authorGiuseppe Longo <>2013-09-09 12:54:04 +0200
committerPablo Neira Ayuso <>2013-12-30 23:50:46 +0100
commit84909d171585d77fe769f03e2b1b96eab0aa0213 (patch)
tree1627c75d71025b18b6d7a94ee504617146b02419 /iptables/nft-shared.h
parent67da6075a4e7ced0e8cc452d73ce8ab06cbf8cd9 (diff)
xtables: bootstrap ARP compatibility layer for nftables
This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactoring should allow us to accommodate those functions in the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo <> Signed-off-by: Tomasz Bursztyka <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft-shared.h')
1 files changed, 30 insertions, 0 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 3f1a9a4a..375c714f 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -84,6 +84,19 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
void print_proto(uint16_t proto, int invert);
void get_cmp_data(struct nft_rule_expr_iter *iter,
void *data, size_t dlen, bool *inv);
+void nft_parse_target(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
+ int family, void *data);
+void nft_parse_meta(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
+ int family, void *data);
+void nft_parse_payload(struct nft_rule_expr *e,
+ struct nft_rule_expr_iter *iter,
+ int family, void *data);
+void nft_parse_counter(struct nft_rule_expr *e,
+ struct nft_rule_expr_iter *iter,
+ struct xt_counters *counters);
+void nft_parse_immediate(struct nft_rule_expr *e,
+ struct nft_rule_expr_iter *iter,
+ int family, void *data);
void nft_rule_to_iptables_command_state(struct nft_rule *r,
struct iptables_command_state *cs);
void print_firewall_details(const struct iptables_command_state *cs,
@@ -149,4 +162,21 @@ struct xtables_args {
#define CMD_ZERO_NUM 0x2000U
#define CMD_CHECK 0x4000U
+ * ARP
+ */
+extern char *opcodes[];
+#define NUMOPCODES 9
+#include <linux/netfilter_arp/arp_tables.h>
+static inline struct xt_entry_target *nft_arp_get_target(struct arpt_entry *fw)
+ struct xt_entry_target **target;
+ target = (void *) fw + fw->target_offset;
+ return *target;