1 /*
2 * Format of an ARP firewall descriptor
3 *
4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
5 * network byte order.
6 * flags are stored in host byte order (of course).
7 */
8
9 #ifndef _ARPTABLES_H
10 #define _ARPTABLES_H
11
12 #ifdef __KERNEL__
13 #include <linux/if.h>
14 #include <linux/types.h>
15 #include <linux/in.h>
16 #include <linux/if_arp.h>
17 #include <linux/skbuff.h>
18 #endif
19
20 #include <linux/netfilter_arp.h>
21
22 #define ARPT_FUNCTION_MAXNAMELEN 30
23 #define ARPT_TABLE_MAXNAMELEN 32
24
25 #define ARPT_DEV_ADDR_LEN_MAX 16
26
27 struct arpt_devaddr_info {
28 char addr[ARPT_DEV_ADDR_LEN_MAX];
29 char mask[ARPT_DEV_ADDR_LEN_MAX];
30 };
31
32 /* Yes, Virginia, you have to zero the padding. */
33 struct arpt_arp {
34 /* Source and target IP addr */
35 struct in_addr src, tgt;
36 /* Mask for src and target IP addr */
37 struct in_addr smsk, tmsk;
38
39 /* Device hw address length, src+target device addresses */
40 u_int8_t arhln, arhln_mask;
41 struct arpt_devaddr_info src_devaddr;
42 struct arpt_devaddr_info tgt_devaddr;
43
44 /* ARP operation code. */
45 u_int16_t arpop, arpop_mask;
46
47 /* ARP hardware address and protocol address format. */
48 u_int16_t arhrd, arhrd_mask;
49 u_int16_t arpro, arpro_mask;
50
51 /* The protocol address length is only accepted if it is 4
52 * so there is no use in offering a way to do filtering on it.
53 */
54
55 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
56 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
57
58 /* Flags word */
59 u_int8_t flags;
60 /* Inverse flags */
61 u_int16_t invflags;
62 };
63
64 struct arpt_entry_target
65 {
66 union {
67 struct {
68 u_int16_t target_size;
69
70 /* Used by userspace */
71 char name[ARPT_FUNCTION_MAXNAMELEN];
72 } user;
73 struct {
74 u_int16_t target_size;
75
76 /* Used inside the kernel */
77 struct arpt_target *target;
78 } kernel;
79
80 /* Total length */
81 u_int16_t target_size;
82 } u;
83
84 unsigned char data[0];
85 };
86
87 struct arpt_standard_target
88 {
89 struct arpt_entry_target target;
90 int verdict;
91 };
92
93 struct arpt_counters
94 {
95 u_int64_t pcnt, bcnt; /* Packet and byte counters */
96 };
97
98 /* Values for "flag" field in struct arpt_ip (general arp structure).
99 * No flags defined yet.
100 */
101 #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
102
103 /* Values for "inv" field in struct arpt_arp. */
104 #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
105 #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
106 #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
107 #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
108 #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
109 #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
110 #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
111 #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
112 #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
113 #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
114 #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
115
116 /* This structure defines each of the firewall rules. Consists of 3
117 parts which are 1) general ARP header stuff 2) match specific
118 stuff 3) the target to perform if the rule matches */
119 struct arpt_entry
120 {
121 struct arpt_arp arp;
122
123 /* Size of arpt_entry + matches */
124 u_int16_t target_offset;
125 /* Size of arpt_entry + matches + target */
126 u_int16_t next_offset;
127
128 /* Back pointer */
129 unsigned int comefrom;
130
131 /* Packet and byte counters. */
132 struct arpt_counters counters;
133
134 /* The matches (if any), then the target. */
135 unsigned char elems[0];
136 };
137
138 /*
139 * New IP firewall options for [gs]etsockopt at the RAW IP level.
140 * Unlike BSD Linux inherits IP options so you don't have to use a raw
141 * socket for this. Instead we check rights in the calls.
142 */
143 #define ARPT_BASE_CTL 96 /* base for firewall socket options */
144
145 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
146 #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
147 #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
148
149 #define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
150 #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
151 #define ARPT_SO_GET_MAX ARPT_SO_GET_ENTRIES
152
153 /* CONTINUE verdict for targets */
154 #define ARPT_CONTINUE 0xFFFFFFFF
155
156 /* For standard target */
157 #define ARPT_RETURN (-NF_MAX_VERDICT - 1)
158
159 /* The argument to ARPT_SO_GET_INFO */
160 struct arpt_getinfo
161 {
162 /* Which table: caller fills this in. */
163 char name[ARPT_TABLE_MAXNAMELEN];
164
165 /* Kernel fills these in. */
166 /* Which hook entry points are valid: bitmask */
167 unsigned int valid_hooks;
168
169 /* Hook entry points: one per netfilter hook. */
170 unsigned int hook_entry[NF_ARP_NUMHOOKS];
171
172 /* Underflow points. */
173 unsigned int underflow[NF_ARP_NUMHOOKS];
174
175 /* Number of entries */
176 unsigned int num_entries;
177
178 /* Size of entries. */
179 unsigned int size;
180 };
181
182 /* The argument to ARPT_SO_SET_REPLACE. */
183 struct arpt_replace
184 {
185 /* Which table. */
186 char name[ARPT_TABLE_MAXNAMELEN];
187
188 /* Which hook entry points are valid: bitmask. You can't
189 change this. */
190 unsigned int valid_hooks;
191
192 /* Number of entries */
193 unsigned int num_entries;
194
195 /* Total size of new entries */
196 unsigned int size;
197
198 /* Hook entry points. */
199 unsigned int hook_entry[NF_ARP_NUMHOOKS];
200
201 /* Underflow points. */
202 unsigned int underflow[NF_ARP_NUMHOOKS];
203
204 /* Information about old entries: */
205 /* Number of counters (must be equal to current number of entries). */
206 unsigned int num_counters;
207 /* The old entries' counters. */
208 struct arpt_counters *counters;
209
210 /* The entries (hang off end: not really an array). */
211 struct arpt_entry entries[0];
212 };
213
214 /* The argument to ARPT_SO_ADD_COUNTERS. */
215 struct arpt_counters_info
216 {
217 /* Which table. */
218 char name[ARPT_TABLE_MAXNAMELEN];
219
220 unsigned int num_counters;
221
222 /* The counters (actually `number' of these). */
223 struct arpt_counters counters[0];
224 };
225
226 /* The argument to ARPT_SO_GET_ENTRIES. */
227 struct arpt_get_entries
228 {
229 /* Which table: user fills this in. */
230 char name[ARPT_TABLE_MAXNAMELEN];
231
232 /* User fills this in: total entry size. */
233 unsigned int size;
234
235 /* The entries. */
236 struct arpt_entry entrytable[0];
237 };
238
239 /* Standard return verdict, or do jump. */
240 #define ARPT_STANDARD_TARGET ""
241 /* Error verdict. */
242 #define ARPT_ERROR_TARGET "ERROR"
243
244 /* Helper functions */
arpt_get_target(struct arpt_entry * e)245 static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
246 {
247 return (void *)e + e->target_offset;
248 }
249
250 /* fn returns 0 to continue iteration */
251 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
252 ({ \
253 unsigned int __i; \
254 int __ret = 0; \
255 struct arpt_entry *__entry; \
256 \
257 for (__i = 0; __i < (size); __i += __entry->next_offset) { \
258 __entry = (void *)(entries) + __i; \
259 \
260 __ret = fn(__entry , ## args); \
261 if (__ret != 0) \
262 break; \
263 } \
264 __ret; \
265 })
266
267 /*
268 * Main firewall chains definitions and global var's definitions.
269 */
270 #ifdef __KERNEL__
271
272 /* Registration hooks for targets. */
273 struct arpt_target
274 {
275 struct list_head list;
276
277 const char name[ARPT_FUNCTION_MAXNAMELEN];
278
279 /* Returns verdict. */
280 unsigned int (*target)(struct sk_buff **pskb,
281 unsigned int hooknum,
282 const struct net_device *in,
283 const struct net_device *out,
284 const void *targinfo,
285 void *userdata);
286
287 /* Called when user tries to insert an entry of this type:
288 hook_mask is a bitmask of hooks from which it can be
289 called. */
290 /* Should return true or false. */
291 int (*checkentry)(const char *tablename,
292 const struct arpt_entry *e,
293 void *targinfo,
294 unsigned int targinfosize,
295 unsigned int hook_mask);
296
297 /* Called when entry of this type deleted. */
298 void (*destroy)(void *targinfo, unsigned int targinfosize);
299
300 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
301 struct module *me;
302 };
303
304 extern int arpt_register_target(struct arpt_target *target);
305 extern void arpt_unregister_target(struct arpt_target *target);
306
307 /* Furniture shopping... */
308 struct arpt_table
309 {
310 struct list_head list;
311
312 /* A unique name... */
313 char name[ARPT_TABLE_MAXNAMELEN];
314
315 /* Seed table: copied in register_table */
316 struct arpt_replace *table;
317
318 /* What hooks you will enter on */
319 unsigned int valid_hooks;
320
321 /* Lock for the curtain */
322 rwlock_t lock;
323
324 /* Man behind the curtain... */
325 struct arpt_table_info *private;
326
327 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
328 struct module *me;
329 };
330
331 extern int arpt_register_table(struct arpt_table *table);
332 extern void arpt_unregister_table(struct arpt_table *table);
333 extern unsigned int arpt_do_table(struct sk_buff **pskb,
334 unsigned int hook,
335 const struct net_device *in,
336 const struct net_device *out,
337 struct arpt_table *table,
338 void *userdata);
339
340 #define ARPT_ALIGN(s) (((s) + (__alignof__(struct arpt_entry)-1)) & ~(__alignof__(struct arpt_entry)-1))
341 #endif /*__KERNEL__*/
342 #endif /* _ARPTABLES_H */
343