[PATCH xtables] ebtables-compat: add arp extension

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



no translation yet, might be doable with raw payload expressions though.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 extensions/libebt_arp.c | 490 ++++++++++++++++++++++++++++++++++++++++
 iptables/xtables-eb.c   |   1 +
 2 files changed, 491 insertions(+)
 create mode 100644 extensions/libebt_arp.c

diff --git a/extensions/libebt_arp.c b/extensions/libebt_arp.c
new file mode 100644
index 000000000000..45fc8d73e24d
--- /dev/null
+++ b/extensions/libebt_arp.c
@@ -0,0 +1,490 @@
+/* ebt_arp
+ *
+ * Authors:
+ * Bart De Schuymer <bdschuym@xxxxxxxxxx>
+ * Tim Gardner <timg@xxxxxxx>
+ *
+ * April, 2002
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <netinet/ether.h>
+
+#include <ebtables/ethernetdb.h>
+#include <net/if_arp.h>
+#include <linux/netfilter_bridge/ebt_arp.h>
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define ARP_OPCODE '1'
+#define ARP_HTYPE  '2'
+#define ARP_PTYPE  '3'
+#define ARP_IP_S   '4'
+#define ARP_IP_D   '5'
+#define ARP_MAC_S  '6'
+#define ARP_MAC_D  '7'
+#define ARP_GRAT   '8'
+
+static const struct option brarp_opts[] = {
+	{ "arp-opcode"    , required_argument, 0, ARP_OPCODE },
+	{ "arp-op"        , required_argument, 0, ARP_OPCODE },
+	{ "arp-htype"     , required_argument, 0, ARP_HTYPE  },
+	{ "arp-ptype"     , required_argument, 0, ARP_PTYPE  },
+	{ "arp-ip-src"    , required_argument, 0, ARP_IP_S   },
+	{ "arp-ip-dst"    , required_argument, 0, ARP_IP_D   },
+	{ "arp-mac-src"   , required_argument, 0, ARP_MAC_S  },
+	{ "arp-mac-dst"   , required_argument, 0, ARP_MAC_D  },
+	{ "arp-gratuitous",       no_argument, 0, ARP_GRAT   },
+	XT_GETOPT_TABLEEND,
+};
+
+/* a few names */
+static char *opcodes[] =
+{
+	"Request",
+	"Reply",
+	"Request_Reverse",
+	"Reply_Reverse",
+	"DRARP_Request",
+	"DRARP_Reply",
+	"DRARP_Error",
+	"InARP_Request",
+	"ARP_NAK",
+};
+
+static void brarp_print_help(void)
+{
+	int i;
+
+	printf(
+"arp options:\n"
+"--arp-opcode  [!] opcode        : ARP opcode (integer or string)\n"
+"--arp-htype   [!] type          : ARP hardware type (integer or string)\n"
+"--arp-ptype   [!] type          : ARP protocol type (hexadecimal or string)\n"
+"--arp-ip-src  [!] address[/mask]: ARP IP source specification\n"
+"--arp-ip-dst  [!] address[/mask]: ARP IP target specification\n"
+"--arp-mac-src [!] address[/mask]: ARP MAC source specification\n"
+"--arp-mac-dst [!] address[/mask]: ARP MAC target specification\n"
+"[!] --arp-gratuitous            : ARP gratuitous packet\n"
+" opcode strings: \n");
+	for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+		printf(" %d = %s\n", i + 1, opcodes[i]);
+	printf(
+" hardware type string: 1 = Ethernet\n"
+" protocol type string: see "_PATH_ETHERTYPES"\n");
+}
+
+#define OPT_OPCODE 0x01
+#define OPT_HTYPE  0x02
+#define OPT_PTYPE  0x04
+#define OPT_IP_S   0x08
+#define OPT_IP_D   0x10
+#define OPT_MAC_S  0x20
+#define OPT_MAC_D  0x40
+#define OPT_GRAT   0x80
+
+static int undot_ip(char *ip, unsigned char *ip2)
+{
+	char *p, *q, *end;
+	long int onebyte;
+	int i;
+	char buf[20];
+
+	strncpy(buf, ip, sizeof(buf) - 1);
+
+	p = buf;
+	for (i = 0; i < 3; i++) {
+		if ((q = strchr(p, '.')) == NULL)
+			return -1;
+		*q = '\0';
+		onebyte = strtol(p, &end, 10);
+		if (*end != '\0' || onebyte > 255 || onebyte < 0)
+			return -1;
+		ip2[i] = (unsigned char)onebyte;
+		p = q + 1;
+	}
+
+	onebyte = strtol(p, &end, 10);
+	if (*end != '\0' || onebyte > 255 || onebyte < 0)
+		return -1;
+	ip2[3] = (unsigned char)onebyte;
+
+	return 0;
+}
+
+static int ip_mask(char *mask, unsigned char *mask2)
+{
+	char *end;
+	long int bits;
+	uint32_t mask22;
+
+	if (undot_ip(mask, mask2)) {
+		/* not the /a.b.c.e format, maybe the /x format */
+		bits = strtol(mask, &end, 10);
+		if (*end != '\0' || bits > 32 || bits < 0)
+			return -1;
+		if (bits != 0) {
+			mask22 = htonl(0xFFFFFFFF << (32 - bits));
+			memcpy(mask2, &mask22, 4);
+		} else {
+			mask22 = 0xFFFFFFFF;
+			memcpy(mask2, &mask22, 4);
+		}
+	}
+	return 0;
+}
+
+static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
+{
+	char *p;
+
+	/* first the mask */
+	if ((p = strrchr(address, '/')) != NULL) {
+		*p = '\0';
+		if (ip_mask(p + 1, (unsigned char *)msk)) {
+			xtables_error(PARAMETER_PROBLEM,
+				      "Problem with the IP mask '%s'", p + 1);
+			return;
+		}
+	} else
+		*msk = 0xFFFFFFFF;
+
+	if (undot_ip(address, (unsigned char *)addr)) {
+		xtables_error(PARAMETER_PROBLEM,
+			      "Problem with the IP address '%s'", address);
+		return;
+	}
+	*addr = *addr & *msk;
+}
+
+static int brarp_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask)
+{
+	char *p;
+	int i;
+	struct ether_addr *addr = NULL;
+
+	static const unsigned char mac_type_unicast[ETH_ALEN];
+	static const unsigned char msk_type_unicast[ETH_ALEN] =   {1,0,0,0,0,0};
+	static const unsigned char mac_type_multicast[ETH_ALEN] = {1,0,0,0,0,0};
+	static const unsigned char mac_type_broadcast[ETH_ALEN] = {255,255,255,255,255,255};
+	static const unsigned char mac_type_bridge_group[ETH_ALEN] = {0x01,0x80,0xc2,0,0,0};
+	static const unsigned char msk_type_bridge_group[ETH_ALEN] = {255,255,255,255,255,255};
+
+	if (strcasecmp(from, "Unicast") == 0) {
+		memcpy(to, mac_type_unicast, ETH_ALEN);
+		memcpy(mask, msk_type_unicast, ETH_ALEN);
+		return 0;
+	}
+	if (strcasecmp(from, "Multicast") == 0) {
+		memcpy(to, mac_type_multicast, ETH_ALEN);
+		memcpy(mask, mac_type_multicast, ETH_ALEN);
+		return 0;
+	}
+	if (strcasecmp(from, "Broadcast") == 0) {
+		memcpy(to, mac_type_broadcast, ETH_ALEN);
+		memcpy(mask, mac_type_broadcast, ETH_ALEN);
+		return 0;
+	}
+	if (strcasecmp(from, "BGA") == 0) {
+		memcpy(to, mac_type_bridge_group, ETH_ALEN);
+		memcpy(mask, msk_type_bridge_group, ETH_ALEN);
+		return 0;
+	}
+	if ( (p = strrchr(from, '/')) != NULL) {
+		*p = '\0';
+		if (!(addr = ether_aton(p + 1)))
+			return -1;
+		memcpy(mask, addr, ETH_ALEN);
+	} else
+		memset(mask, 0xff, ETH_ALEN);
+	if (!(addr = ether_aton(from)))
+		return -1;
+	memcpy(to, addr, ETH_ALEN);
+	for (i = 0; i < ETH_ALEN; i++)
+		to[i] &= mask[i];
+	return 0;
+}
+
+static struct ethertypeent *brarp_getethertypeent(FILE *etherf, const char *name)
+{
+	static struct ethertypeent et_ent;
+	char *e, *found_name;
+	char line[1024];
+
+	while ((e = fgets(line, sizeof(line), etherf))) {
+		char *endptr, *cp;
+
+		if (*e == '#')
+			continue;
+
+		cp = strpbrk(e, "#\n");
+		if (cp == NULL)
+			continue;
+		*cp = '\0';
+		found_name = e;
+
+		cp = strpbrk(e, " \t");
+		if (cp == NULL)
+			continue;
+
+		*cp++ = '\0';
+		while (*cp == ' ' || *cp == '\t')
+			cp++;
+		e = strpbrk(cp, " \t");
+		if (e != NULL)
+			*e++ = '\0';
+
+		et_ent.e_ethertype = strtol(cp, &endptr, 16);
+		if (*endptr != '\0' ||
+		    (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 0xFFFF))
+			continue;
+
+		if (strcasecmp(found_name, name) == 0)
+			return (&et_ent);
+
+		if (e != NULL) {
+			cp = e;
+			while (cp && *cp) {
+				if (*cp == ' ' || *cp == '\t') {
+					cp++;
+					continue;
+				}
+				e = cp;
+				cp = strpbrk(cp, " \t");
+				if (cp != NULL)
+					*cp++ = '\0';
+				if (strcasecmp(e, name) == 0)
+					return (&et_ent);
+				e = cp;
+			}
+		}
+	}
+
+	return NULL;
+}
+
+static struct ethertypeent *brarp_getethertypebyname(const char *name)
+{
+	struct ethertypeent *e;
+	FILE *etherf;
+
+	etherf = fopen(_PATH_ETHERTYPES, "r");
+
+	e = brarp_getethertypeent(etherf, name);
+	fclose(etherf);
+	return (e);
+}
+
+static int
+brarp_parse(int c, char **argv, int invert, unsigned int *flags,
+	    const void *entry, struct xt_entry_match **match)
+{
+	struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)(*match)->data;
+	long int i;
+	char *end;
+	uint32_t *addr;
+	uint32_t *mask;
+	unsigned char *maddr;
+	unsigned char *mmask;
+
+	switch (c) {
+	case ARP_OPCODE:
+		EBT_CHECK_OPTION(flags, OPT_OPCODE);
+		if (invert)
+			arpinfo->invflags |= EBT_ARP_OPCODE;
+		i = strtol(optarg, &end, 10);
+		if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+			for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+				if (!strcasecmp(opcodes[i], optarg))
+					break;
+			if (i == ARRAY_SIZE(opcodes))
+				xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP opcode");
+			i++;
+		}
+		arpinfo->opcode = htons(i);
+		arpinfo->bitmask |= EBT_ARP_OPCODE;
+		break;
+
+	case ARP_HTYPE:
+		EBT_CHECK_OPTION(flags, OPT_HTYPE);
+		if (invert)
+			arpinfo->invflags |= EBT_ARP_HTYPE;
+		i = strtol(optarg, &end, 10);
+		if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+			if (!strcasecmp("Ethernet", argv[optind - 1]))
+				i = 1;
+			else
+				xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP hardware type");
+		}
+		arpinfo->htype = htons(i);
+		arpinfo->bitmask |= EBT_ARP_HTYPE;
+		break;
+	case ARP_PTYPE: {
+		uint16_t proto;
+
+		EBT_CHECK_OPTION(flags, OPT_PTYPE);
+		if (invert)
+			arpinfo->invflags |= EBT_ARP_PTYPE;
+
+		i = strtol(optarg, &end, 16);
+		if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+			struct ethertypeent *ent;
+
+			ent = brarp_getethertypebyname(argv[optind - 1]);
+			if (!ent)
+				xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP "
+								 "protocol type");
+			proto = ent->e_ethertype;
+
+		} else
+			proto = i;
+		arpinfo->ptype = htons(proto);
+		arpinfo->bitmask |= EBT_ARP_PTYPE;
+		break;
+	}
+
+	case ARP_IP_S:
+	case ARP_IP_D:
+		if (c == ARP_IP_S) {
+			EBT_CHECK_OPTION(flags, OPT_IP_S);
+			addr = &arpinfo->saddr;
+			mask = &arpinfo->smsk;
+			arpinfo->bitmask |= EBT_ARP_SRC_IP;
+		} else {
+			EBT_CHECK_OPTION(flags, OPT_IP_D);
+			addr = &arpinfo->daddr;
+			mask = &arpinfo->dmsk;
+			arpinfo->bitmask |= EBT_ARP_DST_IP;
+		}
+		if (invert) {
+			if (c == ARP_IP_S)
+				arpinfo->invflags |= EBT_ARP_SRC_IP;
+			else
+				arpinfo->invflags |= EBT_ARP_DST_IP;
+		}
+		ebt_parse_ip_address(optarg, addr, mask);
+		break;
+	case ARP_MAC_S:
+	case ARP_MAC_D:
+		if (c == ARP_MAC_S) {
+			EBT_CHECK_OPTION(flags, OPT_MAC_S);
+			maddr = arpinfo->smaddr;
+			mmask = arpinfo->smmsk;
+			arpinfo->bitmask |= EBT_ARP_SRC_MAC;
+		} else {
+			EBT_CHECK_OPTION(flags, OPT_MAC_D);
+			maddr = arpinfo->dmaddr;
+			mmask = arpinfo->dmmsk;
+			arpinfo->bitmask |= EBT_ARP_DST_MAC;
+		}
+		if (invert) {
+			if (c == ARP_MAC_S)
+				arpinfo->invflags |= EBT_ARP_SRC_MAC;
+			else
+				arpinfo->invflags |= EBT_ARP_DST_MAC;
+		}
+		if (brarp_get_mac_and_mask(optarg, maddr, mmask))
+			xtables_error(PARAMETER_PROBLEM, "Problem with ARP MAC address argument");
+		break;
+	case ARP_GRAT:
+		EBT_CHECK_OPTION(flags, OPT_GRAT);
+		arpinfo->bitmask |= EBT_ARP_GRAT;
+		if (invert)
+			arpinfo->invflags |= EBT_ARP_GRAT;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void brarp_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask)
+{
+	char hlpmsk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+
+	printf("%s", ether_ntoa((struct ether_addr *) mac));
+	if (memcmp(mask, hlpmsk, 6))
+	        printf("/%s", ether_ntoa((struct ether_addr *) mask));
+}
+
+static void brarp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data;
+
+	if (arpinfo->bitmask & EBT_ARP_OPCODE) {
+		int opcode = ntohs(arpinfo->opcode);
+		printf("--arp-op ");
+		if (arpinfo->invflags & EBT_ARP_OPCODE)
+			printf("! ");
+		if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes))
+			printf("%s ", opcodes[opcode - 1]);
+		else
+			printf("%d ", opcode);
+	}
+	if (arpinfo->bitmask & EBT_ARP_HTYPE) {
+		printf("--arp-htype ");
+		if (arpinfo->invflags & EBT_ARP_HTYPE)
+			printf("! ");
+		printf("%d ", ntohs(arpinfo->htype));
+	}
+	if (arpinfo->bitmask & EBT_ARP_PTYPE) {
+		printf("--arp-ptype ");
+		if (arpinfo->invflags & EBT_ARP_PTYPE)
+			printf("! ");
+		printf("0x%x ", ntohs(arpinfo->ptype));
+	}
+	if (arpinfo->bitmask & EBT_ARP_SRC_IP) {
+		printf("--arp-ip-src ");
+		if (arpinfo->invflags & EBT_ARP_SRC_IP)
+			printf("! ");
+		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr),
+		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk));
+	}
+	if (arpinfo->bitmask & EBT_ARP_DST_IP) {
+		printf("--arp-ip-dst ");
+		if (arpinfo->invflags & EBT_ARP_DST_IP)
+			printf("! ");
+		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr),
+		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk));
+	}
+	if (arpinfo->bitmask & EBT_ARP_SRC_MAC) {
+		printf("--arp-mac-src ");
+		if (arpinfo->invflags & EBT_ARP_SRC_MAC)
+			printf("! ");
+		brarp_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
+		printf(" ");
+	}
+	if (arpinfo->bitmask & EBT_ARP_DST_MAC) {
+		printf("--arp-mac-dst ");
+		if (arpinfo->invflags & EBT_ARP_DST_MAC)
+			printf("! ");
+		brarp_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
+		printf(" ");
+	}
+	if (arpinfo->bitmask & EBT_ARP_GRAT) {
+		if (arpinfo->invflags & EBT_ARP_GRAT)
+			printf("! ");
+		printf("--arp-gratuitous ");
+	}
+}
+
+static struct xtables_match brarp_match = {
+	.name		= "arp",
+	.version	= XTABLES_VERSION,
+	.family		= NFPROTO_BRIDGE,
+	.size		= XT_ALIGN(sizeof(struct ebt_arp_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct ebt_arp_info)),
+	.help		= brarp_print_help,
+	.parse		= brarp_parse,
+	.print		= brarp_print,
+	.extra_opts	= brarp_opts,
+};
+
+void _init(void)
+{
+	xtables_register_match(&brarp_match);
+}
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 1230125f98f2..bfa66d7d8e42 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -665,6 +665,7 @@ void ebt_load_match_extensions(void)
 {
 	opts = ebt_original_options;
 	ebt_load_match("802_3");
+	ebt_load_match("arp");
 	ebt_load_match("ip");
 	ebt_load_match("ip6");
 	ebt_load_match("mark_m");
-- 
2.17.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux