From 84909d171585d77fe769f03e2b1b96eab0aa0213 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Mon, 9 Sep 2013 12:54:04 +0200
Subject: xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and listing (-L).

[ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp, previous name too long.

* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure.

* Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo
Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-shared.h | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'iptables/nft-shared.h')

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 3f1a9a4a..375c714f 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -84,6 +84,19 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
 void print_proto(uint16_t proto, int invert);
 void get_cmp_data(struct nft_rule_expr_iter *iter, void *data, size_t dlen,
		  bool *inv);
+void nft_parse_target(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
+		      int family, void *data);
+void nft_parse_meta(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
+		    int family, void *data);
+void nft_parse_payload(struct nft_rule_expr *e,
+		       struct nft_rule_expr_iter *iter,
+		       int family, void *data);
+void nft_parse_counter(struct nft_rule_expr *e,
+		       struct nft_rule_expr_iter *iter,
+		       struct xt_counters *counters);
+void nft_parse_immediate(struct nft_rule_expr *e,
+			 struct nft_rule_expr_iter *iter,
+			 int family, void *data);
 void nft_rule_to_iptables_command_state(struct nft_rule *r,
					struct iptables_command_state *cs);
 void print_firewall_details(const struct iptables_command_state *cs,
@@ -149,4 +162,21 @@ struct xtables_args {
 #define CMD_ZERO_NUM 0x2000U
 #define CMD_CHECK 0x4000U
 
+/*
+ * ARP
+ */
+extern char *opcodes[];
+#define NUMOPCODES 9
+
+#include 
+
+static inline struct xt_entry_target *nft_arp_get_target(struct arpt_entry *fw)
+{
+	struct xt_entry_target **target;
+
+	target = (void *) fw + fw->target_offset;
+
+	return *target;
+}
+
 #endif
-- 
cgit v1.2.3
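Review bot: `nft_arp_get_target` in the second hunk returns the wrong object: `fw->target_offset` is the byte offset of the `struct xt_entry_target` embedded in the entry, so casting that address to `struct xt_entry_target **` and returning `*target` reinterprets the target's first bytes (its size/name fields) as a pointer and hands callers an arbitrary address that will be dereferenced when the rule is printed or compared. The helper should return the address itself, `return (struct xt_entry_target *)((char *) fw + fw->target_offset);`, which also avoids relying on the GCC extension of arithmetic on `void *`. Independently, the added `#include` line shows no header path in this rendering; confirm the real patch names the header that declares `struct arpt_entry`, otherwise the inline function below it will not compile in isolation.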