Commit log. Each entry lists the commit message, author, date, number of files changed and lines removed/added.
* ebtables: add "allstatic" build target  (HEAD, master)
  Justin Swartz, 2022-08-02; 1 file changed, -1/+3

  The "allstatic" target produces a statically linked (or standalone)
  binary, in contrast to "static" which produces a dynamically linked
  binary with libebtc baked in.

  Signed-off-by: Justin Swartz <justin.swartz@risingedge.co.za>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: fix the 'static' build target
  Robert Kolchmeyer, 2022-03-22; 1 file changed, -2/+1

  Currently, `make static` results in the following error:

      undefined reference to `main'

  I took a guess at what 'static' is supposed to produce, and thought it
  would make sense to use the main definition from ebtables-standalone.c.

  Also, producing 'static' by linking against a libebtc.a results in a
  non-functional program (immediate segmentation fault). This is because
  the initialization functions defined in libebtc.a aren't linked into the
  result program. I ran into issues trying to use the --whole-archive
  linker option with libtool, so I figured linking in the libebtc object
  files directly was the simplest approach.

  Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libebtc: fix malloc usage
  Florian Westphal, 2021-09-30; 1 file changed, -36/+24

  Rule insertion may fail on systems where libc doesn't provide zeroed
  memory via malloc (which is legal). IOW, this was never guaranteed to
  work correctly.

  Add a xzalloc wrapper to do error checking and zeroing and then use it
  in libebtc.

  Reported-and-tested-by: Senthil Kumar Balasubramanian <senthilb@qubercomm.com>
  Diagnosed-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Spewing an error if --concurrent isn't first argument
  Firo Yang, 2021-04-19; 1 file changed, -0/+2

  Our customer reported the following issue:

  If '--concurrent' was passed to ebtables command behind other arguments,
  '--concurrent' will not take effect sometimes; for a simple example,
  ebtables -L --concurrent. This is because the handling of '--concurrent'
  is implemented in a passing-order-dependent way.

  Fixed this problem as Pablo Neira Ayuso suggested by simply spewing an
  error like the following:

      ./ebtables-legacy -L --concurrent
      Please put the --concurrent option first.

  Signed-off-by: Firo Yang <firo.yang@suse.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libebtc: Fix an issue that '--concurrent' doesn't work with NFS
  Firo Yang, 2021-04-19; 1 file changed, -1/+1

  Due to the following commit[1] from kernel, if '/var/lib/ebtables' was
  mounted with a NFS filesystem, ebtables command will hit the following
  error:

      mount | grep nfs
      x.x.x.x:/var/lib/ebtables on /var/lib/ebtables type nfs4 [...]

      /usr/sbin/ebtables --concurrent -L
      Trying to obtain lock /var/lib/ebtables/lock
      Trying to obtain lock /var/lib/ebtables/lock
      Trying to obtain lock /var/lib/ebtables/lock
      Trying to obtain lock /var/lib/ebtables/lock
      [...]

  In order to fix this problem, add 'O_WRONLY' to match the requirement of
  that kernel commit[1].

  [1]: 55725513b5ef ("NFSv4: Ensure that we check lock exclusive/shared
       type against open modes")

  Signed-off-by: Firo Yang <firo.yang@suse.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libebtc: Open the lockfile with O_CLOEXEC
  Ondrej Mosnacek, 2021-02-17; 1 file changed, -1/+1

  Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
  mostly benign, but it may trigger an SELinux denial when the modprobe
  process transitions to another domain.

  Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use
  a file lock to support concurrent scripts running ebtables")
  Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove stray @ sign in manpage
  Jan Engelhardt, 2019-12-03; 1 file changed, -1/+1

  Because the sed command was not matching the trailing @, it was left in
  the manpage, leading to

      NAME
             ebtables-legacy (2.0.11@) - Ethernet bridge frame table administration (legacy)

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: ebtables 2.0.11 release  (tag: ebtables-2.0.11)
  Pablo Neira Ayuso, 2019-12-02; 1 file changed, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Drop ebtables-config from repository
  Phil Sutter, 2019-06-26; 3 files changed, -42/+1

  This config was used by the sysv init script, so it is a leftover.

  Fixes: b43f3ff0a6180 ("ebtables: drop sysvinit script")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix incorrect IPv6 prefix formatting
  Phil Sutter, 2019-05-12; 1 file changed, -1/+1

  Due to a typo, 127-bit prefixes were omitted instead of 128-bit ones.

  Reported-by: Laine Stump <laine@redhat.com>
  Fixes: a88e4b4ac1a1b ("Print IPv6 prefixes in CIDR notation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix segfault with missing lockfile directory
  Phil Sutter, 2019-04-09; 1 file changed, -1/+2

  Apparently, dirname() modifies the buffer passed to it. Given a
  read-only location, this leads to a segfault. Use a buffer initialized
  (and tailored) to the content of LOCKFILE macro at compile-time instead.

  Fixes: f45756c1ca3b5 ("Allow customizing lockfile location at configure time")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Add AUDIT target
  Phil Sutter, 2019-04-03; 3 files changed, -1/+141

  This is a barn find from Fedora package, actually spooking around in
  various places in the internet. No idea who wrote it, but it seems to be
  used. So add it for the time being.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Allow customizing lockfile location at configure time
  Phil Sutter, 2019-04-03; 3 files changed, -8/+6

  Users may pass LOCKFILE=/some/path/to/file when calling configure to
  make libebtc use that path for its lockfile.

  To simplify things, drop LOCKDIR completely and instead call dirname()
  when trying to create the parent directory.

  Given that we always define LOCKFILE via compiler flag, drop the
  fallback define from libebtc.c.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Drop Makefile
  Phil Sutter, 2019-04-03; 1 file changed, -30/+0

  Sources contained in there are built from toplevel Makefile.am. This
  seems like a leftover from commit 131920089dc21 ("build: move to
  automake").

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Adjust .gitignore to renamed files
  Phil Sutter, 2019-03-13; 1 file changed, -4/+4

  Fixes: 6218f812d894f ("ebtables: legacy renaming")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Print IPv6 prefixes in CIDR notation
  Phil Sutter, 2019-02-14; 1 file changed, -5/+30

  According to RFC4291, IPv6 prefixes are represented in CIDR notation.
  While the use of a "netmask" notation is not explicitly denied, its
  existence merely stems from applying IPv4 standards to IPv6. This is not
  necessarily correct.

  Therefore change printing of IPv6 prefixes to use CIDR notation as long
  as the address mask's bits are left contiguous.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
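The three IPv6 mask-printing commits above ("don't print IPv6 mask if it's all ones", "Print IPv6 prefixes in CIDR notation" and the follow-up "Fix incorrect IPv6 prefix formatting", whose typo dropped the suffix for 127-bit rather than 128-bit masks) describe one formatting rule: print /N when the mask is left contiguous, print no suffix at all for a full 128-bit mask, and fall back to the netmask form otherwise. The following is an added example written for this page, not ebtables' own code; the function names (ipv6_mask_prefix_len, format_ipv6_prefix) are assumptions, and it additionally refuses a truncated result rather than printing a clipped prefix.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/*
 * Return the prefix length (0..128) when the mask is left-contiguous,
 * i.e. a run of 1 bits followed only by 0 bits; return -1 otherwise.
 */
int ipv6_mask_prefix_len(const struct in6_addr *mask)
{
	int bits = 0, seen_zero = 0, i, j;

	for (i = 0; i < 16; i++) {
		for (j = 7; j >= 0; j--) {
			if (mask->s6_addr[i] & (1u << j)) {
				if (seen_zero)
					return -1;	/* a 1 bit after a 0 bit */
				bits++;
			} else {
				seen_zero = 1;
			}
		}
	}
	return bits;
}

/* Build the mask whose top `plen` bits are set (helper for callers/tests). */
void ipv6_mask_from_prefix_len(int plen, struct in6_addr *mask)
{
	int i;

	memset(mask, 0, sizeof(*mask));
	for (i = 0; i < plen && i < 128; i++)
		mask->s6_addr[i / 8] |= (unsigned char)(0x80 >> (i % 8));
}

/*
 * Write "addr/len" for a contiguous mask, just "addr" for a full 128-bit
 * mask (a single host), and "addr/mask" when the mask is not contiguous.
 * Returns the length written, or -1 on conversion error or when the output
 * would be truncated (a clipped prefix is worse than none).
 */
int format_ipv6_prefix(const struct in6_addr *addr,
		       const struct in6_addr *mask, char *out, size_t outlen)
{
	char abuf[INET6_ADDRSTRLEN], suffix[INET6_ADDRSTRLEN + 1];
	int plen, n;

	if (!inet_ntop(AF_INET6, addr, abuf, sizeof(abuf)))
		return -1;

	plen = ipv6_mask_prefix_len(mask);
	if (plen == 128) {
		suffix[0] = '\0';		/* host address: no suffix */
	} else if (plen >= 0) {
		snprintf(suffix, sizeof(suffix), "/%d", plen);
	} else {
		suffix[0] = '/';		/* non-contiguous: netmask form */
		if (!inet_ntop(AF_INET6, mask, suffix + 1, sizeof(suffix) - 1))
			return -1;
	}

	n = snprintf(out, outlen, "%s%s", abuf, suffix);
	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return n;
}

/* Convenience wrapper taking textual address and mask. */
int format_ipv6_prefix_str(const char *addr_s, const char *mask_s,
			   char *out, size_t outlen)
{
	struct in6_addr addr, mask;

	if (inet_pton(AF_INET6, addr_s, &addr) != 1 ||
	    inet_pton(AF_INET6, mask_s, &mask) != 1)
		return -1;
	return format_ipv6_prefix(&addr, &mask, out, outlen);
}

int main(void)
{
	/* Constructed sample inputs: /64, a host, /127 and a gappy mask. */
	static const char *const cases[][2] = {
		{ "2001:db8::", "ffff:ffff:ffff:ffff::" },
		{ "2001:db8::1", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" },
		{ "2001:db8::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe" },
		{ "2001:db8::", "ffff:0:ffff::" },
	};
	char buf[2 * INET6_ADDRSTRLEN + 2];
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		if (format_ipv6_prefix_str(cases[i][0], cases[i][1],
					   buf, sizeof(buf)) >= 0)
			printf("%s\n", buf);
	return 0;
}
```

The contiguity check walks the mask bit by bit from the most significant end, which is what "left contiguous" means in the commit message; a mask such as ffff:0:ffff:: fails it and is printed verbatim so no information is lost.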
* ebtables: drop sysvinit script
  Arturo Borrero Gonzalez, 2019-01-28; 3 files changed, -150/+1

  This configuration file belongs to downstream distributions. Also, it's
  unmaintained.

  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: drop .spec file
  Arturo Borrero Gonzalez, 2019-01-28; 1 file changed, -83/+0

  This file is for packaging in the RPM format. Clearly doesn't belong
  here. Also, it is unmaintained.

  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: legacy renaming
  Arturo Borrero Gonzalez, 2018-12-05; 4 files changed, -13/+26

  The original ebtables tool is now the legacy version, let's rename it.

  A more up-to-date client of the ebtables tool is provided in the
  iptables tarball (ebtables-nft). The new tool was formerly known as
  ebtables-compat.

  The new -legacy binary has no problem if called via a symlink with the
  'ebtables' name, so users can still name this binary with whatever name.

  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: among: Fix bitmask check
  Phil Sutter, 2018-11-12; 1 file changed, -2/+2

  Boolean AND was applied instead of binary one, causing the exclamation
  mark to be printed whenever info->bitmask was non-zero.

  In practice, this leads to incorrect output if e.g. --among-src was
  given with an inverted match as well as --among-dst with a non-inverted
  one. Output would then list both matches as inverted.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtablesd: avoid build warning
  Florian Westphal, 2018-07-02; 1 file changed, -4/+1

      ebtablesd.c:55:43: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable]

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: move to automake
  Jan Engelhardt, 2018-07-02; 7 files changed, -278/+163

  Signed-off-by: Florian Westphal <fw@strlen.de>
* Add .gitignore
  Jan Engelhardt, 2018-07-02; 1 file changed, -0/+7

  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: use __attribute__((constructor)) for autoregistration
  Jan Engelhardt, 2018-07-02; 26 files changed, -59/+28

  The ebtables initialization is easier, and, judging from the "static"
  recipe in Makefile, calling ebt_*_register ahead of main is safe.

  This means that a static build won't need the pseudomain hack, and that
  -nostartfiles can also go away.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: use autoconf-style placeholders in sed-ed files
  Jan Engelhardt, 2018-07-02; 4 files changed, -27/+27

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: rename sed source files to .in
  Jan Engelhardt, 2018-07-02; 5 files changed, -7/+7

  Prepare for autoconf-based substitution of macros in the file.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: drop install -o/-g root
  Jan Engelhardt, 2018-06-28; 1 file changed, -12/+12

  Calling /usr/bin/install with -o/-g will attempt to chown, and fail if
  unsuccessful, which makes an unprivileged install with DESTDIR a futile
  attempt always.

  Drop it, because /usr/bin/install chowns to the current running user
  *anyway*, which means when root calls `make install`, it will do the
  right thing as before.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: ebt_string: take action if snprintf discards data
  Duncan Roe, 2018-06-28; 1 file changed, -1/+3

  56993546c805 ("extensions: fix build failure on fc28") eliminated a gcc
  warning that strncpy could make a string w/out a NUL terminator.
  snprintf guarantees NUL-termination (so fixes that possibility).

  But, snprintf may discard data to make room for the NUL. This patch
  errors straight away in that eventuality.

  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix build failure on fc28
  Florian Westphal, 2018-06-06; 1 file changed, -1/+1

  make fails via:

      extensions/ebt_string.c: In function ‘parse’:
      extensions/ebt_string.c:171:3: error: ‘strncpy’ specified bound 16 equals destination size [-Werror=stringop-truncation]
         strncpy(info->algo, optarg, XT_STRING_MAX_ALGO_NAME_SIZE);

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: update ebtables.h from kernel and drop local unused copy
  Jan Engelhardt, 2018-06-06; 3 files changed, -295/+20

  Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
  <linux/netfilter_bridge/ebtables.h> again and import a new ebtables.h
  from the kernel tree that has the "revision" field.

  With this, include/ebtables.h is (again) used by no source file, and so
  can be removed.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Fix build errors and warnings
  Duncan Roe, 2018-05-15; 2 files changed, -15/+14

  Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly:

  > libebtc.c: In function 'ebt_reinit_extensions':
  > libebtc.c:275:11: error: 'union <anonymous>' has no member named 'revision'
  >    m->m->u.revision = m->revision;
  >            ^
  > libebtc.c: In function 'ebt_check_rule_exists':
  > libebtc.c:555:21: error: 'union <anonymous>' has no member named 'revision'
  >      m_l2->m->u.revision != m->m->u.revision)) {
  >                      ^
  > libebtc.c:555:41: error: 'union <anonymous>' has no member named 'revision'
  >      m_l2->m->u.revision != m->m->u.revision)) {
  >                                          ^
  > libebtc.c: In function 'ebt_register_match':
  > libebtc.c:1215:9: error: 'union <anonymous>' has no member named 'revision'
  >    m->m->u.revision = m->revision;
  >          ^

  The cause of this failure is that the commit updated include/ebtables.h
  but libebtc.c uses include/linux/netfilter_bridge/ebtables.h via
  include/ebtables_u.h (gcc -E -C verifies this).

  The 2 versions of ebtables.h looked to me to be otherwise close enough,
  so amended ebtables_u.h to use the newer one.

  Makefile insists on being warning-free, so cleared up warnings. Apart
  from unused variables, there was also the issue that the diagnostic
  macro ebt_print_error2 *returns* (i.e. makes its caller return) and
  returns -1. This is unsuitable for use in functions which do not return
  a value, so introduced ebt_print_error3 to do this.

  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* include: Fix musl libc compatibility
  Baruch Siach, 2018-05-08; 1 file changed, -0/+1

  Conflicting definitions of struct ethhdr between the kernel and musl
  libc provided headers cause a build failure:

      In file included from .../usr/include/netinet/ether.h:8:0,
                       from useful_functions.c:28:
      .../usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
       struct ethhdr {
              ^~~~~~
      In file included from include/linux/netfilter_bridge.h:8:0,
                       from include/linux/netfilter_bridge/ebtables.h:17,
                       from include/ebtables_u.h:27,
                       from useful_functions.c:25:
      include/linux/if_ether.h:119:8: note: originally defined here
       struct ethhdr {
              ^~~~~~

  Recent enough versions of kernel headers allow the libc to suppress
  conflicting kernel definitions. Include the libc provided netinet/ether.h
  before kernel headers to suppress the conflicting definition of struct
  ethhdr.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Add string filter to ebtables
  Bernie Harris, 2018-04-27; 6 files changed, -5/+359

  This patch is part of a proposal to add a string filter to ebtables,
  which would be similar to the string filter in iptables.

  Like iptables, the ebtables filter uses the xt_string module, however
  some modifications have been made for this to work correctly.

  Currently ebtables assumes that the revision number of all match modules
  is 0. The xt_string module doesn't register a match with revision 0 so
  the solution is to modify ebtables to allow extensions to specify a
  revision number, similar to iptables. This gets passed down to the
  kernel, which is then able to find the match module correctly.

  Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebt_ip: add support for matching IGMP type
  Matthias Schiffer, 2018-04-11; 2 files changed, -14/+65

  We already have ICMPv6 type/code matches (which can be used to
  distinguish different types of MLD packets). Add support for IPv4 IGMP
  matches in the same way.

  To reuse as much code as possible, the ICMP type/code handling functions
  are extended to allow passing a NULL code range.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebt_ip: add support for matching ICMP type and code
  Matthias Schiffer, 2018-04-11; 1 file changed, -2/+94

  We already have ICMPv6 type/code matches. This adds support for IPv4
  ICMP matches in the same way.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Move ICMP type handling functions from ebt_ip6 to useful_functions.c
  Matthias Schiffer, 2018-04-11; 3 files changed, -159/+174

  Allow using these functions for ebt_ip as well.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: sync linux/netfilter_bridge/ebt_ip.h with kernel
  Matthias Schiffer, 2018-04-11; 1 file changed, -3/+13

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix locking if LOCKDIR does not exist
  Phil Sutter, 2018-01-17; 1 file changed, -4/+10

  The previous conversion to using flock() missed a crucial bit of code
  which tries to create LOCKDIR once in case opening the lock failed.
  This patch reestablishes the old behaviour.

  Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
  Fixes: 6a826591878db ("Use flock() for --concurrent option")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use flock() for --concurrent option
  Phil Sutter, 2017-10-24; 2 files changed, -52/+5

  The previous locking mechanism was not atomic, hence it was possible
  that a killed ebtables process would leave the lock file in place which
  in turn made future ebtables processes wait indefinitely for the lock to
  become free.

  Fix this by using flock(). This also simplifies code quite a bit because
  there is no need for a custom signal handler or an __exit routine
  anymore.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: extensions: Constify option struct
  Gargi Sharma, 2017-03-28; 18 files changed, -20/+20

  The struct of the type option is only used to initialise a field inside
  the ebt_u_watcher or ebt_u_target or ebt_u_match struct and is not
  modified anywhere.

  Signed-off-by: Gargi Sharma <gs051095@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Allow RETURN target rules in user defined chains
  Alin Năstac, 2015-10-28; 1 file changed, -1/+1

  During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS'
  if they're called from a base chain rather than a user defined chain.

  This can be used by ebtables targets that can encode a special return
  value to bail out if e.g. RETURN is used from a base chain.

  Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also
  copied to called user-defined-chains (i.e., a user defined chain can no
  longer be distinguished from a base chain):

      root@OpenWrt:~# ebtables -N foo
      root@OpenWrt:~# ebtables -A OUTPUT -j foo
      root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
      --mark-target RETURN not allowed on base chain.

  This works if -A OUTPUT -j foo is omitted, but will still appear if we
  try to call foo from OUTPUT afterwards.

  After this patch we still reject '-A OUTPUT -j mark .. --mark-target
  RETURN'.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* ethernetdb.h: Remove C++ specific compiler hint macro _THROW
  Felix Janda, 2015-05-21; 1 file changed, -6/+5

  Fixes compilation with musl libc

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Use stdint types
  Felix Janda, 2015-05-21; 2 files changed, -7/+7

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add kernel headers needed from v3.16
  Pedro Alvarez, 2015-03-02; 20 files changed, -0/+860

  Ebtables fails to compile with versions of the linux headers greater
  than v3.16 with this error:

      extensions/ebt_ulog.c:17:45: fatal error: linux/netfilter_bridge/ebt_ulog.h: No such file or directory
       #include <linux/netfilter_bridge/ebt_ulog.h>

  This patch adds netfilter_bridge headers for every supported extension,
  including filter.h and types.h, to avoid this problem and future
  problems with changes in the kernel headers.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* don't print IPv6 mask if it's all ones (based on patch by Mariusz Mazur <mmazur at axeos.com>)
  Bart De Schuymer, 2014-04-14; 3 files changed, -2/+16
* remove ebtables-restore binary from repository
  Bart De Schuymer, 2013-07-31; 1 file changed, -118/+0
* Add --noflush command line support for ebtables-restore
  Sanket Shah, 2013-07-31; 1 file changed, -4/+25
* workaround for kernel regression bug: IPv6 source/destination addresses are potentially not matched correctly
  Luis Fernando, 2013-07-03; 1 file changed, -0/+4
* add info about -Wl,-no-as-needed
  Bart De Schuymer, 2013-07-03; 1 file changed, -0/+2
* fix compilation warning
  Petri Gynther, 2013-02-24; 1 file changed, -1/+1