author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-05-22 22:06:16 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-05-24 21:14:30 +0200 |
commit | 4b0f2a712b5792d2842d89fe68d4230e0eb05c7e (patch) | |
tree | 954a866715d95529e65f39c3ff90920973186ac1 /include | |
parent | eeda228c2d1719f5b6276b40ad14a5b3c3e88536 (diff) |
src: support for arp sender and target ethernet and IPv4 addresses
# nft add table arp x
# nft add chain arp x y { type filter hook input priority 0\; }
# nft add rule arp x y arp saddr ip 192.168.2.1 counter
Testing this:
# ip neigh flush dev eth0
# ping 8.8.8.8
# nft list ruleset
table arp x {
chain y {
type filter hook input priority filter; policy accept;
arp saddr ip 192.168.2.1 counter packets 1 bytes 46
}
}
You can also specify the hardware sender address, e.g.
# nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/headers.h | 12 | ||||
-rw-r--r-- | include/proto.h | 4 |
2 files changed, 16 insertions, 0 deletions
diff --git a/include/headers.h b/include/headers.h
index 3d564deb..759f93bf 100644
--- a/include/headers.h
+++ b/include/headers.h
@@ -78,6 +78,18 @@ struct sctphdr {
 uint32_t checksum;
 };
 
+struct arp_hdr {
+ uint16_t htype;
+ uint16_t ptype;
+ uint8_t hlen;
+ uint8_t plen;
+ uint16_t oper;
+ uint8_t sha[6];
+ uint32_t spa;
+ uint8_t tha[6];
+ uint32_t tpa;
+} __attribute__((__packed__));
+
 struct ipv6hdr {
 uint8_t version:4,
 priority:4;
diff --git a/include/proto.h b/include/proto.h
index 99c57a79..92b25edb 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -182,6 +182,10 @@ enum arp_hdr_fields {
 ARPHDR_HLN,
 ARPHDR_PLN,
 ARPHDR_OP,
+ ARPHDR_SADDR_ETHER,
+ ARPHDR_DADDR_ETHER,
+ ARPHDR_SADDR_IP,
+ ARPHDR_DADDR_IP,
 };
 
 enum ip_hdr_fields { |
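Review bot: `struct arp_hdr` fixes the address fields at `sha[6]`/`tha[6]` and 32-bit `spa`/`tpa`, so its offsets are only right for ARP over Ethernet/IPv4 (`hlen == 6`, `plen == 4`), and nothing in the header says so. If matching uses offsets derived from this struct without also pinning `htype`, `ptype`, `hlen` and `plen`, a frame with other address lengths would have unrelated bytes compared against the rule. The diffstat is limited to include/, so whether the src side adds such a dependency cannot be seen here. I would add a comment above the struct, `/* ARP over Ethernet/IPv4 only: assumes hlen == 6 and plen == 4 */`, note that the multi-byte fields are presumably in network byte order, and give the bare `6` a name (for example `ETH_ALEN`, if it is in scope in this header).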
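Review bot: The four new constants name the second address pair `DADDR`, while the struct added in include/headers.h and the commit title speak of sender and target (`tha`, `tpa`). ARP's target address is not the link-layer destination of the frame, and in a request the target hardware address is typically not filled in, so a filter written against the "destination" (presumably exposed as `arp daddr ...`) may not match what its author expects. A one-line comment on the new entries would make the mapping explicit, e.g. `/* DADDR_* is the ARP target address (tha/tpa), not the frame destination */`. The enum's opening entries are outside the hunk.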