Commit | Line | Data |
---|---|---|
6f52b16c | 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
8922082a DH |
2 | /* |
3 | * Format of an ARP firewall descriptor | |
4 | * | |
5 | * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in | |
6 | * network byte order. | |
7 | * flags are stored in host byte order (of course). | |
8 | */ | |
9 | ||
10 | #ifndef _UAPI_ARPTABLES_H | |
11 | #define _UAPI_ARPTABLES_H | |
12 | ||
13 | #include <linux/types.h> | |
14 | #include <linux/compiler.h> | |
1ffad83d | 15 | #include <linux/if.h> |
8922082a DH |
16 | #include <linux/netfilter_arp.h> |
17 | ||
18 | #include <linux/netfilter/x_tables.h> | |
19 | ||
20 | #ifndef __KERNEL__ | |
21 | #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN | |
22 | #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN | |
23 | #define arpt_entry_target xt_entry_target | |
24 | #define arpt_standard_target xt_standard_target | |
25 | #define arpt_error_target xt_error_target | |
26 | #define ARPT_CONTINUE XT_CONTINUE | |
27 | #define ARPT_RETURN XT_RETURN | |
28 | #define arpt_counters_info xt_counters_info | |
29 | #define arpt_counters xt_counters | |
30 | #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET | |
31 | #define ARPT_ERROR_TARGET XT_ERROR_TARGET | |
32 | #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ | |
33 | XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) | |
34 | #endif | |
35 | ||
36 | #define ARPT_DEV_ADDR_LEN_MAX 16 | |
37 | ||
38 | struct arpt_devaddr_info { | |
39 | char addr[ARPT_DEV_ADDR_LEN_MAX]; | |
40 | char mask[ARPT_DEV_ADDR_LEN_MAX]; | |
41 | }; | |
42 | ||
43 | /* Yes, Virginia, you have to zero the padding. */ | |
44 | struct arpt_arp { | |
45 | /* Source and target IP addr */ | |
46 | struct in_addr src, tgt; | |
47 | /* Mask for src and target IP addr */ | |
48 | struct in_addr smsk, tmsk; | |
49 | ||
50 | /* Device hw address length, src+target device addresses */ | |
51 | __u8 arhln, arhln_mask; | |
52 | struct arpt_devaddr_info src_devaddr; | |
53 | struct arpt_devaddr_info tgt_devaddr; | |
54 | ||
55 | /* ARP operation code. */ | |
56 | __be16 arpop, arpop_mask; | |
57 | ||
58 | /* ARP hardware address and protocol address format. */ | |
59 | __be16 arhrd, arhrd_mask; | |
60 | __be16 arpro, arpro_mask; | |
61 | ||
62 | /* The protocol address length is only accepted if it is 4 | |
63 | * so there is no use in offering a way to do filtering on it. | |
64 | */ | |
65 | ||
66 | char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; | |
67 | unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; | |
68 | ||
69 | /* Flags word */ | |
70 | __u8 flags; | |
71 | /* Inverse flags */ | |
72 | __u16 invflags; | |
73 | }; | |
74 | ||
75 | /* Values for "flag" field in struct arpt_ip (general arp structure). | |
76 | * No flags defined yet. | |
77 | */ | |
78 | #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ | |
79 | ||
80 | /* Values for "inv" field in struct arpt_arp. */ | |
81 | #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ | |
82 | #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ | |
83 | #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ | |
84 | #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ | |
85 | #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ | |
86 | #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ | |
87 | #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ | |
88 | #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ | |
89 | #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ | |
90 | #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ | |
91 | #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ | |
92 | ||
93 | /* This structure defines each of the firewall rules. Consists of 3 | |
94 | parts which are 1) general ARP header stuff 2) match specific | |
95 | stuff 3) the target to perform if the rule matches */ | |
96 | struct arpt_entry | |
97 | { | |
98 | struct arpt_arp arp; | |
99 | ||
100 | /* Size of arpt_entry + matches */ | |
101 | __u16 target_offset; | |
102 | /* Size of arpt_entry + matches + target */ | |
103 | __u16 next_offset; | |
104 | ||
105 | /* Back pointer */ | |
106 | unsigned int comefrom; | |
107 | ||
108 | /* Packet and byte counters. */ | |
109 | struct xt_counters counters; | |
110 | ||
111 | /* The matches (if any), then the target. */ | |
112 | unsigned char elems[0]; | |
113 | }; | |
114 | ||
115 | /* | |
116 | * New IP firewall options for [gs]etsockopt at the RAW IP level. | |
117 | * Unlike BSD Linux inherits IP options so you don't have to use a raw | |
118 | * socket for this. Instead we check rights in the calls. | |
119 | * | |
120 | * ATTENTION: check linux/in.h before adding new number here. | |
121 | */ | |
122 | #define ARPT_BASE_CTL 96 | |
123 | ||
124 | #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) | |
125 | #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) | |
126 | #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS | |
127 | ||
128 | #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) | |
129 | #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) | |
130 | /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ | |
131 | #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) | |
132 | #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) | |
133 | ||
134 | /* The argument to ARPT_SO_GET_INFO */ | |
135 | struct arpt_getinfo { | |
136 | /* Which table: caller fills this in. */ | |
137 | char name[XT_TABLE_MAXNAMELEN]; | |
138 | ||
139 | /* Kernel fills these in. */ | |
140 | /* Which hook entry points are valid: bitmask */ | |
141 | unsigned int valid_hooks; | |
142 | ||
143 | /* Hook entry points: one per netfilter hook. */ | |
144 | unsigned int hook_entry[NF_ARP_NUMHOOKS]; | |
145 | ||
146 | /* Underflow points. */ | |
147 | unsigned int underflow[NF_ARP_NUMHOOKS]; | |
148 | ||
149 | /* Number of entries */ | |
150 | unsigned int num_entries; | |
151 | ||
152 | /* Size of entries. */ | |
153 | unsigned int size; | |
154 | }; | |
155 | ||
156 | /* The argument to ARPT_SO_SET_REPLACE. */ | |
157 | struct arpt_replace { | |
158 | /* Which table. */ | |
159 | char name[XT_TABLE_MAXNAMELEN]; | |
160 | ||
161 | /* Which hook entry points are valid: bitmask. You can't | |
162 | change this. */ | |
163 | unsigned int valid_hooks; | |
164 | ||
165 | /* Number of entries */ | |
166 | unsigned int num_entries; | |
167 | ||
168 | /* Total size of new entries */ | |
169 | unsigned int size; | |
170 | ||
171 | /* Hook entry points. */ | |
172 | unsigned int hook_entry[NF_ARP_NUMHOOKS]; | |
173 | ||
174 | /* Underflow points. */ | |
175 | unsigned int underflow[NF_ARP_NUMHOOKS]; | |
176 | ||
177 | /* Information about old entries: */ | |
178 | /* Number of counters (must be equal to current number of entries). */ | |
179 | unsigned int num_counters; | |
180 | /* The old entries' counters. */ | |
181 | struct xt_counters __user *counters; | |
182 | ||
183 | /* The entries (hang off end: not really an array). */ | |
184 | struct arpt_entry entries[0]; | |
185 | }; | |
186 | ||
187 | /* The argument to ARPT_SO_GET_ENTRIES. */ | |
188 | struct arpt_get_entries { | |
189 | /* Which table: user fills this in. */ | |
190 | char name[XT_TABLE_MAXNAMELEN]; | |
191 | ||
192 | /* User fills this in: total entry size. */ | |
193 | unsigned int size; | |
194 | ||
195 | /* The entries. */ | |
196 | struct arpt_entry entrytable[0]; | |
197 | }; | |
198 | ||
199 | /* Helper functions */ | |
200 | static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) | |
201 | { | |
d6547f2a | 202 | return (struct xt_entry_target *)((char *)e + e->target_offset); |
8922082a DH |
203 | } |
204 | ||
205 | /* | |
206 | * Main firewall chains definitions and global var's definitions. | |
207 | */ | |
208 | #endif /* _UAPI_ARPTABLES_H */ |