Make ebtables library functions
diff --git a/Makefile b/Makefile
index 2f4fec0..3c3229f 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,8 @@
include extensions/Makefile
-OBJECTS:=getethertype.o ebtables.o communication.o $(EXT_OBJS)
+OBJECTS:=getethertype.o ebtables.o communication.o libebtc.o \
+useful_functions.o $(EXT_OBJS)
KERNEL_INCLUDES?=include/
@@ -35,6 +36,12 @@
communication.o: communication.c include/ebtables_u.h
$(CC) $(CFLAGS) $(PROGSPECS) -c -o $@ $< -I$(KERNEL_INCLUDES)
+libebtc.o: libebtc.c include/ebtables_u.h
+ $(CC) $(CFLAGS) $(PROGSPECS) -c -o $@ $< -I$(KERNEL_INCLUDES)
+
+useful_functions.o: useful_functions.c include/ebtables_u.h
+ $(CC) $(CFLAGS) $(PROGSPECS) -c -o $@ $< -I$(KERNEL_INCLUDES)
+
getethertype.o: getethertype.c include/ethernetdb.h
$(CC) $(CFLAGS) $(PROGSPECS) -c -o $@ $< -Iinclude/
diff --git a/communication.c b/communication.c
index 4d02b05..7f8c531 100644
--- a/communication.c
+++ b/communication.c
@@ -255,7 +255,7 @@
free(data);
}
-void deliver_table(struct ebt_u_replace *u_repl)
+void ebt_deliver_table(struct ebt_u_replace *u_repl)
{
socklen_t optlen;
struct ebt_replace *repl;
@@ -311,14 +311,13 @@
fclose(file);
}
-/* gets executed after deliver_table */
-void deliver_counters(struct ebt_u_replace *u_repl)
+/* gets executed after ebt_deliver_table */
+void ebt_deliver_counters(struct ebt_u_replace *u_repl)
{
- unsigned short *point;
struct ebt_counter *old, *new, *newcounters;
socklen_t optlen;
struct ebt_replace repl;
- unsigned short *counterchanges = u_repl->counterchanges;
+ struct ebt_cntchanges *cc = u_repl->counterchanges;
if (u_repl->nentries == 0)
return;
@@ -330,9 +329,8 @@
memset(newcounters, 0, u_repl->nentries * sizeof(struct ebt_counter));
old = u_repl->counters;
new = newcounters;
- point = counterchanges;
- while (*point != CNT_END) {
- if (*point == CNT_NORM) {
+ while (cc) {
+ if (cc->type == CNT_NORM) {
/*
*'normal' rule, meaning we didn't do anything to it
* So, we just copy
@@ -343,10 +341,10 @@
old++;
/* we've set a new counter */
new++;
- } else if (*point == CNT_DEL) {
+ } else if (cc->type == CNT_DEL) {
/* don't use this old counter */
old++;
- } else if (*point == CNT_ADD) {
+ } else if (cc->type == CNT_ADD) {
/* new counter, let it stay 0 */
new++;
} else {
@@ -354,7 +352,7 @@
old++;
new++;
}
- point++;
+ cc = cc->next;
}
free(u_repl->counters);
@@ -393,7 +391,7 @@
new->next = NULL;
**l = new;
*l = &new->next;
- if (find_match(new->m->u.name) == NULL)
+ if (ebt_find_match(new->m->u.name) == NULL)
print_error("Kernel match %s unsupported by userspace tool",
new->m->u.name);
return 0;
@@ -417,7 +415,7 @@
new->next = NULL;
**l = new;
*l = &new->next;
- if (find_watcher(new->w->u.name) == NULL)
+ if (ebt_find_watcher(new->w->u.name) == NULL)
print_error("Kernel watcher %s unsupported by userspace tool",
new->w->u.name);
return 0;
@@ -467,7 +465,7 @@
malloc(t->target_size + sizeof(struct ebt_entry_target));
if (!new->t)
print_memory();
- if (find_target(t->u.name) == NULL)
+ if (ebt_find_target(t->u.name) == NULL)
print_error("Kernel target %s unsupported by "
"userspace tool", t->u.name);
memcpy(new->t, t, t->target_size +
@@ -604,7 +602,7 @@
print_error("File %s contains wrong table name or is corrupt",
filename);
free(hlp);
- } else if (!find_table(repl->name)) {
+ } else if (!ebt_find_table(repl->name)) {
fclose(file);
print_error("File %s contains invalid table name", filename);
}
@@ -686,11 +684,13 @@
return 0;
}
-int get_table(struct ebt_u_replace *u_repl)
+int ebt_get_table(struct ebt_u_replace *u_repl)
{
int i, j, k, hook;
struct ebt_replace repl;
struct ebt_u_entry **u_e;
+ struct ebt_cntchanges *new_cc;
+ struct ebt_cntchanges **prev_cc = &(u_repl->counterchanges);
strcpy(repl.name, u_repl->name);
if (u_repl->filename != NULL) {
@@ -708,6 +708,17 @@
u_repl->num_counters = repl.num_counters;
u_repl->counters = (struct ebt_counter *)repl.counters;
u_repl->udc = NULL;
+ u_repl->counterchanges = NULL;
+ for (i = 0; i < repl.nentries; i++) {
+ new_cc = (struct ebt_cntchanges *)
+ malloc(sizeof(struct ebt_cntchanges));
+ if (!new_cc)
+ print_memory();
+ new_cc->type = CNT_NORM;
+ new_cc->next = NULL;
+ *prev_cc = new_cc;
+ prev_cc = &(new_cc->next);
+ }
hook = -1;
EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_chains,
&hook, u_repl, u_repl->valid_hooks);
diff --git a/ebtables.c b/ebtables.c
index f0e0ab9..dfe4b81 100644
--- a/ebtables.c
+++ b/ebtables.c
@@ -34,38 +34,6 @@
#include <sys/wait.h>
/*
- * Don't use this function, use print_bug()
- */
-void __print_bug(char *file, int line, char *format, ...)
-{
- va_list l;
-
- va_start(l, format);
- printf(PROGNAME" v"PROGVERSION":%s:%d:--BUG--: \n", file, line);
- vprintf(format, l);
- printf("\n");
- va_end(l);
- exit (-1);
-}
-
-#ifndef PROC_SYS_MODPROBE
-#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
-#endif
-#define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE"
-#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n")
-
-
-char *hooknames[NF_BR_NUMHOOKS] =
-{
- [NF_BR_PRE_ROUTING]"PREROUTING",
- [NF_BR_LOCAL_IN]"INPUT",
- [NF_BR_FORWARD]"FORWARD",
- [NF_BR_LOCAL_OUT]"OUTPUT",
- [NF_BR_POST_ROUTING]"POSTROUTING",
- [NF_BR_BROUTING]"BROUTING"
-};
-
-/*
* default command line options
* do not mess around with the already assigned numbers unless
* you know what you are doing
@@ -114,23 +82,6 @@
static struct option *ebt_options = ebt_original_options;
-char* standard_targets[NUM_STANDARD_TARGETS] =
-{
- "ACCEPT",
- "DROP",
- "CONTINUE",
- "RETURN",
-};
-
-unsigned char mac_type_unicast[ETH_ALEN] = {0,0,0,0,0,0};
-unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0};
-unsigned char mac_type_multicast[ETH_ALEN] = {1,0,0,0,0,0};
-unsigned char msk_type_multicast[ETH_ALEN] = {1,0,0,0,0,0};
-unsigned char mac_type_broadcast[ETH_ALEN] = {255,255,255,255,255,255};
-unsigned char msk_type_broadcast[ETH_ALEN] = {255,255,255,255,255,255};
-unsigned char mac_type_bridge_group[ETH_ALEN] = {0x01,0x80,0xc2,0,0,0};
-unsigned char msk_type_bridge_group[ETH_ALEN] = {255,255,255,255,255,255};
-
/*
* holds all the data
*/
@@ -140,49 +91,6 @@
* the chosen table
*/
static struct ebt_u_table *table = NULL;
-/*
- * the lists of supported tables, matches, watchers and targets
- */
-static struct ebt_u_table *tables = NULL;
-static struct ebt_u_match *matches = NULL;
-static struct ebt_u_watcher *watchers = NULL;
-static struct ebt_u_target *targets = NULL;
-
-struct ebt_u_target *find_target(const char *name)
-{
- struct ebt_u_target *t = targets;
-
- while(t && strcmp(t->name, name))
- t = t->next;
- return t;
-}
-
-struct ebt_u_match *find_match(const char *name)
-{
- struct ebt_u_match *m = matches;
-
- while(m && strcmp(m->name, name))
- m = m->next;
- return m;
-}
-
-struct ebt_u_watcher *find_watcher(const char *name)
-{
- struct ebt_u_watcher *w = watchers;
-
- while(w && strcmp(w->name, name))
- w = w->next;
- return w;
-}
-
-struct ebt_u_table *find_table(char *name)
-{
- struct ebt_u_table *t = tables;
-
- while (t && strcmp(t->name, name))
- t = t->next;
- return t;
-}
/*
* The pointers in here are special:
@@ -195,84 +103,6 @@
*/
struct ebt_u_entry *new_entry;
-static void initialize_entry(struct ebt_u_entry *e)
-{
- e->bitmask = EBT_NOPROTO;
- e->invflags = 0;
- e->ethproto = 0;
- strcpy(e->in, "");
- strcpy(e->out, "");
- strcpy(e->logical_in, "");
- strcpy(e->logical_out, "");
- e->m_list = NULL;
- e->w_list = NULL;
- /*
- * the init function of the standard target should have put the verdict
- * on CONTINUE
- */
- e->t = (struct ebt_entry_target *)find_target(EBT_STANDARD_TARGET);
- if (!e->t)
- print_bug("Couldn't load standard target");
-}
-
-/*
- * this doesn't free e, becoz the calling function might need e->next
- */
-static void free_u_entry(struct ebt_u_entry *e)
-{
- struct ebt_u_match_list *m_l, *m_l2;
- struct ebt_u_watcher_list *w_l, *w_l2;
-
- m_l = e->m_list;
- while (m_l) {
- m_l2 = m_l->next;
- free(m_l->m);
- free(m_l);
- m_l = m_l2;
- }
- w_l = e->w_list;
- while (w_l) {
- w_l2 = w_l->next;
- free(w_l->w);
- free(w_l);
- w_l = w_l2;
- }
- free(e->t);
-}
-
-/*
- * the user will use the match, so put it in new_entry
- */
-static void add_match(struct ebt_u_match *m)
-{
- struct ebt_u_match_list **m_list, *new;
-
- m->used = 1;
- for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next);
- new = (struct ebt_u_match_list *)
- malloc(sizeof(struct ebt_u_match_list));
- if (!new)
- print_memory();
- *m_list = new;
- new->next = NULL;
- new->m = (struct ebt_entry_match *)m;
-}
-
-static void add_watcher(struct ebt_u_watcher *w)
-{
- struct ebt_u_watcher_list **w_list;
- struct ebt_u_watcher_list *new;
-
- w->used = 1;
- for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next);
- new = (struct ebt_u_watcher_list *)
- malloc(sizeof(struct ebt_u_watcher_list));
- if (!new)
- print_memory();
- *w_list = new;
- new->next = NULL;
- new->w = (struct ebt_entry_watcher *)w;
-}
static int global_option_offset = 0;
#define OPTION_OFFSET 256
@@ -307,162 +137,22 @@
return merge;
}
-void register_match(struct ebt_u_match *m)
+static void merge_match(struct ebt_u_match *m)
{
- int size = EBT_ALIGN(m->size) + sizeof(struct ebt_entry_match);
- struct ebt_u_match **i;
-
- m->m = (struct ebt_entry_match *)malloc(size);
- if (!m->m)
- print_memory();
- strcpy(m->m->u.name, m->name);
- m->m->match_size = EBT_ALIGN(m->size);
ebt_options = merge_options
(ebt_options, m->extra_ops, &(m->option_offset));
- m->init(m->m);
-
- for (i = &matches; *i; i = &((*i)->next));
- m->next = NULL;
- *i = m;
}
-void register_watcher(struct ebt_u_watcher *w)
+static void merge_watcher(struct ebt_u_watcher *w)
{
- int size = EBT_ALIGN(w->size) + sizeof(struct ebt_entry_watcher);
- struct ebt_u_watcher **i;
-
- w->w = (struct ebt_entry_watcher *)malloc(size);
- if (!w->w)
- print_memory();
- strcpy(w->w->u.name, w->name);
- w->w->watcher_size = EBT_ALIGN(w->size);
ebt_options = merge_options
(ebt_options, w->extra_ops, &(w->option_offset));
- w->init(w->w);
-
- for (i = &watchers; *i; i = &((*i)->next));
- w->next = NULL;
- *i = w;
}
-void register_target(struct ebt_u_target *t)
+static void merge_target(struct ebt_u_target *t)
{
- int size = EBT_ALIGN(t->size) + sizeof(struct ebt_entry_target);
- struct ebt_u_target **i;
-
- t->t = (struct ebt_entry_target *)malloc(size);
- if (!t->t)
- print_memory();
- strcpy(t->t->u.name, t->name);
- t->t->target_size = EBT_ALIGN(t->size);
ebt_options = merge_options
(ebt_options, t->extra_ops, &(t->option_offset));
- t->init(t->t);
-
- for (i = &targets; *i; i = &((*i)->next));
- t->next = NULL;
- *i = t;
-}
-
-void register_table(struct ebt_u_table *t)
-{
- t->next = tables;
- tables = t;
-}
-
-const char *modprobe = NULL;
-/*
- * blatently stolen (again) from iptables.c userspace program
- * find out where the modprobe utility is located
- */
-static char *get_modprobe(void)
-{
- int procfile;
- char *ret;
-
- procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
- if (procfile < 0)
- return NULL;
-
- ret = malloc(1024);
- if (ret) {
- switch (read(procfile, ret, 1024)) {
- case -1: goto fail;
- case 1024: goto fail; /* Partial read. Wierd */
- }
- if (ret[strlen(ret)-1]=='\n')
- ret[strlen(ret)-1]=0;
- close(procfile);
- return ret;
- }
- fail:
- free(ret);
- close(procfile);
- return NULL;
-}
-
-int ebtables_insmod(const char *modname)
-{
- char *buf = NULL;
- char *argv[3];
-
- /* If they don't explicitly set it, read out of kernel */
- if (!modprobe) {
- buf = get_modprobe();
- if (!buf)
- return -1;
- modprobe = buf;
- }
-
- switch (fork()) {
- case 0:
- argv[0] = (char *)modprobe;
- argv[1] = (char *)modname;
- argv[2] = NULL;
- execv(argv[0], argv);
-
- /* not usually reached */
- exit(0);
- case -1:
- return -1;
-
- default: /* parent */
- wait(NULL);
- }
-
- free(buf);
- return 0;
-}
-
-static void list_extensions()
-{
- struct ebt_u_table *tbl = tables;
- struct ebt_u_target *t = targets;
- struct ebt_u_match *m = matches;
- struct ebt_u_watcher *w = watchers;
-
- PRINT_VERSION;
- printf("Supported userspace extensions:\n\nSupported tables:\n");
- while(tbl) {
- printf("%s\n", tbl->name);
- tbl = tbl->next;
- }
- printf("\nSupported targets:\n");
- while(t) {
- printf("%s\n", t->name);
- t = t->next;
- }
- printf("\nSupported matches:\n");
- while(m) {
- printf("%s\n", m->name);
- m = m->next;
- }
- printf("\nSupported watchers:\n");
- while(w) {
- printf("%s\n", w->name);
- w = w->next;
- }
- exit(0);
}
/*
@@ -474,42 +164,6 @@
#define LIST_X 0x10
#define LIST_MAC2 0x20
-void print_mac(const char *mac)
-{
- if (replace.flags & LIST_MAC2) {
- int j;
- for (j = 0; j < ETH_ALEN; j++)
- printf("%02x%s", (unsigned char)mac[j],
- (j==ETH_ALEN-1) ? "" : ":");
- } else
- printf("%s", ether_ntoa((struct ether_addr *) mac));
-}
-
-void print_mac_and_mask(const char *mac, const char *mask)
-{
- char hlpmsk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
-
- if (!memcmp(mac, mac_type_unicast, 6) &&
- !memcmp(mask, msk_type_unicast, 6))
- printf("Unicast");
- else if (!memcmp(mac, mac_type_multicast, 6) &&
- !memcmp(mask, msk_type_multicast, 6))
- printf("Multicast");
- else if (!memcmp(mac, mac_type_broadcast, 6) &&
- !memcmp(mask, msk_type_broadcast, 6))
- printf("Broadcast");
- else if (!memcmp(mac, mac_type_bridge_group, 6) &&
- !memcmp(mask, msk_type_bridge_group, 6))
- printf("BGA");
- else {
- print_mac(mac);
- if (memcmp(mask, hlpmsk, 6)) {
- printf("/");
- print_mac(mask);
- }
- }
-}
-
/*
* helper function for list_rules()
*/
@@ -523,14 +177,16 @@
struct ebt_u_watcher *w;
struct ebt_u_target *t;
+ if (replace.flags & LIST_MAC2)
+ ebt_printstyle_mac = 2;
hlp = entries->entries;
if (replace.flags & LIST_X && entries->policy != EBT_ACCEPT) {
printf("ebtables -t %s -P %s %s\n", replace.name,
- entries->name, standard_targets[-entries->policy - 1]);
+ entries->name, ebt_standard_targets[-entries->policy - 1]);
} else if (!(replace.flags & LIST_X)) {
printf("\nBridge chain: %s, entries: %d, policy: %s\n",
entries->name, entries->nentries,
- standard_targets[-entries->policy - 1]);
+ ebt_standard_targets[-entries->policy - 1]);
}
i = entries->nentries;
@@ -580,14 +236,14 @@
printf("-s ");
if (hlp->invflags & EBT_ISOURCE)
printf("! ");
- print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk);
+ ebt_print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk);
printf(" ");
}
if (hlp->bitmask & EBT_DESTMAC) {
printf("-d ");
if (hlp->invflags & EBT_IDEST)
printf("! ");
- print_mac_and_mask(hlp->destmac, hlp->destmsk);
+ ebt_print_mac_and_mask(hlp->destmac, hlp->destmsk);
printf(" ");
}
if (hlp->in[0] != '\0') {
@@ -617,7 +273,7 @@
m_l = hlp->m_list;
while (m_l) {
- m = find_match(m_l->m->u.name);
+ m = ebt_find_match(m_l->m->u.name);
if (!m)
print_bug("Match not found");
m->print(hlp, m_l->m);
@@ -625,7 +281,7 @@
}
w_l = hlp->w_list;
while (w_l) {
- w = find_watcher(w_l->w->u.name);
+ w = ebt_find_watcher(w_l->w->u.name);
if (!w)
print_bug("Watcher not found");
w->print(hlp, w_l->w);
@@ -635,7 +291,7 @@
printf("-j ");
if (strcmp(hlp->t->u.name, EBT_STANDARD_TARGET))
printf("%s ", hlp->t->u.name);
- t = find_target(hlp->t->u.name);
+ t = ebt_find_target(hlp->t->u.name);
if (!t)
print_bug("Target not found");
t->print(hlp, hlp->t);
@@ -648,158 +304,6 @@
}
}
-struct ebt_u_entries *nr_to_chain(int nr)
-{
- if (nr == -1)
- return NULL;
- if (nr < NF_BR_NUMHOOKS)
- return replace.hook_entry[nr];
- else {
- int i;
- struct ebt_u_chain_list *cl = replace.udc;
-
- i = nr - NF_BR_NUMHOOKS;
- while (i > 0 && cl) {
- cl = cl->next;
- i--;
- }
- if (cl)
- return cl->udc;
- else
- return NULL;
- }
-}
-
-static inline struct ebt_u_entries *to_chain()
-{
- return nr_to_chain(replace.selected_hook);
-}
-
-struct ebt_u_stack
-{
- int chain_nr;
- int n;
- struct ebt_u_entry *e;
- struct ebt_u_entries *entries;
-};
-
-static void check_for_loops()
-{
- int chain_nr , i, j , k, sp = 0, verdict;
- struct ebt_u_entries *entries, *entries2;
- struct ebt_u_stack *stack = NULL;
- struct ebt_u_entry *e;
-
- i = -1;
- /*
- * initialize hook_mask to 0
- */
- while (1) {
- i++;
- if (i < NF_BR_NUMHOOKS && !(replace.valid_hooks & (1 << i)))
- continue;
- entries = nr_to_chain(i);
- if (!entries)
- break;
- entries->hook_mask = 0;
- }
- if (i > NF_BR_NUMHOOKS) {
- stack = (struct ebt_u_stack *)malloc((i - NF_BR_NUMHOOKS) *
- sizeof(struct ebt_u_stack));
- if (!stack)
- print_memory();
- }
-
- /*
- * check for loops, starting from every base chain
- */
- for (i = 0; i < NF_BR_NUMHOOKS; i++) {
- if (!(replace.valid_hooks & (1 << i)))
- continue;
- entries = nr_to_chain(i);
- /*
- * (1 << NF_BR_NUMHOOKS) implies it's a standard chain
- * (usefull in the final_check() funtions)
- */
- entries->hook_mask = (1 << i) | (1 << NF_BR_NUMHOOKS);
- chain_nr = i;
-
- e = entries->entries;
- for (j = 0; j < entries->nentries; j++) {
- if (strcmp(e->t->u.name, EBT_STANDARD_TARGET))
- goto letscontinue;
- verdict = ((struct ebt_standard_target *)(e->t))->verdict;
- if (verdict < 0)
- goto letscontinue;
- entries2 = nr_to_chain(verdict + NF_BR_NUMHOOKS);
- entries2->hook_mask |= entries->hook_mask;
- /*
- * now see if we've been here before
- */
- for (k = 0; k < sp; k++)
- if (stack[k].chain_nr == verdict + NF_BR_NUMHOOKS)
- print_error("Loop from chain %s to chain %s",
- nr_to_chain(chain_nr)->name,
- nr_to_chain(stack[k].chain_nr)->name);
- /*
- * jump to the chain, make sure we know how to get back
- */
- stack[sp].chain_nr = chain_nr;
- stack[sp].n = j;
- stack[sp].entries = entries;
- stack[sp].e = e;
- sp++;
- j = -1;
- e = entries2->entries;
- chain_nr = verdict + NF_BR_NUMHOOKS;
- entries = entries2;
- continue;
-letscontinue:
- e = e->next;
- }
- /*
- * we are at the end of a standard chain
- */
- if (sp == 0)
- continue;
- /*
- * go back to the chain one level higher
- */
- sp--;
- j = stack[sp].n;
- chain_nr = stack[sp].chain_nr;
- e = stack[sp].e;
- entries = stack[sp].entries;
- goto letscontinue;
- }
- free(stack);
- return;
-}
-
-/*
- * parse the chain name and return the corresponding nr
- * returns -1 on failure
- */
-int get_hooknr(char* arg)
-{
- int i;
- struct ebt_u_chain_list *cl = replace.udc;
-
- for (i = 0; i < NF_BR_NUMHOOKS; i++) {
- if (!(replace.valid_hooks & (1 << i)))
- continue;
- if (!strcmp(arg, replace.hook_entry[i]->name))
- return i;
- }
- while(cl) {
- if (!strcmp(arg, cl->udc->name))
- return i;
- i++;
- cl = cl->next;
- }
- return -1;
-}
-
static void print_help()
{
struct ebt_u_match_list *m_l;
@@ -859,7 +363,7 @@
((struct ebt_u_target *)new_entry->t)->help();
printf("\n");
if (table->help)
- table->help(hooknames);
+ table->help(ebt_hooknames);
exit(0);
}
@@ -872,8 +376,8 @@
if (!(replace.flags & LIST_X))
printf("Bridge table: %s\n", table->name);
- if (replace.selected_hook != -1) {
- list_em(to_chain());
+ if (replace.selected_chain != -1) {
+ list_em(ebt_to_chain(&replace));
} else {
struct ebt_u_chain_list *cl = replace.udc;
@@ -889,9 +393,10 @@
cl = replace.udc;
for (i = 0; i < NF_BR_NUMHOOKS; i++)
if (replace.valid_hooks & (1 << i) &&
- strcmp(replace.hook_entry[i]->name, hooknames[i]))
+ strcmp(replace.hook_entry[i]->name,
+ ebt_hooknames[i]))
printf("ebtables -t %s -E %s %s\n",
- replace.name, hooknames[i],
+ replace.name, ebt_hooknames[i],
replace.hook_entry[i]->name);
}
i = 0;
@@ -911,768 +416,6 @@
}
}
-static void counters_nochange()
-{
- int i;
-
- replace.num_counters = replace.nentries;
- if (replace.nentries) {
- /*
- * '+ 1' for the CNT_END
- */
- if (!(replace.counterchanges = (unsigned short *) malloc(
- (replace.nentries + 1) * sizeof(unsigned short))))
- print_memory();
- /*
- * done nothing special to the rules
- */
- for (i = 0; i < replace.nentries; i++)
- replace.counterchanges[i] = CNT_NORM;
- replace.counterchanges[replace.nentries] = CNT_END;
- }
- else
- replace.counterchanges = NULL;
-}
-
-/*
- * execute command P
- */
-static void change_policy(int policy)
-{
- struct ebt_u_entries *entries = to_chain();
-
- /*
- * don't do anything if the policy is the same
- */
- if (entries->policy != policy) {
- entries->policy = policy;
- counters_nochange();
- } else
- exit(0);
-}
-
-/*
- * flush one chain or the complete table
- * -1 == nothing to do
- * 0 == give back to kernel
- */
-static int flush_chains()
-{
- int i, j, oldnentries, numdel;
- unsigned short *cnt;
- struct ebt_u_entry *u_e, *tmp;
- struct ebt_u_entries *entries = to_chain();
-
- /*
- * flush whole table
- */
- if (!entries) {
- if (replace.nentries == 0)
- return -1;
- replace.nentries = 0;
- /*
- * no need for the kernel to give us counters back
- */
- replace.num_counters = 0;
-
- /*
- * free everything and zero (n)entries
- */
- i = -1;
- while (1) {
- i++;
- entries = nr_to_chain(i);
- if (!entries) {
- if (i < NF_BR_NUMHOOKS)
- continue;
- else
- break;
- }
- entries->nentries = 0;
- entries->counter_offset = 0;
- u_e = entries->entries;
- entries->entries = NULL;
- while (u_e) {
- free_u_entry(u_e);
- tmp = u_e->next;
- free(u_e);
- u_e = tmp;
- }
- }
- return 0;
- }
-
- if (entries->nentries == 0)
- return -1;
- oldnentries = replace.nentries;
- replace.nentries -= entries->nentries;
- numdel = entries->nentries;
-
- if (replace.nentries) {
- /*
- * +1 for CNT_END
- */
- if ( !(replace.counterchanges = (unsigned short *)
- malloc((oldnentries + 1) * sizeof(unsigned short))) )
- print_memory();
- }
- /*
- * delete the counters belonging to the specified chain,
- * update counter_offset
- */
- i = -1;
- cnt = replace.counterchanges;
- while (1) {
- i++;
- entries = nr_to_chain(i);
- if (!entries) {
- if (i < NF_BR_NUMHOOKS)
- continue;
- else
- break;
- }
- if (i > replace.selected_hook)
- entries->counter_offset -= numdel;
- if (replace.nentries) {
- for (j = 0; j < entries->nentries; j++) {
- if (i == replace.selected_hook)
- *cnt = CNT_DEL;
- else
- *cnt = CNT_NORM;
- cnt++;
- }
- }
- }
-
- if (replace.nentries) {
- *cnt = CNT_END;
- replace.num_counters = oldnentries;
- } else
- replace.num_counters = 0;
-
- entries = to_chain();
- entries->nentries = 0;
- u_e = entries->entries;
- while (u_e) {
- free_u_entry(u_e);
- tmp = u_e->next;
- free(u_e);
- u_e = tmp;
- }
- entries->entries = NULL;
- return 0;
-}
-
-/*
- * -1 == no match
- */
-static int check_rule_exists(int rule_nr)
-{
- struct ebt_u_entry *u_e;
- struct ebt_u_match_list *m_l, *m_l2;
- struct ebt_u_match *m;
- struct ebt_u_watcher_list *w_l, *w_l2;
- struct ebt_u_watcher *w;
- struct ebt_u_target *t = (struct ebt_u_target *)new_entry->t;
- struct ebt_u_entries *entries = to_chain();
- int i, j, k;
-
- /*
- * handle '-D chain rulenr' command
- */
- if (rule_nr != 0) {
- if (rule_nr > entries->nentries)
- return -1;
- /*
- * user starts counting from 1
- */
- return rule_nr - 1;
- }
- u_e = entries->entries;
- /*
- * check for an existing rule (if there are duplicate rules,
- * take the first occurance)
- */
- for (i = 0; i < entries->nentries; i++, u_e = u_e->next) {
- if (!u_e)
- print_bug("Hmm, trouble");
- if (u_e->ethproto != new_entry->ethproto)
- continue;
- if (strcmp(u_e->in, new_entry->in))
- continue;
- if (strcmp(u_e->out, new_entry->out))
- continue;
- if (strcmp(u_e->logical_in, new_entry->logical_in))
- continue;
- if (strcmp(u_e->logical_out, new_entry->logical_out))
- continue;
- if (new_entry->bitmask & EBT_SOURCEMAC &&
- memcmp(u_e->sourcemac, new_entry->sourcemac, ETH_ALEN))
- continue;
- if (new_entry->bitmask & EBT_DESTMAC &&
- memcmp(u_e->destmac, new_entry->destmac, ETH_ALEN))
- continue;
- if (new_entry->bitmask != u_e->bitmask ||
- new_entry->invflags != u_e->invflags)
- continue;
- /*
- * compare all matches
- */
- m_l = new_entry->m_list;
- j = 0;
- while (m_l) {
- m = (struct ebt_u_match *)(m_l->m);
- m_l2 = u_e->m_list;
- while (m_l2 && strcmp(m_l2->m->u.name, m->m->u.name))
- m_l2 = m_l2->next;
- if (!m_l2 || !m->compare(m->m, m_l2->m))
- goto letscontinue;
- j++;
- m_l = m_l->next;
- }
- /*
- * now be sure they have the same nr of matches
- */
- k = 0;
- m_l = u_e->m_list;
- while (m_l) {
- k++;
- m_l = m_l->next;
- }
- if (j != k)
- continue;
-
- /*
- * compare all watchers
- */
- w_l = new_entry->w_list;
- j = 0;
- while (w_l) {
- w = (struct ebt_u_watcher *)(w_l->w);
- w_l2 = u_e->w_list;
- while (w_l2 && strcmp(w_l2->w->u.name, w->w->u.name))
- w_l2 = w_l2->next;
- if (!w_l2 || !w->compare(w->w, w_l2->w))
- goto letscontinue;
- j++;
- w_l = w_l->next;
- }
- k = 0;
- w_l = u_e->w_list;
- while (w_l) {
- k++;
- w_l = w_l->next;
- }
- if (j != k)
- continue;
- if (strcmp(t->t->u.name, u_e->t->u.name))
- continue;
- if (!t->compare(t->t, u_e->t))
- continue;
- return i;
-letscontinue:
- }
- return -1;
-}
-
-/* execute command A or I */
-static void add_rule(int rule_nr)
-{
- int i, j;
- struct ebt_u_entry **u_e;
- unsigned short *cnt;
- struct ebt_u_match_list *m_l;
- struct ebt_u_watcher_list *w_l;
- struct ebt_u_entries *entries = to_chain(), *entries2;
-
- if (rule_nr <= 0)
- rule_nr += entries->nentries;
- else
- rule_nr--;
- if (rule_nr > entries->nentries || rule_nr < 0)
- print_error("The specified rule number is incorrect");
- /*
- * we're adding one rule
- */
- replace.num_counters = replace.nentries;
- replace.nentries++;
- entries->nentries++;
-
- /*
- * handle counter stuff
- * +1 for CNT_END
- */
- if ( !(replace.counterchanges = (unsigned short *)
- malloc((replace.nentries + 1) * sizeof(unsigned short))) )
- print_memory();
- cnt = replace.counterchanges;
- for (i = 0; i < replace.selected_hook; i++) {
- if (i < NF_BR_NUMHOOKS && !(replace.valid_hooks & (1 << i)))
- continue;
- entries2 = nr_to_chain(i);
- for (j = 0; j < entries2->nentries; j++) {
- *cnt = CNT_NORM;
- cnt++;
- }
- }
- for (i = 0; i < rule_nr; i++) {
- *cnt = CNT_NORM;
- cnt++;
- }
- *cnt = CNT_ADD;
- cnt++;
- while (cnt != replace.counterchanges + replace.nentries) {
- *cnt = CNT_NORM;
- cnt++;
- }
- *cnt = CNT_END;
-
- /*
- * go to the right position in the chain
- */
- u_e = &entries->entries;
- for (i = 0; i < rule_nr; i++)
- u_e = &(*u_e)->next;
- /*
- * insert the rule
- */
- new_entry->next = *u_e;
- *u_e = new_entry;
-
- /*
- * put the ebt_[match, watcher, target] pointers in place
- */
- m_l = new_entry->m_list;
- while (m_l) {
- m_l->m = ((struct ebt_u_match *)m_l->m)->m;
- m_l = m_l->next;
- }
- w_l = new_entry->w_list;
- while (w_l) {
- w_l->w = ((struct ebt_u_watcher *)w_l->w)->w;
- w_l = w_l->next;
- }
- new_entry->t = ((struct ebt_u_target *)new_entry->t)->t;
-
- /*
- * update the counter_offset of chains behind this one
- */
- i = replace.selected_hook;
- while (1) {
- i++;
- entries = nr_to_chain(i);
- if (!entries) {
- if (i < NF_BR_NUMHOOKS)
- continue;
- else
- break;
- } else
- entries->counter_offset++;
- }
-}
-
-/*
- * execute command D
- */
-static void delete_rule(int begin, int end)
-{
- int j, lentmp = 0, nr_deletes;
- unsigned short *cnt;
- struct ebt_u_entry **u_e, *u_e2;
- struct ebt_u_entries *entries = to_chain(), *entries2;
-
- if (begin < 0)
- begin += entries->nentries + 1;
- if (end < 0)
- end += entries->nentries + 1;
-
- if (begin < 0 || begin > end || end > entries->nentries)
- print_error("Sorry, wrong rule numbers");
-
- if ((begin = check_rule_exists(begin)) == -1 ||
- (end = check_rule_exists(end)) == -1)
- print_error("Sorry, rule does not exist");
-
- /*
- * we're deleting rules
- */
- replace.num_counters = replace.nentries;
- nr_deletes = end - begin + 1;
- replace.nentries -= nr_deletes;
- entries->nentries -= nr_deletes;
-
- if (replace.nentries) {
- for (j = 0; j < replace.selected_hook; j++) {
- if (j < NF_BR_NUMHOOKS &&
- !(replace.valid_hooks & (1 << j)))
- continue;
- entries2 = nr_to_chain(j);
- lentmp += entries2->nentries;
- }
- lentmp += begin;
- /*
- * +1 for CNT_END
- */
- if ( !(replace.counterchanges = (unsigned short *)malloc(
- (replace.num_counters + 1) * sizeof(unsigned short))) )
- print_memory();
- cnt = replace.counterchanges;
- for (j = 0; j < lentmp; j++, cnt++)
- *cnt = CNT_NORM;
- for (j = 0; j < nr_deletes; j++, cnt++)
- *cnt = CNT_DEL;
-
- for (j = 0; j < replace.num_counters - lentmp - nr_deletes;
- j++, cnt++)
- *cnt = CNT_NORM;
-
- *cnt = CNT_END;
- }
- else
- replace.num_counters = 0;
-
- /*
- * go to the right position in the chain
- */
- u_e = &entries->entries;
- for (j = 0; j < begin; j++)
- u_e = &(*u_e)->next;
- /*
- * remove the rules
- */
- j = nr_deletes;
- while(j--) {
- u_e2 = *u_e;
- *u_e = (*u_e)->next;
- /* free everything */
- free_u_entry(u_e2);
- free(u_e2);
- }
-
- /*
- * update the counter_offset of chains behind this one
- */
- j = replace.selected_hook;
- while (1) {
- j++;
- entries = nr_to_chain(j);
- if (!entries) {
- if (j < NF_BR_NUMHOOKS)
- continue;
- else
- break;
- } else
- entries->counter_offset -= nr_deletes;
- }
-}
-
-/*
- * execute command Z
- */
-static void zero_counters(int zerochain)
-{
-
- if (zerochain == -1) {
- /*
- * tell main() we don't update the counters
- * this results in tricking the kernel to zero its counters,
- * naively expecting userspace to update its counters. Muahahaha
- */
- replace.counterchanges = NULL;
- replace.num_counters = 0;
- } else {
- int i, j;
- unsigned short *cnt;
- struct ebt_u_entries *entries = nr_to_chain(zerochain), *e2;
-
- if (entries->nentries == 0)
- exit(0);
- replace.counterchanges = (unsigned short *)
- malloc((replace.nentries + 1) * sizeof(unsigned short));
- if (!replace.counterchanges)
- print_memory();
- cnt = replace.counterchanges;
- for (i = 0; i < zerochain; i++) {
- if (i < NF_BR_NUMHOOKS &&
- !(replace.valid_hooks & (1 << i)))
- continue;
- e2 = nr_to_chain(i);
- for (j = 0; j < e2->nentries; j++) {
- *cnt = CNT_NORM;
- cnt++;
- }
- }
- for (i = 0; i < entries->nentries; i++) {
- *cnt = CNT_ZERO;
- cnt++;
- }
- while (cnt != replace.counterchanges + replace.nentries) {
- *cnt = CNT_NORM;
- cnt++;
- }
- *cnt = CNT_END;
- }
-}
-
-/*
- * Checks the type for validity and calls getethertypebynumber()
- */
-struct ethertypeent *parseethertypebynumber(int type)
-{
- if (type < 1536)
- print_error("Ethernet protocols have values >= 0x0600");
- if (type > 0xffff)
- print_error("Ethernet protocols have values <= 0xffff");
- return getethertypebynumber(type);
-}
-
-/*
- * put the mac address into 6 (ETH_ALEN) bytes
- * returns 0 on success
- */
-int get_mac_and_mask(char *from, char *to, char *mask)
-{
- char *p;
- int i;
- struct ether_addr *addr;
-
- if (strcasecmp(from, "Unicast") == 0) {
- memcpy(to, mac_type_unicast, ETH_ALEN);
- memcpy(mask, msk_type_unicast, ETH_ALEN);
- return 0;
- }
- if (strcasecmp(from, "Multicast") == 0) {
- memcpy(to, mac_type_multicast, ETH_ALEN);
- memcpy(mask, msk_type_multicast, ETH_ALEN);
- return 0;
- }
- if (strcasecmp(from, "Broadcast") == 0) {
- memcpy(to, mac_type_broadcast, ETH_ALEN);
- memcpy(mask, msk_type_broadcast, ETH_ALEN);
- return 0;
- }
- if (strcasecmp(from, "BGA") == 0) {
- memcpy(to, mac_type_bridge_group, ETH_ALEN);
- memcpy(mask, msk_type_bridge_group, ETH_ALEN);
- return 0;
- }
- if ( (p = strrchr(from, '/')) != NULL) {
- *p = '\0';
- if (!(addr = ether_aton(p + 1)))
- return -1;
- memcpy(mask, addr, ETH_ALEN);
- } else
- memset(mask, 0xff, ETH_ALEN);
- if (!(addr = ether_aton(from)))
- return -1;
- memcpy(to, addr, ETH_ALEN);
- for (i = 0; i < ETH_ALEN; i++)
- to[i] &= mask[i];
- return 0;
-}
-
-/*
- * executes the final_check() function for all extensions used by the rule
- */
-static void do_final_checks(struct ebt_u_entry *e, struct ebt_u_entries *entries)
-{
- struct ebt_u_match_list *m_l;
- struct ebt_u_watcher_list *w_l;
- struct ebt_u_target *t;
- struct ebt_u_match *m;
- struct ebt_u_watcher *w;
-
- m_l = e->m_list;
- w_l = e->w_list;
- while (m_l) {
- m = find_match(m_l->m->u.name);
- m->final_check(e, m_l->m, replace.name,
- entries->hook_mask, 1);
- m_l = m_l->next;
- }
- while (w_l) {
- w = find_watcher(w_l->w->u.name);
- w->final_check(e, w_l->w, replace.name,
- entries->hook_mask, 1);
- w_l = w_l->next;
- }
- t = find_target(e->t->u.name);
- t->final_check(e, e->t, replace.name,
- entries->hook_mask, 1);
-}
-
-/*
- * used for the -X command
- * type = 0 => update chain jumps
- * type = 1 => check for reference
- */
-static int iterate_entries(int chain_nr, int silent, int type)
-{
- int i = -1, j;
- struct ebt_u_entries *entries;
- struct ebt_u_entry *e;
-
- while (1) {
- i++;
- entries = nr_to_chain(i);
- if (!entries) {
- if (i < NF_BR_NUMHOOKS)
- continue;
- else
- break;
- }
- e = entries->entries;
- j = 0;
- while (e) {
- int chain_jmp;
-
- j++;
- if (strcmp(e->t->u.name, EBT_STANDARD_TARGET)) {
- e = e->next;
- continue;
- }
- chain_jmp = ((struct ebt_standard_target *)e->t)->verdict;
- switch (type) {
- case 1:
- if (chain_jmp == chain_nr) {
- if (silent)
- return 1;
- print_error("Can't delete the chain, it's referenced "
- "in chain %s, rule %d", entries->name, j);
- }
- break;
- case 0:
- /* adjust the chain jumps when necessary */
- if (chain_jmp > chain_nr)
- ((struct ebt_standard_target *)e->t)->verdict--;
- break;
- } /* end switch */
- e = e->next;
- }
- }
- return 0;
-}
-
-static void decrease_chain_jumps(int chain_nr)
-{
- iterate_entries(chain_nr, 1, 0);
-}
-
-static int check_for_references(int chain_nr, int silent)
-{
- return iterate_entries(chain_nr, silent, 1);
-}
-
-static int *determine_referenced_chains(int *n)
-{
- int *nrs, i = 0, j = 0;
-
- *n = 0;
- while (nr_to_chain(i + NF_BR_NUMHOOKS)) {
- if (check_for_references(i, 1))
- (*n)++;
- i++;
- }
- if (*n == 0)
- return NULL;
- nrs = malloc(*n * sizeof(int));
- i = 0;
- while (nr_to_chain(i + NF_BR_NUMHOOKS)) {
- if (check_for_references(i, 1)) {
- nrs[j] = i;
- j++;
- }
- i++;
- }
- return nrs;
-}
-
-static void remove_udc(int udc_nr)
-{
- struct ebt_u_chain_list *cl, **cl2;
- struct ebt_u_entries *entries;
- struct ebt_u_entry *u_e, *tmp;
-
- /* first free the rules */
- entries = nr_to_chain(udc_nr + NF_BR_NUMHOOKS);
- u_e = entries->entries;
- while (u_e) {
- free_u_entry(u_e);
- tmp = u_e->next;
- free(u_e);
- u_e = tmp;
- }
-
- /* next, remove the chain */
- cl2 = &(replace.udc);
- while ((*cl2)->udc != entries)
- cl2 = &((*cl2)->next);
- cl = (*cl2);
- (*cl2) = (*cl2)->next;
- free(cl->udc);
- free(cl);
-}
-
-/* Removes all udc that aren't referenced at the time of execution */
-static void delete_all_user_chains()
-{
- struct ebt_u_chain_list *chain;
- int *ref, nr_ref, chain_nr = 0, counter_offset, i;
- struct ebt_u_entries *entries;
-
- /* initialize counterchanges */
- counters_nochange();
-
- ref = determine_referenced_chains(&nr_ref);
-
- chain = replace.udc;
- counter_offset = 0;
- /* skip the standard chains */
- for (i = 0; i < NF_BR_NUMHOOKS; i++)
- if ((entries = nr_to_chain(i)) != NULL)
- counter_offset += entries->nentries;
-
- /* first update chain jumps and counterchanges */
- while (chain) {
- int nentries;
-
- nentries = chain->udc->nentries;
- for (i = 0; i < nr_ref; i++)
- if (ref[i] == chain_nr)
- goto letscontinue;
- decrease_chain_jumps(chain_nr);
- for (i = counter_offset; i < counter_offset + nentries; i++)
- replace.counterchanges[i] = CNT_DEL;
- replace.nentries -= nentries;
-letscontinue:
- counter_offset += nentries;
- chain = chain->next;
- chain_nr++;
- }
- chain = replace.udc;
- chain_nr = -1;
- /* next, remove the chains, update the counter offset of
- * non-removed chains */
- counter_offset = 0;
- while (chain) {
- int real_cn = 0;
-
- chain_nr++;
- for (i = 0; i < nr_ref; i++)
- if (ref[i] == chain_nr)
- break;
- if (i != nr_ref) {
- real_cn++;
- chain->udc->counter_offset -= counter_offset;
- chain = chain->next;
- continue;
- }
- counter_offset += chain->udc->nentries;
- chain = chain->next;
- remove_udc(real_cn);
- }
-}
-
static int parse_delete_rule(const char *argv, int *rule_nr, int *rule_nr_end)
{
char *colon = strchr(argv, ':'), *buffer;
@@ -1699,47 +442,6 @@
return 0;
}
-static int invert = 0;
-int check_inverse(const char option[])
-{
- if (strcmp(option, "!") == 0) {
- if (invert == 1)
- print_error("double use of '!' not allowed");
- optind++;
- invert = 1;
- return 1;
- }
- return invert;
-}
-
-void check_option(unsigned int *flags, unsigned int mask)
-{
- if (*flags & mask)
- print_error("Multiple use of same option not allowed");
- *flags |= mask;
-}
-
-static void get_kernel_table()
-{
- if ( !(table = find_table(replace.name)) )
- print_error("Bad table name");
- /*
- * get the kernel's information
- */
- if (get_table(&replace)) {
- ebtables_insmod("ebtables");
- if (get_table(&replace))
- print_error("The kernel doesn't support the ebtables "
- "%s table", replace.name);
- }
- /*
- * when listing a table contained in a file, we don't demand that
- * the user knows the table's name
- */
- if ( !(table = find_table(replace.name)) )
- print_error("Bad table name");
-}
-
#define print_if_l_error print_error("Interface name length must be less " \
"than %d", IFNAMSIZ)
#define OPT_COMMAND 0x01
@@ -1774,13 +476,17 @@
opterr = 0;
+ ebt_iterate_matches(merge_match);
+ ebt_iterate_watchers(merge_watcher);
+ ebt_iterate_targets(merge_target);
+
replace.filename = getenv(ATOMIC_ENV_VARIABLE);
/*
* initialize the table name, OPT_ flags, selected hook and command
*/
strcpy(replace.name, "filter");
replace.flags = 0;
- replace.selected_hook = -1;
+ replace.selected_chain = -1;
replace.command = 'h';
replace.counterchanges = NULL;
@@ -1790,7 +496,8 @@
/*
* put some sane values in our new entry
*/
- initialize_entry(new_entry);
+ ebt_initialize_entry(new_entry);
+ new_entry->replace = &replace;
/*
* The scenario induced by this loop makes that:
@@ -1816,56 +523,22 @@
if (replace.flags & OPT_COMMAND)
print_error("Multiple commands not allowed");
replace.flags |= OPT_COMMAND;
- get_kernel_table();
+ ebt_get_kernel_table(&replace, table);
if (optarg && (optarg[0] == '-' ||
!strcmp(optarg, "!")))
print_error("No chain name specified");
if (c == 'N') {
- struct ebt_u_chain_list *cl, **cl2;
-
- if (get_hooknr(optarg) != -1)
- print_error("Chain %s already exists",
- optarg);
- if (find_target(optarg))
- print_error("Target with name %s exists"
- , optarg);
- if (strlen(optarg) >= EBT_CHAIN_MAXNAMELEN)
- print_error("Chain name length can't exceed %d",
- EBT_CHAIN_MAXNAMELEN - 1);
- cl = (struct ebt_u_chain_list *)
- malloc(sizeof(struct ebt_u_chain_list));
- if (!cl)
- print_memory();
- cl->next = NULL;
- cl->udc = (struct ebt_u_entries *)
- malloc(sizeof(struct ebt_u_entries));
- if (!cl->udc)
- print_memory();
- cl->udc->nentries = 0;
- cl->udc->policy = EBT_ACCEPT;
- cl->udc->counter_offset = replace.nentries;
- cl->udc->hook_mask = 0;
- strcpy(cl->udc->name, optarg);
- cl->udc->entries = NULL;
- cl->kernel_start = NULL;
- /*
- * put the new chain at the end
- */
- cl2 = &replace.udc;
- while (*cl2)
- cl2 = &((*cl2)->next);
- *cl2 = cl;
- counters_nochange();
+ ebt_new_chain(&replace, optarg, EBT_ACCEPT);
break;
}
if (c == 'X') {
char *opt;
- int udc_nr;
if (!optarg && (optind >= argc ||
(argv[optind][0] == '-'
&& strcmp(argv[optind], "!")))) {
- delete_all_user_chains();
+ replace.selected_chain = -1;
+ ebt_delete_chain(&replace);
break;
}
if (optarg)
@@ -1874,25 +547,15 @@
opt = argv[optind];
optind++;
}
- if ((replace.selected_hook = get_hooknr(opt)) == -1)
+ if ((replace.selected_chain =
+ ebt_get_chainnr(&replace, opt)) == -1)
print_error("Chain %s doesn't exist", optarg);
- if (replace.selected_hook < NF_BR_NUMHOOKS)
- print_error("You can't remove a standard chain");
- /*
- * if the chain is referenced, don't delete it,
- * also decrement jumps to a chain behind the
- * one we're deleting
- */
- udc_nr=replace.selected_hook-NF_BR_NUMHOOKS;
- check_for_references(udc_nr, 0);
- decrease_chain_jumps(udc_nr);
- if (flush_chains() == -1)
- counters_nochange();
- remove_udc(udc_nr);
+ ebt_delete_chain(&replace);
break;
}
- if ((replace.selected_hook = get_hooknr(optarg)) == -1)
+ if ((replace.selected_chain =
+ ebt_get_chainnr(&replace, optarg)) == -1)
print_error("Chain %s doesn't exist", optarg);
if (c == 'E') {
if (optind >= argc || argv[optind][0] == '-' ||
@@ -1901,15 +564,13 @@
if (strlen(argv[optind]) >= EBT_CHAIN_MAXNAMELEN)
print_error("Chain name len can't exceed %d",
EBT_CHAIN_MAXNAMELEN - 1);
- if (get_hooknr(argv[optind]) != -1)
+ if (ebt_get_chainnr(&replace, argv[optind]) != -1)
print_error("Chain %s already exists",
argv[optind]);
- if (find_target(argv[optind]))
+ if (ebt_find_target(argv[optind]))
print_error("Target with name %s exists"
, argv[optind]);
- entries = to_chain();
- strcpy(entries->name, argv[optind]);
- counters_nochange();
+ ebt_rename_chain(&replace, argv[optind]);
optind++;
break;
}
@@ -1940,7 +601,7 @@
policy = 0;
for (i = 0; i < NUM_STANDARD_TARGETS; i++)
if (!strcmp(argv[optind],
- standard_targets[i])) {
+ ebt_standard_targets[i])) {
policy = -i -1;
if (policy == EBT_CONTINUE)
policy = 0;
@@ -1971,14 +632,15 @@
" not allowed");
replace.flags |= OPT_COMMAND;
}
- get_kernel_table();
+ ebt_get_kernel_table(&replace, table);
i = -1;
if (optarg) {
- if ( (i = get_hooknr(optarg)) == -1 )
+ if ( (i = ebt_get_chainnr(&replace, optarg)) == -1 )
print_error("Bad chain");
} else
if (optind < argc && argv[optind][0] != '-') {
- if ((i = get_hooknr(argv[optind])) == -1)
+ if ((i = ebt_get_chainnr(&replace,
+ argv[optind])) == -1)
print_error("Bad chain");
optind++;
}
@@ -1986,7 +648,7 @@
if (c == 'Z')
zerochain = i;
else
- replace.selected_hook = i;
+ replace.selected_chain = i;
}
break;
@@ -2000,7 +662,7 @@
case 'M': /* modprobe */
if (replace.command != 'h')
print_error("Please put the -M option earlier");
- modprobe = optarg;
+ ebt_modprobe = optarg;
break;
case 'h': /* help */
@@ -2016,14 +678,14 @@
if (!strcasecmp("list_extensions",
argv[optind]))
- list_extensions();
+ ebt_list_extensions();
- if ((m = find_match(argv[optind])))
- add_match(m);
- else if ((w = find_watcher(argv[optind])))
- add_watcher(w);
+ if ((m = ebt_find_match(argv[optind])))
+ ebt_add_match(new_entry, m);
+ else if ((w = ebt_find_watcher(argv[optind])))
+ ebt_add_watcher(new_entry, w);
else {
- if (!(t = find_target(argv[optind])))
+ if (!(t = ebt_find_target(argv[optind])))
print_error("Extension %s "
"not found", argv[optind]);
if (replace.flags & OPT_JUMP)
@@ -2041,7 +703,7 @@
case 't': /* table */
if (replace.command != 'h')
print_error("Please put the -t option first");
- check_option(&replace.flags, OPT_TABLE);
+ ebt_check_option(&replace.flags, OPT_TABLE);
if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
print_error("Table name too long");
strcpy(replace.name, optarg);
@@ -2061,13 +723,13 @@
replace.command != 'D' && replace.command != 'I')
print_error("Command and option do not match");
if (c == 'i') {
- check_option(&replace.flags, OPT_IN);
- if (replace.selected_hook > 2 &&
- replace.selected_hook < NF_BR_BROUTING)
+ ebt_check_option(&replace.flags, OPT_IN);
+ if (replace.selected_chain > 2 &&
+ replace.selected_chain < NF_BR_BROUTING)
print_error("Use in-interface only in "
"INPUT, FORWARD, PREROUTING and"
"BROUTING chains");
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_IIN;
if (optind > argc)
@@ -2079,13 +741,13 @@
break;
}
if (c == 2) {
- check_option(&replace.flags, OPT_LOGICALIN);
- if (replace.selected_hook > 2 &&
- replace.selected_hook < NF_BR_BROUTING)
+ ebt_check_option(&replace.flags, OPT_LOGICALIN);
+ if (replace.selected_chain > 2 &&
+ replace.selected_chain < NF_BR_BROUTING)
print_error("Use logical in-interface "
"only in INPUT, FORWARD, "
"PREROUTING and BROUTING chains");
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_ILOGICALIN;
if (optind > argc)
@@ -2097,12 +759,12 @@
break;
}
if (c == 'o') {
- check_option(&replace.flags, OPT_OUT);
- if (replace.selected_hook < 2)
+ ebt_check_option(&replace.flags, OPT_OUT);
+ if (replace.selected_chain < 2)
print_error("Use out-interface only"
" in OUTPUT, FORWARD and "
"POSTROUTING chains");
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_IOUT;
if (optind > argc)
@@ -2115,12 +777,12 @@
break;
}
if (c == 3) {
- check_option(&replace.flags, OPT_LOGICALOUT);
- if (replace.selected_hook < 2)
+ ebt_check_option(&replace.flags, OPT_LOGICALOUT);
+ if (replace.selected_chain < 2)
print_error("Use logical out-interface "
"only in OUTPUT, FORWARD and "
"POSTROUTING chains");
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_ILOGICALOUT;
if (optind > argc)
@@ -2134,40 +796,38 @@
break;
}
if (c == 'j') {
- check_option(&replace.flags, OPT_JUMP);
+ ebt_check_option(&replace.flags, OPT_JUMP);
for (i = 0; i < NUM_STANDARD_TARGETS; i++)
if (!strcmp(optarg,
- standard_targets[i])) {
- t = find_target(
+ ebt_standard_targets[i])) {
+ t = ebt_find_target(
EBT_STANDARD_TARGET);
((struct ebt_standard_target *)
t->t)->verdict = -i - 1;
break;
}
if (-i - 1 == EBT_RETURN) {
- if (replace.selected_hook < NF_BR_NUMHOOKS)
+ if (replace.selected_chain < NF_BR_NUMHOOKS)
print_error("Return target"
" only for user defined chains");
}
if (i != NUM_STANDARD_TARGETS)
break;
- if ((i = get_hooknr(optarg)) != -1) {
- if (i < NF_BR_NUMHOOKS)
- print_error("don't jump"
- " to a standard chain");
- t = find_target(
- EBT_STANDARD_TARGET);
- ((struct ebt_standard_target *)
- t->t)->verdict = i - NF_BR_NUMHOOKS;
- break;
- }
- else {
+ if ((i = ebt_get_chainnr(&replace, optarg)) != -1) {
+ if (i < NF_BR_NUMHOOKS)
+ print_error("don't jump"
+ " to a standard chain");
+ t = ebt_find_target(EBT_STANDARD_TARGET);
+ ((struct ebt_standard_target *)
+ t->t)->verdict = i - NF_BR_NUMHOOKS;
+ break;
+ } else {
/*
* must be an extension then
*/
struct ebt_u_target *t;
- t = find_target(optarg);
+ t = ebt_find_target(optarg);
/*
* -j standard not allowed either
*/
@@ -2181,14 +841,14 @@
break;
}
if (c == 's') {
- check_option(&replace.flags, OPT_SOURCE);
- if (check_inverse(optarg))
+ ebt_check_option(&replace.flags, OPT_SOURCE);
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_ISOURCE;
if (optind > argc)
print_error("No source mac "
"specified");
- if (get_mac_and_mask(argv[optind - 1],
+ if (ebt_get_mac_and_mask(argv[optind - 1],
new_entry->sourcemac, new_entry->sourcemsk))
print_error("Problem with specified "
"source mac");
@@ -2196,22 +856,22 @@
break;
}
if (c == 'd') {
- check_option(&replace.flags, OPT_DEST);
- if (check_inverse(optarg))
+ ebt_check_option(&replace.flags, OPT_DEST);
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_IDEST;
if (optind > argc)
print_error("No destination mac "
"specified");
- if (get_mac_and_mask(argv[optind - 1],
+ if (ebt_get_mac_and_mask(argv[optind - 1],
new_entry->destmac, new_entry->destmsk))
print_error("Problem with specified "
"destination mac");
new_entry->bitmask |= EBT_DESTMAC;
break;
}
- check_option(&replace.flags, OPT_PROTOCOL);
- if (check_inverse(optarg))
+ ebt_check_option(&replace.flags, OPT_PROTOCOL);
+ if (ebt_check_inverse(optarg))
new_entry->invflags |= EBT_IPROTO;
if (optind > argc)
@@ -2242,7 +902,7 @@
break;
case 4 : /* Lc */
- check_option(&replace.flags, LIST_C);
+ ebt_check_option(&replace.flags, LIST_C);
if (replace.command != 'L')
print_error("Use --Lc with -L");
if (replace.flags & LIST_X)
@@ -2250,7 +910,7 @@
replace.flags |= LIST_C;
break;
case 5 : /* Ln */
- check_option(&replace.flags, LIST_N);
+ ebt_check_option(&replace.flags, LIST_N);
if (replace.command != 'L')
print_error("Use --Ln with -L");
if (replace.flags & LIST_X)
@@ -2258,7 +918,7 @@
replace.flags |= LIST_N;
break;
case 6 : /* Lx */
- check_option(&replace.flags, LIST_X);
+ ebt_check_option(&replace.flags, LIST_X);
if (replace.command != 'L')
print_error("Use --Lx with -L");
if (replace.flags & LIST_C)
@@ -2268,7 +928,7 @@
replace.flags |= LIST_X;
break;
case 12 : /* Lmac2 */
- check_option(&replace.flags, LIST_MAC2);
+ ebt_check_option(&replace.flags, LIST_MAC2);
if (replace.command != 'L')
print_error("Use --Lmac2 with -L");
replace.flags |= LIST_MAC2;
@@ -2283,14 +943,7 @@
/*
* get the information from the file
*/
- get_table(&replace);
- if (replace.nentries) {
- replace.counterchanges = (unsigned short *)
- malloc(sizeof(unsigned short) * (replace.nentries + 1));
- for (i = 0; i < replace.nentries; i++)
- replace.counterchanges[i] = CNT_NORM;
- replace.counterchanges[i] = CNT_END;
- }
+ ebt_get_table(&replace);
/*
* we don't want the kernel giving us its counters, they would
* overwrite the counters extracted from the file
@@ -2317,16 +970,9 @@
tmp = replace.filename;
/* get the kernel table */
replace.filename = NULL;
- get_kernel_table();
+ ebt_get_kernel_table(&replace, table);
replace.filename = tmp;
}
- if (replace.nentries) {
- replace.counterchanges = (unsigned short *)
- malloc(sizeof(unsigned short) * (replace.nentries + 1));
- for (i = 0; i < replace.nentries; i++)
- replace.counterchanges[i] = CNT_NORM;
- replace.counterchanges[i] = CNT_END;
- }
break;
case 9 : /* atomic */
if (replace.flags & OPT_COMMAND)
@@ -2338,11 +984,11 @@
break;
case 1 :
if (!strcmp(optarg, "!"))
- check_inverse(optarg);
+ ebt_check_inverse(optarg);
else
print_error("Bad argument : %s", optarg);
/*
- * check_inverse() did optind++
+ * ebt_check_inverse() did optind++
*/
optind--;
continue;
@@ -2358,38 +1004,42 @@
/*
* is it a match_option?
*/
- for (m = matches; m; m = m->next)
+ for (m = ebt_matches; m; m = m->next)
if (m->parse(c - m->option_offset, argv,
argc, new_entry, &m->flags, &m->m))
break;
if (m != NULL) {
- if (m->used == 0)
- add_match(m);
+ if (m->used == 0) {
+ ebt_add_match(new_entry, m);
+ m->used = 1;
+ }
goto check_extension;
}
/*
* is it a watcher option?
*/
- for (w = watchers; w; w = w->next)
+ for (w = ebt_watchers; w; w = w->next)
if (w->parse(c-w->option_offset, argv,
argc, new_entry, &w->flags, &w->w))
break;
if (w == NULL)
print_error("Unknown argument");
- if (w->used == 0)
- add_watcher(w);
+ if (w->used == 0) {
+ ebt_add_watcher(new_entry, w);
+ w->used = 1;
+ }
check_extension:
if (replace.command != 'A' && replace.command != 'I' &&
replace.command != 'D')
print_error("Extensions only for -A, -I and -D");
}
- invert = 0;
+ ebt_invert = 0;
}
- if ( !table && !(table = find_table(replace.name)) )
+ if ( !table && !(table = ebt_find_table(replace.name)) )
print_error("Bad table name");
if ( (replace.flags & OPT_COMMAND) && replace.command != 'L' &&
@@ -2410,8 +1060,8 @@
/*
* this will put the hook_mask right for the chains
*/
- check_for_loops();
- entries = to_chain();
+ ebt_check_for_loops(&replace);
+ entries = ebt_to_chain(&replace);
m_l = new_entry->m_list;
w_l = new_entry->w_list;
t = (struct ebt_u_target *)new_entry->t;
@@ -2432,31 +1082,32 @@
}
/*
* so, the extensions can work with the host endian
- * the kernel does not have to do this ofcourse
+ * the kernel does not have to do this of course
*/
new_entry->ethproto = htons(new_entry->ethproto);
if (replace.command == 'P') {
- if (replace.selected_hook < NF_BR_NUMHOOKS &&
+ if (replace.selected_chain < NF_BR_NUMHOOKS &&
policy == EBT_RETURN)
print_error("Policy RETURN only allowed for user "
"defined chains");
- change_policy(policy);
+ ebt_change_policy(&replace, policy);
} else if (replace.command == 'L') {
list_rules();
- if (replace.flags & OPT_ZERO)
- zero_counters(zerochain);
- else
+ if (replace.flags & OPT_ZERO) {
+ replace.selected_chain = zerochain;
+ ebt_zero_counters(&replace);
+ } else
exit(0);
}
- if (replace.flags & OPT_ZERO)
- zero_counters(zerochain);
- else if (replace.command == 'F') {
- if (flush_chains() == -1)
- exit(0);
- } else if (replace.command == 'A' || replace.command == 'I') {
- add_rule(rule_nr);
- check_for_loops();
+ if (replace.flags & OPT_ZERO) {
+ replace.selected_chain = zerochain;
+ ebt_zero_counters(&replace);
+ } else if (replace.command == 'F')
+ ebt_flush_chains(&replace);
+ else if (replace.command == 'A' || replace.command == 'I') {
+ ebt_add_rule(&replace, new_entry, rule_nr);
+ ebt_check_for_loops(&replace);
/*
* do the final_check(), for all entries
* needed when adding a rule that has a chain target
@@ -2466,7 +1117,7 @@
struct ebt_u_entry *e;
i++;
- entries = nr_to_chain(i);
+ entries = ebt_nr_to_chain(&replace, i);
if (!entries) {
if (i < NF_BR_NUMHOOKS)
continue;
@@ -2479,13 +1130,13 @@
* userspace extensions use host endian
*/
e->ethproto = ntohs(e->ethproto);
- do_final_checks(e, entries);
+ ebt_do_final_checks(&replace, e, entries);
e->ethproto = htons(e->ethproto);
e = e->next;
}
}
} else if (replace.command == 'D')
- delete_rule(rule_nr, rule_nr_end);
+ ebt_delete_rule(&replace, new_entry, rule_nr, rule_nr_end);
/*
* commands -N, -E, -X, --atomic-commit, --atomic-commit, --atomic-save,
* --init-table fall through
@@ -2494,9 +1145,9 @@
if (table->check)
table->check(&replace);
- deliver_table(&replace);
+ ebt_deliver_table(&replace);
if (replace.counterchanges)
- deliver_counters(&replace);
+ ebt_deliver_counters(&replace);
return 0;
}
diff --git a/extensions/ebt_802_3.c b/extensions/ebt_802_3.c
index 52b05aa..f76b20a 100644
--- a/extensions/ebt_802_3.c
+++ b/extensions/ebt_802_3.c
@@ -43,8 +43,8 @@
switch (c) {
case _802_3_SAP:
- check_option(flags, _802_3_SAP);
- if (check_inverse(optarg))
+ ebt_check_option(flags, _802_3_SAP);
+ if (ebt_check_inverse(optarg))
info->invflags |= EBT_802_3_SAP;
if (optind > argc)
@@ -57,8 +57,8 @@
info->bitmask |= EBT_802_3_SAP;
break;
case _802_3_TYPE:
- check_option(flags, _802_3_TYPE);
- if (check_inverse(optarg))
+ ebt_check_option(flags, _802_3_TYPE);
+ if (ebt_check_inverse(optarg))
info->invflags |= EBT_802_3_TYPE;
if (optind > argc)
print_error("Missing 802.3-type argument");
@@ -141,5 +141,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_match(&_802_3_match);
+ ebt_register_match(&_802_3_match);
}
diff --git a/extensions/ebt_among.c b/extensions/ebt_among.c
index b865ca2..9427038 100644
--- a/extensions/ebt_among.c
+++ b/extensions/ebt_among.c
@@ -41,8 +41,8 @@
{
printf(
"`among' options:\n"
-"--among-dst [!] list : matches if ether dst is in list\n"
-"--among-src [!] list : matches if ether src is in list\n"
+"--among-dst [!] list : matches if ether dst is in list\n"
+"--among-src [!] list : matches if ether src is in list\n"
"list has form:\n"
" xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]"
",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]\n"
@@ -295,7 +295,7 @@
switch (c) {
case AMONG_DST:
case AMONG_SRC:
- if (check_inverse(optarg)) {
+ if (ebt_check_inverse(optarg)) {
if (c == AMONG_DST)
info->bitmask |= EBT_AMONG_DST_NEG;
else
@@ -314,11 +314,11 @@
h->match_size = new_size - sizeof(struct ebt_entry_match);
info = (struct ebt_among_info *) h->data;
if (c == AMONG_DST) {
- check_option(flags, OPT_DST);
+ ebt_check_option(flags, OPT_DST);
info->wh_dst_ofs =
old_size - sizeof(struct ebt_entry_match);
} else {
- check_option(flags, OPT_SRC);
+ ebt_check_option(flags, OPT_SRC);
info->wh_src_ofs =
old_size - sizeof(struct ebt_entry_match);
}
@@ -364,7 +364,7 @@
const struct ebt_mac_wormhash_tuple *p;
p = (const struct ebt_mac_wormhash_tuple *)(&wh->pool[i]);
- print_mac(((const char *) &p->cmp[0]) + 2);
+ ebt_print_mac(((const char *) &p->cmp[0]) + 2);
if (p->ip) {
ip = (unsigned char *) &p->ip;
printf("=%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
@@ -439,5 +439,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_match(&among_match);
+ ebt_register_match(&among_match);
}
diff --git a/extensions/ebt_arp.c b/extensions/ebt_arp.c
index 7b00b78..a60d6a7 100644
--- a/extensions/ebt_arp.c
+++ b/extensions/ebt_arp.c
@@ -71,11 +71,6 @@
arpinfo->bitmask = 0;
}
-/* defined in ebt_ip.c */
-void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk);
-
-/* defined in ebtables.c */
-int get_mac_and_mask(char *from, char *to, char *mask);
#define OPT_OPCODE 0x01
#define OPT_HTYPE 0x02
@@ -97,8 +92,8 @@
switch (c) {
case ARP_OPCODE:
- check_option(flags, OPT_OPCODE);
- if (check_inverse(optarg))
+ ebt_check_option(flags, OPT_OPCODE);
+ if (ebt_check_inverse(optarg))
arpinfo->invflags |= EBT_ARP_OPCODE;
if (optind > argc)
@@ -118,8 +113,8 @@
break;
case ARP_HTYPE:
- check_option(flags, OPT_HTYPE);
- if (check_inverse(optarg))
+ ebt_check_option(flags, OPT_HTYPE);
+ if (ebt_check_inverse(optarg))
arpinfo->invflags |= EBT_ARP_HTYPE;
if (optind > argc)
@@ -140,8 +135,8 @@
{
uint16_t proto;
- check_option(flags, OPT_PTYPE);
- if (check_inverse(optarg))
+ ebt_check_option(flags, OPT_PTYPE);
+ if (ebt_check_inverse(optarg))
arpinfo->invflags |= EBT_ARP_PTYPE;
if (optind > argc)
@@ -166,17 +161,17 @@
case ARP_IP_S:
case ARP_IP_D:
if (c == ARP_IP_S) {
- check_option(flags, OPT_IP_S);
+ ebt_check_option(flags, OPT_IP_S);
addr = &arpinfo->saddr;
mask = &arpinfo->smsk;
arpinfo->bitmask |= EBT_ARP_SRC_IP;
} else {
- check_option(flags, OPT_IP_D);
+ ebt_check_option(flags, OPT_IP_D);
addr = &arpinfo->daddr;
mask = &arpinfo->dmsk;
arpinfo->bitmask |= EBT_ARP_DST_IP;
}
- if (check_inverse(optarg)) {
+ if (ebt_check_inverse(optarg)) {
if (c == ARP_IP_S)
arpinfo->invflags |= EBT_ARP_SRC_IP;
else
@@ -184,23 +179,23 @@
}
if (optind > argc)
print_error("Missing ARP IP address argument");
- parse_ip_address(argv[optind - 1], addr, mask);
+ ebt_parse_ip_address(argv[optind - 1], addr, mask);
break;
case ARP_MAC_S:
case ARP_MAC_D:
if (c == ARP_MAC_S) {
- check_option(flags, OPT_MAC_S);
+ ebt_check_option(flags, OPT_MAC_S);
maddr = arpinfo->smaddr;
mmask = arpinfo->smmsk;
arpinfo->bitmask |= EBT_ARP_SRC_MAC;
} else {
- check_option(flags, OPT_MAC_D);
+ ebt_check_option(flags, OPT_MAC_D);
maddr = arpinfo->dmaddr;
mmask = arpinfo->dmmsk;
arpinfo->bitmask |= EBT_ARP_DST_MAC;
}
- if (check_inverse(optarg)) {
+ if (ebt_check_inverse(optarg)) {
if (c == ARP_MAC_S)
arpinfo->invflags |= EBT_ARP_SRC_MAC;
else
@@ -208,7 +203,7 @@
}
if (optind > argc)
print_error("Missing ARP MAC address argument");
- if (get_mac_and_mask(argv[optind - 1], maddr, mmask))
+ if (ebt_get_mac_and_mask(argv[optind - 1], maddr, mmask))
print_error("Problem with ARP MAC address argument");
break;
@@ -228,9 +223,6 @@
"specified as ARP or RARP");
}
-/* defined in the ebt_ip.c */
-char *mask_to_dotted(uint32_t mask);
-
static void print(const struct ebt_u_entry *entry,
const struct ebt_entry_match *match)
{
@@ -272,7 +264,7 @@
for (i = 0; i < 4; i++)
printf("%d%s", ((unsigned char *)&arpinfo->saddr)[i],
(i == 3) ? "" : ".");
- printf("%s ", mask_to_dotted(arpinfo->smsk));
+ printf("%s ", ebt_mask_to_dotted(arpinfo->smsk));
}
if (arpinfo->bitmask & EBT_ARP_DST_IP) {
printf("--arp-ip-dst ");
@@ -281,20 +273,20 @@
for (i = 0; i < 4; i++)
printf("%d%s", ((unsigned char *)&arpinfo->daddr)[i],
(i == 3) ? "" : ".");
- printf("%s ", mask_to_dotted(arpinfo->dmsk));
+ printf("%s ", ebt_mask_to_dotted(arpinfo->dmsk));
}
if (arpinfo->bitmask & EBT_ARP_SRC_MAC) {
printf("--arp-mac-src ");
if (arpinfo->invflags & EBT_ARP_SRC_MAC)
printf("! ");
- print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
+ ebt_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
printf(" ");
}
if (arpinfo->bitmask & EBT_ARP_DST_MAC) {
printf("--arp-mac-dst ");
if (arpinfo->invflags & EBT_ARP_DST_MAC)
printf("! ");
- print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
+ ebt_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
printf(" ");
}
}
@@ -364,5 +356,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_match(&arp_match);
+ ebt_register_match(&arp_match);
}
diff --git a/extensions/ebt_arpreply.c b/extensions/ebt_arpreply.c
index 7e5f113..d524253 100644
--- a/extensions/ebt_arpreply.c
+++ b/extensions/ebt_arpreply.c
@@ -48,7 +48,7 @@
switch (c) {
case REPLY_MAC:
- check_option(flags, OPT_REPLY_MAC);
+ ebt_check_option(flags, OPT_REPLY_MAC);
if (!(addr = ether_aton(optarg)))
print_error("Problem with specified "
"--arpreply-mac mac");
@@ -56,7 +56,7 @@
mac_supplied = 1;
break;
case REPLY_TARGET:
- check_option(flags, OPT_REPLY_TARGET);
+ ebt_check_option(flags, OPT_REPLY_TARGET);
if (FILL_TARGET(optarg, replyinfo->target))
print_error("Illegal --arpreply-target target");
break;
@@ -94,7 +94,7 @@
(struct ebt_arpreply_info *)target->data;
printf("--arpreply-mac ");
- print_mac(replyinfo->mac);
+ ebt_print_mac(replyinfo->mac);
if (replyinfo->target == EBT_DROP)
return;
printf(" --arpreply-target %s", TARGET_NAME(replyinfo->target));
@@ -128,5 +128,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_target(&arpreply_target);
+ ebt_register_target(&arpreply_target);
}
diff --git a/extensions/ebt_ip.c b/extensions/ebt_ip.c
index b836bae..f93b8b9 100644
--- a/extensions/ebt_ip.c
+++ b/extensions/ebt_ip.c
@@ -57,111 +57,7 @@
{ 0 }
};
-/* put the ip string into 4 bytes */
-static int undot_ip(char *ip, unsigned char *ip2)
-{
- char *p, *q, *end;
- long int onebyte;
- int i;
- char buf[20];
-
- strncpy(buf, ip, sizeof(buf) - 1);
-
- p = buf;
- for (i = 0; i < 3; i++) {
- if ((q = strchr(p, '.')) == NULL)
- return -1;
- *q = '\0';
- onebyte = strtol(p, &end, 10);
- if (*end != '\0' || onebyte > 255 || onebyte < 0)
- return -1;
- ip2[i] = (unsigned char)onebyte;
- p = q + 1;
- }
-
- onebyte = strtol(p, &end, 10);
- if (*end != '\0' || onebyte > 255 || onebyte < 0)
- return -1;
- ip2[3] = (unsigned char)onebyte;
-
- return 0;
-}
-
/* put the mask into 4 bytes */
-static int ip_mask(char *mask, unsigned char *mask2)
-{
- char *end;
- long int bits;
- uint32_t mask22;
-
- if (undot_ip(mask, mask2)) {
- /* not the /a.b.c.e format, maybe the /x format */
- bits = strtol(mask, &end, 10);
- if (*end != '\0' || bits > 32 || bits < 0)
- return -1;
- if (bits != 0) {
- mask22 = htonl(0xFFFFFFFF << (32 - bits));
- memcpy(mask2, &mask22, 4);
- } else {
- mask22 = 0xFFFFFFFF;
- memcpy(mask2, &mask22, 4);
- }
- }
- return 0;
-}
-
-/* set the ip mask and ip address */
-void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
-{
- char *p;
-
- /* first the mask */
- if ((p = strrchr(address, '/')) != NULL) {
- *p = '\0';
- if (ip_mask(p + 1, (unsigned char *)msk))
- print_error("Problem with the IP mask");
- }
- else
- *msk = 0xFFFFFFFF;
-
- if (undot_ip(address, (unsigned char *)addr))
- print_error("Problem with the IP address");
- *addr = *addr & *msk;
-}
-
-/* transform the ip mask into a string ready for output */
-char *mask_to_dotted(uint32_t mask)
-{
- int i;
- static char buf[20];
- uint32_t maskaddr, bits;
-
- maskaddr = ntohl(mask);
-
- /* don't print /32 */
- if (mask == 0xFFFFFFFFL) {
- *buf = '\0';
- return buf;
- }
-
- i = 32;
- bits = 0xFFFFFFFEL; /* case 0xFFFFFFFF has just been dealt with */
- while (--i >= 0 && maskaddr != bits)
- bits <<= 1;
-
- if (i > 0)
- sprintf(buf, "/%d", i);
- else if (!i)
- *buf = '\0';
- else
- /* mask was not a decent combination of 1's and 0's */
- sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0],
- ((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2],
- ((unsigned char *)&mask)[3]);
-
- return buf;
-}
-
/* transform a protocol and service name into a port number */
static uint16_t parse_port(const char *protocol, const char *name)
{
@@ -247,15 +143,15 @@
switch (c) {
case IP_SOURCE:
- check_option(flags, OPT_SOURCE);
+ ebt_check_option(flags, OPT_SOURCE);
ipinfo->bitmask |= EBT_IP_SOURCE;
case IP_DEST:
if (c == IP_DEST) {
- check_option(flags, OPT_DEST);
+ ebt_check_option(flags, OPT_DEST);
ipinfo->bitmask |= EBT_IP_DEST;
}
- if (check_inverse(optarg)) {
+ if (ebt_check_inverse(optarg)) {
if (c == IP_SOURCE)
ipinfo->invflags |= EBT_IP_SOURCE;
else
@@ -265,24 +161,24 @@
if (optind > argc)
print_error("Missing IP address argument");
if (c == IP_SOURCE)
- parse_ip_address(argv[optind - 1], &ipinfo->saddr,
+ ebt_parse_ip_address(argv[optind - 1], &ipinfo->saddr,
&ipinfo->smsk);
else
- parse_ip_address(argv[optind - 1], &ipinfo->daddr,
+ ebt_parse_ip_address(argv[optind - 1], &ipinfo->daddr,
&ipinfo->dmsk);
break;
case IP_SPORT:
case IP_DPORT:
if (c == IP_SPORT) {
- check_option(flags, OPT_SPORT);
+ ebt_check_option(flags, OPT_SPORT);
ipinfo->bitmask |= EBT_IP_SPORT;
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
ipinfo->invflags |= EBT_IP_SPORT;
} else {
- check_option(flags, OPT_DPORT);
+ ebt_check_option(flags, OPT_DPORT);
ipinfo->bitmask |= EBT_IP_DPORT;
- if (check_inverse(optarg))
+ if (ebt_check_inverse(optarg))
ipinfo->invflags |= EBT_IP_DPORT;
}
if (optind > argc)
@@ -294,8 +190,8 @@
break;
case IP_myTOS:
- check_option(flags, OPT_TOS);
- if (check_inverse(optarg))
+ ebt_check_option(flags, OPT_TOS);
+ if (ebt_check_inverse(optarg))
ipinfo->invflags |= EBT_IP_TOS;
if (optind > argc)
@@ -308,8 +204,8 @@
break;
case IP_PROTO:
- check_option(flags, OPT_PROTO);
- if (check_inverse(optarg))
+ ebt_check_option(flags, OPT_PROTO);
+ if (ebt_check_inverse(optarg))
ipinfo->invflags |= EBT_IP_PROTO;
if (optind > argc)
print_error("Missing IP protocol argument");
@@ -366,7 +262,7 @@
for (j = 0; j < 4; j++)
printf("%d%s",((unsigned char *)&ipinfo->saddr)[j],
(j == 3) ? "" : ".");
- printf("%s ", mask_to_dotted(ipinfo->smsk));
+ printf("%s ", ebt_mask_to_dotted(ipinfo->smsk));
}
if (ipinfo->bitmask & EBT_IP_DEST) {
printf("--ip-dst ");
@@ -375,7 +271,7 @@
for (j = 0; j < 4; j++)
printf("%d%s", ((unsigned char *)&ipinfo->daddr)[j],
(j == 3) ? "" : ".");
- printf("%s ", mask_to_dotted(ipinfo->dmsk));
+ printf("%s ", ebt_mask_to_dotted(ipinfo->dmsk));
}
if (ipinfo->bitmask & EBT_IP_TOS) {
printf("--ip-tos ");
@@ -471,5 +367,5 @@
static void _init(void) __attribute((constructor));
static void _init(void)
{
- register_match(&ip_match);
+ ebt_register_match(&ip_match);
}
diff --git a/extensions/ebt_limit.c b/extensions/ebt_limit.c
index bf322b8..490686d 100644
--- a/extensions/ebt_limit.c
+++ b/extensions/ebt_limit.c
@@ -120,16 +120,16 @@
switch(c) {
case ARG_LIMIT:
- check_option(flags, FLAG_LIMIT);
- if (check_inverse(optarg))
+ ebt_check_option(flags, FLAG_LIMIT);
+ if (ebt_check_inverse(optarg))
print_error("Unexpected `!' after --limit");
if (!parse_rate(optarg, &r->avg))
print_error("bad rate `%s'", optarg);
break;
case ARG_LIMIT_BURST:
- check_option(flags, FLAG_LIMIT_BURST);
- if (check_inverse(optarg))
+ ebt_check_option(flags, FLAG_LIMIT_BURST);
+ if (ebt_check_inverse(optarg))
print_error("Unexpected `!' after --limit-burst");
if (string_to_number(optarg, 0, 10000, &num) == -1)
@@ -217,5 +217,5 @@
static void _init(void) __attribute((constructor));
static void _init(void)
{
- register_match(&limit_match);
+ ebt_register_match(&limit_match);
}
diff --git a/extensions/ebt_log.c b/extensions/ebt_log.c
index 2892348..953211e 100644
--- a/extensions/ebt_log.c
+++ b/extensions/ebt_log.c
@@ -103,14 +103,14 @@
switch (c) {
case LOG_PREFIX:
- check_option(flags, OPT_PREFIX);
+ ebt_check_option(flags, OPT_PREFIX);
if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
print_error("Prefix too long");
strcpy(loginfo->prefix, optarg);
break;
case LOG_LEVEL:
- check_option(flags, OPT_LEVEL);
+ ebt_check_option(flags, OPT_LEVEL);
i = strtol(optarg, &end, 16);
if (*end != '\0' || i < 0 || i > 7)
loginfo->loglevel = name_to_loglevel(optarg);
@@ -121,17 +121,17 @@
break;
case LOG_IP:
- check_option(flags, OPT_IP);
+ ebt_check_option(flags, OPT_IP);
loginfo->bitmask |= EBT_LOG_IP;
break;
case LOG_ARP:
- check_option(flags, OPT_ARP);
+ ebt_check_option(flags, OPT_ARP);
loginfo->bitmask |= EBT_LOG_ARP;
break;
case LOG_LOG:
- check_option(flags, OPT_LOG);
+ ebt_check_option(flags, OPT_LOG);
break;
default:
return 0;
@@ -190,5 +190,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_watcher(&log_watcher);
+ ebt_register_watcher(&log_watcher);
}
diff --git a/extensions/ebt_mark.c b/extensions/ebt_mark.c
index 6fa26f8..c40b9fd 100644
--- a/extensions/ebt_mark.c
+++ b/extensions/ebt_mark.c
@@ -46,12 +46,12 @@
switch (c) {
case MARK_TARGET:
- check_option(flags, OPT_MARK_TARGET);
+ ebt_check_option(flags, OPT_MARK_TARGET);
if (FILL_TARGET(optarg, markinfo->target))
print_error("Illegal --mark-target target");
break;
case MARK_SETMARK:
- check_option(flags, OPT_MARK_SETMARK);
+ ebt_check_option(flags, OPT_MARK_SETMARK);
markinfo->mark = strtoul(optarg, &end, 0);
if (*end != '\0' || end == optarg)
print_error("Bad MARK value '%s'", optarg);
@@ -116,5 +116,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_target(&mark_target);
+ ebt_register_target(&mark_target);
}
diff --git a/extensions/ebt_mark_m.c b/extensions/ebt_mark_m.c
index 0d14d76..1c18d9e 100644
--- a/extensions/ebt_mark_m.c
+++ b/extensions/ebt_mark_m.c
@@ -40,8 +40,8 @@
switch (c) {
case MARK:
- check_option(flags, MARK);
- if (check_inverse(optarg))
+ ebt_check_option(flags, MARK);
+ if (ebt_check_inverse(optarg))
markinfo->invert = 1;
if (optind > argc)
print_error("No mark specified");
@@ -118,5 +118,5 @@
static void _init(void) __attribute((constructor));
static void _init(void)
{
- register_match(&mark_match);
+ ebt_register_match(&mark_match);
}
diff --git a/extensions/ebt_nat.c b/extensions/ebt_nat.c
index 04c6f0f..16e1842 100644
--- a/extensions/ebt_nat.c
+++ b/extensions/ebt_nat.c
@@ -73,14 +73,14 @@
switch (c) {
case NAT_S:
- check_option(flags, OPT_SNAT);
+ ebt_check_option(flags, OPT_SNAT);
to_source_supplied = 1;
if (!(addr = ether_aton(optarg)))
print_error("Problem with specified --to-source mac");
memcpy(natinfo->mac, addr, ETH_ALEN);
break;
case NAT_S_TARGET:
- check_option(flags, OPT_SNAT_TARGET);
+ ebt_check_option(flags, OPT_SNAT_TARGET);
if (FILL_TARGET(optarg, natinfo->target))
print_error("Illegal --snat-target target");
break;
@@ -101,7 +101,7 @@
switch (c) {
case NAT_D:
- check_option(flags, OPT_DNAT);
+ ebt_check_option(flags, OPT_DNAT);
to_dest_supplied = 1;
if (!(addr = ether_aton(optarg)))
print_error("Problem with specified "
@@ -109,7 +109,7 @@
memcpy(natinfo->mac, addr, ETH_ALEN);
break;
case NAT_D_TARGET:
- check_option(flags, OPT_DNAT_TARGET);
+ ebt_check_option(flags, OPT_DNAT_TARGET);
if (FILL_TARGET(optarg, natinfo->target))
print_error("Illegal --dnat-target target");
break;
@@ -157,7 +157,7 @@
struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
printf("--to-src ");
- print_mac(natinfo->mac);
+ ebt_print_mac(natinfo->mac);
printf(" --snat-target %s", TARGET_NAME(natinfo->target));
}
@@ -167,7 +167,7 @@
struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
printf("--to-dst ");
- print_mac(natinfo->mac);
+ ebt_print_mac(natinfo->mac);
printf(" --dnat-target %s", TARGET_NAME(natinfo->target));
}
@@ -210,6 +210,6 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_target(&snat_target);
- register_target(&dnat_target);
+ ebt_register_target(&snat_target);
+ ebt_register_target(&dnat_target);
}
diff --git a/extensions/ebt_pkttype.c b/extensions/ebt_pkttype.c
index 73f6e62..35bac29 100644
--- a/extensions/ebt_pkttype.c
+++ b/extensions/ebt_pkttype.c
@@ -57,8 +57,8 @@
switch (c) {
case '1':
- check_option(flags, 1);
- if (check_inverse(optarg))
+ ebt_check_option(flags, 1);
+ if (ebt_check_inverse(optarg))
ptinfo->invert = 1;
if (optind > argc)
print_error("Missing pkttype class specification");
@@ -132,5 +132,5 @@
static void _init(void) __attribute((constructor));
static void _init(void)
{
- register_match(&pkttype_match);
+ ebt_register_match(&pkttype_match);
}
diff --git a/extensions/ebt_redirect.c b/extensions/ebt_redirect.c
index 432e58d..82feaa9 100644
--- a/extensions/ebt_redirect.c
+++ b/extensions/ebt_redirect.c
@@ -38,7 +38,7 @@
switch (c) {
case REDIRECT_TARGET:
- check_option(flags, OPT_REDIRECT_TARGET);
+ ebt_check_option(flags, OPT_REDIRECT_TARGET);
if (FILL_TARGET(optarg, redirectinfo->target))
print_error("Illegal --redirect-target target");
break;
@@ -102,5 +102,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_target(&redirect_target);
+ ebt_register_target(&redirect_target);
}
diff --git a/extensions/ebt_standard.c b/extensions/ebt_standard.c
index 6a260eb..7ee454b 100644
--- a/extensions/ebt_standard.c
+++ b/extensions/ebt_standard.c
@@ -31,8 +31,6 @@
{
}
-struct ebt_u_entries *nr_to_chain(int nr);
-
static void print(const struct ebt_u_entry *entry,
const struct ebt_entry_target *target)
{
@@ -41,7 +39,8 @@
if (verdict >= 0) {
struct ebt_u_entries *entries;
- entries = nr_to_chain(verdict + NF_BR_NUMHOOKS);
+ entries = ebt_nr_to_chain(entry->replace,
+ verdict + NF_BR_NUMHOOKS);
printf("%s", entries->name);
return;
}
@@ -81,5 +80,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_target(&standard);
+ ebt_register_target(&standard);
}
diff --git a/extensions/ebt_stp.c b/extensions/ebt_stp.c
index 391b89e..60f2cc8 100644
--- a/extensions/ebt_stp.c
+++ b/extensions/ebt_stp.c
@@ -78,10 +78,6 @@
stpinfo->bitmask = 0;
}
-/* defined in ebtables.c */
-int get_mac_and_mask(char *from, char *to, char *mask);
-void print_mac_and_mask(const char *mac, const char *mask);
-
#define determine_value(p,s) \
{ \
uint32_t _tmp2; \
@@ -135,8 +131,8 @@
if (c < 'a' || c > ('a' + STP_NUMOPS - 1))
return 0;
flag = 1 << (c - 'a');
- check_option(flags, flag);
- if (check_inverse(optarg))
+ ebt_check_option(flags, flag);
+ if (ebt_check_inverse(optarg))
stpinfo->invflags |= flag;
if (optind > argc)
print_error("Missing argument for --%s", opts[c-'a'].name);
@@ -211,12 +207,12 @@
print_error("Bad STP config forward delay range");
break;
case EBT_STP_ROOTADDR:
- if (get_mac_and_mask(argv[optind-1],
+ if (ebt_get_mac_and_mask(argv[optind-1],
stpinfo->config.root_addr, stpinfo->config.root_addrmsk))
print_error("Bad STP config root address");
break;
case EBT_STP_SENDERADDR:
- if (get_mac_and_mask(argv[optind-1], stpinfo->config.sender_addr,
+ if (ebt_get_mac_and_mask(argv[optind-1], stpinfo->config.sender_addr,
stpinfo->config.sender_addrmsk))
print_error("Bad STP config sender address");
break;
@@ -269,13 +265,13 @@
} else if (EBT_STP_ROOTPRIO == (1 << i))
print_range(c->root_priol, c->root_priou);
else if (EBT_STP_ROOTADDR == (1 << i))
- print_mac_and_mask(c->root_addr, c->root_addrmsk);
+ ebt_print_mac_and_mask(c->root_addr, c->root_addrmsk);
else if (EBT_STP_ROOTCOST == (1 << i))
print_range(c->root_costl, c->root_costu);
else if (EBT_STP_SENDERPRIO == (1 << i))
print_range(c->sender_priol, c->sender_priou);
else if (EBT_STP_SENDERADDR == (1 << i))
- print_mac_and_mask(c->sender_addr, c->sender_addrmsk);
+ ebt_print_mac_and_mask(c->sender_addr, c->sender_addrmsk);
else if (EBT_STP_PORT == (1 << i))
print_range(c->portl, c->portu);
else if (EBT_STP_MSGAGE == (1 << i))
@@ -312,5 +308,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_match(&stp_match);
+ ebt_register_match(&stp_match);
}
diff --git a/extensions/ebt_vlan.c b/extensions/ebt_vlan.c
index 198f537..5a8a912 100644
--- a/extensions/ebt_vlan.c
+++ b/extensions/ebt_vlan.c
@@ -45,7 +45,7 @@
#define SET_BITMASK(_MASK_) vlaninfo->bitmask |= _MASK_
#define INV_FLAG(_inv_flag_) (vlaninfo->invflags & _inv_flag_) ? "! " : ""
#define CHECK_IF_MISSING_VALUE if (optind > argc) print_error ("Missing %s value", opts[c].name);
-#define CHECK_INV_FLAG(_INDEX_) if (check_inverse (optarg)) vlaninfo->invflags |= _INDEX_;
+#define CHECK_INV_FLAG(_INDEX_) if (ebt_check_inverse (optarg)) vlaninfo->invflags |= _INDEX_;
#define CHECK_RANGE(_RANGE_) if (_RANGE_) print_error ("Invalid %s range", opts[c].name);
#define NAME_VLAN_ID "id"
@@ -138,7 +138,7 @@
switch (c) {
case VLAN_ID:
- check_option(flags, OPT_VLAN_ID);
+ ebt_check_option(flags, OPT_VLAN_ID);
CHECK_INV_FLAG(EBT_VLAN_ID);
CHECK_IF_MISSING_VALUE;
(unsigned short) local.id =
@@ -149,7 +149,7 @@
break;
case VLAN_PRIO:
- check_option(flags, OPT_VLAN_PRIO);
+ ebt_check_option(flags, OPT_VLAN_PRIO);
CHECK_INV_FLAG(EBT_VLAN_PRIO);
CHECK_IF_MISSING_VALUE;
(unsigned char) local.prio =
@@ -160,7 +160,7 @@
break;
case VLAN_ENCAP:
- check_option(flags, OPT_VLAN_ENCAP);
+ ebt_check_option(flags, OPT_VLAN_ENCAP);
CHECK_INV_FLAG(EBT_VLAN_ENCAP);
CHECK_IF_MISSING_VALUE;
(unsigned short) local.encap =
@@ -321,5 +321,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_match(&vlan_match);
+ ebt_register_match(&vlan_match);
}
diff --git a/extensions/ebtable_broute.c b/extensions/ebtable_broute.c
index 155d9ce..362183a 100644
--- a/extensions/ebtable_broute.c
+++ b/extensions/ebtable_broute.c
@@ -2,7 +2,7 @@
#include "../include/ebtables_u.h"
-static void print_help(char **hn)
+static void print_help(const char **hn)
{
printf("Supported chain for the broute table:\n");
printf("%s\n",hn[NF_BR_BROUTING]);
@@ -18,5 +18,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_table(&table);
+ ebt_register_table(&table);
}
diff --git a/extensions/ebtable_filter.c b/extensions/ebtable_filter.c
index 724198c..904a857 100644
--- a/extensions/ebtable_filter.c
+++ b/extensions/ebtable_filter.c
@@ -4,7 +4,7 @@
#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \
(1 << NF_BR_LOCAL_OUT))
-static void print_help(char **hn)
+static void print_help(const char **hn)
{
int i;
@@ -24,5 +24,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_table(&table);
+ ebt_register_table(&table);
}
diff --git a/extensions/ebtable_nat.c b/extensions/ebtable_nat.c
index 7998e7d..b151dc5 100644
--- a/extensions/ebtable_nat.c
+++ b/extensions/ebtable_nat.c
@@ -4,7 +4,7 @@
#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | \
(1 << NF_BR_POST_ROUTING))
-static void print_help(char **hn)
+static void print_help(const char **hn)
{
int i;
@@ -25,5 +25,5 @@
static void _init(void) __attribute__ ((constructor));
static void _init(void)
{
- register_table(&table);
+ ebt_register_table(&table);
}
diff --git a/include/ebtables_u.h b/include/ebtables_u.h
index 914a0f9..77d1e50 100644
--- a/include/ebtables_u.h
+++ b/include/ebtables_u.h
@@ -30,6 +30,7 @@
#define EBT_MIN_ALIGN (__alignof__(struct ebt_entry_target))
#endif
#define EBT_ALIGN(s) (((s) + (EBT_MIN_ALIGN-1)) & ~(EBT_MIN_ALIGN-1))
+#define ERRORMSG_MAXLEN 128
struct ebt_u_entries
{
@@ -51,6 +52,13 @@
char *kernel_start;
};
+struct ebt_cntchanges;
+struct ebt_cntchanges
+{
+ unsigned short type;
+ struct ebt_cntchanges *next;
+};
+
struct ebt_u_replace
{
char name[EBT_TABLE_MAXNAMELEN];
@@ -72,20 +80,20 @@
/* we stick the specified command (e.g. -A) in here */
char command;
/*
- * here we stick the hook to do our thing on (can be -1 if unspecified)
+ * here we stick the chain to do our thing on (can be -1 if unspecified)
*/
- int selected_hook;
+ int selected_chain;
/* used for the atomic option */
char *filename;
/* tells what happened to the old rules */
- unsigned short *counterchanges;
+ struct ebt_cntchanges *counterchanges;
};
struct ebt_u_table
{
char name[EBT_TABLE_MAXNAMELEN];
void (*check)(struct ebt_u_replace *repl);
- void (*help)(char **);
+ void (*help)(const char **);
struct ebt_u_table *next;
};
@@ -118,6 +126,8 @@
struct ebt_u_watcher_list *w_list;
struct ebt_entry_target *t;
struct ebt_u_entry *next;
+ /* needed f.e. to find out the name of the udc when listing -j */
+ struct ebt_u_replace *replace;
};
struct ebt_u_match
@@ -147,6 +157,7 @@
/*
* if used == 1 we no longer have to add it to
* the match chain of the new entry
+ * be sure to put it back on 0 when finished
*/
unsigned int used;
struct ebt_u_match *next;
@@ -200,60 +211,128 @@
struct ebt_u_target *next;
};
-void register_table(struct ebt_u_table *);
-void register_match(struct ebt_u_match *);
-void register_watcher(struct ebt_u_watcher *);
-void register_target(struct ebt_u_target *t);
-int get_table(struct ebt_u_replace *repl);
-struct ebt_u_target *find_target(const char *name);
-struct ebt_u_match *find_match(const char *name);
-struct ebt_u_watcher *find_watcher(const char *name);
-struct ebt_u_table *find_table(char *name);
-void deliver_counters(struct ebt_u_replace *repl);
-void deliver_table(struct ebt_u_replace *repl);
-void check_option(unsigned int *flags, unsigned int mask);
-int check_inverse(const char option[]);
-void print_mac(const char *mac);
-void print_mac_and_mask(const char *mac, const char *mask);
+/* libebtc.c */
+
+extern struct ebt_u_table *ebt_tables;
+extern struct ebt_u_match *ebt_matches;
+extern struct ebt_u_watcher *ebt_watchers;
+extern struct ebt_u_target *ebt_targets;
+
+void ebt_register_table(struct ebt_u_table *);
+void ebt_register_match(struct ebt_u_match *);
+void ebt_register_watcher(struct ebt_u_watcher *);
+void ebt_register_target(struct ebt_u_target *t);
+void ebt_get_kernel_table(struct ebt_u_replace *replace,
+ struct ebt_u_table *table);
+struct ebt_u_target *ebt_find_target(const char *name);
+struct ebt_u_match *ebt_find_match(const char *name);
+struct ebt_u_watcher *ebt_find_watcher(const char *name);
+struct ebt_u_table *ebt_find_table(const char *name);
int ebtables_insmod(const char *modname);
+void ebt_list_extensions();
+void ebt_initialize_entry(struct ebt_u_entry *e);
+void ebt_free_u_entry(struct ebt_u_entry *e);
+struct ebt_u_entries *ebt_name_to_chain(const struct ebt_u_replace *replace,
+ const char* arg);
+struct ebt_u_entries *ebt_nr_to_chain(const struct ebt_u_replace *replace,
+ int nr);
+struct ebt_u_entries *ebt_to_chain(const struct ebt_u_replace *replace);
+struct ebt_u_entries *ebt_name_to_chain(const struct ebt_u_replace *replace,
+ const char* arg);
+int ebt_get_chainnr(const struct ebt_u_replace *replace, const char* arg);
+/**/
+void ebt_change_policy(struct ebt_u_replace *replace, int policy);
+void ebt_flush_chains(struct ebt_u_replace *replace);
+int ebt_check_rule_exists(struct ebt_u_replace *replace,
+ struct ebt_u_entry *new_entry);
+void ebt_add_rule(struct ebt_u_replace *replace, struct ebt_u_entry *new_entry,
+ int rule_nr);
+void ebt_delete_rule(struct ebt_u_replace *replace,
+ struct ebt_u_entry *new_entry, int begin, int end);
+void ebt_zero_counters(struct ebt_u_replace *replace);
+void ebt_new_chain(struct ebt_u_replace *replace, const char *name, int policy);
+void ebt_delete_chain(struct ebt_u_replace *replace);
+void ebt_rename_chain(struct ebt_u_replace *replace, const char *name);
+/**/
+void ebt_do_final_checks(struct ebt_u_replace *replace, struct ebt_u_entry *e,
+ struct ebt_u_entries *entries);
+int ebt_check_for_references(struct ebt_u_replace *replace);
+int ebt_check_for_references2(struct ebt_u_replace *replace, int chain_nr);
+void ebt_check_for_loops(struct ebt_u_replace *replace);
+void ebt_add_match(struct ebt_u_entry *new_entry, struct ebt_u_match *m);
+void ebt_add_watcher(struct ebt_u_entry *new_entry, struct ebt_u_watcher *w);
+void ebt_iterate_matches(void (*f)(struct ebt_u_match *));
+void ebt_iterate_watchers(void (*f)(struct ebt_u_watcher *));
+void ebt_iterate_targets(void (*f)(struct ebt_u_target *));
void __print_bug(char *file, int line, char *format, ...);
+void __print_error(char *format, ...);
+
+/* communication.c */
+
+int ebt_get_table(struct ebt_u_replace *repl);
+void ebt_deliver_counters(struct ebt_u_replace *repl);
+void ebt_deliver_table(struct ebt_u_replace *repl);
+
+/* useful_functions.c */
+
+extern int ebt_invert;
+void ebt_check_option(unsigned int *flags, unsigned int mask);
+int ebt_check_inverse(const char option[]);
+void ebt_print_mac(const char *mac);
+void ebt_print_mac_and_mask(const char *mac, const char *mask);
+int ebt_get_mac_and_mask(char *from, char *to, char *mask);
+void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk);
+char *ebt_mask_to_dotted(uint32_t mask);
+
+struct ethertypeent *parseethertypebynumber(int type);
+
#define print_bug(format, args...) \
__print_bug(__FILE__, __LINE__, format, ##args)
-#define print_error(format,args...) {printf(format,##args);\
- printf(".\n");exit(-1);}
+#define print_error(format,args...) __print_error(format, ##args);
#define print_memory() {printf("Ebtables: " __FILE__ \
" %s %d :Out of memory.\n", __FUNCTION__, __LINE__); exit(-1);}
/* used for keeping the rule counters right during rule adds or deletes */
-#define CNT_NORM 0
-#define CNT_DEL 1
-#define CNT_ADD 2
-#define CNT_END 3
-#define CNT_ZERO 4
+#define CNT_NORM 0
+#define CNT_DEL 1
+#define CNT_ADD 2
+#define CNT_OWRITE 3
+#define CNT_ZERO 4
-extern char *standard_targets[NUM_STANDARD_TARGETS];
+extern const char *ebt_hooknames[NF_BR_NUMHOOKS];
+extern const char *ebt_standard_targets[NUM_STANDARD_TARGETS];
+extern char ebt_errormsg[ERRORMSG_MAXLEN];
+extern char *ebt_modprobe;
+extern int ebt_silent;
+extern int ebt_printstyle_mac;
+
/*
* Transforms a target string into the right integer,
* returns 0 on success.
*/
-#define FILL_TARGET(_str, _pos) ({ \
- int _i, _ret = 0; \
- for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \
- if (!strcmp(_str, standard_targets[_i])) {\
- _pos = -_i - 1; \
- break; \
- } \
- if (_i == NUM_STANDARD_TARGETS) \
- _ret = 1; \
- _ret; \
+#define FILL_TARGET(_str, _pos) ({ \
+ int _i, _ret = 0; \
+ for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \
+ if (!strcmp(_str, ebt_standard_targets[_i])) {\
+ _pos = -_i - 1; \
+ break; \
+ } \
+ if (_i == NUM_STANDARD_TARGETS) \
+ _ret = 1; \
+ _ret; \
})
/* Transforms the target value to an index into standard_targets[] */
#define TARGET_INDEX(_value) (-_value - 1)
/* Returns a target string corresponding to the value */
-#define TARGET_NAME(_value) (standard_targets[TARGET_INDEX(_value)])
+#define TARGET_NAME(_value) (ebt_standard_targets[TARGET_INDEX(_value)])
/* True if the hook mask denotes that the rule is in a base chain */
#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS))
/* Clear the bit in the hook_mask that tells if the rule is on a base chain */
#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS))
+#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n")
+#ifndef PROC_SYS_MODPROBE
+#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+#endif
+#define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE"
#endif /* EBTABLES_U_H */