Commit message | Author | Age | Files | Lines
* ebt_ip: add support for matching IGMP type | Matthias Schiffer | 2018-04-11 | 2 | -14/+65

  We already have ICMPv6 type/code matches (which can be used to distinguish different types of MLD packets). Add support for IPv4 IGMP matches in the same way.

  To reuse as much code as possible, the ICMP type/code handling functions are extended to allow passing a NULL code range.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebt_ip: add support for matching ICMP type and code | Matthias Schiffer | 2018-04-11 | 1 | -2/+94

  We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP matches in the same way.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Move ICMP type handling functions from ebt_ip6 to useful_functions.c | Matthias Schiffer | 2018-04-11 | 3 | -159/+174

  Allow using these functions for ebt_ip as well.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: sync linux/netfilter_bridge/ebt_ip.h with kernel | Matthias Schiffer | 2018-04-11 | 1 | -3/+13

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Fix locking if LOCKDIR does not exist | Phil Sutter | 2018-01-17 | 1 | -4/+10

  The previous conversion to using flock() missed a crucial bit of code which tries to create LOCKDIR once in case opening the lock failed - This patch reestablishes the old behaviour.

  Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
  Fixes: 6a826591878db ("Use flock() for --concurrent option")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Use flock() for --concurrent option | Phil Sutter | 2017-10-24 | 2 | -52/+5

  The previous locking mechanism was not atomic, hence it was possible that a killed ebtables process would leave the lock file in place which in turn made future ebtables processes wait indefinitely for the lock to become free.

  Fix this by using flock(). This also simplifies code quite a bit because there is no need for a custom signal handler or an __exit routine anymore.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebtables: extensions: Constify option struct | Gargi Sharma | 2017-03-28 | 18 | -20/+20

  The struct of the type option is only used to initialise a field inside the ebt_u_watcher or ebt_u_target or ebt_u_match struct and is not modified anywhere.

  Signed-off-by: Gargi Sharma <gs051095@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebtables: Allow RETURN target rules in user defined chains | Alin Năstac | 2015-10-28 | 1 | -1/+1

  During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS' if they're called from a base chain rather than a user defined chain.

  This can be used by ebtables targets that can encode a special return value to bail out if e.g. RETURN is used from a base chain.

  Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also copied to called user-defined-chains (i.e., a user defined chain can no longer be distinguished from a base chain):

    root@OpenWrt:~# ebtables -N foo
    root@OpenWrt:~# ebtables -A OUTPUT -j foo
    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
    --mark-target RETURN not allowed on base chain.

  This works if -A OUTPUT -j foo is omitted, but will still appear if we try to call foo from OUTPUT afterwards.

  After this patch we still reject '-A OUTPUT -j mark .. --mark-target RETURN'.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* ethernetdb.h: Remove C++ specific compiler hint macro _THROW | Felix Janda | 2015-05-21 | 1 | -6/+5

  Fixes compilation with musl libc

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: Use stdint types | Felix Janda | 2015-05-21 | 2 | -7/+7

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Add kernel headers needed from v3.16 | Pedro Alvarez | 2015-03-02 | 20 | -0/+860

  Ebtables fails to compile with versions of the linux headers greater than v3.16 with this error:

    extensions/ebt_ulog.c:17:45: fatal error: linux/netfilter_bridge/ebt_ulog.h: No such file or directory
    #include <linux/netfilter_bridge/ebt_ulog.h>

  This patch adds netfilter_bridge headers for every supported extension, including filter.h and types.h, to avoid this problem and future problems with changes in the kernel headers.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* don't print IPv6 mask if it's all ones (based on patch by Mariusz Mazur <mmazur at axeos.com>) | Bart De Schuymer | 2014-04-14 | 3 | -2/+16
* remove ebtables-restore binary from repository | Bart De Schuymer | 2013-07-31 | 1 | -118/+0
* Add --noflush command line support for ebtables-restore | Sanket Shah | 2013-07-31 | 1 | -4/+25
* workaround for kernel regression bug: IPv6 source/destination addresses are potentially not matched correctly | Luis Fernando | 2013-07-03 | 1 | -0/+4
* add info about -Wl,-no-as-needed | Bart De Schuymer | 2013-07-03 | 1 | -0/+2
* fix compilation warning | Petri Gynther | 2013-02-24 | 1 | -1/+1
* add RARP and update iana url | Bart De Schuymer | 2012-07-03 | 1 | -4/+6
* bump release and update program date [ebtables-2.0.10-4] | Bart De Schuymer | 2011-12-15 | 1 | -2/+2
* changelog for 2.0.10-4 | Bart De Schuymer | 2011-12-15 | 1 | -0/+3
* bugfix: setting rule in first built-in chain caused setting all counters to zero (thanks to James Sinclair) | Bart De Schuymer | 2011-12-15 | 1 | -1/+1
* typo | Bart De Schuymer | 2011-12-04 | 1 | -1/+1
* add changelog for v 2.0.10-3 | Bart De Schuymer | 2011-12-04 | 1 | -0/+3
* bump version | Bart De Schuymer | 2011-12-04 | 1 | -1/+1
* fix rule counter bug (reported by James Sinclair): possible wrong initialization of counters | Bart De Schuymer | 2011-12-04 | 1 | -0/+1
* add changelog for v2.0.10-2 | Bart De Schuymer | 2011-08-11 | 1 | -0/+6
* respect LDFLAGS (Peter Volkov) | Bart De Schuymer | 2011-08-11 | 2 | -2/+2
* enable compiler optimizations, bump release number | Bart De Schuymer | 2011-08-11 | 1 | -2/+2
* small changes to remove warnings when optimization is on (thanks to Peter Volkov) | Bart De Schuymer | 2011-08-11 | 1 | -4/+4
* initialize some variables to get rid of warnings when compiling with optimization | Bart De Schuymer | 2011-08-11 | 2 | -4/+4
* remove definition of __EXPORTED_HEADERS__: we use sanitized header files now | Bart De Schuymer | 2011-08-11 | 2 | -2/+0
* add changelog for v2.0.10-1 | Bart De Schuymer | 2011-07-10 | 1 | -0/+15
* bump prog version, add LOCKDIR variable, add -Werror compile flag | Bart De Schuymer | 2011-07-10 | 1 | -10/+13
* remove compile warning, conditionally define LOCKFILE | Bart De Schuymer | 2011-07-10 | 1 | -0/+4
* define __EXPORTED_HEADERS__ to get access to kernel headers | Bart De Schuymer | 2011-07-10 | 1 | -1/+1
* add a reference to the lock file | Bart De Schuymer | 2011-07-10 | 1 | -0/+1
* add info about the lock file compile time option | Bart De Schuymer | 2011-07-10 | 1 | -3/+6
* remove irrelevant negative value check for the result of strtoul, found by Coverity static analysis (thanks to Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -7/+0
* free possible memory leak found by Coverity static analysis (Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -0/+2
* fix use-after-free issue found by Coverity static analysis (thanks to Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -2/+2
* fix possible issues found by Coverity static analysis (thanks to Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -3/+7
* Make the error message printed when an update of a table is rejected by the kernel | Bart De Schuymer | 2011-06-19 | 1 | -3/+7
* export use_lockfd | Bart De Schuymer | 2011-06-19 | 1 | -0/+2
* add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables | Bart De Schuymer | 2011-06-19 | 1 | -0/+67
* add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables | Bart De Schuymer | 2011-06-19 | 1 | -0/+14
* add option --concurrent | Bart De Schuymer | 2011-06-19 | 1 | -0/+3
* rename the libebtc target to libebtc.so and remove the .PHONY for libebtc (thanks to Bertrand Jacquin) | Bart De Schuymer | 2011-06-19 | 1 | -5/+4
* only test on errno when an error occurred (especially on mips); fix some warnings | Bart De Schuymer | 2011-05-29 | 1 | -5/+5
* extend ebt_ip6 to allow matching on ipv6-icmp types/codes (by Florian Westphal) | Bart De Schuymer | 2011-01-18 | 3 | -2/+240
* put include of ebtables_u.h higher so that __EXPORTED_HEADERS__ is defined | Bart De Schuymer | 2010-12-18 | 3 | -3/+3