UAPI: (Scripted) Disintegrate include/linux/netfilter_arp

Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
author: David Howells <dhowells@redhat.com> 2012-10-09 04:48:56 -0400
committer: David Howells <dhowells@redhat.com> 2012-10-09 04:48:56 -0400
commit: 8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (patch)
tree: 7b2b6598a0ddc7dbe6ebcc89f900366e5a748541 /include/uapi
parent: a82014149becc68695e7f1d62a8cc1e4ae062318 (diff)
3 files changed, 234 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild
index aafaa5aa54d4..62d5637cc0ac 100644
--- a/include/uapi/linux/netfilter_arp/Kbuild
+++ b/include/uapi/linux/netfilter_arp/Kbuild
@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += arp_tables.h
+header-y += arpt_mangle.h
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
new file mode 100644
index 000000000000..a5a86a4db6b3
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -0,0 +1,206 @@
+/*
+ *      Format of an ARP firewall descriptor
+ *
+ *      src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
+ *      network byte order.
+ *      flags are stored in host byte order (of course).
+ */
+#ifndef _UAPI_ARPTABLES_H
+#define _UAPI_ARPTABLES_H
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_arp.h>
+#include <linux/netfilter/x_tables.h>
+#ifndef __KERNEL__
+#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_entry_target xt_entry_target
+#define arpt_standard_target xt_standard_target
+#define arpt_error_target xt_error_target
+#define ARPT_CONTINUE XT_CONTINUE
+#define ARPT_RETURN XT_RETURN
+#define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
+#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
+#define ARPT_DEV_ADDR_LEN_MAX 16
+struct arpt_devaddr_info {
+        char addr[ARPT_DEV_ADDR_LEN_MAX];
+        char mask[ARPT_DEV_ADDR_LEN_MAX];
+};
+/* Yes, Virginia, you have to zero the padding. */
+struct arpt_arp {
+        /* Source and target IP addr */
+        struct in_addr src, tgt;
+        /* Mask for src and target IP addr */
+        struct in_addr smsk, tmsk;
+        /* Device hw address length, src+target device addresses */
+        __u8 arhln, arhln_mask;
+        struct arpt_devaddr_info src_devaddr;
+        struct arpt_devaddr_info tgt_devaddr;
+        /* ARP operation code. */
+        __be16 arpop, arpop_mask;
+        /* ARP hardware address and protocol address format. */
+        __be16 arhrd, arhrd_mask;
+        __be16 arpro, arpro_mask;
+        /* The protocol address length is only accepted if it is 4
+         * so there is no use in offering a way to do filtering on it.
+         */
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u16 invflags;
+};
+/* Values for "flag" field in struct arpt_ip (general arp structure).
+ * No flags defined yet.
+ */
+#define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
+/* Values for "inv" field in struct arpt_arp. */
+#define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
+#define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
+#define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
+#define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
+#define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
+#define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
+#define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
+#define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
+#define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
+#define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
+#define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general ARP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct arpt_entry
+{
+        struct arpt_arp arp;
+        /* Size of arpt_entry + matches */
+        __u16 target_offset;
+        /* Size of arpt_entry + matches + target */
+        __u16 next_offset;
+        /* Back pointer */
+        unsigned int comefrom;
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define ARPT_BASE_CTL           96
+#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
+#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
+#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
+#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
+/* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
+#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
+#define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
+/* The argument to ARPT_SO_GET_INFO */
+struct arpt_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Size of entries. */
+        unsigned int size;
+};
+/* The argument to ARPT_SO_SET_REPLACE. */
+struct arpt_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Total size of new entries */
+        unsigned int size;
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+        /* The entries (hang off end: not really an array). */
+        struct arpt_entry entries[0];
+};
+/* The argument to ARPT_SO_GET_ENTRIES. */
+struct arpt_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* User fills this in: total entry size. */
+        unsigned int size;
+        /* The entries. */
+        struct arpt_entry entrytable[0];
+};
+/* Helper functions */
+static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_ARPTABLES_H */
diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h
new file mode 100644
index 000000000000..250f502902bb
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h
@@ -0,0 +1,26 @@
+#ifndef _ARPT_MANGLE_H
+#define _ARPT_MANGLE_H
+#include <linux/netfilter_arp/arp_tables.h>
+#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr)
+struct arpt_mangle
+{
+        char src_devaddr[ARPT_DEV_ADDR_LEN_MAX];
+        char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX];
+        union {
+                struct in_addr src_ip;
+        } u_s;
+        union {
+                struct in_addr tgt_ip;
+        } u_t;
+        u_int8_t flags;
+        int target;
+};
+#define ARPT_MANGLE_SDEV 0x01
+#define ARPT_MANGLE_TDEV 0x02
+#define ARPT_MANGLE_SIP 0x04
+#define ARPT_MANGLE_TIP 0x08
+#define ARPT_MANGLE_MASK 0x0f
+#endif /* _ARPT_MANGLE_H */
author	David Howells <dhowells@redhat.com>	2012-10-09 04:48:56 -0400
committer	David Howells <dhowells@redhat.com>	2012-10-09 04:48:56 -0400
commit	8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (patch)
tree	7b2b6598a0ddc7dbe6ebcc89f900366e5a748541 /include/uapi
parent	a82014149becc68695e7f1d62a8cc1e4ae062318 (diff)

diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild index aafaa5aa54d4..62d5637cc0ac 100644 --- a/include/uapi/linux/netfilter_arp/Kbuild +++ b/include/uapi/linux/netfilter_arp/Kbuild
@@ -1 +1,3 @@
1	# UAPI Header export list	1	# UAPI Header export list
		2	header-y += arp_tables.h
		3	header-y += arpt_mangle.h


diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h new file mode 100644 index 000000000000..a5a86a4db6b3 --- /dev/null +++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -0,0 +1,206 @@
		1	/*
		2	* Format of an ARP firewall descriptor
		3	*
		4	* src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
		5	* network byte order.
		6	* flags are stored in host byte order (of course).
		7	*/
		8
		9	#ifndef _UAPI_ARPTABLES_H
		10	#define _UAPI_ARPTABLES_H
		11
		12	#include <linux/types.h>
		13	#include <linux/compiler.h>
		14	#include <linux/netfilter_arp.h>
		15
		16	#include <linux/netfilter/x_tables.h>
		17
		18	#ifndef __KERNEL__
		19	#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
		20	#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
		21	#define arpt_entry_target xt_entry_target
		22	#define arpt_standard_target xt_standard_target
		23	#define arpt_error_target xt_error_target
		24	#define ARPT_CONTINUE XT_CONTINUE
		25	#define ARPT_RETURN XT_RETURN
		26	#define arpt_counters_info xt_counters_info
		27	#define arpt_counters xt_counters
		28	#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
		29	#define ARPT_ERROR_TARGET XT_ERROR_TARGET
		30	#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
		31	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
		32	#endif
		33
		34	#define ARPT_DEV_ADDR_LEN_MAX 16
		35
		36	struct arpt_devaddr_info {
		37	char addr[ARPT_DEV_ADDR_LEN_MAX];
		38	char mask[ARPT_DEV_ADDR_LEN_MAX];
		39	};
		40
		41	/* Yes, Virginia, you have to zero the padding. */
		42	struct arpt_arp {
		43	/* Source and target IP addr */
		44	struct in_addr src, tgt;
		45	/* Mask for src and target IP addr */
		46	struct in_addr smsk, tmsk;
		47
		48	/* Device hw address length, src+target device addresses */
		49	__u8 arhln, arhln_mask;
		50	struct arpt_devaddr_info src_devaddr;
		51	struct arpt_devaddr_info tgt_devaddr;
		52
		53	/* ARP operation code. */
		54	__be16 arpop, arpop_mask;
		55
		56	/* ARP hardware address and protocol address format. */
		57	__be16 arhrd, arhrd_mask;
		58	__be16 arpro, arpro_mask;
		59
		60	/* The protocol address length is only accepted if it is 4
		61	* so there is no use in offering a way to do filtering on it.
		62	*/
		63
		64	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
		65	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
		66
		67	/* Flags word */
		68	__u8 flags;
		69	/* Inverse flags */
		70	__u16 invflags;
		71	};
		72
		73	/* Values for "flag" field in struct arpt_ip (general arp structure).
		74	* No flags defined yet.
		75	*/
		76	#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
		77
		78	/* Values for "inv" field in struct arpt_arp. */
		79	#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
		80	#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
		81	#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
		82	#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
		83	#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
		84	#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
		85	#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
		86	#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
		87	#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
		88	#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
		89	#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
		90
		91	/* This structure defines each of the firewall rules. Consists of 3
		92	parts which are 1) general ARP header stuff 2) match specific
		93	stuff 3) the target to perform if the rule matches */
		94	struct arpt_entry
		95	{
		96	struct arpt_arp arp;
		97
		98	/* Size of arpt_entry + matches */
		99	__u16 target_offset;
		100	/* Size of arpt_entry + matches + target */
		101	__u16 next_offset;
		102
		103	/* Back pointer */
		104	unsigned int comefrom;
		105
		106	/* Packet and byte counters. */
		107	struct xt_counters counters;
		108
		109	/* The matches (if any), then the target. */
		110	unsigned char elems[0];
		111	};
		112
		113	/*
		114	* New IP firewall options for [gs]etsockopt at the RAW IP level.
		115	* Unlike BSD Linux inherits IP options so you don't have to use a raw
		116	* socket for this. Instead we check rights in the calls.
		117	*
		118	* ATTENTION: check linux/in.h before adding new number here.
		119	*/
		120	#define ARPT_BASE_CTL 96
		121
		122	#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
		123	#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
		124	#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
		125
		126	#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
		127	#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
		128	/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
		129	#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
		130	#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
		131
		132	/* The argument to ARPT_SO_GET_INFO */
		133	struct arpt_getinfo {
		134	/* Which table: caller fills this in. */
		135	char name[XT_TABLE_MAXNAMELEN];
		136
		137	/* Kernel fills these in. */
		138	/* Which hook entry points are valid: bitmask */
		139	unsigned int valid_hooks;
		140
		141	/* Hook entry points: one per netfilter hook. */
		142	unsigned int hook_entry[NF_ARP_NUMHOOKS];
		143
		144	/* Underflow points. */
		145	unsigned int underflow[NF_ARP_NUMHOOKS];
		146
		147	/* Number of entries */
		148	unsigned int num_entries;
		149
		150	/* Size of entries. */
		151	unsigned int size;
		152	};
		153
		154	/* The argument to ARPT_SO_SET_REPLACE. */
		155	struct arpt_replace {
		156	/* Which table. */
		157	char name[XT_TABLE_MAXNAMELEN];
		158
		159	/* Which hook entry points are valid: bitmask. You can't
		160	change this. */
		161	unsigned int valid_hooks;
		162
		163	/* Number of entries */
		164	unsigned int num_entries;
		165
		166	/* Total size of new entries */
		167	unsigned int size;
		168
		169	/* Hook entry points. */
		170	unsigned int hook_entry[NF_ARP_NUMHOOKS];
		171
		172	/* Underflow points. */
		173	unsigned int underflow[NF_ARP_NUMHOOKS];
		174
		175	/* Information about old entries: */
		176	/* Number of counters (must be equal to current number of entries). */
		177	unsigned int num_counters;
		178	/* The old entries' counters. */
		179	struct xt_counters __user *counters;
		180
		181	/* The entries (hang off end: not really an array). */
		182	struct arpt_entry entries[0];
		183	};
		184
		185	/* The argument to ARPT_SO_GET_ENTRIES. */
		186	struct arpt_get_entries {
		187	/* Which table: user fills this in. */
		188	char name[XT_TABLE_MAXNAMELEN];
		189
		190	/* User fills this in: total entry size. */
		191	unsigned int size;
		192
		193	/* The entries. */
		194	struct arpt_entry entrytable[0];
		195	};
		196
		197	/* Helper functions */
		198	static __inline__ struct xt_entry_target arpt_get_target(struct arpt_entry e)
		199	{
		200	return (void *)e + e->target_offset;
		201	}
		202
		203	/*
		204	* Main firewall chains definitions and global var's definitions.
		205	*/
		206	#endif /* _UAPI_ARPTABLES_H */


diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h new file mode 100644 index 000000000000..250f502902bb --- /dev/null +++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h
@@ -0,0 +1,26 @@
		1	#ifndef _ARPT_MANGLE_H
		2	#define _ARPT_MANGLE_H
		3	#include <linux/netfilter_arp/arp_tables.h>
		4
		5	#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr)
		6	struct arpt_mangle
		7	{
		8	char src_devaddr[ARPT_DEV_ADDR_LEN_MAX];
		9	char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX];
		10	union {
		11	struct in_addr src_ip;
		12	} u_s;
		13	union {
		14	struct in_addr tgt_ip;
		15	} u_t;
		16	u_int8_t flags;
		17	int target;
		18	};
		19
		20	#define ARPT_MANGLE_SDEV 0x01
		21	#define ARPT_MANGLE_TDEV 0x02
		22	#define ARPT_MANGLE_SIP 0x04
		23	#define ARPT_MANGLE_TIP 0x08
		24	#define ARPT_MANGLE_MASK 0x0f
		25
		26	#endif /* _ARPT_MANGLE_H */