diff mbox series

ebtables-nft: introduce '-m <match_ext>' option

Message ID 20200619142912.19390-2-crosser@average.org
State Not Applicable
Delegated to: Pablo Neira
Headers show
Series ebtables-nft: introduce '-m <match_ext>' option | expand

Commit Message

Eugene Crosser June 19, 2020, 2:29 p.m. UTC
From: Eugene Crosser <evgenii.cherkashin@cloud.ionos.com>

`iptables` command has an option '-m' to dynamically load match
extentions (shared objects in the <lib-path>/xtables directory).
`ebtables` command has no such option, making it impossible to add new
extentions without recompiling the program.

This patch adds functionality of dynamic loading of match extentions,
bringing `ebtables` command on par with `iptables` command. (Note that
dynamic loading of _target_ extentions works in `ebtables` the same way
as in `iptables` out of the box.)

Signed-off-by: Eugene Crosser <crosser@average.org>
 iptables/ebtables-nft.8 | 6 +++---
 iptables/xtables-eb.c   | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff mbox series


diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 1fa5ad93..181f742d 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -504,9 +504,9 @@  If used with the
 .IR pcnt ", resp. " bcnt " will match."
-Ebtables extensions are dynamically loaded into the userspace tool,
-there is therefore no need to explicitly load them with a
--m option like is done in iptables.
+Standard ebtables extensions are dynamically loaded into the userspace tool,
+while custom extentions need to explicitly loaded with a
+-m option like it is done in iptables.
 These extensions deal with functionality supported by kernel modules supplemental to
 the core ebtables code.
 .SS 802_3
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 6641a21a..d4bf336e 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -800,7 +800,7 @@  int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
 	/* Getopt saves the day */
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+	   "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:m:", opts, NULL)) != -1) {
 		cs.c = c;
 		cs.invert = ebt_invert;
 		switch (c) {
@@ -1100,6 +1100,9 @@  print_zero:
 					      "Sorry, protocols have values above or equal to 0x0600");
+		case 'm':
+			ebt_load_match(optarg);
+			break;
 		case 4  : /* Lc */
 			ebt_check_option2(&flags, LIST_C);
 			if (command != 'L')