From 5aecb2d8bfdda4a6eea9d93079e33fc414afd8d0 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Mon, 5 Nov 2018 17:51:18 +0100 Subject: arptables: pre-init hlen and ethertype to check -s 1.2.3.4, we need to add the size of the hardware address to the arp header to obtain the offset where the ipv4 address begins: base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target) In arptables-classic, the kernel will add dev->addr_len to the arp header base address to obtain the correct location, but we cannot do this in nf_tables, at least not at this time (we need a fixed offset value). code does: op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP); add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ... but if user did not provide "--h-length 6" argument, then this won't work even for ethernet, as the payload expression will be told to load the first 4 bytes of arp header source mac address (sender hw address). Fix this by pre-initialising arhlen to 6. We also need to set up arhrd. Otherwise, src/dst mac can't be used: arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66 arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT This means that matching won't work for AX25, NETROM etc, however, arptables "classic" can't parse non-ethernet addresses, and makes ETH_ALEN assumptions in several spots, so this should be fine from compatibility point of view. Signed-off-by: Florian Westphal --- iptables/xtables-arp.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'iptables/xtables-arp.c') diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index a791ecce..bde35e5d 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -905,6 +905,8 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, { struct iptables_command_state cs = { .jumpto = "", + .arp.arp.arhln = 6, + .arp.arp.arhrd = htons(ARPHRD_ETHER), }; int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; -- cgit v1.2.3