Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c15bf6e699f4c366f2d1e19ac5d7add21c6b5a19
Commit:     c15bf6e699f4c366f2d1e19ac5d7add21c6b5a19
Parent:     516299d2f5b6f9703b9b388faf91898dc636a678
Author:     Bart De Schuymer <[EMAIL PROTECTED]>
AuthorDate: Thu Apr 12 22:15:06 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Wed Apr 25 22:28:58 2007 -0700

    [NETFILTER]: ebt_arp: add gratuitous arp filtering
    
    The attached patch adds gratuitous arp filtering, more precisely: it
    allows checking that the IPv4 source address matches the IPv4
    destination address inside the ARP header. It also adds a check for the
    hardware address type when matching MAC addresses (nothing critical,
    just for better consistency).
    
    Signed-off-by: Bart De Schuymer <[EMAIL PROTECTED]>
    Acked-by: Carl-Daniel Hailfinger <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 include/linux/netfilter_bridge/ebt_arp.h |    4 ++-
 net/bridge/netfilter/ebt_arp.c           |   48 +++++++++++++----------------
 2 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/include/linux/netfilter_bridge/ebt_arp.h 
b/include/linux/netfilter_bridge/ebt_arp.h
index 97e4dbd..cbf4843 100644
--- a/include/linux/netfilter_bridge/ebt_arp.h
+++ b/include/linux/netfilter_bridge/ebt_arp.h
@@ -8,8 +8,10 @@
 #define EBT_ARP_DST_IP 0x10
 #define EBT_ARP_SRC_MAC 0x20
 #define EBT_ARP_DST_MAC 0x40
+#define EBT_ARP_GRAT 0x80
 #define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \
-   EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)
+   EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC | \
+   EBT_ARP_GRAT)
 #define EBT_ARP_MATCH "arp"
 
 struct ebt_arp_info
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 9c59980..1a46952 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -35,40 +35,36 @@ static int ebt_filter_arp(const struct sk_buff *skb, const 
struct net_device *in
                return EBT_NOMATCH;
 
        if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP)) {
-               __be32 _addr, *ap;
+               __be32 saddr, daddr, *sap, *dap;
 
-               /* IPv4 addresses are always 4 bytes */
-               if (ah->ar_pln != sizeof(__be32))
+               if (ah->ar_pln != sizeof(__be32) || ah->ar_pro != 
htons(ETH_P_IP))
+                       return EBT_NOMATCH;
+               sap = skb_header_pointer(skb, sizeof(struct arphdr) +
+                                       ah->ar_hln, sizeof(saddr),
+                                       &saddr);
+               if (sap == NULL)
+                       return EBT_NOMATCH;
+               dap = skb_header_pointer(skb, sizeof(struct arphdr) +
+                                       2*ah->ar_hln+sizeof(saddr),
+                                       sizeof(daddr), &daddr);
+               if (dap == NULL)
+                       return EBT_NOMATCH;
+               if (info->bitmask & EBT_ARP_SRC_IP &&
+                   FWINV(info->saddr != (*sap & info->smsk), EBT_ARP_SRC_IP))
+                       return EBT_NOMATCH;
+               if (info->bitmask & EBT_ARP_DST_IP &&
+                   FWINV(info->daddr != (*dap & info->dmsk), EBT_ARP_DST_IP))
+                       return EBT_NOMATCH;
+               if (info->bitmask & EBT_ARP_GRAT &&
+                   FWINV(*dap != *sap, EBT_ARP_GRAT))
                        return EBT_NOMATCH;
-               if (info->bitmask & EBT_ARP_SRC_IP) {
-                       ap = skb_header_pointer(skb, sizeof(struct arphdr) +
-                                               ah->ar_hln, sizeof(_addr),
-                                               &_addr);
-                       if (ap == NULL)
-                               return EBT_NOMATCH;
-                       if (FWINV(info->saddr != (*ap & info->smsk),
-                          EBT_ARP_SRC_IP))
-                               return EBT_NOMATCH;
-               }
-
-               if (info->bitmask & EBT_ARP_DST_IP) {
-                       ap = skb_header_pointer(skb, sizeof(struct arphdr) +
-                                               2*ah->ar_hln+sizeof(__be32),
-                                               sizeof(_addr), &_addr);
-                       if (ap == NULL)
-                               return EBT_NOMATCH;
-                       if (FWINV(info->daddr != (*ap & info->dmsk),
-                          EBT_ARP_DST_IP))
-                               return EBT_NOMATCH;
-               }
        }
 
        if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) {
                unsigned char _mac[ETH_ALEN], *mp;
                uint8_t verdict, i;
 
-               /* MAC addresses are 6 bytes */
-               if (ah->ar_hln != ETH_ALEN)
+               if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER))
                        return EBT_NOMATCH;
                if (info->bitmask & EBT_ARP_SRC_MAC) {
                        mp = skb_header_pointer(skb, sizeof(struct arphdr),
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to