LXR linux/include/uapi/linux/netfilter_arp/arp

   1/*
   2 *      Format of an ARP firewall descriptor
   3 *
   4 *      src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
   5 *      network byte order.
   6 *      flags are stored in host byte order (of course).
   7 */
   8
   9#ifndef _UAPI_ARPTABLES_H
  10#define _UAPI_ARPTABLES_H
  11
  12#include <linux/types.h>
  13#include <linux/compiler.h>
  14#include <linux/if.h>
  15#include <linux/netfilter_arp.h>
  16
  17#include <linux/netfilter/x_tables.h>
  18
  19#ifndef __KERNEL__
  20#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
  21#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
  22#define arpt_entry_target xt_entry_target
  23#define arpt_standard_target xt_standard_target
  24#define arpt_error_target xt_error_target
  25#define ARPT_CONTINUE XT_CONTINUE
  26#define ARPT_RETURN XT_RETURN
  27#define arpt_counters_info xt_counters_info
  28#define arpt_counters xt_counters
  29#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
  30#define ARPT_ERROR_TARGET XT_ERROR_TARGET
  31#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
  32        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
  33#endif
  34
  35#define ARPT_DEV_ADDR_LEN_MAX 16
  36
  37struct arpt_devaddr_info {
  38        char addr[ARPT_DEV_ADDR_LEN_MAX];
  39        char mask[ARPT_DEV_ADDR_LEN_MAX];
  40};
  41
  42/* Yes, Virginia, you have to zero the padding. */
  43struct arpt_arp {
  44        /* Source and target IP addr */
  45        struct in_addr src, tgt;
  46        /* Mask for src and target IP addr */
  47        struct in_addr smsk, tmsk;
  48
  49        /* Device hw address length, src+target device addresses */
  50        __u8 arhln, arhln_mask;
  51        struct arpt_devaddr_info src_devaddr;
  52        struct arpt_devaddr_info tgt_devaddr;
  53
  54        /* ARP operation code. */
  55        __be16 arpop, arpop_mask;
  56
  57        /* ARP hardware address and protocol address format. */
  58        __be16 arhrd, arhrd_mask;
  59        __be16 arpro, arpro_mask;
  60
  61        /* The protocol address length is only accepted if it is 4
  62         * so there is no use in offering a way to do filtering on it.
  63         */
  64
  65        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
  66        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
  67
  68        /* Flags word */
  69        __u8 flags;
  70        /* Inverse flags */
  71        __u16 invflags;
  72};
  73
  74/* Values for "flag" field in struct arpt_ip (general arp structure).
  75 * No flags defined yet.
  76 */
  77#define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
  78
  79/* Values for "inv" field in struct arpt_arp. */
  80#define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
  81#define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
  82#define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
  83#define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
  84#define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
  85#define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
  86#define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
  87#define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
  88#define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
  89#define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
  90#define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
  91
  92/* This structure defines each of the firewall rules.  Consists of 3
  93   parts which are 1) general ARP header stuff 2) match specific
  94   stuff 3) the target to perform if the rule matches */
  95struct arpt_entry
  96{
  97        struct arpt_arp arp;
  98
  99        /* Size of arpt_entry + matches */
 100        __u16 target_offset;
 101        /* Size of arpt_entry + matches + target */
 102        __u16 next_offset;
 103
 104        /* Back pointer */
 105        unsigned int comefrom;
 106
 107        /* Packet and byte counters. */
 108        struct xt_counters counters;
 109
 110        /* The matches (if any), then the target. */
 111        unsigned char elems[0];
 112};
 113
 114/*
 115 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 116 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 117 * socket for this. Instead we check rights in the calls.
 118 *
 119 * ATTENTION: check linux/in.h before adding new number here.
 120 */
 121#define ARPT_BASE_CTL           96
 122
 123#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
 124#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
 125#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
 126
 127#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
 128#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
 129/* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
 130#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
 131#define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
 132
 133/* The argument to ARPT_SO_GET_INFO */
 134struct arpt_getinfo {
 135        /* Which table: caller fills this in. */
 136        char name[XT_TABLE_MAXNAMELEN];
 137
 138        /* Kernel fills these in. */
 139        /* Which hook entry points are valid: bitmask */
 140        unsigned int valid_hooks;
 141
 142        /* Hook entry points: one per netfilter hook. */
 143        unsigned int hook_entry[NF_ARP_NUMHOOKS];
 144
 145        /* Underflow points. */
 146        unsigned int underflow[NF_ARP_NUMHOOKS];
 147
 148        /* Number of entries */
 149        unsigned int num_entries;
 150
 151        /* Size of entries. */
 152        unsigned int size;
 153};
 154
 155/* The argument to ARPT_SO_SET_REPLACE. */
 156struct arpt_replace {
 157        /* Which table. */
 158        char name[XT_TABLE_MAXNAMELEN];
 159
 160        /* Which hook entry points are valid: bitmask.  You can't
 161           change this. */
 162        unsigned int valid_hooks;
 163
 164        /* Number of entries */
 165        unsigned int num_entries;
 166
 167        /* Total size of new entries */
 168        unsigned int size;
 169
 170        /* Hook entry points. */
 171        unsigned int hook_entry[NF_ARP_NUMHOOKS];
 172
 173        /* Underflow points. */
 174        unsigned int underflow[NF_ARP_NUMHOOKS];
 175
 176        /* Information about old entries: */
 177        /* Number of counters (must be equal to current number of entries). */
 178        unsigned int num_counters;
 179        /* The old entries' counters. */
 180        struct xt_counters __user *counters;
 181
 182        /* The entries (hang off end: not really an array). */
 183        struct arpt_entry entries[0];
 184};
 185
 186/* The argument to ARPT_SO_GET_ENTRIES. */
 187struct arpt_get_entries {
 188        /* Which table: user fills this in. */
 189        char name[XT_TABLE_MAXNAMELEN];
 190
 191        /* User fills this in: total entry size. */
 192        unsigned int size;
 193
 194        /* The entries. */
 195        struct arpt_entry entrytable[0];
 196};
 197
 198/* Helper functions */
 199static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
 200{
 201        return (void *)e + e->target_offset;
 202}
 203
 204/*
 205 *      Main firewall chains definitions and global var's definitions.
 206 */
 207#endif /* _UAPI_ARPTABLES_H */
 208