From 4b0f2a712b5792d2842d89fe68d4230e0eb05c7e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 22 May 2019 22:06:16 +0200
Subject: src: support for arp sender and target ethernet and IPv4 addresses
# nft add table arp x
# nft add chain arp x y { type filter hook input priority 0\; }
# nft add rule arp x y arp saddr ip 192.168.2.1 counter
Testing this:
# ip neigh flush dev eth0
# ping 8.8.8.8
# nft list ruleset
table arp x {
chain y {
type filter hook input priority filter; policy accept;
arp saddr ip 192.168.2.1 counter packets 1 bytes 46
}
}
You can also specify hardware sender address, eg.
# nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter
Signed-off-by: Pablo Neira Ayuso
---
src/proto.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
(limited to 'src/proto.c')
diff --git a/src/proto.c b/src/proto.c
index f68fb684..67e86f20 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -874,23 +874,29 @@ const struct datatype arpop_type = {
 };
 
 #define ARPHDR_TYPE(__name, __type, __member) \
- HDR_TYPE(__name, __type, struct arphdr, __member)
+ HDR_TYPE(__name, __type, struct arp_hdr, __member)
 
 #define ARPHDR_FIELD(__name, __member) \
- HDR_FIELD(__name, struct arphdr, __member)
+ HDR_FIELD(__name, struct arp_hdr, __member)
 
 const struct proto_desc proto_arp = {
 .name = "arp",
 .base = PROTO_BASE_NETWORK_HDR,
 .templates = {
- [ARPHDR_HRD] = ARPHDR_FIELD("htype", ar_hrd),
- [ARPHDR_PRO] = ARPHDR_TYPE("ptype", ðertype_type, ar_pro),
- [ARPHDR_HLN] = ARPHDR_FIELD("hlen", ar_hln),
- [ARPHDR_PLN] = ARPHDR_FIELD("plen", ar_pln),
- [ARPHDR_OP] = ARPHDR_TYPE("operation", &arpop_type, ar_op),
+ [ARPHDR_HRD] = ARPHDR_FIELD("htype", htype),
+ [ARPHDR_PRO] = ARPHDR_TYPE("ptype", ðertype_type, ptype),
+ [ARPHDR_HLN] = ARPHDR_FIELD("hlen", hlen),
+ [ARPHDR_PLN] = ARPHDR_FIELD("plen", plen),
+ [ARPHDR_OP] = ARPHDR_TYPE("operation", &arpop_type, oper),
+ [ARPHDR_SADDR_ETHER] = ARPHDR_TYPE("saddr ether", ðeraddr_type, sha),
+ [ARPHDR_DADDR_ETHER] = ARPHDR_TYPE("daddr ether", ðeraddr_type, tha),
+ [ARPHDR_SADDR_IP] = ARPHDR_TYPE("saddr ip", &ipaddr_type, spa),
+ [ARPHDR_DADDR_IP] = ARPHDR_TYPE("daddr ip", &ipaddr_type, tpa),
 },
 .format = {
 .filter = (1 << ARPHDR_HRD) | (1 << ARPHDR_PRO) |
- (1 << ARPHDR_HLN) | (1 << ARPHDR_PLN),
+ (1 << ARPHDR_HLN) | (1 << ARPHDR_PLN) |
+ (1 << ARPHDR_SADDR_ETHER) | (1 << ARPHDR_DADDR_ETHER) |
+ (1 << ARPHDR_SADDR_IP) | (1 << ARPHDR_DADDR_IP),
 },
 };
--
cgit v1.2.3
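Review bot: The four new address templates (`sha`, `tha`, `spa`, `tpa`) are resolved through `HDR_TYPE` against fixed `struct arp_hdr` members, so their offsets are only right for ARP over Ethernet carrying IPv4 (`hlen` 6, `plen` 4), yet nothing in this hunk ties a match on `arp saddr ip` or `arp saddr ether` to those header values, so on a frame with other hardware or protocol lengths the compared bytes are not the address the rule names. Unless the payload dependency generator outside this file already emits implicit `arp hlen 6` / `arp plen 4` (or htype/ptype) checks for these templates, it should, or at minimum the assumption should be stated above `.templates`, e.g. `/* sha/spa/tha/tpa offsets assume Ethernet/IPv4 ARP (hlen 6, plen 4) */`. `struct arp_hdr` and the `ARPHDR_SADDR_*` / `ARPHDR_DADDR_*` enumerators are defined outside this hunk, presumably in the header that replaced the old `struct arphdr` use, so the layout itself cannot be checked here. The `ðertype_type` / `ðeraddr_type` tokens look like an HTML-entity rendering artifact of `&ethertype_type` / `&etheraddr_type` on this page rather than something in the patch.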