From 4b0f2a712b5792d2842d89fe68d4230e0eb05c7e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 22 May 2019 22:06:16 +0200
Subject: src: support for arp sender and target ethernet and IPv4 addresses
# nft add table arp x
# nft add chain arp x y { type filter hook input priority 0\; }
# nft add rule arp x y arp saddr ip 192.168.2.1 counter
Testing this:
# ip neigh flush dev eth0
# ping 8.8.8.8
# nft list ruleset
table arp x {
chain y {
type filter hook input priority filter; policy accept;
arp saddr ip 192.168.2.1 counter packets 1 bytes 46
}
}
You can also specify hardware sender address, eg.
# nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter
Signed-off-by: Pablo Neira Ayuso
---
doc/payload-expression.txt | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 7f3ca42d..ebbffe50 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -44,7 +44,7 @@ ether_type
 ARP HEADER EXPRESSION
 ~~~~~~~~~~~~~~~~~~~~~
 [verse]
-*arp* {*htype* | *ptype* | *hlen* | *plen* | *operation*}
+*arp* {*htype* | *ptype* | *hlen* | *plen* | *operation* | *saddr* { *ip* | *ether* } | *daddr* { *ip* | *ether* }
 
 .ARP header expression
 [options="header"]
@@ -65,6 +65,18 @@ integer (8 bit)
 |operation|
 Operation |
 arp_op
+|saddr ether|
+Ethernet sender address|
+ether_addr
+|daddr ether|
+Ethernet target address|
+ether_addr
+|saddr ip|
+IPv4 sender address|
+ipv4_addr
+|daddr ip|
+IPv4 target address|
+ipv4_addr
 |======================
 
 IPV4 HEADER EXPRESSION
-- cgit v1.2.3