2 * Format of an ARP firewall descriptor
4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
6 * flags are stored in host byte order (of course).
9 #ifndef _UAPI_ARPTABLES_H
10 #define _UAPI_ARPTABLES_H
12 #include <linux/types.h>
13 #include <linux/compiler.h>
15 #include <linux/netfilter_arp.h>
17 #include <linux/netfilter/x_tables.h>
20 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
21 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
22 #define arpt_entry_target xt_entry_target
23 #define arpt_standard_target xt_standard_target
24 #define arpt_error_target xt_error_target
25 #define ARPT_CONTINUE XT_CONTINUE
26 #define ARPT_RETURN XT_RETURN
27 #define arpt_counters_info xt_counters_info
28 #define arpt_counters xt_counters
29 #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
30 #define ARPT_ERROR_TARGET XT_ERROR_TARGET
31 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
32 XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
35 #define ARPT_DEV_ADDR_LEN_MAX 16
37 struct arpt_devaddr_info {
38 char addr[ARPT_DEV_ADDR_LEN_MAX];
39 char mask[ARPT_DEV_ADDR_LEN_MAX];
42 /* Yes, Virginia, you have to zero the padding. */
44 /* Source and target IP addr */
45 struct in_addr src, tgt;
46 /* Mask for src and target IP addr */
47 struct in_addr smsk, tmsk;
49 /* Device hw address length, src+target device addresses */
50 __u8 arhln, arhln_mask;
51 struct arpt_devaddr_info src_devaddr;
52 struct arpt_devaddr_info tgt_devaddr;
54 /* ARP operation code. */
55 __be16 arpop, arpop_mask;
57 /* ARP hardware address and protocol address format. */
58 __be16 arhrd, arhrd_mask;
59 __be16 arpro, arpro_mask;
61 /* The protocol address length is only accepted if it is 4
62 * so there is no use in offering a way to do filtering on it.
65 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
66 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
74 /* Values for "flag" field in struct arpt_ip (general arp structure).
75 * No flags defined yet.
77 #define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
79 /* Values for "inv" field in struct arpt_arp. */
80 #define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
81 #define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
82 #define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
83 #define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
84 #define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
85 #define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
86 #define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
87 #define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
88 #define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
89 #define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
90 #define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
92 /* This structure defines each of the firewall rules. Consists of 3
93 parts which are 1) general ARP header stuff 2) match specific
94 stuff 3) the target to perform if the rule matches */
99 /* Size of arpt_entry + matches */
101 /* Size of arpt_entry + matches + target */
105 unsigned int comefrom;
107 /* Packet and byte counters. */
108 struct xt_counters counters;
110 /* The matches (if any), then the target. */
111 unsigned char elems[0];
115 * New IP firewall options for [gs]etsockopt at the RAW IP level.
116 * Unlike BSD Linux inherits IP options so you don't have to use a raw
117 * socket for this. Instead we check rights in the calls.
119 * ATTENTION: check linux/in.h before adding new number here.
121 #define ARPT_BASE_CTL 96
123 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
124 #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
125 #define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
127 #define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
128 #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
129 /* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
130 #define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
131 #define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
133 /* The argument to ARPT_SO_GET_INFO */
134 struct arpt_getinfo {
135 /* Which table: caller fills this in. */
136 char name[XT_TABLE_MAXNAMELEN];
138 /* Kernel fills these in. */
139 /* Which hook entry points are valid: bitmask */
140 unsigned int valid_hooks;
142 /* Hook entry points: one per netfilter hook. */
143 unsigned int hook_entry[NF_ARP_NUMHOOKS];
145 /* Underflow points. */
146 unsigned int underflow[NF_ARP_NUMHOOKS];
148 /* Number of entries */
149 unsigned int num_entries;
151 /* Size of entries. */
155 /* The argument to ARPT_SO_SET_REPLACE. */
156 struct arpt_replace {
158 char name[XT_TABLE_MAXNAMELEN];
160 /* Which hook entry points are valid: bitmask. You can't
162 unsigned int valid_hooks;
164 /* Number of entries */
165 unsigned int num_entries;
167 /* Total size of new entries */
170 /* Hook entry points. */
171 unsigned int hook_entry[NF_ARP_NUMHOOKS];
173 /* Underflow points. */
174 unsigned int underflow[NF_ARP_NUMHOOKS];
176 /* Information about old entries: */
177 /* Number of counters (must be equal to current number of entries). */
178 unsigned int num_counters;
179 /* The old entries' counters. */
180 struct xt_counters __user *counters;
182 /* The entries (hang off end: not really an array). */
183 struct arpt_entry entries[0];
186 /* The argument to ARPT_SO_GET_ENTRIES. */
187 struct arpt_get_entries {
188 /* Which table: user fills this in. */
189 char name[XT_TABLE_MAXNAMELEN];
191 /* User fills this in: total entry size. */
195 struct arpt_entry entrytable[0];
198 /* Helper functions */
199 static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
201 return (void *)e + e->target_offset;
205 * Main firewall chains definitions and global var's definitions.
207 #endif /* _UAPI_ARPTABLES_H */