[BRIDGE]: Add arpreply EBTABLES target.

include/linux/netfilter_bridge/ebt_arpreply.h

+#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H
+#define __LINUX_BRIDGE_EBT_ARPREPLY_H
+
+struct ebt_arpreply_info
+{
+	unsigned char mac[ETH_ALEN];
+	int target;
+};
+#define EBT_ARPREPLY_TARGET "arpreply"
+
+#endif

net/bridge/netfilter/Kconfig

@@ -4,29 +4,9 @@
 config BRIDGE_NF_EBTABLES
 	tristate "Bridge: ebtables"
 	depends on NETFILTER && BRIDGE
-
-config BRIDGE_EBT_T_FILTER
-	tristate "ebt: filter table support"
-	depends on BRIDGE_NF_EBTABLES
-	help
-	  The ebtables filter table is used to define frame filtering rules at
-	  local input, forwarding and local output. See the man page for
-	  ebtables(8).
-
-	  If you want to compile it as a module, say M here and read
-	  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-config BRIDGE_EBT_T_NAT
-	tristate "ebt: nat table support"
-	depends on BRIDGE_NF_EBTABLES
-	help
-	  The ebtables nat table is used to define rules that alter the MAC
-	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
-	  See the man page for ebtables(8).
-
-	  If you want to compile it as a module, say M here and read
-	  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
+#
+# tables
+#
 config BRIDGE_EBT_BROUTE
 	tristate "ebt: broute table support"
 	depends on BRIDGE_NF_EBTABLES
@@ -39,26 +19,30 @@ config BRIDGE_EBT_BROUTE
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-config BRIDGE_EBT_LOG
-	tristate "ebt: log support"
+config BRIDGE_EBT_T_FILTER
+	tristate "ebt: filter table support"
 	depends on BRIDGE_NF_EBTABLES
 	help
-	  This option adds the log target, that you can use in any rule in
-	  any ebtables table. It records the frame header to the syslog.
+	  The ebtables filter table is used to define frame filtering rules at
+	  local input, forwarding and local output. See the man page for
+	  ebtables(8).
 
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-config BRIDGE_EBT_IP
-	tristate "ebt: IP filter support"
+config BRIDGE_EBT_T_NAT
+	tristate "ebt: nat table support"
 	depends on BRIDGE_NF_EBTABLES
 	help
-	  This option adds the IP match, which allows basic IP header field
-	  filtering.
+	  The ebtables nat table is used to define rules that alter the MAC
+	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
+	  See the man page for ebtables(8).
 
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
+#
+# matches
+#
 config BRIDGE_EBT_ARP
 	tristate "ebt: ARP filter support"
 	depends on BRIDGE_NF_EBTABLES
@@ -69,12 +53,12 @@ config BRIDGE_EBT_ARP
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-config BRIDGE_EBT_VLAN
-	tristate "ebt: 802.1Q VLAN filter support"
+config BRIDGE_EBT_IP
+	tristate "ebt: IP filter support"
 	depends on BRIDGE_NF_EBTABLES
 	help
-	  This option adds the 802.1Q vlan match, which allows the filtering of
-	  802.1Q vlan fields.
+	  This option adds the IP match, which allows basic IP header field
+	  filtering.
 
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
@@ -113,12 +97,24 @@ config BRIDGE_EBT_STP
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-config BRIDGE_EBT_SNAT
-	tristate "ebt: snat target support"
+config BRIDGE_EBT_VLAN
+	tristate "ebt: 802.1Q VLAN filter support"
 	depends on BRIDGE_NF_EBTABLES
 	help
-	  This option adds the MAC SNAT target, which allows altering the MAC
-	  source address of frames.
+	  This option adds the 802.1Q vlan match, which allows the filtering of
+	  802.1Q vlan fields.
+
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+#
+# targets
+#
+config BRIDGE_EBT_ARPREPLY
+	tristate "ebt: arp reply target support"
+	depends on BRIDGE_NF_EBTABLES
+	help
+	  This option adds the arp reply target, which allows
+	  automatically sending arp replies to arp requests.
 
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
@@ -133,6 +129,18 @@ config BRIDGE_EBT_DNAT
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+config BRIDGE_EBT_MARK_T
+	tristate "ebt: mark target support"
+	depends on BRIDGE_NF_EBTABLES
+	help
+	  This option adds the mark target, which allows marking frames by
+	  setting the 'nfmark' value in the frame.
+	  This value is the same as the one used in the iptables mark match and
+	  target.
+
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 config BRIDGE_EBT_REDIRECT
 	tristate "ebt: redirect target support"
 	depends on BRIDGE_NF_EBTABLES
@@ -143,15 +151,24 @@ config BRIDGE_EBT_REDIRECT
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-config BRIDGE_EBT_MARK_T
-	tristate "ebt: mark target support"
+config BRIDGE_EBT_SNAT
+	tristate "ebt: snat target support"
 	depends on BRIDGE_NF_EBTABLES
 	help
-	  This option adds the mark target, which allows marking frames by
-	  setting the 'nfmark' value in the frame.
-	  This value is the same as the one used in the iptables mark match and
-	  target.
+	  This option adds the MAC SNAT target, which allows altering the MAC
+	  source address of frames.
 
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+#
+# watchers
+#
+config BRIDGE_EBT_LOG
+	tristate "ebt: log support"
+	depends on BRIDGE_NF_EBTABLES
+	help
+	  This option adds the log target, that you can use in any rule in
+	  any ebtables table. It records the frame header to the syslog.
 
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.

net/bridge/netfilter/Makefile

@@ -3,17 +3,26 @@
 #
 
 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
+
+# tables
+obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
 obj-$(CONFIG_BRIDGE_EBT_T_FILTER) += ebtable_filter.o
 obj-$(CONFIG_BRIDGE_EBT_T_NAT) += ebtable_nat.o
-obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
-obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
+
+#matches
 obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o
-obj-$(CONFIG_BRIDGE_EBT_VLAN) += ebt_vlan.o
+obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
 obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
 obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
 obj-$(CONFIG_BRIDGE_EBT_STP) += ebt_stp.o
-obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o
-obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o
+obj-$(CONFIG_BRIDGE_EBT_VLAN) += ebt_vlan.o
+
+# targets
+obj-$(CONFIG_BRIDGE_EBT_ARPREPLY) += ebt_arpreply.o
+obj-$(CONFIG_BRIDGE_EBT_MARK_T) += ebt_mark.o
 obj-$(CONFIG_BRIDGE_EBT_DNAT) += ebt_dnat.o
 obj-$(CONFIG_BRIDGE_EBT_REDIRECT) += ebt_redirect.o
-obj-$(CONFIG_BRIDGE_EBT_MARK_T) += ebt_mark.o
+obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o
+
+# watchers
+obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o

net/bridge/netfilter/ebt_arpreply.c

+/*
+ *  ebt_arpreply
+ *
+ *	Authors:
+ *	Grzegorz Borowiak <grzes@gnu.univ.gda.pl>
+ *	Bart De Schuymer <bdschuym@pandora.be>
+ *
+ *  August, 2003
+ *
+ */
+
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_arpreply.h>
+#include <linux/if_arp.h>
+#include <net/arp.h>
+#include <linux/module.h>
+
+static int ebt_target_reply(struct sk_buff **pskb, unsigned int hooknr,
+   const struct net_device *in, const struct net_device *out,
+   const void *data, unsigned int datalen)
+{
+	struct ebt_arpreply_info *info = (struct ebt_arpreply_info *)data;
+	u32 sip, dip;
+	struct arphdr ah;
+	unsigned char sha[ETH_ALEN];
+	struct sk_buff *skb = *pskb;
+
+	if (skb_copy_bits(skb, 0, &ah, sizeof(ah)))
+		return EBT_DROP;
+
+	if (ah.ar_op != __constant_htons(ARPOP_REQUEST) || ah.ar_hln != ETH_ALEN
+	    || ah.ar_pro != __constant_htons(ETH_P_IP) || ah.ar_pln != 4)
+		return EBT_CONTINUE;
+
+	if (skb_copy_bits(skb, sizeof(ah), &sha, ETH_ALEN))
+		return EBT_DROP;
+
+	if (skb_copy_bits(skb, sizeof(ah) + ETH_ALEN, &sip, sizeof(sip)))
+		return EBT_DROP;
+
+	if (skb_copy_bits(skb, sizeof(ah) + 2 * ETH_ALEN + sizeof(sip),
+	    &dip, sizeof(dip)))
+		return EBT_DROP;
+
+	arp_send(ARPOP_REPLY, ETH_P_ARP, sip, (struct net_device *)in,
+	         dip, sha, info->mac, sha);
+
+	return info->target;
+}
+
+static int ebt_target_reply_check(const char *tablename, unsigned int hookmask,
+   const struct ebt_entry *e, void *data, unsigned int datalen)
+{
+	struct ebt_arpreply_info *info = (struct ebt_arpreply_info *)data;
+
+	if (datalen != EBT_ALIGN(sizeof(struct ebt_arpreply_info)))
+		return -EINVAL;
+	if (BASE_CHAIN && info->target == EBT_RETURN)
+		return -EINVAL;
+	if (e->ethproto != __constant_htons(ETH_P_ARP) ||
+	    e->invflags & EBT_IPROTO)
+		return -EINVAL;
+	CLEAR_BASE_CHAIN_BIT;
+	if (strcmp(tablename, "nat") || hookmask & ~(1 << NF_BR_PRE_ROUTING))
+		return -EINVAL;
+	return 0;
+}
+
+static struct ebt_target reply_target =
+{
+	.name		= EBT_ARPREPLY_TARGET,
+	.target		= ebt_target_reply,
+	.check		= ebt_target_reply_check,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ebt_register_target(&reply_target);
+}
+
+static void __exit fini(void)
+{
+	ebt_unregister_target(&reply_target);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");