diff options
author | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-04-16 18:20:36 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-04-16 18:20:36 -0400 |
commit | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (patch) | |
tree | 0bba044c4ce775e45a88a51686b5d9f90697ea9d /include/linux/netfilter_arp |
Linux-2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!
Diffstat (limited to 'include/linux/netfilter_arp')
-rw-r--r-- | include/linux/netfilter_arp/arp_tables.h | 340 | ||||
-rw-r--r-- | include/linux/netfilter_arp/arpt_mangle.h | 26 |
2 files changed, 366 insertions, 0 deletions
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h new file mode 100644 index 00000000000..d759a637bde --- /dev/null +++ b/include/linux/netfilter_arp/arp_tables.h | |||
@@ -0,0 +1,340 @@ | |||
1 | /* | ||
2 | * Format of an ARP firewall descriptor | ||
3 | * | ||
4 | * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in | ||
5 | * network byte order. | ||
6 | * flags are stored in host byte order (of course). | ||
7 | */ | ||
8 | |||
9 | #ifndef _ARPTABLES_H | ||
10 | #define _ARPTABLES_H | ||
11 | |||
12 | #ifdef __KERNEL__ | ||
13 | #include <linux/if.h> | ||
14 | #include <linux/types.h> | ||
15 | #include <linux/in.h> | ||
16 | #include <linux/if_arp.h> | ||
17 | #include <linux/skbuff.h> | ||
18 | #endif | ||
19 | #include <linux/compiler.h> | ||
20 | #include <linux/netfilter_arp.h> | ||
21 | |||
22 | #define ARPT_FUNCTION_MAXNAMELEN 30 | ||
23 | #define ARPT_TABLE_MAXNAMELEN 32 | ||
24 | |||
25 | #define ARPT_DEV_ADDR_LEN_MAX 16 | ||
26 | |||
27 | struct arpt_devaddr_info { | ||
28 | char addr[ARPT_DEV_ADDR_LEN_MAX]; | ||
29 | char mask[ARPT_DEV_ADDR_LEN_MAX]; | ||
30 | }; | ||
31 | |||
32 | /* Yes, Virginia, you have to zero the padding. */ | ||
33 | struct arpt_arp { | ||
34 | /* Source and target IP addr */ | ||
35 | struct in_addr src, tgt; | ||
36 | /* Mask for src and target IP addr */ | ||
37 | struct in_addr smsk, tmsk; | ||
38 | |||
39 | /* Device hw address length, src+target device addresses */ | ||
40 | u_int8_t arhln, arhln_mask; | ||
41 | struct arpt_devaddr_info src_devaddr; | ||
42 | struct arpt_devaddr_info tgt_devaddr; | ||
43 | |||
44 | /* ARP operation code. */ | ||
45 | u_int16_t arpop, arpop_mask; | ||
46 | |||
47 | /* ARP hardware address and protocol address format. */ | ||
48 | u_int16_t arhrd, arhrd_mask; | ||
49 | u_int16_t arpro, arpro_mask; | ||
50 | |||
51 | /* The protocol address length is only accepted if it is 4 | ||
52 | * so there is no use in offering a way to do filtering on it. | ||
53 | */ | ||
54 | |||
55 | char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; | ||
56 | unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; | ||
57 | |||
58 | /* Flags word */ | ||
59 | u_int8_t flags; | ||
60 | /* Inverse flags */ | ||
61 | u_int16_t invflags; | ||
62 | }; | ||
63 | |||
64 | struct arpt_entry_target | ||
65 | { | ||
66 | union { | ||
67 | struct { | ||
68 | u_int16_t target_size; | ||
69 | |||
70 | /* Used by userspace */ | ||
71 | char name[ARPT_FUNCTION_MAXNAMELEN]; | ||
72 | } user; | ||
73 | struct { | ||
74 | u_int16_t target_size; | ||
75 | |||
76 | /* Used inside the kernel */ | ||
77 | struct arpt_target *target; | ||
78 | } kernel; | ||
79 | |||
80 | /* Total length */ | ||
81 | u_int16_t target_size; | ||
82 | } u; | ||
83 | |||
84 | unsigned char data[0]; | ||
85 | }; | ||
86 | |||
87 | struct arpt_standard_target | ||
88 | { | ||
89 | struct arpt_entry_target target; | ||
90 | int verdict; | ||
91 | }; | ||
92 | |||
93 | struct arpt_counters | ||
94 | { | ||
95 | u_int64_t pcnt, bcnt; /* Packet and byte counters */ | ||
96 | }; | ||
97 | |||
98 | /* Values for "flag" field in struct arpt_ip (general arp structure). | ||
99 | * No flags defined yet. | ||
100 | */ | ||
101 | #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ | ||
102 | |||
103 | /* Values for "inv" field in struct arpt_arp. */ | ||
104 | #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ | ||
105 | #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ | ||
106 | #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ | ||
107 | #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ | ||
108 | #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ | ||
109 | #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ | ||
110 | #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ | ||
111 | #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ | ||
112 | #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ | ||
113 | #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ | ||
114 | #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ | ||
115 | |||
116 | /* This structure defines each of the firewall rules. Consists of 3 | ||
117 | parts which are 1) general ARP header stuff 2) match specific | ||
118 | stuff 3) the target to perform if the rule matches */ | ||
119 | struct arpt_entry | ||
120 | { | ||
121 | struct arpt_arp arp; | ||
122 | |||
123 | /* Size of arpt_entry + matches */ | ||
124 | u_int16_t target_offset; | ||
125 | /* Size of arpt_entry + matches + target */ | ||
126 | u_int16_t next_offset; | ||
127 | |||
128 | /* Back pointer */ | ||
129 | unsigned int comefrom; | ||
130 | |||
131 | /* Packet and byte counters. */ | ||
132 | struct arpt_counters counters; | ||
133 | |||
134 | /* The matches (if any), then the target. */ | ||
135 | unsigned char elems[0]; | ||
136 | }; | ||
137 | |||
138 | /* | ||
139 | * New IP firewall options for [gs]etsockopt at the RAW IP level. | ||
140 | * Unlike BSD Linux inherits IP options so you don't have to use a raw | ||
141 | * socket for this. Instead we check rights in the calls. | ||
142 | */ | ||
143 | #define ARPT_BASE_CTL 96 /* base for firewall socket options */ | ||
144 | |||
145 | #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) | ||
146 | #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) | ||
147 | #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS | ||
148 | |||
149 | #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) | ||
150 | #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) | ||
151 | #define ARPT_SO_GET_MAX ARPT_SO_GET_ENTRIES | ||
152 | |||
153 | /* CONTINUE verdict for targets */ | ||
154 | #define ARPT_CONTINUE 0xFFFFFFFF | ||
155 | |||
156 | /* For standard target */ | ||
157 | #define ARPT_RETURN (-NF_REPEAT - 1) | ||
158 | |||
159 | /* The argument to ARPT_SO_GET_INFO */ | ||
160 | struct arpt_getinfo | ||
161 | { | ||
162 | /* Which table: caller fills this in. */ | ||
163 | char name[ARPT_TABLE_MAXNAMELEN]; | ||
164 | |||
165 | /* Kernel fills these in. */ | ||
166 | /* Which hook entry points are valid: bitmask */ | ||
167 | unsigned int valid_hooks; | ||
168 | |||
169 | /* Hook entry points: one per netfilter hook. */ | ||
170 | unsigned int hook_entry[NF_ARP_NUMHOOKS]; | ||
171 | |||
172 | /* Underflow points. */ | ||
173 | unsigned int underflow[NF_ARP_NUMHOOKS]; | ||
174 | |||
175 | /* Number of entries */ | ||
176 | unsigned int num_entries; | ||
177 | |||
178 | /* Size of entries. */ | ||
179 | unsigned int size; | ||
180 | }; | ||
181 | |||
182 | /* The argument to ARPT_SO_SET_REPLACE. */ | ||
183 | struct arpt_replace | ||
184 | { | ||
185 | /* Which table. */ | ||
186 | char name[ARPT_TABLE_MAXNAMELEN]; | ||
187 | |||
188 | /* Which hook entry points are valid: bitmask. You can't | ||
189 | change this. */ | ||
190 | unsigned int valid_hooks; | ||
191 | |||
192 | /* Number of entries */ | ||
193 | unsigned int num_entries; | ||
194 | |||
195 | /* Total size of new entries */ | ||
196 | unsigned int size; | ||
197 | |||
198 | /* Hook entry points. */ | ||
199 | unsigned int hook_entry[NF_ARP_NUMHOOKS]; | ||
200 | |||
201 | /* Underflow points. */ | ||
202 | unsigned int underflow[NF_ARP_NUMHOOKS]; | ||
203 | |||
204 | /* Information about old entries: */ | ||
205 | /* Number of counters (must be equal to current number of entries). */ | ||
206 | unsigned int num_counters; | ||
207 | /* The old entries' counters. */ | ||
208 | struct arpt_counters __user *counters; | ||
209 | |||
210 | /* The entries (hang off end: not really an array). */ | ||
211 | struct arpt_entry entries[0]; | ||
212 | }; | ||
213 | |||
214 | /* The argument to ARPT_SO_ADD_COUNTERS. */ | ||
215 | struct arpt_counters_info | ||
216 | { | ||
217 | /* Which table. */ | ||
218 | char name[ARPT_TABLE_MAXNAMELEN]; | ||
219 | |||
220 | unsigned int num_counters; | ||
221 | |||
222 | /* The counters (actually `number' of these). */ | ||
223 | struct arpt_counters counters[0]; | ||
224 | }; | ||
225 | |||
226 | /* The argument to ARPT_SO_GET_ENTRIES. */ | ||
227 | struct arpt_get_entries | ||
228 | { | ||
229 | /* Which table: user fills this in. */ | ||
230 | char name[ARPT_TABLE_MAXNAMELEN]; | ||
231 | |||
232 | /* User fills this in: total entry size. */ | ||
233 | unsigned int size; | ||
234 | |||
235 | /* The entries. */ | ||
236 | struct arpt_entry entrytable[0]; | ||
237 | }; | ||
238 | |||
239 | /* Standard return verdict, or do jump. */ | ||
240 | #define ARPT_STANDARD_TARGET "" | ||
241 | /* Error verdict. */ | ||
242 | #define ARPT_ERROR_TARGET "ERROR" | ||
243 | |||
244 | /* Helper functions */ | ||
245 | static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) | ||
246 | { | ||
247 | return (void *)e + e->target_offset; | ||
248 | } | ||
249 | |||
250 | /* fn returns 0 to continue iteration */ | ||
251 | #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ | ||
252 | ({ \ | ||
253 | unsigned int __i; \ | ||
254 | int __ret = 0; \ | ||
255 | struct arpt_entry *__entry; \ | ||
256 | \ | ||
257 | for (__i = 0; __i < (size); __i += __entry->next_offset) { \ | ||
258 | __entry = (void *)(entries) + __i; \ | ||
259 | \ | ||
260 | __ret = fn(__entry , ## args); \ | ||
261 | if (__ret != 0) \ | ||
262 | break; \ | ||
263 | } \ | ||
264 | __ret; \ | ||
265 | }) | ||
266 | |||
267 | /* | ||
268 | * Main firewall chains definitions and global var's definitions. | ||
269 | */ | ||
270 | #ifdef __KERNEL__ | ||
271 | |||
272 | /* Registration hooks for targets. */ | ||
273 | struct arpt_target | ||
274 | { | ||
275 | struct list_head list; | ||
276 | |||
277 | const char name[ARPT_FUNCTION_MAXNAMELEN]; | ||
278 | |||
279 | /* Returns verdict. */ | ||
280 | unsigned int (*target)(struct sk_buff **pskb, | ||
281 | unsigned int hooknum, | ||
282 | const struct net_device *in, | ||
283 | const struct net_device *out, | ||
284 | const void *targinfo, | ||
285 | void *userdata); | ||
286 | |||
287 | /* Called when user tries to insert an entry of this type: | ||
288 | hook_mask is a bitmask of hooks from which it can be | ||
289 | called. */ | ||
290 | /* Should return true or false. */ | ||
291 | int (*checkentry)(const char *tablename, | ||
292 | const struct arpt_entry *e, | ||
293 | void *targinfo, | ||
294 | unsigned int targinfosize, | ||
295 | unsigned int hook_mask); | ||
296 | |||
297 | /* Called when entry of this type deleted. */ | ||
298 | void (*destroy)(void *targinfo, unsigned int targinfosize); | ||
299 | |||
300 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
301 | struct module *me; | ||
302 | }; | ||
303 | |||
304 | extern int arpt_register_target(struct arpt_target *target); | ||
305 | extern void arpt_unregister_target(struct arpt_target *target); | ||
306 | |||
307 | /* Furniture shopping... */ | ||
308 | struct arpt_table | ||
309 | { | ||
310 | struct list_head list; | ||
311 | |||
312 | /* A unique name... */ | ||
313 | char name[ARPT_TABLE_MAXNAMELEN]; | ||
314 | |||
315 | /* What hooks you will enter on */ | ||
316 | unsigned int valid_hooks; | ||
317 | |||
318 | /* Lock for the curtain */ | ||
319 | rwlock_t lock; | ||
320 | |||
321 | /* Man behind the curtain... */ | ||
322 | struct arpt_table_info *private; | ||
323 | |||
324 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
325 | struct module *me; | ||
326 | }; | ||
327 | |||
328 | extern int arpt_register_table(struct arpt_table *table, | ||
329 | const struct arpt_replace *repl); | ||
330 | extern void arpt_unregister_table(struct arpt_table *table); | ||
331 | extern unsigned int arpt_do_table(struct sk_buff **pskb, | ||
332 | unsigned int hook, | ||
333 | const struct net_device *in, | ||
334 | const struct net_device *out, | ||
335 | struct arpt_table *table, | ||
336 | void *userdata); | ||
337 | |||
338 | #define ARPT_ALIGN(s) (((s) + (__alignof__(struct arpt_entry)-1)) & ~(__alignof__(struct arpt_entry)-1)) | ||
339 | #endif /*__KERNEL__*/ | ||
340 | #endif /* _ARPTABLES_H */ | ||
diff --git a/include/linux/netfilter_arp/arpt_mangle.h b/include/linux/netfilter_arp/arpt_mangle.h new file mode 100644 index 00000000000..250f502902b --- /dev/null +++ b/include/linux/netfilter_arp/arpt_mangle.h | |||
@@ -0,0 +1,26 @@ | |||
1 | #ifndef _ARPT_MANGLE_H | ||
2 | #define _ARPT_MANGLE_H | ||
3 | #include <linux/netfilter_arp/arp_tables.h> | ||
4 | |||
5 | #define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr) | ||
6 | struct arpt_mangle | ||
7 | { | ||
8 | char src_devaddr[ARPT_DEV_ADDR_LEN_MAX]; | ||
9 | char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX]; | ||
10 | union { | ||
11 | struct in_addr src_ip; | ||
12 | } u_s; | ||
13 | union { | ||
14 | struct in_addr tgt_ip; | ||
15 | } u_t; | ||
16 | u_int8_t flags; | ||
17 | int target; | ||
18 | }; | ||
19 | |||
20 | #define ARPT_MANGLE_SDEV 0x01 | ||
21 | #define ARPT_MANGLE_TDEV 0x02 | ||
22 | #define ARPT_MANGLE_SIP 0x04 | ||
23 | #define ARPT_MANGLE_TIP 0x08 | ||
24 | #define ARPT_MANGLE_MASK 0x0f | ||
25 | |||
26 | #endif /* _ARPT_MANGLE_H */ | ||