-2

include/linux/netfilter_arp/Kbuild

reviewed

··· 1 1 - header-y += arp_tables.h 2 2 - header-y += arpt_mangle.h

+1 -199

include/linux/netfilter_arp/arp_tables.h

reviewed

··· 5 5 * network byte order. 6 6 * flags are stored in host byte order (of course). 7 7 */ 8 8 - 9 8 #ifndef _ARPTABLES_H 10 9 #define _ARPTABLES_H 11 10 12 12 - #ifdef __KERNEL__ 13 11 #include <linux/if.h> 14 12 #include <linux/in.h> 15 13 #include <linux/if_arp.h> 16 14 #include <linux/skbuff.h> 17 17 - #endif 18 18 - #include <linux/types.h> 19 19 - #include <linux/compiler.h> 20 20 - #include <linux/netfilter_arp.h> 21 21 - 22 22 - #include <linux/netfilter/x_tables.h> 23 23 - 24 24 - #ifndef __KERNEL__ 25 25 - #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 26 26 - #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 27 27 - #define arpt_entry_target xt_entry_target 28 28 - #define arpt_standard_target xt_standard_target 29 29 - #define arpt_error_target xt_error_target 30 30 - #define ARPT_CONTINUE XT_CONTINUE 31 31 - #define ARPT_RETURN XT_RETURN 32 32 - #define arpt_counters_info xt_counters_info 33 33 - #define arpt_counters xt_counters 34 34 - #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET 35 35 - #define ARPT_ERROR_TARGET XT_ERROR_TARGET 36 36 - #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ 37 37 - XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) 38 38 - #endif 39 39 - 40 40 - #define ARPT_DEV_ADDR_LEN_MAX 16 41 41 - 42 42 - struct arpt_devaddr_info { 43 43 - char addr[ARPT_DEV_ADDR_LEN_MAX]; 44 44 - char mask[ARPT_DEV_ADDR_LEN_MAX]; 45 45 - }; 46 46 - 47 47 - /* Yes, Virginia, you have to zero the padding. */ 48 48 - struct arpt_arp { 49 49 - /* Source and target IP addr */ 50 50 - struct in_addr src, tgt; 51 51 - /* Mask for src and target IP addr */ 52 52 - struct in_addr smsk, tmsk; 53 53 - 54 54 - /* Device hw address length, src+target device addresses */ 55 55 - __u8 arhln, arhln_mask; 56 56 - struct arpt_devaddr_info src_devaddr; 57 57 - struct arpt_devaddr_info tgt_devaddr; 58 58 - 59 59 - /* ARP operation code. */ 60 60 - __be16 arpop, arpop_mask; 61 61 - 62 62 - /* ARP hardware address and protocol address format. */ 63 63 - __be16 arhrd, arhrd_mask; 64 64 - __be16 arpro, arpro_mask; 65 65 - 66 66 - /* The protocol address length is only accepted if it is 4 67 67 - * so there is no use in offering a way to do filtering on it. 68 68 - */ 69 69 - 70 70 - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 71 71 - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 72 72 - 73 73 - /* Flags word */ 74 74 - __u8 flags; 75 75 - /* Inverse flags */ 76 76 - __u16 invflags; 77 77 - }; 78 78 - 79 79 - /* Values for "flag" field in struct arpt_ip (general arp structure). 80 80 - * No flags defined yet. 81 81 - */ 82 82 - #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ 83 83 - 84 84 - /* Values for "inv" field in struct arpt_arp. */ 85 85 - #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ 86 86 - #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ 87 87 - #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ 88 88 - #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ 89 89 - #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ 90 90 - #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ 91 91 - #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ 92 92 - #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ 93 93 - #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ 94 94 - #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ 95 95 - #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ 96 96 - 97 97 - /* This structure defines each of the firewall rules. Consists of 3 98 98 - parts which are 1) general ARP header stuff 2) match specific 99 99 - stuff 3) the target to perform if the rule matches */ 100 100 - struct arpt_entry 101 101 - { 102 102 - struct arpt_arp arp; 103 103 - 104 104 - /* Size of arpt_entry + matches */ 105 105 - __u16 target_offset; 106 106 - /* Size of arpt_entry + matches + target */ 107 107 - __u16 next_offset; 108 108 - 109 109 - /* Back pointer */ 110 110 - unsigned int comefrom; 111 111 - 112 112 - /* Packet and byte counters. */ 113 113 - struct xt_counters counters; 114 114 - 115 115 - /* The matches (if any), then the target. */ 116 116 - unsigned char elems[0]; 117 117 - }; 118 118 - 119 119 - /* 120 120 - * New IP firewall options for [gs]etsockopt at the RAW IP level. 121 121 - * Unlike BSD Linux inherits IP options so you don't have to use a raw 122 122 - * socket for this. Instead we check rights in the calls. 123 123 - * 124 124 - * ATTENTION: check linux/in.h before adding new number here. 125 125 - */ 126 126 - #define ARPT_BASE_CTL 96 127 127 - 128 128 - #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) 129 129 - #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) 130 130 - #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS 131 131 - 132 132 - #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) 133 133 - #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) 134 134 - /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ 135 135 - #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) 136 136 - #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) 137 137 - 138 138 - /* The argument to ARPT_SO_GET_INFO */ 139 139 - struct arpt_getinfo { 140 140 - /* Which table: caller fills this in. */ 141 141 - char name[XT_TABLE_MAXNAMELEN]; 142 142 - 143 143 - /* Kernel fills these in. */ 144 144 - /* Which hook entry points are valid: bitmask */ 145 145 - unsigned int valid_hooks; 146 146 - 147 147 - /* Hook entry points: one per netfilter hook. */ 148 148 - unsigned int hook_entry[NF_ARP_NUMHOOKS]; 149 149 - 150 150 - /* Underflow points. */ 151 151 - unsigned int underflow[NF_ARP_NUMHOOKS]; 152 152 - 153 153 - /* Number of entries */ 154 154 - unsigned int num_entries; 155 155 - 156 156 - /* Size of entries. */ 157 157 - unsigned int size; 158 158 - }; 159 159 - 160 160 - /* The argument to ARPT_SO_SET_REPLACE. */ 161 161 - struct arpt_replace { 162 162 - /* Which table. */ 163 163 - char name[XT_TABLE_MAXNAMELEN]; 164 164 - 165 165 - /* Which hook entry points are valid: bitmask. You can't 166 166 - change this. */ 167 167 - unsigned int valid_hooks; 168 168 - 169 169 - /* Number of entries */ 170 170 - unsigned int num_entries; 171 171 - 172 172 - /* Total size of new entries */ 173 173 - unsigned int size; 174 174 - 175 175 - /* Hook entry points. */ 176 176 - unsigned int hook_entry[NF_ARP_NUMHOOKS]; 177 177 - 178 178 - /* Underflow points. */ 179 179 - unsigned int underflow[NF_ARP_NUMHOOKS]; 180 180 - 181 181 - /* Information about old entries: */ 182 182 - /* Number of counters (must be equal to current number of entries). */ 183 183 - unsigned int num_counters; 184 184 - /* The old entries' counters. */ 185 185 - struct xt_counters __user *counters; 186 186 - 187 187 - /* The entries (hang off end: not really an array). */ 188 188 - struct arpt_entry entries[0]; 189 189 - }; 190 190 - 191 191 - /* The argument to ARPT_SO_GET_ENTRIES. */ 192 192 - struct arpt_get_entries { 193 193 - /* Which table: user fills this in. */ 194 194 - char name[XT_TABLE_MAXNAMELEN]; 195 195 - 196 196 - /* User fills this in: total entry size. */ 197 197 - unsigned int size; 198 198 - 199 199 - /* The entries. */ 200 200 - struct arpt_entry entrytable[0]; 201 201 - }; 202 202 - 203 203 - /* Helper functions */ 204 204 - static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) 205 205 - { 206 206 - return (void *)e + e->target_offset; 207 207 - } 208 208 - 209 209 - /* 210 210 - * Main firewall chains definitions and global var's definitions. 211 211 - */ 212 212 - #ifdef __KERNEL__ 15 15 + #include <uapi/linux/netfilter_arp/arp_tables.h> 213 16 214 17 /* Standard entry. */ 215 18 struct arpt_standard { ··· 77 274 } 78 275 79 276 #endif /* CONFIG_COMPAT */ 80 80 - #endif /*__KERNEL__*/ 81 277 #endif /* _ARPTABLES_H */

include/linux/netfilter_arp/arpt_mangle.h include/uapi/linux/netfilter_arp/arpt_mangle.h

reviewed

+2

include/uapi/linux/netfilter_arp/Kbuild

reviewed

··· 1 1 # UAPI Header export list 2 2 + header-y += arp_tables.h 3 3 + header-y += arpt_mangle.h

+206

include/uapi/linux/netfilter_arp/arp_tables.h

reviewed

··· 1 1 + /* 2 2 + * Format of an ARP firewall descriptor 3 3 + * 4 4 + * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in 5 5 + * network byte order. 6 6 + * flags are stored in host byte order (of course). 7 7 + */ 8 8 + 9 9 + #ifndef _UAPI_ARPTABLES_H 10 10 + #define _UAPI_ARPTABLES_H 11 11 + 12 12 + #include <linux/types.h> 13 13 + #include <linux/compiler.h> 14 14 + #include <linux/netfilter_arp.h> 15 15 + 16 16 + #include <linux/netfilter/x_tables.h> 17 17 + 18 18 + #ifndef __KERNEL__ 19 19 + #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 20 20 + #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 21 21 + #define arpt_entry_target xt_entry_target 22 22 + #define arpt_standard_target xt_standard_target 23 23 + #define arpt_error_target xt_error_target 24 24 + #define ARPT_CONTINUE XT_CONTINUE 25 25 + #define ARPT_RETURN XT_RETURN 26 26 + #define arpt_counters_info xt_counters_info 27 27 + #define arpt_counters xt_counters 28 28 + #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET 29 29 + #define ARPT_ERROR_TARGET XT_ERROR_TARGET 30 30 + #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ 31 31 + XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) 32 32 + #endif 33 33 + 34 34 + #define ARPT_DEV_ADDR_LEN_MAX 16 35 35 + 36 36 + struct arpt_devaddr_info { 37 37 + char addr[ARPT_DEV_ADDR_LEN_MAX]; 38 38 + char mask[ARPT_DEV_ADDR_LEN_MAX]; 39 39 + }; 40 40 + 41 41 + /* Yes, Virginia, you have to zero the padding. */ 42 42 + struct arpt_arp { 43 43 + /* Source and target IP addr */ 44 44 + struct in_addr src, tgt; 45 45 + /* Mask for src and target IP addr */ 46 46 + struct in_addr smsk, tmsk; 47 47 + 48 48 + /* Device hw address length, src+target device addresses */ 49 49 + __u8 arhln, arhln_mask; 50 50 + struct arpt_devaddr_info src_devaddr; 51 51 + struct arpt_devaddr_info tgt_devaddr; 52 52 + 53 53 + /* ARP operation code. */ 54 54 + __be16 arpop, arpop_mask; 55 55 + 56 56 + /* ARP hardware address and protocol address format. */ 57 57 + __be16 arhrd, arhrd_mask; 58 58 + __be16 arpro, arpro_mask; 59 59 + 60 60 + /* The protocol address length is only accepted if it is 4 61 61 + * so there is no use in offering a way to do filtering on it. 62 62 + */ 63 63 + 64 64 + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 65 65 + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 66 66 + 67 67 + /* Flags word */ 68 68 + __u8 flags; 69 69 + /* Inverse flags */ 70 70 + __u16 invflags; 71 71 + }; 72 72 + 73 73 + /* Values for "flag" field in struct arpt_ip (general arp structure). 74 74 + * No flags defined yet. 75 75 + */ 76 76 + #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ 77 77 + 78 78 + /* Values for "inv" field in struct arpt_arp. */ 79 79 + #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ 80 80 + #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ 81 81 + #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ 82 82 + #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ 83 83 + #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ 84 84 + #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ 85 85 + #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ 86 86 + #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ 87 87 + #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ 88 88 + #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ 89 89 + #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ 90 90 + 91 91 + /* This structure defines each of the firewall rules. Consists of 3 92 92 + parts which are 1) general ARP header stuff 2) match specific 93 93 + stuff 3) the target to perform if the rule matches */ 94 94 + struct arpt_entry 95 95 + { 96 96 + struct arpt_arp arp; 97 97 + 98 98 + /* Size of arpt_entry + matches */ 99 99 + __u16 target_offset; 100 100 + /* Size of arpt_entry + matches + target */ 101 101 + __u16 next_offset; 102 102 + 103 103 + /* Back pointer */ 104 104 + unsigned int comefrom; 105 105 + 106 106 + /* Packet and byte counters. */ 107 107 + struct xt_counters counters; 108 108 + 109 109 + /* The matches (if any), then the target. */ 110 110 + unsigned char elems[0]; 111 111 + }; 112 112 + 113 113 + /* 114 114 + * New IP firewall options for [gs]etsockopt at the RAW IP level. 115 115 + * Unlike BSD Linux inherits IP options so you don't have to use a raw 116 116 + * socket for this. Instead we check rights in the calls. 117 117 + * 118 118 + * ATTENTION: check linux/in.h before adding new number here. 119 119 + */ 120 120 + #define ARPT_BASE_CTL 96 121 121 + 122 122 + #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) 123 123 + #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) 124 124 + #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS 125 125 + 126 126 + #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) 127 127 + #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) 128 128 + /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ 129 129 + #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) 130 130 + #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) 131 131 + 132 132 + /* The argument to ARPT_SO_GET_INFO */ 133 133 + struct arpt_getinfo { 134 134 + /* Which table: caller fills this in. */ 135 135 + char name[XT_TABLE_MAXNAMELEN]; 136 136 + 137 137 + /* Kernel fills these in. */ 138 138 + /* Which hook entry points are valid: bitmask */ 139 139 + unsigned int valid_hooks; 140 140 + 141 141 + /* Hook entry points: one per netfilter hook. */ 142 142 + unsigned int hook_entry[NF_ARP_NUMHOOKS]; 143 143 + 144 144 + /* Underflow points. */ 145 145 + unsigned int underflow[NF_ARP_NUMHOOKS]; 146 146 + 147 147 + /* Number of entries */ 148 148 + unsigned int num_entries; 149 149 + 150 150 + /* Size of entries. */ 151 151 + unsigned int size; 152 152 + }; 153 153 + 154 154 + /* The argument to ARPT_SO_SET_REPLACE. */ 155 155 + struct arpt_replace { 156 156 + /* Which table. */ 157 157 + char name[XT_TABLE_MAXNAMELEN]; 158 158 + 159 159 + /* Which hook entry points are valid: bitmask. You can't 160 160 + change this. */ 161 161 + unsigned int valid_hooks; 162 162 + 163 163 + /* Number of entries */ 164 164 + unsigned int num_entries; 165 165 + 166 166 + /* Total size of new entries */ 167 167 + unsigned int size; 168 168 + 169 169 + /* Hook entry points. */ 170 170 + unsigned int hook_entry[NF_ARP_NUMHOOKS]; 171 171 + 172 172 + /* Underflow points. */ 173 173 + unsigned int underflow[NF_ARP_NUMHOOKS]; 174 174 + 175 175 + /* Information about old entries: */ 176 176 + /* Number of counters (must be equal to current number of entries). */ 177 177 + unsigned int num_counters; 178 178 + /* The old entries' counters. */ 179 179 + struct xt_counters __user *counters; 180 180 + 181 181 + /* The entries (hang off end: not really an array). */ 182 182 + struct arpt_entry entries[0]; 183 183 + }; 184 184 + 185 185 + /* The argument to ARPT_SO_GET_ENTRIES. */ 186 186 + struct arpt_get_entries { 187 187 + /* Which table: user fills this in. */ 188 188 + char name[XT_TABLE_MAXNAMELEN]; 189 189 + 190 190 + /* User fills this in: total entry size. */ 191 191 + unsigned int size; 192 192 + 193 193 + /* The entries. */ 194 194 + struct arpt_entry entrytable[0]; 195 195 + }; 196 196 + 197 197 + /* Helper functions */ 198 198 + static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) 199 199 + { 200 200 + return (void *)e + e->target_offset; 201 201 + } 202 202 + 203 203 + /* 204 204 + * Main firewall chains definitions and global var's definitions. 205 205 + */ 206 206 + #endif /* _UAPI_ARPTABLES_H */