diff options
Diffstat (limited to 'iptables/nft-arp.c')
-rw-r--r-- | iptables/nft-arp.c | 140 |
1 files changed, 0 insertions, 140 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index d2756309..265de5f8 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -160,141 +160,6 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, return ret; } -static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, - const struct nft_xt_ctx_reg *reg, - struct nftnl_expr *e, - struct iptables_command_state *cs) -{ - struct arpt_entry *fw = &cs->arp; - uint8_t flags = 0; - - if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface, fw->arp.iniface_mask, - fw->arp.outiface, fw->arp.outiface_mask, - &flags) == 0) { - fw->arp.invflags |= flags; - return; - } - - ctx->errmsg = "Unknown arp meta key"; -} - -static void parse_mask_ipv4(const struct nft_xt_ctx_reg *reg, struct in_addr *mask) -{ - mask->s_addr = reg->bitwise.mask[0]; -} - -static bool nft_arp_parse_devaddr(const struct nft_xt_ctx_reg *reg, - struct nftnl_expr *e, - struct arpt_devaddr_info *info) -{ - uint32_t hlen; - bool inv; - - nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &hlen); - - if (hlen != ETH_ALEN) - return false; - - get_cmp_data(e, info->addr, ETH_ALEN, &inv); - - if (reg->bitwise.set) - memcpy(info->mask, reg->bitwise.mask, ETH_ALEN); - else - memset(info->mask, 0xff, - min(reg->payload.len, ETH_ALEN)); - - return inv; -} - -static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, - const struct nft_xt_ctx_reg *reg, - struct nftnl_expr *e, - struct iptables_command_state *cs) -{ - struct arpt_entry *fw = &cs->arp; - struct in_addr addr; - uint16_t ar_hrd, ar_pro, ar_op; - uint8_t ar_hln, ar_pln; - bool inv; - - switch (reg->payload.offset) { - case offsetof(struct arphdr, ar_hrd): - get_cmp_data(e, &ar_hrd, sizeof(ar_hrd), &inv); - fw->arp.arhrd = ar_hrd; - fw->arp.arhrd_mask = 0xffff; - if (inv) - fw->arp.invflags |= IPT_INV_ARPHRD; - break; - case offsetof(struct arphdr, ar_pro): - get_cmp_data(e, &ar_pro, sizeof(ar_pro), &inv); - fw->arp.arpro = ar_pro; - fw->arp.arpro_mask = 0xffff; - if (inv) - fw->arp.invflags |= IPT_INV_PROTO; - break; - case offsetof(struct arphdr, ar_op): - get_cmp_data(e, &ar_op, sizeof(ar_op), &inv); - fw->arp.arpop = ar_op; - fw->arp.arpop_mask = 0xffff; - if (inv) - fw->arp.invflags |= IPT_INV_ARPOP; - break; - case offsetof(struct arphdr, ar_hln): - get_cmp_data(e, &ar_hln, sizeof(ar_hln), &inv); - fw->arp.arhln = ar_hln; - fw->arp.arhln_mask = 0xff; - if (inv) - fw->arp.invflags |= IPT_INV_ARPHLN; - break; - case offsetof(struct arphdr, ar_pln): - get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv); - if (ar_pln != 4 || inv) - ctx->errmsg = "unexpected ARP protocol length match"; - break; - default: - if (reg->payload.offset == sizeof(struct arphdr)) { - if (nft_arp_parse_devaddr(reg, e, &fw->arp.src_devaddr)) - fw->arp.invflags |= IPT_INV_SRCDEVADDR; - } else if (reg->payload.offset == sizeof(struct arphdr) + - fw->arp.arhln) { - get_cmp_data(e, &addr, sizeof(addr), &inv); - fw->arp.src.s_addr = addr.s_addr; - if (reg->bitwise.set) - parse_mask_ipv4(reg, &fw->arp.smsk); - else - memset(&fw->arp.smsk, 0xff, - min(reg->payload.len, - sizeof(struct in_addr))); - - if (inv) - fw->arp.invflags |= IPT_INV_SRCIP; - } else if (reg->payload.offset == sizeof(struct arphdr) + - fw->arp.arhln + - sizeof(struct in_addr)) { - if (nft_arp_parse_devaddr(reg, e, &fw->arp.tgt_devaddr)) - fw->arp.invflags |= IPT_INV_TGTDEVADDR; - } else if (reg->payload.offset == sizeof(struct arphdr) + - fw->arp.arhln + - sizeof(struct in_addr) + - fw->arp.arhln) { - get_cmp_data(e, &addr, sizeof(addr), &inv); - fw->arp.tgt.s_addr = addr.s_addr; - if (reg->bitwise.set) - parse_mask_ipv4(reg, &fw->arp.tmsk); - else - memset(&fw->arp.tmsk, 0xff, - min(reg->payload.len, - sizeof(struct in_addr))); - - if (inv) - fw->arp.invflags |= IPT_INV_DSTIP; - } else { - ctx->errmsg = "unknown payload offset"; - } - break; - } -} - static void nft_arp_print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, @@ -781,11 +646,6 @@ nft_arp_replace_entry(struct nft_handle *h, return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); } -static struct nft_ruleparse_ops nft_ruleparse_ops_arp = { - .meta = nft_arp_parse_meta, - .payload = nft_arp_parse_payload, - .target = nft_ipv46_parse_target, -}; struct nft_family_ops nft_family_ops_arp = { .add = nft_arp_add, .is_same = nft_arp_is_same, |