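/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/*
 * Format of an ARP firewall descriptor
 *
 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
 * network byte order.
 * flags are stored in host byte order (of course).
 *
 * The structures below are exchanged between user space and the kernel
 * through [gs]etsockopt (see the ARPT_SO_* numbers), so their layout is
 * ABI: do not reorder or resize fields.
 */

#ifndef _UAPI_ARPTABLES_H
#define _UAPI_ARPTABLES_H

#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/if.h>
#include <linux/netfilter_arp.h>

#include <linux/netfilter/x_tables.h>

/* User-space-only aliases that map the arpt_* names onto the xt_* ones. */
#ifndef __KERNEL__
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_entry_target xt_entry_target
#define arpt_standard_target xt_standard_target
#define arpt_error_target xt_error_target
#define ARPT_CONTINUE XT_CONTINUE
#define ARPT_RETURN XT_RETURN
#define arpt_counters_info xt_counters_info
#define arpt_counters xt_counters
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
#endif

#define ARPT_DEV_ADDR_LEN_MAX 16

/* A hardware (device) address and its mask, each a fixed-size byte buffer. */
struct arpt_devaddr_info {
	char addr[ARPT_DEV_ADDR_LEN_MAX];
	char mask[ARPT_DEV_ADDR_LEN_MAX];
};

/*
 * Yes, Virginia, you have to zero the padding.
 *
 * With natural alignment there is a pad byte between the 8-bit flags and
 * the 16-bit invflags, and there may be tail padding after invflags.
 * Clear the whole structure (e.g. memset to 0) before filling it in, so
 * that no uninitialised bytes cross the user/kernel boundary.
 * NOTE(review): presumably rules are also compared bytewise, which would
 * make stale padding break matching -- confirm against the consumer.
 */
struct arpt_arp {
	/* Source and target IP addr */
	struct in_addr src, tgt;
	/* Mask for src and target IP addr */
	struct in_addr smsk, tmsk;

	/* Device hw address length, src+target device addresses */
	__u8 arhln, arhln_mask;
	struct arpt_devaddr_info src_devaddr;
	struct arpt_devaddr_info tgt_devaddr;

	/* ARP operation code. */
	__be16 arpop, arpop_mask;

	/* ARP hardware address and protocol address format. */
	__be16 arhrd, arhrd_mask;
	__be16 arpro, arpro_mask;

	/* The protocol address length is only accepted if it is 4
	 * so there is no use in offering a way to do filtering on it.
	 */

	/*
	 * Interface names and per-byte masks, IFNAMSIZ bytes each.
	 * NOTE(review): nothing in this header guarantees NUL termination of
	 * iniface/outiface; treat them as bounded buffers -- confirm.
	 */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Flags word */
	__u8 flags;
	/* Inverse flags */
	__u16 invflags;
};

/* Values for the "flags" field in struct arpt_arp (general arp structure).
 * No flags defined yet, so the mask is empty and every set bit in "flags"
 * falls outside it.
 */
#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */

/* Values for the "invflags" field in struct arpt_arp. */
#define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
#define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
#define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
#define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
#define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
#define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
#define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
#define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */

/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general ARP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches */
struct arpt_entry
{
	struct arpt_arp arp;

	/*
	 * Size of arpt_entry + matches.  arpt_get_target() adds this value,
	 * in bytes, to the address of the entry to locate the target.
	 */
	__u16 target_offset;
	/* Size of arpt_entry + matches + target */
	__u16 next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * ATTENTION: check linux/in.h before adding new number here.
 *
 * The SET and GET numbers below start from the same base and therefore
 * overlap numerically.
 */
#define ARPT_BASE_CTL		96

#define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
#define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
#define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS

#define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
/* Slot + 2 is left unused; the define stays commented out. */
/* #define ARPT_SO_GET_REVISION_MATCH	(ARPT_BASE_CTL + 2) */
#define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)

/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo {
	/* Which table: caller fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};

/*
 * The argument to ARPT_SO_SET_REPLACE.
 *
 * Every field here, and every arpt_entry that follows, is supplied by the
 * caller.  A consumer has to check num_entries, size and the per-entry
 * offsets against the length of the buffer it actually received before
 * walking the entries.
 */
struct arpt_replace {
	/* Which table. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_ARP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_ARP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters (a user-space pointer, hence __user). */
	struct xt_counters __user *counters;

	/* The entries (hang off end: not really an array). */
	struct arpt_entry entries[0];
};

/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries {
	/* Which table: user fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	struct arpt_entry entrytable[0];
};

/* Helper functions */

/*
 * Return a pointer to the target of rule @e, i.e. the address of the entry
 * plus e->target_offset bytes.
 *
 * No bounds check is done here: the caller must already have verified that
 * target_offset lies inside the buffer holding @e (and leaves room for a
 * struct xt_entry_target) before dereferencing the result.
 *
 * The arithmetic goes through char * rather than void *, because pointer
 * arithmetic on void * is a GNU extension; the explicit cast on the result
 * also keeps the helper usable from C++ translation units.
 */
static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
{
	return (struct xt_entry_target *)((char *)e + e->target_offset);
}

/*
 *	Main firewall chains definitions and global var's definitions.
 */
#endif /* _UAPI_ARPTABLES_H */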