2 * Format of an ARP firewall descriptor
4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
6 * flags are stored in host byte order (of course).
12 #include <linux/types.h>
14 #include <linux/netfilter_arp.h>
16 #include <linux/netfilter/x_tables.h>
18 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
19 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
21 #define ARPT_DEV_ADDR_LEN_MAX 16
23 struct arpt_devaddr_info
{
24 char addr
[ARPT_DEV_ADDR_LEN_MAX
];
25 char mask
[ARPT_DEV_ADDR_LEN_MAX
];
28 /* Yes, Virginia, you have to zero the padding. */
30 /* Source and target IP addr */
31 struct in_addr src
, tgt
;
32 /* Mask for src and target IP addr */
33 struct in_addr smsk
, tmsk
;
35 /* Device hw address length, src+target device addresses */
36 u_int8_t arhln
, arhln_mask
;
37 struct arpt_devaddr_info src_devaddr
;
38 struct arpt_devaddr_info tgt_devaddr
;
40 /* ARP operation code. */
41 __be16 arpop
, arpop_mask
;
43 /* ARP hardware address and protocol address format. */
44 __be16 arhrd
, arhrd_mask
;
45 __be16 arpro
, arpro_mask
;
47 /* The protocol address length is only accepted if it is 4
48 * so there is no use in offering a way to do filtering on it.
51 char iniface
[IFNAMSIZ
], outiface
[IFNAMSIZ
];
52 unsigned char iniface_mask
[IFNAMSIZ
], outiface_mask
[IFNAMSIZ
];
60 #define arpt_entry_target xt_entry_target
61 #define arpt_standard_target xt_standard_target
63 /* Values for "flag" field in struct arpt_ip (general arp structure).
64 * No flags defined yet.
66 #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
68 /* Values for "inv" field in struct arpt_arp. */
69 #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
70 #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
71 #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
72 #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
73 #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
74 #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
75 #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
76 #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
77 #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
78 #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
79 #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
81 /* This structure defines each of the firewall rules. Consists of 3
82 parts which are 1) general ARP header stuff 2) match specific
83 stuff 3) the target to perform if the rule matches */
88 /* Size of arpt_entry + matches */
89 u_int16_t target_offset
;
90 /* Size of arpt_entry + matches + target */
91 u_int16_t next_offset
;
94 unsigned int comefrom
;
96 /* Packet and byte counters. */
97 struct xt_counters counters
;
99 /* The matches (if any), then the target. */
100 unsigned char elems
[0];
104 * New IP firewall options for [gs]etsockopt at the RAW IP level.
105 * Unlike BSD Linux inherits IP options so you don't have to use a raw
106 * socket for this. Instead we check rights in the calls.
108 * ATTENTION: check linux/in.h before adding new number here.
110 #define ARPT_BASE_CTL 96
112 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
113 #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
114 #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
116 #define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
117 #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
118 /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
119 #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
120 #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
122 /* CONTINUE verdict for targets */
123 #define ARPT_CONTINUE XT_CONTINUE
125 /* For standard target */
126 #define ARPT_RETURN XT_RETURN
128 /* The argument to ARPT_SO_GET_INFO */
129 struct arpt_getinfo
{
130 /* Which table: caller fills this in. */
131 char name
[ARPT_TABLE_MAXNAMELEN
];
133 /* Kernel fills these in. */
134 /* Which hook entry points are valid: bitmask */
135 unsigned int valid_hooks
;
137 /* Hook entry points: one per netfilter hook. */
138 unsigned int hook_entry
[NF_ARP_NUMHOOKS
];
140 /* Underflow points. */
141 unsigned int underflow
[NF_ARP_NUMHOOKS
];
143 /* Number of entries */
144 unsigned int num_entries
;
146 /* Size of entries. */
150 /* The argument to ARPT_SO_SET_REPLACE. */
151 struct arpt_replace
{
153 char name
[ARPT_TABLE_MAXNAMELEN
];
155 /* Which hook entry points are valid: bitmask. You can't
157 unsigned int valid_hooks
;
159 /* Number of entries */
160 unsigned int num_entries
;
162 /* Total size of new entries */
165 /* Hook entry points. */
166 unsigned int hook_entry
[NF_ARP_NUMHOOKS
];
168 /* Underflow points. */
169 unsigned int underflow
[NF_ARP_NUMHOOKS
];
171 /* Information about old entries: */
172 /* Number of counters (must be equal to current number of entries). */
173 unsigned int num_counters
;
174 /* The old entries' counters. */
175 struct xt_counters
*counters
;
177 /* The entries (hang off end: not really an array). */
178 struct arpt_entry entries
[0];
181 /* The argument to ARPT_SO_ADD_COUNTERS. */
182 #define arpt_counters_info xt_counters_info
183 #define arpt_counters xt_counters
185 /* The argument to ARPT_SO_GET_ENTRIES. */
186 struct arpt_get_entries
{
187 /* Which table: user fills this in. */
188 char name
[ARPT_TABLE_MAXNAMELEN
];
190 /* User fills this in: total entry size. */
194 struct arpt_entry entrytable
[0];
197 /* Standard return verdict, or do jump. */
198 #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
200 #define ARPT_ERROR_TARGET XT_ERROR_TARGET
202 /* Helper functions */
203 static __inline__
struct arpt_entry_target
*arpt_get_target(struct arpt_entry
*e
)
205 return (void *)e
+ e
->target_offset
;
208 /* fn returns 0 to continue iteration */
209 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
210 XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
213 * Main firewall chains definitions and global var's definitions.
215 #endif /* _ARPTABLES_H */