packages/ebtables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 10:37:43 -04:00
commit 08b6a51975
13 changed files with 855 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
0001-add-RARP-and-update-iana-url.patch Normal file
View File

@ -0,0 +1,44 @@
From 908d41de58d46262e719fff778950a6f893a02f8 Mon Sep 17 00:00:00 2001
From: Bart De Schuymer <bdschuym@pandora.be>
Date: Tue, 3 Jul 2012 18:47:32 +0000
Subject: [PATCH 01/16] add RARP and update iana url
---
userspace/ebtables2/ethertypes | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
index 5e700f663987..813177b74588 100644
--- a/ethertypes
+++ b/ethertypes
@@ -5,6 +5,7 @@
#
# This list could be found on:
# http://www.iana.org/assignments/ethernet-numbers
+# http://www.iana.org/assignments/ieee-802-numbers
#
# <name> <hexnumber> <alias1>...<alias35> #Comment
#
@@ -21,15 +22,16 @@ LAT 6004 # DEC LAT
DIAG 6005 # DEC Diagnostics
CUST 6006 # DEC Customer use
SCA 6007 # DEC Systems Comms Arch
-TEB 6558 # Trans Ether Bridging [RFC1701]
-RAW_FR 6559 # Raw Frame Relay [RFC1701]
+TEB 6558 # Trans Ether Bridging [RFC1701]
+RAW_FR 6559 # Raw Frame Relay [RFC1701]
+RARP 8035 # Reverse ARP [RFC903]
AARP 80F3 # Appletalk AARP
-ATALK 809B # Appletalk
+ATALK 809B # Appletalk
802_1Q 8100 8021q 1q 802.1q dot1q # 802.1Q Virtual LAN tagged frame
IPX 8137 # Novell IPX
NetBEUI 8191 # NetBEUI
IPv6 86DD ip6 # IP version 6
-PPP 880B # PPP
+PPP 880B # PPP
ATMMPOA 884C # MultiProtocol over ATM
PPP_DISC 8863 # PPPoE discovery messages
PPP_SES 8864 # PPPoE session messages
--
1.8.5.3

157
ebtables-2.0.0-audit.patch Normal file
View File

@ -0,0 +1,157 @@
--- ebtables2.orig/extensions/ebt_AUDIT.c 1970-01-01 01:00:00.000000000 +0100
+++ ebtables2.orig/extensions/ebt_AUDIT.c 2011-01-07 10:53:46.680329228 +0100
@@ -0,0 +1,110 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter/xt_AUDIT.h>
+
+#define AUDIT_TYPE '1'
+static struct option opts[] =
+{
+ { "audit-type" , required_argument, 0, AUDIT_TYPE },
+ { 0 }
+};
+
+static void print_help()
+{
+ printf(
+ "AUDIT target options:\n"
+ " --audit-type TYPE : Set action type to record.\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
+
+ info->type = 0;
+}
+
+static int parse(int c, char **argv, int argc,
+ const struct ebt_u_entry *entry, unsigned int *flags,
+ struct ebt_entry_target **target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
+
+ switch (c) {
+ case AUDIT_TYPE:
+ ebt_check_option2(flags, AUDIT_TYPE);
+
+ if (!strcasecmp(optarg, "accept"))
+ info->type = XT_AUDIT_TYPE_ACCEPT;
+ else if (!strcasecmp(optarg, "drop"))
+ info->type = XT_AUDIT_TYPE_DROP;
+ else if (!strcasecmp(optarg, "reject"))
+ info->type = XT_AUDIT_TYPE_REJECT;
+ else
+ ebt_print_error2("Bad action type value `%s'", optarg);
+
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hookmask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_target *target)
+{
+ const struct xt_AUDIT_info *info =
+ (const struct xt_AUDIT_info *) target->data;
+
+ printf("--audit-type ");
+
+ switch(info->type) {
+ case XT_AUDIT_TYPE_ACCEPT:
+ printf("accept");
+ break;
+ case XT_AUDIT_TYPE_DROP:
+ printf("drop");
+ break;
+ case XT_AUDIT_TYPE_REJECT:
+ printf("reject");
+ break;
+ }
+}
+
+static int compare(const struct ebt_entry_target *t1,
+ const struct ebt_entry_target *t2)
+{
+ const struct xt_AUDIT_info *info1 =
+ (const struct xt_AUDIT_info *) t1->data;
+ const struct xt_AUDIT_info *info2 =
+ (const struct xt_AUDIT_info *) t2->data;
+
+ return info1->type == info2->type;
+}
+
+static struct ebt_u_target AUDIT_target =
+{
+ .name = "AUDIT",
+ .size = sizeof(struct xt_AUDIT_info),
+ .help = print_help,
+ .init = init,
+ .parse = parse,
+ .final_check = final_check,
+ .print = print,
+ .compare = compare,
+ .extra_ops = opts,
+};
+
+void _init(void)
+{
+ ebt_register_target(&AUDIT_target);
+}
--- ebtables2.orig/extensions/Makefile 2011-01-07 10:55:28.077246240 +0100
+++ ebtables2.orig/extensions/Makefile 2011-01-07 10:53:46.686329230 +0100
@@ -1,7 +1,7 @@
#! /usr/bin/make
EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
- pkttype stp among limit ulog nflog
+ pkttype stp among limit ulog nflog AUDIT
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
--- a/include/linux/netfilter/xt_AUDIT.h
+++ a/include/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+ XT_AUDIT_TYPE_ACCEPT = 0,
+ XT_AUDIT_TYPE_DROP,
+ XT_AUDIT_TYPE_REJECT,
+ __XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_AUDIT_info {
+ __u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */

16
ebtables-2.0.10-linkfix.patch Normal file
View File

@ -0,0 +1,16 @@
diff -up ebtables-v2.0.10-4/extensions/Makefile.linkfix ebtables-v2.0.10-4/extensions/Makefile
--- ebtables-v2.0.10-4/extensions/Makefile.linkfix 2011-12-15 15:02:47.000000000 -0500
+++ ebtables-v2.0.10-4/extensions/Makefile 2012-04-05 15:52:09.563511746 -0400
@@ -9,9 +9,10 @@ EXT_LIBS+=$(foreach T,$(EXT_FUNC), exten
EXT_LIBS+=$(foreach T,$(EXT_TABLES), extensions/libebtable_$(T).so)
EXT_LIBSI+=$(foreach T,$(EXT_FUNC), -lebt_$(T))
EXT_LIBSI+=$(foreach T,$(EXT_TABLES), -lebtable_$(T))
+EXT_LDFLAGS+=-L. -lebtc
-extensions/ebt_%.so: extensions/ebt_%.o
- $(CC) $(LDFLAGS) -shared -o $@ -lc $< -nostartfiles
+extensions/ebt_%.so: extensions/ebt_%.o libebtc.so
+ $(CC) $(LDFLAGS) $(EXT_LDFLAGS) -shared -o $@ -lc $< -nostartfiles
extensions/libebt_%.so: extensions/ebt_%.so
mv $< $@

50
ebtables-2.0.10-lockdirfix.patch Normal file
View File

@ -0,0 +1,50 @@
diff -up ebtables-v2.0.10-4/ebtables.8.lockdirfix ebtables-v2.0.10-4/ebtables.8
--- ebtables-v2.0.10-4/ebtables.8.lockdirfix 2016-01-18 11:13:21.707069702 -0500
+++ ebtables-v2.0.10-4/ebtables.8 2016-01-18 11:13:40.554953365 -0500
@@ -1103,7 +1103,7 @@ arp message and the hardware address len
.br
.SH FILES
.I /etc/ethertypes
-.I /var/lib/ebtables/lock
+.I /run/ebtables.lock
.SH ENVIRONMENT VARIABLES
.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
diff -up ebtables-v2.0.10-4/INSTALL.lockdirfix ebtables-v2.0.10-4/INSTALL
--- ebtables-v2.0.10-4/INSTALL.lockdirfix 2016-01-18 11:15:31.458268826 -0500
+++ ebtables-v2.0.10-4/INSTALL 2016-01-18 11:15:53.890130367 -0500
@@ -31,7 +31,7 @@ WHAT GETS INSTALLED AND WHAT OPTIONS ARE
copied to /etc/rc.d/init.d (change with option INITDIR)
- The ebtables configuration file (ebtables-config) is copied to /etc/sysconfig
- ebtables can use a lock file to enable concurrent execution of the ebtables
- tool. The standard location of the lock file is /var/lib/ebtables/lock.
+ tool. The standard location of the lock file is /run/ebtables.lock.
Include LOCKFILE=<<path-to-file>> if you want to use another file.
That's all
diff -up ebtables-v2.0.10-4/libebtc.c.lockdirfix ebtables-v2.0.10-4/libebtc.c
--- ebtables-v2.0.10-4/libebtc.c.lockdirfix 2016-01-18 11:12:14.347485472 -0500
+++ ebtables-v2.0.10-4/libebtc.c 2016-01-18 11:13:06.515163472 -0500
@@ -134,8 +134,8 @@ void ebt_list_extensions()
}
#ifndef LOCKFILE
-#define LOCKDIR "/var/lib/ebtables"
-#define LOCKFILE LOCKDIR"/lock"
+#define LOCKDIR "/run"
+#define LOCKFILE LOCKDIR"/ebtables.lock"
#endif
static int lockfd = -1, locked;
int use_lockfd;
diff -up ebtables-v2.0.10-4/Makefile.lockdirfix ebtables-v2.0.10-4/Makefile
--- ebtables-v2.0.10-4/Makefile.lockdirfix 2016-01-18 11:14:10.715767201 -0500
+++ ebtables-v2.0.10-4/Makefile 2016-01-18 11:15:20.506336425 -0500
@@ -5,7 +5,7 @@ PROGRELEASE:=4
PROGVERSION_:=2.0.10
PROGVERSION:=$(PROGVERSION_)-$(PROGRELEASE)
PROGDATE:=December\ 2011
-LOCKFILE?=/var/lib/ebtables/lock
+LOCKFILE?=/run/ebtables.lock
LOCKDIR:=$(shell echo $(LOCKFILE) | sed 's/\(.*\)\/.*/\1/')/
# default paths

69
ebtables-2.0.10-noflush.patch Normal file
View File

@ -0,0 +1,69 @@
commit 3a25ae2361da048f24524d8e63d70f4cd40444f3
Author: Sanket Shah <sanket.shah@cyberoam.com>
Date: Wed Jul 31 21:40:08 2013 +0200
Add --noflush command line support for ebtables-restore
diff --git a/ebtables-restore.c b/ebtables-restore.c
index ea02960..bb4d0cf 100644
--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -22,13 +22,25 @@
#include <string.h>
#include <errno.h>
#include <unistd.h>
+#include <getopt.h>
#include "include/ebtables_u.h"
+static const struct option options[] = {
+ {.name = "noflush", .has_arg = 0, .val = 'n'},
+ { 0 }
+};
+
static struct ebt_u_replace replace[3];
void ebt_early_init_once();
#define OPT_KERNELDATA 0x800 /* Also defined in ebtables.c */
+static void print_usage()
+{
+ fprintf(stderr, "Usage: ebtables-restore [ --noflush ]\n");
+ exit(1);
+}
+
static void copy_table_names()
{
strcpy(replace[0].name, "filter");
@@ -41,11 +53,20 @@ static void copy_table_names()
int main(int argc_, char *argv_[])
{
char *argv[EBTD_ARGC_MAX], cmdline[EBTD_CMDLINE_MAXLN];
- int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace;
+ int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace, c, flush = 1;
char ebtables_str[] = "ebtables";
- if (argc_ != 1)
- ebtrest_print_error("options are not supported");
+ while ((c = getopt_long(argc_, argv_, "n", options, NULL)) != -1) {
+ switch(c) {
+ case 'n':
+ flush = 0;
+ break;
+ default:
+ print_usage();
+ break;
+ }
+ }
+
ebt_silent = 0;
copy_table_names();
ebt_early_init_once();
@@ -68,7 +89,7 @@ int main(int argc_, char *argv_[])
ebtrest_print_error("table '%s' was not recognized", cmdline+1);
table_nr = i;
replace[table_nr].command = 11;
- ebt_get_kernel_table(&replace[table_nr], 1);
+ ebt_get_kernel_table(&replace[table_nr], flush);
replace[table_nr].command = 0;
replace[table_nr].flags = OPT_KERNELDATA; /* Prevent do_command from initialising replace */
continue;

66
ebtables-2.0.10-norootinst.patch Normal file
View File

@ -0,0 +1,66 @@
diff -up ebtables-v2.0.10-1/Makefile.orig ebtables-v2.0.10-1/Makefile
--- ebtables-v2.0.10-1/Makefile.orig 2011-07-10 05:28:52.000000000 -0400
+++ ebtables-v2.0.10-1/Makefile 2011-07-11 10:45:00.323426448 -0400
@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
scripts: ebtables-save ebtables.sysv ebtables-config
cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
+ if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
- if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
+ if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
$(MANDIR)/man8/ebtables.8: ebtables.8
mkdir -p $(DESTDIR)$(@D)
sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
+ install -m 0644 ebtables.8_ $(DESTDIR)$@
rm -f ebtables.8_
$(DESTDIR)$(ETHERTYPESFILE): ethertypes
mkdir -p $(@D)
- install -m 0644 -o root -g root $< $@
+ install -m 0644 $< $@
.PHONY: exec
exec: ebtables ebtables-restore
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
.PHONY: install
install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
@@ -205,18 +205,18 @@ release:
rm -f extensions/ebt_inat.c
rm -rf $(CVSDIRS)
mkdir -p include/linux/netfilter_bridge
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
# To keep possible compile error complaints about undefined ETH_P_8021Q
# off my back
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/types.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
include/linux/netfilter_bridge/
- install -m 0644 -o root -g root \
+ install -m 0644 \
include/ebtables.h include/linux/netfilter_bridge/
make clean
touch *

106
ebtables-2.0.9-lsb.patch Normal file
View File

@ -0,0 +1,106 @@
diff -up ebtables-v2.0.9-1/ebtables.sysv.lsb ebtables-v2.0.9-1/ebtables.sysv
--- ebtables-v2.0.9-1/ebtables.sysv.lsb 2010-01-15 11:39:31.000000000 +0100
+++ ebtables-v2.0.9-1/ebtables.sysv 2010-01-15 12:52:24.000000000 +0100
@@ -18,9 +18,9 @@ source /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
-[ -x __EXEC_PATH__/ebtables ] || exit 1
-[ -x __EXEC_PATH__/ebtables-save ] || exit 1
-[ -x __EXEC_PATH__/ebtables-restore ] || exit 1
+[ -x __EXEC_PATH__/ebtables ] || exit 5
+[ -x __EXEC_PATH__/ebtables-save ] || exit 5
+[ -x __EXEC_PATH__/ebtables-restore ] || exit 5
RETVAL=0
prog="ebtables"
@@ -39,6 +39,7 @@ config=__SYSCONFIG__/$prog-config
[ -f "$config" ] && . "$config"
start() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Starting $desc ($prog): "
if [ "$EBTABLES_BINARY_FORMAT" = "yes" ]; then
for table in $(ls __SYSCONFIG__/ebtables.* 2>/dev/null | sed -e 's/.*ebtables\.//' -e '/save/d' ); do
@@ -50,7 +51,7 @@ start() {
if [ $RETVAL -eq 0 ]; then
success "$prog startup"
- rm -f /var/lock/subsys/$prog
+ touch "/var/lock/subsys/$prog"
else
failure "$prog startup"
fi
@@ -58,6 +59,7 @@ start() {
}
stop() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Stopping $desc ($prog): "
for table in $(grep '^ebtable_' /proc/modules | sed -e 's/ebtable_\([^ ]*\).*/\1/'); do
__EXEC_PATH__/ebtables -t $table --init-table || RETVAL=1
@@ -71,7 +73,7 @@ stop() {
if [ $RETVAL -eq 0 ]; then
success "$prog shutdown"
- rm -f /var/lock/subsys/$prog
+ rm -f "/var/lock/subsys/$prog"
else
failure "$prog shutdown"
fi
@@ -79,11 +81,13 @@ stop() {
}
restart() {
+ [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
stop
start
}
save() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Saving $desc ($prog): "
if [ "$EBTABLES_TEXT_FORMAT" = "yes" ]; then
if [ -e __SYSCONFIG__/ebtables ]; then
@@ -116,30 +120,34 @@ save() {
case "$1" in
start)
+ [ -f "/var/lock/subsys/$prog" ] && exit 0
start
;;
stop)
[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
stop
;;
- restart|reload)
- [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
+ restart|force-reload)
restart
;;
- condrestart)
- [ -e /var/lock/subsys/$prog ] && restart
- RETVAL=$?
+ reload)
+ [ ! -f "/var/lock/subsys/$prog" ] && exit 7
+ restart
+ ;;
+ condrestart|try-restart)
+ [ ! -e "/var/lock/subsys/$prog" ] && exit 0
+ restart
;;
save)
save
;;
status)
+ [ -f "/var/lock/subsys/$prog" ] && RETVAL=0 || RETVAL=3
__EXEC_PATH__/ebtables-save
- RETVAL=$?
;;
*)
echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
- RETVAL=1
+ RETVAL=2
esac
exit $RETVAL

43
ebtables-save Executable file
View File

@ -0,0 +1,43 @@
#!/bin/bash
EBTABLES="/sbin/ebtables"
[ -x "$EBTABLES" ] || exit 1
echo "# Generated by ebtables-save v1.0 on $(date)"
cnt=""
[ "x$EBTABLES_SAVE_COUNTER" = "xyes" ] && cnt="--Lc"
for table_name in $(grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//); do
table=$($EBTABLES -t $table_name -L $cnt)
[ $? -eq 0 ] || { echo "$table"; exit -1; }
chain=""
rules=""
while read line; do
[ -z "$line" ] && continue
case "$line" in
Bridge\ table:\ *)
echo "*${line:14}"
;;
Bridge\ chain:\ *)
chain="${line:14}"
chain="${chain%%,*}"
policy="${line##*policy: }"
echo ":$chain $policy"
;;
*)
if [ "$cnt" = "--Lc" ]; then
line=${line/, pcnt \=/ -c}
line=${line/-- bcnt \=/}
fi
rules="$rules-A $chain $line\n"
;;
esac
done <<EOF
$table
EOF
echo -e $rules
done

113
ebtables-use-flock-for-concurrent-option.patch Normal file
View File

@ -0,0 +1,113 @@
Subject: [ebtables PATCH] Use flock() for --concurrent option
From: https://patchwork.ozlabs.org/
The previous locking mechanism was not atomic, hence it was possible
that a killed ebtables process would leave the lock file in place which
in turn made future ebtables processes wait indefinitely for the lock to
become free.
Fix this by using flock(). This also simplifies code quite a bit because
there is no need for a custom signal handler or an __exit routine
anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
diff -Nur ebtables-v2.0.10-4_orig/ebtables.c ebtables-v2.0.10-4/ebtables.c
--- ebtables-v2.0.10-4_orig/ebtables.c 2019-09-24 15:24:49.560000000 +0800
+++ ebtables-v2.0.10-4/ebtables.c 2019-09-24 15:28:35.324000000 +0800
@@ -528,12 +528,6 @@
ebt_iterate_targets(merge_target);
}
-/* signal handler, installed when the option --concurrent is specified. */
-static void sighandler(int signum)
-{
- exit(-1);
-}
-
/* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
int do_command(int argc, char *argv[], int exec_style,
struct ebt_u_replace *replace_)
@@ -1047,8 +1041,6 @@
strcpy(replace->filename, optarg);
break;
case 13 : /* concurrent */
- signal(SIGINT, sighandler);
- signal(SIGTERM, sighandler);
use_lockfd = 1;
break;
case 1 :
diff -Nur ebtables-v2.0.10-4_orig/libebtc.c ebtables-v2.0.10-4/libebtc.c
--- ebtables-v2.0.10-4_orig/libebtc.c 2019-09-24 15:24:49.564000000 +0800
+++ ebtables-v2.0.10-4/libebtc.c 2019-09-24 15:34:02.592000000 +0800
@@ -31,6 +31,7 @@
#include "include/ethernetdb.h"
#include <unistd.h>
#include <fcntl.h>
+#include <sys/file.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -137,58 +138,17 @@
#define LOCKDIR "/run"
#define LOCKFILE LOCKDIR"/ebtables.lock"
#endif
-static int lockfd = -1, locked;
int use_lockfd;
/* Returns 0 on success, -1 when the file is locked by another process
* or -2 on any other error. */
static int lock_file()
{
- int try = 0;
- int ret = 0;
- sigset_t sigset;
-
-tryagain:
- /* the SIGINT handler will call unlock_file. To make sure the state
- * of the variable locked is correct, we need to temporarily mask the
- * SIGINT interrupt. */
- sigemptyset(&sigset);
- sigaddset(&sigset, SIGINT);
- sigprocmask(SIG_BLOCK, &sigset, NULL);
- lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
- if (lockfd < 0) {
- if (errno == EEXIST)
- ret = -1;
- else if (try == 1)
- ret = -2;
- else {
- if (mkdir(LOCKDIR, 00700))
- ret = -2;
- else {
- try = 1;
- goto tryagain;
- }
- }
- } else {
- close(lockfd);
- locked = 1;
- }
- sigprocmask(SIG_UNBLOCK, &sigset, NULL);
- return ret;
+int fd = open(LOCKFILE, O_CREAT, 00600);
+ if (fd < 0)
+ return -2;
+ return flock(fd, LOCK_EX);
}
-void unlock_file()
-{
- if (locked) {
- remove(LOCKFILE);
- locked = 0;
- }
-}
-
-void __attribute__ ((destructor)) onexit()
-{
- if (use_lockfd)
- unlock_file();
-}
/* Get the table from the kernel or from a binary file
* init: 1 = ask the kernel for the initial contents of a table, i.e. the
* way it looks when the table is insmod'ed

BIN
ebtables-v2.0.10-4.tar.gz Normal file
View File

Binary file not shown.

11
ebtables.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Ethernet Bridge Filtering tables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ebtables start
ExecStop=/usr/libexec/ebtables stop
[Install]
WantedBy=multi-user.target

106
ebtables.spec Normal file
View File

@ -0,0 +1,106 @@
%global ebminor 4
Name: ebtables
Version: 2.0.10
Release: 30
Summary: A filtering tool for a Linux-based bridging firewall
License: GPLv2+
URL: http://ebtables.sourceforge.net/
Source0: http://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz
Source1: ebtables-save
Source2: ebtables.systemd
Source3: ebtables.service
#patches from fedora/redhat repository
Patch0001: ebtables-2.0.10-norootinst.patch
Patch0002: ebtables-2.0.9-lsb.patch
Patch0003: ebtables-2.0.10-linkfix.patch
Patch0004: ebtables-2.0.0-audit.patch
Patch0005: 0001-add-RARP-and-update-iana-url.patch
Patch0006: ebtables-2.0.10-lockdirfix.patch
Patch0007: ebtables-2.0.10-noflush.patch
# patch0008 from https://patchwork.ozlabs.org
Patch0008: ebtables-use-flock-for-concurrent-option.patch
BuildRequires: systemd
Requires: systemd %{_sbindir}/update-alternatives
Conflicts: setup < 2.10.4-1
%description
The ebtables program is a filtering tool for a Linux-based bridging firewall.It enables transparent filtering of network traffic passing through a Linux bridge.The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers.
The ebtables tool can be combined with the other Linux filtering tools to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.
%package help
Summary: help documents for ebtables
%description help
Help package contains some doc and man help files for ebtables.
%prep
%autosetup -n %{name}-v%{version}-%{ebminor} -p1
f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f
%build
%make_build CFLAGS="${RPM_OPT_FLAGS}" LIBDIR="/%{_lib}/ebtables" BINDIR="%{_sbindir}" MANDIR="%{_mandir}" LDFLAGS="${RPM_LD_FLAGS} -Wl,-z,now"
%install
install -d %{buildroot}{%{_initrddir},%{_unitdir},%{_libexecdir},%{_sysconfdir}/sysconfig}
install -p %{SOURCE3} %{buildroot}%{_unitdir}/
chmod -x %{buildroot}%{_unitdir}/*.service
install -m0755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables
%make_install LIBDIR="/%{_lib}/ebtables" BINDIR="%{_sbindir}" MANDIR="%{_mandir}"
touch %{buildroot}%{_sysconfdir}/sysconfig/{ebtables.nat,ebtables.filter,ebtables.broute}
rm -f %{buildroot}%{_sbindir}/ebtables-save
install %{SOURCE1} %{buildroot}%{_sbindir}/ebtables-save
mv %{buildroot}/%{_lib}/ebtables/libebtc.so %{buildroot}/%{_lib}/
mv %{buildroot}%{_sbindir}/ebtables %{buildroot}%{_sbindir}/ebtables-legacy
touch %{buildroot}%{_sbindir}/ebtables
%post
%systemd_post ebtables.service
%?ldconfig
if [ "$(readlink -e %{_sbindir}/ebtables)" == %{_sbindir}/ebtables ]; then
rm -f %{_sbindir}/ebtables
fi
%{_sbindir}/update-alternatives --install %{_sbindir}/ebtables ebtables %{_sbindir}/ebtables-legacy 10
%preun
%systemd_preun ebtables.service
%postun
%systemd_postun_with_restart ebtables.service
%?ldconfig
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove ebtables %{_sbindir}/ebtables-legacy
fi
%files
%license COPYING
%{_unitdir}/ebtables.service
%{_libexecdir}/ebtables
/%{_lib}/libebtc.so
/%{_lib}/ebtables/
%{_sbindir}/ebtables-*
%exclude %{_initrddir}
%exclude %{_sysconfdir}/ethertypes
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
%ghost %{_sbindir}/ebtables
%ghost %{_sysconfdir}/sysconfig/{ebtables.filter,ebtables.nat,ebtables.broute}
%files help
%doc ChangeLog THANKS
%doc %{_mandir}/man8/ebtables.8*
%changelog
* Thu Sep 24 2019 gaoguanghui <gaoguanghui1@huawei.com> - 2.0.10-30
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:this patch made future ebtables processes wait indefinitely for the lock to
become free
* Mon Sep 16 2019 yanzhihua <yanzhihua4@huawei.com> - 2.0.10-29
- Package init

74
ebtables.systemd Normal file
View File

@ -0,0 +1,74 @@
#!/bin/bash
RETVAL=0
initialize() {
# Initialize $TYPE tables
echo -n $" $TYPE tables: "
if [ -r /etc/sysconfig/ebtables.$TYPE ]; then
/sbin/ebtables -t $TYPE --atomic-file /etc/sysconfig/ebtables.$TYPE --atomic-commit > /dev/null || RETVAL=1
else
echo -n "not configured"
fi
if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
}
case $1 in
start)
# Initialize filter tables
TYPE=filter
initialize
# Initialize NAT tables
echo
TYPE=nat
initialize
# Initialize broute tables
echo
TYPE=broute
initialize
;;
stop)
/sbin/ebtables -t filter --init-table || RETVAL=1
/sbin/ebtables -t nat --init-table || RETVAL=1
/sbin/ebtables -t broute --init-table || RETVAL=1
for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -f1 -d' ') ebtables; do
/sbin/rmmod $mod || RETVAL=1
done
if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
;;
save)
echo -n $"Saving Ethernet bridge filtering (ebtables): "
/sbin/ebtables -t filter --atomic-file /etc/sysconfig/ebtables.filter --atomic-save || RETVAL=1
/sbin/ebtables -t nat --atomic-file /etc/sysconfig/ebtables.nat --atomic-save || RETVAL=1
/sbin/ebtables -t broute --atomic-file /etc/sysconfig/ebtables.broute --atomic-save || RETVAL=1
if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
;;
*)
echo "usage: ${0##*/} {start|stop|save}" >&2
exit 1
;;
esac
# vim:set ts=2 sw=2 ft=sh et: