From 51c612a0d8298229fa35fb6b1ea272ee446b1032 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Mon, 15 Apr 2019 18:18:25 +0200
Subject: [PATCH] iptables-1.8.2-1

- New upstream version 1.8.2
- Integrate ebtables and arptables save/restore scripts with alternatives
- Add nft-specific ebtables and arptables man pages
- Move /etc/sysconfig/ip*tables-config files into services sub-package
---
 ...apply-Use-mktemp-instead-of-tempfile.patch | 35 +
 ...mat-security-fixes-in-libip-6-t_icmp.patch | 60 +
 0003-doc-Add-arptables-nft-man-pages.patch | 486 +++++++
 0004-doc-Adjust-arptables-man-pages.patch | 192 +++
 0005-doc-Add-ebtables-man-page.patch | 1186 +++++++++++++++++
 0006-doc-Adjust-ebtables-man-page.patch | 275 ++++
 arptables-nft-helper | 68 +
 iptables-1.6.0-iptables-apply_mktemp.patch | 21 -
 iptables-1.8.0-xtables-nft-multi.patch | 15 -
 iptables.spec | 105 +-
 10 files changed, 2383 insertions(+), 60 deletions(-)
 create mode 100644 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
 create mode 100644 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 create mode 100644 0003-doc-Add-arptables-nft-man-pages.patch
 create mode 100644 0004-doc-Adjust-arptables-man-pages.patch
 create mode 100644 0005-doc-Add-ebtables-man-page.patch
 create mode 100644 0006-doc-Adjust-ebtables-man-page.patch
 create mode 100644 arptables-nft-helper
 delete mode 100644 iptables-1.6.0-iptables-apply_mktemp.patch
 delete mode 100644 iptables-1.8.0-xtables-nft-multi.patch

diff --git a/0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch b/0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
new file mode 100644
index 0000000..b6e1712
--- /dev/null
+++ b/0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
@@ -0,0 +1,35 @@
+From 1dba0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 12 Apr 2019 18:02:19 +0200
+Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
+
+Signed-off-by: Phil Sutter
+---
+ iptables/iptables-apply | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 819ca4a459c42..a685b6bbcd7dc 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
+ exit 2
+ fi
+
+-COMMANDS=(tempfile "$SAVE" "$RESTORE")
++COMMANDS=(mktemp "$SAVE" "$RESTORE")
+
+ for cmd in "${COMMANDS[@]}"; do
+ if ! command -v $cmd >/dev/null; then
+@@ -122,7 +122,7 @@ done
+
+ umask 0700
+
+-TMPFILE=$(tempfile -p iptap)
++TMPFILE=$(mktemp)
+ trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+ FPE USR1 SEGV USR2 PIPE ALRM TERM
+
+--
+2.21.0
+
diff --git a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
new file mode 100644
index 0000000..1bdbbd1
--- /dev/null
+++ b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
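Review bot: The new `TMPFILE=$(mktemp)` has no failure check, so if mktemp fails (full or read-only $TMPDIR) TMPFILE is empty and the script carries on into the save/restore steps with an empty path; the old tempfile call had the same gap, but this rewrite is the place to close it. It also drops the `iptap` prefix that `tempfile -p iptap` provided, which made leftover files in /tmp attributable to this tool. I would write `TMPFILE=$(mktemp --tmpdir iptap.XXXXXX) || { echo "E: cannot create temporary file" >&2; exit 1; }` — `--tmpdir` still honours $TMPDIR, and like the template-less form it is GNU coreutils syntax, which is acceptable for a Fedora package (the exit status is my choice; the script's own error-code convention is not visible here). Separately, the context line `umask 0700` just above clears the owner bits rather than group/other (presumably `umask 0077` was meant), and because mktemp's 0600 creation mode is filtered through the umask the file ends up mode 0000 — harmless for root but worth an upstream follow-up. The rest of iptables-apply, including every later use of $TMPFILE, lies outside this hunk.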
@@ -0,0 +1,60 @@
+From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?=
+Date: Wed, 14 Nov 2018 07:35:28 +0100
+Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+introduced support for gcc feature to check format string against passed
+argument. This commit adds missing bits to extenstions's libipt_icmp.c
+and libip6t_icmp6.c that were causing build to fail.
+
+Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+Signed-off-by: Adam Gołębiowski
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Phil Sutter
+---
+ extensions/libip6t_icmp6.c | 4 ++--
+ extensions/libipt_icmp.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
+index 45a71875722c4..cc7bfaeb72fd7 100644
+--- a/extensions/libip6t_icmp6.c
++++ b/extensions/libip6t_icmp6.c
+@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ type_name = icmp6_type_xlate(icmptype);
+
+ if (type_name) {
+- xt_xlate_add(xl, type_name);
++ xt_xlate_add(xl, "%s", type_name);
+ } else {
+ for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
+ if (icmpv6_codes[i].type == icmptype &&
+@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ break;
+
+ if (i != ARRAY_SIZE(icmpv6_codes))
+- xt_xlate_add(xl, icmpv6_codes[i].name);
++ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
+ else
+ return 0;
+ }
+diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
+index 5418997668d4c..e76257c54708c 100644
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ if (icmp_codes[i].type == icmptype &&
+ icmp_codes[i].code_min == code_min &&
+ icmp_codes[i].code_max == code_max) {
+- xt_xlate_add(xl, icmp_codes[i].name);
++ xt_xlate_add(xl, "%s", icmp_codes[i].name);
+ return 1;
+ }
+ }
+--
+2.21.0
+
diff --git a/0003-doc-Add-arptables-nft-man-pages.patch b/0003-doc-Add-arptables-nft-man-pages.patch
new file mode 100644
index 0000000..b4bae67
--- /dev/null
+++ b/0003-doc-Add-arptables-nft-man-pages.patch
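Review bot: The added `"%s"` arguments are the right fix, but the patch file name and its `Subject:` line label this a "format-security" fix while the description in the same hunk says the change only repairs a build that broke once `xt_xlate_add` gained the printf attribute; the strings involved — `icmp_codes[i].name`, `icmpv6_codes[i].name` and the `icmp6_type_xlate()` result — appear to come from the extensions' own tables rather than from rule input, so this does not look like an exploitable format-string bug and should not be advertised as a security fix in the package %changelog. I would add a one-line comment wherever the spec references this patch, along the lines of `# upstream 6e8f0c61f4c9: build fix for -Werror=format-security, which Fedora's default build flags enable`, so the next maintainer can drop it once 1.8.3 is packaged. Note that both `type_xlate_print` bodies begin and end outside the inner hunks, so whether any other non-literal format reaches `xt_xlate_add` in these files cannot be confirmed from here.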
@@ -0,0 +1,486 @@ +From 1d0089550ab9882ac90d0fc673f213c51e133552 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 13 Mar 2019 20:46:12 +0100 +Subject: [PATCH] doc: Add arptables-nft man pages + +These are 1:1 copies from legacy arptables repository. + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +(cherry picked from commit 4dbb6b9118e32a9b748ead893106de59579424f5) +Signed-off-by: Phil Sutter +--- + iptables/Makefile.am | 3 + + iptables/arptables-nft-restore.8 | 41 ++++ + iptables/arptables-nft-save.8 | 37 ++++ + iptables/arptables-nft.8 | 352 +++++++++++++++++++++++++++++++ + 4 files changed, 433 insertions(+) + create mode 100644 iptables/arptables-nft-restore.8 + create mode 100644 iptables/arptables-nft-save.8 + create mode 100644 iptables/arptables-nft.8 + +diff --git a/iptables/Makefile.am b/iptables/Makefile.am +index 581dc32ba846b..52309679d390c 100644 +--- a/iptables/Makefile.am ++++ b/iptables/Makefile.am +@@ -63,6 +63,9 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ + ip6tables-save.8 iptables-extensions.8 \ + xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ + xtables-monitor.8 ++if ENABLE_NFTABLES ++man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 ++endif + CLEANFILES = iptables.8 xtables-monitor.8 \ + xtables-config-parser.c xtables-config-syntax.c + +diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 +new file mode 100644 +index 0000000000000..4f2f623673415 +--- /dev/null ++++ b/iptables/arptables-nft-restore.8 +@@ -0,0 +1,41 @@ ++.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-restore man page. 
++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-restore \(em Restore ARP Tables ++.SH SYNOPSIS ++\fBarptables\-restore ++.SH DESCRIPTION ++.PP ++.B arptables-restore ++is used to restore ARP Tables from data specified on STDIN or ++via a file as first argument. ++Use I/O redirection provided by your shell to read from a file ++.TP ++.B arptables-restore ++flushes (deletes) all previous contents of the respective ARP Table. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-save\fP(8), \fBarptables\fP(8) ++.PP +diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 +new file mode 100644 +index 0000000000000..34791a9c087f0 +--- /dev/null ++++ b/iptables/arptables-nft-save.8 +@@ -0,0 +1,37 @@ ++.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-save man page. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. 
++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-save \(em dump arptables rules to stdout ++.SH SYNOPSIS ++\fBarptables\-save ++.SH DESCRIPTION ++.PP ++.B arptables-save ++is used to dump the contents of an ARP Table in easily parseable format ++to STDOUT. Use I/O-redirection provided by your shell to write to a file. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-restore\fP(8), \fBarptables\fP(8) ++.PP +diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 +new file mode 100644 +index 0000000000000..3ce99e3757004 +--- /dev/null ++++ b/iptables/arptables-nft.8 +@@ -0,0 +1,352 @@ ++.TH ARPTABLES 8 "June 2018" ++.\" ++.\" Man page originally written by Jochen Friedrich , ++.\" maintained by Bart De Schuymer. ++.\" It is based on the iptables man page. ++.\" ++.\" Iptables page by Herve Eychenne March 2000. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. 
++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables \- ARP table administration (legacy) ++.SH SYNOPSIS ++.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] ++.br ++.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ] ++.br ++.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ] ++.br ++.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ] ++.br ++.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain" ++.br ++.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name" ++.br ++.BR "arptables " [ "-t table" ] " -P chain target " [ options ] ++ ++.SH LEGACY ++This tool uses the old xtables/setsockopt framework, and is a legacy version ++of arptables. That means that a new, more modern tool exists with the same ++functionality using the nf_tables framework and you are encouraged to migrate now. ++The new binaries (formerly known as -compat) uses the same syntax and ++semantics than this legacy one. ++ ++You can still use this legacy tool. You should probably get some specific ++information from your Linux distribution or vendor. ++More docs are available at https://wiki.nftables.org ++ ++.SH DESCRIPTION ++.B arptables ++is a user space tool, it is used to set up and maintain the ++tables of ARP rules in the Linux kernel. These rules inspect ++the ARP frames which they see. ++.B arptables ++is analogous to the ++.B iptables ++user space tool, but ++.B arptables ++is less complicated. ++ ++.SS CHAINS ++The kernel table is used to divide functionality into ++different sets of rules. Each set of rules is called a chain. ++Each chain is an ordered list of rules that can match ARP frames. 
If a ++rule matches an ARP frame, then a processing specification tells ++what to do with that matching frame. The processing specification is ++called a 'target'. However, if the frame does not match the current ++rule in the chain, then the next rule in the chain is examined and so forth. ++The user can create new (user-defined) chains which can be used as the 'target' of a rule. ++ ++.SS TARGETS ++A firewall rule specifies criteria for an ARP frame and a frame ++processing specification called a target. When a frame matches a rule, ++then the next action performed by the kernel is specified by the target. ++The target can be one of these values: ++.IR ACCEPT , ++.IR DROP , ++.IR CONTINUE , ++.IR RETURN , ++an 'extension' (see below) or a user-defined chain. ++.PP ++.I ACCEPT ++means to let the frame through. ++.I DROP ++means the frame has to be dropped. ++.I CONTINUE ++means the next rule has to be checked. This can be handy to know how many ++frames pass a certain point in the chain or to log those frames. ++.I RETURN ++means stop traversing this chain and resume at the next rule in the ++previous (calling) chain. ++For the extension targets please see the ++.B "TARGET EXTENSIONS" ++section of this man page. ++.SS TABLES ++There is only one ARP table in the Linux ++kernel. The table is ++.BR filter. ++You can drop the '-t filter' argument to the arptables command. ++The -t argument must be the ++first argument on the arptables command line, if used. ++.TP ++.B "-t, --table" ++.br ++.BR filter , ++is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains: ++.B INPUT ++(for frames destined for the host), ++.B OUTPUT ++(for locally-generated frames) and ++.B FORWARD ++(for frames being forwarded by the bridge code). The ++.B FORWARD ++chain doesn't exist in Linux 2.4.X kernels. 
++.br ++.br ++.SH ARPTABLES COMMAND LINE ARGUMENTS ++After the initial arptables command line argument, the remaining ++arguments can be divided into several different groups. These groups ++are commands, miscellaneous commands, rule-specifications, match-extensions, ++and watcher-extensions. ++.SS COMMANDS ++The arptables command arguments specify the actions to perform on the table ++defined with the -t argument. If you do not use the -t argument to name ++a table, the commands apply to the default filter table. ++With the exception of the ++.B "-Z" ++command, only one command may be used on the command line at a time. ++.TP ++.B "-A, --append" ++Append a rule to the end of the selected chain. ++.TP ++.B "-D, --delete" ++Delete the specified rule from the selected chain. There are two ways to ++use this command. The first is by specifying an interval of rule numbers ++to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more ++details about using negative numbers, see the -I command. The second usage is by ++specifying the complete rule as it would have been specified when it was added. ++.TP ++.B "-I, --insert" ++Insert the specified rule into the selected chain at the specified rule number. ++If the current number of rules equals N, then the specified number can be ++between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the ++same place in the chain where the rule should be inserted. The number 0 specifies ++the place past the last rule in the chain and using this number is therefore ++equivalent with using the -A command. ++.TP ++.B "-R, --replace" ++Replaces the specified rule into the selected chain at the specified rule number. ++If the current number of rules equals N, then the specified number can be ++between 1 and N. i specifies the place in the chain where the rule should be replaced. ++.TP ++.B "-P, --policy" ++Set the policy for the chain to the given target. 
The policy can be ++.BR ACCEPT ", " DROP " or " RETURN . ++.TP ++.B "-F, --flush" ++Flush the selected chain. If no chain is selected, then every chain will be ++flushed. Flushing the chain does not change the policy of the ++chain, however. ++.TP ++.B "-Z, --zero" ++Set the counters of the selected chain to zero. If no chain is selected, all the counters ++are set to zero. The ++.B "-Z" ++command can be used in conjunction with the ++.B "-L" ++command. ++When both the ++.B "-Z" ++and ++.B "-L" ++commands are used together in this way, the rule counters are printed on the screen ++before they are set to zero. ++.TP ++.B "-L, --list" ++List all rules in the selected chain. If no chain is selected, all chains ++are listed. ++.TP ++.B "-N, --new-chain" ++Create a new user-defined chain with the given name. The number of ++user-defined chains is unlimited. A user-defined chain name has maximum ++length of 31 characters. ++.TP ++.B "-X, --delete-chain" ++Delete the specified user-defined chain. There must be no remaining references ++to the specified chain, otherwise ++.B arptables ++will refuse to delete it. If no chain is specified, all user-defined ++chains that aren't referenced will be removed. ++.TP ++.B "-E, --rename-chain" ++Rename the specified chain to a new name. Besides renaming a user-defined ++chain, you may rename a standard chain name to a name that suits your ++taste. For example, if you like PREBRIDGING more than PREROUTING, ++then you can use the -E command to rename the PREROUTING chain. If you do ++rename one of the standard ++.B arptables ++chain names, please be sure to mention ++this fact should you post a question on the ++.B arptables ++mailing lists. ++It would be wise to use the standard name in your post. Renaming a standard ++.B arptables ++chain in this fashion has no effect on the structure or function ++of the ++.B arptables ++kernel table. 
++ ++.SS MISCELLANOUS COMMANDS ++.TP ++.B "-V, --version" ++Show the version of the arptables userspace program. ++.TP ++.B "-h, --help" ++Give a brief description of the command syntax. ++.TP ++.BR "-j, --jump " "\fItarget\fP" ++The target of the rule. This is one of the following values: ++.BR ACCEPT , ++.BR DROP , ++.BR CONTINUE , ++.BR RETURN , ++a target extension (see ++.BR "TARGET EXTENSIONS" ")" ++or a user-defined chain name. ++.TP ++.BI "-c, --set-counters " "PKTS BYTES" ++This enables the administrator to initialize the packet and byte ++counters of a rule (during ++.B INSERT, ++.B APPEND, ++.B REPLACE ++operations). ++ ++.SS RULE-SPECIFICATIONS ++The following command line arguments make up a rule specification (as used ++in the add and delete commands). A "!" option before the specification ++inverts the test for that specification. Apart from these standard rule ++specifications there are some other command line arguments of interest. ++.TP ++.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP" ++The Source IP specification. ++.TP ++.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP" ++The Destination IP specification. ++.TP ++.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]" ++The source mac address. Both mask and address are written as 6 hexadecimal ++numbers separated by colons. ++.TP ++.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]" ++The destination mac address. Both mask and address are written as 6 hexadecimal ++numbers separated by colons. ++.TP ++.BR "-i, --in-interface " "[!] \fIname\fP" ++The interface via which a frame is received (for the ++.BR INPUT " and " FORWARD ++chains). The flag ++.B --in-if ++is an alias for this option. ++.TP ++.BR "-o, --out-interface " "[!] \fIname\fP" ++The interface via which a frame is going to be sent (for the ++.BR OUTPUT " and " FORWARD ++chains). The flag ++.B --out-if ++is an alias for this option. 
++.TP ++.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]" ++The hardware length (nr of bytes) ++.TP ++.BR "--opcode " "\fIcode\fP[/\fImask\fP] ++The operation code (2 bytes). Available values are: ++.BR 1 = Request ++.BR 2 = Reply ++.BR 3 = Request_Reverse ++.BR 4 = Reply_Reverse ++.BR 5 = DRARP_Request ++.BR 6 = DRARP_Reply ++.BR 7 = DRARP_Error ++.BR 8 = InARP_Request ++.BR 9 = ARP_NAK . ++.TP ++.BR "--h-type " "\fItype\fP[/\fImask\fP]" ++The hardware type (2 bytes, hexadecimal). Available values are: ++.BR 1 = Ethernet . ++.TP ++.BR "--proto-type " "\fItype\fP[/\fImask\fP]" ++The protocol type (2 bytes). Available values are: ++.BR 0x800 = IPv4 . ++ ++.SS TARGET-EXTENSIONS ++.B arptables ++extensions are precompiled into the userspace tool. So there is no need ++to explicitly load them with a -m option like in ++.BR iptables . ++However, these ++extensions deal with functionality supported by supplemental kernel modules. ++.SS mangle ++.TP ++.BR "--mangle-ip-s IP address" ++Mangles Source IP Address to given value. ++.TP ++.BR "--mangle-ip-d IP address" ++Mangles Destination IP Address to given value. ++.TP ++.BR "--mangle-mac-s MAC address" ++Mangles Source MAC Address to given value. ++.TP ++.BR "--mangle-mac-d MAC address" ++Mangles Destination MAC Address to given value. ++.TP ++.BR "--mangle-target target " ++Target of ARP mangle operation ++.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ). ++.SS CLASSIFY ++This module allows you to set the skb->priority value (and thus clas- ++sify the packet into a specific CBQ class). ++ ++.TP ++.BR "--set-class major:minor" ++ ++Set the major and minor class value. The values are always ++interpreted as hexadecimal even if no 0x prefix is given. ++ ++.SS MARK ++This module allows you to set the skb->mark value (and thus classify ++the packet by the mark in u32) ++ ++.TP ++.BR "--set-mark mark" ++Set the mark value. 
The values are always ++interpreted as hexadecimal even if no 0x prefix is given ++ ++.TP ++.BR "--and-mark mark" ++Binary AND the mark with bits. ++ ++.TP ++.BR "--or-mark mark" ++Binary OR the mark with bits. ++ ++.SH MAILINGLISTS ++.BR "" "See " http://netfilter.org/mailinglists.html ++.SH SEE ALSO ++.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8) ++.PP ++.BR "" "See " http://ebtables.sf.net +-- +2.21.0 + diff --git a/0004-doc-Adjust-arptables-man-pages.patch b/0004-doc-Adjust-arptables-man-pages.patch new file mode 100644 index 0000000..3bf16d5 --- /dev/null +++ b/0004-doc-Adjust-arptables-man-pages.patch 
@@ -0,0 +1,192 @@ +From 2efbd30ed9f1db90b32b556d0e3df16d05281bc7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 13 Mar 2019 20:46:13 +0100 +Subject: [PATCH] doc: Adjust arptables man pages + +Change content to suit the shipped nft-based variant. Most relevant +changes: + +* FORWARD chain is not supported +* arptables-nft-save supports a few parameters + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +(cherry picked from commit 1a0cd997d601794c7031346063b8b77f4af2a13e) +Signed-off-by: Phil Sutter +--- + iptables/arptables-nft-restore.8 | 6 ++-- + iptables/arptables-nft-save.8 | 20 +++++++++---- + iptables/arptables-nft.8 | 48 +++++++++++++++----------------- + 3 files changed, 39 insertions(+), 35 deletions(-) + +diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 +index 4f2f623673415..09d9082cf9fd3 100644 +--- a/iptables/arptables-nft-restore.8 ++++ b/iptables/arptables-nft-restore.8 +@@ -1,4 +1,4 @@ +-.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" ++.TH ARPTABLES-RESTORE 8 "March 2019" "" "" + .\" + .\" Man page written by Jesper Dangaard Brouer based on a + .\" Man page written by Harald Welte +@@ -20,7 +20,7 @@ + .\" + .\" + .SH NAME +-arptables-restore \(em Restore ARP Tables ++arptables-restore \- Restore ARP Tables (nft-based) + .SH SYNOPSIS + \fBarptables\-restore + .SH DESCRIPTION +@@ -32,8 +32,6 @@ Use I/O redirection provided by your shell to read from a file + .TP + .B arptables-restore + flushes (deletes) all previous contents of the respective ARP Table. 
+-.SH BUGS +-None known as of arptables-0.0.4 release + .SH AUTHOR + Jesper Dangaard Brouer + .SH SEE ALSO +diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 +index 34791a9c087f0..905e59854cc28 100644 +--- a/iptables/arptables-nft-save.8 ++++ b/iptables/arptables-nft-save.8 +@@ -1,4 +1,4 @@ +-.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" ++.TH ARPTABLES-SAVE 8 "March 2019" "" "" + .\" + .\" Man page written by Jesper Dangaard Brouer based on a + .\" Man page written by Harald Welte +@@ -20,16 +20,26 @@ + .\" + .\" + .SH NAME +-arptables-save \(em dump arptables rules to stdout ++arptables-save \- dump arptables rules to stdout (nft-based) + .SH SYNOPSIS +-\fBarptables\-save ++\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] ++.P ++\fBarptables\-save\fP [\fB\-V\fP] + .SH DESCRIPTION + .PP + .B arptables-save + is used to dump the contents of an ARP Table in easily parseable format + to STDOUT. Use I/O-redirection provided by your shell to write to a file. +-.SH BUGS +-None known as of arptables-0.0.4 release ++.TP ++\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP ++Specify the path to the modprobe program. By default, arptables-save will ++inspect /proc/sys/kernel/modprobe to determine the executable's path. ++.TP ++\fB\-c\fR, \fB\-\-counters\fR ++Include the current values of all packet and byte counters in the output. ++.TP ++\fB\-V\fR, \fB\-\-version\fR ++Print version information and exit. + .SH AUTHOR + Jesper Dangaard Brouer + .SH SEE ALSO +diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 +index 3ce99e3757004..ea31e0842acd4 100644 +--- a/iptables/arptables-nft.8 ++++ b/iptables/arptables-nft.8 +@@ -1,4 +1,4 @@ +-.TH ARPTABLES 8 "June 2018" ++.TH ARPTABLES 8 "March 2019" + .\" + .\" Man page originally written by Jochen Friedrich , + .\" maintained by Bart De Schuymer. 
+@@ -22,7 +22,7 @@ + .\" + .\" + .SH NAME +-arptables \- ARP table administration (legacy) ++arptables \- ARP table administration (nft-based) + .SH SYNOPSIS + .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] + .br +@@ -38,17 +38,6 @@ arptables \- ARP table administration (legacy) + .br + .BR "arptables " [ "-t table" ] " -P chain target " [ options ] + +-.SH LEGACY +-This tool uses the old xtables/setsockopt framework, and is a legacy version +-of arptables. That means that a new, more modern tool exists with the same +-functionality using the nf_tables framework and you are encouraged to migrate now. +-The new binaries (formerly known as -compat) uses the same syntax and +-semantics than this legacy one. +- +-You can still use this legacy tool. You should probably get some specific +-information from your Linux distribution or vendor. +-More docs are available at https://wiki.nftables.org +- + .SH DESCRIPTION + .B arptables + is a user space tool, it is used to set up and maintain the +@@ -106,15 +95,11 @@ first argument on the arptables command line, if used. + .B "-t, --table" + .br + .BR filter , +-is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains: ++is the only table and contains two built-in chains: + .B INPUT +-(for frames destined for the host), ++(for frames destined for the host) and + .B OUTPUT +-(for locally-generated frames) and +-.B FORWARD +-(for frames being forwarded by the bridge code). The +-.B FORWARD +-chain doesn't exist in Linux 2.4.X kernels. ++(for locally-generated frames). + .br + .br + .SH ARPTABLES COMMAND LINE ARGUMENTS +@@ -258,15 +243,15 @@ numbers separated by colons. + .TP + .BR "-i, --in-interface " "[!] \fIname\fP" + The interface via which a frame is received (for the +-.BR INPUT " and " FORWARD +-chains). The flag ++.B INPUT ++chain). The flag + .B --in-if + is an alias for this option. + .TP + .BR "-o, --out-interface " "[!] 
\fIname\fP" + The interface via which a frame is going to be sent (for the +-.BR OUTPUT " and " FORWARD +-chains). The flag ++.B OUTPUT ++chain). The flag + .B --out-if + is an alias for this option. + .TP +@@ -344,9 +329,20 @@ Binary AND the mark with bits. + .BR "--or-mark mark" + Binary OR the mark with bits. + ++.SH NOTES ++In this nft-based version of ++.BR arptables , ++support for ++.B FORWARD ++chain has not been implemented. Since ARP packets are "forwarded" only by Linux ++bridges, the same may be achieved using ++.B FORWARD ++chain in ++.BR ebtables . ++ + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH SEE ALSO +-.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8) ++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) + .PP +-.BR "" "See " http://ebtables.sf.net ++.BR "" "See " https://wiki.nftables.org +-- +2.21.0 + diff --git a/0005-doc-Add-ebtables-man-page.patch b/0005-doc-Add-ebtables-man-page.patch new file mode 100644 index 0000000..a7b8203 --- /dev/null +++ b/0005-doc-Add-ebtables-man-page.patch 
@@ -0,0 +1,1186 @@
+From c1d57b73ccd3cd3ab09a8bb8c0d2b5afd3ceb307 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 13 Mar 2019 20:46:14 +0100
+Subject: [PATCH] doc: Add ebtables man page
+
+This is a 1:1 copy from legacy ebtables repository.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+(cherry picked from commit eefd72aca33c6cdf7290da0c4a656c6768097181)
+Signed-off-by: Phil Sutter
+---
+ iptables/Makefile.am | 3 +-
+ iptables/ebtables-nft.8 | 1146 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 1148 insertions(+), 1 deletion(-)
+ create mode 100644 iptables/ebtables-nft.8
+
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 52309679d390c..37937b43cc310 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -64,7 +64,8 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
+ xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
+ xtables-monitor.8
+ if ENABLE_NFTABLES
+-man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8
++man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \
++ ebtables-nft.8
+ endif
+ CLEANFILES = iptables.8 xtables-monitor.8 \
+ xtables-config-parser.c xtables-config-syntax.c
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+new file mode 100644
+index 0000000000000..55204ab91e8a4
+--- /dev/null
++++ b/iptables/ebtables-nft.8
+@@ -0,0 +1,1146 @@
++.TH EBTABLES 8 "December 2011"
++.\"
++.\" Man page written by Bart De Schuymer
++.\" It is based on the iptables man page.
++.\"
++.\" The man page was edited, February 25th 2003, by
++.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net >
++.\"
++.\" Iptables page by Herve Eychenne March 2000.
++.\"
++.\" This program is free software; you can redistribute it and/or modify
++.\" it under the terms of the GNU General Public License as published by
++.\" the Free Software Foundation; either version 2 of the License, or
++.\" (at your option) any later version.
++.\"
++.\" This program is distributed in the hope that it will be useful,
++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++.\" GNU General Public License for more details.
++.\"
++.\" You should have received a copy of the GNU General Public License
++.\" along with this program; if not, write to the Free Software
++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++.\"
++.\"
++.SH NAME
++ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
++.SH SYNOPSIS
++.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
++.br
++.BR "ebtables " [ -t " table ] " -P " chain " ACCEPT " | " DROP " | " RETURN
++.br
++.BR "ebtables " [ -t " table ] " -F " [chain]"
++.br
++.BR "ebtables " [ -t " table ] " -Z " [chain]"
++.br
++.BR "ebtables " [ -t " table ] " -L " [" -Z "] [chain] [ [" --Ln "] | [" --Lx "] ] [" --Lc "] [" --Lmac2 ]
++.br
++.BR "ebtables " [ -t " table ] " -N " chain [" "-P ACCEPT " | " DROP " | " RETURN" ]
++.br
++.BR "ebtables " [ -t " table ] " -X " [chain]"
++.br
++.BR "ebtables " [ -t " table ] " -E " old-chain-name new-chain-name"
++.br
++.BR "ebtables " [ -t " table ] " --init-table
++.br
++.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
++.br
++.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
++.br
++.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
++.br
++
++.SH LEGACY
++This tool uses the old xtables/setsockopt framework, and is a legacy version
++of ebtables. That means that a new, more modern tool exists with the same
++functionality using the nf_tables framework and you are encouraged to migrate now.
++The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
++uses the same syntax and semantics than this legacy one.
++
++You can still use this legacy tool. You should probably get some specific
++information from your Linux distribution or vendor.
++More docs are available at https://wiki.nftables.org
++
++.SH DESCRIPTION
++.B ebtables
++is an application program used to set up and maintain the
++tables of rules (inside the Linux kernel) that inspect
++Ethernet frames.
++It is analogous to the
++.B iptables
++application, but less complicated, due to the fact that the Ethernet protocol
++is much simpler than the IP protocol.
++.SS CHAINS
++There are three ebtables tables with built-in chains in the
++Linux kernel. These tables are used to divide functionality into
++different sets of rules. Each set of rules is called a chain.
++Each chain is an ordered list of rules that can match Ethernet frames. If a
++rule matches an Ethernet frame, then a processing specification tells
++what to do with that matching frame. The processing specification is
++called a 'target'. However, if the frame does not match the current
++rule in the chain, then the next rule in the chain is examined and so forth.
++The user can create new (user-defined) chains that can be used as the 'target'
++of a rule. User-defined chains are very useful to get better performance
++over the linear traversal of the rules and are also essential for structuring
++the filtering rules into well-organized and maintainable sets of rules.
++.SS TARGETS
++A firewall rule specifies criteria for an Ethernet frame and a frame
++processing specification called a target. When a frame matches a rule,
++then the next action performed by the kernel is specified by the target.
++The target can be one of these values:
++.BR ACCEPT ,
++.BR DROP ,
++.BR CONTINUE ,
++.BR RETURN ,
++an 'extension' (see below) or a jump to a user-defined chain.
++.PP
++.B ACCEPT
++means to let the frame through.
++.B DROP
++means the frame has to be dropped. In the
++.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
++meanings (see the info provided for the
++.BR -t " option)."
++.B CONTINUE
++means the next rule has to be checked. This can be handy, f.e., to know how many
++frames pass a certain point in the chain, to log those frames or to apply multiple
++targets on a frame.
++.B RETURN
++means stop traversing this chain and resume at the next rule in the
++previous (calling) chain.
++For the extension targets please refer to the
++.B "TARGET EXTENSIONS"
++section of this man page.
++.SS TABLES
++As stated earlier, there are three ebtables tables in the Linux
++kernel. The table names are
++.BR filter ", " nat " and " broute .
++Of these three tables,
++the filter table is the default table that the command operates on.
++If you are working with the filter table, then you can drop the '-t filter'
++argument to the ebtables command. However, you will need to provide
++the -t argument for the other two tables. Moreover, the -t argument must be the
++first argument on the ebtables command line, if used.
++.TP
++.B "-t, --table"
++.br
++.B filter
++is the default table and contains three built-in chains:
++.B INPUT
++(for frames destined for the bridge itself, on the level of the MAC destination address),
++.B OUTPUT
++(for locally-generated or (b)routed frames) and
++.B FORWARD
++(for frames being forwarded by the bridge).
++.br
++.br
++.B nat
++is mostly used to change the mac addresses and contains three built-in chains:
++.B PREROUTING
++(for altering frames as soon as they come in),
++.B OUTPUT
++(for altering locally generated or (b)routed frames before they are bridged) and
++.B POSTROUTING
++(for altering frames as they are about to go out). A small note on the naming
++of chains PREROUTING and POSTROUTING: it would be more accurate to call them
++PREFORWARDING and POSTFORWARDING, but for all those who come from the
++iptables world to ebtables it is easier to have the same names. Note that you
++can change the name
++.BR "" ( -E )
++if you don't like the default.
++.br
++.br
++.B broute
++is used to make a brouter, it has one built-in chain:
++.BR BROUTING .
++The targets
++.BR DROP " and " ACCEPT
++have a special meaning in the broute table (these names are used instead of
++more descriptive names to keep the implementation generic).
++.B DROP
++actually means the frame has to be routed, while
++.B ACCEPT
++means the frame has to be bridged. The
++.B BROUTING
++chain is traversed very early. However, it is only traversed by frames entering on
++a bridge port that is in forwarding state. Normally those frames
++would be bridged, but you can decide otherwise here. The
++.B redirect
++target is very handy here.
++.SH EBTABLES COMMAND LINE ARGUMENTS
++After the initial ebtables '-t table' command line argument, the remaining
++arguments can be divided into several groups. These groups
++are commands, miscellaneous commands, rule specifications, match extensions,
++watcher extensions and target extensions.
++.SS COMMANDS
++The ebtables command arguments specify the actions to perform on the table
++defined with the -t argument. If you do not use the -t argument to name
++a table, the commands apply to the default filter table.
++Only one command may be used on the command line at a time, except when
++the commands
++.BR -L " and " -Z
++are combined, the commands
++.BR -N " and " -P
++are combined, or when
++.B --atomic-file
++is used.
++.TP
++.B "-A, --append"
++Append a rule to the end of the selected chain.
++.TP
++.B "-D, --delete"
++Delete the specified rule or rules from the selected chain. There are two ways to
++use this command. The first is by specifying an interval of rule numbers
++to delete (directly after
++.BR -D ).
++Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
++.B -L --Ln
++to list the rules with their rule number). When \fIend_nr\fP is omitted, all rules starting
++from \fIstart_nr\fP are deleted. Using negative numbers is allowed, for more
++details about using negative numbers, see the
++.B -I
++command. The second usage is by
++specifying the complete rule as it would have been specified when it was added. Only
++the first encountered rule that is the same as this specified rule, in other
++words the matching rule with the lowest (positive) rule number, is deleted.
++.TP
++.B "-C, --change-counters"
++Change the counters of the specified rule or rules from the selected chain. There are two ways to
++use this command. The first is by specifying an interval of rule numbers
++to do the changes on (directly after
++.BR -C ).
++Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
++.B -L --Ln
++to list the rules with their rule number). The details are the same as for the
++.BR -D " command. The second usage is by"
++specifying the complete rule as it would have been specified when it was added. Only
++the counters of the first encountered rule that is the same as this specified rule, in other
++words the matching rule with the lowest (positive) rule number, are changed.
++In the first usage, the counters are specified directly after the interval specification,
++in the second usage directly after
++.BR -C .
++First the packet counter is specified, then the byte counter. If the specified counters start
++with a '+', the counter values are added to the respective current counter values.
++If the specified counters start with a '-', the counter values are decreased from the respective
++current counter values. No bounds checking is done. If the counters don't start with '+' or '-',
++the current counters are changed to the specified counters.
++.TP
++.B "-I, --insert"
++Insert the specified rule into the selected chain at the specified rule number. If the
++rule number is not specified, the rule is added at the head of the chain.
++If the current number of rules equals
++.IR N ,
++then the specified number can be
++between
++.IR -N " and " N+1 .
++For a positive number
++.IR i ,
++it holds that
++.IR i " and " i-N-1
++specify the same place in the chain where the rule should be inserted. The rule number
++0 specifies the place past the last rule in the chain and using this number is therefore
++equivalent to using the
++.BR -A " command."
++Rule numbers structly smaller than 0 can be useful when more than one rule needs to be inserted
++in a chain.
++.TP
++.B "-P, --policy"
++Set the policy for the chain to the given target. The policy can be
++.BR ACCEPT ", " DROP " or " RETURN .
++.TP
++.B "-F, --flush"
++Flush the selected chain. If no chain is selected, then every chain will be
++flushed. Flushing a chain does not change the policy of the
++chain, however.
++.TP
++.B "-Z, --zero"
++Set the counters of the selected chain to zero. If no chain is selected, all the counters
++are set to zero. The
++.B "-Z"
++command can be used in conjunction with the
++.B "-L"
++command.
++When both the
++.B "-Z"
++and
++.B "-L"
++commands are used together in this way, the rule counters are printed on the screen
++before they are set to zero.
++.TP
++.B "-L, --list"
++List all rules in the selected chain. If no chain is selected, all chains
++are listed.
++.br
++The following options change the output of the
++.B "-L"
++command.
++.br
++.B "--Ln"
++.br
++Places the rule number in front of every rule. This option is incompatible with the
++.BR --Lx " option."
++.br
++.B "--Lc"
++.br
++Shows the counters at the end of each rule displayed by the
++.B "-L"
++command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
++The frame counter shows how many frames have matched the specific rule, the byte
++counter shows the sum of the frame sizes of these matching frames. Using this option
++.BR "" "in combination with the " --Lx " option causes the counters to be written out"
++.BR "" "in the '" -c " ' option format."
++.br
++.B "--Lx"
++.br
++Changes the output so that it produces a set of ebtables commands that construct
++the contents of the chain, when specified.
++If no chain is specified, ebtables commands to construct the contents of the
++table are given, including commands for creating the user-defined chains (if any).
++You can use this set of commands in an ebtables boot or reload
++script. For example the output could be used at system startup.
++The
++.B "--Lx"
++option is incompatible with the
++.B "--Ln"
++listing option. Using the
++.BR --Lx " option together with the " --Lc " option will cause the counters to be written out"
++.BR "" "in the '" -c " ' option format."
++.br
++.B "--Lmac2"
++.br
++Shows all MAC addresses with the same length, adding leading zeroes
++if necessary. The default representation omits leading zeroes in the addresses.
++.TP
++.B "-N, --new-chain"
++Create a new user-defined chain with the given name. The number of
++user-defined chains is limited only by the number of possible chain names.
++A user-defined chain name has a maximum
++length of 31 characters. The standard policy of the user-defined chain is
++ACCEPT. The policy of the new chain can be initialized to a different standard
++target by using the
++.B -P
++command together with the
++.B -N
++command. In this case, the chain name does not have to be specified for the
++.B -P
++command.
++.TP
++.B "-X, --delete-chain"
++Delete the specified user-defined chain. There must be no remaining references (jumps)
++to the specified chain, otherwise ebtables will refuse to delete it. If no chain is
++specified, all user-defined chains that aren't referenced will be removed.
++.TP
++.B "-E, --rename-chain"
++Rename the specified chain to a new name. Besides renaming a user-defined
++chain, you can rename a standard chain to a name that suits your
++taste. For example, if you like PREFORWARDING more than PREROUTING,
++then you can use the -E command to rename the PREROUTING chain. If you do
++rename one of the standard ebtables chain names, please be sure to mention
++this fact should you post a question on the ebtables mailing lists.
++It would be wise to use the standard name in your post. Renaming a standard
++ebtables chain in this fashion has no effect on the structure or functioning
++of the ebtables kernel table.
++.TP
++.B "--init-table"
++Replace the current table data by the initial table data.
++.TP
++.B "--atomic-init"
++Copy the kernel's initial data of the table to the specified
++file. This can be used as the first action, after which rules are added
++to the file. The file can be specified using the
++.B --atomic-file
++command or through the
++.IR EBTABLES_ATOMIC_FILE " environment variable."
++.TP
++.B "--atomic-save"
++Copy the kernel's current data of the table to the specified
++file. This can be used as the first action, after which rules are added
++to the file. The file can be specified using the
++.B --atomic-file
++command or through the
++.IR EBTABLES_ATOMIC_FILE " environment variable."
++.TP
++.B "--atomic-commit"
++Replace the kernel table data with the data contained in the specified
++file. This is a useful command that allows you to load all your rules of a
++certain table into the kernel at once, saving the kernel a lot of precious
++time and allowing atomic updates of the tables. The file which contains
++the table data is constructed by using either the
++.B "--atomic-init"
++or the
++.B "--atomic-save"
++command to generate a starting file. After that, using the
++.B "--atomic-file"
++command when constructing rules or setting the
++.IR EBTABLES_ATOMIC_FILE " environment variable"
++allows you to extend the file and build the complete table before
++committing it to the kernel. This command can be very useful in boot scripts
++to populate the ebtables tables in a fast way.
++.SS MISCELLANOUS COMMANDS
++.TP
++.B "-V, --version"
++Show the version of the ebtables userspace program.
++.TP
++.BR "-h, --help " "[\fIlist of module names\fP]"
++Give a brief description of the command syntax. Here you can also specify
++names of extensions and ebtables will try to write help about those
++extensions. E.g.
++.IR "ebtables -h snat log ip arp" .
++Specify
++.I list_extensions
++to list all extensions supported by the userspace
++utility.
++.TP
++.BR "-j, --jump " "\fItarget\fP"
++The target of the rule. This is one of the following values:
++.BR ACCEPT ,
++.BR DROP ,
++.BR CONTINUE ,
++.BR RETURN ,
++a target extension (see
++.BR "TARGET EXTENSIONS" ")"
++or a user-defined chain name.
++.TP
++.B --atomic-file "\fIfile\fP"
++Let the command operate on the specified
++.IR file .
++The data of the table to
++operate on will be extracted from the file and the result of the operation
++will be saved back into the file. If specified, this option should come
++before the command specification. An alternative that should be preferred,
++is setting the
++.IR EBTABLES_ATOMIC_FILE " environment variable."
++.TP
++.B -M, --modprobe "\fIprogram\fP"
++When talking to the kernel, use this
++.I program
++to try to automatically load missing kernel modules.
++.TP
++.B --concurrent
++Use a file lock to support concurrent scripts updating the ebtables kernel tables.
++
++.SS
++RULE SPECIFICATIONS
++The following command line arguments make up a rule specification (as used
++in the add and delete commands). A "!" option before the specification
++inverts the test for that specification. Apart from these standard rule
++specifications there are some other command line arguments of interest.
++See both the
++.BR "MATCH EXTENSIONS"
++and the
++.BR "WATCHER EXTENSIONS"
++below.
++.TP
++.BR "-p, --protocol " "[!] \fIprotocol\fP"
++The protocol that was responsible for creating the frame. This can be a
++hexadecimal number, above
++.IR 0x0600 ,
++a name (e.g.
++.I ARP
++) or
++.BR LENGTH .
++The protocol field of the Ethernet frame can be used to denote the
++length of the header (802.2/802.3 networks). When the value of that field is
++below or equals
++.IR 0x0600 ,
++the value equals the size of the header and shouldn't be used as a
++protocol number. Instead, all frames where the protocol field is used as
++the length field are assumed to be of the same 'protocol'. The protocol
++name used in ebtables for these frames is
++.BR LENGTH .
++.br
++The file
++.B /etc/ethertypes
++can be used to show readable
++characters instead of hexadecimal numbers for the protocols. For example,
++.I 0x0800
++will be represented by
++.IR IPV4 .
++The use of this file is not case sensitive.
++See that file for more information. The flag
++.B --proto
++is an alias for this option.
++.TP
++.BR "-i, --in-interface " "[!] \fIname\fP"
++The interface (bridge port) via which a frame is received (this option is useful in the
++.BR INPUT ,
++.BR FORWARD ,
++.BR PREROUTING " and " BROUTING
++chains). If the interface name ends with '+', then
++any interface name that begins with this name (disregarding '+') will match.
++The flag
++.B --in-if
++is an alias for this option.
++.TP
++.BR "--logical-in " "[!] \fIname\fP"
++The (logical) bridge interface via which a frame is received (this option is useful in the
++.BR INPUT ,
++.BR FORWARD ,
++.BR PREROUTING " and " BROUTING
++chains).
++If the interface name ends with '+', then
++any interface name that begins with this name (disregarding '+') will match.
++.TP
++.BR "-o, --out-interface " "[!] \fIname\fP"
++The interface (bridge port) via which a frame is going to be sent (this option is useful in the
++.BR OUTPUT ,
++.B FORWARD
++and
++.B POSTROUTING
++chains). If the interface name ends with '+', then
++any interface name that begins with this name (disregarding '+') will match.
++The flag
++.B --out-if
++is an alias for this option.
++.TP
++.BR "--logical-out " "[!] \fIname\fP"
++The (logical) bridge interface via which a frame is going to be sent (this option
++is useful in the
++.BR OUTPUT ,
++.B FORWARD
++and
++.B POSTROUTING
++chains).
++If the interface name ends with '+', then
++any interface name that begins with this name (disregarding '+') will match.
++.TP
++.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
++The source MAC address. Both mask and address are written as 6 hexadecimal
++numbers separated by colons. Alternatively one can specify Unicast,
++Multicast, Broadcast or BGA (Bridge Group Address):
++.br
++.IR "Unicast" "=00:00:00:00:00:00/01:00:00:00:00:00,"
++.IR "Multicast" "=01:00:00:00:00:00/01:00:00:00:00:00,"
++.IR "Broadcast" "=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or"
++.IR "BGA" "=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff."
++Note that a broadcast
++address will also match the multicast specification. The flag
++.B --src
++is an alias for this option.
++.TP
++.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
++The destination MAC address. See
++.B -s
++(above) for more details on MAC addresses. The flag
++.B --dst
++is an alias for this option.
++.TP
++.BR "-c, --set-counter " "\fIpcnt bcnt\fP"
++If used with
++.BR -A " or " -I ", then the packet and byte counters of the new rule will be set to
++.IR pcnt ", resp. " bcnt ".
++If used with the
++.BR -C " or " -D " commands, only rules with a packet and byte count equal to"
++.IR pcnt ", resp. " bcnt " will match."
++
++.SS MATCH EXTENSIONS
++Ebtables extensions are dynamically loaded into the userspace tool,
++there is therefore no need to explicitly load them with a
++-m option like is done in iptables.
++These extensions deal with functionality supported by kernel modules supplemental to
++the core ebtables code.
++.SS 802_3
++Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as
++.IR "LENGTH " "(see the option " " -p " above).
++.TP
++.BR "--802_3-sap " "[!] \fIsap\fP"
++DSAP and SSAP are two one byte 802.3 fields. The bytes are always
++equal, so only one byte (hexadecimal) is needed as an argument.
++.TP
++.BR "--802_3-type " "[!] \fItype\fP"
++If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
++be consulted to determine the payload protocol. This is a two byte
++(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
++checked for type.
++.SS among
++Match a MAC address or MAC/IP address pair versus a list of MAC addresses
++and MAC/IP address pairs.
++A list entry has the following format:
++.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
++list entries are separated by a comma, specifying an IP address corresponding to
++the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
++but different IP address (and vice versa) can be specified. If the MAC address doesn't
++match any entry from the list, the frame doesn't match the rule (unless "!" was used).
++.TP
++.BR "--among-dst " "[!] \fIlist\fP"
++Compare the MAC destination to the given list. If the Ethernet frame has type
++.IR IPv4 " or " ARP ,
++then comparison with MAC/IP destination address pairs from the
++list is possible.
++.TP
++.BR "--among-src " "[!] \fIlist\fP"
++Compare the MAC source to the given list. If the Ethernet frame has type
++.IR IPv4 " or " ARP ,
++then comparison with MAC/IP source address pairs from the list
++is possible.
++.TP
++.BR "--among-dst-file " "[!] \fIfile\fP"
++Same as
++.BR --among-dst " but the list is read in from the specified file."
++.TP
++.BR "--among-src-file " "[!] \fIfile\fP"
++Same as
++.BR --among-src " but the list is read in from the specified file."
++.SS arp
++Specify (R)ARP fields. The protocol must be specified as
++.IR ARP " or " RARP .
++.TP
++.BR "--arp-opcode " "[!] \fIopcode\fP"
++The (R)ARP opcode (decimal or a string, for more details see
++.BR "ebtables -h arp" ).
++.TP
++.BR "--arp-htype " "[!] \fIhardware type\fP"
++The hardware type, this can be a decimal or the string
++.I Ethernet
++(which sets
++.I type
++to 1). Most (R)ARP packets have Eternet as hardware type.
++.TP
++.BR "--arp-ptype " "[!] \fIprotocol type\fP"
++The protocol type for which the (r)arp is used (hexadecimal or the string
++.IR IPv4 ,
++denoting 0x0800).
++Most (R)ARP packets have protocol type IPv4.
++.TP
++.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
++The (R)ARP IP source address specification.
++.TP
++.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
++The (R)ARP IP destination address specification.
++.TP
++.BR "--arp-mac-src " "[!] \fIaddress\fP[/\fImask\fP]"
++The (R)ARP MAC source address specification.
++.TP
++.BR "--arp-mac-dst " "[!] \fIaddress\fP[/\fImask\fP]"
++The (R)ARP MAC destination address specification.
++.TP
++.BR "" "[!]" " --arp-gratuitous"
++Checks for ARP gratuitous packets: checks equality of IPv4 source
++address and IPv4 destination address inside the ARP header.
++.SS ip
++Specify IPv4 fields. The protocol must be specified as
++.IR IPv4 .
++.TP
++.BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]"
++The source IP address.
++The flag
++.B --ip-src
++is an alias for this option.
++.TP
++.BR "--ip-destination " "[!] \fIaddress\fP[/\fImask\fP]"
++The destination IP address.
++The flag
++.B --ip-dst
++is an alias for this option.
++.TP
++.BR "--ip-tos " "[!] \fItos\fP"
++The IP type of service, in hexadecimal numbers.
++.BR IPv4 .
++.TP
++.BR "--ip-protocol " "[!] \fIprotocol\fP"
++The IP protocol.
++The flag
++.B --ip-proto
++is an alias for this option.
++.TP
++.BR "--ip-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
++The source port or port range for the IP protocols 6 (TCP), 17
++(UDP), 33 (DCCP) or 132 (SCTP). The
++.B --ip-protocol
++option must be specified as
++.IR TCP ", " UDP ", " DCCP " or " SCTP .
++If
++.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
++The flag
++.B --ip-sport
++is an alias for this option.
++.TP
++.BR "--ip-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
++The destination port or port range for ip protocols 6 (TCP), 17
++(UDP), 33 (DCCP) or 132 (SCTP). The
++.B --ip-protocol
++option must be specified as
++.IR TCP ", " UDP ", " DCCP " or " SCTP .
++If
++.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
++The flag
++.B --ip-dport
++is an alias for this option.
++.SS ip6
++Specify IPv6 fields. The protocol must be specified as
++.IR IPv6 .
++.TP
++.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
++The source IPv6 address.
++The flag
++.B --ip6-src
++is an alias for this option.
++.TP
++.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
++The destination IPv6 address.
++The flag
++.B --ip6-dst
++is an alias for this option.
++.TP
++.BR "--ip6-tclass " "[!] \fItclass\fP"
++The IPv6 traffic class, in hexadecimal numbers.
++.TP
++.BR "--ip6-protocol " "[!] \fIprotocol\fP"
++The IP protocol.
++The flag
++.B --ip6-proto
++is an alias for this option.
++.TP
++.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
++The source port or port range for the IPv6 protocols 6 (TCP), 17
++(UDP), 33 (DCCP) or 132 (SCTP). The
++.B --ip6-protocol
++option must be specified as
++.IR TCP ", " UDP ", " DCCP " or " SCTP .
++If
++.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
++The flag
++.B --ip6-sport
++is an alias for this option.
++.TP
++.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
++The destination port or port range for IPv6 protocols 6 (TCP), 17
++(UDP), 33 (DCCP) or 132 (SCTP). The
++.B --ip6-protocol
++option must be specified as
++.IR TCP ", " UDP ", " DCCP " or " SCTP .
++If
++.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
++The flag
++.B --ip6-dport
++is an alias for this option.
++.TP
++.BR "--ip6-icmp-type " "[!] {\fItype\fP[:\fItype\fP]/\fIcode\fP[:\fIcode\fP]|\fItypename\fP}"
++Specify ipv6\-icmp type and code to match.
++Ranges for both type and code are supported. Type and code are
++separated by a slash. Valid numbers for type and range are 0 to 255.
++To match a single type including all valid codes, symbolic names can
++be used instead of numbers. The list of known type names is shown by the command
++.nf
++ ebtables \-\-help ip6
++.fi
++This option is only valid for \-\-ip6-prococol ipv6-icmp.
++.SS limit
++This module matches at a limited rate using a token bucket filter.
++A rule using this extension will match until this limit is reached.
++It can be used with the
++.B --log
++watcher to give limited logging, for example. Its use is the same
++as the limit match of iptables.
++.TP
++.BR "--limit " "[\fIvalue\fP]"
++Maximum average matching rate: specified as a number, with an optional
++.IR /second ", " /minute ", " /hour ", or " /day " suffix; the default is " 3/hour .
++.TP
++.BR "--limit-burst " "[\fInumber\fP]"
++Maximum initial number of packets to match: this number gets recharged by
++one every time the limit specified above is not reached, up to this
++number; the default is
++.IR 5 .
++.SS mark_m
++.TP
++.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
++Matches frames with the given unsigned mark value. If a
++.IR value " and " mask " are specified, the logical AND of the mark value of the frame and"
++the user-specified
++.IR mask " is taken before comparing it with the"
++user-specified mark
++.IR value ". When only a mark "
++.IR value " is specified, the packet"
++only matches when the mark value of the frame equals the user-specified
++mark
++.IR value .
++If only a ++.IR mask " is specified, the logical" ++AND of the mark value of the frame and the user-specified ++.IR mask " is taken and the frame matches when the result of this logical AND is" ++non-zero. Only specifying a ++.IR mask " is useful to match multiple mark values." ++.SS pkttype ++.TP ++.BR "--pkttype-type " "[!] \fItype\fP" ++Matches on the Ethernet "class" of the frame, which is determined by the ++generic networking code. Possible values: ++.IR broadcast " (MAC destination is the broadcast address)," ++.IR multicast " (MAC destination is a multicast address)," ++.IR host " (MAC destination is the receiving network device), or " ++.IR otherhost " (none of the above)." ++.SS stp ++Specify stp BPDU (bridge protocol data unit) fields. The destination ++address ++.BR "" ( -d ") must be specified as the bridge group address" ++.IR "" ( BGA ). ++For all options for which a range of values can be specified, it holds that ++if the lower bound is omitted (but the colon is not), then the lowest possible lower bound ++for that option is used, while if the upper bound is omitted (but the colon again is not), the ++highest possible upper bound for that option is used. ++.TP ++.BR "--stp-type " "[!] \fItype\fP" ++The BPDU type (0-255), recognized non-numerical types are ++.IR config ", denoting a configuration BPDU (=0), and" ++.IR tcn ", denothing a topology change notification BPDU (=128)." ++.TP ++.BR "--stp-flags " "[!] \fIflag\fP" ++The BPDU flag (0-255), recognized non-numerical flags are ++.IR topology-change ", denoting the topology change flag (=1), and" ++.IR topology-change-ack ", denoting the topology change acknowledgement flag (=128)." ++.TP ++.BR "--stp-root-prio " "[!] [\fIprio\fP][:\fIprio\fP]" ++The root priority (0-65535) range. ++.TP ++.BR "--stp-root-addr " "[!] [\fIaddress\fP][/\fImask\fP]" ++The root mac address, see the option ++.BR -s " for more details." ++.TP ++.BR "--stp-root-cost " "[!] 
[\fIcost\fP][:\fIcost\fP]"
++The root path cost (0-4294967295) range.
++.TP
++.BR "--stp-sender-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
++The BPDU's sender priority (0-65535) range.
++.TP
++.BR "--stp-sender-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
++The BPDU's sender mac address, see the option
++.BR -s " for more details."
++.TP
++.BR "--stp-port " "[!] [\fIport\fP][:\fIport\fP]"
++The port identifier (0-65535) range.
++.TP
++.BR "--stp-msg-age " "[!] [\fIage\fP][:\fIage\fP]"
++The message age timer (0-65535) range.
++.TP
++.BR "--stp-max-age " "[!] [\fIage\fP][:\fIage\fP]"
++The max age timer (0-65535) range.
++.TP
++.BR "--stp-hello-time " "[!] [\fItime\fP][:\fItime\fP]"
++The hello time timer (0-65535) range.
++.TP
++.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
++The forward delay timer (0-65535) range.
++.SS string
++This module matches on a given string using some pattern matching strategy.
++.TP
++.BR "--string-algo " "\fIalgorithm\fP"
++The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
++.TP
++.BR "--string-from " "\fIoffset\fP"
++The lowest offset from which a match can start. (default: 0)
++.TP
++.BR "--string-to " "\fIoffset\fP"
++The highest offset from which a match can start. (default: size of frame)
++.TP
++.BR "--string " "[!] \fIpattern\fP"
++Matches the given pattern.
++.TP
++.BR "--string-hex " "[!] \fIpattern\fP"
++Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
++.TP
++.BR "--string-icase"
++Ignore case when searching.
++.SS vlan
++Specify 802.1Q Tag Control Information fields.
++The protocol must be specified as
++.IR 802_1Q " (0x8100)."
++.TP
++.BR "--vlan-id " "[!] \fIid\fP"
++The VLAN identifier field (VID). Decimal number from 0 to 4095.
++.TP
++.BR "--vlan-prio " "[!] \fIprio\fP"
++The user priority field, a decimal number from 0 to 7.
++The VID should be set to 0 ("null VID") or unspecified
++(in the latter case the VID is deliberately set to 0).
++.TP
++.BR "--vlan-encap " "[!] \fItype\fP"
++The encapsulated Ethernet frame type/length.
++Specified as a hexadecimal
++number from 0x0000 to 0xFFFF or as a symbolic name
++from
++.BR /etc/ethertypes .
++
++.SS WATCHER EXTENSIONS
++Watchers only look at frames passing by, they don't modify them nor decide
++to accept the frames or not. These watchers only
++see the frame if the frame matches the rule, and they see it before the
++target is executed.
++.SS log
++The log watcher writes descriptive data about a frame to the syslog.
++.TP
++.B "--log"
++.br
++Log with the default loggin options: log-level=
++.IR info ,
++log-prefix="", no ip logging, no arp logging.
++.TP
++.B --log-level "\fIlevel\fP"
++.br
++Defines the logging level. For the possible values, see
++.BR "ebtables -h log" .
++The default level is
++.IR info .
++.TP
++.BR --log-prefix " \fItext\fP"
++.br
++Defines the prefix
++.I text
++to be printed at the beginning of the line with the logging information.
++.TP
++.B --log-ip
++.br
++Will log the ip information when a frame made by the ip protocol matches
++the rule. The default is no ip information logging.
++.TP
++.B --log-ip6
++.br
++Will log the ipv6 information when a frame made by the ipv6 protocol matches
++the rule. The default is no ipv6 information logging.
++.TP
++.B --log-arp
++.br
++Will log the (r)arp information when a frame made by the (r)arp protocols
++matches the rule. The default is no (r)arp information logging.
++.SS nflog
++The nflog watcher passes the packet to the loaded logging backend
++in order to log the packet. This is usually used in combination with
++nfnetlink_log as logging backend, which will multicast the packet
++through a
++.IR netlink
++socket to the specified multicast group. One or more userspace processes
++may subscribe to the group to receive the packets.
++.TP
++.B "--nflog"
++.br
++Log with the default logging options
++.TP
++.B --nflog-group "\fInlgroup\fP"
++.br
++The netlink group (1 - 2^32-1) to which packets are (only applicable for
++nfnetlink_log). The default value is 1.
++.TP
++.B --nflog-prefix "\fIprefix\fP"
++.br
++A prefix string to include in the log message, up to 30 characters
++long, useful for distinguishing messages in the logs.
++.TP
++.B --nflog-range "\fIsize\fP"
++.br
++The number of bytes to be copied to userspace (only applicable for
++nfnetlink_log). nfnetlink_log instances may specify their own
++range, this option overrides it.
++.TP
++.B --nflog-threshold "\fIsize\fP"
++.br
++Number of packets to queue inside the kernel before sending them
++to userspace (only applicable for nfnetlink_log). Higher values
++result in less overhead per packet, but increase delay until the
++packets reach userspace. The default value is 1.
++.SS ulog
++The ulog watcher passes the packet to a userspace
++logging daemon using netlink multicast sockets. This differs
++from the log watcher in the sense that the complete packet is
++sent to userspace instead of a descriptive text and that
++netlink multicast sockets are used instead of the syslog.
++This watcher enables parsing of packets with userspace programs, the
++physical bridge in and out ports are also included in the netlink messages.
++The ulog watcher module accepts 2 parameters when the module is loaded
++into the kernel (e.g. with modprobe):
++.B nlbufsiz
++specifies how big the buffer for each netlink multicast
++group is. If you say
++.IR nlbufsiz=8192 ,
++for example, up to eight kB of packets will
++get accumulated in the kernel until they are sent to userspace. It is
++not possible to allocate more than 128kB. Please also keep in mind that
++this buffer size is allocated for each nlgroup you are using, so the
++total kernel memory usage increases by that factor. The default is 4096.
++.B flushtimeout
++specifies after how many hundredths of a second the queue should be
++flushed, even if it is not full yet. The default is 10 (one tenth of
++a second).
++.TP
++.B "--ulog"
++.br
++Use the default settings: ulog-prefix="", ulog-nlgroup=1,
++ulog-cprange=4096, ulog-qthreshold=1.
++.TP
++.B --ulog-prefix "\fItext\fP"
++.br
++Defines the prefix included with the packets sent to userspace.
++.TP
++.BR --ulog-nlgroup " \fIgroup\fP"
++.br
++Defines which netlink group number to use (a number from 1 to 32).
++Make sure the netlink group numbers used for the iptables ULOG
++target differ from those used for the ebtables ulog watcher.
++The default group number is 1.
++.TP
++.BR --ulog-cprange " \fIrange\fP"
++.br
++Defines the maximum copy range to userspace, for packets matching the
++rule. The default range is 0, which means the maximum copy range is
++given by
++.BR nlbufsiz .
++A maximum copy range larger than
++128*1024 is meaningless as the packets sent to userspace have an upper
++size limit of 128*1024.
++.TP
++.BR --ulog-qthreshold " \fIthreshold\fP"
++.br
++Queue at most
++.I threshold
++number of packets before sending them to
++userspace with a netlink socket. Note that packets can be sent to
++userspace before the queue is full, this happens when the ulog
++kernel timer goes off (the frequency of this timer depends on
++.BR flushtimeout ).
++.SS TARGET EXTENSIONS
++.SS arpreply
++The
++.B arpreply
++target can be used in the
++.BR PREROUTING " chain of the " nat " table."
++If this target sees an ARP request it will automatically reply
++with an ARP reply. The used MAC address for the reply can be specified.
++The protocol must be specified as
++.IR ARP .
++When the ARP message is not an ARP request or when the ARP request isn't
++for an IP address on an Ethernet network, it is ignored by this target
++.BR "" ( CONTINUE ).
++When the ARP request is malformed, it is dropped
++.BR "" ( DROP ).
++.TP
++.BR "--arpreply-mac " "\fIaddress\fP"
++Specifies the MAC address to reply with: the Ethernet source MAC and the
++ARP payload source MAC will be filled in with this address.
++.TP
++.BR "--arpreply-target " "\fItarget\fP"
++Specifies the standard target. After sending the ARP reply, the rule still
++has to give a standard target so ebtables knows what to do with the ARP request.
++The default target
++.BR "" "is " DROP .
++.SS dnat
++The
++.B dnat
++target can only be used in the
++.BR BROUTING " chain of the " broute " table and the "
++.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
++It specifies that the destination MAC address has to be changed.
++.TP
++.BR "--to-destination " "\fIaddress\fP"
++.br
++Change the destination MAC address to the specified
++.IR address .
++The flag
++.B --to-dst
++is an alias for this option.
++.TP
++.BR "--dnat-target " "\fItarget\fP"
++.br
++Specifies the standard target. After doing the dnat, the rule still has to
++give a standard target so ebtables knows what to do with the dnated frame.
++The default target is
++.BR ACCEPT .
++Making it
++.BR CONTINUE " could let you use"
++multiple target extensions on the same frame. Making it
++.BR DROP " only makes"
++sense in the
++.BR BROUTING " chain but using the " redirect " target is more logical there. " RETURN " is also allowed. Note that using " RETURN
++in a base chain is not allowed (for obvious reasons).
++.SS mark
++.BR "" "The " mark " target can be used in every chain of every table. It is possible"
++to use the marking of a frame/packet in both ebtables and iptables,
++if the bridge-nf code is compiled into the kernel. Both put the marking at the
++same place. This allows for a form of communication between ebtables and iptables.
++.TP
++.BR "--mark-set " "\fIvalue\fP"
++.br
++Mark the frame with the specified non-negative
++.IR value .
++.TP
++.BR "--mark-or " "\fIvalue\fP"
++.br
++Or the frame with the specified non-negative
++.IR value .
++.TP
++.BR "--mark-and " "\fIvalue\fP"
++.br
++And the frame with the specified non-negative
++.IR value .
++.TP
++.BR "--mark-xor " "\fIvalue\fP"
++.br
++Xor the frame with the specified non-negative
++.IR value .
++.TP
++.BR "--mark-target " "\fItarget\fP"
++.br
++Specifies the standard target. After marking the frame, the rule
++still has to give a standard target so ebtables knows what to do.
++The default target is
++.BR ACCEPT ". Making it " CONTINUE " can let you do other"
++things with the frame in subsequent rules of the chain.
++.SS redirect
++The
++.B redirect
++target will change the MAC target address to that of the bridge device the
++frame arrived on. This target can only be used in the
++.BR BROUTING " chain of the " broute " table and the "
++.BR PREROUTING " chain of the " nat " table."
++In the
++.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
++.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
++.TP
++.BR "--redirect-target " "\fItarget\fP"
++.br
++Specifies the standard target. After doing the MAC redirect, the rule
++still has to give a standard target so ebtables knows what to do.
++The default target is
++.BR ACCEPT ". Making it " CONTINUE " could let you use"
++multiple target extensions on the same frame. Making it
++.BR DROP " in the " BROUTING " chain will let the frames be routed. " RETURN " is also allowed. Note"
++.BR "" "that using " RETURN " in a base chain is not allowed."
++.SS snat
++The
++.B snat
++target can only be used in the
++.BR POSTROUTING " chain of the " nat " table."
++It specifies that the source MAC address has to be changed.
++.TP
++.BR "--to-source " "\fIaddress\fP"
++.br
++Changes the source MAC address to the specified
++.IR address ". The flag"
++.B --to-src
++is an alias for this option.
++.TP
++.BR "--snat-target " "\fItarget\fP"
++.br
++Specifies the standard target. 
After doing the snat, the rule still has
++to give a standard target so ebtables knows what to do.
++.BR "" "The default target is " ACCEPT ". Making it " CONTINUE " could let you use"
++.BR "" "multiple target extensions on the same frame. Making it " DROP " doesn't"
++.BR "" "make sense, but you could do that too. " RETURN " is also allowed. Note"
++.BR "" "that using " RETURN " in a base chain is not allowed."
++.br
++.TP
++.BR "--snat-arp "
++.br
++Also change the hardware source address inside the arp header if the packet is an
++arp message and the hardware address length in the arp header is 6 bytes.
++.br
++.SH FILES
++.I /etc/ethertypes
++.I /var/lib/ebtables/lock
++.SH ENVIRONMENT VARIABLES
++.I EBTABLES_ATOMIC_FILE
++.SH MAILINGLISTS
++.BR "" "See " http://netfilter.org/mailinglists.html
++.SH SEE ALSO
++.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
++.PP
++.BR "" "See " http://ebtables.sf.net
+-- 
+2.21.0
+
diff --git a/0006-doc-Adjust-ebtables-man-page.patch b/0006-doc-Adjust-ebtables-man-page.patch
new file mode 100644
index 0000000..58c2c22
--- /dev/null
+++ b/0006-doc-Adjust-ebtables-man-page.patch
@@ -0,0 +1,275 @@
+From a3310b304ca75f45505b89071b1537a6fcc97228 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 13 Mar 2019 20:46:15 +0100
+Subject: [PATCH] doc: Adjust ebtables man page
+
+Change content to match nft-variant, most notably:
+
+* There is no broute table, drop all references to it
+* Comment out description of among and string matches, we don't support
+ them (yet)
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+(cherry picked from commit 1939cbc25e6f51cebaa7a2d71c45bb312bab8668)
+Signed-off-by: Phil Sutter
+---
+ iptables/ebtables-nft.8 | 164 ++++++++++++++++------------------------
+ 1 file changed, 67 insertions(+), 97 deletions(-)
+
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index 55204ab91e8a4..db8b2ab28cca5 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -24,7 +24,7 @@
+ .\"
+ .\"
+ .SH NAME
+-ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
++ebtables \- Ethernet bridge frame table administration (nft-based)
+ .SH SYNOPSIS
+ .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
+ .br
+@@ -51,17 +51,6 @@ ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legac
+ .BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+ .br
+ 
+-.SH LEGACY
+-This tool uses the old xtables/setsockopt framework, and is a legacy version
+-of ebtables. That means that a new, more modern tool exists with the same
+-functionality using the nf_tables framework and you are encouraged to migrate now.
+-The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
+-uses the same syntax and semantics than this legacy one.
+-
+-You can still use this legacy tool. You should probably get some specific
+-information from your Linux distribution or vendor.
+-More docs are available at https://wiki.nftables.org
+-
+ .SH DESCRIPTION
+ .B ebtables
+ is an application program used to set up and maintain the
+@@ -72,7 +61,7 @@ It is analogous to the
+ application, but less complicated, due to the fact that the Ethernet protocol
+ is much simpler than the IP protocol.
+ .SS CHAINS
+-There are three ebtables tables with built-in chains in the
++There are two ebtables tables with built-in chains in the
+ Linux kernel. These tables are used to divide functionality into
+ different sets of rules. Each set of rules is called a chain.
+ Each chain is an ordered list of rules that can match Ethernet frames. If a
+@@ -98,10 +87,7 @@ an 'extension' (see below) or a jump to a user-defined chain.
+ .B ACCEPT
+ means to let the frame through.
+ .B DROP
+-means the frame has to be dropped. In the
+-.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
+-meanings (see the info provided for the
+-.BR -t " option)."
++means the frame has to be dropped.
+ .B CONTINUE
+ means the next rule has to be checked. This can be handy, f.e., to know how many
+ frames pass a certain point in the chain, to log those frames or to apply multiple
+@@ -113,14 +99,16 @@ For the extension targets please refer to the
+ .B "TARGET EXTENSIONS"
+ section of this man page.
+ .SS TABLES
+-As stated earlier, there are three ebtables tables in the Linux
++As stated earlier, there are two ebtables tables in the Linux
+ kernel. The table names are
+-.BR filter ", " nat " and " broute .
+-Of these three tables,
++.BR filter " and " nat .
++Of these two tables,
+ the filter table is the default table that the command operates on.
+ If you are working with the filter table, then you can drop the '-t filter'
+ argument to the ebtables command. However, you will need to provide
+-the -t argument for the other two tables. Moreover, the -t argument must be the
++the -t argument for
++.B nat
++table. 
Moreover, the -t argument must be the
+ first argument on the ebtables command line, if used.
+ .TP
+ .B "-t, --table"
+@@ -149,25 +137,6 @@ iptables world to ebtables it is easier to have the same names. Note that you
+ can change the name
+ .BR "" ( -E )
+ if you don't like the default.
+-.br
+-.br
+-.B broute
+-is used to make a brouter, it has one built-in chain:
+-.BR BROUTING .
+-The targets
+-.BR DROP " and " ACCEPT
+-have a special meaning in the broute table (these names are used instead of
+-more descriptive names to keep the implementation generic).
+-.B DROP
+-actually means the frame has to be routed, while
+-.B ACCEPT
+-means the frame has to be bridged. The
+-.B BROUTING
+-chain is traversed very early. However, it is only traversed by frames entering on
+-a bridge port that is in forwarding state. Normally those frames
+-would be bridged, but you can decide otherwise here. The
+-.B redirect
+-target is very handy here.
+ .SH EBTABLES COMMAND LINE ARGUMENTS
+ After the initial ebtables '-t table' command line argument, the remaining
+ arguments can be divided into several groups. These groups
+@@ -553,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
+ be consulted to determine the payload protocol. This is a two byte
+ (hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
+ checked for type.
+-.SS among
+-Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+-and MAC/IP address pairs.
+-A list entry has the following format:
+-.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+-list entries are separated by a comma, specifying an IP address corresponding to
+-the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+-but different IP address (and vice versa) can be specified. If the MAC address doesn't
+-match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+-.TP
+-.BR "--among-dst " "[!] 
\fIlist\fP"
+-Compare the MAC destination to the given list. If the Ethernet frame has type
+-.IR IPv4 " or " ARP ,
+-then comparison with MAC/IP destination address pairs from the
+-list is possible.
+-.TP
+-.BR "--among-src " "[!] \fIlist\fP"
+-Compare the MAC source to the given list. If the Ethernet frame has type
+-.IR IPv4 " or " ARP ,
+-then comparison with MAC/IP source address pairs from the list
+-is possible.
+-.TP
+-.BR "--among-dst-file " "[!] \fIfile\fP"
+-Same as
+-.BR --among-dst " but the list is read in from the specified file."
+-.TP
+-.BR "--among-src-file " "[!] \fIfile\fP"
+-Same as
+-.BR --among-src " but the list is read in from the specified file."
++.\" .SS among
++.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
++.\" and MAC/IP address pairs.
++.\" A list entry has the following format:
++.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
++.\" list entries are separated by a comma, specifying an IP address corresponding to
++.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
++.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
++.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
++.\" .TP
++.\" .BR "--among-dst " "[!] \fIlist\fP"
++.\" Compare the MAC destination to the given list. If the Ethernet frame has type
++.\" .IR IPv4 " or " ARP ,
++.\" then comparison with MAC/IP destination address pairs from the
++.\" list is possible.
++.\" .TP
++.\" .BR "--among-src " "[!] \fIlist\fP"
++.\" Compare the MAC source to the given list. If the Ethernet frame has type
++.\" .IR IPv4 " or " ARP ,
++.\" then comparison with MAC/IP source address pairs from the list
++.\" is possible.
++.\" .TP
++.\" .BR "--among-dst-file " "[!] \fIfile\fP"
++.\" Same as
++.\" .BR --among-dst " but the list is read in from the specified file."
++.\" .TP
++.\" .BR "--among-src-file " "[!] 
\fIfile\fP"
++.\" Same as
++.\" .BR --among-src " but the list is read in from the specified file."
+ .SS arp
+ Specify (R)ARP fields. The protocol must be specified as
+ .IR ARP " or " RARP .
+@@ -822,26 +791,26 @@ The hello time timer (0-65535) range.
+ .TP
+ .BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
+ The forward delay timer (0-65535) range.
+-.SS string
+-This module matches on a given string using some pattern matching strategy.
+-.TP
+-.BR "--string-algo " "\fIalgorithm\fP"
+-The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+-.TP
+-.BR "--string-from " "\fIoffset\fP"
+-The lowest offset from which a match can start. (default: 0)
+-.TP
+-.BR "--string-to " "\fIoffset\fP"
+-The highest offset from which a match can start. (default: size of frame)
+-.TP
+-.BR "--string " "[!] \fIpattern\fP"
+-Matches the given pattern.
+-.TP
+-.BR "--string-hex " "[!] \fIpattern\fP"
+-Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+-.TP
+-.BR "--string-icase"
+-Ignore case when searching.
++.\" .SS string
++.\" This module matches on a given string using some pattern matching strategy.
++.\" .TP
++.\" .BR "--string-algo " "\fIalgorithm\fP"
++.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
++.\" .TP
++.\" .BR "--string-from " "\fIoffset\fP"
++.\" The lowest offset from which a match can start. (default: 0)
++.\" .TP
++.\" .BR "--string-to " "\fIoffset\fP"
++.\" The highest offset from which a match can start. (default: size of frame)
++.\" .TP
++.\" .BR "--string " "[!] \fIpattern\fP"
++.\" Matches the given pattern.
++.\" .TP
++.\" .BR "--string-hex " "[!] \fIpattern\fP"
++.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
++.\" .TP
++.\" .BR "--string-icase"
++.\" Ignore case when searching.
+ .SS vlan
+ Specify 802.1Q Tag Control Information fields. 
+ The protocol must be specified as
+@@ -1026,7 +995,6 @@ The default target
+ The
+ .B dnat
+ target can only be used in the
+-.BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " and " OUTPUT " chains of the " nat " table."
+ It specifies that the destination MAC address has to be changed.
+ .TP
+@@ -1089,11 +1057,8 @@ The
+ .B redirect
+ target will change the MAC target address to that of the bridge device the
+ frame arrived on. This target can only be used in the
+-.BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " chain of the " nat " table."
+-In the
+-.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
+-.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
++The MAC address of the bridge is used as destination address."
+ .TP
+ .BR "--redirect-target " "\fItarget\fP"
+ .br
+@@ -1135,12 +1100,17 @@ arp message and the hardware address length in the arp header is 6 bytes.
+ .br
+ .SH FILES
+ .I /etc/ethertypes
+-.I /var/lib/ebtables/lock
+ .SH ENVIRONMENT VARIABLES
+ .I EBTABLES_ATOMIC_FILE
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
++.SH BUGS
++The version of ebtables this man page ships with does not support the
++.B broute
++table. Also there is no support for
++.BR among " and " string
++matches. And finally, this list is probably not complete.
+ .SH SEE ALSO
+-.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
++.BR xtables-nft "(8), " iptables "(8), " ip (8)
+ .PP
+-.BR "" "See " http://ebtables.sf.net
++.BR "" "See " https://wiki.nftables.org
+-- 
+2.21.0
+
diff --git a/arptables-nft-helper b/arptables-nft-helper
new file mode 100644
index 0000000..8bb0629
--- /dev/null
+++ b/arptables-nft-helper
@@ -0,0 +1,68 @@
+#!/bin/sh
+# config: /etc/sysconfig/arptables
+
+# Source 'em up
+. /etc/init.d/functions
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+start() {
+ if [ ! -x /usr/sbin/arptables ]; then
+ exit 4
+ fi
+
+ # don't do squat if we don't have the config file
+ if [ -f $ARPTABLES_CONFIG ]; then
+ echo -n $"Applying arptables firewall rules: "
+ /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+ success || \
+ failure
+ echo
+ touch /var/lock/subsys/arptables
+ else
+ failure
+ echo
+ echo $"Configuration file /etc/sysconfig/arptables missing"
+ exit 6
+ fi
+}
+
+stop() {
+ echo -n $"Removing user defined chains:"
+ arptables -X && success || failure
+ echo -n $"Flushing all chains:"
+ arptables -F && success || failure
+ echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+ arptables -P INPUT ACCEPT && \
+ arptables -P OUTPUT ACCEPT && \
+ success || \
+ failure
+ echo
+ rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+ start
+ ;;
+
+stop)
+ stop
+ ;;
+
+restart|reload)
+ # "restart" is really just "start" as this isn't a daemon,
+ # and "start" clears any pre-defined rules anyway.
+ # This is really only here to make those who expect it happy
+ start
+ ;;
+
+condrestart|try-restart|force-reload)
+ [ -e /var/lock/subsys/arptables ] && start
+ ;;
+
+*)
+ exit 2
+esac
+
+exit 0
diff --git a/iptables-1.6.0-iptables-apply_mktemp.patch b/iptables-1.6.0-iptables-apply_mktemp.patch
deleted file mode 100644
index 607a611..0000000
--- a/iptables-1.6.0-iptables-apply_mktemp.patch
+++ /dev/null
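Review bot: start() tests `-x /usr/sbin/arptables` but the command it actually runs is `/usr/sbin/arptables-restore`, while stop() calls a bare `arptables` resolved through PATH, so the guard does not cover the binary being executed and the two functions disagree on how the tool is located. Check the binary that is used, `if [ ! -x /usr/sbin/arptables-restore ]; then`, and call arptables the same way in both functions (absolute path in both, or bare name in both). The file is also `#!/bin/sh` but relies on the bash-only `$"..."` translation quoting and on /etc/init.d/functions, which presumably itself requires bash; `#!/bin/bash` would make that dependency explicit. The `condrestart` branch is fine as written since the script ends with `exit 0` regardless of the `&&` result, but a one-line comment there, `# only re-apply rules if they were applied before`, would save the reader a second look.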
@@ -1,21 +0,0 @@
-diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
---- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp 2015-12-09 13:55:06.000000000 +0100
-+++ iptables-1.6.0/iptables/iptables-apply 2016-04-13 17:44:07.130453958 +0200
-@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
- exit 2
- fi
- 
--COMMANDS=(tempfile "$SAVE" "$RESTORE")
-+COMMANDS=(mktemp "$SAVE" "$RESTORE")
- 
- for cmd in "${COMMANDS[@]}"; do
- if ! command -v $cmd >/dev/null; then
-@@ -122,7 +122,7 @@ done
- 
- umask 0700
- 
--TMPFILE=$(tempfile -p iptap)
-+TMPFILE=$(mktemp)
- trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
- 
- if ! "$SAVE" >"$TMPFILE"; then
diff --git a/iptables-1.8.0-xtables-nft-multi.patch b/iptables-1.8.0-xtables-nft-multi.patch
deleted file mode 100644
index f1f5ab8..0000000
--- a/iptables-1.8.0-xtables-nft-multi.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
-index 187da81e9f59b..03690a56edb72 100644
---- a/iptables/xtables-nft-multi.c
-+++ b/iptables/xtables-nft-multi.c
-@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
- {"iptables-restore-translate", xtables_ip4_xlate_restore_main},
- {"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
- {"arptables", xtables_arp_main},
-+ {"arptables-nft", xtables_arp_main},
- {"ebtables-translate", xtables_eb_xlate_main},
- {"ebtables", xtables_eb_main},
-+ {"ebtables-nft", xtables_eb_main},
- {"xtables-monitor", xtables_monitor_main},
- {NULL},
- };
diff --git a/iptables.spec b/iptables.spec
index f1a077c..26996e1 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -6,16 +6,21 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities -Version: 1.8.0 -Release: 5%{?dist} +Version: 1.8.2 +Release: 1%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables -Patch1: iptables-1.6.0-iptables-apply_mktemp.patch -Patch2: iptables-1.8.0-xtables-nft-multi.patch +Source6: arptables-nft-helper +Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch +Patch2: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch +Patch3: 0003-doc-Add-arptables-nft-man-pages.patch +Patch4: 0004-doc-Adjust-arptables-man-pages.patch +Patch5: 0005-doc-Add-ebtables-man-page.patch +Patch6: 0006-doc-Adjust-ebtables-man-page.patch URL: http://www.netfilter.org/ # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -38,6 +43,10 @@ BuildRequires: pkgconfig(libmnl) >= 1.0 BuildRequires: pkgconfig(libnftnl) >= 1.0.5 # libpcap-devel for nfbpf_compile BuildRequires: libpcap-devel +BuildRequires: autogen +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool Requires: %{name}-libs%{?_isa} = %{version}-%{release} %if 0%{?fedora} > 24 Conflicts: setup < 2.10.4-1 @@ -102,16 +111,16 @@ Currently only provides nfnl_osf with the pf.os database. Summary: nftables compatibility for iptables, arptables and ebtables Requires: %{name} = %{version}-%{release} Obsoletes: iptables-compat < 1.6.2-4 +Provides: arptables-helper %description nft nftables compatibility for iptables, arptables and ebtables. %prep -%setup -q -%patch1 -p1 -b .iptables-apply_mktemp -%patch2 -p1 -b .iptables-xtables_nft_multi +%autosetup -p1 %build +./autogen.sh CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ %configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr 
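Review bot: The new `BuildRequires: autogen` in the second hunk pulls in GNU AutoGen, a code generator that appears unrelated to the `./autogen.sh` script %build now invokes; that script presumably needs only the autoconf, automake and libtool entries added alongside it, so unless something in the tree calls the `autogen` binary that line looks like a stray dependency. Running `./autogen.sh` on a release tarball also regenerates the shipped configure on every build, which deserves a comment above the call stating why the regeneration is required here, e.g. `# regenerate the build system (see the Patch* entries above)`, so a later maintainer does not drop it or wonder whether it is still needed.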
@@ -184,14 +193,14 @@ install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/ rm -f %{buildroot}%{_sysconfdir}/ethertypes %endif -# rename ebtables and arptables to avoid conflicts -mv %{buildroot}%{_sbindir}/ebtables %{buildroot}%{_sbindir}/ebtables-nft -mv %{buildroot}%{_sbindir}/arptables %{buildroot}%{_sbindir}/arptables-nft +install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ +touch %{buildroot}%{_libexecdir}/arptables-helper -touch %{buildroot}%{_sbindir}/ebtables -touch %{buildroot}%{_sbindir}/arptables -touch %{buildroot}%{_sbindir}/iptables -touch %{buildroot}%{_sbindir}/ip6tables +# prepare for alternatives +touch %{buildroot}%{_mandir}/man8/arptables.8 +touch %{buildroot}%{_mandir}/man8/arptables-save.8 +touch %{buildroot}%{_mandir}/man8/arptables-restore.8 +touch %{buildroot}%{_mandir}/man8/ebtables.8 %ldconfig_scriptlets 
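Review bot: `install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/` relies on `-D` treating a trailing-slash destination as a directory, which depends on the coreutils version in the buildroot; naming the target explicitly is unambiguous and matches the path listed in %files and the alternatives slave, `install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper`. The `touch %{buildroot}%{_libexecdir}/arptables-helper` line belongs with the other placeholder files under the `# prepare for alternatives` comment that follows it, since it serves the same purpose as the touched man-page stubs.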
@@ -233,13 +242,44 @@ pfx6=%{_sbindir}/ip6tables --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \ --slave $pfx6-save ip6tables-save $pfx6-nft-save -for cmd in ebtables arptables; do - if [ "$(readlink -e %{_sbindir}/$cmd)" == %{_sbindir}/$cmd ]; then - rm -f %{_sbindir}/$cmd +pfx=%{_sbindir}/ebtables +manpfx=%{_mandir}/man8/ebtables +for sfx in "" "-restore" "-save"; do + if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then + rm -f $pfx$sfx fi - %{_sbindir}/update-alternatives --install \ - %{_sbindir}/$cmd $cmd %{_sbindir}/$cmd-nft 5 done +if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then + rm -f $manpfx.8.gz +fi +%{_sbindir}/update-alternatives --install \ + $pfx ebtables $pfx-nft 5 \ + --slave $pfx-save ebtables-save $pfx-nft-save \ + --slave $pfx-restore ebtables-restore $pfx-nft-restore \ + --slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz + +pfx=%{_sbindir}/arptables +manpfx=%{_mandir}/man8/arptables +lepfx=%{_libexecdir}/arptables +for sfx in "" "-restore" "-save"; do + if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then + rm -f $pfx$sfx + fi + if [ "$(readlink -e $manpfx$sfx.8.gz)" == $manpfx$sfx.8.gz ]; then + rm -f $manpfx$sfx.8.gz + fi +done +if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then + rm -f $lepfx-helper +fi +%{_sbindir}/update-alternatives --install \ + $pfx arptables $pfx-nft 5 \ + --slave $pfx-save arptables-save $pfx-nft-save \ + --slave $pfx-restore arptables-restore $pfx-nft-restore \ + --slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \ + --slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \ + --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \ + --slave $lepfx-helper arptables-helper $lepfx-nft-helper %postun nft if [ $1 -eq 0 ]; then 
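Review bot: The %post nft scriptlet (its start is above this hunk) now repeats the "remove a regular file sitting at the alternatives path" idiom five times, with the right-hand side of `==` unquoted each time; a small helper keeps the check in one place and quotes it once: `rm_if_real() { if [ "$(readlink -e "$1")" = "$1" ]; then rm -f "$1"; fi; }` followed by calls such as `rm_if_real "$pfx$sfx"` and `rm_if_real "$manpfx.8.gz"` inside the loops. The `$lepfx-helper` check guards against a pre-existing regular file at `%{_libexecdir}/arptables-helper`, which this package only %ghosts, so a one-line comment naming what is expected to have left a real file there (presumably an earlier arptables package) would help the next maintainer understand why the check exists.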
@@ -253,8 +293,6 @@ fi
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc INCOMPATIBILITIES
-%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
-%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
 %if 0%{?fedora} <= 24
 %{_sysconfdir}/ethertypes
 %endif
@@ -306,6 +344,8 @@ fi
 %{script_path}/ip6tables.init
 %config(noreplace) %{_sysconfdir}/sysconfig/iptables
 %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables
+%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
+%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
 %{_unitdir}/iptables.service
 %{_unitdir}/ip6tables.service
 %dir %{legacy_actions}/iptables
@@ -328,13 +368,14 @@ fi
 %{_sbindir}/ip6tables-nft*
 %{_sbindir}/ip6tables-restore-translate
 %{_sbindir}/ip6tables-translate
-%{_sbindir}/ebtables-nft
-%{_sbindir}/arptables-nft
+%{_sbindir}/ebtables-nft*
+%{_sbindir}/arptables-nft*
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
+%{_libexecdir}/arptables-nft-helper
 %{_mandir}/man8/xtables-monitor*
-%{_mandir}/man8/xtables-nft*
 %{_mandir}/man8/xtables-translate*
+%{_mandir}/man8/*-nft*
 %ghost %{_sbindir}/iptables
 %ghost %{_sbindir}/iptables-restore
 %ghost %{_sbindir}/iptables-save
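Review bot: Moving the two `%config(noreplace)` entries for `iptables-config`/`ip6tables-config` from the base package's %files (first hunk) into the sub-package file list shown in the second hunk changes what an upgrade leaves on disk: on a host that has the base package installed but not this sub-package, rpm removes the old package's copies (a locally modified one is kept as `.rpmsave`), so anything that still reads those files from the base install loses them silently. If that is the intended outcome, a note in the package description that the files now ship only with the services sub-package would make it discoverable; if not, the base package needs a dependency on the sub-package or the files need to stay where they were. The enclosing %files lists start before the hunks.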
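Review bot: `%{_mandir}/man8/*-nft*` in the third hunk is a far wider glob than the `xtables-nft*` it replaces: it matches any page with `-nft` anywhere in its name, so pages such as `iptables-nft*` or `ip6tables-nft*` (if upstream ships them) are pulled in here and would clash with any explicit listing of them elsewhere in the spec, and future upstream pages get packaged without review. Naming the intended families is safer: `%{_mandir}/man8/xtables-nft*`, `%{_mandir}/man8/ebtables-nft*`, `%{_mandir}/man8/arptables-nft*`. The `%{_sbindir}/ebtables-nft*` and `%{_sbindir}/arptables-nft*` entries are narrower and presumably meant for the -save/-restore binaries, but a short comment saying so would keep the intent visible.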
@@ -342,9 +383,25 @@ fi %ghost %{_sbindir}/ip6tables-restore %ghost %{_sbindir}/ip6tables-save %ghost %{_sbindir}/ebtables +%ghost %{_sbindir}/ebtables-save +%ghost %{_sbindir}/ebtables-restore %ghost %{_sbindir}/arptables +%ghost %{_sbindir}/arptables-save +%ghost %{_sbindir}/arptables-restore +%ghost %{_libexecdir}/arptables-helper +%ghost %{_mandir}/man8/arptables.8.gz +%ghost %{_mandir}/man8/arptables-save.8.gz +%ghost %{_mandir}/man8/arptables-restore.8.gz +%ghost %{_mandir}/man8/ebtables.8.gz + %changelog +* Mon Apr 15 2019 Phil Sutter - 1.8.2-1 +- New upstream version 1.8.2 +- Integrate ebtables and arptables save/restore scripts with alternatives +- Add nft-specific ebtables and arptables man pages +- Move /etc/sysconfig/ip*tables-config files into services sub-package + * Fri Feb 01 2019 Fedora Release Engineering - 1.8.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
