1 /* 2 * Format of an ARP firewall descriptor 3 * 4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in 5 * network byte order. 6 * flags are stored in host byte order (of course). 7 */ 8 9 #ifndef _ARPTABLES_H 10 #define _ARPTABLES_H 11 12 #include <linux/netfilter_arp.h> 13 14 #include <linux/netfilter/x_tables.h> 15 16 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 17 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 18 #define arpt_target xt_target 19 #define arpt_table xt_table 20 21 #define ARPT_DEV_ADDR_LEN_MAX 16 22 23 struct arpt_devaddr_info { 24 char addr[ARPT_DEV_ADDR_LEN_MAX]; 25 char mask[ARPT_DEV_ADDR_LEN_MAX]; 26 }; 27 28 /* Yes, Virginia, you have to zero the padding. */ 29 struct arpt_arp { 30 /* Source and target IP addr */ 31 struct in_addr src, tgt; 32 /* Mask for src and target IP addr */ 33 struct in_addr smsk, tmsk; 34 35 /* Device hw address length, src+target device addresses */ 36 u_int8_t arhln, arhln_mask; 37 struct arpt_devaddr_info src_devaddr; 38 struct arpt_devaddr_info tgt_devaddr; 39 40 /* ARP operation code. */ 41 __be16 arpop, arpop_mask; 42 43 /* ARP hardware address and protocol address format. */ 44 __be16 arhrd, arhrd_mask; 45 __be16 arpro, arpro_mask; 46 47 /* The protocol address length is only accepted if it is 4 48 * so there is no use in offering a way to do filtering on it. 49 */ 50 51 char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 52 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 53 54 /* Flags word */ 55 u_int8_t flags; 56 /* Inverse flags */ 57 u_int16_t invflags; 58 }; 59 60 #define arpt_entry_target xt_entry_target 61 #define arpt_standard_target xt_standard_target 62 63 /* Values for "flag" field in struct arpt_ip (general arp structure). 64 * No flags defined yet. 65 */ 66 #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ 67 68 /* Values for "inv" field in struct arpt_arp. */ 69 #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ 70 #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ 71 #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ 72 #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ 73 #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ 74 #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ 75 #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ 76 #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ 77 #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ 78 #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ 79 #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ 80 81 /* This structure defines each of the firewall rules. Consists of 3 82 parts which are 1) general ARP header stuff 2) match specific 83 stuff 3) the target to perform if the rule matches */ 84 struct arpt_entry 85 { 86 struct arpt_arp arp; 87 88 /* Size of arpt_entry + matches */ 89 u_int16_t target_offset; 90 /* Size of arpt_entry + matches + target */ 91 u_int16_t next_offset; 92 93 /* Back pointer */ 94 unsigned int comefrom; 95 96 /* Packet and byte counters. */ 97 struct xt_counters counters; 98 99 /* The matches (if any), then the target. */ 100 unsigned char elems[0]; 101 }; 102 103 /* 104 * New IP firewall options for [gs]etsockopt at the RAW IP level. 105 * Unlike BSD Linux inherits IP options so you don't have to use a raw 106 * socket for this. Instead we check rights in the calls. 107 * 108 * ATTENTION: check linux/in.h before adding new number here. 109 */ 110 #define ARPT_BASE_CTL 96 111 112 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) 113 #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) 114 #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS 115 116 #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) 117 #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) 118 /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ 119 #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) 120 #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) 121 122 /* CONTINUE verdict for targets */ 123 #define ARPT_CONTINUE XT_CONTINUE 124 125 /* For standard target */ 126 #define ARPT_RETURN XT_RETURN 127 128 /* The argument to ARPT_SO_GET_INFO */ 129 struct arpt_getinfo 130 { 131 /* Which table: caller fills this in. */ 132 char name[ARPT_TABLE_MAXNAMELEN]; 133 134 /* Kernel fills these in. */ 135 /* Which hook entry points are valid: bitmask */ 136 unsigned int valid_hooks; 137 138 /* Hook entry points: one per netfilter hook. */ 139 unsigned int hook_entry[NF_ARP_NUMHOOKS]; 140 141 /* Underflow points. */ 142 unsigned int underflow[NF_ARP_NUMHOOKS]; 143 144 /* Number of entries */ 145 unsigned int num_entries; 146 147 /* Size of entries. */ 148 unsigned int size; 149 }; 150 151 /* The argument to ARPT_SO_SET_REPLACE. */ 152 struct arpt_replace 153 { 154 /* Which table. */ 155 char name[ARPT_TABLE_MAXNAMELEN]; 156 157 /* Which hook entry points are valid: bitmask. You can't 158 change this. */ 159 unsigned int valid_hooks; 160 161 /* Number of entries */ 162 unsigned int num_entries; 163 164 /* Total size of new entries */ 165 unsigned int size; 166 167 /* Hook entry points. */ 168 unsigned int hook_entry[NF_ARP_NUMHOOKS]; 169 170 /* Underflow points. */ 171 unsigned int underflow[NF_ARP_NUMHOOKS]; 172 173 /* Information about old entries: */ 174 /* Number of counters (must be equal to current number of entries). */ 175 unsigned int num_counters; 176 /* The old entries' counters. */ 177 struct xt_counters *counters; 178 179 /* The entries (hang off end: not really an array). */ 180 struct arpt_entry entries[0]; 181 }; 182 183 /* The argument to ARPT_SO_ADD_COUNTERS. */ 184 #define arpt_counters_info xt_counters_info 185 #define arpt_counters xt_counters 186 187 /* The argument to ARPT_SO_GET_ENTRIES. */ 188 struct arpt_get_entries 189 { 190 /* Which table: user fills this in. */ 191 char name[ARPT_TABLE_MAXNAMELEN]; 192 193 /* User fills this in: total entry size. */ 194 unsigned int size; 195 196 /* The entries. */ 197 struct arpt_entry entrytable[0]; 198 }; 199 200 /* Standard return verdict, or do jump. */ 201 #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET 202 /* Error verdict. */ 203 #define ARPT_ERROR_TARGET XT_ERROR_TARGET 204 205 /* Helper functions */ 206 static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) 207 { 208 return (void *)e + e->target_offset; 209 } 210 211 /* fn returns 0 to continue iteration */ 212 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ 213 ({ \ 214 unsigned int __i; \ 215 int __ret = 0; \ 216 struct arpt_entry *__entry; \ 217 \ 218 for (__i = 0; __i < (size); __i += __entry->next_offset) { \ 219 __entry = (void *)(entries) + __i; \ 220 \ 221 __ret = fn(__entry , ## args); \ 222 if (__ret != 0) \ 223 break; \ 224 } \ 225 __ret; \ 226 }) 227 228 /* 229 * Main firewall chains definitions and global var's definitions. 230 */ 231 #endif /* _ARPTABLES_H */ 232