1 |
13 |
serginhofr |
/*
|
2 |
|
|
* Format of an ARP firewall descriptor
|
3 |
|
|
*
|
4 |
|
|
* src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
|
5 |
|
|
* network byte order.
|
6 |
|
|
* flags are stored in host byte order (of course).
|
7 |
|
|
*/
|
8 |
|
|
|
9 |
|
|
#ifndef _ARPTABLES_H
|
10 |
|
|
#define _ARPTABLES_H
|
11 |
|
|
|
12 |
|
|
#include <linux/types.h>
|
13 |
|
|
|
14 |
|
|
#include <linux/netfilter_arp.h>
|
15 |
|
|
|
16 |
|
|
#include <linux/netfilter/x_tables.h>
|
17 |
|
|
|
18 |
|
|
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
|
19 |
|
|
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
|
20 |
|
|
#define arpt_entry_target xt_entry_target
|
21 |
|
|
#define arpt_standard_target xt_standard_target
|
22 |
|
|
#define arpt_error_target xt_error_target
|
23 |
|
|
#define ARPT_CONTINUE XT_CONTINUE
|
24 |
|
|
#define ARPT_RETURN XT_RETURN
|
25 |
|
|
#define arpt_counters_info xt_counters_info
|
26 |
|
|
#define arpt_counters xt_counters
|
27 |
|
|
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
|
28 |
|
|
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
|
29 |
|
|
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
|
30 |
|
|
XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
|
31 |
|
|
|
32 |
|
|
#define ARPT_DEV_ADDR_LEN_MAX 16
|
33 |
|
|
|
34 |
|
|
struct arpt_devaddr_info {
|
35 |
|
|
char addr[ARPT_DEV_ADDR_LEN_MAX];
|
36 |
|
|
char mask[ARPT_DEV_ADDR_LEN_MAX];
|
37 |
|
|
};
|
38 |
|
|
|
39 |
|
|
/* Yes, Virginia, you have to zero the padding. */
|
40 |
|
|
struct arpt_arp {
|
41 |
|
|
/* Source and target IP addr */
|
42 |
|
|
struct in_addr src, tgt;
|
43 |
|
|
/* Mask for src and target IP addr */
|
44 |
|
|
struct in_addr smsk, tmsk;
|
45 |
|
|
|
46 |
|
|
/* Device hw address length, src+target device addresses */
|
47 |
|
|
__u8 arhln, arhln_mask;
|
48 |
|
|
struct arpt_devaddr_info src_devaddr;
|
49 |
|
|
struct arpt_devaddr_info tgt_devaddr;
|
50 |
|
|
|
51 |
|
|
/* ARP operation code. */
|
52 |
|
|
__be16 arpop, arpop_mask;
|
53 |
|
|
|
54 |
|
|
/* ARP hardware address and protocol address format. */
|
55 |
|
|
__be16 arhrd, arhrd_mask;
|
56 |
|
|
__be16 arpro, arpro_mask;
|
57 |
|
|
|
58 |
|
|
/* The protocol address length is only accepted if it is 4
|
59 |
|
|
* so there is no use in offering a way to do filtering on it.
|
60 |
|
|
*/
|
61 |
|
|
|
62 |
|
|
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
|
63 |
|
|
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
|
64 |
|
|
|
65 |
|
|
/* Flags word */
|
66 |
|
|
__u8 flags;
|
67 |
|
|
/* Inverse flags */
|
68 |
|
|
__u16 invflags;
|
69 |
|
|
};
|
70 |
|
|
|
71 |
|
|
/* Values for "flag" field in struct arpt_ip (general arp structure).
|
72 |
|
|
* No flags defined yet.
|
73 |
|
|
*/
|
74 |
|
|
#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
|
75 |
|
|
|
76 |
|
|
/* Values for "inv" field in struct arpt_arp. */
|
77 |
|
|
#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
|
78 |
|
|
#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
|
79 |
|
|
#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
|
80 |
|
|
#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
|
81 |
|
|
#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
|
82 |
|
|
#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
|
83 |
|
|
#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
|
84 |
|
|
#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
|
85 |
|
|
#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
|
86 |
|
|
#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
|
87 |
|
|
#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
|
88 |
|
|
|
89 |
|
|
/* This structure defines each of the firewall rules. Consists of 3
|
90 |
|
|
parts which are 1) general ARP header stuff 2) match specific
|
91 |
|
|
stuff 3) the target to perform if the rule matches */
|
92 |
|
|
struct arpt_entry
|
93 |
|
|
{
|
94 |
|
|
struct arpt_arp arp;
|
95 |
|
|
|
96 |
|
|
/* Size of arpt_entry + matches */
|
97 |
|
|
__u16 target_offset;
|
98 |
|
|
/* Size of arpt_entry + matches + target */
|
99 |
|
|
__u16 next_offset;
|
100 |
|
|
|
101 |
|
|
/* Back pointer */
|
102 |
|
|
unsigned int comefrom;
|
103 |
|
|
|
104 |
|
|
/* Packet and byte counters. */
|
105 |
|
|
struct xt_counters counters;
|
106 |
|
|
|
107 |
|
|
/* The matches (if any), then the target. */
|
108 |
|
|
unsigned char elems[0];
|
109 |
|
|
};
|
110 |
|
|
|
111 |
|
|
/*
|
112 |
|
|
* New IP firewall options for [gs]etsockopt at the RAW IP level.
|
113 |
|
|
* Unlike BSD Linux inherits IP options so you don't have to use a raw
|
114 |
|
|
* socket for this. Instead we check rights in the calls.
|
115 |
|
|
*
|
116 |
|
|
* ATTENTION: check linux/in.h before adding new number here.
|
117 |
|
|
*/
|
118 |
|
|
#define ARPT_BASE_CTL 96
|
119 |
|
|
|
120 |
|
|
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
|
121 |
|
|
#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
|
122 |
|
|
#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
|
123 |
|
|
|
124 |
|
|
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
|
125 |
|
|
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
|
126 |
|
|
/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
|
127 |
|
|
#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
|
128 |
|
|
#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
|
129 |
|
|
|
130 |
|
|
/* The argument to ARPT_SO_GET_INFO */
|
131 |
|
|
struct arpt_getinfo {
|
132 |
|
|
/* Which table: caller fills this in. */
|
133 |
|
|
char name[XT_TABLE_MAXNAMELEN];
|
134 |
|
|
|
135 |
|
|
/* Kernel fills these in. */
|
136 |
|
|
/* Which hook entry points are valid: bitmask */
|
137 |
|
|
unsigned int valid_hooks;
|
138 |
|
|
|
139 |
|
|
/* Hook entry points: one per netfilter hook. */
|
140 |
|
|
unsigned int hook_entry[NF_ARP_NUMHOOKS];
|
141 |
|
|
|
142 |
|
|
/* Underflow points. */
|
143 |
|
|
unsigned int underflow[NF_ARP_NUMHOOKS];
|
144 |
|
|
|
145 |
|
|
/* Number of entries */
|
146 |
|
|
unsigned int num_entries;
|
147 |
|
|
|
148 |
|
|
/* Size of entries. */
|
149 |
|
|
unsigned int size;
|
150 |
|
|
};
|
151 |
|
|
|
152 |
|
|
/* The argument to ARPT_SO_SET_REPLACE. */
|
153 |
|
|
struct arpt_replace {
|
154 |
|
|
/* Which table. */
|
155 |
|
|
char name[XT_TABLE_MAXNAMELEN];
|
156 |
|
|
|
157 |
|
|
/* Which hook entry points are valid: bitmask. You can't
|
158 |
|
|
change this. */
|
159 |
|
|
unsigned int valid_hooks;
|
160 |
|
|
|
161 |
|
|
/* Number of entries */
|
162 |
|
|
unsigned int num_entries;
|
163 |
|
|
|
164 |
|
|
/* Total size of new entries */
|
165 |
|
|
unsigned int size;
|
166 |
|
|
|
167 |
|
|
/* Hook entry points. */
|
168 |
|
|
unsigned int hook_entry[NF_ARP_NUMHOOKS];
|
169 |
|
|
|
170 |
|
|
/* Underflow points. */
|
171 |
|
|
unsigned int underflow[NF_ARP_NUMHOOKS];
|
172 |
|
|
|
173 |
|
|
/* Information about old entries: */
|
174 |
|
|
/* Number of counters (must be equal to current number of entries). */
|
175 |
|
|
unsigned int num_counters;
|
176 |
|
|
/* The old entries' counters. */
|
177 |
|
|
struct xt_counters *counters;
|
178 |
|
|
|
179 |
|
|
/* The entries (hang off end: not really an array). */
|
180 |
|
|
struct arpt_entry entries[0];
|
181 |
|
|
};
|
182 |
|
|
|
183 |
|
|
/* The argument to ARPT_SO_GET_ENTRIES. */
|
184 |
|
|
struct arpt_get_entries {
|
185 |
|
|
/* Which table: user fills this in. */
|
186 |
|
|
char name[XT_TABLE_MAXNAMELEN];
|
187 |
|
|
|
188 |
|
|
/* User fills this in: total entry size. */
|
189 |
|
|
unsigned int size;
|
190 |
|
|
|
191 |
|
|
/* The entries. */
|
192 |
|
|
struct arpt_entry entrytable[0];
|
193 |
|
|
};
|
194 |
|
|
|
195 |
|
|
/* Helper functions */
|
196 |
|
|
static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
|
197 |
|
|
{
|
198 |
|
|
return (void *)e + e->target_offset;
|
199 |
|
|
}
|
200 |
|
|
|
201 |
|
|
/*
|
202 |
|
|
* Main firewall chains definitions and global var's definitions.
|
203 |
|
|
*/
|
204 |
|
|
#endif /* _ARPTABLES_H */
|