/*
 * Format of an ARP firewall descriptor
 *
 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
 * network byte order.
 * flags are stored in host byte order (of course).
 *
 * Everything below struct arpt_arp describes data that crosses the
 * user/kernel boundary through the ARPT_SO_* socket options, so the
 * layouts here are ABI: do not reorder or resize fields.
 */

#ifndef _ARPTABLES_H
#define _ARPTABLES_H

/* Kernel-only dependencies; the headers after the #endif are shared
 * with userspace builds of this file. */
#ifdef __KERNEL__
#include <linux/if.h>
#include <linux/in.h>
#include <linux/if_arp.h>
#include <linux/skbuff.h>
#endif
#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/netfilter_arp.h>

#include <linux/netfilter/x_tables.h>

/*
 * Userspace compatibility aliases.
 *
 * The arptables-specific names map onto the generic x_tables
 * definitions; they are kept so that existing userspace keeps
 * compiling. The kernel side of this file uses the xt_ names directly
 * (see struct arpt_entry and arpt_get_target below), so the aliases
 * are only defined for !__KERNEL__.
 */
#ifndef __KERNEL__
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_entry_target xt_entry_target
#define arpt_standard_target xt_standard_target
#define arpt_error_target xt_error_target
#define ARPT_CONTINUE XT_CONTINUE
#define ARPT_RETURN XT_RETURN
#define arpt_counters_info xt_counters_info
#define arpt_counters xt_counters
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
/* Walk every entry in a size-bytes blob of struct arpt_entry, calling
 * fn(entry, args...) on each; a thin wrapper over XT_ENTRY_ITERATE. */
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
#endif
39 | |
/* Upper bound on a hardware (link-layer) address, in bytes. */
#define ARPT_DEV_ADDR_LEN_MAX 16

/*
 * A hardware address together with the mask selecting which of its bits
 * a rule compares. Both arrays are fixed-size; the number of meaningful
 * bytes is the arhln field of struct arpt_arp (presumably only those are
 * compared -- the matching code is not in this header).
 */
struct arpt_devaddr_info {
	char addr[ARPT_DEV_ADDR_LEN_MAX];
	char mask[ARPT_DEV_ADDR_LEN_MAX];
};
46 | ||
/*
 * The ARP-header part of a rule: the values to match and a mask for
 * each of them.
 *
 * This struct reaches the kernel from userspace as the leading member of
 * struct arpt_entry (via ARPT_SO_SET_REPLACE), and the kernel receives it
 * whole, padding included. So -- yes, Virginia -- you have to zero the
 * padding.
 *
 * Address and protocol fields are network byte order (see the top of
 * this file); flags and invflags are host byte order.
 */
struct arpt_arp {
	/* Source and target IP addr */
	struct in_addr src, tgt;
	/* Mask for src and target IP addr */
	struct in_addr smsk, tmsk;

	/* Device hw address length, src+target device addresses */
	__u8 arhln, arhln_mask;
	struct arpt_devaddr_info src_devaddr;
	struct arpt_devaddr_info tgt_devaddr;

	/* ARP operation code. */
	__be16 arpop, arpop_mask;

	/* ARP hardware address and protocol address format. */
	__be16 arhrd, arhrd_mask;
	__be16 arpro, arpro_mask;

	/* The protocol address length is only accepted if it is 4
	 * so there is no use in offering a way to do filtering on it.
	 */

	/* Incoming and outgoing interface names, with per-character masks
	 * saying which positions of the name must match. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Flags word: ARPT_F_* bits (none defined yet, see ARPT_F_MASK) */
	__u8 flags;
	/* Inverse flags: ARPT_INV_* bits, each negating one of the
	 * comparisons above */
	__u16 invflags;
};
78 | ||
/* Values for the "flags" field in struct arpt_arp (general arp structure).
 * No flags defined yet.
 */
#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */

/* Values for the "invflags" field in struct arpt_arp.
 * Setting a bit inverts the sense of the corresponding comparison, i.e.
 * the rule then requires that field NOT to match. Anything outside
 * ARPT_INV_MASK is not a defined flag and should be rejected when a rule
 * is checked (the checking code is not in this header). */
#define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
#define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
#define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
#define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
#define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
#define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
#define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
#define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */
96 | ||
/* This structure defines each of the firewall rules. Consists of 3
   parts which are 1) general ARP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches.

   Parts 2 and 3 are variable-length and live in elems[]; target_offset
   and next_offset say where they are. Both offsets come from userspace
   (an arpt_entry is what struct arpt_replace carries) and are not
   validated here: the table-replacement code must check them against
   the entry and blob sizes before helpers such as arpt_get_target()
   below turn them into pointers. */
struct arpt_entry
{
	struct arpt_arp arp;

	/* Size of arpt_entry + matches */
	__u16 target_offset;
	/* Size of arpt_entry + matches + target */
	__u16 next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. Zero-length array: the
	 * data follows the struct in the same allocation. */
	unsigned char elems[0];
};
118 | ||
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * ATTENTION: check linux/in.h before adding new number here.
 */
#define ARPT_BASE_CTL		96

/* setsockopt numbers: replace a whole table, or add to the counters of
 * the current one. The SET and GET ranges both start at ARPT_BASE_CTL;
 * they are told apart only by which of setsockopt/getsockopt is used. */
#define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
#define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
#define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS

/* getsockopt numbers: table info, the entries themselves, and target
 * revision queries. */
#define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
/* ARPT_BASE_CTL + 2 is reserved for ARPT_SO_GET_REVISION_MATCH, which is
 * deliberately not defined. */
#define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)
1da177e4 | 137 | |
/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo {
	/* Which table: caller fills this in. Untrusted input -- the kernel
	 * side should not assume it is NUL-terminated. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook (presumably byte
	 * offsets into the entry blob; see struct arpt_replace). */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};
159 | ||
/* The argument to ARPT_SO_SET_REPLACE.
 *
 * Every field is user-supplied. num_entries, size, hook_entry[],
 * underflow[] and the offsets inside each entry must all be validated
 * against each other by the kernel before the new table is accepted;
 * none of that validation lives in this header. */
struct arpt_replace {
	/* Which table. Untrusted; do not assume NUL-termination. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask. You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters. A userspace pointer (__user): the
	 * kernel may only touch it through the copy-to/from-user helpers,
	 * and num_counters is what bounds the write. */
	struct xt_counters __user *counters;

	/* The entries (hang off end: not really an array). */
	struct arpt_entry entries[0];
};
190 | ||
/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries {
	/* Which table: user fills this in. Untrusted; do not assume
	 * NUL-termination. */
	char name[XT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. Presumably this has to
	 * agree with the size reported by ARPT_SO_GET_INFO, since it is
	 * what bounds the copy-out into entrytable[]. */
	unsigned int size;

	/* The entries. Zero-length array: the kernel writes the entry
	 * blob directly after the struct. */
	struct arpt_entry entrytable[0];
};
202 | ||
/* Helper functions */
/*
 * Locate the target that follows the matches inside an entry.
 *
 * The target sits target_offset bytes from the start of the entry (see
 * struct arpt_entry). No bounds check is done here: target_offset
 * originates in userspace (struct arpt_replace), so callers rely on the
 * entry having been validated before this helper is used.
 */
static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct xt_entry_target *)(base + e->target_offset);
}
208 | ||
209 | /* |
210 | * Main firewall chains definitions and global var's definitions. | |
211 | */ | |
212 | #ifdef __KERNEL__ | |
213 | ||
/* Standard entry: an entry carrying no matches whose target is the
 * x_tables standard (verdict) target. ARPT_STANDARD_INIT below builds
 * one; the layout is what its sizeof() feeds into next_offset. */
struct arpt_standard {
	struct arpt_entry entry;
	struct xt_standard_target target;
};
219 | ||
/* Error entry: an entry with no matches whose target is the x_tables
 * error target. ARPT_ERROR_INIT below builds one. */
struct arpt_error {
	struct arpt_entry entry;
	struct xt_error_target target;
};
224 | ||
/* Initialiser for the fixed part of an entry that carries no matches:
 * the target starts right after struct arpt_entry and the whole entry is
 * __size bytes. All other members (arp, comefrom, counters) stay zero. */
#define ARPT_ENTRY_INIT(__size)						\
{									\
	.target_offset	= sizeof(struct arpt_entry),			\
	.next_offset	= (__size),					\
}

/* A complete struct arpt_standard that returns __verdict. The verdict is
 * stored as -(__verdict) - 1, the encoding the x_tables standard target
 * expects for a verdict (as opposed to a jump). */
#define ARPT_STANDARD_INIT(__verdict)					\
{									\
	.entry		= ARPT_ENTRY_INIT(sizeof(struct arpt_standard)),	\
	.target		= XT_TARGET_INIT(XT_STANDARD_TARGET,		\
					 sizeof(struct xt_standard_target)), \
	.target.verdict	= -(__verdict) - 1,				\
}

/* A complete struct arpt_error whose target is named "ERROR". */
#define ARPT_ERROR_INIT							\
{									\
	.entry		= ARPT_ENTRY_INIT(sizeof(struct arpt_error)),	\
	.target		= XT_TARGET_INIT(XT_ERROR_TARGET,		\
					 sizeof(struct xt_error_target)),	\
	.target.errorname = "ERROR",					\
}
246 | ||
/* Kernel-side table API; all of these are implemented outside this
 * header, so the notes below describe only what the prototypes show. */

/* Build the initial entry blob for @table. Ownership of the returned
 * memory is not documented here -- check the definition before freeing. */
extern void *arpt_alloc_initial_table(const struct xt_table *);
/* Register @table in network namespace @net with the rules in @repl. */
extern struct xt_table *arpt_register_table(struct net *net,
					    const struct xt_table *table,
					    const struct arpt_replace *repl);
extern void arpt_unregister_table(struct xt_table *table);
/* Run @skb through @table at netfilter hook @hook, with @in/@out the
 * interfaces the packet arrived on / leaves by; presumably returns a
 * netfilter verdict. */
extern unsigned int arpt_do_table(struct sk_buff *skb,
				  unsigned int hook,
				  const struct net_device *in,
				  const struct net_device *out,
				  struct xt_table *table);
1da177e4 | 257 | |
258 | #ifdef CONFIG_COMPAT |
259 | #include <net/compat.h> | |
260 | ||
/* struct arpt_entry as laid out by 32-bit userspace on a 64-bit kernel
 * (CONFIG_COMPAT): same fields, but comefrom and counters use their
 * compat types so the offsets match a 32-bit build. The matches and
 * target still follow in elems[], and target_offset/next_offset are
 * still user-supplied and unvalidated at this point. */
struct compat_arpt_entry {
	struct arpt_arp arp;
	__u16 target_offset;
	__u16 next_offset;
	compat_uint_t comefrom;
	struct compat_xt_counters counters;
	unsigned char elems[0];
};
269 | ||
/*
 * Compat counterpart of arpt_get_target(): locate the target inside a
 * 32-bit-layout entry. As there, target_offset comes from userspace and
 * is not range-checked here; the entry must have been validated first.
 */
static inline struct xt_entry_target *
compat_arpt_get_target(struct compat_arpt_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct xt_entry_target *)(base + e->target_offset);
}
275 | ||
d6a2ba07 | 276 | #endif /* CONFIG_COMPAT */ |
277 | #endif /*__KERNEL__*/ |
278 | #endif /* _ARPTABLES_H */ |