From 4b0f2a712b5792d2842d89fe68d4230e0eb05c7e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 22 May 2019 22:06:16 +0200 Subject: src: support for arp sender and target ethernet and IPv4 addresses # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp saddr ip 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp x { chain y { type filter hook input priority filter; policy accept; arp saddr ip 192.168.2.1 counter packets 1 bytes 46 } } You can also specify hardware sender address, eg. # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter Signed-off-by: Pablo Neira Ayuso --- tests/py/arp/arp.t | 7 ++++++- tests/py/arp/arp.t.payload | 21 +++++++++++++++++++++ tests/py/arp/arp.t.payload.netdev | 28 ++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) (limited to 'tests/py')
diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t
index d62cc546..86bab523 100644
--- a/tests/py/arp/arp.t
+++ b/tests/py/arp/arp.t
@@ -55,4 +55,9 @@ arp operation != inreply;ok
 arp operation != nak;ok
 arp operation != reply;ok
 
-meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 @nh,192,32 3232272144 @nh,144,48 set 18838586676582
+arp saddr ip 1.2.3.4;ok
+arp daddr ip 4.3.2.1;ok
+arp saddr ether aa:bb:cc:aa:bb:cc;ok
+arp daddr ether aa:bb:cc:aa:bb:cc;ok
+
+meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 arp daddr ip 192.168.143.16 arp daddr ether set 11:22:33:44:55:66
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
index 33e73417..d36bef18 100644
--- a/tests/py/arp/arp.t.payload
+++ b/tests/py/arp/arp.t.payload
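Review bot: The four cases added in the arp.t hunk are all `;ok` equality matches, so nothing pins how the new fields behave under negation or sets, or how the parser rejects an operand of the wrong type. A line such as `arp saddr ip != 1.2.3.4;ok` and one `;fail` line with a malformed address would cover that; each `;ok` case needs a matching entry in both payload files. The named statement form `arp daddr ether set 11:22:33:44:55:66` appears only as the expected output of the raw `@nh` rule and is never given as input, so the input path for it stays untested.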
@@ -280,3 +280,24 @@ arp test-arp input
 [ cmp eq reg 1 0x108fa8c0 ]
 [ immediate reg 1 0x44332211 0x00006655 ]
 [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# arp saddr ip 1.2.3.4
+arp test-arp input
+ [ payload load 4b @ network header + 14 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# arp daddr ip 4.3.2.1
+arp test-arp input
+ [ payload load 4b @ network header + 24 => reg 1 ]
+ [ cmp eq reg 1 0x01020304 ]
+
+# arp saddr ether aa:bb:cc:aa:bb:cc
+arp test-arp input
+ [ payload load 6b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp daddr ether aa:bb:cc:aa:bb:cc
+arp test-arp input
+ [ payload load 6b @ network header + 18 => reg 1 ]
+ [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
index 4fcf3504..0146cf50 100644
--- a/tests/py/arp/arp.t.payload.netdev
+++ b/tests/py/arp/arp.t.payload.netdev
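Review bot: The expected bytecode for all four new fields loads at fixed offsets (+8, +14, +18, +24), which is the Ethernet/IPv4 ARP layout only, and no entry checks `arp htype`, `arp ptype`, `arp hlen` or `arp plen` before the load. The same holds in the arp.t.payload.netdev hunk, where the only guard is `meta load protocol` compared with 0x00000608, so on ingress a frame with other address lengths would presumably be compared at the wrong bytes unless something earlier drops it; that is worth confirming. If leaving out the dependency is intentional, state it in arp.t with a comment such as `# saddr/daddr offsets assume htype 1, hlen 6, plen 4`, and add a case that pairs the match with the length checks, e.g. `arp hlen 6 arp plen 4 arp saddr ip 1.2.3.4;ok`.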
@@ -373,3 +373,31 @@ netdev test-netdev ingress
 [ immediate reg 1 0x44332211 0x00006655 ]
 [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ]
 
+# arp saddr ip 1.2.3.4
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000608 ]
+ [ payload load 4b @ network header + 14 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# arp daddr ip 4.3.2.1
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000608 ]
+ [ payload load 4b @ network header + 24 => reg 1 ]
+ [ cmp eq reg 1 0x01020304 ]
+
+# arp saddr ether aa:bb:cc:aa:bb:cc
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000608 ]
+ [ payload load 6b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp daddr ether aa:bb:cc:aa:bb:cc
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000608 ]
+ [ payload load 6b @ network header + 18 => reg 1 ]
+ [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
-- cgit v1.2.3