From a5d52efe21e0f0ba6447b48e1646bb7046cb09eb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 3 Nov 2020 12:21:29 +0100
Subject: [PATCH] xtables-arp: Don't use ARPT_INV_*
Arptables invflags are partly identical to IPT_INV_* ones but the bits
are differently assigned. Eliminate this incompatibility by definition
of the unique invflags in nft-arp.h on bits that don't collide with
IPT_INV_* ones, then use those in combination with IPT_INV_* ones in
arptables-specific code.
Note that ARPT_INV_ARPPRO is replaced by IPT_INV_PROTO although these
are in fact different options - yet since '-p' option is not supported
by arptables, this does not lead to a collision.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 44457c0805905ea22b4ecf9156648e774dd29155)
---
iptables/nft-arp.c | 92 ++++++++++++++++--------------------------
iptables/nft-arp.h | 7 ++++
iptables/xtables-arp.c | 22 +++++-----
3 files changed, 53 insertions(+), 68 deletions(-)
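diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 776b55949472b..ec8147dd58c0d 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -134,34 +134,34 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 int ret = 0;
 
 if (fw->arp.iniface[0] != '\0') {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_VIA_IN);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_IN);
 add_iniface(r, fw->arp.iniface, op);
 }
 
 if (fw->arp.outiface[0] != '\0') {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_VIA_OUT);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_OUT);
 add_outiface(r, fw->arp.outiface, op);
 }
 
 if (fw->arp.arhrd != 0 ||
- fw->arp.invflags & ARPT_INV_ARPHRD) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHRD);
+ fw->arp.invflags & IPT_INV_ARPHRD) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHRD);
 add_payload(r, offsetof(struct arphdr, ar_hrd), 2,
 NFT_PAYLOAD_NETWORK_HEADER);
 add_cmp_u16(r, fw->arp.arhrd, op);
 }
 
 if (fw->arp.arpro != 0 ||
- fw->arp.invflags & ARPT_INV_ARPPRO) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPPRO);
+ fw->arp.invflags & IPT_INV_PROTO) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_PROTO);
 add_payload(r, offsetof(struct arphdr, ar_pro), 2,
 NFT_PAYLOAD_NETWORK_HEADER);
 add_cmp_u16(r, fw->arp.arpro, op);
 }
 
 if (fw->arp.arhln != 0 ||
- fw->arp.invflags & ARPT_INV_ARPHLN) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHLN);
+ fw->arp.invflags & IPT_INV_ARPHLN) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHLN);
 add_proto(r, offsetof(struct arphdr, ar_hln), 1,
 fw->arp.arhln, op);
 }
@@ -169,15 +169,15 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 add_proto(r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ);
 
 if (fw->arp.arpop != 0 ||
- fw->arp.invflags & ARPT_INV_ARPOP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPOP);
+ fw->arp.invflags & IPT_INV_ARPOP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPOP);
 add_payload(r, offsetof(struct arphdr, ar_op), 2,
 NFT_PAYLOAD_NETWORK_HEADER);
 add_cmp_u16(r, fw->arp.arpop, op);
 }
 
 if (need_devaddr(&fw->arp.src_devaddr)) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_SRCDEVADDR);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCDEVADDR);
 add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
 sizeof(struct arphdr),
 &fw->arp.src_devaddr.addr,
@@ -188,8 +188,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 
 if (fw->arp.src.s_addr != 0 ||
 fw->arp.smsk.s_addr != 0 ||
- fw->arp.invflags & ARPT_INV_SRCIP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_SRCIP);
+ fw->arp.invflags & IPT_INV_SRCIP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCIP);
 add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
 sizeof(struct arphdr) + fw->arp.arhln,
 &fw->arp.src.s_addr, &fw->arp.smsk.s_addr,
@@ -198,7 +198,7 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 
 
 if (need_devaddr(&fw->arp.tgt_devaddr)) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTDEVADDR);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_TGTDEVADDR);
 add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
 sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr),
 &fw->arp.tgt_devaddr.addr,
@@ -208,8 +208,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 
 if (fw->arp.tgt.s_addr != 0 ||
 fw->arp.tmsk.s_addr != 0 ||
- fw->arp.invflags & ARPT_INV_TGTIP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
+ fw->arp.invflags & IPT_INV_DSTIP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_DSTIP);
 add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
 sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr) + fw->arp.arhln,
 &fw->arp.tgt.s_addr, &fw->arp.tmsk.s_addr,
@@ -240,28 +240,6 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 return ret;
 }
 
-static uint16_t ipt_to_arpt_flags(uint8_t invflags)
-{
- uint16_t result = 0;
-
- if (invflags & IPT_INV_VIA_IN)
- result |= ARPT_INV_VIA_IN;
-
- if (invflags & IPT_INV_VIA_OUT)
- result |= ARPT_INV_VIA_OUT;
-
- if (invflags & IPT_INV_SRCIP)
- result |= ARPT_INV_SRCIP;
-
- if (invflags & IPT_INV_DSTIP)
- result |= ARPT_INV_TGTIP;
-
- if (invflags & IPT_INV_PROTO)
- result |= ARPT_INV_ARPPRO;
-
- return result;
-}
-
 static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 void *data)
 {
@@ -273,7 +251,7 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 fw->arp.outiface, fw->arp.outiface_mask,
 &flags);
 
- fw->arp.invflags |= ipt_to_arpt_flags(flags);
+ fw->arp.invflags |= flags;
 }
 
 static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
@@ -330,33 +308,33 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 fw->arp.arhrd = ar_hrd;
 fw->arp.arhrd_mask = 0xffff;
 if (inv)
- fw->arp.invflags |= ARPT_INV_ARPHRD;
+ fw->arp.invflags |= IPT_INV_ARPHRD;
 break;
 case offsetof(struct arphdr, ar_pro):
 get_cmp_data(e, &ar_pro, sizeof(ar_pro), &inv;;
 fw->arp.arpro = ar_pro;
 fw->arp.arpro_mask = 0xffff;
 if (inv)
- fw->arp.invflags |= ARPT_INV_ARPPRO;
+ fw->arp.invflags |= IPT_INV_PROTO;
 break;
 case offsetof(struct arphdr, ar_op):
 get_cmp_data(e, &ar_op, sizeof(ar_op), &inv;;
 fw->arp.arpop = ar_op;
 fw->arp.arpop_mask = 0xffff;
 if (inv)
- fw->arp.invflags |= ARPT_INV_ARPOP;
+ fw->arp.invflags |= IPT_INV_ARPOP;
 break;
 case offsetof(struct arphdr, ar_hln):
 get_cmp_data(e, &ar_hln, sizeof(ar_hln), &inv;;
 fw->arp.arhln = ar_hln;
 fw->arp.arhln_mask = 0xff;
 if (inv)
- fw->arp.invflags |= ARPT_INV_ARPOP;
+ fw->arp.invflags |= IPT_INV_ARPOP;
 break;
 default:
 if (ctx->payload.offset == sizeof(struct arphdr)) {
 if (nft_arp_parse_devaddr(ctx, e, &fw->arp.src_devaddr))
- fw->arp.invflags |= ARPT_INV_SRCDEVADDR;
+ fw->arp.invflags |= IPT_INV_SRCDEVADDR;
 } else if (ctx->payload.offset == sizeof(struct arphdr) +
 fw->arp.arhln) {
 get_cmp_data(e, &addr, sizeof(addr), &inv;;
@@ -371,12 +349,12 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 }
 
 if (inv)
- fw->arp.invflags |= ARPT_INV_SRCIP;
+ fw->arp.invflags |= IPT_INV_SRCIP;
 } else if (ctx->payload.offset == sizeof(struct arphdr) +
 fw->arp.arhln +
 sizeof(struct in_addr)) {
 if (nft_arp_parse_devaddr(ctx, e, &fw->arp.tgt_devaddr))
- fw->arp.invflags |= ARPT_INV_TGTDEVADDR;
+ fw->arp.invflags |= IPT_INV_TGTDEVADDR;
 } else if (ctx->payload.offset == sizeof(struct arphdr) +
 fw->arp.arhln +
 sizeof(struct in_addr) +
@@ -393,7 +371,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 }
 
 if (inv)
- fw->arp.invflags |= ARPT_INV_TGTIP;
+ fw->arp.invflags |= IPT_INV_DSTIP;
 }
 break;
 }
@@ -448,7 +426,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 else strcat(iface, "any");
 }
 if (print_iface) {
- printf("%s%s-i %s", sep, fw->arp.invflags & ARPT_INV_VIA_IN ?
+ printf("%s%s-i %s", sep, fw->arp.invflags & IPT_INV_VIA_IN ?
 "! " : "", iface);
 sep = " ";
 }
@@ -466,13 +444,13 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 else strcat(iface, "any");
 }
 if (print_iface) {
- printf("%s%s-o %s", sep, fw->arp.invflags & ARPT_INV_VIA_OUT ?
+ printf("%s%s-o %s", sep, fw->arp.invflags & IPT_INV_VIA_OUT ?
 "! " : "", iface);
 sep = " ";
 }
 
 if (fw->arp.smsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_SRCIP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
 ? "! " : "");
 if (format & FMT_NUMERIC)
 sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
@@ -489,7 +467,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 break;
 if (i == ARPT_DEV_ADDR_LEN_MAX)
 goto after_devsrc;
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_SRCDEVADDR
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCDEVADDR
 ? "! " : "");
 printf("--src-mac ");
 xtables_print_mac_and_mask((unsigned char *)fw->arp.src_devaddr.addr,
@@ -498,7 +476,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 after_devsrc:
 
 if (fw->arp.tmsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_TGTIP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
 ? "! " : "");
 if (format & FMT_NUMERIC)
 sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
@@ -515,7 +493,7 @@ after_devsrc:
 break;
 if (i == ARPT_DEV_ADDR_LEN_MAX)
 goto after_devdst;
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_TGTDEVADDR
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_TGTDEVADDR
 ? "! " : "");
 printf("--dst-mac ");
 xtables_print_mac_and_mask((unsigned char *)fw->arp.tgt_devaddr.addr,
@@ -525,7 +503,7 @@ after_devsrc:
 after_devdst:
 
 if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHLN
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN
 ? "! " : "");
 printf("--h-length %d", fw->arp.arhln);
 if (fw->arp.arhln_mask != 255)
@@ -536,7 +514,7 @@ after_devdst:
 if (fw->arp.arpop_mask != 0) {
 int tmp = ntohs(fw->arp.arpop);
 
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPOP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPOP
 ? "! " : "");
 if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
 printf("--opcode %s", arp_opcodes[tmp-1]);
@@ -551,7 +529,7 @@ after_devdst:
 if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
 uint16_t tmp = ntohs(fw->arp.arhrd);
 
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHRD
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD
 ? "! " : "");
 if (tmp == 1 && !(format & FMT_NUMERIC))
 printf("--h-type %s", "Ethernet");
@@ -565,7 +543,7 @@ after_devdst:
 if (fw->arp.arpro_mask != 0) {
 int tmp = ntohs(fw->arp.arpro);
 
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPPRO
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_PROTO
 ? "! " : "");
 if (tmp == 0x0800 && !(format & FMT_NUMERIC))
 printf("--proto-type %s", "IPv4");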
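Review bot: In nft_arp_parse_payload, the `case offsetof(struct arphdr, ar_hln):` branch still records an inverted match as `IPT_INV_ARPOP`; the rename carried the old `ARPT_INV_ARPOP` over unchanged, while nft_arp_add and nft_arp_print_rule_details both test `IPT_INV_ARPHLN` for the hardware-length field. A rule read back with a negated `--h-length` would therefore be listed as a plain h-length match, with the inversion landing on the opcode bit instead, so the printed or saved ruleset would no longer describe what is enforced. The line should read `fw->arp.invflags |= IPT_INV_ARPHLN;`. The function's body starts and ends outside the hunk.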
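diff --git a/iptables/nft-arp.h b/iptables/nft-arp.h
index 3411fc3d7c7b3..0d93a31f563b1 100644
--- a/iptables/nft-arp.h
+++ b/iptables/nft-arp.h
@@ -4,4 +4,11 @@
 extern char *arp_opcodes[];
 #define NUMOPCODES 9
 
+/* define invflags which won't collide with IPT ones */
+#define IPT_INV_SRCDEVADDR 0x0080
+#define IPT_INV_TGTDEVADDR 0x0100
+#define IPT_INV_ARPHLN 0x0200
+#define IPT_INV_ARPOP 0x0400
+#define IPT_INV_ARPHRD 0x0800
+
 #endif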
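Review bot: The comment above the new macros says they will not collide with the IPT ones, but it states neither which bits they must stay clear of nor how wide the storage has to be: `IPT_INV_TGTDEVADDR` (0x0100) and the three after it do not fit in 8 bits, and the helper removed from nft-arp.c in this same commit took its flags as `uint8_t`. If any invflags variable or parameter on the arptables path is still 8 bits wide (not visible here), those inversions would be dropped silently and a negated match would be handled as a positive one. I would extend the comment to something like `/* arptables-only invflags, placed above the IPT_INV_* bits; they need a 16-bit invflags field and must never pass through a uint8_t */`.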
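diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index c8196f08baa59..3f96cb22c3ec0 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -113,22 +113,22 @@ struct xtables_globals arptables_globals = {
 static int inverse_for_options[] =
 {
 /* -n */ 0,
-/* -s */ ARPT_INV_SRCIP,
-/* -d */ ARPT_INV_TGTIP,
+/* -s */ IPT_INV_SRCIP,
+/* -d */ IPT_INV_DSTIP,
 /* -p */ 0,
 /* -j */ 0,
 /* -v */ 0,
 /* -x */ 0,
-/* -i */ ARPT_INV_VIA_IN,
-/* -o */ ARPT_INV_VIA_OUT,
+/* -i */ IPT_INV_VIA_IN,
+/* -o */ IPT_INV_VIA_OUT,
 /*--line*/ 0,
 /* -c */ 0,
-/* 2 */ ARPT_INV_SRCDEVADDR,
-/* 3 */ ARPT_INV_TGTDEVADDR,
-/* -l */ ARPT_INV_ARPHLN,
-/* 4 */ ARPT_INV_ARPOP,
-/* 5 */ ARPT_INV_ARPHRD,
-/* 6 */ ARPT_INV_ARPPRO,
+/* 2 */ IPT_INV_SRCDEVADDR,
+/* 3 */ IPT_INV_TGTDEVADDR,
+/* -l */ IPT_INV_ARPHLN,
+/* 4 */ IPT_INV_ARPOP,
+/* 5 */ IPT_INV_ARPHRD,
+/* 6 */ IPT_INV_PROTO,
 };
 
 /***********************************************/
@@ -903,7 +903,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
 &dmasks, &ndaddrs);
 
 if ((nsaddrs > 1 || ndaddrs > 1) &&
- (cs.arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs.arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
 xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple"
 " source or destination IP addresses");
 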
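Review bot: In `inverse_for_options[]`, slot `/* 6 */` now carries `IPT_INV_PROTO` while `/* -p */` stays 0, and only the commit message explains why that is safe. The table pairs entries with options by position alone, so a later change that gives `-p` an inversion flag would make two different options share one bit with no compile-time signal. A comment on the entry would keep the constraint next to the code, for example `/* 6 */ IPT_INV_PROTO, /* --proto-type; -p must stay 0 or it would share this bit */`. The array's use sites are outside the hunk.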
--
2.31.1