1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * ebt_arp
4 *
5 * Authors:
6 * Bart De Schuymer <bdschuym@pandora.be>
7 * Tim Gardner <timg@tpi.com>
8 *
9 * April, 2002
10 *
11 */
12 #include <linux/if_arp.h>
13 #include <linux/if_ether.h>
14 #include <linux/module.h>
15 #include <linux/netfilter/x_tables.h>
16 #include <linux/netfilter_bridge/ebtables.h>
17 #include <linux/netfilter_bridge/ebt_arp.h>
18
19 static bool
ebt_arp_mt(const struct sk_buff * skb,struct xt_action_param * par)20 ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
21 {
22 const struct ebt_arp_info *info = par->matchinfo;
23 const struct arphdr *ah;
24 struct arphdr _arph;
25
26 ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
27 if (ah == NULL)
28 return false;
29 if ((info->bitmask & EBT_ARP_OPCODE) &&
30 NF_INVF(info, EBT_ARP_OPCODE, info->opcode != ah->ar_op))
31 return false;
32 if ((info->bitmask & EBT_ARP_HTYPE) &&
33 NF_INVF(info, EBT_ARP_HTYPE, info->htype != ah->ar_hrd))
34 return false;
35 if ((info->bitmask & EBT_ARP_PTYPE) &&
36 NF_INVF(info, EBT_ARP_PTYPE, info->ptype != ah->ar_pro))
37 return false;
38
39 if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) {
40 const __be32 *sap, *dap;
41 __be32 saddr, daddr;
42
43 if (ah->ar_pln != sizeof(__be32) || ah->ar_pro != htons(ETH_P_IP))
44 return false;
45 sap = skb_header_pointer(skb, sizeof(struct arphdr) +
46 ah->ar_hln, sizeof(saddr),
47 &saddr);
48 if (sap == NULL)
49 return false;
50 dap = skb_header_pointer(skb, sizeof(struct arphdr) +
51 2*ah->ar_hln+sizeof(saddr),
52 sizeof(daddr), &daddr);
53 if (dap == NULL)
54 return false;
55 if ((info->bitmask & EBT_ARP_SRC_IP) &&
56 NF_INVF(info, EBT_ARP_SRC_IP,
57 info->saddr != (*sap & info->smsk)))
58 return false;
59 if ((info->bitmask & EBT_ARP_DST_IP) &&
60 NF_INVF(info, EBT_ARP_DST_IP,
61 info->daddr != (*dap & info->dmsk)))
62 return false;
63 if ((info->bitmask & EBT_ARP_GRAT) &&
64 NF_INVF(info, EBT_ARP_GRAT, *dap != *sap))
65 return false;
66 }
67
68 if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) {
69 const unsigned char *mp;
70 unsigned char _mac[ETH_ALEN];
71
72 if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER))
73 return false;
74 if (info->bitmask & EBT_ARP_SRC_MAC) {
75 mp = skb_header_pointer(skb, sizeof(struct arphdr),
76 sizeof(_mac), &_mac);
77 if (mp == NULL)
78 return false;
79 if (NF_INVF(info, EBT_ARP_SRC_MAC,
80 !ether_addr_equal_masked(mp, info->smaddr,
81 info->smmsk)))
82 return false;
83 }
84
85 if (info->bitmask & EBT_ARP_DST_MAC) {
86 mp = skb_header_pointer(skb, sizeof(struct arphdr) +
87 ah->ar_hln + ah->ar_pln,
88 sizeof(_mac), &_mac);
89 if (mp == NULL)
90 return false;
91 if (NF_INVF(info, EBT_ARP_DST_MAC,
92 !ether_addr_equal_masked(mp, info->dmaddr,
93 info->dmmsk)))
94 return false;
95 }
96 }
97
98 return true;
99 }
100
ebt_arp_mt_check(const struct xt_mtchk_param * par)101 static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
102 {
103 const struct ebt_arp_info *info = par->matchinfo;
104 const struct ebt_entry *e = par->entryinfo;
105
106 if ((e->ethproto != htons(ETH_P_ARP) &&
107 e->ethproto != htons(ETH_P_RARP)) ||
108 e->invflags & EBT_IPROTO)
109 return -EINVAL;
110 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
111 return -EINVAL;
112 return 0;
113 }
114
115 static struct xt_match ebt_arp_mt_reg __read_mostly = {
116 .name = "arp",
117 .revision = 0,
118 .family = NFPROTO_BRIDGE,
119 .match = ebt_arp_mt,
120 .checkentry = ebt_arp_mt_check,
121 .matchsize = sizeof(struct ebt_arp_info),
122 .me = THIS_MODULE,
123 };
124
ebt_arp_init(void)125 static int __init ebt_arp_init(void)
126 {
127 return xt_register_match(&ebt_arp_mt_reg);
128 }
129
ebt_arp_fini(void)130 static void __exit ebt_arp_fini(void)
131 {
132 xt_unregister_match(&ebt_arp_mt_reg);
133 }
134
135 module_init(ebt_arp_init);
136 module_exit(ebt_arp_fini);
137 MODULE_DESCRIPTION("Ebtables: ARP protocol packet match");
138 MODULE_LICENSE("GPL");
139