xref: /openbmc/linux/include/net/netfilter/nf_tables_offload.h (revision 4f2c0a4acffbec01079c28f839422e64ddeff004)
1  #ifndef _NET_NF_TABLES_OFFLOAD_H
2  #define _NET_NF_TABLES_OFFLOAD_H
3  
4  #include <net/flow_offload.h>
5  #include <net/netfilter/nf_tables.h>
6  
/*
 * Bit flags for nft_offload_reg.flags, stored there by
 * NFT_OFFLOAD_MATCH_FLAGS().
 */
enum nft_offload_reg_flags {
	/* NOTE(review): name suggests a network-to-host byte-order conversion
	 * of the matched value; confirm against the users in
	 * nf_tables_offload.c. */
	NFT_OFFLOAD_F_NETWORK2HOST	= (1 << 0),
};
10  
/*
 * Per-register offload state: which field of struct nft_flow_key a register
 * refers to, plus the value and mask to match.
 *
 * key, len, base_offset, offset and flags are filled in by
 * NFT_OFFLOAD_MATCH_FLAGS(); NFT_OFFLOAD_MATCH_EXACT() additionally sets the
 * first len bytes of mask to 0xff.
 */
struct nft_offload_reg {
	u32		key;		/* __key argument of the match macros */
	u32		len;		/* length in bytes; also the memset() size used on mask */
	u32		base_offset;	/* offsetof(struct nft_flow_key, <base member>) */
	u32		offset;		/* offsetof(struct nft_flow_key, <base member>.<field>) */
	u32		flags;		/* enum nft_offload_reg_flags bits */
	struct nft_data data;
	struct nft_data	mask;		/* len must not exceed sizeof(mask) */
};
20  
/*
 * Kind of dependency recorded in nft_offload_ctx.dep.type and passed to
 * nft_offload_set_dependency().
 */
enum nft_offload_dep_type {
	NFT_OFFLOAD_DEP_UNSPEC	= 0,	/* zero value: no dependency type set */
	NFT_OFFLOAD_DEP_NETWORK,
	NFT_OFFLOAD_DEP_TRANSPORT,
};
26  
/*
 * Context carried while a rule is translated for offload.
 *
 * regs[] has NFT_REG32_15 + 1 entries, so it can be indexed by any register
 * number up to and including NFT_REG32_15. Callers indexing it with a
 * register number taken from a rule must keep the index within that bound.
 */
struct nft_offload_ctx {
	struct {
		enum nft_offload_dep_type	type;
		__be16				l3num;		/* big-endian 16-bit value */
		u8				protonum;
	} dep;
	unsigned int				num_actions;
	struct net				*net;
	struct nft_offload_reg			regs[NFT_REG32_15 + 1];
};
37  
/* Dependency helpers operating on ctx->dep; implemented outside this header. */
void nft_offload_set_dependency(struct nft_offload_ctx *ctx,
				enum nft_offload_dep_type type);
/* NOTE(review): data is an untyped buffer of len bytes; how len is validated
 * against the l3num/protonum field sizes is not visible here - confirm in the
 * implementation. */
void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
				   const void *data, u32 len);
42  
/*
 * Flat collection of flow dissector keys that a rule can match on.
 *
 * The NFT_OFFLOAD_MATCH*() macros record offsetof() values into this struct
 * (nft_offload_reg.base_offset / .offset), so member names here are part of
 * the macro interface. ipv4 and ipv6 share storage through the anonymous
 * union.
 */
struct nft_flow_key {
	struct flow_dissector_key_basic			basic;
	struct flow_dissector_key_control		control;
	union {
		struct flow_dissector_key_ipv4_addrs	ipv4;
		struct flow_dissector_key_ipv6_addrs	ipv6;
	};
	struct flow_dissector_key_ports			tp;
	struct flow_dissector_key_ip			ip;
	struct flow_dissector_key_vlan			vlan;
	struct flow_dissector_key_vlan			cvlan;
	struct flow_dissector_key_eth_addrs		eth_addrs;
	struct flow_dissector_key_meta			meta;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
57  
/*
 * Match part of an offloaded rule: a flow dissector plus a key/mask pair
 * that both use the struct nft_flow_key layout.
 */
struct nft_flow_match {
	struct flow_dissector	dissector;
	struct nft_flow_key	key;
	struct nft_flow_key	mask;
};
63  
/*
 * An nftables rule prepared for offload: the embedded match plus a pointer
 * to the flow_rule.
 */
struct nft_flow_rule {
	__be16			proto;	/* big-endian 16-bit value */
	struct nft_flow_match	match;
	/* NOTE(review): lifetime/ownership of this pointer is not visible in
	 * this header; presumably tied to nft_flow_rule_create()/_destroy() -
	 * confirm. */
	struct flow_rule	*rule;
};
69  
/* Flow rule API; all of these are implemented outside this header. */
void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
				 enum flow_dissector_key_id addr_type);

struct nft_rule;
/* Returns a struct nft_flow_rule pointer for @rule.
 * NOTE(review): whether failure is reported as NULL or as an ERR_PTR() value
 * is not visible here - callers must check the convention used by the
 * implementation before dereferencing. Presumably paired with
 * nft_flow_rule_destroy(). */
struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
/* Returns int; presumably 0 or a negative errno - confirm. */
int nft_flow_rule_stats(const struct nft_chain *chain, const struct nft_rule *rule);
void nft_flow_rule_destroy(struct nft_flow_rule *flow);
/* Returns int; presumably 0 or a negative errno - confirm. */
int nft_flow_rule_offload_commit(struct net *net);
78  
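/*
 * NFT_OFFLOAD_MATCH_FLAGS - record which struct nft_flow_key field a register
 * matches on.
 * @__key:   value stored in (__reg)->key
 * @__base:  member of struct nft_flow_key; its offset goes to ->base_offset
 * @__field: field inside @__base; offset of __base.__field goes to ->offset
 * @__len:   length in bytes stored in (__reg)->len
 * @__reg:   pointer to the struct nft_offload_reg to fill in
 * @__flags: enum nft_offload_reg_flags bits stored in (__reg)->flags
 *
 * Wrapped in do { } while (0) so the macro expands to a single statement:
 * as a bare statement list, only the first assignment would be governed by
 * an unbraced if/else/for, leaving the register half-initialised. Invoke it
 * as a statement, followed by ';'.
 *
 * @__reg is evaluated several times; pass an expression without side
 * effects.
 */
#define NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, __flags)	\
do {									\
	(__reg)->base_offset	=					\
		offsetof(struct nft_flow_key, __base);			\
	(__reg)->offset		=					\
		offsetof(struct nft_flow_key, __base.__field);		\
	(__reg)->len		= (__len);				\
	(__reg)->key		= (__key);				\
	(__reg)->flags		= (__flags);				\
} while (0)

/* Same as NFT_OFFLOAD_MATCH_FLAGS() with flags set to 0. */
#define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg)		\
	NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, 0)

/*
 * NFT_OFFLOAD_MATCH_EXACT - like NFT_OFFLOAD_MATCH(), then set the first
 * (__reg)->len bytes of (__reg)->mask to 0xff (exact match on every bit).
 *
 * The memset() length is @__len as passed by the caller; it is not checked
 * against the size of the mask, so callers must keep
 * @__len <= sizeof((__reg)->mask) or the write runs past the mask.
 */
#define NFT_OFFLOAD_MATCH_EXACT(__key, __base, __field, __len, __reg)	\
do {									\
	NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg);	\
	memset(&(__reg)->mask, 0xff, (__reg)->len);			\
} while (0)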
94  
/* Returns a bool for @basechain; the criteria are defined by the
 * implementation, which is outside this header. */
bool nft_chain_offload_support(const struct nft_base_chain *basechain);

/* Init/exit pair for the offload code. nft_offload_init() returns int;
 * presumably 0 or a negative errno - confirm. */
int nft_offload_init(void);
void nft_offload_exit(void);
99  
100  #endif
101