net/bridge/netfilter/ebt_arp.c

   1 /*
   2  *  ebt_arp
   3  *
   4  *      Authors:
   5  *      Bart De Schuymer <bdschuym@pandora.be>
   6  *      Tim Gardner <timg@tpi.com>
   7  *
   8  *  April, 2002
   9  *
  10  */
  11 #include <linux/if_arp.h>
  12 #include <linux/if_ether.h>
  13 #include <linux/module.h>
  14 #include <linux/netfilter/x_tables.h>
  15 #include <linux/netfilter_bridge/ebtables.h>
  16 #include <linux/netfilter_bridge/ebt_arp.h>
  17
  18 static bool
  19 ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  20 {
  21         const struct ebt_arp_info *info = par->matchinfo;
  22         const struct arphdr *ah;
  23         struct arphdr _arph;
  24
  25         ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
  26         if (ah == NULL)
  27                 return false;
  28         if ((info->bitmask & EBT_ARP_OPCODE) &&
  29             NF_INVF(info, EBT_ARP_OPCODE, info->opcode != ah->ar_op))
  30                 return false;
  31         if ((info->bitmask & EBT_ARP_HTYPE) &&
  32             NF_INVF(info, EBT_ARP_HTYPE, info->htype != ah->ar_hrd))
  33                 return false;
  34         if ((info->bitmask & EBT_ARP_PTYPE) &&
  35             NF_INVF(info, EBT_ARP_PTYPE, info->ptype != ah->ar_pro))
  36                 return false;
  37
  38         if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) {
  39                 const __be32 *sap, *dap;
  40                 __be32 saddr, daddr;
  41
  42                 if (ah->ar_pln != sizeof(__be32) || ah->ar_pro != htons(ETH_P_IP))
  43                         return false;
  44                 sap = skb_header_pointer(skb, sizeof(struct arphdr) +
  45                                         ah->ar_hln, sizeof(saddr),
  46                                         &saddr);
  47                 if (sap == NULL)
  48                         return false;
  49                 dap = skb_header_pointer(skb, sizeof(struct arphdr) +
  50                                         2*ah->ar_hln+sizeof(saddr),
  51                                         sizeof(daddr), &daddr);
  52                 if (dap == NULL)
  53                         return false;
  54                 if ((info->bitmask & EBT_ARP_SRC_IP) &&
  55                     NF_INVF(info, EBT_ARP_SRC_IP,
  56                             info->saddr != (*sap & info->smsk)))
  57                         return false;
  58                 if ((info->bitmask & EBT_ARP_DST_IP) &&
  59                     NF_INVF(info, EBT_ARP_DST_IP,
  60                             info->daddr != (*dap & info->dmsk)))
  61                         return false;
  62                 if ((info->bitmask & EBT_ARP_GRAT) &&
  63                     NF_INVF(info, EBT_ARP_GRAT, *dap != *sap))
  64                         return false;
  65         }
  66
  67         if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) {
  68                 const unsigned char *mp;
  69                 unsigned char _mac[ETH_ALEN];
  70
  71                 if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER))
  72                         return false;
  73                 if (info->bitmask & EBT_ARP_SRC_MAC) {
  74                         mp = skb_header_pointer(skb, sizeof(struct arphdr),
  75                                                 sizeof(_mac), &_mac);
  76                         if (mp == NULL)
  77                                 return false;
  78                         if (NF_INVF(info, EBT_ARP_SRC_MAC,
  79                                     !ether_addr_equal_masked(mp, info->smaddr,
  80                                                              info->smmsk)))
  81                                 return false;
  82                 }
  83
  84                 if (info->bitmask & EBT_ARP_DST_MAC) {
  85                         mp = skb_header_pointer(skb, sizeof(struct arphdr) +
  86                                                 ah->ar_hln + ah->ar_pln,
  87                                                 sizeof(_mac), &_mac);
  88                         if (mp == NULL)
  89                                 return false;
  90                         if (NF_INVF(info, EBT_ARP_DST_MAC,
  91                                     !ether_addr_equal_masked(mp, info->dmaddr,
  92                                                              info->dmmsk)))
  93                                 return false;
  94                 }
  95         }
  96
  97         return true;
  98 }
  99
 100 static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
 101 {
 102         const struct ebt_arp_info *info = par->matchinfo;
 103         const struct ebt_entry *e = par->entryinfo;
 104
 105         if ((e->ethproto != htons(ETH_P_ARP) &&
 106            e->ethproto != htons(ETH_P_RARP)) ||
 107            e->invflags & EBT_IPROTO)
 108                 return -EINVAL;
 109         if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
 110                 return -EINVAL;
 111         return 0;
 112 }
 113
 114 static struct xt_match ebt_arp_mt_reg __read_mostly = {
 115         .name           = "arp",
 116         .revision       = 0,
 117         .family         = NFPROTO_BRIDGE,
 118         .match          = ebt_arp_mt,
 119         .checkentry     = ebt_arp_mt_check,
 120         .matchsize      = sizeof(struct ebt_arp_info),
 121         .me             = THIS_MODULE,
 122 };
 123
 124 static int __init ebt_arp_init(void)
 125 {
 126         return xt_register_match(&ebt_arp_mt_reg);
 127 }
 128
 129 static void __exit ebt_arp_fini(void)
 130 {
 131         xt_unregister_match(&ebt_arp_mt_reg);
 132 }
 133
 134 module_init(ebt_arp_init);
 135 module_exit(ebt_arp_fini);
 136 MODULE_DESCRIPTION("Ebtables: ARP protocol packet match");
 137 MODULE_LICENSE("GPL");