no translation yet, might be doable with raw payload expressions though.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
extensions/libebt_arp.c | 490 ++++++++++++++++++++++++++++++++++++++++
iptables/xtables-eb.c | 1 +
2 files changed, 491 insertions(+)
create mode 100644 extensions/libebt_arp.c
diff --git a/extensions/libebt_arp.c b/extensions/libebt_arp.c
new file mode 100644
index 000000000000..45fc8d73e24d
--- /dev/null
+++ b/extensions/libebt_arp.c
@@ -0,0 +1,490 @@
+/* ebt_arp
+ *
+ * Authors:
+ * Bart De Schuymer <bdschuym@xxxxxxxxxx>
+ * Tim Gardner <timg@xxxxxxx>
+ *
+ * April, 2002
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <netinet/ether.h>
+
+#include <ebtables/ethernetdb.h>
+#include <net/if_arp.h>
+#include <linux/netfilter_bridge/ebt_arp.h>
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define ARP_OPCODE '1'
+#define ARP_HTYPE '2'
+#define ARP_PTYPE '3'
+#define ARP_IP_S '4'
+#define ARP_IP_D '5'
+#define ARP_MAC_S '6'
+#define ARP_MAC_D '7'
+#define ARP_GRAT '8'
+
+static const struct option brarp_opts[] = {
+ { "arp-opcode" , required_argument, 0, ARP_OPCODE },
+ { "arp-op" , required_argument, 0, ARP_OPCODE },
+ { "arp-htype" , required_argument, 0, ARP_HTYPE },
+ { "arp-ptype" , required_argument, 0, ARP_PTYPE },
+ { "arp-ip-src" , required_argument, 0, ARP_IP_S },
+ { "arp-ip-dst" , required_argument, 0, ARP_IP_D },
+ { "arp-mac-src" , required_argument, 0, ARP_MAC_S },
+ { "arp-mac-dst" , required_argument, 0, ARP_MAC_D },
+ { "arp-gratuitous", no_argument, 0, ARP_GRAT },
+ XT_GETOPT_TABLEEND,
+};
+
+/* a few names */
+static char *opcodes[] =
+{
+ "Request",
+ "Reply",
+ "Request_Reverse",
+ "Reply_Reverse",
+ "DRARP_Request",
+ "DRARP_Reply",
+ "DRARP_Error",
+ "InARP_Request",
+ "ARP_NAK",
+};
+
+static void brarp_print_help(void)
+{
+ int i;
+
+ printf(
+"arp options:\n"
+"--arp-opcode [!] opcode : ARP opcode (integer or string)\n"
+"--arp-htype [!] type : ARP hardware type (integer or string)\n"
+"--arp-ptype [!] type : ARP protocol type (hexadecimal or string)\n"
+"--arp-ip-src [!] address[/mask]: ARP IP source specification\n"
+"--arp-ip-dst [!] address[/mask]: ARP IP target specification\n"
+"--arp-mac-src [!] address[/mask]: ARP MAC source specification\n"
+"--arp-mac-dst [!] address[/mask]: ARP MAC target specification\n"
+"[!] --arp-gratuitous : ARP gratuitous packet\n"
+" opcode strings: \n");
+ for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+ printf(" %d = %s\n", i + 1, opcodes[i]);
+ printf(
+" hardware type string: 1 = Ethernet\n"
+" protocol type string: see "_PATH_ETHERTYPES"\n");
+}
+
+#define OPT_OPCODE 0x01
+#define OPT_HTYPE 0x02
+#define OPT_PTYPE 0x04
+#define OPT_IP_S 0x08
+#define OPT_IP_D 0x10
+#define OPT_MAC_S 0x20
+#define OPT_MAC_D 0x40
+#define OPT_GRAT 0x80
+
+static int undot_ip(char *ip, unsigned char *ip2)
+{
+ char *p, *q, *end;
+ long int onebyte;
+ int i;
+ char buf[20];
+
+ strncpy(buf, ip, sizeof(buf) - 1);
+
+ p = buf;
+ for (i = 0; i < 3; i++) {
+ if ((q = strchr(p, '.')) == NULL)
+ return -1;
+ *q = '\0';
+ onebyte = strtol(p, &end, 10);
+ if (*end != '\0' || onebyte > 255 || onebyte < 0)
+ return -1;
+ ip2[i] = (unsigned char)onebyte;
+ p = q + 1;
+ }
+
+ onebyte = strtol(p, &end, 10);
+ if (*end != '\0' || onebyte > 255 || onebyte < 0)
+ return -1;
+ ip2[3] = (unsigned char)onebyte;
+
+ return 0;
+}
+
+static int ip_mask(char *mask, unsigned char *mask2)
+{
+ char *end;
+ long int bits;
+ uint32_t mask22;
+
+ if (undot_ip(mask, mask2)) {
+ /* not the /a.b.c.e format, maybe the /x format */
+ bits = strtol(mask, &end, 10);
+ if (*end != '\0' || bits > 32 || bits < 0)
+ return -1;
+ if (bits != 0) {
+ mask22 = htonl(0xFFFFFFFF << (32 - bits));
+ memcpy(mask2, &mask22, 4);
+ } else {
+ mask22 = 0xFFFFFFFF;
+ memcpy(mask2, &mask22, 4);
+ }
+ }
+ return 0;
+}
+
+static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
+{
+ char *p;
+
+ /* first the mask */
+ if ((p = strrchr(address, '/')) != NULL) {
+ *p = '\0';
+ if (ip_mask(p + 1, (unsigned char *)msk)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with the IP mask '%s'", p + 1);
+ return;
+ }
+ } else
+ *msk = 0xFFFFFFFF;
+
+ if (undot_ip(address, (unsigned char *)addr)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with the IP address '%s'", address);
+ return;
+ }
+ *addr = *addr & *msk;
+}
+
+static int brarp_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask)
+{
+ char *p;
+ int i;
+ struct ether_addr *addr = NULL;
+
+ static const unsigned char mac_type_unicast[ETH_ALEN];
+ static const unsigned char msk_type_unicast[ETH_ALEN] = {1,0,0,0,0,0};
+ static const unsigned char mac_type_multicast[ETH_ALEN] = {1,0,0,0,0,0};
+ static const unsigned char mac_type_broadcast[ETH_ALEN] = {255,255,255,255,255,255};
+ static const unsigned char mac_type_bridge_group[ETH_ALEN] = {0x01,0x80,0xc2,0,0,0};
+ static const unsigned char msk_type_bridge_group[ETH_ALEN] = {255,255,255,255,255,255};
+
+ if (strcasecmp(from, "Unicast") == 0) {
+ memcpy(to, mac_type_unicast, ETH_ALEN);
+ memcpy(mask, msk_type_unicast, ETH_ALEN);
+ return 0;
+ }
+ if (strcasecmp(from, "Multicast") == 0) {
+ memcpy(to, mac_type_multicast, ETH_ALEN);
+ memcpy(mask, mac_type_multicast, ETH_ALEN);
+ return 0;
+ }
+ if (strcasecmp(from, "Broadcast") == 0) {
+ memcpy(to, mac_type_broadcast, ETH_ALEN);
+ memcpy(mask, mac_type_broadcast, ETH_ALEN);
+ return 0;
+ }
+ if (strcasecmp(from, "BGA") == 0) {
+ memcpy(to, mac_type_bridge_group, ETH_ALEN);
+ memcpy(mask, msk_type_bridge_group, ETH_ALEN);
+ return 0;
+ }
+ if ( (p = strrchr(from, '/')) != NULL) {
+ *p = '\0';
+ if (!(addr = ether_aton(p + 1)))
+ return -1;
+ memcpy(mask, addr, ETH_ALEN);
+ } else
+ memset(mask, 0xff, ETH_ALEN);
+ if (!(addr = ether_aton(from)))
+ return -1;
+ memcpy(to, addr, ETH_ALEN);
+ for (i = 0; i < ETH_ALEN; i++)
+ to[i] &= mask[i];
+ return 0;
+}
+
+static struct ethertypeent *brarp_getethertypeent(FILE *etherf, const char *name)
+{
+ static struct ethertypeent et_ent;
+ char *e, *found_name;
+ char line[1024];
+
+ while ((e = fgets(line, sizeof(line), etherf))) {
+ char *endptr, *cp;
+
+ if (*e == '#')
+ continue;
+
+ cp = strpbrk(e, "#\n");
+ if (cp == NULL)
+ continue;
+ *cp = '\0';
+ found_name = e;
+
+ cp = strpbrk(e, " \t");
+ if (cp == NULL)
+ continue;
+
+ *cp++ = '\0';
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ e = strpbrk(cp, " \t");
+ if (e != NULL)
+ *e++ = '\0';
+
+ et_ent.e_ethertype = strtol(cp, &endptr, 16);
+ if (*endptr != '\0' ||
+ (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 0xFFFF))
+ continue;
+
+ if (strcasecmp(found_name, name) == 0)
+ return (&et_ent);
+
+ if (e != NULL) {
+ cp = e;
+ while (cp && *cp) {
+ if (*cp == ' ' || *cp == '\t') {
+ cp++;
+ continue;
+ }
+ e = cp;
+ cp = strpbrk(cp, " \t");
+ if (cp != NULL)
+ *cp++ = '\0';
+ if (strcasecmp(e, name) == 0)
+ return (&et_ent);
+ e = cp;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+static struct ethertypeent *brarp_getethertypebyname(const char *name)
+{
+ struct ethertypeent *e;
+ FILE *etherf;
+
+ etherf = fopen(_PATH_ETHERTYPES, "r");
+
+ e = brarp_getethertypeent(etherf, name);
+ fclose(etherf);
+ return (e);
+}
+
+static int
+brarp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)(*match)->data;
+ long int i;
+ char *end;
+ uint32_t *addr;
+ uint32_t *mask;
+ unsigned char *maddr;
+ unsigned char *mmask;
+
+ switch (c) {
+ case ARP_OPCODE:
+ EBT_CHECK_OPTION(flags, OPT_OPCODE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_OPCODE;
+ i = strtol(optarg, &end, 10);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+ if (!strcasecmp(opcodes[i], optarg))
+ break;
+ if (i == ARRAY_SIZE(opcodes))
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP opcode");
+ i++;
+ }
+ arpinfo->opcode = htons(i);
+ arpinfo->bitmask |= EBT_ARP_OPCODE;
+ break;
+
+ case ARP_HTYPE:
+ EBT_CHECK_OPTION(flags, OPT_HTYPE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_HTYPE;
+ i = strtol(optarg, &end, 10);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ if (!strcasecmp("Ethernet", argv[optind - 1]))
+ i = 1;
+ else
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP hardware type");
+ }
+ arpinfo->htype = htons(i);
+ arpinfo->bitmask |= EBT_ARP_HTYPE;
+ break;
+ case ARP_PTYPE: {
+ uint16_t proto;
+
+ EBT_CHECK_OPTION(flags, OPT_PTYPE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_PTYPE;
+
+ i = strtol(optarg, &end, 16);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ struct ethertypeent *ent;
+
+ ent = brarp_getethertypebyname(argv[optind - 1]);
+ if (!ent)
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP "
+ "protocol type");
+ proto = ent->e_ethertype;
+
+ } else
+ proto = i;
+ arpinfo->ptype = htons(proto);
+ arpinfo->bitmask |= EBT_ARP_PTYPE;
+ break;
+ }
+
+ case ARP_IP_S:
+ case ARP_IP_D:
+ if (c == ARP_IP_S) {
+ EBT_CHECK_OPTION(flags, OPT_IP_S);
+ addr = &arpinfo->saddr;
+ mask = &arpinfo->smsk;
+ arpinfo->bitmask |= EBT_ARP_SRC_IP;
+ } else {
+ EBT_CHECK_OPTION(flags, OPT_IP_D);
+ addr = &arpinfo->daddr;
+ mask = &arpinfo->dmsk;
+ arpinfo->bitmask |= EBT_ARP_DST_IP;
+ }
+ if (invert) {
+ if (c == ARP_IP_S)
+ arpinfo->invflags |= EBT_ARP_SRC_IP;
+ else
+ arpinfo->invflags |= EBT_ARP_DST_IP;
+ }
+ ebt_parse_ip_address(optarg, addr, mask);
+ break;
+ case ARP_MAC_S:
+ case ARP_MAC_D:
+ if (c == ARP_MAC_S) {
+ EBT_CHECK_OPTION(flags, OPT_MAC_S);
+ maddr = arpinfo->smaddr;
+ mmask = arpinfo->smmsk;
+ arpinfo->bitmask |= EBT_ARP_SRC_MAC;
+ } else {
+ EBT_CHECK_OPTION(flags, OPT_MAC_D);
+ maddr = arpinfo->dmaddr;
+ mmask = arpinfo->dmmsk;
+ arpinfo->bitmask |= EBT_ARP_DST_MAC;
+ }
+ if (invert) {
+ if (c == ARP_MAC_S)
+ arpinfo->invflags |= EBT_ARP_SRC_MAC;
+ else
+ arpinfo->invflags |= EBT_ARP_DST_MAC;
+ }
+ if (brarp_get_mac_and_mask(optarg, maddr, mmask))
+ xtables_error(PARAMETER_PROBLEM, "Problem with ARP MAC address argument");
+ break;
+ case ARP_GRAT:
+ EBT_CHECK_OPTION(flags, OPT_GRAT);
+ arpinfo->bitmask |= EBT_ARP_GRAT;
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_GRAT;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void brarp_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask)
+{
+ char hlpmsk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+
+ printf("%s", ether_ntoa((struct ether_addr *) mac));
+ if (memcmp(mask, hlpmsk, 6))
+ printf("/%s", ether_ntoa((struct ether_addr *) mask));
+}
+
+static void brarp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data;
+
+ if (arpinfo->bitmask & EBT_ARP_OPCODE) {
+ int opcode = ntohs(arpinfo->opcode);
+ printf("--arp-op ");
+ if (arpinfo->invflags & EBT_ARP_OPCODE)
+ printf("! ");
+ if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes))
+ printf("%s ", opcodes[opcode - 1]);
+ else
+ printf("%d ", opcode);
+ }
+ if (arpinfo->bitmask & EBT_ARP_HTYPE) {
+ printf("--arp-htype ");
+ if (arpinfo->invflags & EBT_ARP_HTYPE)
+ printf("! ");
+ printf("%d ", ntohs(arpinfo->htype));
+ }
+ if (arpinfo->bitmask & EBT_ARP_PTYPE) {
+ printf("--arp-ptype ");
+ if (arpinfo->invflags & EBT_ARP_PTYPE)
+ printf("! ");
+ printf("0x%x ", ntohs(arpinfo->ptype));
+ }
+ if (arpinfo->bitmask & EBT_ARP_SRC_IP) {
+ printf("--arp-ip-src ");
+ if (arpinfo->invflags & EBT_ARP_SRC_IP)
+ printf("! ");
+ printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr),
+ xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk));
+ }
+ if (arpinfo->bitmask & EBT_ARP_DST_IP) {
+ printf("--arp-ip-dst ");
+ if (arpinfo->invflags & EBT_ARP_DST_IP)
+ printf("! ");
+ printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr),
+ xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk));
+ }
+ if (arpinfo->bitmask & EBT_ARP_SRC_MAC) {
+ printf("--arp-mac-src ");
+ if (arpinfo->invflags & EBT_ARP_SRC_MAC)
+ printf("! ");
+ brarp_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
+ printf(" ");
+ }
+ if (arpinfo->bitmask & EBT_ARP_DST_MAC) {
+ printf("--arp-mac-dst ");
+ if (arpinfo->invflags & EBT_ARP_DST_MAC)
+ printf("! ");
+ brarp_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
+ printf(" ");
+ }
+ if (arpinfo->bitmask & EBT_ARP_GRAT) {
+ if (arpinfo->invflags & EBT_ARP_GRAT)
+ printf("! ");
+ printf("--arp-gratuitous ");
+ }
+}
+
+static struct xtables_match brarp_match = {
+ .name = "arp",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct ebt_arp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ebt_arp_info)),
+ .help = brarp_print_help,
+ .parse = brarp_parse,
+ .print = brarp_print,
+ .extra_opts = brarp_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&brarp_match);
+}
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 1230125f98f2..bfa66d7d8e42 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -665,6 +665,7 @@ void ebt_load_match_extensions(void)
{
opts = ebt_original_options;
ebt_load_match("802_3");
+ ebt_load_match("arp");
ebt_load_match("ip");
ebt_load_match("ip6");
ebt_load_match("mark_m");
--
2.17.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
