1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /*
3  * 	Format of an ARP firewall descriptor
4  *
5  * 	src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
6  *	network byte order.
7  * 	flags are stored in host byte order (of course).
8  */
9 
10 #ifndef _UAPI_ARPTABLES_H
11 #define _UAPI_ARPTABLES_H
12 
13 #include <linux/types.h>
14 #include <linux/compiler.h>
15 #include <linux/if.h>
16 #include <linux/netfilter_arp.h>
17 
18 #include <linux/netfilter/x_tables.h>
19 
20 #ifndef __KERNEL__
21 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
22 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
23 #define arpt_entry_target xt_entry_target
24 #define arpt_standard_target xt_standard_target
25 #define arpt_error_target xt_error_target
26 #define ARPT_CONTINUE XT_CONTINUE
27 #define ARPT_RETURN XT_RETURN
28 #define arpt_counters_info xt_counters_info
29 #define arpt_counters xt_counters
30 #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
31 #define ARPT_ERROR_TARGET XT_ERROR_TARGET
32 #define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
33 	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
34 #endif
35 
36 #define ARPT_DEV_ADDR_LEN_MAX 16
37 
38 struct arpt_devaddr_info {
39 	char addr[ARPT_DEV_ADDR_LEN_MAX];
40 	char mask[ARPT_DEV_ADDR_LEN_MAX];
41 };
42 
43 /* Yes, Virginia, you have to zero the padding. */
44 struct arpt_arp {
45 	/* Source and target IP addr */
46 	struct in_addr src, tgt;
47 	/* Mask for src and target IP addr */
48 	struct in_addr smsk, tmsk;
49 
50 	/* Device hw address length, src+target device addresses */
51 	__u8 arhln, arhln_mask;
52 	struct arpt_devaddr_info src_devaddr;
53 	struct arpt_devaddr_info tgt_devaddr;
54 
55 	/* ARP operation code. */
56 	__be16 arpop, arpop_mask;
57 
58 	/* ARP hardware address and protocol address format. */
59 	__be16 arhrd, arhrd_mask;
60 	__be16 arpro, arpro_mask;
61 
62 	/* The protocol address length is only accepted if it is 4
63 	 * so there is no use in offering a way to do filtering on it.
64 	 */
65 
66 	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
67 	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
68 
69 	/* Flags word */
70 	__u8 flags;
71 	/* Inverse flags */
72 	__u16 invflags;
73 };
74 
75 /* Values for "flag" field in struct arpt_ip (general arp structure).
76  * No flags defined yet.
77  */
78 #define ARPT_F_MASK		0x00	/* All possible flag bits mask. */
79 
80 /* Values for "inv" field in struct arpt_arp. */
81 #define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
82 #define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
83 #define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
84 #define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
85 #define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
86 #define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
87 #define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
88 #define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
89 #define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
90 #define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
91 #define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */
92 
93 /* This structure defines each of the firewall rules.  Consists of 3
94    parts which are 1) general ARP header stuff 2) match specific
95    stuff 3) the target to perform if the rule matches */
96 struct arpt_entry
97 {
98 	struct arpt_arp arp;
99 
100 	/* Size of arpt_entry + matches */
101 	__u16 target_offset;
102 	/* Size of arpt_entry + matches + target */
103 	__u16 next_offset;
104 
105 	/* Back pointer */
106 	unsigned int comefrom;
107 
108 	/* Packet and byte counters. */
109 	struct xt_counters counters;
110 
111 	/* The matches (if any), then the target. */
112 	unsigned char elems[0];
113 };
114 
115 /*
116  * New IP firewall options for [gs]etsockopt at the RAW IP level.
117  * Unlike BSD Linux inherits IP options so you don't have to use a raw
118  * socket for this. Instead we check rights in the calls.
119  *
120  * ATTENTION: check linux/in.h before adding new number here.
121  */
122 #define ARPT_BASE_CTL		96
123 
124 #define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
125 #define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
126 #define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS
127 
128 #define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
129 #define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
130 /* #define ARPT_SO_GET_REVISION_MATCH	(APRT_BASE_CTL + 2) */
131 #define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
132 #define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)
133 
134 /* The argument to ARPT_SO_GET_INFO */
135 struct arpt_getinfo {
136 	/* Which table: caller fills this in. */
137 	char name[XT_TABLE_MAXNAMELEN];
138 
139 	/* Kernel fills these in. */
140 	/* Which hook entry points are valid: bitmask */
141 	unsigned int valid_hooks;
142 
143 	/* Hook entry points: one per netfilter hook. */
144 	unsigned int hook_entry[NF_ARP_NUMHOOKS];
145 
146 	/* Underflow points. */
147 	unsigned int underflow[NF_ARP_NUMHOOKS];
148 
149 	/* Number of entries */
150 	unsigned int num_entries;
151 
152 	/* Size of entries. */
153 	unsigned int size;
154 };
155 
156 /* The argument to ARPT_SO_SET_REPLACE. */
157 struct arpt_replace {
158 	/* Which table. */
159 	char name[XT_TABLE_MAXNAMELEN];
160 
161 	/* Which hook entry points are valid: bitmask.  You can't
162            change this. */
163 	unsigned int valid_hooks;
164 
165 	/* Number of entries */
166 	unsigned int num_entries;
167 
168 	/* Total size of new entries */
169 	unsigned int size;
170 
171 	/* Hook entry points. */
172 	unsigned int hook_entry[NF_ARP_NUMHOOKS];
173 
174 	/* Underflow points. */
175 	unsigned int underflow[NF_ARP_NUMHOOKS];
176 
177 	/* Information about old entries: */
178 	/* Number of counters (must be equal to current number of entries). */
179 	unsigned int num_counters;
180 	/* The old entries' counters. */
181 	struct xt_counters __user *counters;
182 
183 	/* The entries (hang off end: not really an array). */
184 	struct arpt_entry entries[0];
185 };
186 
187 /* The argument to ARPT_SO_GET_ENTRIES. */
188 struct arpt_get_entries {
189 	/* Which table: user fills this in. */
190 	char name[XT_TABLE_MAXNAMELEN];
191 
192 	/* User fills this in: total entry size. */
193 	unsigned int size;
194 
195 	/* The entries. */
196 	struct arpt_entry entrytable[0];
197 };
198 
199 /* Helper functions */
arpt_get_target(struct arpt_entry * e)200 static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
201 {
202 	return (void *)e + e->target_offset;
203 }
204 
205 /*
206  *	Main firewall chains definitions and global var's definitions.
207  */
208 #endif /* _UAPI_ARPTABLES_H */
209