From patchwork Fri Dec  7 12:57:00 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso <pablo@netfilter.org>
X-Patchwork-Id: 1009404
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netfilter-devel-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=netfilter.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 43BCDS6mkSz9s3Z
	for <incoming@patchwork.ozlabs.org>;
	Fri,  7 Dec 2018 23:57:28 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1726128AbeLGM52 (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Fri, 7 Dec 2018 07:57:28 -0500
Received: from mail.us.es ([193.147.175.20]:39542 "EHLO mail.us.es"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1726014AbeLGM51 (ORCPT <rfc822; netfilter-devel@vger.kernel.org>);
	Fri, 7 Dec 2018 07:57:27 -0500
Received: from antivirus1-rhel7.int (unknown [192.168.2.11])
	by mail.us.es (Postfix) with ESMTP id D42EC141B2E
	for <netfilter-devel@vger.kernel.org>;
	Fri,  7 Dec 2018 13:57:25 +0100 (CET)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
	by antivirus1-rhel7.int (Postfix) with ESMTP id AC112DA7E9
	for <netfilter-devel@vger.kernel.org>;
	Fri,  7 Dec 2018 13:57:09 +0100 (CET)
Received: by antivirus1-rhel7.int (Postfix, from userid 99)
	id A1782DA7E8; Fri,  7 Dec 2018 13:57:09 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	antivirus1-rhel7.int
X-Spam-Level: 
X-Spam-Status: No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,
	SMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
	by antivirus1-rhel7.int (Postfix) with ESMTP id 85B63DA79E
	for <netfilter-devel@vger.kernel.org>;
	Fri,  7 Dec 2018 13:57:05 +0100 (CET)
Received: from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int
	(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int);
	Fri, 07 Dec 2018 13:57:05 +0100 (CET)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)
Received: from salvia.here (sys.soleta.eu [212.170.55.40])
	(Authenticated sender: pneira@us.es)
	by entrada.int (Postfix) with ESMTPA id 6C55A4265A5C
	for <netfilter-devel@vger.kernel.org>;
	Fri,  7 Dec 2018 13:57:05 +0100 (CET)
X-SMTPAUTHUS: auth mail.us.es
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH RFC] src: support for arp ether and IP source and
	destination fields
Date: Fri,  7 Dec 2018 13:57:00 +0100
Message-Id: <20181207125700.20432-1-pablo@netfilter.org>
X-Mailer: git-send-email 2.11.0
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg.

 # nft add table arp x
 # nft add chain arp x y { type filter hook input priority 0\; }
 # nft add rule arp x y arp ip-saddr 192.168.2.1 counter

Testing this:

 # ip neigh flush dev eth0
 # ping 8.8.8.8
 # nft list ruleset
 table arp x {
        chain y {
                type filter hook input priority filter; policy accept;
		arp ip-saddr 192.168.2.1 counter packets 1 bytes 46
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Documentation is still missing, and we should generate dependencies to
restrict htype and ptype.

 include/headers.h  | 12 ++++++++++++
 include/proto.h    |  4 ++++
 src/parser_bison.y |  8 ++++++++
 src/proto.c        | 22 ++++++++++++++--------
 src/scanner.l      |  4 ++++
 5 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/include/headers.h b/include/headers.h
index 3d564debf8b0..759f93bf8c7a 100644
--- a/include/headers.h
+++ b/include/headers.h
@@ -78,6 +78,18 @@ struct sctphdr {
 	uint32_t	checksum;
 };
 
+struct arp_hdr {
+	uint16_t	htype;
+	uint16_t	ptype;
+	uint8_t		hlen;
+	uint8_t		plen;
+	uint16_t	oper;
+	uint8_t		sha[6];
+	uint32_t	spa;
+	uint8_t		tha[6];
+	uint32_t	tpa;
+} __attribute__((__packed__));
+
 struct ipv6hdr {
 	uint8_t		version:4,
 			priority:4;
diff --git a/include/proto.h b/include/proto.h
index 9a9f9255f047..b097e8fcbc2b 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -182,6 +182,10 @@ enum arp_hdr_fields {
 	ARPHDR_HLN,
 	ARPHDR_PLN,
 	ARPHDR_OP,
+	ARPHDR_IP_SADDR,
+	ARPHDR_IP_DADDR,
+	ARPHDR_ETHER_SADDR,
+	ARPHDR_ETHER_DADDR,
 };
 
 enum ip_hdr_fields {
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 34202b0415ec..e94282a43615 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -296,6 +296,10 @@ int nft_lex(void *, void *, void *);
 %token HLEN			"hlen"
 %token PLEN			"plen"
 %token OPERATION		"operation"
+%token ETHER_SADDR		"ether-saddr"
+%token ETHER_DADDR		"ether-daddr"
+%token IP_SADDR			"ip-saddr"
+%token IP_DADDR			"ip-daddr"
 
 %token IP			"ip"
 %token HDRVERSION		"version"
@@ -4204,6 +4208,10 @@ arp_hdr_field		:	HTYPE		{ $$ = ARPHDR_HRD; }
 			|	HLEN		{ $$ = ARPHDR_HLN; }
 			|	PLEN		{ $$ = ARPHDR_PLN; }
 			|	OPERATION	{ $$ = ARPHDR_OP; }
+			|	ETHER_SADDR	{ $$ = ARPHDR_ETHER_SADDR; }
+			|	ETHER_DADDR	{ $$ = ARPHDR_ETHER_DADDR; }
+			|	IP_SADDR	{ $$ = ARPHDR_IP_SADDR; }
+			|	IP_DADDR	{ $$ = ARPHDR_IP_DADDR; }
 			;
 
 ip_hdr_expr		:	IP	ip_hdr_field
diff --git a/src/proto.c b/src/proto.c
index d178bf39ea90..d52f11ce6f30 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -822,23 +822,29 @@ const struct datatype arpop_type = {
 };
 
 #define ARPHDR_TYPE(__name, __type, __member) \
-	HDR_TYPE(__name, __type, struct arphdr, __member)
+	HDR_TYPE(__name, __type, struct arp_hdr, __member)
 #define ARPHDR_FIELD(__name, __member) \
-	HDR_FIELD(__name, struct arphdr, __member)
+	HDR_FIELD(__name, struct arp_hdr, __member)
 
 const struct proto_desc proto_arp = {
 	.name		= "arp",
 	.base		= PROTO_BASE_NETWORK_HDR,
 	.templates	= {
-		[ARPHDR_HRD]		= ARPHDR_FIELD("htype",	ar_hrd),
-		[ARPHDR_PRO]		= ARPHDR_TYPE("ptype", &ethertype_type, ar_pro),
-		[ARPHDR_HLN]		= ARPHDR_FIELD("hlen", ar_hln),
-		[ARPHDR_PLN]		= ARPHDR_FIELD("plen", ar_pln),
-		[ARPHDR_OP]		= ARPHDR_TYPE("operation", &arpop_type, ar_op),
+		[ARPHDR_HRD]		= ARPHDR_FIELD("htype",	htype),
+		[ARPHDR_PRO]		= ARPHDR_TYPE("ptype", &ethertype_type, ptype),
+		[ARPHDR_HLN]		= ARPHDR_FIELD("hlen", hlen),
+		[ARPHDR_PLN]		= ARPHDR_FIELD("plen", plen),
+		[ARPHDR_OP]		= ARPHDR_TYPE("operation", &arpop_type, oper),
+		[ARPHDR_ETHER_SADDR]	= ARPHDR_TYPE("ether-saddr", &etheraddr_type, sha),
+		[ARPHDR_ETHER_DADDR]	= ARPHDR_TYPE("ether-daddr", &etheraddr_type, tha),
+		[ARPHDR_IP_SADDR]	= ARPHDR_TYPE("ip-saddr", &ipaddr_type, spa),
+		[ARPHDR_IP_DADDR]	= ARPHDR_TYPE("ip-daddr", &ipaddr_type, tpa),
 	},
 	.format		= {
 		.filter	= (1 << ARPHDR_HRD) | (1 << ARPHDR_PRO) |
-			  (1 << ARPHDR_HLN) | (1 << ARPHDR_PLN),
+			  (1 << ARPHDR_HLN) | (1 << ARPHDR_PLN) |
+			  (1 << ARPHDR_ETHER_SADDR) | (1 << ARPHDR_ETHER_DADDR) |
+			  (1 << ARPHDR_IP_SADDR) | (1 << ARPHDR_IP_DADDR),
 	},
 };
 
diff --git a/src/scanner.l b/src/scanner.l
index f96944e976b3..5221086e38e5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -389,6 +389,10 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "hlen"			{ return HLEN; }
 "plen"			{ return PLEN; }
 "operation"		{ return OPERATION; }
+"ip-saddr"		{ return IP_SADDR; }
+"ip-daddr"		{ return IP_DADDR; }
+"ether-saddr"		{ return ETHER_SADDR; }
+"ether-daddr"		{ return ETHER_DADDR; }
 
 "ip"			{ return IP; }
 "version"		{ return HDRVERSION; }