diff --git a/0003-doc-Add-arptables-nft-man-pages.patch b/0003-doc-Add-arptables-nft-man-pages.patch
deleted file mode 100644
index b4bae67..0000000
--- a/0003-doc-Add-arptables-nft-man-pages.patch
+++ /dev/null
@@ -1,486 +0,0 @@ -From 1d0089550ab9882ac90d0fc673f213c51e133552 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 13 Mar 2019 20:46:12 +0100 -Subject: [PATCH] doc: Add arptables-nft man pages - -These are 1:1 copies from legacy arptables repository. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal -(cherry picked from commit 4dbb6b9118e32a9b748ead893106de59579424f5) -Signed-off-by: Phil Sutter ---- - iptables/Makefile.am | 3 + - iptables/arptables-nft-restore.8 | 41 ++++ - iptables/arptables-nft-save.8 | 37 ++++ - iptables/arptables-nft.8 | 352 +++++++++++++++++++++++++++++++ - 4 files changed, 433 insertions(+) - create mode 100644 iptables/arptables-nft-restore.8 - create mode 100644 iptables/arptables-nft-save.8 - create mode 100644 iptables/arptables-nft.8 - -diff --git a/iptables/Makefile.am b/iptables/Makefile.am -index 581dc32ba846b..52309679d390c 100644 ---- a/iptables/Makefile.am -+++ b/iptables/Makefile.am -@@ -63,6 +63,9 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ - ip6tables-save.8 iptables-extensions.8 \ - xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ - xtables-monitor.8 -+if ENABLE_NFTABLES -+man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 -+endif - CLEANFILES = iptables.8 xtables-monitor.8 \ - xtables-config-parser.c xtables-config-syntax.c - -diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 -new file mode 100644 -index 0000000000000..4f2f623673415 ---- /dev/null -+++ b/iptables/arptables-nft-restore.8 -@@ -0,0 +1,41 @@ -+.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" -+.\" -+.\" Man page written by Jesper Dangaard Brouer based on a -+.\" Man page written by Harald Welte -+.\" It is based on the iptables-restore man page. 
-+.\" -+.\" This program is free software; you can redistribute it and/or modify -+.\" it under the terms of the GNU General Public License as published by -+.\" the Free Software Foundation; either version 2 of the License, or -+.\" (at your option) any later version. -+.\" -+.\" This program is distributed in the hope that it will be useful, -+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+.\" GNU General Public License for more details. -+.\" -+.\" You should have received a copy of the GNU General Public License -+.\" along with this program; if not, write to the Free Software -+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+.\" -+.\" -+.SH NAME -+arptables-restore \(em Restore ARP Tables -+.SH SYNOPSIS -+\fBarptables\-restore -+.SH DESCRIPTION -+.PP -+.B arptables-restore -+is used to restore ARP Tables from data specified on STDIN or -+via a file as first argument. -+Use I/O redirection provided by your shell to read from a file -+.TP -+.B arptables-restore -+flushes (deletes) all previous contents of the respective ARP Table. -+.SH BUGS -+None known as of arptables-0.0.4 release -+.SH AUTHOR -+Jesper Dangaard Brouer -+.SH SEE ALSO -+\fBarptables\-save\fP(8), \fBarptables\fP(8) -+.PP -diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 -new file mode 100644 -index 0000000000000..34791a9c087f0 ---- /dev/null -+++ b/iptables/arptables-nft-save.8 -@@ -0,0 +1,37 @@ -+.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" -+.\" -+.\" Man page written by Jesper Dangaard Brouer based on a -+.\" Man page written by Harald Welte -+.\" It is based on the iptables-save man page. -+.\" -+.\" This program is free software; you can redistribute it and/or modify -+.\" it under the terms of the GNU General Public License as published by -+.\" the Free Software Foundation; either version 2 of the License, or -+.\" (at your option) any later version. 
-+.\" -+.\" This program is distributed in the hope that it will be useful, -+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+.\" GNU General Public License for more details. -+.\" -+.\" You should have received a copy of the GNU General Public License -+.\" along with this program; if not, write to the Free Software -+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+.\" -+.\" -+.SH NAME -+arptables-save \(em dump arptables rules to stdout -+.SH SYNOPSIS -+\fBarptables\-save -+.SH DESCRIPTION -+.PP -+.B arptables-save -+is used to dump the contents of an ARP Table in easily parseable format -+to STDOUT. Use I/O-redirection provided by your shell to write to a file. -+.SH BUGS -+None known as of arptables-0.0.4 release -+.SH AUTHOR -+Jesper Dangaard Brouer -+.SH SEE ALSO -+\fBarptables\-restore\fP(8), \fBarptables\fP(8) -+.PP -diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 -new file mode 100644 -index 0000000000000..3ce99e3757004 ---- /dev/null -+++ b/iptables/arptables-nft.8 -@@ -0,0 +1,352 @@ -+.TH ARPTABLES 8 "June 2018" -+.\" -+.\" Man page originally written by Jochen Friedrich , -+.\" maintained by Bart De Schuymer. -+.\" It is based on the iptables man page. -+.\" -+.\" Iptables page by Herve Eychenne March 2000. -+.\" -+.\" This program is free software; you can redistribute it and/or modify -+.\" it under the terms of the GNU General Public License as published by -+.\" the Free Software Foundation; either version 2 of the License, or -+.\" (at your option) any later version. -+.\" -+.\" This program is distributed in the hope that it will be useful, -+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+.\" GNU General Public License for more details. 
-+.\" -+.\" You should have received a copy of the GNU General Public License -+.\" along with this program; if not, write to the Free Software -+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+.\" -+.\" -+.SH NAME -+arptables \- ARP table administration (legacy) -+.SH SYNOPSIS -+.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] -+.br -+.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ] -+.br -+.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ] -+.br -+.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ] -+.br -+.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain" -+.br -+.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name" -+.br -+.BR "arptables " [ "-t table" ] " -P chain target " [ options ] -+ -+.SH LEGACY -+This tool uses the old xtables/setsockopt framework, and is a legacy version -+of arptables. That means that a new, more modern tool exists with the same -+functionality using the nf_tables framework and you are encouraged to migrate now. -+The new binaries (formerly known as -compat) uses the same syntax and -+semantics than this legacy one. -+ -+You can still use this legacy tool. You should probably get some specific -+information from your Linux distribution or vendor. -+More docs are available at https://wiki.nftables.org -+ -+.SH DESCRIPTION -+.B arptables -+is a user space tool, it is used to set up and maintain the -+tables of ARP rules in the Linux kernel. These rules inspect -+the ARP frames which they see. -+.B arptables -+is analogous to the -+.B iptables -+user space tool, but -+.B arptables -+is less complicated. -+ -+.SS CHAINS -+The kernel table is used to divide functionality into -+different sets of rules. Each set of rules is called a chain. -+Each chain is an ordered list of rules that can match ARP frames. 
If a -+rule matches an ARP frame, then a processing specification tells -+what to do with that matching frame. The processing specification is -+called a 'target'. However, if the frame does not match the current -+rule in the chain, then the next rule in the chain is examined and so forth. -+The user can create new (user-defined) chains which can be used as the 'target' of a rule. -+ -+.SS TARGETS -+A firewall rule specifies criteria for an ARP frame and a frame -+processing specification called a target. When a frame matches a rule, -+then the next action performed by the kernel is specified by the target. -+The target can be one of these values: -+.IR ACCEPT , -+.IR DROP , -+.IR CONTINUE , -+.IR RETURN , -+an 'extension' (see below) or a user-defined chain. -+.PP -+.I ACCEPT -+means to let the frame through. -+.I DROP -+means the frame has to be dropped. -+.I CONTINUE -+means the next rule has to be checked. This can be handy to know how many -+frames pass a certain point in the chain or to log those frames. -+.I RETURN -+means stop traversing this chain and resume at the next rule in the -+previous (calling) chain. -+For the extension targets please see the -+.B "TARGET EXTENSIONS" -+section of this man page. -+.SS TABLES -+There is only one ARP table in the Linux -+kernel. The table is -+.BR filter. -+You can drop the '-t filter' argument to the arptables command. -+The -t argument must be the -+first argument on the arptables command line, if used. -+.TP -+.B "-t, --table" -+.br -+.BR filter , -+is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains: -+.B INPUT -+(for frames destined for the host), -+.B OUTPUT -+(for locally-generated frames) and -+.B FORWARD -+(for frames being forwarded by the bridge code). The -+.B FORWARD -+chain doesn't exist in Linux 2.4.X kernels. 
-+.br -+.br -+.SH ARPTABLES COMMAND LINE ARGUMENTS -+After the initial arptables command line argument, the remaining -+arguments can be divided into several different groups. These groups -+are commands, miscellaneous commands, rule-specifications, match-extensions, -+and watcher-extensions. -+.SS COMMANDS -+The arptables command arguments specify the actions to perform on the table -+defined with the -t argument. If you do not use the -t argument to name -+a table, the commands apply to the default filter table. -+With the exception of the -+.B "-Z" -+command, only one command may be used on the command line at a time. -+.TP -+.B "-A, --append" -+Append a rule to the end of the selected chain. -+.TP -+.B "-D, --delete" -+Delete the specified rule from the selected chain. There are two ways to -+use this command. The first is by specifying an interval of rule numbers -+to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more -+details about using negative numbers, see the -I command. The second usage is by -+specifying the complete rule as it would have been specified when it was added. -+.TP -+.B "-I, --insert" -+Insert the specified rule into the selected chain at the specified rule number. -+If the current number of rules equals N, then the specified number can be -+between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the -+same place in the chain where the rule should be inserted. The number 0 specifies -+the place past the last rule in the chain and using this number is therefore -+equivalent with using the -A command. -+.TP -+.B "-R, --replace" -+Replaces the specified rule into the selected chain at the specified rule number. -+If the current number of rules equals N, then the specified number can be -+between 1 and N. i specifies the place in the chain where the rule should be replaced. -+.TP -+.B "-P, --policy" -+Set the policy for the chain to the given target. 
The policy can be -+.BR ACCEPT ", " DROP " or " RETURN . -+.TP -+.B "-F, --flush" -+Flush the selected chain. If no chain is selected, then every chain will be -+flushed. Flushing the chain does not change the policy of the -+chain, however. -+.TP -+.B "-Z, --zero" -+Set the counters of the selected chain to zero. If no chain is selected, all the counters -+are set to zero. The -+.B "-Z" -+command can be used in conjunction with the -+.B "-L" -+command. -+When both the -+.B "-Z" -+and -+.B "-L" -+commands are used together in this way, the rule counters are printed on the screen -+before they are set to zero. -+.TP -+.B "-L, --list" -+List all rules in the selected chain. If no chain is selected, all chains -+are listed. -+.TP -+.B "-N, --new-chain" -+Create a new user-defined chain with the given name. The number of -+user-defined chains is unlimited. A user-defined chain name has maximum -+length of 31 characters. -+.TP -+.B "-X, --delete-chain" -+Delete the specified user-defined chain. There must be no remaining references -+to the specified chain, otherwise -+.B arptables -+will refuse to delete it. If no chain is specified, all user-defined -+chains that aren't referenced will be removed. -+.TP -+.B "-E, --rename-chain" -+Rename the specified chain to a new name. Besides renaming a user-defined -+chain, you may rename a standard chain name to a name that suits your -+taste. For example, if you like PREBRIDGING more than PREROUTING, -+then you can use the -E command to rename the PREROUTING chain. If you do -+rename one of the standard -+.B arptables -+chain names, please be sure to mention -+this fact should you post a question on the -+.B arptables -+mailing lists. -+It would be wise to use the standard name in your post. Renaming a standard -+.B arptables -+chain in this fashion has no effect on the structure or function -+of the -+.B arptables -+kernel table. 
-+ -+.SS MISCELLANOUS COMMANDS -+.TP -+.B "-V, --version" -+Show the version of the arptables userspace program. -+.TP -+.B "-h, --help" -+Give a brief description of the command syntax. -+.TP -+.BR "-j, --jump " "\fItarget\fP" -+The target of the rule. This is one of the following values: -+.BR ACCEPT , -+.BR DROP , -+.BR CONTINUE , -+.BR RETURN , -+a target extension (see -+.BR "TARGET EXTENSIONS" ")" -+or a user-defined chain name. -+.TP -+.BI "-c, --set-counters " "PKTS BYTES" -+This enables the administrator to initialize the packet and byte -+counters of a rule (during -+.B INSERT, -+.B APPEND, -+.B REPLACE -+operations). -+ -+.SS RULE-SPECIFICATIONS -+The following command line arguments make up a rule specification (as used -+in the add and delete commands). A "!" option before the specification -+inverts the test for that specification. Apart from these standard rule -+specifications there are some other command line arguments of interest. -+.TP -+.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP" -+The Source IP specification. -+.TP -+.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP" -+The Destination IP specification. -+.TP -+.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]" -+The source mac address. Both mask and address are written as 6 hexadecimal -+numbers separated by colons. -+.TP -+.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]" -+The destination mac address. Both mask and address are written as 6 hexadecimal -+numbers separated by colons. -+.TP -+.BR "-i, --in-interface " "[!] \fIname\fP" -+The interface via which a frame is received (for the -+.BR INPUT " and " FORWARD -+chains). The flag -+.B --in-if -+is an alias for this option. -+.TP -+.BR "-o, --out-interface " "[!] \fIname\fP" -+The interface via which a frame is going to be sent (for the -+.BR OUTPUT " and " FORWARD -+chains). The flag -+.B --out-if -+is an alias for this option. 
-+.TP -+.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]" -+The hardware length (nr of bytes) -+.TP -+.BR "--opcode " "\fIcode\fP[/\fImask\fP] -+The operation code (2 bytes). Available values are: -+.BR 1 = Request -+.BR 2 = Reply -+.BR 3 = Request_Reverse -+.BR 4 = Reply_Reverse -+.BR 5 = DRARP_Request -+.BR 6 = DRARP_Reply -+.BR 7 = DRARP_Error -+.BR 8 = InARP_Request -+.BR 9 = ARP_NAK . -+.TP -+.BR "--h-type " "\fItype\fP[/\fImask\fP]" -+The hardware type (2 bytes, hexadecimal). Available values are: -+.BR 1 = Ethernet . -+.TP -+.BR "--proto-type " "\fItype\fP[/\fImask\fP]" -+The protocol type (2 bytes). Available values are: -+.BR 0x800 = IPv4 . -+ -+.SS TARGET-EXTENSIONS -+.B arptables -+extensions are precompiled into the userspace tool. So there is no need -+to explicitly load them with a -m option like in -+.BR iptables . -+However, these -+extensions deal with functionality supported by supplemental kernel modules. -+.SS mangle -+.TP -+.BR "--mangle-ip-s IP address" -+Mangles Source IP Address to given value. -+.TP -+.BR "--mangle-ip-d IP address" -+Mangles Destination IP Address to given value. -+.TP -+.BR "--mangle-mac-s MAC address" -+Mangles Source MAC Address to given value. -+.TP -+.BR "--mangle-mac-d MAC address" -+Mangles Destination MAC Address to given value. -+.TP -+.BR "--mangle-target target " -+Target of ARP mangle operation -+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ). -+.SS CLASSIFY -+This module allows you to set the skb->priority value (and thus clas- -+sify the packet into a specific CBQ class). -+ -+.TP -+.BR "--set-class major:minor" -+ -+Set the major and minor class value. The values are always -+interpreted as hexadecimal even if no 0x prefix is given. -+ -+.SS MARK -+This module allows you to set the skb->mark value (and thus classify -+the packet by the mark in u32) -+ -+.TP -+.BR "--set-mark mark" -+Set the mark value. 
-+The values are always
-+interpreted as hexadecimal even if no 0x prefix is given
-+
-+.TP
-+.BR "--and-mark mark"
-+Binary AND the mark with bits.
-+
-+.TP
-+.BR "--or-mark mark"
-+Binary OR the mark with bits.
-+
-+.SH MAILINGLISTS
-+.BR "" "See " http://netfilter.org/mailinglists.html
-+.SH SEE ALSO
-+.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
-+.PP
-+.BR "" "See " http://ebtables.sf.net
--- 
-2.21.0
-
diff --git a/0004-doc-Adjust-arptables-man-pages.patch b/0004-doc-Adjust-arptables-man-pages.patch
deleted file mode 100644
index 3bf16d5..0000000
--- a/0004-doc-Adjust-arptables-man-pages.patch
+++ /dev/null
@@ -1,192 +0,0 @@ -From 2efbd30ed9f1db90b32b556d0e3df16d05281bc7 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 13 Mar 2019 20:46:13 +0100 -Subject: [PATCH] doc: Adjust arptables man pages - -Change content to suit the shipped nft-based variant. Most relevant -changes: - -* FORWARD chain is not supported -* arptables-nft-save supports a few parameters - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal -(cherry picked from commit 1a0cd997d601794c7031346063b8b77f4af2a13e) -Signed-off-by: Phil Sutter ---- - iptables/arptables-nft-restore.8 | 6 ++-- - iptables/arptables-nft-save.8 | 20 +++++++++---- - iptables/arptables-nft.8 | 48 +++++++++++++++----------------- - 3 files changed, 39 insertions(+), 35 deletions(-) - -diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 -index 4f2f623673415..09d9082cf9fd3 100644 ---- a/iptables/arptables-nft-restore.8 -+++ b/iptables/arptables-nft-restore.8 -@@ -1,4 +1,4 @@ --.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" -+.TH ARPTABLES-RESTORE 8 "March 2019" "" "" - .\" - .\" Man page written by Jesper Dangaard Brouer based on a - .\" Man page written by Harald Welte -@@ -20,7 +20,7 @@ - .\" - .\" - .SH NAME --arptables-restore \(em Restore ARP Tables -+arptables-restore \- Restore ARP Tables (nft-based) - .SH SYNOPSIS - \fBarptables\-restore - .SH DESCRIPTION -@@ -32,8 +32,6 @@ Use I/O redirection provided by your shell to read from a file - .TP - .B arptables-restore - flushes (deletes) all previous contents of the respective ARP Table. 
--.SH BUGS --None known as of arptables-0.0.4 release - .SH AUTHOR - Jesper Dangaard Brouer - .SH SEE ALSO -diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 -index 34791a9c087f0..905e59854cc28 100644 ---- a/iptables/arptables-nft-save.8 -+++ b/iptables/arptables-nft-save.8 -@@ -1,4 +1,4 @@ --.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" -+.TH ARPTABLES-SAVE 8 "March 2019" "" "" - .\" - .\" Man page written by Jesper Dangaard Brouer based on a - .\" Man page written by Harald Welte -@@ -20,16 +20,26 @@ - .\" - .\" - .SH NAME --arptables-save \(em dump arptables rules to stdout -+arptables-save \- dump arptables rules to stdout (nft-based) - .SH SYNOPSIS --\fBarptables\-save -+\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] -+.P -+\fBarptables\-save\fP [\fB\-V\fP] - .SH DESCRIPTION - .PP - .B arptables-save - is used to dump the contents of an ARP Table in easily parseable format - to STDOUT. Use I/O-redirection provided by your shell to write to a file. --.SH BUGS --None known as of arptables-0.0.4 release -+.TP -+\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP -+Specify the path to the modprobe program. By default, arptables-save will -+inspect /proc/sys/kernel/modprobe to determine the executable's path. -+.TP -+\fB\-c\fR, \fB\-\-counters\fR -+Include the current values of all packet and byte counters in the output. -+.TP -+\fB\-V\fR, \fB\-\-version\fR -+Print version information and exit. - .SH AUTHOR - Jesper Dangaard Brouer - .SH SEE ALSO -diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 -index 3ce99e3757004..ea31e0842acd4 100644 ---- a/iptables/arptables-nft.8 -+++ b/iptables/arptables-nft.8 -@@ -1,4 +1,4 @@ --.TH ARPTABLES 8 "June 2018" -+.TH ARPTABLES 8 "March 2019" - .\" - .\" Man page originally written by Jochen Friedrich , - .\" maintained by Bart De Schuymer. 
-@@ -22,7 +22,7 @@ - .\" - .\" - .SH NAME --arptables \- ARP table administration (legacy) -+arptables \- ARP table administration (nft-based) - .SH SYNOPSIS - .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] - .br -@@ -38,17 +38,6 @@ arptables \- ARP table administration (legacy) - .br - .BR "arptables " [ "-t table" ] " -P chain target " [ options ] - --.SH LEGACY --This tool uses the old xtables/setsockopt framework, and is a legacy version --of arptables. That means that a new, more modern tool exists with the same --functionality using the nf_tables framework and you are encouraged to migrate now. --The new binaries (formerly known as -compat) uses the same syntax and --semantics than this legacy one. -- --You can still use this legacy tool. You should probably get some specific --information from your Linux distribution or vendor. --More docs are available at https://wiki.nftables.org -- - .SH DESCRIPTION - .B arptables - is a user space tool, it is used to set up and maintain the -@@ -106,15 +95,11 @@ first argument on the arptables command line, if used. - .B "-t, --table" - .br - .BR filter , --is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains: -+is the only table and contains two built-in chains: - .B INPUT --(for frames destined for the host), -+(for frames destined for the host) and - .B OUTPUT --(for locally-generated frames) and --.B FORWARD --(for frames being forwarded by the bridge code). The --.B FORWARD --chain doesn't exist in Linux 2.4.X kernels. -+(for locally-generated frames). - .br - .br - .SH ARPTABLES COMMAND LINE ARGUMENTS -@@ -258,15 +243,15 @@ numbers separated by colons. - .TP - .BR "-i, --in-interface " "[!] \fIname\fP" - The interface via which a frame is received (for the --.BR INPUT " and " FORWARD --chains). The flag -+.B INPUT -+chain). The flag - .B --in-if - is an alias for this option. - .TP - .BR "-o, --out-interface " "[!] 
\fIname\fP" - The interface via which a frame is going to be sent (for the --.BR OUTPUT " and " FORWARD --chains). The flag -+.B OUTPUT -+chain). The flag - .B --out-if - is an alias for this option. - .TP -@@ -344,9 +329,20 @@ Binary AND the mark with bits. - .BR "--or-mark mark" - Binary OR the mark with bits. - -+.SH NOTES -+In this nft-based version of -+.BR arptables , -+support for -+.B FORWARD -+chain has not been implemented. Since ARP packets are "forwarded" only by Linux -+bridges, the same may be achieved using -+.B FORWARD -+chain in -+.BR ebtables . -+ - .SH MAILINGLISTS - .BR "" "See " http://netfilter.org/mailinglists.html - .SH SEE ALSO --.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8) -+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) - .PP --.BR "" "See " http://ebtables.sf.net -+.BR "" "See " https://wiki.nftables.org --- -2.21.0 - diff --git a/0005-doc-Add-ebtables-man-page.patch b/0005-doc-Add-ebtables-man-page.patch deleted file mode 100644 index a7b8203..0000000 --- a/0005-doc-Add-ebtables-man-page.patch +++ /dev/null 
@@ -1,1186 +0,0 @@ -From c1d57b73ccd3cd3ab09a8bb8c0d2b5afd3ceb307 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 13 Mar 2019 20:46:14 +0100 -Subject: [PATCH] doc: Add ebtables man page - -This is a 1:1 copy from legacy ebtables repository. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal -(cherry picked from commit eefd72aca33c6cdf7290da0c4a656c6768097181) -Signed-off-by: Phil Sutter ---- - iptables/Makefile.am | 3 +- - iptables/ebtables-nft.8 | 1146 +++++++++++++++++++++++++++++++++++++++ - 2 files changed, 1148 insertions(+), 1 deletion(-) - create mode 100644 iptables/ebtables-nft.8 - -diff --git a/iptables/Makefile.am b/iptables/Makefile.am -index 52309679d390c..37937b43cc310 100644 ---- a/iptables/Makefile.am -+++ b/iptables/Makefile.am -@@ -64,7 +64,8 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ - xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ - xtables-monitor.8 - if ENABLE_NFTABLES --man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 -+man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ -+ ebtables-nft.8 - endif - CLEANFILES = iptables.8 xtables-monitor.8 \ - xtables-config-parser.c xtables-config-syntax.c -diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -new file mode 100644 -index 0000000000000..55204ab91e8a4 ---- /dev/null -+++ b/iptables/ebtables-nft.8 -@@ -0,0 +1,1146 @@ -+.TH EBTABLES 8 "December 2011" -+.\" -+.\" Man page written by Bart De Schuymer -+.\" It is based on the iptables man page. -+.\" -+.\" The man page was edited, February 25th 2003, by -+.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net > -+.\" -+.\" Iptables page by Herve Eychenne March 2000. -+.\" -+.\" This program is free software; you can redistribute it and/or modify -+.\" it under the terms of the GNU General Public License as published by -+.\" the Free Software Foundation; either version 2 of the License, or -+.\" (at your option) any later version. 
-+.\" -+.\" This program is distributed in the hope that it will be useful, -+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+.\" GNU General Public License for more details. -+.\" -+.\" You should have received a copy of the GNU General Public License -+.\" along with this program; if not, write to the Free Software -+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+.\" -+.\" -+.SH NAME -+ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy) -+.SH SYNOPSIS -+.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target" -+.br -+.BR "ebtables " [ -t " table ] " -P " chain " ACCEPT " | " DROP " | " RETURN -+.br -+.BR "ebtables " [ -t " table ] " -F " [chain]" -+.br -+.BR "ebtables " [ -t " table ] " -Z " [chain]" -+.br -+.BR "ebtables " [ -t " table ] " -L " [" -Z "] [chain] [ [" --Ln "] | [" --Lx "] ] [" --Lc "] [" --Lmac2 ] -+.br -+.BR "ebtables " [ -t " table ] " -N " chain [" "-P ACCEPT " | " DROP " | " RETURN" ] -+.br -+.BR "ebtables " [ -t " table ] " -X " [chain]" -+.br -+.BR "ebtables " [ -t " table ] " -E " old-chain-name new-chain-name" -+.br -+.BR "ebtables " [ -t " table ] " --init-table -+.br -+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit -+.br -+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init -+.br -+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save -+.br -+ -+.SH LEGACY -+This tool uses the old xtables/setsockopt framework, and is a legacy version -+of ebtables. That means that a new, more modern tool exists with the same -+functionality using the nf_tables framework and you are encouraged to migrate now. -+The new binaries (known as ebtables-nft and formerly known as ebtables-compat) -+uses the same syntax and semantics than this legacy one. -+ -+You can still use this legacy tool. 
You should probably get some specific -+information from your Linux distribution or vendor. -+More docs are available at https://wiki.nftables.org -+ -+.SH DESCRIPTION -+.B ebtables -+is an application program used to set up and maintain the -+tables of rules (inside the Linux kernel) that inspect -+Ethernet frames. -+It is analogous to the -+.B iptables -+application, but less complicated, due to the fact that the Ethernet protocol -+is much simpler than the IP protocol. -+.SS CHAINS -+There are three ebtables tables with built-in chains in the -+Linux kernel. These tables are used to divide functionality into -+different sets of rules. Each set of rules is called a chain. -+Each chain is an ordered list of rules that can match Ethernet frames. If a -+rule matches an Ethernet frame, then a processing specification tells -+what to do with that matching frame. The processing specification is -+called a 'target'. However, if the frame does not match the current -+rule in the chain, then the next rule in the chain is examined and so forth. -+The user can create new (user-defined) chains that can be used as the 'target' -+of a rule. User-defined chains are very useful to get better performance -+over the linear traversal of the rules and are also essential for structuring -+the filtering rules into well-organized and maintainable sets of rules. -+.SS TARGETS -+A firewall rule specifies criteria for an Ethernet frame and a frame -+processing specification called a target. When a frame matches a rule, -+then the next action performed by the kernel is specified by the target. -+The target can be one of these values: -+.BR ACCEPT , -+.BR DROP , -+.BR CONTINUE , -+.BR RETURN , -+an 'extension' (see below) or a jump to a user-defined chain. -+.PP -+.B ACCEPT -+means to let the frame through. -+.B DROP -+means the frame has to be dropped. 
In the
-+.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
-+meanings (see the info provided for the
-+.BR -t " option)."
-+.B CONTINUE
-+means the next rule has to be checked. This can be handy, f.e., to know how many
-+frames pass a certain point in the chain, to log those frames or to apply multiple
-+targets on a frame.
-+.B RETURN
-+means stop traversing this chain and resume at the next rule in the
-+previous (calling) chain.
-+For the extension targets please refer to the
-+.B "TARGET EXTENSIONS"
-+section of this man page.
-+.SS TABLES
-+As stated earlier, there are three ebtables tables in the Linux
-+kernel. The table names are
-+.BR filter ", " nat " and " broute .
-+Of these three tables,
-+the filter table is the default table that the command operates on.
-+If you are working with the filter table, then you can drop the '-t filter'
-+argument to the ebtables command. However, you will need to provide
-+the -t argument for the other two tables. Moreover, the -t argument must be the
-+first argument on the ebtables command line, if used.
-+.TP
-+.B "-t, --table"
-+.br
-+.B filter
-+is the default table and contains three built-in chains:
-+.B INPUT
-+(for frames destined for the bridge itself, on the level of the MAC destination address),
-+.B OUTPUT
-+(for locally-generated or (b)routed frames) and
-+.B FORWARD
-+(for frames being forwarded by the bridge).
-+.br
-+.br
-+.B nat
-+is mostly used to change the mac addresses and contains three built-in chains:
-+.B PREROUTING
-+(for altering frames as soon as they come in),
-+.B OUTPUT
-+(for altering locally generated or (b)routed frames before they are bridged) and
-+.B POSTROUTING
-+(for altering frames as they are about to go out). A small note on the naming
-+of chains PREROUTING and POSTROUTING: it would be more accurate to call them
-+PREFORWARDING and POSTFORWARDING, but for all those who come from the
-+iptables world to ebtables it is easier to have the same names.
Note that you
-+can change the name
-+.BR "" ( -E )
-+if you don't like the default.
-+.br
-+.br
-+.B broute
-+is used to make a brouter, it has one built-in chain:
-+.BR BROUTING .
-+The targets
-+.BR DROP " and " ACCEPT
-+have a special meaning in the broute table (these names are used instead of
-+more descriptive names to keep the implementation generic).
-+.B DROP
-+actually means the frame has to be routed, while
-+.B ACCEPT
-+means the frame has to be bridged. The
-+.B BROUTING
-+chain is traversed very early. However, it is only traversed by frames entering on
-+a bridge port that is in forwarding state. Normally those frames
-+would be bridged, but you can decide otherwise here. The
-+.B redirect
-+target is very handy here.
-+.SH EBTABLES COMMAND LINE ARGUMENTS
-+After the initial ebtables '-t table' command line argument, the remaining
-+arguments can be divided into several groups. These groups
-+are commands, miscellaneous commands, rule specifications, match extensions,
-+watcher extensions and target extensions.
-+.SS COMMANDS
-+The ebtables command arguments specify the actions to perform on the table
-+defined with the -t argument. If you do not use the -t argument to name
-+a table, the commands apply to the default filter table.
-+Only one command may be used on the command line at a time, except when
-+the commands
-+.BR -L " and " -Z
-+are combined, the commands
-+.BR -N " and " -P
-+are combined, or when
-+.B --atomic-file
-+is used.
-+.TP
-+.B "-A, --append"
-+Append a rule to the end of the selected chain.
-+.TP
-+.B "-D, --delete"
-+Delete the specified rule or rules from the selected chain. There are two ways to
-+use this command. The first is by specifying an interval of rule numbers
-+to delete (directly after
-+.BR -D ).
-+Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
-+.B -L --Ln
-+to list the rules with their rule number). When \fIend_nr\fP is omitted, all rules starting
-+from \fIstart_nr\fP are deleted.
Using negative numbers is allowed, for more
-+details about using negative numbers, see the
-+.B -I
-+command. The second usage is by
-+specifying the complete rule as it would have been specified when it was added. Only
-+the first encountered rule that is the same as this specified rule, in other
-+words the matching rule with the lowest (positive) rule number, is deleted.
-+.TP
-+.B "-C, --change-counters"
-+Change the counters of the specified rule or rules from the selected chain. There are two ways to
-+use this command. The first is by specifying an interval of rule numbers
-+to do the changes on (directly after
-+.BR -C ).
-+Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
-+.B -L --Ln
-+to list the rules with their rule number). The details are the same as for the
-+.BR -D " command. The second usage is by"
-+specifying the complete rule as it would have been specified when it was added. Only
-+the counters of the first encountered rule that is the same as this specified rule, in other
-+words the matching rule with the lowest (positive) rule number, are changed.
-+In the first usage, the counters are specified directly after the interval specification,
-+in the second usage directly after
-+.BR -C .
-+First the packet counter is specified, then the byte counter. If the specified counters start
-+with a '+', the counter values are added to the respective current counter values.
-+If the specified counters start with a '-', the counter values are decreased from the respective
-+current counter values. No bounds checking is done. If the counters don't start with '+' or '-',
-+the current counters are changed to the specified counters.
-+.TP
-+.B "-I, --insert"
-+Insert the specified rule into the selected chain at the specified rule number. If the
-+rule number is not specified, the rule is added at the head of the chain.
-+If the current number of rules equals
-+.IR N ,
-+then the specified number can be
-+between
-+.IR -N " and " N+1 .
-+For a positive number
-+.IR i ,
-+it holds that
-+.IR i " and " i-N-1
-+specify the same place in the chain where the rule should be inserted. The rule number
-+0 specifies the place past the last rule in the chain and using this number is therefore
-+equivalent to using the
-+.BR -A " command."
-+Rule numbers structly smaller than 0 can be useful when more than one rule needs to be inserted
-+in a chain.
-+.TP
-+.B "-P, --policy"
-+Set the policy for the chain to the given target. The policy can be
-+.BR ACCEPT ", " DROP " or " RETURN .
-+.TP
-+.B "-F, --flush"
-+Flush the selected chain. If no chain is selected, then every chain will be
-+flushed. Flushing a chain does not change the policy of the
-+chain, however.
-+.TP
-+.B "-Z, --zero"
-+Set the counters of the selected chain to zero. If no chain is selected, all the counters
-+are set to zero. The
-+.B "-Z"
-+command can be used in conjunction with the
-+.B "-L"
-+command.
-+When both the
-+.B "-Z"
-+and
-+.B "-L"
-+commands are used together in this way, the rule counters are printed on the screen
-+before they are set to zero.
-+.TP
-+.B "-L, --list"
-+List all rules in the selected chain. If no chain is selected, all chains
-+are listed.
-+.br
-+The following options change the output of the
-+.B "-L"
-+command.
-+.br
-+.B "--Ln"
-+.br
-+Places the rule number in front of every rule. This option is incompatible with the
-+.BR --Lx " option."
-+.br
-+.B "--Lc"
-+.br
-+Shows the counters at the end of each rule displayed by the
-+.B "-L"
-+command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
-+The frame counter shows how many frames have matched the specific rule, the byte
-+counter shows the sum of the frame sizes of these matching frames. Using this option
-+.BR "" "in combination with the " --Lx " option causes the counters to be written out"
-+.BR "" "in the '" -c " ' option format."
-+.br
-+.B "--Lx"
-+.br
-+Changes the output so that it produces a set of ebtables commands that construct
-+the contents of the chain, when specified.
-+If no chain is specified, ebtables commands to construct the contents of the
-+table are given, including commands for creating the user-defined chains (if any).
-+You can use this set of commands in an ebtables boot or reload
-+script. For example the output could be used at system startup.
-+The
-+.B "--Lx"
-+option is incompatible with the
-+.B "--Ln"
-+listing option. Using the
-+.BR --Lx " option together with the " --Lc " option will cause the counters to be written out"
-+.BR "" "in the '" -c " ' option format."
-+.br
-+.B "--Lmac2"
-+.br
-+Shows all MAC addresses with the same length, adding leading zeroes
-+if necessary. The default representation omits leading zeroes in the addresses.
-+.TP
-+.B "-N, --new-chain"
-+Create a new user-defined chain with the given name. The number of
-+user-defined chains is limited only by the number of possible chain names.
-+A user-defined chain name has a maximum
-+length of 31 characters. The standard policy of the user-defined chain is
-+ACCEPT. The policy of the new chain can be initialized to a different standard
-+target by using the
-+.B -P
-+command together with the
-+.B -N
-+command. In this case, the chain name does not have to be specified for the
-+.B -P
-+command.
-+.TP
-+.B "-X, --delete-chain"
-+Delete the specified user-defined chain. There must be no remaining references (jumps)
-+to the specified chain, otherwise ebtables will refuse to delete it. If no chain is
-+specified, all user-defined chains that aren't referenced will be removed.
-+.TP
-+.B "-E, --rename-chain"
-+Rename the specified chain to a new name. Besides renaming a user-defined
-+chain, you can rename a standard chain to a name that suits your
-+taste. For example, if you like PREFORWARDING more than PREROUTING,
-+then you can use the -E command to rename the PREROUTING chain.
If you do
-+rename one of the standard ebtables chain names, please be sure to mention
-+this fact should you post a question on the ebtables mailing lists.
-+It would be wise to use the standard name in your post. Renaming a standard
-+ebtables chain in this fashion has no effect on the structure or functioning
-+of the ebtables kernel table.
-+.TP
-+.B "--init-table"
-+Replace the current table data by the initial table data.
-+.TP
-+.B "--atomic-init"
-+Copy the kernel's initial data of the table to the specified
-+file. This can be used as the first action, after which rules are added
-+to the file. The file can be specified using the
-+.B --atomic-file
-+command or through the
-+.IR EBTABLES_ATOMIC_FILE " environment variable."
-+.TP
-+.B "--atomic-save"
-+Copy the kernel's current data of the table to the specified
-+file. This can be used as the first action, after which rules are added
-+to the file. The file can be specified using the
-+.B --atomic-file
-+command or through the
-+.IR EBTABLES_ATOMIC_FILE " environment variable."
-+.TP
-+.B "--atomic-commit"
-+Replace the kernel table data with the data contained in the specified
-+file. This is a useful command that allows you to load all your rules of a
-+certain table into the kernel at once, saving the kernel a lot of precious
-+time and allowing atomic updates of the tables. The file which contains
-+the table data is constructed by using either the
-+.B "--atomic-init"
-+or the
-+.B "--atomic-save"
-+command to generate a starting file. After that, using the
-+.B "--atomic-file"
-+command when constructing rules or setting the
-+.IR EBTABLES_ATOMIC_FILE " environment variable"
-+allows you to extend the file and build the complete table before
-+committing it to the kernel. This command can be very useful in boot scripts
-+to populate the ebtables tables in a fast way.
-+.SS MISCELLANOUS COMMANDS
-+.TP
-+.B "-V, --version"
-+Show the version of the ebtables userspace program.
-+.TP
-+.BR "-h, --help " "[\fIlist of module names\fP]"
-+Give a brief description of the command syntax. Here you can also specify
-+names of extensions and ebtables will try to write help about those
-+extensions. E.g.
-+.IR "ebtables -h snat log ip arp" .
-+Specify
-+.I list_extensions
-+to list all extensions supported by the userspace
-+utility.
-+.TP
-+.BR "-j, --jump " "\fItarget\fP"
-+The target of the rule. This is one of the following values:
-+.BR ACCEPT ,
-+.BR DROP ,
-+.BR CONTINUE ,
-+.BR RETURN ,
-+a target extension (see
-+.BR "TARGET EXTENSIONS" ")"
-+or a user-defined chain name.
-+.TP
-+.B --atomic-file "\fIfile\fP"
-+Let the command operate on the specified
-+.IR file .
-+The data of the table to
-+operate on will be extracted from the file and the result of the operation
-+will be saved back into the file. If specified, this option should come
-+before the command specification. An alternative that should be preferred,
-+is setting the
-+.IR EBTABLES_ATOMIC_FILE " environment variable."
-+.TP
-+.B -M, --modprobe "\fIprogram\fP"
-+When talking to the kernel, use this
-+.I program
-+to try to automatically load missing kernel modules.
-+.TP
-+.B --concurrent
-+Use a file lock to support concurrent scripts updating the ebtables kernel tables.
-+
-+.SS
-+RULE SPECIFICATIONS
-+The following command line arguments make up a rule specification (as used
-+in the add and delete commands). A "!" option before the specification
-+inverts the test for that specification. Apart from these standard rule
-+specifications there are some other command line arguments of interest.
-+See both the
-+.BR "MATCH EXTENSIONS"
-+and the
-+.BR "WATCHER EXTENSIONS"
-+below.
-+.TP
-+.BR "-p, --protocol " "[!] \fIprotocol\fP"
-+The protocol that was responsible for creating the frame. This can be a
-+hexadecimal number, above
-+.IR 0x0600 ,
-+a name (e.g.
-+.I ARP
-+) or
-+.BR LENGTH .
-+The protocol field of the Ethernet frame can be used to denote the
-+length of the header (802.2/802.3 networks). When the value of that field is
-+below or equals
-+.IR 0x0600 ,
-+the value equals the size of the header and shouldn't be used as a
-+protocol number. Instead, all frames where the protocol field is used as
-+the length field are assumed to be of the same 'protocol'. The protocol
-+name used in ebtables for these frames is
-+.BR LENGTH .
-+.br
-+The file
-+.B /etc/ethertypes
-+can be used to show readable
-+characters instead of hexadecimal numbers for the protocols. For example,
-+.I 0x0800
-+will be represented by
-+.IR IPV4 .
-+The use of this file is not case sensitive.
-+See that file for more information. The flag
-+.B --proto
-+is an alias for this option.
-+.TP
-+.BR "-i, --in-interface " "[!] \fIname\fP"
-+The interface (bridge port) via which a frame is received (this option is useful in the
-+.BR INPUT ,
-+.BR FORWARD ,
-+.BR PREROUTING " and " BROUTING
-+chains). If the interface name ends with '+', then
-+any interface name that begins with this name (disregarding '+') will match.
-+The flag
-+.B --in-if
-+is an alias for this option.
-+.TP
-+.BR "--logical-in " "[!] \fIname\fP"
-+The (logical) bridge interface via which a frame is received (this option is useful in the
-+.BR INPUT ,
-+.BR FORWARD ,
-+.BR PREROUTING " and " BROUTING
-+chains).
-+If the interface name ends with '+', then
-+any interface name that begins with this name (disregarding '+') will match.
-+.TP
-+.BR "-o, --out-interface " "[!] \fIname\fP"
-+The interface (bridge port) via which a frame is going to be sent (this option is useful in the
-+.BR OUTPUT ,
-+.B FORWARD
-+and
-+.B POSTROUTING
-+chains). If the interface name ends with '+', then
-+any interface name that begins with this name (disregarding '+') will match.
-+The flag
-+.B --out-if
-+is an alias for this option.
-+.TP
-+.BR "--logical-out " "[!]
\fIname\fP"
-+The (logical) bridge interface via which a frame is going to be sent (this option
-+is useful in the
-+.BR OUTPUT ,
-+.B FORWARD
-+and
-+.B POSTROUTING
-+chains).
-+If the interface name ends with '+', then
-+any interface name that begins with this name (disregarding '+') will match.
-+.TP
-+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
-+The source MAC address. Both mask and address are written as 6 hexadecimal
-+numbers separated by colons. Alternatively one can specify Unicast,
-+Multicast, Broadcast or BGA (Bridge Group Address):
-+.br
-+.IR "Unicast" "=00:00:00:00:00:00/01:00:00:00:00:00,"
-+.IR "Multicast" "=01:00:00:00:00:00/01:00:00:00:00:00,"
-+.IR "Broadcast" "=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or"
-+.IR "BGA" "=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff."
-+Note that a broadcast
-+address will also match the multicast specification. The flag
-+.B --src
-+is an alias for this option.
-+.TP
-+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
-+The destination MAC address. See
-+.B -s
-+(above) for more details on MAC addresses. The flag
-+.B --dst
-+is an alias for this option.
-+.TP
-+.BR "-c, --set-counter " "\fIpcnt bcnt\fP"
-+If used with
-+.BR -A " or " -I ", then the packet and byte counters of the new rule will be set to
-+.IR pcnt ", resp. " bcnt ".
-+If used with the
-+.BR -C " or " -D " commands, only rules with a packet and byte count equal to"
-+.IR pcnt ", resp. " bcnt " will match."
-+
-+.SS MATCH EXTENSIONS
-+Ebtables extensions are dynamically loaded into the userspace tool,
-+there is therefore no need to explicitly load them with a
-+-m option like is done in iptables.
-+These extensions deal with functionality supported by kernel modules supplemental to
-+the core ebtables code.
-+.SS 802_3
-+Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as
-+.IR "LENGTH " "(see the option " " -p " above).
-+.TP
-+.BR "--802_3-sap " "[!] \fIsap\fP"
-+DSAP and SSAP are two one byte 802.3 fields.
The bytes are always
-+equal, so only one byte (hexadecimal) is needed as an argument.
-+.TP
-+.BR "--802_3-type " "[!] \fItype\fP"
-+If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
-+be consulted to determine the payload protocol. This is a two byte
-+(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
-+checked for type.
-+.SS among
-+Match a MAC address or MAC/IP address pair versus a list of MAC addresses
-+and MAC/IP address pairs.
-+A list entry has the following format:
-+.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
-+list entries are separated by a comma, specifying an IP address corresponding to
-+the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
-+but different IP address (and vice versa) can be specified. If the MAC address doesn't
-+match any entry from the list, the frame doesn't match the rule (unless "!" was used).
-+.TP
-+.BR "--among-dst " "[!] \fIlist\fP"
-+Compare the MAC destination to the given list. If the Ethernet frame has type
-+.IR IPv4 " or " ARP ,
-+then comparison with MAC/IP destination address pairs from the
-+list is possible.
-+.TP
-+.BR "--among-src " "[!] \fIlist\fP"
-+Compare the MAC source to the given list. If the Ethernet frame has type
-+.IR IPv4 " or " ARP ,
-+then comparison with MAC/IP source address pairs from the list
-+is possible.
-+.TP
-+.BR "--among-dst-file " "[!] \fIfile\fP"
-+Same as
-+.BR --among-dst " but the list is read in from the specified file."
-+.TP
-+.BR "--among-src-file " "[!] \fIfile\fP"
-+Same as
-+.BR --among-src " but the list is read in from the specified file."
-+.SS arp
-+Specify (R)ARP fields. The protocol must be specified as
-+.IR ARP " or " RARP .
-+.TP
-+.BR "--arp-opcode " "[!] \fIopcode\fP"
-+The (R)ARP opcode (decimal or a string, for more details see
-+.BR "ebtables -h arp" ).
-+.TP
-+.BR "--arp-htype " "[!]
\fIhardware type\fP"
-+The hardware type, this can be a decimal or the string
-+.I Ethernet
-+(which sets
-+.I type
-+to 1). Most (R)ARP packets have Eternet as hardware type.
-+.TP
-+.BR "--arp-ptype " "[!] \fIprotocol type\fP"
-+The protocol type for which the (r)arp is used (hexadecimal or the string
-+.IR IPv4 ,
-+denoting 0x0800).
-+Most (R)ARP packets have protocol type IPv4.
-+.TP
-+.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
-+The (R)ARP IP source address specification.
-+.TP
-+.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
-+The (R)ARP IP destination address specification.
-+.TP
-+.BR "--arp-mac-src " "[!] \fIaddress\fP[/\fImask\fP]"
-+The (R)ARP MAC source address specification.
-+.TP
-+.BR "--arp-mac-dst " "[!] \fIaddress\fP[/\fImask\fP]"
-+The (R)ARP MAC destination address specification.
-+.TP
-+.BR "" "[!]" " --arp-gratuitous"
-+Checks for ARP gratuitous packets: checks equality of IPv4 source
-+address and IPv4 destination address inside the ARP header.
-+.SS ip
-+Specify IPv4 fields. The protocol must be specified as
-+.IR IPv4 .
-+.TP
-+.BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]"
-+The source IP address.
-+The flag
-+.B --ip-src
-+is an alias for this option.
-+.TP
-+.BR "--ip-destination " "[!] \fIaddress\fP[/\fImask\fP]"
-+The destination IP address.
-+The flag
-+.B --ip-dst
-+is an alias for this option.
-+.TP
-+.BR "--ip-tos " "[!] \fItos\fP"
-+The IP type of service, in hexadecimal numbers.
-+.BR IPv4 .
-+.TP
-+.BR "--ip-protocol " "[!] \fIprotocol\fP"
-+The IP protocol.
-+The flag
-+.B --ip-proto
-+is an alias for this option.
-+.TP
-+.BR "--ip-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
-+The source port or port range for the IP protocols 6 (TCP), 17
-+(UDP), 33 (DCCP) or 132 (SCTP). The
-+.B --ip-protocol
-+option must be specified as
-+.IR TCP ", " UDP ", " DCCP " or " SCTP .
-+If
-+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
-+The flag
-+.B --ip-sport
-+is an alias for this option.
-+.TP
-+.BR "--ip-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
-+The destination port or port range for ip protocols 6 (TCP), 17
-+(UDP), 33 (DCCP) or 132 (SCTP). The
-+.B --ip-protocol
-+option must be specified as
-+.IR TCP ", " UDP ", " DCCP " or " SCTP .
-+If
-+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
-+The flag
-+.B --ip-dport
-+is an alias for this option.
-+.SS ip6
-+Specify IPv6 fields. The protocol must be specified as
-+.IR IPv6 .
-+.TP
-+.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
-+The source IPv6 address.
-+The flag
-+.B --ip6-src
-+is an alias for this option.
-+.TP
-+.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
-+The destination IPv6 address.
-+The flag
-+.B --ip6-dst
-+is an alias for this option.
-+.TP
-+.BR "--ip6-tclass " "[!] \fItclass\fP"
-+The IPv6 traffic class, in hexadecimal numbers.
-+.TP
-+.BR "--ip6-protocol " "[!] \fIprotocol\fP"
-+The IP protocol.
-+The flag
-+.B --ip6-proto
-+is an alias for this option.
-+.TP
-+.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
-+The source port or port range for the IPv6 protocols 6 (TCP), 17
-+(UDP), 33 (DCCP) or 132 (SCTP). The
-+.B --ip6-protocol
-+option must be specified as
-+.IR TCP ", " UDP ", " DCCP " or " SCTP .
-+If
-+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
-+The flag
-+.B --ip6-sport
-+is an alias for this option.
-+.TP
-+.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
-+The destination port or port range for IPv6 protocols 6 (TCP), 17
-+(UDP), 33 (DCCP) or 132 (SCTP). The
-+.B --ip6-protocol
-+option must be specified as
-+.IR TCP ", " UDP ", " DCCP " or " SCTP .
-+If
-+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
-+The flag
-+.B --ip6-dport
-+is an alias for this option.
-+.TP
-+.BR "--ip6-icmp-type " "[!] {\fItype\fP[:\fItype\fP]/\fIcode\fP[:\fIcode\fP]|\fItypename\fP}"
-+Specify ipv6\-icmp type and code to match.
-+Ranges for both type and code are supported. Type and code are
-+separated by a slash. Valid numbers for type and range are 0 to 255.
-+To match a single type including all valid codes, symbolic names can
-+be used instead of numbers. The list of known type names is shown by the command
-+.nf
-+ ebtables \-\-help ip6
-+.fi
-+This option is only valid for \-\-ip6-prococol ipv6-icmp.
-+.SS limit
-+This module matches at a limited rate using a token bucket filter.
-+A rule using this extension will match until this limit is reached.
-+It can be used with the
-+.B --log
-+watcher to give limited logging, for example. Its use is the same
-+as the limit match of iptables.
-+.TP
-+.BR "--limit " "[\fIvalue\fP]"
-+Maximum average matching rate: specified as a number, with an optional
-+.IR /second ", " /minute ", " /hour ", or " /day " suffix; the default is " 3/hour .
-+.TP
-+.BR "--limit-burst " "[\fInumber\fP]"
-+Maximum initial number of packets to match: this number gets recharged by
-+one every time the limit specified above is not reached, up to this
-+number; the default is
-+.IR 5 .
-+.SS mark_m
-+.TP
-+.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
-+Matches frames with the given unsigned mark value. If a
-+.IR value " and " mask " are specified, the logical AND of the mark value of the frame and"
-+the user-specified
-+.IR mask " is taken before comparing it with the"
-+user-specified mark
-+.IR value ". When only a mark "
-+.IR value " is specified, the packet"
-+only matches when the mark value of the frame equals the user-specified
-+mark
-+.IR value .
-+If only a
-+.IR mask " is specified, the logical"
-+AND of the mark value of the frame and the user-specified
-+.IR mask " is taken and the frame matches when the result of this logical AND is"
-+non-zero. Only specifying a
-+.IR mask " is useful to match multiple mark values."
-+.SS pkttype
-+.TP
-+.BR "--pkttype-type " "[!] \fItype\fP"
-+Matches on the Ethernet "class" of the frame, which is determined by the
-+generic networking code. Possible values:
-+.IR broadcast " (MAC destination is the broadcast address),"
-+.IR multicast " (MAC destination is a multicast address),"
-+.IR host " (MAC destination is the receiving network device), or "
-+.IR otherhost " (none of the above)."
-+.SS stp
-+Specify stp BPDU (bridge protocol data unit) fields. The destination
-+address
-+.BR "" ( -d ") must be specified as the bridge group address"
-+.IR "" ( BGA ).
-+For all options for which a range of values can be specified, it holds that
-+if the lower bound is omitted (but the colon is not), then the lowest possible lower bound
-+for that option is used, while if the upper bound is omitted (but the colon again is not), the
-+highest possible upper bound for that option is used.
-+.TP
-+.BR "--stp-type " "[!] \fItype\fP"
-+The BPDU type (0-255), recognized non-numerical types are
-+.IR config ", denoting a configuration BPDU (=0), and"
-+.IR tcn ", denothing a topology change notification BPDU (=128)."
-+.TP
-+.BR "--stp-flags " "[!] \fIflag\fP"
-+The BPDU flag (0-255), recognized non-numerical flags are
-+.IR topology-change ", denoting the topology change flag (=1), and"
-+.IR topology-change-ack ", denoting the topology change acknowledgement flag (=128)."
-+.TP
-+.BR "--stp-root-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
-+The root priority (0-65535) range.
-+.TP
-+.BR "--stp-root-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
-+The root mac address, see the option
-+.BR -s " for more details."
-+.TP
-+.BR "--stp-root-cost " "[!]
[\fIcost\fP][:\fIcost\fP]"
-+The root path cost (0-4294967295) range.
-+.TP
-+.BR "--stp-sender-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
-+The BPDU's sender priority (0-65535) range.
-+.TP
-+.BR "--stp-sender-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
-+The BPDU's sender mac address, see the option
-+.BR -s " for more details."
-+.TP
-+.BR "--stp-port " "[!] [\fIport\fP][:\fIport\fP]"
-+The port identifier (0-65535) range.
-+.TP
-+.BR "--stp-msg-age " "[!] [\fIage\fP][:\fIage\fP]"
-+The message age timer (0-65535) range.
-+.TP
-+.BR "--stp-max-age " "[!] [\fIage\fP][:\fIage\fP]"
-+The max age timer (0-65535) range.
-+.TP
-+.BR "--stp-hello-time " "[!] [\fItime\fP][:\fItime\fP]"
-+The hello time timer (0-65535) range.
-+.TP
-+.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
-+The forward delay timer (0-65535) range.
-+.SS string
-+This module matches on a given string using some pattern matching strategy.
-+.TP
-+.BR "--string-algo " "\fIalgorithm\fP"
-+The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-+.TP
-+.BR "--string-from " "\fIoffset\fP"
-+The lowest offset from which a match can start. (default: 0)
-+.TP
-+.BR "--string-to " "\fIoffset\fP"
-+The highest offset from which a match can start. (default: size of frame)
-+.TP
-+.BR "--string " "[!] \fIpattern\fP"
-+Matches the given pattern.
-+.TP
-+.BR "--string-hex " "[!] \fIpattern\fP"
-+Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
-+.TP
-+.BR "--string-icase"
-+Ignore case when searching.
-+.SS vlan
-+Specify 802.1Q Tag Control Information fields.
-+The protocol must be specified as
-+.IR 802_1Q " (0x8100)."
-+.TP
-+.BR "--vlan-id " "[!] \fIid\fP"
-+The VLAN identifier field (VID). Decimal number from 0 to 4095.
-+.TP
-+.BR "--vlan-prio " "[!] \fIprio\fP"
-+The user priority field, a decimal number from 0 to 7.
-+The VID should be set to 0 ("null VID") or unspecified
-+(in the latter case the VID is deliberately set to 0).
-+.TP
-+.BR "--vlan-encap " "[!] \fItype\fP"
-+The encapsulated Ethernet frame type/length.
-+Specified as a hexadecimal
-+number from 0x0000 to 0xFFFF or as a symbolic name
-+from
-+.BR /etc/ethertypes .
-+
-+.SS WATCHER EXTENSIONS
-+Watchers only look at frames passing by, they don't modify them nor decide
-+to accept the frames or not. These watchers only
-+see the frame if the frame matches the rule, and they see it before the
-+target is executed.
-+.SS log
-+The log watcher writes descriptive data about a frame to the syslog.
-+.TP
-+.B "--log"
-+.br
-+Log with the default loggin options: log-level=
-+.IR info ,
-+log-prefix="", no ip logging, no arp logging.
-+.TP
-+.B --log-level "\fIlevel\fP"
-+.br
-+Defines the logging level. For the possible values, see
-+.BR "ebtables -h log" .
-+The default level is
-+.IR info .
-+.TP
-+.BR --log-prefix " \fItext\fP"
-+.br
-+Defines the prefix
-+.I text
-+to be printed at the beginning of the line with the logging information.
-+.TP
-+.B --log-ip
-+.br
-+Will log the ip information when a frame made by the ip protocol matches
-+the rule. The default is no ip information logging.
-+.TP
-+.B --log-ip6
-+.br
-+Will log the ipv6 information when a frame made by the ipv6 protocol matches
-+the rule. The default is no ipv6 information logging.
-+.TP
-+.B --log-arp
-+.br
-+Will log the (r)arp information when a frame made by the (r)arp protocols
-+matches the rule. The default is no (r)arp information logging.
-+.SS nflog
-+The nflog watcher passes the packet to the loaded logging backend
-+in order to log the packet. This is usually used in combination with
-+nfnetlink_log as logging backend, which will multicast the packet
-+through a
-+.IR netlink
-+socket to the specified multicast group. One or more userspace processes
-+may subscribe to the group to receive the packets.
-+.TP
-+.B "--nflog"
-+.br
-+Log with the default logging options
-+.TP
-+.B --nflog-group "\fInlgroup\fP"
-+.br
-+The netlink group (1 - 2^32-1) to which packets are (only applicable for
-+nfnetlink_log). The default value is 1.
-+.TP
-+.B --nflog-prefix "\fIprefix\fP"
-+.br
-+A prefix string to include in the log message, up to 30 characters
-+long, useful for distinguishing messages in the logs.
-+.TP
-+.B --nflog-range "\fIsize\fP"
-+.br
-+The number of bytes to be copied to userspace (only applicable for
-+nfnetlink_log). nfnetlink_log instances may specify their own
-+range, this option overrides it.
-+.TP
-+.B --nflog-threshold "\fIsize\fP"
-+.br
-+Number of packets to queue inside the kernel before sending them
-+to userspace (only applicable for nfnetlink_log). Higher values
-+result in less overhead per packet, but increase delay until the
-+packets reach userspace. The default value is 1.
-+.SS ulog
-+The ulog watcher passes the packet to a userspace
-+logging daemon using netlink multicast sockets. This differs
-+from the log watcher in the sense that the complete packet is
-+sent to userspace instead of a descriptive text and that
-+netlink multicast sockets are used instead of the syslog.
-+This watcher enables parsing of packets with userspace programs, the
-+physical bridge in and out ports are also included in the netlink messages.
-+The ulog watcher module accepts 2 parameters when the module is loaded
-+into the kernel (e.g. with modprobe):
-+.B nlbufsiz
-+specifies how big the buffer for each netlink multicast
-+group is. If you say
-+.IR nlbufsiz=8192 ,
-+for example, up to eight kB of packets will
-+get accumulated in the kernel until they are sent to userspace. It is
-+not possible to allocate more than 128kB. Please also keep in mind that
-+this buffer size is allocated for each nlgroup you are using, so the
-+total kernel memory usage increases by that factor. The default is 4096.
-+.B flushtimeout
-+specifies after how many hundredths of a second the queue should be
-+flushed, even if it is not full yet. The default is 10 (one tenth of
-+a second).
-+.TP
-+.B "--ulog"
-+.br
-+Use the default settings: ulog-prefix="", ulog-nlgroup=1,
-+ulog-cprange=4096, ulog-qthreshold=1.
-+.TP
-+.B --ulog-prefix "\fItext\fP"
-+.br
-+Defines the prefix included with the packets sent to userspace.
-+.TP
-+.BR --ulog-nlgroup " \fIgroup\fP"
-+.br
-+Defines which netlink group number to use (a number from 1 to 32).
-+Make sure the netlink group numbers used for the iptables ULOG
-+target differ from those used for the ebtables ulog watcher.
-+The default group number is 1.
-+.TP
-+.BR --ulog-cprange " \fIrange\fP"
-+.br
-+Defines the maximum copy range to userspace, for packets matching the
-+rule. The default range is 0, which means the maximum copy range is
-+given by
-+.BR nlbufsiz .
-+A maximum copy range larger than
-+128*1024 is meaningless as the packets sent to userspace have an upper
-+size limit of 128*1024.
-+.TP
-+.BR --ulog-qthreshold " \fIthreshold\fP"
-+.br
-+Queue at most
-+.I threshold
-+number of packets before sending them to
-+userspace with a netlink socket. Note that packets can be sent to
-+userspace before the queue is full, this happens when the ulog
-+kernel timer goes off (the frequency of this timer depends on
-+.BR flushtimeout ).
-+.SS TARGET EXTENSIONS
-+.SS arpreply
-+The
-+.B arpreply
-+target can be used in the
-+.BR PREROUTING " chain of the " nat " table."
-+If this target sees an ARP request it will automatically reply
-+with an ARP reply. The used MAC address for the reply can be specified.
-+The protocol must be specified as
-+.IR ARP .
-+When the ARP message is not an ARP request or when the ARP request isn't
-+for an IP address on an Ethernet network, it is ignored by this target
-+.BR "" ( CONTINUE ).
-+When the ARP request is malformed, it is dropped
-+.BR "" ( DROP ).
-+.TP
-+.BR "--arpreply-mac " "\fIaddress\fP"
-+Specifies the MAC address to reply with: the Ethernet source MAC and the
-+ARP payload source MAC will be filled in with this address.
-+.TP
-+.BR "--arpreply-target " "\fItarget\fP"
-+Specifies the standard target. After sending the ARP reply, the rule still
-+has to give a standard target so ebtables knows what to do with the ARP request.
-+The default target
-+.BR "" "is " DROP .
-+.SS dnat
-+The
-+.B dnat
-+target can only be used in the
-+.BR BROUTING " chain of the " broute " table and the "
-+.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
-+It specifies that the destination MAC address has to be changed.
-+.TP
-+.BR "--to-destination " "\fIaddress\fP"
-+.br
-+Change the destination MAC address to the specified
-+.IR address .
-+The flag
-+.B --to-dst
-+is an alias for this option.
-+.TP
-+.BR "--dnat-target " "\fItarget\fP"
-+.br
-+Specifies the standard target. After doing the dnat, the rule still has to
-+give a standard target so ebtables knows what to do with the dnated frame.
-+The default target is
-+.BR ACCEPT .
-+Making it
-+.BR CONTINUE " could let you use"
-+multiple target extensions on the same frame. Making it
-+.BR DROP " only makes"
-+sense in the
-+.BR BROUTING " chain but using the " redirect " target is more logical there. " RETURN " is also allowed. Note that using " RETURN
-+in a base chain is not allowed (for obvious reasons).
-+.SS mark
-+.BR "" "The " mark " target can be used in every chain of every table. It is possible"
-+to use the marking of a frame/packet in both ebtables and iptables,
-+if the bridge-nf code is compiled into the kernel. Both put the marking at the
-+same place. This allows for a form of communication between ebtables and iptables.
-+.TP
-+.BR "--mark-set " "\fIvalue\fP"
-+.br
-+Mark the frame with the specified non-negative
-+.IR value .
-+.TP
-+.BR "--mark-or " "\fIvalue\fP"
-+.br
-+Or the frame with the specified non-negative
-+.IR value .
-+.TP
-+.BR "--mark-and " "\fIvalue\fP"
-+.br
-+And the frame with the specified non-negative
-+.IR value .
-+.TP
-+.BR "--mark-xor " "\fIvalue\fP"
-+.br
-+Xor the frame with the specified non-negative
-+.IR value .
-+.TP
-+.BR "--mark-target " "\fItarget\fP"
-+.br
-+Specifies the standard target. After marking the frame, the rule
-+still has to give a standard target so ebtables knows what to do.
-+The default target is
-+.BR ACCEPT ". Making it " CONTINUE " can let you do other"
-+things with the frame in subsequent rules of the chain.
-+.SS redirect
-+The
-+.B redirect
-+target will change the MAC target address to that of the bridge device the
-+frame arrived on. This target can only be used in the
-+.BR BROUTING " chain of the " broute " table and the "
-+.BR PREROUTING " chain of the " nat " table."
-+In the
-+.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
-+.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
-+.TP
-+.BR "--redirect-target " "\fItarget\fP"
-+.br
-+Specifies the standard target. After doing the MAC redirect, the rule
-+still has to give a standard target so ebtables knows what to do.
-+The default target is
-+.BR ACCEPT ". Making it " CONTINUE " could let you use"
-+multiple target extensions on the same frame. Making it
-+.BR DROP " in the " BROUTING " chain will let the frames be routed. " RETURN " is also allowed. Note"
-+.BR "" "that using " RETURN " in a base chain is not allowed."
-+.SS snat
-+The
-+.B snat
-+target can only be used in the
-+.BR POSTROUTING " chain of the " nat " table."
-+It specifies that the source MAC address has to be changed.
-+.TP
-+.BR "--to-source " "\fIaddress\fP"
-+.br
-+Changes the source MAC address to the specified
-+.IR address ". The flag"
-+.B --to-src
-+is an alias for this option.
-+.TP
-+.BR "--snat-target " "\fItarget\fP"
-+.br
-+Specifies the standard target.
After doing the snat, the rule still has -+to give a standard target so ebtables knows what to do. -+.BR "" "The default target is " ACCEPT ". Making it " CONTINUE " could let you use" -+.BR "" "multiple target extensions on the same frame. Making it " DROP " doesn't" -+.BR "" "make sense, but you could do that too. " RETURN " is also allowed. Note" -+.BR "" "that using " RETURN " in a base chain is not allowed." -+.br -+.TP -+.BR "--snat-arp " -+.br -+Also change the hardware source address inside the arp header if the packet is an -+arp message and the hardware address length in the arp header is 6 bytes. -+.br -+.SH FILES -+.I /etc/ethertypes -+.I /var/lib/ebtables/lock -+.SH ENVIRONMENT VARIABLES -+.I EBTABLES_ATOMIC_FILE -+.SH MAILINGLISTS -+.BR "" "See " http://netfilter.org/mailinglists.html -+.SH SEE ALSO -+.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8) -+.PP -+.BR "" "See " http://ebtables.sf.net --- -2.21.0 - diff --git a/0006-doc-Adjust-ebtables-man-page.patch b/0006-doc-Adjust-ebtables-man-page.patch deleted file mode 100644 index 58c2c22..0000000 --- a/0006-doc-Adjust-ebtables-man-page.patch +++ /dev/null 
@@ -1,275 +0,0 @@ -From a3310b304ca75f45505b89071b1537a6fcc97228 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 13 Mar 2019 20:46:15 +0100 -Subject: [PATCH] doc: Adjust ebtables man page - -Change content to match nft-variant, most notably: - -* There is no broute table, drop all references to it -* Comment out description of among and string matches, we don't support - them (yet) - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal -(cherry picked from commit 1939cbc25e6f51cebaa7a2d71c45bb312bab8668) -Signed-off-by: Phil Sutter ---- - iptables/ebtables-nft.8 | 164 ++++++++++++++++------------------------ - 1 file changed, 67 insertions(+), 97 deletions(-) - -diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 55204ab91e8a4..db8b2ab28cca5 100644 ---- a/iptables/ebtables-nft.8 -+++ b/iptables/ebtables-nft.8 -@@ -24,7 +24,7 @@ - .\" - .\" - .SH NAME --ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy) -+ebtables \- Ethernet bridge frame table administration (nft-based) - .SH SYNOPSIS - .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target" - .br -@@ -51,17 +51,6 @@ ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legac - .BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save - .br - --.SH LEGACY --This tool uses the old xtables/setsockopt framework, and is a legacy version --of ebtables. That means that a new, more modern tool exists with the same --functionality using the nf_tables framework and you are encouraged to migrate now. --The new binaries (known as ebtables-nft and formerly known as ebtables-compat) --uses the same syntax and semantics than this legacy one. -- --You can still use this legacy tool. You should probably get some specific --information from your Linux distribution or vendor. 
--More docs are available at https://wiki.nftables.org -- - .SH DESCRIPTION - .B ebtables - is an application program used to set up and maintain the -@@ -72,7 +61,7 @@ It is analogous to the - application, but less complicated, due to the fact that the Ethernet protocol - is much simpler than the IP protocol. - .SS CHAINS --There are three ebtables tables with built-in chains in the -+There are two ebtables tables with built-in chains in the - Linux kernel. These tables are used to divide functionality into - different sets of rules. Each set of rules is called a chain. - Each chain is an ordered list of rules that can match Ethernet frames. If a -@@ -98,10 +87,7 @@ an 'extension' (see below) or a jump to a user-defined chain. - .B ACCEPT - means to let the frame through. - .B DROP --means the frame has to be dropped. In the --.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different" --meanings (see the info provided for the --.BR -t " option)." -+means the frame has to be dropped. - .B CONTINUE - means the next rule has to be checked. This can be handy, f.e., to know how many - frames pass a certain point in the chain, to log those frames or to apply multiple -@@ -113,14 +99,16 @@ For the extension targets please refer to the - .B "TARGET EXTENSIONS" - section of this man page. - .SS TABLES --As stated earlier, there are three ebtables tables in the Linux -+As stated earlier, there are two ebtables tables in the Linux - kernel. The table names are --.BR filter ", " nat " and " broute . --Of these three tables, -+.BR filter " and " nat . -+Of these two tables, - the filter table is the default table that the command operates on. - If you are working with the filter table, then you can drop the '-t filter' - argument to the ebtables command. However, you will need to provide --the -t argument for the other two tables. Moreover, the -t argument must be the -+the -t argument for -+.B nat -+table. 
Moreover, the -t argument must be the - first argument on the ebtables command line, if used. - .TP - .B "-t, --table" -@@ -149,25 +137,6 @@ iptables world to ebtables it is easier to have the same names. Note that you - can change the name - .BR "" ( -E ) - if you don't like the default. --.br --.br --.B broute --is used to make a brouter, it has one built-in chain: --.BR BROUTING . --The targets --.BR DROP " and " ACCEPT --have a special meaning in the broute table (these names are used instead of --more descriptive names to keep the implementation generic). --.B DROP --actually means the frame has to be routed, while --.B ACCEPT --means the frame has to be bridged. The --.B BROUTING --chain is traversed very early. However, it is only traversed by frames entering on --a bridge port that is in forwarding state. Normally those frames --would be bridged, but you can decide otherwise here. The --.B redirect --target is very handy here. - .SH EBTABLES COMMAND LINE ARGUMENTS - After the initial ebtables '-t table' command line argument, the remaining - arguments can be divided into several groups. These groups -@@ -553,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must - be consulted to determine the payload protocol. This is a two byte - (hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are - checked for type. --.SS among --Match a MAC address or MAC/IP address pair versus a list of MAC addresses --and MAC/IP address pairs. --A list entry has the following format: --.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple" --list entries are separated by a comma, specifying an IP address corresponding to --the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address --but different IP address (and vice versa) can be specified. If the MAC address doesn't --match any entry from the list, the frame doesn't match the rule (unless "!" was used). --.TP --.BR "--among-dst " "[!] 
\fIlist\fP" --Compare the MAC destination to the given list. If the Ethernet frame has type --.IR IPv4 " or " ARP , --then comparison with MAC/IP destination address pairs from the --list is possible. --.TP --.BR "--among-src " "[!] \fIlist\fP" --Compare the MAC source to the given list. If the Ethernet frame has type --.IR IPv4 " or " ARP , --then comparison with MAC/IP source address pairs from the list --is possible. --.TP --.BR "--among-dst-file " "[!] \fIfile\fP" --Same as --.BR --among-dst " but the list is read in from the specified file." --.TP --.BR "--among-src-file " "[!] \fIfile\fP" --Same as --.BR --among-src " but the list is read in from the specified file." -+.\" .SS among -+.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses -+.\" and MAC/IP address pairs. -+.\" A list entry has the following format: -+.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple" -+.\" list entries are separated by a comma, specifying an IP address corresponding to -+.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address -+.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't -+.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used). -+.\" .TP -+.\" .BR "--among-dst " "[!] \fIlist\fP" -+.\" Compare the MAC destination to the given list. If the Ethernet frame has type -+.\" .IR IPv4 " or " ARP , -+.\" then comparison with MAC/IP destination address pairs from the -+.\" list is possible. -+.\" .TP -+.\" .BR "--among-src " "[!] \fIlist\fP" -+.\" Compare the MAC source to the given list. If the Ethernet frame has type -+.\" .IR IPv4 " or " ARP , -+.\" then comparison with MAC/IP source address pairs from the list -+.\" is possible. -+.\" .TP -+.\" .BR "--among-dst-file " "[!] \fIfile\fP" -+.\" Same as -+.\" .BR --among-dst " but the list is read in from the specified file." -+.\" .TP -+.\" .BR "--among-src-file " "[!] 
\fIfile\fP" -+.\" Same as -+.\" .BR --among-src " but the list is read in from the specified file." - .SS arp - Specify (R)ARP fields. The protocol must be specified as - .IR ARP " or " RARP . -@@ -822,26 +791,26 @@ The hello time timer (0-65535) range. - .TP - .BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]" - The forward delay timer (0-65535) range. --.SS string --This module matches on a given string using some pattern matching strategy. --.TP --.BR "--string-algo " "\fIalgorithm\fP" --The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) --.TP --.BR "--string-from " "\fIoffset\fP" --The lowest offset from which a match can start. (default: 0) --.TP --.BR "--string-to " "\fIoffset\fP" --The highest offset from which a match can start. (default: size of frame) --.TP --.BR "--string " "[!] \fIpattern\fP" --Matches the given pattern. --.TP --.BR "--string-hex " "[!] \fIpattern\fP" --Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|' --.TP --.BR "--string-icase" --Ignore case when searching. -+.\" .SS string -+.\" This module matches on a given string using some pattern matching strategy. -+.\" .TP -+.\" .BR "--string-algo " "\fIalgorithm\fP" -+.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) -+.\" .TP -+.\" .BR "--string-from " "\fIoffset\fP" -+.\" The lowest offset from which a match can start. (default: 0) -+.\" .TP -+.\" .BR "--string-to " "\fIoffset\fP" -+.\" The highest offset from which a match can start. (default: size of frame) -+.\" .TP -+.\" .BR "--string " "[!] \fIpattern\fP" -+.\" Matches the given pattern. -+.\" .TP -+.\" .BR "--string-hex " "[!] \fIpattern\fP" -+.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|' -+.\" .TP -+.\" .BR "--string-icase" -+.\" Ignore case when searching. - .SS vlan - Specify 802.1Q Tag Control Information fields. 
- The protocol must be specified as -@@ -1026,7 +995,6 @@ The default target - The - .B dnat - target can only be used in the --.BR BROUTING " chain of the " broute " table and the " - .BR PREROUTING " and " OUTPUT " chains of the " nat " table." - It specifies that the destination MAC address has to be changed. - .TP -@@ -1089,11 +1057,8 @@ The - .B redirect - target will change the MAC target address to that of the bridge device the - frame arrived on. This target can only be used in the --.BR BROUTING " chain of the " broute " table and the " - .BR PREROUTING " chain of the " nat " table." --In the --.BR BROUTING " chain, the MAC address of the bridge port is used as destination address," --.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used." -+The MAC address of the bridge is used as destination address." - .TP - .BR "--redirect-target " "\fItarget\fP" - .br -@@ -1135,12 +1100,17 @@ arp message and the hardware address length in the arp header is 6 bytes. - .br - .SH FILES - .I /etc/ethertypes --.I /var/lib/ebtables/lock - .SH ENVIRONMENT VARIABLES - .I EBTABLES_ATOMIC_FILE - .SH MAILINGLISTS - .BR "" "See " http://netfilter.org/mailinglists.html -+.SH BUGS -+The version of ebtables this man page ships with does not support the -+.B broute -+table. Also there is no support for -+.BR among " and " string -+matches. And finally, this list is probably not complete. - .SH SEE ALSO --.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8) -+.BR xtables-nft "(8), " iptables "(8), " ip (8) - .PP --.BR "" "See " http://ebtables.sf.net -+.BR "" "See " https://wiki.nftables.org --- -2.21.0 - diff --git a/iptables.spec b/iptables.spec index a843584..bfebd8b 100644 --- a/iptables.spec +++ b/iptables.spec 
@@ -4,19 +4,33 @@
 # service legacy actions (RHBZ#748134)
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
+# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel
+%global bootstrap 1
+
+%if 0%{?bootstrap}
+%global version_old 1.8.2
+%global iptc_so_ver_old 0
+%endif
+%global iptc_so_ver 2
+
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
+URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.3
-Release: 2%{?dist}
-Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
+Release: 3%{?dist}
+Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
+%if 0%{?bootstrap}
+Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
+Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
+%endif
+
 Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
-URL: http://www.netfilter.org/
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
 License: GPLv2 and Artistic Licence 2.0 and ISC
@@ -115,6 +129,14 @@ nftables compatibility for iptables, arptables and ebtables.
 %prep
 %autosetup -p1
+%if 0%{?bootstrap}
+%{__mkdir} -p bootstrap_ver
+pushd bootstrap_ver
+%{__tar} --strip-components=1 -xf %{SOURCE7}
+%{__patch} -p1 <%{SOURCE8}
+popd
+%endif
+
 %build
 ./autogen.sh
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
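Review bot: Both tarballs are now fetched through `URL: http://www.netfilter.org/projects/iptables`, so the 1.8.3 source and the bootstrap 1.8.2 source (Source7) are downloaded over plain HTTP; netfilter.org serves the same paths over TLS, and changing the single line to `URL: https://www.netfilter.org/projects/iptables` protects both downloads at once instead of relying solely on the checksum presumably kept outside the spec. The new `%global bootstrap 1` knob also lacks a note on its exit condition; a comment such as `# set to 0 once all consumers of libip*tc.so.%{iptc_so_ver_old} have been rebuilt` next to it would record when the old SONAME is meant to stop shipping.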
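Review bot: In the %prep hunk, `%{__patch} -p1 <%{SOURCE8}` applies the bootstrap patch with patch(1)'s default fuzz, while `%autosetup -p1` just above applies Patch1 with the distribution's default fuzz factor (0 on Fedora, as far as I recall), so a hunk of Source8 that drifts against the 1.8.2 tree could be placed at a shifted offset without failing the build. Passing the same strictness explicitly keeps both trees equally checked: `%{__patch} -p1 --fuzz=0 <%{SOURCE8}`. The %build section whose first lines close this hunk continues past it.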
@@ -128,7 +150,31 @@ rm -f include/linux/types.h
 make %{?_smp_mflags}
+%if 0%{?bootstrap}
+pushd bootstrap_ver
+./autogen.sh
+CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
+%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
+
+# do not use rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+rm -f include/linux/types.h
+
+make %{?_smp_mflags}
+popd
+%endif
+
 %install
+%if 0%{?bootstrap}
+%make_install -C bootstrap_ver
+%{_bindir}/find %{buildroot} -xtype f -not \
+ -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
+%{_bindir}/find %{buildroot} -type l -not \
+ -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
+%endif
+
 make install DESTDIR=%{buildroot}
 # remove la file(s)
 rm -f %{buildroot}/%{_libdir}/*.la
@@ -315,8 +361,11 @@ fi
 %ghost %{_sbindir}/ip6tables-save
 %files libs
-%{_libdir}/libip*tc.so.*
-%{_libdir}/libxtables.so.*
+%{_libdir}/libip*tc.so.%{iptc_so_ver}*
+%if 0%{?bootstrap}
+%{_libdir}/libip*tc.so.%{iptc_so_ver_old}*
+%endif
+%{_libdir}/libxtables.so.12*
 %files devel
 %dir %{_includedir}/iptables
@@ -393,6 +442,12 @@ fi
 %changelog
+* Tue Jun 25 2019 Phil Sutter - 1.8.3-3
+- Change URL to point at iptables project, not netfilter overview page
+- Reuse URL value in tarball source
+- Reduce globbing of library file names to expose future SONAME changes
+- Add bootstrapping for libip*tc SONAME bump
+
 * Tue Jun 25 2019 Phil Sutter - 1.8.3-2
 - Install new man page for nfbpf_compile utility
 - Move nfnl_osf man page to utils subpackage
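Review bot: The bootstrap block in %build repeats the main recipe verbatim (autogen, CFLAGS, %configure, the two rpath-stripping seds, the types.h removal, make), so a later fix to one copy — the rpath removal in particular, which decides the runtime search path baked into the installed libraries — can silently miss the other. Folding the shared steps into one macro expanded for both the top-level tree and `bootstrap_ver` would keep them in lock-step, and the same holds for the duplicated `find ... -delete -print` pair in %install. As a minimal measure, a comment on the bootstrap block such as `# keep in sync with the main %build steps above` flags the coupling. The %build section begins before this hunk.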
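Review bot: In the %files libs hunk, `%{_libdir}/libxtables.so.12*` hard-codes the libxtables SONAME while the libip*tc entries go through `%{iptc_so_ver}` and `%{iptc_so_ver_old}`; for consistency, and so the next libxtables bump is caught in the same place as the libip*tc one, define `%global xtables_so_ver 12` next to `%global iptc_so_ver 2` and use `%{_libdir}/libxtables.so.%{xtables_so_ver}*` here. The narrowed globs already do what the changelog promises: a SONAME change now surfaces as an unpackaged-file error instead of silently shipping under the old entry.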