20111215
Changelog for v2.0.10-4
* really fix counter setting bug (thanks to James' persistence)
20111204
Changelog for v2.0.10-3
* fix counter setting bug (reported by James Sinclair)
20110710
Changelog for v2.0.10-2
* enable compiler optimizations (-O3)
* small changes to remove the compiler warnings due to optimization being
turned on (thanks to Peter Volkov)
* respect LDFLAGS in Makefiles (Peter Volkov)
20110710
Changelog for v2.0.10-1
* fix --among-dst-file, which translated to --among-src
(reported by Thierry Watelet)
* fix bug in test_ulog.c example
* Makefile: respect LDFLAGS during ebtables build (Peter Volkov)
* Makefile: create directories to avoid build failure when DESTDIR is
supplied (Peter Volkov)
* incorporate fixes for possible issues found by Coverity analysis
(thanks to Jiri Popelka)
* define __EXPORTED_HEADERS__ to get access to the Linux kernel headers
* extend ebt_ip6 to allow matching on ipv6-icmp types/codes (by Florian
Westphal)
* Print a more useful error message when an update of the kernel table
failed.
* Add --concurrent option, which enables using a file lock to support
concurrent scripts updating the ebtables kernel tables
20100203
Changelog for v2.0.9-2
* fix unwanted zeroing of counters in the last user-defined chain
(reported by Jon Lewis)
* fix hidden symbol compilation error when using ld directly
* fix return value checking of creat to give a correct error
message if the atomic file couldn't be created
* correct info in INSTALL about compilation of ulog
20090621
Changelog for v2.0.9 vs v2.0.8-2
* added ip6 module for filtering IPv6 traffic (Kuo-Lang Tseng,
Manohar Castelino)
* added --log-ip6 option for logging IPv6 traffic (Kuo-Lang Tseng,
Manohar Castelino)
* added nflog watcher for logging packets to userspace (Peter Warasin)
* bugfix in ebtables.sysv (Michal Soltys)
* bugfix for among match on x86-64 (reported by Pavel Emelyanov)
20061217
Since last entry:
* fixed a few reported bugs
* ebt_among --among-dst-file and --among-src-file: allow
the list to be given in a file (circumvents command line max.
line length)
* ebt_nat --snat-arp: if it's an arp packet, also change the source
address in the arp header
* ebt_mark --mark-or, --mark-xor, --mark-and
20051020
Since last entry:
* ebtables modules are now located in /usr/lib/ebtables/
* added '/sbin/service ebtables' support
* added ebtables-save (thanks to Rok Papez <rok.papez@arnes.si>)
and ebtables-restore (the first one a Perl script, the second
one written in C (fast))
* optimized the code for the '-A' command, making ebtables-restore
very fast.
* ebtablesd/ebtablesu is deprecated and not compiled by default;
the ebtables-save/ebtables-restore scheme is much better
20050117
Since last entry:
* added ulog watcher
* made the ebtables code modular (make library functions).
* added the ebtablesd/ebtablesu scheme to allow faster
addition of rules (and to test the modular code).
* some small fixes
* added -c option (initialize counters)
* added -C option (change counters)
20031102
Since last entry:
* <grzes_at_gnu.univ.gda.pl> added arpreply and among modules
* <tommy_at_home.tig-grr.com> added limit match
20030724
* added (automatic) Sparc64 support, thanks to Michael Bellion and
Thomas Heinz from hipac.org for providing a test-box.
20030717
* added stp frames match type
20030713
* added support for deleting all user-defined chains (-X option
without specified chain)
20030601
* added --Lmac2
* <csv_at_bluetail.com> Chris Vitale: basic 802.3/802.2 filtering
(experimental, kernel files are in the CVS)
20030503
* added negative rule counter support
* bugfix: bcnt was not updated correctly
* <blancher_at_cartel-securite.fr> Cedric Blancher: add ARP MAC
matching support
* added pkttype match
20030402
* fixed check bug in ebt_ip.c (report from
joe_judge_at_guardium.com).
20030111
* fixed problem when removing a chain (report from
ykphuah_at_greenpacket.com).
* Added --help list_extensions which, well, lists the extensions
20021203
* changed the way to use the atomic operations. It's now possible
to use the EBTABLES_ATOMIC_FILE environment variable, so it's no
longer necessary to explicitly state the file name. See the man.
20021120
* changed the way of compiling. New releases will now contain their
own set of kernel includes. No more copying of kernel includes to
/usr/include/linux
* added getethertype.c (Nick) and use it. Removed name_to_number()
and number_to_name().
20021106
* added possibility to specify a rule number interval when deleting
rules
20021102
* added ! - option possibility, which is equivalent to - ! option
20021102
* since last entry: added byte counters and udp/tcp port matching
20020830
* updated the kernel files for 2.4.20-pre5 and 2.5.32
* last big cleanup of kernel and userspace code just finished
20020820
* ARP module bugfix
* IP module bugfix
* nat module bugfix
20020730
* other things done before 2.0-rc1 that I can think of,
including kernel:
* cache align counters for better smp performance
* simplify snat code
* check for --xxxx-target RETURN on base chain
* cleanup code
* minor bugfixes
20020724
* code cleanup
* bugfix for --atomic-commit
20020720
* added mark target+match
20020714
* added --atomic options
20020710
* some unlogged changes (due to laziness)
* added --Lc, --Ln, --Lx
20020625
* user defined chains support: added -N, -X, -E options.
20020621
* some unlogged changes (due to laziness)
* change the output for -L to make it look like it would look when
the user inputs the command.
* try to autoload modules
* some minor bugfixes
* add user defined chains support (without new commands yet,
deliberately)
* comparing rules didn't take the logical devices into account
20020520
* update help for -s and -d
* add VLAN in ethertypes
* add SYMLINK option for compiling
20020501
* allow -i and --logical-in in BROUTING
* update the manual page
* rename /etc/etherproto into /etc/ethertypes (seems to be a more
standard name)
* add MAC mask for -s and -d, also added Unicast, Multicast and
Broadcast specification for specifying a (family of) MAC
addresses.
20020427
* added broute table.
* added redirect target.
* added --redirect-target, --snat-target and --dnat-target options.
* added logical_out and logical_in
* snat bugfix (->size)
20020414
* fixed some things in the manual.
* fixed -P problem.
20020411
* -j standard no longer works, is this cryptic? good :)
* lots of beautification.
- made some code smaller
- made everything fit within 80 columns
* fix problems with -i and -o option
* print_memory now prints useful info
* trying to see the tables when ebtables is not loaded in kernel
no longer makes this be seen as a bug.
20020403
ebtables v2.0 released, changes:
* A complete rewrite, made everything modular.
* Fixed a one year old bug in br_db.c. A similar bug was present
in ebtables.c. It was visible when the number of rules got
bigger (around 90).
* Removed the option to allow/disallow counters. Frames passing
by are always counted now.
* Didn't really add any new functionality. However, it will be
_a lot_ easier and prettier to do so now. Feel free to add an
extension yourself.
* There are 4 types of extensions:
- Tables.
- Matches: like iptables has.
- Watchers: these only watch frames that passed all the matches
of the rule. They don't change the frame, nor give a verdict.
The log extension is a watcher.
- Targets.
* user32/kernel64 architectures like the Sparc64 are unsupported.
If you want me to change this, give me access to such a box,
and don't pressure me.