1] = cp[0] ? parse_port(protocol, cp) : 0xFFFF; + if (ebt_errormsg[0] != '\0') + return; if (ports[0] > ports[1]) ebt_print_error("Invalid portrange (min > max)"); @@ -143,81 +131,67 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case IP_SOURCE: - ebt_check_option(flags, OPT_SOURCE); + ebt_check_option2(flags, OPT_SOURCE); ipinfo->bitmask |= EBT_IP_SOURCE; case IP_DEST: if (c == IP_DEST) { - ebt_check_option(flags, OPT_DEST); + ebt_check_option2(flags, OPT_DEST); ipinfo->bitmask |= EBT_IP_DEST; } - if (ebt_check_inverse(optarg)) { + if (ebt_check_inverse2(optarg)) { if (c == IP_SOURCE) ipinfo->invflags |= EBT_IP_SOURCE; else ipinfo->invflags |= EBT_IP_DEST; } - - if (optind > argc) - ebt_print_error("Missing IP address argument"); if (c == IP_SOURCE) - ebt_parse_ip_address(argv[optind - 1], &ipinfo->saddr, - &ipinfo->smsk); + ebt_parse_ip_address(optarg, &ipinfo->saddr, &ipinfo->smsk); else - ebt_parse_ip_address(argv[optind - 1], &ipinfo->daddr, - &ipinfo->dmsk); + ebt_parse_ip_address(optarg, &ipinfo->daddr, &ipinfo->dmsk); break; case IP_SPORT: case IP_DPORT: if (c == IP_SPORT) { - ebt_check_option(flags, OPT_SPORT); + ebt_check_option2(flags, OPT_SPORT); ipinfo->bitmask |= EBT_IP_SPORT; - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) ipinfo->invflags |= EBT_IP_SPORT; } else { - ebt_check_option(flags, OPT_DPORT); + ebt_check_option2(flags, OPT_DPORT); ipinfo->bitmask |= EBT_IP_DPORT; - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) ipinfo->invflags |= EBT_IP_DPORT; } - if (optind > argc) - ebt_print_error("Missing port argument"); if (c == IP_SPORT) - parse_port_range(NULL, argv[optind - 1], ipinfo->sport); + parse_port_range(NULL, optarg, ipinfo->sport); else - parse_port_range(NULL, argv[optind - 1], ipinfo->dport); + parse_port_range(NULL, optarg, ipinfo->dport); break; case IP_myTOS: - ebt_check_option(flags, OPT_TOS); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, OPT_TOS); + if (ebt_check_inverse2(optarg)) ipinfo->invflags |= EBT_IP_TOS; - - if (optind > argc) - ebt_print_error("Missing IP tos argument"); - i = strtol(argv[optind - 1], &end, 16); + i = strtol(optarg, &end, 16); if (i < 0 || i > 255 || *end != '\0') - ebt_print_error("Problem with specified IP tos"); + ebt_print_error2("Problem with specified IP tos"); ipinfo->tos = i; ipinfo->bitmask |= EBT_IP_TOS; break; case IP_PROTO: - ebt_check_option(flags, OPT_PROTO); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, OPT_PROTO); + if (ebt_check_inverse2(optarg)) ipinfo->invflags |= EBT_IP_PROTO; - if (optind > argc) - ebt_print_error("Missing IP protocol argument"); - i = strtoul(argv[optind - 1], &end, 10); + i = strtoul(optarg, &end, 10); if (*end != '\0') { struct protoent *pe; - pe = getprotobyname(argv[optind - 1]); + pe = getprotobyname(optarg); if (pe == NULL) - ebt_print_error - ("Unknown specified IP protocol - %s", - argv[optind - 1]); + ebt_print_error("Unknown specified IP protocol - %s", argv[optind - 1]); ipinfo->protocol = pe->p_proto; } else { ipinfo->protocol = (unsigned char) i; @@ -236,11 +210,10 @@ static void final_check(const struct ebt_u_entry *entry, { struct ebt_ip_info *ipinfo = (struct ebt_ip_info *)match->data; - if (entry->ethproto != ETH_P_IP || entry->invflags & EBT_IPROTO) + if (entry->ethproto != ETH_P_IP || entry->invflags & EBT_IPROTO) { ebt_print_error("For IP filtering the protocol must be " "specified as IPv4"); - - if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && + } else if (ipinfo->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT) && (!(ipinfo->bitmask & EBT_IP_PROTO) || ipinfo->invflags & EBT_IP_PROTO || (ipinfo->protocol!=IPPROTO_TCP && @@ -294,16 +267,14 @@ static void print(const struct ebt_u_entry *entry, } if (ipinfo->bitmask & EBT_IP_SPORT) { printf("--ip-sport "); - if (ipinfo->invflags & EBT_IP_SPORT) { + if (ipinfo->invflags & EBT_IP_SPORT) printf("! "); - } print_port_range(ipinfo->sport); } if (ipinfo->bitmask & EBT_IP_DPORT) { printf("--ip-dport "); - if (ipinfo->invflags & EBT_IP_DPORT) { + if (ipinfo->invflags & EBT_IP_DPORT) printf("! "); - } print_port_range(ipinfo->dport); } } diff --git a/extensions/ebt_limit.c b/extensions/ebt_limit.c index 6dcd50d..5655b59 100644 --- a/extensions/ebt_limit.c +++ b/extensions/ebt_limit.c @@ -1,32 +1,33 @@ -/* Shared library add-on to ebtables to add limit support. +/* ebt_limit * - * Swipted from iptables' limit match. + * Authors: + * Tom Marshall <tommy@home.tig-grr.com> + * + * Mostly copied from iptables' limit match. + * + * September, 2003 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <getopt.h> +#include <errno.h> #include "../include/ebtables_u.h" #include <linux/netfilter_bridge/ebt_limit.h> #define EBT_LIMIT_AVG "3/hour" #define EBT_LIMIT_BURST 5 -/* from iptables.c */ -#include <errno.h> -int -string_to_number(const char *s, unsigned int min, unsigned int max, - unsigned int *ret) +int string_to_number(const char *s, unsigned int min, unsigned int max, + unsigned int *ret) { long number; char *end; - /* Handle hex, octal, etc. */ errno = 0; number = strtol(s, &end, 0); if (*end == '\0' && end != s) { - /* we parsed a number, let's see if we want this */ if (errno != ERANGE && min <= number && number <= max) { *ret = number; return 0; @@ -37,7 +38,6 @@ string_to_number(const char *s, unsigned int min, unsigned int max, #define FLAG_LIMIT 0x01 #define FLAG_LIMIT_BURST 0x02 - #define ARG_LIMIT '1' #define ARG_LIMIT_BURST '2' @@ -52,12 +52,11 @@ static void print_help(void) { printf( "limit options:\n" -"--limit avg max average match rate: default "EBT_LIMIT_AVG"\n" +"--limit avg : max average match rate: default "EBT_LIMIT_AVG"\n" " [Packets per second unless followed by \n" " /sec /minute /hour /day postfixes]\n" -"--limit-burst number number to match in a burst, -1 < number < 10001,\n" -" default %u\n" -"\n", EBT_LIMIT_BURST); +"--limit-burst number : number to match in a burst, -1 < number < 10001,\n" +" default %u\n", EBT_LIMIT_BURST); } static int parse_rate(const char *rate, u_int32_t *val) @@ -120,20 +119,19 @@ static int parse(int c, char **argv, int argc, switch(c) { case ARG_LIMIT: - ebt_check_option(flags, FLAG_LIMIT); - if (ebt_check_inverse(optarg)) - ebt_print_error("Unexpected `!' after --limit"); + ebt_check_option2(flags, FLAG_LIMIT); + if (ebt_check_inverse2(optarg)) + ebt_print_error2("Unexpected `!' after --limit"); if (!parse_rate(optarg, &r->avg)) - ebt_print_error("bad rate `%s'", optarg); + ebt_print_error2("bad rate `%s'", optarg); break; case ARG_LIMIT_BURST: - ebt_check_option(flags, FLAG_LIMIT_BURST); - if (ebt_check_inverse(optarg)) - ebt_print_error("Unexpected `!' after --limit-burst"); - + ebt_check_option2(flags, FLAG_LIMIT_BURST); + if (ebt_check_inverse2(optarg)) + ebt_print_error2("Unexpected `!' after --limit-burst"); if (string_to_number(optarg, 0, 10000, &num) == -1) - ebt_print_error("bad --limit-burst `%s'", optarg); + ebt_print_error2("bad --limit-burst `%s'", optarg); r->burst = num; break; @@ -148,7 +146,6 @@ static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_match *match, const char *name, unsigned int hookmask, unsigned int time) { - /* empty */ } struct rates @@ -177,17 +174,18 @@ static void print_rate(u_int32_t period) printf("%u/%s ", g_rates[i-1].mult / period, g_rates[i-1].name); } -/* Prints out the matchinfo. */ -static void -print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match) { struct ebt_limit_info *r = (struct ebt_limit_info *)match->data; - printf("limit: avg "); print_rate(r->avg); - printf("burst %u ", r->burst); + printf("--limit "); + print_rate(r->avg); + printf("--limit-burst %u ", r->burst); } -static int compare(const struct ebt_entry_match* m1, const struct ebt_entry_match *m2) +static int compare(const struct ebt_entry_match* m1, + const struct ebt_entry_match *m2) { struct ebt_limit_info* li1 = (struct ebt_limit_info*)m1->data; struct ebt_limit_info* li2 = (struct ebt_limit_info*)m2->data; diff --git a/extensions/ebt_log.c b/extensions/ebt_log.c index f455f9f..07a5fe9 100644 --- a/extensions/ebt_log.c +++ b/extensions/ebt_log.c @@ -1,3 +1,11 @@ +/* ebt_log + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -103,35 +111,43 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case LOG_PREFIX: - ebt_check_option(flags, OPT_PREFIX); + ebt_check_option2(flags, OPT_PREFIX); + if (ebt_check_inverse(optarg)) + ebt_print_error2("Unexpected `!' after --log-prefix"); if (strlen(optarg) > sizeof(loginfo->prefix) - 1) - ebt_print_error("Prefix too long"); + ebt_print_error2("Prefix too long"); strcpy(loginfo->prefix, optarg); break; case LOG_LEVEL: - ebt_check_option(flags, OPT_LEVEL); + ebt_check_option2(flags, OPT_LEVEL); i = strtol(optarg, &end, 16); if (*end != '\0' || i < 0 || i > 7) loginfo->loglevel = name_to_loglevel(optarg); else loginfo->loglevel = i; if (loginfo->loglevel == 9) - ebt_print_error("Problem with the log-level"); + ebt_print_error2("Problem with the log-level"); break; case LOG_IP: - ebt_check_option(flags, OPT_IP); + ebt_check_option2(flags, OPT_IP); + if (ebt_check_inverse(optarg)) + ebt_print_error2("Unexpected `!' after --log-ip"); loginfo->bitmask |= EBT_LOG_IP; break; case LOG_ARP: - ebt_check_option(flags, OPT_ARP); + ebt_check_option2(flags, OPT_ARP); + if (ebt_check_inverse(optarg)) + ebt_print_error2("Unexpected `!' after --log-arp"); loginfo->bitmask |= EBT_LOG_ARP; break; case LOG_LOG: - ebt_check_option(flags, OPT_LOG); + ebt_check_option2(flags, OPT_LOG); + if (ebt_check_inverse(optarg)) + ebt_print_error2("Unexpected `!' after --log"); break; default: return 0; @@ -143,7 +159,6 @@ static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher, const char *name, unsigned int hookmask, unsigned int time) { - return; } static void print(const struct ebt_u_entry *entry, diff --git a/extensions/ebt_mark.c b/extensions/ebt_mark.c index 11bcc12..c7c79aa 100644 --- a/extensions/ebt_mark.c +++ b/extensions/ebt_mark.c @@ -1,3 +1,11 @@ +/* ebt_mark + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * July, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -49,15 +57,15 @@ static int parse(int c, char **argv, int argc, switch (c) { case MARK_TARGET: - ebt_check_option(flags, OPT_MARK_TARGET); + ebt_check_option2(flags, OPT_MARK_TARGET); if (FILL_TARGET(optarg, markinfo->target)) - ebt_print_error("Illegal --mark-target target"); + ebt_print_error2("Illegal --mark-target target"); break; case MARK_SETMARK: - ebt_check_option(flags, OPT_MARK_SETMARK); + ebt_check_option2(flags, OPT_MARK_SETMARK); markinfo->mark = strtoul(optarg, &end, 0); if (*end != '\0' || end == optarg) - ebt_print_error("Bad MARK value '%s'", optarg); + ebt_print_error2("Bad MARK value '%s'", optarg); mark_supplied = 1; break; default: @@ -73,11 +81,10 @@ static void final_check(const struct ebt_u_entry *entry, struct ebt_mark_t_info *markinfo = (struct ebt_mark_t_info *)target->data; - if (time == 0 && mark_supplied == 0) + if (time == 0 && mark_supplied == 0) { ebt_print_error("No mark value supplied"); - if (BASE_CHAIN && markinfo->target == EBT_RETURN) - ebt_print_error("--mark-target RETURN not allowed on base " - "chain"); + } else if (BASE_CHAIN && markinfo->target == EBT_RETURN) + ebt_print_error("--mark-target RETURN not allowed on base chain"); } static void print(const struct ebt_u_entry *entry, diff --git a/extensions/ebt_mark_m.c b/extensions/ebt_mark_m.c index 2cc371a..8c5913e 100644 --- a/extensions/ebt_mark_m.c +++ b/extensions/ebt_mark_m.c @@ -1,3 +1,11 @@ +/* ebt_mark_m + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * July, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -40,22 +48,19 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case MARK: - ebt_check_option(flags, MARK); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, MARK); + if (ebt_check_inverse2(optarg)) markinfo->invert = 1; - if (optind > argc) - ebt_print_error("No mark specified"); - markinfo->mark = strtoul(argv[optind - 1], &end, 0); + markinfo->mark = strtoul(optarg, &end, 0); markinfo->bitmask = EBT_MARK_AND; if (*end == '/') { - if (end == argv[optind - 1]) + if (end == optarg) markinfo->bitmask = EBT_MARK_OR; markinfo->mask = strtoul(end+1, &end, 0); } else markinfo->mask = 0xffffffff; - if ( *end != '\0' || end == argv[optind - 1]) - ebt_print_error("Bad mark value '%s'", - argv[optind - 1]); + if ( *end != '\0' || end == optarg) + ebt_print_error2("Bad mark value '%s'", optarg); break; default: return 0; diff --git a/extensions/ebt_nat.c b/extensions/ebt_nat.c index f2e79ca..5906ac4 100644 --- a/extensions/ebt_nat.c +++ b/extensions/ebt_nat.c @@ -1,3 +1,11 @@ +/* ebt_nat + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * June, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -73,17 +81,16 @@ static int parse_s(int c, char **argv, int argc, switch (c) { case NAT_S: - ebt_check_option(flags, OPT_SNAT); + ebt_check_option2(flags, OPT_SNAT); to_source_supplied = 1; if (!(addr = ether_aton(optarg))) - ebt_print_error("Problem with specified --to-source " - "mac"); + ebt_print_error2("Problem with specified --to-source mac"); memcpy(natinfo->mac, addr, ETH_ALEN); break; case NAT_S_TARGET: - ebt_check_option(flags, OPT_SNAT_TARGET); + ebt_check_option2(flags, OPT_SNAT_TARGET); if (FILL_TARGET(optarg, natinfo->target)) - ebt_print_error("Illegal --snat-target target"); + ebt_print_error2("Illegal --snat-target target"); break; default: return 0; @@ -102,17 +109,16 @@ static int parse_d(int c, char **argv, int argc, switch (c) { case NAT_D: - ebt_check_option(flags, OPT_DNAT); + ebt_check_option2(flags, OPT_DNAT); to_dest_supplied = 1; if (!(addr = ether_aton(optarg))) - ebt_print_error("Problem with specified " - "--to-destination mac"); + ebt_print_error2("Problem with specified --to-destination mac"); memcpy(natinfo->mac, addr, ETH_ALEN); break; case NAT_D_TARGET: - ebt_check_option(flags, OPT_DNAT_TARGET); + ebt_check_option2(flags, OPT_DNAT_TARGET); if (FILL_TARGET(optarg, natinfo->target)) - ebt_print_error("Illegal --dnat-target target"); + ebt_print_error2("Illegal --dnat-target target"); break; default: return 0; @@ -126,13 +132,14 @@ static void final_check_s(const struct ebt_u_entry *entry, { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; - if (BASE_CHAIN && natinfo->target == EBT_RETURN) - ebt_print_error("--snat-target RETURN not allowed on base " - "chain"); + if (BASE_CHAIN && natinfo->target == EBT_RETURN) { + ebt_print_error("--snat-target RETURN not allowed on base chain"); + return; + } CLEAR_BASE_CHAIN_BIT; - if ((hookmask & ~(1 << NF_BR_POST_ROUTING)) || strcmp(name, "nat")) + if ((hookmask & ~(1 << NF_BR_POST_ROUTING)) || strcmp(name, "nat")) { ebt_print_error("Wrong chain for snat"); - if (time == 0 && to_source_supplied == 0) + } else if (time == 0 && to_source_supplied == 0) ebt_print_error("No snat address supplied"); } @@ -142,15 +149,16 @@ static void final_check_d(const struct ebt_u_entry *entry, { struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data; - if (BASE_CHAIN && natinfo->target == EBT_RETURN) - ebt_print_error("--dnat-target RETURN not allowed on base " - "chain"); + if (BASE_CHAIN && natinfo->target == EBT_RETURN) { + ebt_print_error("--dnat-target RETURN not allowed on base chain"); + return; + } CLEAR_BASE_CHAIN_BIT; if (((hookmask & ~((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT))) || strcmp(name, "nat")) && - ((hookmask & ~(1 << NF_BR_BROUTING)) || strcmp(name, "broute"))) + ((hookmask & ~(1 << NF_BR_BROUTING)) || strcmp(name, "broute"))) { ebt_print_error("Wrong chain for dnat"); - if (time == 0 && to_dest_supplied == 0) + } if (time == 0 && to_dest_supplied == 0) ebt_print_error("No dnat address supplied"); } diff --git a/extensions/ebt_pkttype.c b/extensions/ebt_pkttype.c index f7893bb..7894d0d 100644 --- a/extensions/ebt_pkttype.c +++ b/extensions/ebt_pkttype.c @@ -1,9 +1,9 @@ -/* - * ebtables ebt_pkttype +/* ebt_pkttype * - * Authors: - * Bart De Schuymer <bdschuym@pandora.be> + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> * + * April, 2003 */ #include <stdio.h> @@ -38,7 +38,7 @@ static void print_help() printf( "pkttype options:\n" "--pkttype-type [!] type: class the packet belongs to\n" -"Possible values: broadcast, multicast, host, otherhost any byte value.\n"); +"Possible values: broadcast, multicast, host, otherhost, or any other byte value (which would be pretty useless).\n"); } static void init(struct ebt_entry_match *match) @@ -58,25 +58,21 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, switch (c) { case '1': ebt_check_option(flags, 1); - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) ptinfo->invert = 1; - if (optind > argc) - ebt_print_error("Missing pkttype class specification"); - - i = strtol(argv[optind - 1], &end, 16); + i = strtol(optarg, &end, 16); if (*end != '\0') { int j = 0; i = -1; while (classes[j][0]) - if (!strcasecmp(argv[optind - 1], classes[j++])) { + if (!strcasecmp(optarg, classes[j++])) { i = j - 1; break; } } if (i < 0 || i > 255) - ebt_print_error("Problem with specified pkttype class"); + ebt_print_error2("Problem with specified pkttype class"); ptinfo->pkt_type = (uint8_t)i; - break; default: return 0; diff --git a/extensions/ebt_redirect.c b/extensions/ebt_redirect.c index ba7f6b1..8630254 100644 --- a/extensions/ebt_redirect.c +++ b/extensions/ebt_redirect.c @@ -1,3 +1,11 @@ +/* ebt_redirect + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -38,9 +46,9 @@ static int parse(int c, char **argv, int argc, switch (c) { case REDIRECT_TARGET: - ebt_check_option(flags, OPT_REDIRECT_TARGET); + ebt_check_option2(flags, OPT_REDIRECT_TARGET); if (FILL_TARGET(optarg, redirectinfo->target)) - ebt_print_error("Illegal --redirect-target target"); + ebt_print_error2("Illegal --redirect-target target"); break; default: return 0; @@ -55,9 +63,10 @@ static void final_check(const struct ebt_u_entry *entry, struct ebt_redirect_info *redirectinfo = (struct ebt_redirect_info *)target->data; - if (BASE_CHAIN && redirectinfo->target == EBT_RETURN) - ebt_print_error("--redirect-target RETURN not allowed on " - "base chain"); + if (BASE_CHAIN && redirectinfo->target == EBT_RETURN) { + ebt_print_error("--redirect-target RETURN not allowed on base chain"); + return; + } CLEAR_BASE_CHAIN_BIT; if ( ((hookmask & ~(1 << NF_BR_PRE_ROUTING)) || strcmp(name, "nat")) && ((hookmask & ~(1 << NF_BR_BROUTING)) || strcmp(name, "broute")) ) diff --git a/extensions/ebt_standard.c b/extensions/ebt_standard.c index 4ac3dc0..1420d1d 100644 --- a/extensions/ebt_standard.c +++ b/extensions/ebt_standard.c @@ -1,3 +1,11 @@ +/* ebt_standard + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include <stdlib.h> #include <getopt.h> diff --git a/extensions/ebt_stp.c b/extensions/ebt_stp.c index 8ed4c47..307131f 100644 --- a/extensions/ebt_stp.c +++ b/extensions/ebt_stp.c @@ -1,3 +1,11 @@ +/* ebt_stp + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * July, 2003 + */ + #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -157,38 +165,32 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, if (c < 'a' || c > ('a' + STP_NUMOPS - 1)) return 0; flag = 1 << (c - 'a'); - ebt_check_option(flags, flag); - if (ebt_check_inverse(optarg)) + ebt_check_option2(flags, flag); + if (ebt_check_inverse2(optarg)) stpinfo->invflags |= flag; - if (optind > argc) - ebt_print_error("Missing argument for --%s", opts[c-'a'].name); stpinfo->bitmask |= flag; switch (flag) { case EBT_STP_TYPE: - i = strtol(argv[optind - 1], &end, 0); + i = strtol(optarg, &end, 0); if (i < 0 || i > 255 || *end != '\0') { - if (!strcasecmp(argv[optind - 1], - BPDU_TYPE_CONFIG_STRING)) + if (!strcasecmp(optarg, BPDU_TYPE_CONFIG_STRING)) stpinfo->type = BPDU_TYPE_CONFIG; - else if (!strcasecmp(argv[optind - 1], - BPDU_TYPE_TCN_STRING)) + else if (!strcasecmp(optarg, BPDU_TYPE_TCN_STRING)) stpinfo->type = BPDU_TYPE_TCN; else - ebt_print_error("Bad --stp-type argument"); + ebt_print_error2("Bad --stp-type argument"); } else stpinfo->type = i; break; case EBT_STP_FLAGS: - i = strtol(argv[optind - 1], &end, 0); + i = strtol(optarg, &end, 0); if (i < 0 || i > 255 || *end != '\0') { - if (!strcasecmp(argv[optind - 1], - FLAG_TC_STRING)) + if (!strcasecmp(optarg, FLAG_TC_STRING)) stpinfo->config.flags = FLAG_TC; - else if (!strcasecmp(argv[optind - 1], - FLAG_TC_ACK_STRING)) + else if (!strcasecmp(optarg, FLAG_TC_ACK_STRING)) stpinfo->config.flags = FLAG_TC_ACK; else - ebt_print_error("Bad --stp-flags argument"); + ebt_print_error2("Bad --stp-flags argument"); } else stpinfo->config.flags = i; break; diff --git a/extensions/ebt_ulog.c b/extensions/ebt_ulog.c index 4af42e2..5c762b2 100644 --- a/extensions/ebt_ulog.c +++ b/extensions/ebt_ulog.c @@ -1,3 +1,11 @@ +/* ebt_ulog + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * November, 2004 + */ + #define __need_time_t #define __need_suseconds_t #include <stdio.h> @@ -65,59 +73,54 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, uloginfo = (struct ebt_ulog_info *)(*watcher)->data; switch (c) { case ULOG_PREFIX: - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) goto inverse_invalid; - ebt_check_option(flags, OPT_PREFIX); + ebt_check_option2(flags, OPT_PREFIX); if (strlen(optarg) > EBT_ULOG_PREFIX_LEN - 1) ebt_print_error("Prefix too long for ulog-prefix"); strcpy(uloginfo->prefix, optarg); break; case ULOG_NLGROUP: - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) goto inverse_invalid; - ebt_check_option(flags, OPT_NLGROUP); + ebt_check_option2(flags, OPT_NLGROUP); i = strtoul(optarg, &end, 10); if (*end != '\0') - ebt_print_error("Problem with ulog-nlgroup: %s", optarg); + ebt_print_error2("Problem with ulog-nlgroup: %s", optarg); if (i < 1 || i > EBT_ULOG_MAXNLGROUPS) - ebt_print_error("the ulog-nlgroup number must be " - "between 1 and 32"); + ebt_print_error2("the ulog-nlgroup number must be between 1 and 32"); uloginfo->nlgroup = i - 1; break; case ULOG_CPRANGE: - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) goto inverse_invalid; - ebt_check_option(flags, OPT_CPRANGE); + ebt_check_option2(flags, OPT_CPRANGE); i = strtoul(optarg, &end, 10); if (*end != '\0') { if (strcasecmp(optarg, CP_NO_LIMIT_S)) - ebt_print_error("Problem with ulog-cprange: " - "%s", optarg); + ebt_print_error2("Problem with ulog-cprange: %s", optarg); i = CP_NO_LIMIT_N; } uloginfo->cprange = i; break; case ULOG_QTHRESHOLD: - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) goto inverse_invalid; - ebt_check_option(flags, OPT_QTHRESHOLD); + ebt_check_option2(flags, OPT_QTHRESHOLD); i = strtoul(optarg, &end, 10); if (*end != '\0') - ebt_print_error("Problem with ulog-qthreshold: %s", - optarg); + ebt_print_error2("Problem with ulog-qthreshold: %s", optarg); if (i > EBT_ULOG_MAX_QLEN) - ebt_print_error("ulog-qthreshold argument %d exceeds " - "the maximum of %d", i, - EBT_ULOG_MAX_QLEN); + ebt_print_error2("ulog-qthreshold argument %d exceeds the maximum of %d", i, EBT_ULOG_MAX_QLEN); uloginfo->qthreshold = i; break; case ULOG_ULOG: - if (ebt_check_inverse(optarg)) + if (ebt_check_inverse2(optarg)) goto inverse_invalid; - ebt_check_option(flags, OPT_ULOG); + ebt_check_option2(flags, OPT_ULOG); break; default: @@ -127,14 +130,13 @@ static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, inverse_invalid: ebt_print_error("The use of '!' makes no sense for the ulog watcher"); - return 0; + return 1; } static void final_check(const struct ebt_u_entry *entry, const struct ebt_entry_watcher *watcher, const char *name, unsigned int hookmask, unsigned int time) { - return; } static void print(const struct ebt_u_entry *entry, diff --git a/extensions/ebt_vlan.c b/extensions/ebt_vlan.c index 0c94a66..21f2e22 100644 --- a/extensions/ebt_vlan.c +++ b/extensions/ebt_vlan.c @@ -1,33 +1,10 @@ -/* - * Summary: ebt_vlan - IEEE 802.1Q extension module for userspace - * - * Description: 802.1Q Virtual LAN match support module for ebtables project. - * Enables to match 802.1Q: - * 1) VLAN-tagged frames by VLAN numeric identifier (12 - bits field) - * 2) Priority-tagged frames by user_priority (3 bits field) - * 3) Encapsulated Frame by ethernet protocol type/length +/* ebt_vlan * * Authors: - * Bart De Schuymer <bart.de.schuymer@pandora.be> + * Bart De Schuymer <bdschuym@pandora.be> * Nick Fedchik <nick@fedchik.org.ua> - * June, 2002 - * - * License: GNU GPL - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * + * June, 2002 */ #include <stdio.h> @@ -40,30 +17,19 @@ #include <linux/netfilter_bridge/ebt_vlan.h> #include <linux/if_ether.h> - -#define GET_BITMASK(_MASK_) vlaninfo->bitmask & _MASK_ -#define SET_BITMASK(_MASK_) vlaninfo->bitmask |= _MASK_ -#define INV_FLAG(_inv_flag_) (vlaninfo->invflags & _inv_flag_) ? "! " : "" -#define CHECK_IF_MISSING_VALUE if (optind > argc) ebt_print_error ("Missing %s value", opts[c].name); -#define CHECK_INV_FLAG(_INDEX_) if (ebt_check_inverse (optarg)) vlaninfo->invflags |= _INDEX_; -#define CHECK_RANGE(_RANGE_) if (_RANGE_) ebt_print_error ("Invalid %s range", opts[c].name); - #define NAME_VLAN_ID "id" #define NAME_VLAN_PRIO "prio" #define NAME_VLAN_ENCAP "encap" -#define VLAN_ID 0 -#define VLAN_PRIO 1 -#define VLAN_ENCAP 2 +#define VLAN_ID '1' +#define VLAN_PRIO '2' +#define VLAN_ENCAP '3' static struct option opts[] = { - {EBT_VLAN_MATCH "-" NAME_VLAN_ID, required_argument, NULL, - VLAN_ID}, - {EBT_VLAN_MATCH "-" NAME_VLAN_PRIO, required_argument, NULL, - VLAN_PRIO}, - {EBT_VLAN_MATCH "-" NAME_VLAN_ENCAP, required_argument, NULL, - VLAN_ENCAP}, - {NULL} + {"vlan-id" , required_argument, NULL, VLAN_ID}, + {"vlan-prio" , required_argument, NULL, VLAN_PRIO}, + {"vlan-encap", required_argument, NULL, VLAN_ENCAP}, + { 0 } }; /* @@ -76,104 +42,67 @@ static struct option opts[] = { struct ethertypeent *ethent; -/* - * Print out local help by "ebtables -h <match name>" - */ - static void print_help() { -#define HELP_TITLE "802.1Q VLAN extension" - - printf(HELP_TITLE " options:\n"); - printf("--" EBT_VLAN_MATCH "-" NAME_VLAN_ID " %s" NAME_VLAN_ID - " : VLAN-tagged frame identifier, 0,1-4096 (integer), default 1\n", - OPT_VLAN_FLAGS & OPT_VLAN_ID ? "[!] " : ""); - printf("--" EBT_VLAN_MATCH "-" NAME_VLAN_PRIO " %s" NAME_VLAN_PRIO - " : Priority-tagged frame user_priority, 0-7 (integer), default 0\n", - OPT_VLAN_FLAGS & OPT_VLAN_PRIO ? "[!] " : ""); - printf("--" EBT_VLAN_MATCH "-" NAME_VLAN_ENCAP " %s" - NAME_VLAN_ENCAP - " : Encapsulated frame type (hexadecimal), default IP (0800)\n", - OPT_VLAN_FLAGS & OPT_VLAN_ENCAP ? "[!] " : ""); + printf( +"vlan options:\n" +"--vlan-id [!] id : vlan-tagged frame identifier, 0,1-4096 (integer)\n" +"--vlan-prio [!] prio : Priority-tagged frame's user priority, 0-7 (integer)\n" +"--vlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or name)\n"); } -/* - * Initialization function - */ static void init(struct ebt_entry_match *match) { - struct ebt_vlan_info *vlaninfo = - (struct ebt_vlan_info *) match->data; - /* - * Set initial values - */ - vlaninfo->id = 1; /* Default VID for VLAN-tagged 802.1Q frames */ - vlaninfo->prio = 0; - vlaninfo->encap = 0; + struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data; vlaninfo->invflags = 0; vlaninfo->bitmask = 0; } -/* - * Parse passed arguments values (ranges, flags, etc...) - * int c - parameter number from static struct option opts[] - * int argc - total amout of arguments (std argc value) - * int argv - arguments (std argv value) - * const struct ebt_u_entry *entry - default ebtables entry set - * unsigned int *flags - - * struct ebt_entry_match **match - - */ -static int -parse(int c, - char **argv, - int argc, - const struct ebt_u_entry *entry, - unsigned int *flags, struct ebt_entry_match **match) +static int parse(int c, char **argv, int argc, const struct ebt_u_entry *entry, + unsigned int *flags, struct ebt_entry_match **match) { - struct ebt_vlan_info *vlaninfo = - (struct ebt_vlan_info *) (*match)->data; + struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) (*match)->data; char *end; struct ebt_vlan_info local; switch (c) { case VLAN_ID: - ebt_check_option(flags, OPT_VLAN_ID); - CHECK_INV_FLAG(EBT_VLAN_ID); - CHECK_IF_MISSING_VALUE; - local.id = strtoul(argv[optind - 1], &end, 10); - CHECK_RANGE(local.id > 4094 || *end != '\0'); + ebt_check_option2(flags, OPT_VLAN_ID); + if (ebt_check_inverse2(optarg)) + vlaninfo->invflags |= EBT_VLAN_ID; + local.id = strtoul(optarg, &end, 10); + if (local.id > 4094 || *end != '\0') + ebt_print_error2("Invalid --vlan-id range ('%s')", optarg); vlaninfo->id = local.id; - SET_BITMASK(EBT_VLAN_ID); + vlaninfo->bitmask |= EBT_VLAN_ID; break; - case VLAN_PRIO: - ebt_check_option(flags, OPT_VLAN_PRIO); - CHECK_INV_FLAG(EBT_VLAN_PRIO); - CHECK_IF_MISSING_VALUE; - local.prio = strtoul(argv[optind - 1], &end, 10); - CHECK_RANGE(local.prio >= 8 || *end != '\0'); + ebt_check_option2(flags, OPT_VLAN_PRIO); + if (ebt_check_inverse2(optarg)) + vlaninfo->invflags |= EBT_VLAN_PRIO; + local.prio = strtoul(optarg, &end, 10); + if (local.prio >= 8 || *end != '\0') + ebt_print_error2("Invalid --vlan-prio range ('%s')", optarg); vlaninfo->prio = local.prio; - SET_BITMASK(EBT_VLAN_PRIO); + vlaninfo->bitmask |= EBT_VLAN_PRIO; break; - case VLAN_ENCAP: - ebt_check_option(flags, OPT_VLAN_ENCAP); - CHECK_INV_FLAG(EBT_VLAN_ENCAP); - CHECK_IF_MISSING_VALUE; - local.encap = strtoul(argv[optind - 1], &end, 16); + ebt_check_option2(flags, OPT_VLAN_ENCAP); + if (ebt_check_inverse2(optarg)) + vlaninfo->invflags |= EBT_VLAN_ENCAP; + local.encap = strtoul(optarg, &end, 16); if (*end != '\0') { - ethent = getethertypebyname(argv[optind - 1]); + ethent = getethertypebyname(optarg); if (ethent == NULL) - ebt_print_error("Unknown %s encap", - opts[c].name); + ebt_print_error("Unknown --vlan-encap value ('%s')", optarg); local.encap = ethent->e_ethertype; } - CHECK_RANGE(local.encap < ETH_ZLEN); + if (local.encap < ETH_ZLEN) + ebt_print_error2("Invalid --vlan-encap range ('%s')", optarg); vlaninfo->encap = htons(local.encap); - SET_BITMASK(EBT_VLAN_ENCAP); + vlaninfo->bitmask |= EBT_VLAN_ENCAP; break; - default: return 0; @@ -181,75 +110,34 @@ parse(int c, return 1; } -/* - * Final check - logical conditions - */ -static void -final_check(const struct ebt_u_entry *entry, - const struct ebt_entry_match *match, - const char *name, unsigned int hookmask, unsigned int time) +static void final_check(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match, + const char *name, unsigned int hookmask, unsigned int time) { - - struct ebt_vlan_info *vlaninfo = - (struct ebt_vlan_info *) match->data; - /* - * Specified proto isn't 802.1Q? - */ if (entry->ethproto != ETH_P_8021Q || entry->invflags & EBT_IPROTO) - ebt_print_error("For use 802.1Q extension the protocol " - "must be specified as 802_1Q"); - /* - * Check if specified vlan-encap=0x8100 (802.1Q Frame) - * when vlan-encap specified. - */ - if (GET_BITMASK(EBT_VLAN_ENCAP)) { - if (vlaninfo->encap == htons(0x8100)) - ebt_print_error("Encapsulated frame type can not be " - "802.1Q (0x8100)"); - } - - /* - * Check if specified vlan-id=0 (priority-tagged frame condition) - * when vlan-prio was specified. - */ - if (GET_BITMASK(EBT_VLAN_PRIO)) { - if (vlaninfo->id && GET_BITMASK(EBT_VLAN_ID)) - ebt_print_error("For use user_priority the specified " - "vlan-id must be 0"); - } + ebt_print_error("For vlan filtering the protocol must be specified as 802_1Q"); + + /* Check if specified vlan-id=0 (priority-tagged frame condition) + * when vlan-prio was specified. */ + /* I see no reason why a user should be prohibited to match on a perhaps impossible situation <BDS> + if (vlaninfo->bitmask & EBT_VLAN_PRIO && + vlaninfo->id && vlaninfo->bitmask & EBT_VLAN_ID) + ebt_print_error("When setting --vlan-prio the specified --vlan-id must be 0");*/ } -/* - * Print line when listing rules by ebtables -L - */ -static void -print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) +static void print(const struct ebt_u_entry *entry, + const struct ebt_entry_match *match) { - struct ebt_vlan_info *vlaninfo = - (struct ebt_vlan_info *) match->data; + struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data; - /* - * Print VLAN ID if they are specified - */ - if (GET_BITMASK(EBT_VLAN_ID)) { - printf("--%s %s%d ", - opts[VLAN_ID].name, - INV_FLAG(EBT_VLAN_ID), vlaninfo->id); + if (vlaninfo->bitmask & EBT_VLAN_ID) { + printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id); } - /* - * Print user priority if they are specified - */ - if (GET_BITMASK(EBT_VLAN_PRIO)) { - printf("--%s %s%d ", - opts[VLAN_PRIO].name, - INV_FLAG(EBT_VLAN_PRIO), vlaninfo->prio); + if (vlaninfo->bitmask & EBT_VLAN_PRIO) { + printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio); } - /* - * Print encapsulated frame type if they are specified - */ - if (GET_BITMASK(EBT_VLAN_ENCAP)) { - printf("--%s %s", - opts[VLAN_ENCAP].name, INV_FLAG(EBT_VLAN_ENCAP)); + if (vlaninfo->bitmask & EBT_VLAN_ENCAP) { + printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : ""); ethent = getethertypebynumber(ntohs(vlaninfo->encap)); if (ethent != NULL) { printf("%s ", ethent->e_name); @@ -259,47 +147,25 @@ print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match) } } - -static int -compare(const struct ebt_entry_match *vlan1, - const struct ebt_entry_match *vlan2) +static int compare(const struct ebt_entry_match *vlan1, + const struct ebt_entry_match *vlan2) { - struct ebt_vlan_info *vlaninfo1 = - (struct ebt_vlan_info *) vlan1->data; - struct ebt_vlan_info *vlaninfo2 = - (struct ebt_vlan_info *) vlan2->data; - /* - * Compare argc - */ + struct ebt_vlan_info *vlaninfo1 = (struct ebt_vlan_info *) vlan1->data; + struct ebt_vlan_info *vlaninfo2 = (struct ebt_vlan_info *) vlan2->data; + if (vlaninfo1->bitmask != vlaninfo2->bitmask) return 0; - /* - * Compare inv flags - */ if (vlaninfo1->invflags != vlaninfo2->invflags) return 0; - /* - * Compare VLAN ID if they are present - */ - if (vlaninfo1->bitmask & EBT_VLAN_ID) { - if (vlaninfo1->id != vlaninfo2->id) - return 0; - }; - /* - * Compare VLAN Prio if they are present - */ - if (vlaninfo1->bitmask & EBT_VLAN_PRIO) { - if (vlaninfo1->prio != vlaninfo2->prio) - return 0; - }; - /* - * Compare VLAN Encap if they are present - */ - if (vlaninfo1->bitmask & EBT_VLAN_ENCAP) { - if (vlaninfo1->encap != vlaninfo2->encap) - return 0; - }; - + if (vlaninfo1->bitmask & EBT_VLAN_ID && + vlaninfo1->id != vlaninfo2->id) + return 0; + if (vlaninfo1->bitmask & EBT_VLAN_PRIO && + vlaninfo1->prio != vlaninfo2->prio) + return 0; + if (vlaninfo1->bitmask & EBT_VLAN_ENCAP && + vlaninfo1->encap != vlaninfo2->encap) + return 0; return 1; } diff --git a/extensions/ebtable_broute.c b/extensions/ebtable_broute.c index 3c00962..5259355 100644 --- a/extensions/ebtable_broute.c +++ b/extensions/ebtable_broute.c @@ -1,3 +1,11 @@ +/* ebtable_broute + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include "../include/ebtables_u.h" diff --git a/extensions/ebtable_filter.c b/extensions/ebtable_filter.c index 08f5033..e41fb84 100644 --- a/extensions/ebtable_filter.c +++ b/extensions/ebtable_filter.c @@ -1,3 +1,11 @@ +/* ebtable_filter + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include "../include/ebtables_u.h" diff --git a/extensions/ebtable_nat.c b/extensions/ebtable_nat.c index d64e21d..b21c9dd 100644 --- a/extensions/ebtable_nat.c +++ b/extensions/ebtable_nat.c @@ -1,3 +1,11 @@ +/* ebtable_nat + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * April, 2002 + */ + #include <stdio.h> #include "../include/ebtables_u.h" |