      1 /*
      2  * 	Format of an ARP firewall descriptor
      3  *
      4  * 	src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
      5  *	network byte order.
      6  * 	flags are stored in host byte order (of course).
      7  */
      8 
      9 #ifndef _UAPI_ARPTABLES_H
     10 #define _UAPI_ARPTABLES_H
     11 
     12 #include <linux/types.h>
     13 #include <linux/compiler.h>
     14 #include <linux/if.h>
     15 #include <linux/netfilter_arp.h>
     16 
     17 #include <linux/netfilter/x_tables.h>
     18 
#ifndef __KERNEL__
/*
 * Userspace-only aliases (defined when __KERNEL__ is not set): the
 * arptables-specific names map directly onto their generic x_tables
 * equivalents from <linux/netfilter/x_tables.h>, so the two naming
 * schemes describe the same objects and values.
 */
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_entry_target xt_entry_target
#define arpt_standard_target xt_standard_target
#define arpt_error_target xt_error_target
#define ARPT_CONTINUE XT_CONTINUE
#define ARPT_RETURN XT_RETURN
#define arpt_counters_info xt_counters_info
#define arpt_counters xt_counters
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
/* Walk a buffer of struct arpt_entry rules; "args..." / "## args" is the
 * GNU named-variadic-macro form, not ISO C. */
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
#endif
     34 
/* Size of the hardware-address and mask buffers in struct arpt_devaddr_info.
 * This is part of the user/kernel ABI, so it cannot change without breaking
 * the layout of every rule structure below. */
#define ARPT_DEV_ADDR_LEN_MAX 16
     36 
/* A device (hardware) address together with the mask that selects which of
 * its bytes take part in a match.  Both buffers are fixed-size; the number
 * of meaningful bytes is given separately by arhln in struct arpt_arp. */
struct arpt_devaddr_info {
	char addr[ARPT_DEV_ADDR_LEN_MAX];
	char mask[ARPT_DEV_ADDR_LEN_MAX];
};
     41 
/* Yes, Virginia, you have to zero the padding.
 *
 * The ARP-header part of a rule: every field below is a value/mask pair
 * that is compared against the packet being filtered.  Per the file header,
 * src, tgt, the IP masks, arpop and arpop_mask are stored in network byte
 * order, while flags/invflags are in host byte order.  Any padding bytes in
 * this structure must be zeroed by userspace (presumably because the kernel
 * may compare or copy the structure as a whole — confirm against the kernel
 * side before relying on it).
 */
struct arpt_arp {
	/* Source and target IP addr */
	struct in_addr src, tgt;
	/* Mask for src and target IP addr */
	struct in_addr smsk, tmsk;

	/* Device hw address length, src+target device addresses.
	 * arhln bounds how many of the ARPT_DEV_ADDR_LEN_MAX bytes in the
	 * devaddr buffers are meaningful. */
	__u8 arhln, arhln_mask;
	struct arpt_devaddr_info src_devaddr;
	struct arpt_devaddr_info tgt_devaddr;

	/* ARP operation code (big-endian on the wire and here). */
	__be16 arpop, arpop_mask;

	/* ARP hardware address and protocol address format. */
	__be16 arhrd, arhrd_mask;
	__be16 arpro, arpro_mask;

	/* The protocol address length is only accepted if it is 4
	 * so there is no use in offering a way to do filtering on it.
	 */

	/* Interface names and their byte masks; all four buffers are IFNAMSIZ
	 * bytes, so a name must fit with its terminator inside that size. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Flags word (see ARPT_F_MASK; no flag bits are defined yet). */
	__u8 flags;
	/* Inverse flags: ARPT_INV_* bits, each inverting one match above. */
	__u16 invflags;
};
     73 
/* Values for the "flags" field in struct arpt_arp (general ARP structure).
 * No flags defined yet.
 */
#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */

/* Values for the "invflags" field in struct arpt_arp.  Each bit inverts the
 * sense of one match; ARPT_INV_MASK is the union of every bit defined here
 * (0x0001 .. 0x0200), so a value with bits outside it names no defined match.
 */
#define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
#define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
#define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
#define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
#define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
#define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
#define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
#define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */
     91 
/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general ARP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches.

   A rule is a variable-length image: this fixed header, then the matches,
   then the target, all in one buffer.  The two offsets below locate the
   later parts.  Rule images reach the kernel from userspace through
   ARPT_SO_SET_REPLACE (struct arpt_replace), so target_offset and
   next_offset are untrusted input: whoever consumes a rule image must check
   them against the enclosing buffer size (and against each other) before
   doing pointer arithmetic with them — arpt_get_target() below performs no
   such check itself. */
struct arpt_entry
{
	struct arpt_arp arp;

	/* Size of arpt_entry + matches, i.e. the byte offset of the target
	 * from the start of this structure. */
	__u16 target_offset;
	/* Size of arpt_entry + matches + target, i.e. the byte offset of the
	 * next rule from the start of this one. */
	__u16 next_offset;

	/* Back pointer; this header does not define how it is used. */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target.  Zero-length array (GNU
	 * extension) standing in for the data that follows the header. */
	unsigned char elems[0];
};
    113 
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * ATTENTION: check linux/in.h before adding new number here.
 *
 * The SET and GET option numbers both start at ARPT_BASE_CTL: they are
 * separate namespaces, one for setsockopt() and one for getsockopt().
 * ARPT_SO_GET_MAX / ARPT_SO_SET_MAX are the highest number in each.
 */
#define ARPT_BASE_CTL		96

#define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
#define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
#define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS

#define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
/* The "+ 2" slot is intentionally left unused (see the retired definition
 * below); do not reuse it for a different option. */
/* #define ARPT_SO_GET_REVISION_MATCH	(APRT_BASE_CTL + 2) */
#define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)
    132 
/* The argument to ARPT_SO_GET_INFO: userspace names a table, the kernel
 * fills in everything else.  Field order is ABI and must not change. */
struct arpt_getinfo {
	/* Which table: caller fills this in (XT_TABLE_MAXNAMELEN-byte buffer). */
	char name[XT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook (byte offsets into the
	 * table's rule blob, one slot per NF_ARP_* hook). */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries: total byte size of the rule blob, which is what a
	 * caller should allocate before issuing ARPT_SO_GET_ENTRIES. */
	unsigned int size;
};
    154 
/* The argument to ARPT_SO_SET_REPLACE: a complete new rule set for one
 * table, followed in the same buffer by `size` bytes of struct arpt_entry
 * images.  Everything here arrives from userspace and is untrusted; note
 * that the field order deliberately differs from struct arpt_getinfo and
 * is part of the ABI. */
struct arpt_replace {
	/* Which table. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
	 * change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries: the byte length of the rule blob that
	 * follows this header.  Every offset inside the blob must stay within
	 * this size. */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters.  __user marks this as a pointer into the
	 * caller's address space: the kernel must never dereference it
	 * directly, only copy through it with the user-access helpers, and
	 * num_counters bounds how much may be written there. */
	struct xt_counters __user *counters;

	/* The entries (hang off end: not really an array). */
	struct arpt_entry entries[0];
};
    185 
/* The argument to ARPT_SO_GET_ENTRIES: the caller names a table and says
 * how large the buffer following this header is; the rule images are
 * returned into that buffer.  Field order is ABI. */
struct arpt_get_entries {
	/* Which table: user fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size, i.e. the byte length of the
	 * buffer behind this header (see struct arpt_getinfo.size). */
	unsigned int size;

	/* The entries.  Zero-length array (GNU extension) for the rule images
	 * that follow in the same buffer. */
	struct arpt_entry entrytable[0];
};
    197 
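/* Helper functions */

/*
 * arpt_get_target - locate the target that follows a rule's matches
 * @e: a rule image (struct arpt_entry followed by its matches and target)
 *
 * Returns a pointer to the xt_entry_target that lies e->target_offset bytes
 * past the start of @e.
 *
 * No validation is performed here: target_offset is part of the rule image
 * that userspace supplies through ARPT_SO_SET_REPLACE, so a caller must
 * already have checked it against the rule's next_offset and the enclosing
 * buffer size before trusting the returned pointer.
 *
 * The offset is applied through an unsigned char pointer rather than via
 * "(void *)e + offset": arithmetic on void * is a GNU extension, not ISO C,
 * and this header is exported to arbitrary userspace compilers.  The
 * resulting address is identical.
 */
static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
{
	return (struct xt_entry_target *)((unsigned char *)e + e->target_offset);
}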
    203 
    204 /*
    205  *	Main firewall chains definitions and global var's definitions.
    206  */
    207 #endif /* _UAPI_ARPTABLES_H */
    208