| Commit message (Collapse) | Author | Age | Files | Lines |
The ebtables initialization is easier, and, judging from the "static"
recipe in Makefile, calling ebt_*_register ahead of main is
safe.
This means that a static build won't need the pseudomain hack,
and that -nostartfiles can also go away.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Prepare for autoconf-based substitution of macros in the file.
Signed-off-by: Florian Westphal <fw@strlen.de>
Calling /usr/bin/install with -o/-g will attempt to chown, and fail
if unsuccessful, which makes an unprivileged install with DESTDIR a
futile attempt always.
Drop it, because /usr/bin/install chowns to the current running user
*anyway*, which means when root calls `make install`, it will do the
right thing as before.
Signed-off-by: Florian Westphal <fw@strlen.de>
56993546c805 ("extensions: fix build failure on fc28") eliminated a gcc
warning that strncpy could make a string w/out a NUL terminator.
snprintf guarantees NUL-termination (so fixes that possibility). But,
snprintf may discard data to make room for the NUL. This patch errors
straight away in that eventuality.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
make fails via:
extensions/ebt_string.c: In function ‘parse’:
extensions/ebt_string.c:171:3: error: ‘strncpy’ specified bound 16 equals destination size [-Werror=stringop-truncation]
strncpy(info->algo, optarg, XT_STRING_MAX_ALGO_NAME_SIZE);
Signed-off-by: Florian Westphal <fw@strlen.de>
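The two commits above describe the same field from both sides: the strncpy() bound equal to the destination size that gcc rejects, and the snprintf() replacement that guarantees a NUL but may silently drop bytes. The following is an added example, not ebtables' own code, showing why the strncpy form can leave the algo field unterminated and how the snprintf return value is used to refuse a truncated name. The function names copy_algo_name, algo_name_fits and strncpy_leaves_unterminated are invented for the example; only the 16-byte bound is taken from the build error quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Same bound the build error above names (the xt_string algo field). */
#define XT_STRING_MAX_ALGO_NAME_SIZE 16

/* Copy an algorithm name into a fixed-size, kernel-facing field.
 * snprintf() always NUL-terminates, and its return value (the length
 * that would have been written) tells us whether bytes were dropped to
 * make room for that NUL.  Returns 0 on success, -1 if the name did not
 * fit; a caller should treat -1 as a hard error rather than hand the
 * kernel a silently shortened name that may match a different module. */
int copy_algo_name(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);

    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* Wrapper over a field of the real size: 1 if `src` fits together with
 * its terminator, 0 if copy_algo_name() rejects it. */
int algo_name_fits(const char *src)
{
    char algo[XT_STRING_MAX_ALGO_NAME_SIZE];

    return copy_algo_name(algo, sizeof algo, src) == 0;
}

/* The pattern 56993546c805 replaced: strncpy() with a bound equal to the
 * destination size fills the whole buffer for long input and writes no
 * terminator.  Returns 1 when the field ends up unterminated. */
int strncpy_leaves_unterminated(const char *src)
{
    char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
    size_t bound = sizeof algo;

    memset(algo, 'X', sizeof algo);
    strncpy(algo, src, bound);
    return memchr(algo, '\0', sizeof algo) == NULL;
}

int main(void)
{
    /* Constructed inputs: two real xt_string algorithm names and two
     * names that sit exactly at and just over the 15-character limit. */
    const char *names[] = { "bm", "kmp", "0123456789abcde", "0123456789abcdef" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s fits=%d strncpy_unterminated=%d\n", names[i],
               algo_name_fits(names[i]), strncpy_leaves_unterminated(names[i]));
    return 0;
}
```

The boundary worth remembering is that a 16-byte field holds at most 15 name characters: the 16-character input is exactly the case where strncpy() produces an unterminated field and where snprintf() would otherwise truncate without complaint.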
Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
<linux/netfilter_bridge/ebtables.h> again and import a new ebtables.h
from the kernel tree that has the "revision" field.
With this, include/ebtables.h is (again) used by no source file, and
so can be removed.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly:
> libebtc.c: In function 'ebt_reinit_extensions':
> libebtc.c:275:11: error: 'union <anonymous>' has no member named 'revision'
> m->m->u.revision = m->revision;
> ^
> libebtc.c: In function 'ebt_check_rule_exists':
> libebtc.c:555:21: error: 'union <anonymous>' has no member named 'revision'
> m_l2->m->u.revision != m->m->u.revision)) {
> ^
> libebtc.c:555:41: error: 'union <anonymous>' has no member named 'revision'
> m_l2->m->u.revision != m->m->u.revision)) {
> ^
> libebtc.c: In function 'ebt_register_match':
> libebtc.c:1215:9: error: 'union <anonymous>' has no member named 'revision'
> m->m->u.revision = m->revision;
> ^
The cause of this failure is that the commit updated include/ebtables.h but
libebtc.c uses include/linux/netfilter_bridge/ebtables.h via
include/ebtables_u.h (gcc -E -C verifies this).
The 2 versions of ebtables.h looked to me to be otherwise close enough, so
amended ebtables_u.h to use the newer one.
Makefile insists on being warning-free, so cleared up warnings. Apart from
unused variables, there was also the issue that the diagnostic macro
ebt_print_error2 *returns* (i.e. makes its caller return) and returns -1. This
is unsuitable for use in functions which do not return a value, so introduced
ebt_print_error3 to do this.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
Conflicting definitions of struct ethhdr between the kernel and musl
libc provided headers cause a build failure:
In file included from .../usr/include/netinet/ether.h:8:0,
from useful_functions.c:28:
.../usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
struct ethhdr {
^~~~~~
In file included from include/linux/netfilter_bridge.h:8:0,
from include/linux/netfilter_bridge/ebtables.h:17,
from include/ebtables_u.h:27,
from useful_functions.c:25:
include/linux/if_ether.h:119:8: note: originally defined here
struct ethhdr {
^~~~~~
Recent enough versions of the kernel headers allow the libc to suppress
conflicting kernel definitions. Include the libc provided
netinet/ether.h before kernel headers to suppress the conflicting
definition of struct ethhdr.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is part of a proposal to add a string filter to
ebtables, which would be similar to the string filter in
iptables.
Like iptables, the ebtables filter uses the xt_string module,
however some modifications have been made for this to work
correctly.
Currently ebtables assumes that the revision number of all match
modules is 0. The xt_string module doesn't register a match with
revision 0 so the solution is to modify ebtables to allow
extensions to specify a revision number, similar to iptables.
This gets passed down to the kernel, which is then able to find
the match module correctly.
Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We already have ICMPv6 type/code matches (which can be used to distinguish
different types of MLD packets). Add support for IPv4 IGMP matches in the
same way.
To reuse as much code as possible, the ICMP type/code handling functions
are extended to allow passing a NULL code range.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP
matches in the same way.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Allow using these functions for ebt_ip as well.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The previous conversion to using flock() missed a crucial bit of code
which tries to create LOCKDIR once in case opening the lock failed.
This patch reestablishes the old behaviour.
Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
Fixes: 6a826591878db ("Use flock() for --concurrent option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The previous locking mechanism was not atomic, hence it was possible
that a killed ebtables process would leave the lock file in place which
in turn made future ebtables processes wait indefinitely for the lock to
become free.
Fix this by using flock(). This also simplifies code quite a bit because
there is no need for a custom signal handler or an __exit routine
anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
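The two locking commits above (the switch to flock() and the follow-up that re-creates LOCKDIR once when the open fails) are easier to reason about with the scenario in front of you. Below is an added example, not ebtables' own code, of a lock built the same way: an exclusive flock() on an opened file, one mkdir retry when the parent directory is missing, and nothing to clean up on exit because the kernel drops the lock with the last close of the descriptor, whether the process exits or is killed. The names ebt_acquire_lock, ebt_release_lock, create_lock_dir and lock_selftest, and the /tmp location used by the self-test, are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the parent directory of `path` once (mode 0755), mirroring the
 * re-established "create LOCKDIR if opening the lock failed" behaviour.
 * Returns 0 on success or if the directory already exists. */
static int create_lock_dir(const char *path)
{
    char dir[PATH_MAX];
    const char *slash = strrchr(path, '/');

    if (slash == NULL || slash == path || (size_t)(slash - path) >= sizeof dir)
        return -1;
    memcpy(dir, path, slash - path);
    dir[slash - path] = '\0';
    return (mkdir(dir, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Acquire an exclusive flock() on `path`.  Returns the descriptor that
 * holds the lock, or -1 with errno set.  With block == 0 the call fails
 * with EWOULDBLOCK instead of waiting while another holder exists.
 * The lock belongs to the open file description, so a killed holder
 * never leaves a stale lock behind: no signal handler or atexit needed. */
int ebt_acquire_lock(const char *path, int block)
{
    int fd = open(path, O_CREAT | O_RDONLY, 0600);

    if (fd < 0 && errno == ENOENT) {
        if (create_lock_dir(path) < 0)
            return -1;
        fd = open(path, O_CREAT | O_RDONLY, 0600);
    }
    if (fd < 0)
        return -1;

    if (flock(fd, LOCK_EX | (block ? 0 : LOCK_NB)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

void ebt_release_lock(int fd)
{
    close(fd);  /* releases the flock; the file itself stays in place */
}

/* Runs the scenario from both commits in a throwaway directory: the
 * missing lock directory is created on first use, a second opener is
 * refused while the first holds the lock, and the lock is free again
 * once released.  Returns 0 if every step behaves, else the step number. */
int lock_selftest(void)
{
    char tmpl[] = "/tmp/ebt-lock-XXXXXX";   /* constructed test location */
    char path[PATH_MAX];
    int a, b, c;

    if (mkdtemp(tmpl) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/lockdir/ebtables.lock", tmpl);

    a = ebt_acquire_lock(path, 1);          /* lockdir/ does not exist yet */
    if (a < 0)
        return 2;
    b = ebt_acquire_lock(path, 0);          /* separate description: contended */
    if (b >= 0 || errno != EWOULDBLOCK) {
        if (b >= 0)
            ebt_release_lock(b);
        return 3;
    }
    ebt_release_lock(a);
    c = ebt_acquire_lock(path, 0);          /* free again after release */
    if (c < 0)
        return 4;
    ebt_release_lock(c);

    unlink(path);
    snprintf(path, sizeof path, "%s/lockdir", tmpl);
    rmdir(path);
    rmdir(tmpl);
    return 0;
}

int main(void)
{
    int rc = lock_selftest();

    printf("lock self-test: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The contention check works inside one process because flock() locks are tied to the open file description, not the process: a second open() of the same file yields an independent description that conflicts with the first, which is exactly how a second ebtables invocation would see it.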
The struct of the type option is only used to initialise a field
inside the ebt_u_watcher or ebt_u_target or ebt_u_match struct and
is not modified anywhere.
Signed-off-by: Gargi Sharma <gs051095@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS' if
they're called from a base chain rather than a user defined chain.
This can be used by ebtables targets that can encode a special return
value to bail out if e.g. RETURN is used from a base chain.
Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also
copied to called user-defined-chains (i.e., a user defined chain can no
longer be distinguished from a base chain):
root@OpenWrt:~# ebtables -N foo
root@OpenWrt:~# ebtables -A OUTPUT -j foo
root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
--mark-target RETURN not allowed on base chain.
This works if -A OUTPUT -j foo is omitted, but will still appear
if we try to call foo from OUTPUT afterwards.
After this patch we still reject
'-A OUTPUT -j mark .. --mark-target RETURN'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Fixes compilation with musl libc
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ebtables fails to compile with versions of the linux headers greater
than v3.16 with this error:
extensions/ebt_ulog.c:17:45: fatal error: linux/netfilter_bridge/ebt_ulog.h: No such file or directory
#include <linux/netfilter_bridge/ebt_ulog.h>
This patch adds netfilter_bridge headers for every supported
extension, including filter.h and types.h, to avoid this problem and
future problems with changes in the kernel headers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
<mmazur at axeos.com>)
potentially not matched correctly
zero (thanks to James Sinclair)
initialization of counters
Volkov)
optimization
Coverity static analysis (thanks to Jiri Popelka)
Popelka)