Dr Andrew Scott G7VAV
MBCS, MIET, Member ACM, Member IEEE
My photo
Senior Lecturer
School of Computing
    and Communications

D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
 
June 2025
Mo Tu We Th Fr Sa Su
26 27 28 29 30 31 1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 1 2 3 4 5 6
arp_tables.h
001: /*
002:  *      Format of an ARP firewall descriptor
003:  *
004:  *      src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
005:  *      network byte order.
006:  *      flags are stored in host byte order (of course).
007:  */
008: 
009: #ifndef _ARPTABLES_H
010: #define _ARPTABLES_H
011: 
012: #include <linux/types.h>
013: 
014: #include <linux/netfilter_arp.h>
015: 
016: #include <linux/netfilter/x_tables.h>
017: 
018: #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
019: #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
020: #define arpt_entry_target xt_entry_target
021: #define arpt_standard_target xt_standard_target
022: #define arpt_error_target xt_error_target
023: #define ARPT_CONTINUE XT_CONTINUE
024: #define ARPT_RETURN XT_RETURN
025: #define arpt_counters_info xt_counters_info
026: #define arpt_counters xt_counters
027: #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
028: #define ARPT_ERROR_TARGET XT_ERROR_TARGET
029: #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
030:         XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
031: 
032: #define ARPT_DEV_ADDR_LEN_MAX 16
033: 
034: struct arpt_devaddr_info {
035:         char addr[ARPT_DEV_ADDR_LEN_MAX];
036:         char mask[ARPT_DEV_ADDR_LEN_MAX];
037: };
038: 
039: /* Yes, Virginia, you have to zero the padding. */
040: struct arpt_arp {
041:         /* Source and target IP addr */
042:         struct in_addr src, tgt;
043:         /* Mask for src and target IP addr */
044:         struct in_addr smsk, tmsk;
045: 
046:         /* Device hw address length, src+target device addresses */
047:         __u8 arhln, arhln_mask;
048:         struct arpt_devaddr_info src_devaddr;
049:         struct arpt_devaddr_info tgt_devaddr;
050: 
051:         /* ARP operation code. */
052:         __be16 arpop, arpop_mask;
053: 
054:         /* ARP hardware address and protocol address format. */
055:         __be16 arhrd, arhrd_mask;
056:         __be16 arpro, arpro_mask;
057: 
058:         /* The protocol address length is only accepted if it is 4
059:          * so there is no use in offering a way to do filtering on it.
060:          */
061: 
062:         char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
063:         unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
064: 
065:         /* Flags word */
066:         __u8 flags;
067:         /* Inverse flags */
068:         __u16 invflags;
069: };
070: 
071: /* Values for "flag" field in struct arpt_ip (general arp structure).
072:  * No flags defined yet.
073:  */
074: #define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
075: 
076: /* Values for "inv" field in struct arpt_arp. */
077: #define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
078: #define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
079: #define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
080: #define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
081: #define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
082: #define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
083: #define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
084: #define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
085: #define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
086: #define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
087: #define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
088: 
089: /* This structure defines each of the firewall rules.  Consists of 3
090:    parts which are 1) general ARP header stuff 2) match specific
091:    stuff 3) the target to perform if the rule matches */
092: struct arpt_entry
093: {
094:         struct arpt_arp arp;
095: 
096:         /* Size of arpt_entry + matches */
097:         __u16 target_offset;
098:         /* Size of arpt_entry + matches + target */
099:         __u16 next_offset;
100: 
101:         /* Back pointer */
102:         unsigned int comefrom;
103: 
104:         /* Packet and byte counters. */
105:         struct xt_counters counters;
106: 
107:         /* The matches (if any), then the target. */
108:         unsigned char elems[0];
109: };
110: 
111: /*
112:  * New IP firewall options for [gs]etsockopt at the RAW IP level.
113:  * Unlike BSD Linux inherits IP options so you don't have to use a raw
114:  * socket for this. Instead we check rights in the calls.
115:  *
116:  * ATTENTION: check linux/in.h before adding new number here.
117:  */
118: #define ARPT_BASE_CTL           96
119: 
120: #define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
121: #define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
122: #define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
123: 
124: #define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
125: #define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
126: /* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
127: #define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
128: #define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
129: 
130: /* The argument to ARPT_SO_GET_INFO */
131: struct arpt_getinfo {
132:         /* Which table: caller fills this in. */
133:         char name[XT_TABLE_MAXNAMELEN];
134: 
135:         /* Kernel fills these in. */
136:         /* Which hook entry points are valid: bitmask */
137:         unsigned int valid_hooks;
138: 
139:         /* Hook entry points: one per netfilter hook. */
140:         unsigned int hook_entry[NF_ARP_NUMHOOKS];
141: 
142:         /* Underflow points. */
143:         unsigned int underflow[NF_ARP_NUMHOOKS];
144: 
145:         /* Number of entries */
146:         unsigned int num_entries;
147: 
148:         /* Size of entries. */
149:         unsigned int size;
150: };
151: 
152: /* The argument to ARPT_SO_SET_REPLACE. */
153: struct arpt_replace {
154:         /* Which table. */
155:         char name[XT_TABLE_MAXNAMELEN];
156: 
157:         /* Which hook entry points are valid: bitmask.  You can't
158:            change this. */
159:         unsigned int valid_hooks;
160: 
161:         /* Number of entries */
162:         unsigned int num_entries;
163: 
164:         /* Total size of new entries */
165:         unsigned int size;
166: 
167:         /* Hook entry points. */
168:         unsigned int hook_entry[NF_ARP_NUMHOOKS];
169: 
170:         /* Underflow points. */
171:         unsigned int underflow[NF_ARP_NUMHOOKS];
172: 
173:         /* Information about old entries: */
174:         /* Number of counters (must be equal to current number of entries). */
175:         unsigned int num_counters;
176:         /* The old entries' counters. */
177:         struct xt_counters *counters;
178: 
179:         /* The entries (hang off end: not really an array). */
180:         struct arpt_entry entries[0];
181: };
182: 
183: /* The argument to ARPT_SO_GET_ENTRIES. */
184: struct arpt_get_entries {
185:         /* Which table: user fills this in. */
186:         char name[XT_TABLE_MAXNAMELEN];
187: 
188:         /* User fills this in: total entry size. */
189:         unsigned int size;
190: 
191:         /* The entries. */
192:         struct arpt_entry entrytable[0];
193: };
194: 
195: /* Helper functions */
196: static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
197: {
198:         return (void *)e + e->target_offset;
199: }
200: 
201: /*
202:  *      Main firewall chains definitions and global var's definitions.
203:  */
204: #endif /* _ARPTABLES_H */
205:
for client (none)
© Andrew Scott 2006 - 2025,
All Rights Reserved
http://www.andrew-scott.uk/
Andrew Scott
http://www.andrew-scott.co.uk/