path: root/libebtc.c
Commit message | Author | Age | Files | Lines

* extensions: Add string filter to ebtables | Bernie Harris | 2018-04-27 | 1 | -1/+5

  This patch is part of a proposal to add a string filter to ebtables, which would be similar to the string filter in iptables. Like iptables, the ebtables filter uses the xt_string module, however some modifications have been made for this to work correctly.

  Currently ebtables assumes that the revision number of all match modules is 0. The xt_string module doesn't register a match with revision 0 so the solution is to modify ebtables to allow extensions to specify a revision number, similar to iptables. This gets passed down to the kernel, which is then able to find the match module correctly.

  Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Fix locking if LOCKDIR does not exist | Phil Sutter | 2018-01-17 | 1 | -4/+10

  The previous conversion to using flock() missed a crucial bit of code which tries to create LOCKDIR once in case opening the lock failed - This patch reestablishes the old behaviour.

  Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
  Fixes: 6a826591878db ("Use flock() for --concurrent option")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Use flock() for --concurrent option | Phil Sutter | 2017-10-24 | 1 | -44/+5

  The previous locking mechanism was not atomic, hence it was possible that a killed ebtables process would leave the lock file in place which in turn made future ebtables processes wait indefinitely for the lock to become free.

  Fix this by using flock(). This also simplifies code quite a bit because there is no need for a custom signal handler or an __exit routine anymore.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebtables: Allow RETURN target rules in user defined chains | Alin Năstac | 2015-10-28 | 1 | -1/+1

  During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS' if they're called from a base chain rather than a user defined chain.

  This can be used by ebtables targets that can encode a special return value to bail out if e.g. RETURN is used from a base chain.

  Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also copied to called user-defined-chains (i.e., a user defined chain can no longer be distinguished from a base chain):

    root@OpenWrt:~# ebtables -N foo
    root@OpenWrt:~# ebtables -A OUTPUT -j foo
    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
    --mark-target RETURN not allowed on base chain.

  This works if -A OUTPUT -j foo is omitted, but will still appear if we try to call foo from OUTPUT afterwards.

  After this patch we still reject '-A OUTPUT -j mark .. --mark-target RETURN'.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* remove compile warning, conditionally define LOCKFILE | Bart De Schuymer | 2011-07-10 | 1 | -0/+4
* fix use-after-free issue found by Coverity static analysis (thanks to Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -2/+2
* add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables | Bart De Schuymer | 2011-06-19 | 1 | -0/+67
* speedup checking for loops | Bart De Schuymer | 2007-02-11 | 1 | -2/+5
* fix -X bug | Bart De Schuymer | 2006-07-31 | 1 | -8/+11
* bugfix | Bart De Schuymer | 2006-07-28 | 1 | -1/+1
* init hook_mask when no udc | Bart De Schuymer | 2006-01-23 | 1 | -4/+6
* send bug messages to stderr | Bart De Schuymer | 2005-11-09 | 1 | -3/+3
* fix -D | Bart De Schuymer | 2005-10-24 | 1 | -1/+4
* minor changes | Bart De Schuymer | 2005-10-01 | 1 | -11/+0
* cleanup | Bart De Schuymer | 2005-09-28 | 1 | -2/+2
* bugfix | Bart De Schuymer | 2005-09-01 | 1 | -0/+1
* bugfix | Bart De Schuymer | 2005-08-30 | 1 | -5/+5
* put rules in doubly linked list | Bart De Schuymer | 2005-08-28 | 1 | -49/+51
* put reference to cc in each entry | Bart De Schuymer | 2005-08-28 | 1 | -196/+75
* make array of chains | Bart De Schuymer | 2005-08-27 | 1 | -245/+106
* trivial cleanups | Bart De Schuymer | 2005-08-12 | 1 | -2/+8
* cleanup | Bart De Schuymer | 2005-07-16 | 1 | -27/+24
* more cleanup | Bart De Schuymer | 2005-03-28 | 1 | -68/+57
* complete -c and -C implementation | Bart De Schuymer | 2005-02-14 | 1 | -16/+37
* general cleanup + add -C and -c | Bart De Schuymer | 2005-02-08 | 1 | -27/+94
* add '.' after messages | Bart De Schuymer | 2005-01-24 | 1 | -1/+1
* really zero counters | Bart De Schuymer | 2005-01-24 | 1 | -0/+24
* add new counter scheme | Bart De Schuymer | 2005-01-23 | 1 | -0/+1
* add ebtablesu scheme, along with general cleanup | Bart De Schuymer | 2005-01-19 | 1 | -314/+221
* Fix problem with udc | Bart De Schuymer | 2004-12-16 | 1 | -1/+1
* gcc doesn't like a label at the end.. tss | Bart De Schuymer | 2004-09-09 | 1 | -1/+1
* add shared libraries | Bart De Schuymer | 2004-01-21 | 1 | -43/+69
* ebtables library functions | Bart De Schuymer | 2004-01-14 | 1 | -0/+1499