2 * Format of an ARP firewall descriptor
4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
6 * flags are stored in host byte order (of course).
14 #include <linux/types.h>
16 #include <linux/if_arp.h>
17 #include <linux/skbuff.h>
19 #include <linux/compiler.h>
20 #include <linux/netfilter_arp.h>
22 #include <linux/netfilter/x_tables.h>
24 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
25 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
26 #define arpt_target xt_target
27 #define arpt_table xt_table
/* Upper bound on the hardware (link-layer) address length a rule can carry
 * (see the arhln field of the ARP match structure). */
#define ARPT_DEV_ADDR_LEN_MAX 16

/* One hardware address together with the mask that is applied to it.
 * Both arrays are fixed at ARPT_DEV_ADDR_LEN_MAX bytes so the layout is
 * stable as part of the userspace ABI.  NOTE(review): presumably only the
 * first arhln bytes are significant; the remainder should be zeroed by the
 * user, as with the rest of the rule structure. */
struct arpt_devaddr_info {
	char addr[ARPT_DEV_ADDR_LEN_MAX], mask[ARPT_DEV_ADDR_LEN_MAX];
};
36 /* Yes, Virginia, you have to zero the padding. */
38 /* Source and target IP addr */
39 struct in_addr src, tgt;
40 /* Mask for src and target IP addr */
41 struct in_addr smsk, tmsk;
43 /* Device hw address length, src+target device addresses */
44 u_int8_t arhln, arhln_mask;
45 struct arpt_devaddr_info src_devaddr;
46 struct arpt_devaddr_info tgt_devaddr;
48 /* ARP operation code. */
49 u_int16_t arpop, arpop_mask;
51 /* ARP hardware address and protocol address format. */
52 u_int16_t arhrd, arhrd_mask;
53 u_int16_t arpro, arpro_mask;
55 /* The protocol address length is only accepted if it is 4
56 * so there is no use in offering a way to do filtering on it.
59 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
60 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
68 struct arpt_entry_target
72 u_int16_t target_size;
74 /* Used by userspace */
75 char name[ARPT_FUNCTION_MAXNAMELEN-1];
79 u_int16_t target_size;
81 /* Used inside the kernel */
82 struct arpt_target *target;
86 u_int16_t target_size;
89 unsigned char data[0];
92 struct arpt_standard_target
94 struct arpt_entry_target target;
98 /* Values for "flag" field in struct arpt_ip (general arp structure).
99 * No flags defined yet.
101 #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
103 /* Values for "inv" field in struct arpt_arp. */
104 #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
105 #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
106 #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
107 #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
108 #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
109 #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
110 #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
111 #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
112 #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
113 #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
114 #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
116 /* This structure defines each of the firewall rules. It consists of three
117 parts: 1) the general ARP header fields, 2) match-specific data, and
118 3) the target to execute if the rule matches. */
123 /* Size of arpt_entry + matches */
124 u_int16_t target_offset;
125 /* Size of arpt_entry + matches + target */
126 u_int16_t next_offset;
129 unsigned int comefrom;
131 /* Packet and byte counters. */
132 struct xt_counters counters;
134 /* The matches (if any), then the target. */
135 unsigned char elems[0];
139 * New IP firewall options for [gs]etsockopt at the RAW IP level.
140 * Unlike BSD, Linux inherits IP options, so you don't have to use a raw
141 * socket for this. Instead we check rights in the calls.
143 #define ARPT_CTL_OFFSET 32
144 #define ARPT_BASE_CTL (XT_BASE_CTL+ARPT_CTL_OFFSET)
146 #define ARPT_SO_SET_REPLACE (XT_SO_SET_REPLACE+ARPT_CTL_OFFSET)
147 #define ARPT_SO_SET_ADD_COUNTERS (XT_SO_SET_ADD_COUNTERS+ARPT_CTL_OFFSET)
148 #define ARPT_SO_SET_MAX (XT_SO_SET_MAX+ARPT_CTL_OFFSET)
150 #define ARPT_SO_GET_INFO (XT_SO_GET_INFO+ARPT_CTL_OFFSET)
151 #define ARPT_SO_GET_ENTRIES (XT_SO_GET_ENTRIES+ARPT_CTL_OFFSET)
152 /* #define ARPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH */
153 #define ARPT_SO_GET_REVISION_TARGET (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
154 #define ARPT_SO_GET_MAX (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
156 /* CONTINUE verdict for targets */
157 #define ARPT_CONTINUE XT_CONTINUE
159 /* For standard target */
160 #define ARPT_RETURN XT_RETURN
162 /* The argument to ARPT_SO_GET_INFO */
165 /* Which table: caller fills this in. */
166 char name[ARPT_TABLE_MAXNAMELEN];
168 /* Kernel fills these in. */
169 /* Which hook entry points are valid: bitmask */
170 unsigned int valid_hooks;
172 /* Hook entry points: one per netfilter hook. */
173 unsigned int hook_entry[NF_ARP_NUMHOOKS];
175 /* Underflow points. */
176 unsigned int underflow[NF_ARP_NUMHOOKS];
178 /* Number of entries */
179 unsigned int num_entries;
181 /* Size of entries. */
185 /* The argument to ARPT_SO_SET_REPLACE. */
189 char name[ARPT_TABLE_MAXNAMELEN];
191 /* Which hook entry points are valid: bitmask. You can't
193 unsigned int valid_hooks;
195 /* Number of entries */
196 unsigned int num_entries;
198 /* Total size of new entries */
201 /* Hook entry points. */
202 unsigned int hook_entry[NF_ARP_NUMHOOKS];
204 /* Underflow points. */
205 unsigned int underflow[NF_ARP_NUMHOOKS];
207 /* Information about old entries: */
208 /* Number of counters (must be equal to current number of entries). */
209 unsigned int num_counters;
210 /* The old entries' counters. */
211 struct xt_counters __user *counters;
213 /* The entries (hang off end: not really an array). */
214 struct arpt_entry entries[0];
217 /* The argument to ARPT_SO_ADD_COUNTERS. */
218 #define arpt_counters_info xt_counters_info
219 #define arpt_counters xt_counters
221 /* The argument to ARPT_SO_GET_ENTRIES. */
222 struct arpt_get_entries
224 /* Which table: user fills this in. */
225 char name[ARPT_TABLE_MAXNAMELEN];
227 /* User fills this in: total entry size. */
231 struct arpt_entry entrytable[0];
234 /* Standard return verdict, or do jump. */
235 #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
237 #define ARPT_ERROR_TARGET XT_ERROR_TARGET
239 /* Helper functions */
/* Locate the target record that follows an entry and its matches.
 *
 * @e: the rule entry.  Its target_offset is the distance in bytes from the
 *     start of the entry to the target (entry header plus matches).
 *
 * Returns a pointer into the same table blob as @e.  No bounds check is done
 * here: target_offset originates from userspace (the entries handed over via
 * ARPT_SO_SET_REPLACE), so callers rely on it having been validated when the
 * table was accepted; that validation is not part of this header.
 */
static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct arpt_entry_target *)(base + e->target_offset);
}
245 /* fn returns 0 to continue iteration */
246 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
250 struct arpt_entry *__entry; \
252 for (__i = 0; __i < (size); __i += __entry->next_offset) { \
253 __entry = (void *)(entries) + __i; \
255 __ret = fn(__entry , ## args); \
263 * Main firewall chains definitions and global var's definitions.
267 #define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
268 #define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
270 extern int arpt_register_table(struct arpt_table *table,
271 const struct arpt_replace *repl);
272 extern void arpt_unregister_table(struct arpt_table *table);
273 extern unsigned int arpt_do_table(struct sk_buff **pskb,
275 const struct net_device *in,
276 const struct net_device *out,
277 struct arpt_table *table,
280 #define ARPT_ALIGN(s) (((s) + (__alignof__(struct arpt_entry)-1)) & ~(__alignof__(struct arpt_entry)-1))
281 #endif /*__KERNEL__*/
282 #endif /* _ARPTABLES_H */