iptables-1.8.3-3

- Change URL to point at iptables project, not netfilter overview page
- Reuse URL value in tarball source
- Reduce globbing of library file names to expose future SONAME changes
- Add bootstrapping for libip*tc SONAME bump
Phil Sutter 2019-06-25 16:26:43 +02:00
parent 28d2f32245
commit 972fb0a368
5 changed files with 60 additions and 2144 deletions


@ -1,486 +0,0 @@
From 1d0089550ab9882ac90d0fc673f213c51e133552 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 13 Mar 2019 20:46:12 +0100
Subject: [PATCH] doc: Add arptables-nft man pages
These are 1:1 copies from legacy arptables repository.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 4dbb6b9118e32a9b748ead893106de59579424f5)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/Makefile.am | 3 +
iptables/arptables-nft-restore.8 | 41 ++++
iptables/arptables-nft-save.8 | 37 ++++
iptables/arptables-nft.8 | 352 +++++++++++++++++++++++++++++++
4 files changed, 433 insertions(+)
create mode 100644 iptables/arptables-nft-restore.8
create mode 100644 iptables/arptables-nft-save.8
create mode 100644 iptables/arptables-nft.8
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 581dc32ba846b..52309679d390c 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -63,6 +63,9 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
ip6tables-save.8 iptables-extensions.8 \
xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
xtables-monitor.8
+if ENABLE_NFTABLES
+man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8
+endif
CLEANFILES = iptables.8 xtables-monitor.8 \
xtables-config-parser.c xtables-config-syntax.c
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
new file mode 100644
index 0000000000000..4f2f623673415
--- /dev/null
+++ b/iptables/arptables-nft-restore.8
@@ -0,0 +1,41 @@
+.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
+.\"
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables-restore man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables-restore \(em Restore ARP Tables
+.SH SYNOPSIS
+\fBarptables\-restore
+.SH DESCRIPTION
+.PP
+.B arptables-restore
+is used to restore ARP Tables from data specified on STDIN or
+via a file as first argument.
+Use I/O redirection provided by your shell to read from a file
+.TP
+.B arptables-restore
+flushes (deletes) all previous contents of the respective ARP Table.
+.SH BUGS
+None known as of arptables-0.0.4 release
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+\fBarptables\-save\fP(8), \fBarptables\fP(8)
+.PP
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
new file mode 100644
index 0000000000000..34791a9c087f0
--- /dev/null
+++ b/iptables/arptables-nft-save.8
@@ -0,0 +1,37 @@
+.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
+.\"
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables-save man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables-save \(em dump arptables rules to stdout
+.SH SYNOPSIS
+\fBarptables\-save
+.SH DESCRIPTION
+.PP
+.B arptables-save
+is used to dump the contents of an ARP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.SH BUGS
+None known as of arptables-0.0.4 release
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+.PP
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
new file mode 100644
index 0000000000000..3ce99e3757004
--- /dev/null
+++ b/iptables/arptables-nft.8
@@ -0,0 +1,352 @@
+.TH ARPTABLES 8 "June 2018"
+.\"
+.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
+.\" maintained by Bart De Schuymer.
+.\" It is based on the iptables man page.
+.\"
+.\" Iptables page by Herve Eychenne March 2000.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables \- ARP table administration (legacy)
+.SH SYNOPSIS
+.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
+.br
+.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
+.br
+.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+
+.SH LEGACY
+This tool uses the old xtables/setsockopt framework, and is a legacy version
+of arptables. That means that a new, more modern tool exists with the same
+functionality using the nf_tables framework and you are encouraged to migrate now.
+The new binaries (formerly known as -compat) uses the same syntax and
+semantics than this legacy one.
+
+You can still use this legacy tool. You should probably get some specific
+information from your Linux distribution or vendor.
+More docs are available at https://wiki.nftables.org
+
+.SH DESCRIPTION
+.B arptables
+is a user space tool, it is used to set up and maintain the
+tables of ARP rules in the Linux kernel. These rules inspect
+the ARP frames which they see.
+.B arptables
+is analogous to the
+.B iptables
+user space tool, but
+.B arptables
+is less complicated.
+
+.SS CHAINS
+The kernel table is used to divide functionality into
+different sets of rules. Each set of rules is called a chain.
+Each chain is an ordered list of rules that can match ARP frames. If a
+rule matches an ARP frame, then a processing specification tells
+what to do with that matching frame. The processing specification is
+called a 'target'. However, if the frame does not match the current
+rule in the chain, then the next rule in the chain is examined and so forth.
+The user can create new (user-defined) chains which can be used as the 'target' of a rule.
+
+.SS TARGETS
+A firewall rule specifies criteria for an ARP frame and a frame
+processing specification called a target. When a frame matches a rule,
+then the next action performed by the kernel is specified by the target.
+The target can be one of these values:
+.IR ACCEPT ,
+.IR DROP ,
+.IR CONTINUE ,
+.IR RETURN ,
+an 'extension' (see below) or a user-defined chain.
+.PP
+.I ACCEPT
+means to let the frame through.
+.I DROP
+means the frame has to be dropped.
+.I CONTINUE
+means the next rule has to be checked. This can be handy to know how many
+frames pass a certain point in the chain or to log those frames.
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain.
+For the extension targets please see the
+.B "TARGET EXTENSIONS"
+section of this man page.
+.SS TABLES
+There is only one ARP table in the Linux
+kernel. The table is
+.BR filter.
+You can drop the '-t filter' argument to the arptables command.
+The -t argument must be the
+first argument on the arptables command line, if used.
+.TP
+.B "-t, --table"
+.br
+.BR filter ,
+is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
+.B INPUT
+(for frames destined for the host),
+.B OUTPUT
+(for locally-generated frames) and
+.B FORWARD
+(for frames being forwarded by the bridge code). The
+.B FORWARD
+chain doesn't exist in Linux 2.4.X kernels.
+.br
+.br
+.SH ARPTABLES COMMAND LINE ARGUMENTS
+After the initial arptables command line argument, the remaining
+arguments can be divided into several different groups. These groups
+are commands, miscellaneous commands, rule-specifications, match-extensions,
+and watcher-extensions.
+.SS COMMANDS
+The arptables command arguments specify the actions to perform on the table
+defined with the -t argument. If you do not use the -t argument to name
+a table, the commands apply to the default filter table.
+With the exception of the
+.B "-Z"
+command, only one command may be used on the command line at a time.
+.TP
+.B "-A, --append"
+Append a rule to the end of the selected chain.
+.TP
+.B "-D, --delete"
+Delete the specified rule from the selected chain. There are two ways to
+use this command. The first is by specifying an interval of rule numbers
+to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
+details about using negative numbers, see the -I command. The second usage is by
+specifying the complete rule as it would have been specified when it was added.
+.TP
+.B "-I, --insert"
+Insert the specified rule into the selected chain at the specified rule number.
+If the current number of rules equals N, then the specified number can be
+between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
+same place in the chain where the rule should be inserted. The number 0 specifies
+the place past the last rule in the chain and using this number is therefore
+equivalent with using the -A command.
+.TP
+.B "-R, --replace"
+Replaces the specified rule into the selected chain at the specified rule number.
+If the current number of rules equals N, then the specified number can be
+between 1 and N. i specifies the place in the chain where the rule should be replaced.
+.TP
+.B "-P, --policy"
+Set the policy for the chain to the given target. The policy can be
+.BR ACCEPT ", " DROP " or " RETURN .
+.TP
+.B "-F, --flush"
+Flush the selected chain. If no chain is selected, then every chain will be
+flushed. Flushing the chain does not change the policy of the
+chain, however.
+.TP
+.B "-Z, --zero"
+Set the counters of the selected chain to zero. If no chain is selected, all the counters
+are set to zero. The
+.B "-Z"
+command can be used in conjunction with the
+.B "-L"
+command.
+When both the
+.B "-Z"
+and
+.B "-L"
+commands are used together in this way, the rule counters are printed on the screen
+before they are set to zero.
+.TP
+.B "-L, --list"
+List all rules in the selected chain. If no chain is selected, all chains
+are listed.
+.TP
+.B "-N, --new-chain"
+Create a new user-defined chain with the given name. The number of
+user-defined chains is unlimited. A user-defined chain name has maximum
+length of 31 characters.
+.TP
+.B "-X, --delete-chain"
+Delete the specified user-defined chain. There must be no remaining references
+to the specified chain, otherwise
+.B arptables
+will refuse to delete it. If no chain is specified, all user-defined
+chains that aren't referenced will be removed.
+.TP
+.B "-E, --rename-chain"
+Rename the specified chain to a new name. Besides renaming a user-defined
+chain, you may rename a standard chain name to a name that suits your
+taste. For example, if you like PREBRIDGING more than PREROUTING,
+then you can use the -E command to rename the PREROUTING chain. If you do
+rename one of the standard
+.B arptables
+chain names, please be sure to mention
+this fact should you post a question on the
+.B arptables
+mailing lists.
+It would be wise to use the standard name in your post. Renaming a standard
+.B arptables
+chain in this fashion has no effect on the structure or function
+of the
+.B arptables
+kernel table.
+
+.SS MISCELLANOUS COMMANDS
+.TP
+.B "-V, --version"
+Show the version of the arptables userspace program.
+.TP
+.B "-h, --help"
+Give a brief description of the command syntax.
+.TP
+.BR "-j, --jump " "\fItarget\fP"
+The target of the rule. This is one of the following values:
+.BR ACCEPT ,
+.BR DROP ,
+.BR CONTINUE ,
+.BR RETURN ,
+a target extension (see
+.BR "TARGET EXTENSIONS" ")"
+or a user-defined chain name.
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+.B INSERT,
+.B APPEND,
+.B REPLACE
+operations).
+
+.SS RULE-SPECIFICATIONS
+The following command line arguments make up a rule specification (as used
+in the add and delete commands). A "!" option before the specification
+inverts the test for that specification. Apart from these standard rule
+specifications there are some other command line arguments of interest.
+.TP
+.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+The Source IP specification.
+.TP
+.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+The Destination IP specification.
+.TP
+.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+The source mac address. Both mask and address are written as 6 hexadecimal
+numbers separated by colons.
+.TP
+.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination mac address. Both mask and address are written as 6 hexadecimal
+numbers separated by colons.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+The interface via which a frame is received (for the
+.BR INPUT " and " FORWARD
+chains). The flag
+.B --in-if
+is an alias for this option.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+The interface via which a frame is going to be sent (for the
+.BR OUTPUT " and " FORWARD
+chains). The flag
+.B --out-if
+is an alias for this option.
+.TP
+.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
+The hardware length (nr of bytes)
+.TP
+.BR "--opcode " "\fIcode\fP[/\fImask\fP]
+The operation code (2 bytes). Available values are:
+.BR 1 = Request
+.BR 2 = Reply
+.BR 3 = Request_Reverse
+.BR 4 = Reply_Reverse
+.BR 5 = DRARP_Request
+.BR 6 = DRARP_Reply
+.BR 7 = DRARP_Error
+.BR 8 = InARP_Request
+.BR 9 = ARP_NAK .
+.TP
+.BR "--h-type " "\fItype\fP[/\fImask\fP]"
+The hardware type (2 bytes, hexadecimal). Available values are:
+.BR 1 = Ethernet .
+.TP
+.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
+The protocol type (2 bytes). Available values are:
+.BR 0x800 = IPv4 .
+
+.SS TARGET-EXTENSIONS
+.B arptables
+extensions are precompiled into the userspace tool. So there is no need
+to explicitly load them with a -m option like in
+.BR iptables .
+However, these
+extensions deal with functionality supported by supplemental kernel modules.
+.SS mangle
+.TP
+.BR "--mangle-ip-s IP address"
+Mangles Source IP Address to given value.
+.TP
+.BR "--mangle-ip-d IP address"
+Mangles Destination IP Address to given value.
+.TP
+.BR "--mangle-mac-s MAC address"
+Mangles Source MAC Address to given value.
+.TP
+.BR "--mangle-mac-d MAC address"
+Mangles Destination MAC Address to given value.
+.TP
+.BR "--mangle-target target "
+Target of ARP mangle operation
+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS CLASSIFY
+This module allows you to set the skb->priority value (and thus clas-
+sify the packet into a specific CBQ class).
+
+.TP
+.BR "--set-class major:minor"
+
+Set the major and minor class value. The values are always
+interpreted as hexadecimal even if no 0x prefix is given.
+
+.SS MARK
+This module allows you to set the skb->mark value (and thus classify
+the packet by the mark in u32)
+
+.TP
+.BR "--set-mark mark"
+Set the mark value. The values are always
+interpreted as hexadecimal even if no 0x prefix is given
+
+.TP
+.BR "--and-mark mark"
+Binary AND the mark with bits.
+
+.TP
+.BR "--or-mark mark"
+Binary OR the mark with bits.
+
+.SH MAILINGLISTS
+.BR "" "See " http://netfilter.org/mailinglists.html
+.SH SEE ALSO
+.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
+.PP
+.BR "" "See " http://ebtables.sf.net
--
2.21.0


@ -1,192 +0,0 @@
From 2efbd30ed9f1db90b32b556d0e3df16d05281bc7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 13 Mar 2019 20:46:13 +0100
Subject: [PATCH] doc: Adjust arptables man pages
Change content to suit the shipped nft-based variant. Most relevant
changes:
* FORWARD chain is not supported
* arptables-nft-save supports a few parameters
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 1a0cd997d601794c7031346063b8b77f4af2a13e)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/arptables-nft-restore.8 | 6 ++--
iptables/arptables-nft-save.8 | 20 +++++++++----
iptables/arptables-nft.8 | 48 +++++++++++++++-----------------
3 files changed, 39 insertions(+), 35 deletions(-)
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 4f2f623673415..09d9082cf9fd3 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -1,4 +1,4 @@
-.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
+.TH ARPTABLES-RESTORE 8 "March 2019" "" ""
.\"
.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
.\" Man page written by Harald Welte <laforge@gnumonks.org>
@@ -20,7 +20,7 @@
.\"
.\"
.SH NAME
-arptables-restore \(em Restore ARP Tables
+arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
\fBarptables\-restore
.SH DESCRIPTION
@@ -32,8 +32,6 @@ Use I/O redirection provided by your shell to read from a file
.TP
.B arptables-restore
flushes (deletes) all previous contents of the respective ARP Table.
-.SH BUGS
-None known as of arptables-0.0.4 release
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
index 34791a9c087f0..905e59854cc28 100644
--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
@@ -1,4 +1,4 @@
-.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
+.TH ARPTABLES-SAVE 8 "March 2019" "" ""
.\"
.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
.\" Man page written by Harald Welte <laforge@gnumonks.org>
@@ -20,16 +20,26 @@
.\"
.\"
.SH NAME
-arptables-save \(em dump arptables rules to stdout
+arptables-save \- dump arptables rules to stdout (nft-based)
.SH SYNOPSIS
-\fBarptables\-save
+\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+.P
+\fBarptables\-save\fP [\fB\-V\fP]
.SH DESCRIPTION
.PP
.B arptables-save
is used to dump the contents of an ARP Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.SH BUGS
-None known as of arptables-0.0.4 release
+.TP
+\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, arptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Print version information and exit.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 3ce99e3757004..ea31e0842acd4 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -1,4 +1,4 @@
-.TH ARPTABLES 8 "June 2018"
+.TH ARPTABLES 8 "March 2019"
.\"
.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
.\" maintained by Bart De Schuymer.
@@ -22,7 +22,7 @@
.\"
.\"
.SH NAME
-arptables \- ARP table administration (legacy)
+arptables \- ARP table administration (nft-based)
.SH SYNOPSIS
.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
.br
@@ -38,17 +38,6 @@ arptables \- ARP table administration (legacy)
.br
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
-.SH LEGACY
-This tool uses the old xtables/setsockopt framework, and is a legacy version
-of arptables. That means that a new, more modern tool exists with the same
-functionality using the nf_tables framework and you are encouraged to migrate now.
-The new binaries (formerly known as -compat) uses the same syntax and
-semantics than this legacy one.
-
-You can still use this legacy tool. You should probably get some specific
-information from your Linux distribution or vendor.
-More docs are available at https://wiki.nftables.org
-
.SH DESCRIPTION
.B arptables
is a user space tool, it is used to set up and maintain the
@@ -106,15 +95,11 @@ first argument on the arptables command line, if used.
.B "-t, --table"
.br
.BR filter ,
-is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
+is the only table and contains two built-in chains:
.B INPUT
-(for frames destined for the host),
+(for frames destined for the host) and
.B OUTPUT
-(for locally-generated frames) and
-.B FORWARD
-(for frames being forwarded by the bridge code). The
-.B FORWARD
-chain doesn't exist in Linux 2.4.X kernels.
+(for locally-generated frames).
.br
.br
.SH ARPTABLES COMMAND LINE ARGUMENTS
@@ -258,15 +243,15 @@ numbers separated by colons.
.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
The interface via which a frame is received (for the
-.BR INPUT " and " FORWARD
-chains). The flag
+.B INPUT
+chain). The flag
.B --in-if
is an alias for this option.
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
The interface via which a frame is going to be sent (for the
-.BR OUTPUT " and " FORWARD
-chains). The flag
+.B OUTPUT
+chain). The flag
.B --out-if
is an alias for this option.
.TP
@@ -344,9 +329,20 @@ Binary AND the mark with bits.
.BR "--or-mark mark"
Binary OR the mark with bits.
+.SH NOTES
+In this nft-based version of
+.BR arptables ,
+support for
+.B FORWARD
+chain has not been implemented. Since ARP packets are "forwarded" only by Linux
+bridges, the same may be achieved using
+.B FORWARD
+chain in
+.BR ebtables .
+
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH SEE ALSO
-.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
.PP
-.BR "" "See " http://ebtables.sf.net
+.BR "" "See " https://wiki.nftables.org
--
2.21.0



@ -1,275 +0,0 @@
From a3310b304ca75f45505b89071b1537a6fcc97228 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 13 Mar 2019 20:46:15 +0100
Subject: [PATCH] doc: Adjust ebtables man page
Change content to match nft-variant, most notably:
* There is no broute table, drop all references to it
* Comment out description of among and string matches, we don't support
them (yet)
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 1939cbc25e6f51cebaa7a2d71c45bb312bab8668)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ebtables-nft.8 | 164 ++++++++++++++++------------------------
1 file changed, 67 insertions(+), 97 deletions(-)
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 55204ab91e8a4..db8b2ab28cca5 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -24,7 +24,7 @@
.\"
.\"
.SH NAME
-ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
+ebtables \- Ethernet bridge frame table administration (nft-based)
.SH SYNOPSIS
.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
.br
@@ -51,17 +51,6 @@ ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legac
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
.br
-.SH LEGACY
-This tool uses the old xtables/setsockopt framework, and is a legacy version
-of ebtables. That means that a new, more modern tool exists with the same
-functionality using the nf_tables framework and you are encouraged to migrate now.
-The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
-uses the same syntax and semantics than this legacy one.
-
-You can still use this legacy tool. You should probably get some specific
-information from your Linux distribution or vendor.
-More docs are available at https://wiki.nftables.org
-
.SH DESCRIPTION
.B ebtables
is an application program used to set up and maintain the
@@ -72,7 +61,7 @@ It is analogous to the
application, but less complicated, due to the fact that the Ethernet protocol
is much simpler than the IP protocol.
.SS CHAINS
-There are three ebtables tables with built-in chains in the
+There are two ebtables tables with built-in chains in the
Linux kernel. These tables are used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match Ethernet frames. If a
@@ -98,10 +87,7 @@ an 'extension' (see below) or a jump to a user-defined chain.
.B ACCEPT
means to let the frame through.
.B DROP
-means the frame has to be dropped. In the
-.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
-meanings (see the info provided for the
-.BR -t " option)."
+means the frame has to be dropped.
.B CONTINUE
means the next rule has to be checked. This can be handy, f.e., to know how many
frames pass a certain point in the chain, to log those frames or to apply multiple
@@ -113,14 +99,16 @@ For the extension targets please refer to the
.B "TARGET EXTENSIONS"
section of this man page.
.SS TABLES
-As stated earlier, there are three ebtables tables in the Linux
+As stated earlier, there are two ebtables tables in the Linux
kernel. The table names are
-.BR filter ", " nat " and " broute .
-Of these three tables,
+.BR filter " and " nat .
+Of these two tables,
the filter table is the default table that the command operates on.
If you are working with the filter table, then you can drop the '-t filter'
argument to the ebtables command. However, you will need to provide
-the -t argument for the other two tables. Moreover, the -t argument must be the
+the -t argument for
+.B nat
+table. Moreover, the -t argument must be the
first argument on the ebtables command line, if used.
.TP
.B "-t, --table"
@@ -149,25 +137,6 @@ iptables world to ebtables it is easier to have the same names. Note that you
can change the name
.BR "" ( -E )
if you don't like the default.
-.br
-.br
-.B broute
-is used to make a brouter, it has one built-in chain:
-.BR BROUTING .
-The targets
-.BR DROP " and " ACCEPT
-have a special meaning in the broute table (these names are used instead of
-more descriptive names to keep the implementation generic).
-.B DROP
-actually means the frame has to be routed, while
-.B ACCEPT
-means the frame has to be bridged. The
-.B BROUTING
-chain is traversed very early. However, it is only traversed by frames entering on
-a bridge port that is in forwarding state. Normally those frames
-would be bridged, but you can decide otherwise here. The
-.B redirect
-target is very handy here.
.SH EBTABLES COMMAND LINE ARGUMENTS
After the initial ebtables '-t table' command line argument, the remaining
arguments can be divided into several groups. These groups
@@ -553,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
be consulted to determine the payload protocol. This is a two byte
(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
-.SS among
-Match a MAC address or MAC/IP address pair versus a list of MAC addresses
-and MAC/IP address pairs.
-A list entry has the following format:
-.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
-list entries are separated by a comma, specifying an IP address corresponding to
-the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
-but different IP address (and vice versa) can be specified. If the MAC address doesn't
-match any entry from the list, the frame doesn't match the rule (unless "!" was used).
-.TP
-.BR "--among-dst " "[!] \fIlist\fP"
-Compare the MAC destination to the given list. If the Ethernet frame has type
-.IR IPv4 " or " ARP ,
-then comparison with MAC/IP destination address pairs from the
-list is possible.
-.TP
-.BR "--among-src " "[!] \fIlist\fP"
-Compare the MAC source to the given list. If the Ethernet frame has type
-.IR IPv4 " or " ARP ,
-then comparison with MAC/IP source address pairs from the list
-is possible.
-.TP
-.BR "--among-dst-file " "[!] \fIfile\fP"
-Same as
-.BR --among-dst " but the list is read in from the specified file."
-.TP
-.BR "--among-src-file " "[!] \fIfile\fP"
-Same as
-.BR --among-src " but the list is read in from the specified file."
+.\" .SS among
+.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+.\" and MAC/IP address pairs.
+.\" A list entry has the following format:
+.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+.\" list entries are separated by a comma, specifying an IP address corresponding to
+.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
+.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+.\" .TP
+.\" .BR "--among-dst " "[!] \fIlist\fP"
+.\" Compare the MAC destination to the given list. If the Ethernet frame has type
+.\" .IR IPv4 " or " ARP ,
+.\" then comparison with MAC/IP destination address pairs from the
+.\" list is possible.
+.\" .TP
+.\" .BR "--among-src " "[!] \fIlist\fP"
+.\" Compare the MAC source to the given list. If the Ethernet frame has type
+.\" .IR IPv4 " or " ARP ,
+.\" then comparison with MAC/IP source address pairs from the list
+.\" is possible.
+.\" .TP
+.\" .BR "--among-dst-file " "[!] \fIfile\fP"
+.\" Same as
+.\" .BR --among-dst " but the list is read in from the specified file."
+.\" .TP
+.\" .BR "--among-src-file " "[!] \fIfile\fP"
+.\" Same as
+.\" .BR --among-src " but the list is read in from the specified file."
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
@@ -822,26 +791,26 @@ The hello time timer (0-65535) range.
.TP
.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
The forward delay timer (0-65535) range.
-.SS string
-This module matches on a given string using some pattern matching strategy.
-.TP
-.BR "--string-algo " "\fIalgorithm\fP"
-The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-.TP
-.BR "--string-from " "\fIoffset\fP"
-The lowest offset from which a match can start. (default: 0)
-.TP
-.BR "--string-to " "\fIoffset\fP"
-The highest offset from which a match can start. (default: size of frame)
-.TP
-.BR "--string " "[!] \fIpattern\fP"
-Matches the given pattern.
-.TP
-.BR "--string-hex " "[!] \fIpattern\fP"
-Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
-.TP
-.BR "--string-icase"
-Ignore case when searching.
+.\" .SS string
+.\" This module matches on a given string using some pattern matching strategy.
+.\" .TP
+.\" .BR "--string-algo " "\fIalgorithm\fP"
+.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.\" .TP
+.\" .BR "--string-from " "\fIoffset\fP"
+.\" The lowest offset from which a match can start. (default: 0)
+.\" .TP
+.\" .BR "--string-to " "\fIoffset\fP"
+.\" The highest offset from which a match can start. (default: size of frame)
+.\" .TP
+.\" .BR "--string " "[!] \fIpattern\fP"
+.\" Matches the given pattern.
+.\" .TP
+.\" .BR "--string-hex " "[!] \fIpattern\fP"
+.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+.\" .TP
+.\" .BR "--string-icase"
+.\" Ignore case when searching.
.SS vlan
Specify 802.1Q Tag Control Information fields.
The protocol must be specified as
@@ -1026,7 +995,6 @@ The default target
The
.B dnat
target can only be used in the
-.BR BROUTING " chain of the " broute " table and the "
.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
It specifies that the destination MAC address has to be changed.
.TP
@@ -1089,11 +1057,8 @@ The
.B redirect
target will change the MAC target address to that of the bridge device the
frame arrived on. This target can only be used in the
-.BR BROUTING " chain of the " broute " table and the "
.BR PREROUTING " chain of the " nat " table."
-In the
-.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
-.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
+The MAC address of the bridge is used as destination address."
.TP
.BR "--redirect-target " "\fItarget\fP"
.br
@@ -1135,12 +1100,17 @@ arp message and the hardware address length in the arp header is 6 bytes.
.br
.SH FILES
.I /etc/ethertypes
-.I /var/lib/ebtables/lock
.SH ENVIRONMENT VARIABLES
.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
+.SH BUGS
+The version of ebtables this man page ships with does not support the
+.B broute
+table. Also there is no support for
+.BR among " and " string
+matches. And finally, this list is probably not complete.
.SH SEE ALSO
-.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
+.BR xtables-nft "(8), " iptables "(8), " ip (8)
.PP
-.BR "" "See " http://ebtables.sf.net
+.BR "" "See " https://wiki.nftables.org
--
2.21.0


@ -4,19 +4,33 @@
# service legacy actions (RHBZ#748134)
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel
%global bootstrap 1
%if 0%{?bootstrap}
%global version_old 1.8.2
%global iptc_so_ver_old 0
%endif
%global iptc_so_ver 2
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
Version: 1.8.3
Release: 2%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Release: 3%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
Source3: iptables.service
Source4: sysconfig_iptables
Source5: sysconfig_ip6tables
Source6: arptables-nft-helper
%if 0%{?bootstrap}
Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
%endif
Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
URL: http://www.netfilter.org/
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPLv2 and Artistic Licence 2.0 and ISC
@ -115,6 +129,14 @@ nftables compatibility for iptables, arptables and ebtables.
%prep
%autosetup -p1
%if 0%{?bootstrap}
%{__mkdir} -p bootstrap_ver
pushd bootstrap_ver
%{__tar} --strip-components=1 -xf %{SOURCE7}
%{__patch} -p1 <%{SOURCE8}
popd
%endif
%build
./autogen.sh
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
@ -128,7 +150,31 @@ rm -f include/linux/types.h
make %{?_smp_mflags}
%if 0%{?bootstrap}
pushd bootstrap_ver
./autogen.sh
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
# do not use rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
rm -f include/linux/types.h
make %{?_smp_mflags}
popd
%endif
%install
%if 0%{?bootstrap}
%make_install -C bootstrap_ver
%{_bindir}/find %{buildroot} -xtype f -not \
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
%{_bindir}/find %{buildroot} -type l -not \
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
%endif
make install DESTDIR=%{buildroot}
# remove la file(s)
rm -f %{buildroot}/%{_libdir}/*.la
@ -315,8 +361,11 @@ fi
%ghost %{_sbindir}/ip6tables-save
%files libs
%{_libdir}/libip*tc.so.*
%{_libdir}/libxtables.so.*
%{_libdir}/libip*tc.so.%{iptc_so_ver}*
%if 0%{?bootstrap}
%{_libdir}/libip*tc.so.%{iptc_so_ver_old}*
%endif
%{_libdir}/libxtables.so.12*
%files devel
%dir %{_includedir}/iptables
@ -393,6 +442,12 @@ fi
%changelog
* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-3
- Change URL to point at iptables project, not netfilter overview page
- Reuse URL value in tarball source
- Reduce globbing of library file names to expose future SONAME changes
- Add bootstrapping for libip*tc SONAME bump
* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-2
- Install new man page for nfbpf_compile utility
- Move nfnl_osf man page to utils subpackage
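Review bot: The reworked `URL:` and `Source:` lines still fetch the upstream tarballs over plain http://, and because `Source7` now reuses `%{url}` the bootstrap 1.8.2 tarball is pulled the same unauthenticated way; netfilter.org serves these paths over TLS, so `URL: https://www.netfilter.org/projects/iptables` would fix both Source lines in one place. Whether this matters in practice depends on the build pulling from the network rather than a lookaside cache with recorded checksums, which the spec alone does not show. Separately, the `%files libs` hunk introduces `%{iptc_so_ver}` for libip*tc but hard-codes `%{_libdir}/libxtables.so.12*` inline; a `%global xtables_so_ver 12` beside `iptc_so_ver` would keep the SONAME-exposure intent uniform across both libraries. The bootstrap `%configure` in %build duplicates flags whose main-build counterpart is cut off above the visible lines, so I cannot confirm the two invocations agree.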