arptables: pre-init hlen and ethertype

to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:

base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)

In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the correct location, but we cannot
do this in nf_tables, at least not at this time (we need a fixed offset
value).

code does:

  op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
  add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...

but if user did not provide "--h-length 6" argument, then this won't
work even for ethernet, as the payload expression will be told to load
the first 4 bytes of arp header source mac address (sender hw address).

Fix this by pre-initialising arhlen to 6.
We also need to set up arhrd.  Otherwise, src/dst mac can't be used:

arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
arptables v1.8.1 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain INPUT

This means that matching won't work for AX25, NETROM etc, however,
arptables "classic" can't  parse non-ethernet addresses, and makes
ETH_ALEN assumptions in several spots, so this should be fine from
compatibility point of view.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
index 67265c83f1ef8897dfd1f2a789950cedc48adf76..73b3b0cf88e18ffacdb88ce369ccf12dc9915738 100755 (executable)
--- a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
+++ b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
@@ -11,11 +11,12 @@ set -e
 $XT_MULTI arptables -F
 $XT_MULTI arptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
 $XT_MULTI arptables -A INPUT -d 192.168.123.1 -j ACCEPT
-#$XT_MULTI arptables -A INPUT --source-mac fe:ed:ba:be:00:01 -j ACCEPT
-#$XT_MULTI arptables -A INPUT --destination-mac fe:ed:ba:be:00:01 -j ACCEPT
+$XT_MULTI arptables -A INPUT --source-mac fe:ed:ba:be:00:01 -j ACCEPT
+$XT_MULTI arptables -A INPUT --destination-mac fe:ed:ba:be:00:01 -j ACCEPT
 $XT_MULTI arptables -N foo
 $XT_MULTI arptables -A foo -i lo -j ACCEPT
 $XT_MULTI arptables -A foo -l 6 -j ACCEPT
+$XT_MULTI arptables -A foo -j MARK --set-mark 12345
 $XT_MULTI arptables -A foo --opcode Request -j ACCEPT
 $XT_MULTI arptables -A foo --h-type 1 --proto-type 0x800 -j ACCEPT
 $XT_MULTI arptables -A foo -l 6 --h-type 1 --proto-type 0x800 -i lo --opcode Request -j ACCEPT
@@ -34,18 +35,21 @@ DUMP='*filter
 :INPUT ACCEPT
 :OUTPUT DROP
 :foo -
--A INPUT -s 10.0.0.0/8 -j ACCEPT
--A INPUT -d 192.168.123.1 -j ACCEPT
--A INPUT -j foo
--A INPUT 
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -o eth134 -j mangle --mangle-ip-s 10.0.0.1
--A OUTPUT -o eth432 -j CLASSIFY --set-class feed:babe
--A OUTPUT -o eth432 --opcode 1 -j CLASSIFY --set-class feed:babe
--A foo -i lo -j ACCEPT
--A foo --h-length 6 -j ACCEPT
--A foo --opcode 1 -j ACCEPT
--A foo --h-type 1 --proto-type 0x800 -j ACCEPT
+-A INPUT -s 10.0.0.0/8 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT -d 192.168.123.1 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --src-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --dst-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1 -j ACCEPT
+-A INPUT --h-length 6 --h-type 1 -j foo
+-A INPUT --h-length 6 --h-type 1 
+-A OUTPUT -o lo --h-length 6 --h-type 1 -j ACCEPT
+-A OUTPUT -o eth134 --h-length 6 --h-type 1 -j mangle --mangle-ip-s 10.0.0.1
+-A OUTPUT -o eth432 --h-length 6 --h-type 1 -j CLASSIFY --set-class feed:babe
+-A OUTPUT -o eth432 --h-length 6 --opcode 1 --h-type 1 -j CLASSIFY --set-class feed:babe
+-A foo -i lo --h-length 6 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 -j MARK --set-xmark 0x3039/0xffffffff
+-A foo --h-length 6 --opcode 1 --h-type 1 -j ACCEPT
+-A foo --h-length 6 --h-type 1 --proto-type 0x800 -j ACCEPT
 -A foo -i lo --h-length 6 --opcode 1 --h-type 1 --proto-type 0x800 -j ACCEPT
 '
 

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index a791ecceb88b60ac798109cd84013bfe3a435c53..bde35e5dcb9cb22fbd316b5ccb5654fdfdaab5b7 100644 (file)
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -905,6 +905,8 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
 {
        struct iptables_command_state cs = {
                .jumpto = "",
+               .arp.arp.arhln = 6,
+               .arp.arp.arhrd = htons(ARPHRD_ETHER),
        };
        int invert = 0;
        unsigned int nsaddrs = 0, ndaddrs = 0;