sys/linux/netfilter_arp.txt - platform/external/syzkaller - Git at Google

 # Copyright 2018 syzkaller project authors. All rights reserved.
 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

 include <linux/socket.h>
 include <uapi/linux/netfilter_arp/arp_tables.h>
 include <uapi/linux/netfilter_arp/arpt_mangle.h>

 setsockopt$ARPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_SET_REPLACE], val ptr[in, arpt_replace], len len[val])
 setsockopt$ARPT_SO_SET_ADD_COUNTERS(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_SET_ADD_COUNTERS], val ptr[in, arpt_counters_info], len len[val])
 getsockopt$ARPT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_INFO], val ptr[in, arpt_getinfo], len ptr[in, len[val, int32]])
 getsockopt$ARPT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_ENTRIES], val ptr[in, arpt_get_entries], len ptr[in, len[val, int32]])
 getsockopt$ARPT_SO_GET_REVISION_TARGET(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])

 arpt_replace {
 	name			string["filter", XT_TABLE_MAXNAMELEN]
 	valid_hooks		const[ARPT_FILTER_VALID_HOOKS, int32]
 	num_entries		const[4, int32]
 	size			bytesize[entries, int32]
 	hook_in			ipt_hook
 	hook_out		ipt_hook
 	hook_forward		ipt_hook
 	underflow_in		ipt_hook
 	underflow_out		ipt_hook
 	underflow_forward	ipt_hook
 	num_counters		const[4, int32]
 	counters		ptr[out, array[xt_counters, 4]]
 	entries			arpt_replace_entries
 }

 define ARPT_FILTER_VALID_HOOKS	(1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD)

 arpt_replace_entries {
 	entries		array[arpt_entry, 3]
 	underflow	arpt_entry_underflow
 } [packed, align_ptr]

 arpt_entry {
 	matches	arpt_entry_matches
 	target	arpt_targets
 } [packed, align_ptr]

 arpt_entry_matches {
 	arp		arpt_arp_or_uncond
 	target_offset	len[parent, int16]
 	next_offset	len[arpt_entry, int16]
 	comefrom	const[0, int32]
 	counters	xt_counters
 # Note: matches should go here, but they seem to be unused in arp tables.
 } [align_ptr]

 arpt_entry_underflow {
 	matches	arpt_entry_underflow_matches
 	target	xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
 } [align_ptr]

 arpt_entry_underflow_matches {
 	arp		arpt_arp_uncond
 	target_offset	len[parent, int16]
 	next_offset	len[arpt_entry_underflow, int16]
 	comefrom	const[0, int32]
 	counters	xt_counters
 }

 arpt_arp_or_uncond [
 	arp	arpt_arp
 	uncond	arpt_arp_uncond
 ]

 type arpt_arp_uncond array[const[0, int8], ARPT_ARP_SIZE]
 define ARPT_ARP_SIZE	sizeof(struct arpt_arp)

 arpt_arp {
 	src		ipv4_addr
 	dst		ipv4_addr
 	smsk		ipv4_addr_mask
 	dmsk		ipv4_addr_mask
 	src_devaddr	arpt_devaddr
 	src_devmask	arpt_devmask
 	tgt_devaddr	arpt_devaddr
 	tgt_devmask	arpt_devmask
 	arpop		int16be
 	arpop_mask	int16be
 	arhrd		int16be
 	arhrd_mask	int16be
 	arpro		int16be
 	arpro_mask	int16be
 	iniface		devname
 	outiface	devname
 	iniface_mask	devname_mask
 	outiface_mask	devname_mask
 	flags		const[0, int8]
 	invflags	flags[arpt_arp_invflags, int16]
 }

 arpt_devaddr [
 	empty	array[const[0, int8], ARPT_DEV_ADDR_LEN_MAX]
 	mac	mac_addr
 ]

 arpt_devmask {
 	mac	mac_addr_mask
 } [size[ARPT_DEV_ADDR_LEN_MAX]]

 arpt_arp_invflags = ARPT_INV_VIA_IN, ARPT_INV_VIA_OUT, ARPT_INV_SRCIP, ARPT_INV_TGTIP, ARPT_INV_SRCDEVADDR, ARPT_INV_TGTDEVADDR, ARPT_INV_ARPOP, ARPT_INV_ARPHRD, ARPT_INV_ARPPRO, ARPT_INV_ARPHLN

 arpt_targets [
 	unspec	xt_unspec_targets
 	mangle	xt_target_t["mangle", arpt_mangle, 0]
 ] [varlen]

 arpt_mangle {
 	src_devaddr	arpt_devaddr
 	tgt_devaddr	arpt_devaddr
 	src_ip		ipv4_addr
 	tgt_ip		ipv4_addr
 	flags		flags[arpt_mangle_flags, int8]
 	target		flags[arpt_mangle_targets, int32]
 }

 arpt_mangle_flags = ARPT_MANGLE_SDEV, ARPT_MANGLE_TDEV, ARPT_MANGLE_SIP, ARPT_MANGLE_TIP, ARPT_MANGLE_MASK
 arpt_mangle_targets = NF_DROP, NF_ACCEPT, XT_CONTINUE

 arpt_counters_info {
 	name		string["filter", XT_TABLE_MAXNAMELEN]
 	num_counters	len[counters, int32]
 	counters	array[xt_counters, 4:4]
 }

 arpt_getinfo {
 	name		string["filter", XT_TABLE_MAXNAMELEN]
 	valid_hooks	const[0, int32]
 	hook_entry	array[const[0, int32], NF_ARP_NUMHOOKS]
 	underflow	array[const[0, int32], NF_ARP_NUMHOOKS]
 	num_entries	const[0, int32]
 	size		const[0, int32]
 }

 arpt_get_entries {
 	name		string["filter", XT_TABLE_MAXNAMELEN]
 	size		bytesize[entrytable, int32]
 	entrytable	array[int8]
 }
	# Copyright 2018 syzkaller project authors. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	include <linux/socket.h>
	include <uapi/linux/netfilter_arp/arp_tables.h>
	include <uapi/linux/netfilter_arp/arpt_mangle.h>

	setsockopt$ARPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_SET_REPLACE], val ptr[in, arpt_replace], len len[val])
	setsockopt$ARPT_SO_SET_ADD_COUNTERS(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_SET_ADD_COUNTERS], val ptr[in, arpt_counters_info], len len[val])
	getsockopt$ARPT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_INFO], val ptr[in, arpt_getinfo], len ptr[in, len[val, int32]])
	getsockopt$ARPT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_ENTRIES], val ptr[in, arpt_get_entries], len ptr[in, len[val, int32]])
	getsockopt$ARPT_SO_GET_REVISION_TARGET(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])

	arpt_replace {
	name string["filter", XT_TABLE_MAXNAMELEN]
	valid_hooks const[ARPT_FILTER_VALID_HOOKS, int32]
	num_entries const[4, int32]
	size bytesize[entries, int32]
	hook_in ipt_hook
	hook_out ipt_hook
	hook_forward ipt_hook
	underflow_in ipt_hook
	underflow_out ipt_hook
	underflow_forward ipt_hook
	num_counters const[4, int32]
	counters ptr[out, array[xt_counters, 4]]
	entries arpt_replace_entries
	}

	define ARPT_FILTER_VALID_HOOKS (1 << NF_ARP_IN) \| (1 << NF_ARP_OUT) \| (1 << NF_ARP_FORWARD)

	arpt_replace_entries {
	entries array[arpt_entry, 3]
	underflow arpt_entry_underflow
	} [packed, align_ptr]

	arpt_entry {
	matches arpt_entry_matches
	target arpt_targets
	} [packed, align_ptr]

	arpt_entry_matches {
	arp arpt_arp_or_uncond
	target_offset len[parent, int16]
	next_offset len[arpt_entry, int16]
	comefrom const[0, int32]
	counters xt_counters
	# Note: matches should go here, but they seem to be unused in arp tables.
	} [align_ptr]

	arpt_entry_underflow {
	matches arpt_entry_underflow_matches
	target xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
	} [align_ptr]

	arpt_entry_underflow_matches {
	arp arpt_arp_uncond
	target_offset len[parent, int16]
	next_offset len[arpt_entry_underflow, int16]
	comefrom const[0, int32]
	counters xt_counters
	}

	arpt_arp_or_uncond [
	arp arpt_arp
	uncond arpt_arp_uncond
	]

	type arpt_arp_uncond array[const[0, int8], ARPT_ARP_SIZE]
	define ARPT_ARP_SIZE sizeof(struct arpt_arp)

	arpt_arp {
	src ipv4_addr
	dst ipv4_addr
	smsk ipv4_addr_mask
	dmsk ipv4_addr_mask
	src_devaddr arpt_devaddr
	src_devmask arpt_devmask
	tgt_devaddr arpt_devaddr
	tgt_devmask arpt_devmask
	arpop int16be
	arpop_mask int16be
	arhrd int16be
	arhrd_mask int16be
	arpro int16be
	arpro_mask int16be
	iniface devname
	outiface devname
	iniface_mask devname_mask
	outiface_mask devname_mask
	flags const[0, int8]
	invflags flags[arpt_arp_invflags, int16]
	}

	arpt_devaddr [
	empty array[const[0, int8], ARPT_DEV_ADDR_LEN_MAX]
	mac mac_addr
	]

	arpt_devmask {
	mac mac_addr_mask
	} [size[ARPT_DEV_ADDR_LEN_MAX]]

	arpt_arp_invflags = ARPT_INV_VIA_IN, ARPT_INV_VIA_OUT, ARPT_INV_SRCIP, ARPT_INV_TGTIP, ARPT_INV_SRCDEVADDR, ARPT_INV_TGTDEVADDR, ARPT_INV_ARPOP, ARPT_INV_ARPHRD, ARPT_INV_ARPPRO, ARPT_INV_ARPHLN

	arpt_targets [
	unspec xt_unspec_targets
	mangle xt_target_t["mangle", arpt_mangle, 0]
	] [varlen]

	arpt_mangle {
	src_devaddr arpt_devaddr
	tgt_devaddr arpt_devaddr
	src_ip ipv4_addr
	tgt_ip ipv4_addr
	flags flags[arpt_mangle_flags, int8]
	target flags[arpt_mangle_targets, int32]
	}

	arpt_mangle_flags = ARPT_MANGLE_SDEV, ARPT_MANGLE_TDEV, ARPT_MANGLE_SIP, ARPT_MANGLE_TIP, ARPT_MANGLE_MASK
	arpt_mangle_targets = NF_DROP, NF_ACCEPT, XT_CONTINUE

	arpt_counters_info {
	name string["filter", XT_TABLE_MAXNAMELEN]
	num_counters len[counters, int32]
	counters array[xt_counters, 4:4]
	}

	arpt_getinfo {
	name string["filter", XT_TABLE_MAXNAMELEN]
	valid_hooks const[0, int32]
	hook_entry array[const[0, int32], NF_ARP_NUMHOOKS]
	underflow array[const[0, int32], NF_ARP_NUMHOOKS]
	num_entries const[0, int32]
	size const[0, int32]
	}

	arpt_get_entries {
	name string["filter", XT_TABLE_MAXNAMELEN]
	size bytesize[entrytable, int32]
	entrytable array[int8]
	}