[deliverable/linux.git] / include / linux / netfilter_arp / arp_tables.h

/*
 * 	Format of an ARP firewall descriptor
 *
 * 	src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
 *	network byte order.
 * 	flags are stored in host byte order (of course).
 */

#ifndef _ARPTABLES_H
#define _ARPTABLES_H

#ifdef __KERNEL__
#include <linux/if.h>
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/skbuff.h>
#endif
#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/netfilter_arp.h>

#include <linux/netfilter/x_tables.h>

#ifndef __KERNEL__
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_entry_target xt_entry_target
#define arpt_standard_target xt_standard_target
#define arpt_error_target xt_error_target
#define ARPT_CONTINUE XT_CONTINUE
#define ARPT_RETURN XT_RETURN
#define arpt_counters_info xt_counters_info
#define arpt_counters xt_counters
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
#endif

#define ARPT_DEV_ADDR_LEN_MAX 16

struct arpt_devaddr_info {
	char addr[ARPT_DEV_ADDR_LEN_MAX];
	char mask[ARPT_DEV_ADDR_LEN_MAX];
};

/* Yes, Virginia, you have to zero the padding. */
struct arpt_arp {
	/* Source and target IP addr */
	struct in_addr src, tgt;
	/* Mask for src and target IP addr */
	struct in_addr smsk, tmsk;

	/* Device hw address length, src+target device addresses */
	__u8 arhln, arhln_mask;
	struct arpt_devaddr_info src_devaddr;
	struct arpt_devaddr_info tgt_devaddr;

	/* ARP operation code. */
	__be16 arpop, arpop_mask;

	/* ARP hardware address and protocol address format. */
	__be16 arhrd, arhrd_mask;
	__be16 arpro, arpro_mask;

	/* The protocol address length is only accepted if it is 4
	 * so there is no use in offering a way to do filtering on it.
	 */

	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Flags word */
	__u8 flags;
	/* Inverse flags */
	__u16 invflags;
};

/* Values for "flag" field in struct arpt_ip (general arp structure).
 * No flags defined yet.
 */
#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */

/* Values for "inv" field in struct arpt_arp. */
#define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
#define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
#define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
#define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
#define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
#define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
#define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
#define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */

/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general ARP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches */
struct arpt_entry
{
	struct arpt_arp arp;

	/* Size of arpt_entry + matches */
	__u16 target_offset;
	/* Size of arpt_entry + matches + target */
	__u16 next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * ATTENTION: check linux/in.h before adding new number here.
 */
#define ARPT_BASE_CTL		96

#define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
#define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
#define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS

#define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
/* #define ARPT_SO_GET_REVISION_MATCH	(APRT_BASE_CTL + 2) */
#define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)

/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo {
	/* Which table: caller fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};

/* The argument to ARPT_SO_SET_REPLACE. */
struct arpt_replace {
	/* Which table. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
           change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters. */
	struct xt_counters __user *counters;

	/* The entries (hang off end: not really an array). */
	struct arpt_entry entries[0];
};

/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries {
	/* Which table: user fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	struct arpt_entry entrytable[0];
};

/* Helper functions */
static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
{
	return (void *)e + e->target_offset;
}

/*
 *	Main firewall chains definitions and global var's definitions.
 */
#ifdef __KERNEL__

/* Standard entry. */
struct arpt_standard {
	struct arpt_entry entry;
	struct xt_standard_target target;
};

struct arpt_error {
	struct arpt_entry entry;
	struct xt_error_target target;
};

#define ARPT_ENTRY_INIT(__size)						       \
{									       \
	.target_offset	= sizeof(struct arpt_entry),			       \
	.next_offset	= (__size),					       \
}

#define ARPT_STANDARD_INIT(__verdict)					       \
{									       \
	.entry		= ARPT_ENTRY_INIT(sizeof(struct arpt_standard)),       \
	.target		= XT_TARGET_INIT(XT_STANDARD_TARGET,		       \
					 sizeof(struct xt_standard_target)), \
	.target.verdict	= -(__verdict) - 1,				       \
}

#define ARPT_ERROR_INIT							       \
{									       \
	.entry		= ARPT_ENTRY_INIT(sizeof(struct arpt_error)),	       \
	.target		= XT_TARGET_INIT(XT_ERROR_TARGET,		       \
					 sizeof(struct xt_error_target)),      \
	.target.errorname = "ERROR",					       \
}

extern void *arpt_alloc_initial_table(const struct xt_table *);
extern struct xt_table *arpt_register_table(struct net *net,
					    const struct xt_table *table,
					    const struct arpt_replace *repl);
extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
				  unsigned int hook,
				  const struct net_device *in,
				  const struct net_device *out,
				  struct xt_table *table);

#ifdef CONFIG_COMPAT
#include <net/compat.h>

struct compat_arpt_entry {
	struct arpt_arp arp;
	__u16 target_offset;
	__u16 next_offset;
	compat_uint_t comefrom;
	struct compat_xt_counters counters;
	unsigned char elems[0];
};

static inline struct xt_entry_target *
compat_arpt_get_target(struct compat_arpt_entry *e)
{
	return (void *)e + e->target_offset;
}

#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _ARPTABLES_H */
Commit	Line	Data
1da177e4 LT	1	/*
	2	* Format of an ARP firewall descriptor
	3	*
	4	* src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
	5	* network byte order.
	6	* flags are stored in host byte order (of course).
	7	*/
	8
	9	#ifndef _ARPTABLES_H
	10	#define _ARPTABLES_H
	11
	12	#ifdef __KERNEL__
	13	#include <linux/if.h>
1da177e4 LT	14	#include <linux/in.h>
	15	#include <linux/if_arp.h>
	16	#include <linux/skbuff.h>
	17	#endif
c8942f1f	18	#include <linux/types.h>
1da177e4 LT	19	#include <linux/compiler.h>
	20	#include <linux/netfilter_arp.h>
	21
2e4e6a17 HW	22	#include <linux/netfilter/x_tables.h>
2e4e6a17 HW	23
12b00c2c	24	#ifndef __KERNEL__
2e4e6a17 HW	25	#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
2e4e6a17 HW	26	#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
87a2e70d JE	27	#define arpt_entry_target xt_entry_target
87a2e70d JE	28	#define arpt_standard_target xt_standard_target
75f0a0fd	29	#define arpt_error_target xt_error_target
243bf6e2 JE	30	#define ARPT_CONTINUE XT_CONTINUE
	31	#define ARPT_RETURN XT_RETURN
	32	#define arpt_counters_info xt_counters_info
	33	#define arpt_counters xt_counters
	34	#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
	35	#define ARPT_ERROR_TARGET XT_ERROR_TARGET
	36	#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
	37	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
12b00c2c	38	#endif
1da177e4 LT	39
	40	#define ARPT_DEV_ADDR_LEN_MAX 16
	41
	42	struct arpt_devaddr_info {
	43	char addr[ARPT_DEV_ADDR_LEN_MAX];
	44	char mask[ARPT_DEV_ADDR_LEN_MAX];
	45	};
	46
	47	/* Yes, Virginia, you have to zero the padding. */
	48	struct arpt_arp {
	49	/* Source and target IP addr */
	50	struct in_addr src, tgt;
	51	/* Mask for src and target IP addr */
	52	struct in_addr smsk, tmsk;
	53
	54	/* Device hw address length, src+target device addresses */
7ff30c43	55	__u8 arhln, arhln_mask;
1da177e4 LT	56	struct arpt_devaddr_info src_devaddr;
	57	struct arpt_devaddr_info tgt_devaddr;
	58
	59	/* ARP operation code. */
59b8bfd8	60	__be16 arpop, arpop_mask;
1da177e4 LT	61
1da177e4 LT	62	/* ARP hardware address and protocol address format. */
59b8bfd8 AV	63	__be16 arhrd, arhrd_mask;
59b8bfd8 AV	64	__be16 arpro, arpro_mask;
1da177e4 LT	65
	66	/* The protocol address length is only accepted if it is 4
	67	* so there is no use in offering a way to do filtering on it.
	68	*/
	69
	70	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	71	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
	72
	73	/* Flags word */
7ff30c43	74	__u8 flags;
1da177e4	75	/* Inverse flags */
7ff30c43	76	__u16 invflags;
1da177e4 LT	77	};
1da177e4 LT	78
1da177e4 LT	79	/* Values for "flag" field in struct arpt_ip (general arp structure).
	80	* No flags defined yet.
	81	*/
	82	#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
	83
	84	/* Values for "inv" field in struct arpt_arp. */
	85	#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
	86	#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
	87	#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
	88	#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
	89	#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
	90	#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
	91	#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
	92	#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
	93	#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
	94	#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
	95	#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
	96
	97	/* This structure defines each of the firewall rules. Consists of 3
	98	parts which are 1) general ARP header stuff 2) match specific
	99	stuff 3) the target to perform if the rule matches */
	100	struct arpt_entry
	101	{
	102	struct arpt_arp arp;
	103
	104	/* Size of arpt_entry + matches */
7ff30c43	105	__u16 target_offset;
1da177e4	106	/* Size of arpt_entry + matches + target */
7ff30c43	107	__u16 next_offset;
1da177e4 LT	108
	109	/* Back pointer */
	110	unsigned int comefrom;
	111
	112	/* Packet and byte counters. */
2e4e6a17	113	struct xt_counters counters;
1da177e4 LT	114
	115	/* The matches (if any), then the target. */
	116	unsigned char elems[0];
	117	};
	118
	119	/*
	120	* New IP firewall options for [gs]etsockopt at the RAW IP level.
	121	* Unlike BSD Linux inherits IP options so you don't have to use a raw
	122	* socket for this. Instead we check rights in the calls.
b96e7ecb YK	123	*
b96e7ecb YK	124	* ATTENTION: check linux/in.h before adding new number here.
1da177e4	125	*/
b96e7ecb YK	126	#define ARPT_BASE_CTL 96
	127
	128	#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
	129	#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
	130	#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
	131
	132	#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
	133	#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
	134	/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
	135	#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
	136	#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
1da177e4	137
1da177e4	138	/* The argument to ARPT_SO_GET_INFO */
d94d9fee	139	struct arpt_getinfo {
1da177e4	140	/* Which table: caller fills this in. */
12b00c2c	141	char name[XT_TABLE_MAXNAMELEN];
1da177e4 LT	142
	143	/* Kernel fills these in. */
	144	/* Which hook entry points are valid: bitmask */
	145	unsigned int valid_hooks;
	146
	147	/* Hook entry points: one per netfilter hook. */
	148	unsigned int hook_entry[NF_ARP_NUMHOOKS];
	149
	150	/* Underflow points. */
	151	unsigned int underflow[NF_ARP_NUMHOOKS];
	152
	153	/* Number of entries */
	154	unsigned int num_entries;
	155
	156	/* Size of entries. */
	157	unsigned int size;
	158	};
	159
	160	/* The argument to ARPT_SO_SET_REPLACE. */
d94d9fee	161	struct arpt_replace {
1da177e4	162	/* Which table. */
12b00c2c	163	char name[XT_TABLE_MAXNAMELEN];
1da177e4 LT	164
	165	/* Which hook entry points are valid: bitmask. You can't
	166	change this. */
	167	unsigned int valid_hooks;
	168
	169	/* Number of entries */
	170	unsigned int num_entries;
	171
	172	/* Total size of new entries */
	173	unsigned int size;
	174
	175	/* Hook entry points. */
	176	unsigned int hook_entry[NF_ARP_NUMHOOKS];
	177
	178	/* Underflow points. */
	179	unsigned int underflow[NF_ARP_NUMHOOKS];
	180
	181	/* Information about old entries: */
	182	/* Number of counters (must be equal to current number of entries). */
	183	unsigned int num_counters;
	184	/* The old entries' counters. */
2e4e6a17	185	struct xt_counters __user *counters;
1da177e4 LT	186
	187	/* The entries (hang off end: not really an array). */
	188	struct arpt_entry entries[0];
	189	};
	190
1da177e4	191	/* The argument to ARPT_SO_GET_ENTRIES. */
d94d9fee	192	struct arpt_get_entries {
1da177e4	193	/* Which table: user fills this in. */
12b00c2c	194	char name[XT_TABLE_MAXNAMELEN];
1da177e4 LT	195
	196	/* User fills this in: total entry size. */
	197	unsigned int size;
	198
	199	/* The entries. */
	200	struct arpt_entry entrytable[0];
	201	};
	202
1da177e4	203	/* Helper functions */
87a2e70d	204	static __inline__ struct xt_entry_target arpt_get_target(struct arpt_entry e)
1da177e4 LT	205	{
	206	return (void *)e + e->target_offset;
	207	}
	208
1da177e4 LT	209	/*
	210	* Main firewall chains definitions and global var's definitions.
	211	*/
	212	#ifdef __KERNEL__
	213
3c2ad469	214	/* Standard entry. */
d94d9fee	215	struct arpt_standard {
3c2ad469	216	struct arpt_entry entry;
87a2e70d	217	struct xt_standard_target target;
3c2ad469 PM	218	};
3c2ad469 PM	219
d94d9fee	220	struct arpt_error {
3c2ad469	221	struct arpt_entry entry;
75f0a0fd	222	struct xt_error_target target;
3c2ad469 PM	223	};
	224
	225	#define ARPT_ENTRY_INIT(__size) \
	226	{ \
	227	.target_offset = sizeof(struct arpt_entry), \
	228	.next_offset = (__size), \
	229	}
	230
	231	#define ARPT_STANDARD_INIT(__verdict) \
	232	{ \
	233	.entry = ARPT_ENTRY_INIT(sizeof(struct arpt_standard)), \
243bf6e2	234	.target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
87a2e70d	235	sizeof(struct xt_standard_target)), \
3c2ad469 PM	236	.target.verdict = -(__verdict) - 1, \
	237	}
	238
	239	#define ARPT_ERROR_INIT \
	240	{ \
	241	.entry = ARPT_ENTRY_INIT(sizeof(struct arpt_error)), \
243bf6e2	242	.target = XT_TARGET_INIT(XT_ERROR_TARGET, \
75f0a0fd	243	sizeof(struct xt_error_target)), \
3c2ad469 PM	244	.target.errorname = "ERROR", \
	245	}
	246
e3eaa991	247	extern void arpt_alloc_initial_table(const struct xt_table );
4abff077	248	extern struct xt_table arpt_register_table(struct net net,
35aad0ff	249	const struct xt_table *table,
4abff077 JE	250	const struct arpt_replace *repl);
4abff077 JE	251	extern void arpt_unregister_table(struct xt_table *table);
3db05fea	252	extern unsigned int arpt_do_table(struct sk_buff *skb,
1da177e4 LT	253	unsigned int hook,
	254	const struct net_device *in,
	255	const struct net_device *out,
4abff077	256	struct xt_table *table);
1da177e4	257
d6a2ba07 PM	258	#ifdef CONFIG_COMPAT
	259	#include <net/compat.h>
	260
d94d9fee	261	struct compat_arpt_entry {
d6a2ba07	262	struct arpt_arp arp;
7ff30c43 BH	263	__u16 target_offset;
7ff30c43 BH	264	__u16 next_offset;
d6a2ba07 PM	265	compat_uint_t comefrom;
	266	struct compat_xt_counters counters;
	267	unsigned char elems[0];
	268	};
	269
87a2e70d	270	static inline struct xt_entry_target *
d6a2ba07 PM	271	compat_arpt_get_target(struct compat_arpt_entry *e)
	272	{
	273	return (void *)e + e->target_offset;
	274	}
	275
d6a2ba07	276	#endif /* CONFIG_COMPAT */
1da177e4 LT	277	#endif /__KERNEL__/
1da177e4 LT	278	#endif /* _ARPTABLES_H */