xref: /openbmc/linux/include/net/netfilter/nf_tables.h (revision 060f35a317ef09101b128f399dce7ed13d019461)
1  /* SPDX-License-Identifier: GPL-2.0 */
2  #ifndef _NET_NF_TABLES_H
3  #define _NET_NF_TABLES_H
4  
5  #include <asm/unaligned.h>
6  #include <linux/list.h>
7  #include <linux/netfilter.h>
8  #include <linux/netfilter/nfnetlink.h>
9  #include <linux/netfilter/x_tables.h>
10  #include <linux/netfilter/nf_tables.h>
11  #include <linux/u64_stats_sync.h>
12  #include <linux/rhashtable.h>
13  #include <net/netfilter/nf_flow_table.h>
14  #include <net/netlink.h>
15  #include <net/flow_offload.h>
16  #include <net/netns/generic.h>
17  
18  #define NFT_MAX_HOOKS	(NF_INET_INGRESS + 1)
19  
20  struct module;
21  
22  #define NFT_JUMP_STACK_SIZE	16
23  
24  enum {
25  	NFT_PKTINFO_L4PROTO	= (1 << 0),
26  	NFT_PKTINFO_INNER	= (1 << 1),
27  	NFT_PKTINFO_INNER_FULL	= (1 << 2),
28  };
29  
30  struct nft_pktinfo {
31  	struct sk_buff			*skb;
32  	const struct nf_hook_state	*state;
33  	u8				flags;
34  	u8				tprot;
35  	u16				fragoff;
36  	u16				thoff;
37  	u16				inneroff;
38  };
39  
nft_sk(const struct nft_pktinfo * pkt)40  static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)
41  {
42  	return pkt->state->sk;
43  }
44  
nft_thoff(const struct nft_pktinfo * pkt)45  static inline unsigned int nft_thoff(const struct nft_pktinfo *pkt)
46  {
47  	return pkt->thoff;
48  }
49  
nft_net(const struct nft_pktinfo * pkt)50  static inline struct net *nft_net(const struct nft_pktinfo *pkt)
51  {
52  	return pkt->state->net;
53  }
54  
nft_hook(const struct nft_pktinfo * pkt)55  static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
56  {
57  	return pkt->state->hook;
58  }
59  
nft_pf(const struct nft_pktinfo * pkt)60  static inline u8 nft_pf(const struct nft_pktinfo *pkt)
61  {
62  	return pkt->state->pf;
63  }
64  
nft_in(const struct nft_pktinfo * pkt)65  static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
66  {
67  	return pkt->state->in;
68  }
69  
nft_out(const struct nft_pktinfo * pkt)70  static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
71  {
72  	return pkt->state->out;
73  }
74  
nft_set_pktinfo(struct nft_pktinfo * pkt,struct sk_buff * skb,const struct nf_hook_state * state)75  static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
76  				   struct sk_buff *skb,
77  				   const struct nf_hook_state *state)
78  {
79  	pkt->skb = skb;
80  	pkt->state = state;
81  }
82  
nft_set_pktinfo_unspec(struct nft_pktinfo * pkt)83  static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt)
84  {
85  	pkt->flags = 0;
86  	pkt->tprot = 0;
87  	pkt->thoff = 0;
88  	pkt->fragoff = 0;
89  }
90  
91  /**
92   * 	struct nft_verdict - nf_tables verdict
93   *
94   * 	@code: nf_tables/netfilter verdict code
95   * 	@chain: destination chain for NFT_JUMP/NFT_GOTO
96   */
97  struct nft_verdict {
98  	u32				code;
99  	struct nft_chain		*chain;
100  };
101  
102  struct nft_data {
103  	union {
104  		u32			data[4];
105  		struct nft_verdict	verdict;
106  	};
107  } __attribute__((aligned(__alignof__(u64))));
108  
109  #define NFT_REG32_NUM		20
110  
111  /**
112   *	struct nft_regs - nf_tables register set
113   *
114   *	@data: data registers
115   *	@verdict: verdict register
116   *
117   *	The first four data registers alias to the verdict register.
118   */
119  struct nft_regs {
120  	union {
121  		u32			data[NFT_REG32_NUM];
122  		struct nft_verdict	verdict;
123  	};
124  };
125  
126  struct nft_regs_track {
127  	struct {
128  		const struct nft_expr		*selector;
129  		const struct nft_expr		*bitwise;
130  		u8				num_reg;
131  	} regs[NFT_REG32_NUM];
132  
133  	const struct nft_expr			*cur;
134  	const struct nft_expr			*last;
135  };
136  
137  /* Store/load an u8, u16 or u64 integer to/from the u32 data register.
138   *
139   * Note, when using concatenations, register allocation happens at 32-bit
140   * level. So for store instruction, pad the rest part with zero to avoid
141   * garbage values.
142   */
143  
nft_reg_store8(u32 * dreg,u8 val)144  static inline void nft_reg_store8(u32 *dreg, u8 val)
145  {
146  	*dreg = 0;
147  	*(u8 *)dreg = val;
148  }
149  
nft_reg_load8(const u32 * sreg)150  static inline u8 nft_reg_load8(const u32 *sreg)
151  {
152  	return *(u8 *)sreg;
153  }
154  
nft_reg_store16(u32 * dreg,u16 val)155  static inline void nft_reg_store16(u32 *dreg, u16 val)
156  {
157  	*dreg = 0;
158  	*(u16 *)dreg = val;
159  }
160  
nft_reg_store_be16(u32 * dreg,__be16 val)161  static inline void nft_reg_store_be16(u32 *dreg, __be16 val)
162  {
163  	nft_reg_store16(dreg, (__force __u16)val);
164  }
165  
nft_reg_load16(const u32 * sreg)166  static inline u16 nft_reg_load16(const u32 *sreg)
167  {
168  	return *(u16 *)sreg;
169  }
170  
nft_reg_load_be16(const u32 * sreg)171  static inline __be16 nft_reg_load_be16(const u32 *sreg)
172  {
173  	return (__force __be16)nft_reg_load16(sreg);
174  }
175  
nft_reg_load_be32(const u32 * sreg)176  static inline __be32 nft_reg_load_be32(const u32 *sreg)
177  {
178  	return *(__force __be32 *)sreg;
179  }
180  
nft_reg_store64(u64 * dreg,u64 val)181  static inline void nft_reg_store64(u64 *dreg, u64 val)
182  {
183  	put_unaligned(val, dreg);
184  }
185  
nft_reg_load64(const u32 * sreg)186  static inline u64 nft_reg_load64(const u32 *sreg)
187  {
188  	return get_unaligned((u64 *)sreg);
189  }
190  
nft_data_copy(u32 * dst,const struct nft_data * src,unsigned int len)191  static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
192  				 unsigned int len)
193  {
194  	if (len % NFT_REG32_SIZE)
195  		dst[len / NFT_REG32_SIZE] = 0;
196  	memcpy(dst, src, len);
197  }
198  
199  /**
200   *	struct nft_ctx - nf_tables rule/set context
201   *
202   *	@net: net namespace
203   * 	@table: the table the chain is contained in
204   * 	@chain: the chain the rule is contained in
205   *	@nla: netlink attributes
206   *	@portid: netlink portID of the original message
207   *	@seq: netlink sequence number
208   *	@flags: modifiers to new request
209   *	@family: protocol family
210   *	@level: depth of the chains
211   *	@report: notify via unicast netlink message
212   */
213  struct nft_ctx {
214  	struct net			*net;
215  	struct nft_table		*table;
216  	struct nft_chain		*chain;
217  	const struct nlattr * const 	*nla;
218  	u32				portid;
219  	u32				seq;
220  	u16				flags;
221  	u8				family;
222  	u8				level;
223  	bool				report;
224  };
225  
226  enum nft_data_desc_flags {
227  	NFT_DATA_DESC_SETELEM	= (1 << 0),
228  };
229  
230  struct nft_data_desc {
231  	enum nft_data_types		type;
232  	unsigned int			size;
233  	unsigned int			len;
234  	unsigned int			flags;
235  };
236  
237  int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
238  		  struct nft_data_desc *desc, const struct nlattr *nla);
239  void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
240  void nft_data_release(const struct nft_data *data, enum nft_data_types type);
241  int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
242  		  enum nft_data_types type, unsigned int len);
243  
nft_dreg_to_type(enum nft_registers reg)244  static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
245  {
246  	return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
247  }
248  
nft_type_to_reg(enum nft_data_types type)249  static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
250  {
251  	return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
252  }
253  
254  int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
255  int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
256  
257  int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
258  int nft_parse_register_store(const struct nft_ctx *ctx,
259  			     const struct nlattr *attr, u8 *dreg,
260  			     const struct nft_data *data,
261  			     enum nft_data_types type, unsigned int len);
262  
263  /**
264   *	struct nft_userdata - user defined data associated with an object
265   *
266   *	@len: length of the data
267   *	@data: content
268   *
269   *	The presence of user data is indicated in an object specific fashion,
270   *	so a length of zero can't occur and the value "len" indicates data
271   *	of length len + 1.
272   */
273  struct nft_userdata {
274  	u8			len;
275  	unsigned char		data[];
276  };
277  
278  /**
279   *	struct nft_set_elem - generic representation of set elements
280   *
281   *	@key: element key
282   *	@key_end: closing element key
283   *	@data: element data
284   *	@priv: element private data and extensions
285   */
286  struct nft_set_elem {
287  	union {
288  		u32		buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
289  		struct nft_data	val;
290  	} key;
291  	union {
292  		u32		buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
293  		struct nft_data	val;
294  	} key_end;
295  	union {
296  		u32		buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
297  		struct nft_data val;
298  	} data;
299  	void			*priv;
300  };
301  
302  /**
303   * enum nft_iter_type - nftables set iterator type
304   *
305   * @NFT_ITER_READ: read-only iteration over set elements
306   * @NFT_ITER_UPDATE: iteration under mutex to update set element state
307   */
308  enum nft_iter_type {
309  	NFT_ITER_UNSPEC,
310  	NFT_ITER_READ,
311  	NFT_ITER_UPDATE,
312  };
313  
314  struct nft_set;
315  struct nft_set_iter {
316  	u8		genmask;
317  	enum nft_iter_type type:8;
318  	unsigned int	count;
319  	unsigned int	skip;
320  	int		err;
321  	int		(*fn)(const struct nft_ctx *ctx,
322  			      struct nft_set *set,
323  			      const struct nft_set_iter *iter,
324  			      struct nft_set_elem *elem);
325  };
326  
327  /**
328   *	struct nft_set_desc - description of set elements
329   *
330   *	@ktype: key type
331   *	@klen: key length
332   *	@dtype: data type
333   *	@dlen: data length
334   *	@objtype: object type
335   *	@size: number of set elements
336   *	@policy: set policy
337   *	@gc_int: garbage collector interval
338   *	@timeout: element timeout
339   *	@field_len: length of each field in concatenation, bytes
340   *	@field_count: number of concatenated fields in element
341   *	@expr: set must support for expressions
342   */
343  struct nft_set_desc {
344  	u32			ktype;
345  	unsigned int		klen;
346  	u32			dtype;
347  	unsigned int		dlen;
348  	u32			objtype;
349  	unsigned int		size;
350  	u32			policy;
351  	u32			gc_int;
352  	u64			timeout;
353  	u8			field_len[NFT_REG32_COUNT];
354  	u8			field_count;
355  	bool			expr;
356  };
357  
358  /**
359   *	enum nft_set_class - performance class
360   *
361   *	@NFT_SET_CLASS_O_1: constant, O(1)
362   *	@NFT_SET_CLASS_O_LOG_N: logarithmic, O(log N)
363   *	@NFT_SET_CLASS_O_N: linear, O(N)
364   */
365  enum nft_set_class {
366  	NFT_SET_CLASS_O_1,
367  	NFT_SET_CLASS_O_LOG_N,
368  	NFT_SET_CLASS_O_N,
369  };
370  
371  /**
372   *	struct nft_set_estimate - estimation of memory and performance
373   *				  characteristics
374   *
375   *	@size: required memory
376   *	@lookup: lookup performance class
377   *	@space: memory class
378   */
379  struct nft_set_estimate {
380  	u64			size;
381  	enum nft_set_class	lookup;
382  	enum nft_set_class	space;
383  };
384  
385  #define NFT_EXPR_MAXATTR		16
386  #define NFT_EXPR_SIZE(size)		(sizeof(struct nft_expr) + \
387  					 ALIGN(size, __alignof__(struct nft_expr)))
388  
389  /**
390   *	struct nft_expr - nf_tables expression
391   *
392   *	@ops: expression ops
393   *	@data: expression private data
394   */
395  struct nft_expr {
396  	const struct nft_expr_ops	*ops;
397  	unsigned char			data[]
398  		__attribute__((aligned(__alignof__(u64))));
399  };
400  
nft_expr_priv(const struct nft_expr * expr)401  static inline void *nft_expr_priv(const struct nft_expr *expr)
402  {
403  	return (void *)expr->data;
404  }
405  
406  struct nft_expr_info;
407  
408  int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
409  			 struct nft_expr_info *info);
410  int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
411  void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
412  int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
413  		  const struct nft_expr *expr, bool reset);
414  bool nft_expr_reduce_bitwise(struct nft_regs_track *track,
415  			     const struct nft_expr *expr);
416  
417  struct nft_set_ext;
418  
419  /**
420   *	struct nft_set_ops - nf_tables set operations
421   *
422   *	@lookup: look up an element within the set
423   *	@update: update an element if exists, add it if doesn't exist
424   *	@delete: delete an element
425   *	@insert: insert new element into set
426   *	@activate: activate new element in the next generation
427   *	@deactivate: lookup for element and deactivate it in the next generation
428   *	@flush: deactivate element in the next generation
429   *	@remove: remove element from set
430   *	@walk: iterate over all set elements
431   *	@get: get set elements
432   *	@ksize: kernel set size
433   * 	@usize: userspace set size
434   *	@adjust_maxsize: delta to adjust maximum set size
435   *	@commit: commit set elements
436   *	@abort: abort set elements
437   *	@privsize: function to return size of set private data
438   *	@estimate: estimate the required memory size and the lookup complexity class
439   *	@init: initialize private data of new set instance
440   *	@destroy: destroy private data of set instance
441   *	@gc_init: initialize garbage collection
442   *	@elemsize: element private size
443   *
444   *	Operations lookup, update and delete have simpler interfaces, are faster
445   *	and currently only used in the packet path. All the rest are slower,
446   *	control plane functions.
447   */
448  struct nft_set_ops {
449  	bool				(*lookup)(const struct net *net,
450  						  const struct nft_set *set,
451  						  const u32 *key,
452  						  const struct nft_set_ext **ext);
453  	bool				(*update)(struct nft_set *set,
454  						  const u32 *key,
455  						  void *(*new)(struct nft_set *,
456  							       const struct nft_expr *,
457  							       struct nft_regs *),
458  						  const struct nft_expr *expr,
459  						  struct nft_regs *regs,
460  						  const struct nft_set_ext **ext);
461  	bool				(*delete)(const struct nft_set *set,
462  						  const u32 *key);
463  
464  	int				(*insert)(const struct net *net,
465  						  const struct nft_set *set,
466  						  const struct nft_set_elem *elem,
467  						  struct nft_set_ext **ext);
468  	void				(*activate)(const struct net *net,
469  						    const struct nft_set *set,
470  						    const struct nft_set_elem *elem);
471  	void *				(*deactivate)(const struct net *net,
472  						      const struct nft_set *set,
473  						      const struct nft_set_elem *elem);
474  	bool				(*flush)(const struct net *net,
475  						 const struct nft_set *set,
476  						 void *priv);
477  	void				(*remove)(const struct net *net,
478  						  const struct nft_set *set,
479  						  const struct nft_set_elem *elem);
480  	void				(*walk)(const struct nft_ctx *ctx,
481  						struct nft_set *set,
482  						struct nft_set_iter *iter);
483  	void *				(*get)(const struct net *net,
484  					       const struct nft_set *set,
485  					       const struct nft_set_elem *elem,
486  					       unsigned int flags);
487  	u32				(*ksize)(u32 size);
488  	u32				(*usize)(u32 size);
489  	u32				(*adjust_maxsize)(const struct nft_set *set);
490  	void				(*commit)(struct nft_set *set);
491  	void				(*abort)(const struct nft_set *set);
492  	u64				(*privsize)(const struct nlattr * const nla[],
493  						    const struct nft_set_desc *desc);
494  	bool				(*estimate)(const struct nft_set_desc *desc,
495  						    u32 features,
496  						    struct nft_set_estimate *est);
497  	int				(*init)(const struct nft_set *set,
498  						const struct nft_set_desc *desc,
499  						const struct nlattr * const nla[]);
500  	void				(*destroy)(const struct nft_ctx *ctx,
501  						   const struct nft_set *set);
502  	void				(*gc_init)(const struct nft_set *set);
503  
504  	unsigned int			elemsize;
505  };
506  
507  /**
508   *      struct nft_set_type - nf_tables set type
509   *
510   *      @ops: set ops for this type
511   *      @features: features supported by the implementation
512   */
513  struct nft_set_type {
514  	const struct nft_set_ops	ops;
515  	u32				features;
516  };
517  #define to_set_type(o) container_of(o, struct nft_set_type, ops)
518  
519  struct nft_set_elem_expr {
520  	u8				size;
521  	unsigned char			data[]
522  		__attribute__((aligned(__alignof__(struct nft_expr))));
523  };
524  
525  #define nft_setelem_expr_at(__elem_expr, __offset)			\
526  	((struct nft_expr *)&__elem_expr->data[__offset])
527  
528  #define nft_setelem_expr_foreach(__expr, __elem_expr, __size)		\
529  	for (__expr = nft_setelem_expr_at(__elem_expr, 0), __size = 0;	\
530  	     __size < (__elem_expr)->size;				\
531  	     __size += (__expr)->ops->size, __expr = ((void *)(__expr)) + (__expr)->ops->size)
532  
533  #define NFT_SET_EXPR_MAX	2
534  
535  /**
536   * 	struct nft_set - nf_tables set instance
537   *
538   *	@list: table set list node
539   *	@bindings: list of set bindings
540   *	@refs: internal refcounting for async set destruction
541   *	@table: table this set belongs to
542   *	@net: netnamespace this set belongs to
543   * 	@name: name of the set
544   *	@handle: unique handle of the set
545   * 	@ktype: key type (numeric type defined by userspace, not used in the kernel)
546   * 	@dtype: data type (verdict or numeric type defined by userspace)
547   * 	@objtype: object type (see NFT_OBJECT_* definitions)
548   * 	@size: maximum set size
549   *	@field_len: length of each field in concatenation, bytes
550   *	@field_count: number of concatenated fields in element
551   *	@use: number of rules references to this set
552   * 	@nelems: number of elements
553   * 	@ndeact: number of deactivated elements queued for removal
554   *	@timeout: default timeout value in jiffies
555   * 	@gc_int: garbage collection interval in msecs
556   *	@policy: set parameterization (see enum nft_set_policies)
557   *	@udlen: user data length
558   *	@udata: user data
559   *	@pending_update: list of pending update set element
560   * 	@ops: set ops
561   * 	@flags: set flags
562   *	@dead: set will be freed, never cleared
563   *	@genmask: generation mask
564   * 	@klen: key length
565   * 	@dlen: data length
566   *	@num_exprs: numbers of exprs
567   *	@exprs: stateful expression
568   *	@catchall_list: list of catch-all set element
569   * 	@data: private set data
570   */
571  struct nft_set {
572  	struct list_head		list;
573  	struct list_head		bindings;
574  	refcount_t			refs;
575  	struct nft_table		*table;
576  	possible_net_t			net;
577  	char				*name;
578  	u64				handle;
579  	u32				ktype;
580  	u32				dtype;
581  	u32				objtype;
582  	u32				size;
583  	u8				field_len[NFT_REG32_COUNT];
584  	u8				field_count;
585  	u32				use;
586  	atomic_t			nelems;
587  	u32				ndeact;
588  	u64				timeout;
589  	u32				gc_int;
590  	u16				policy;
591  	u16				udlen;
592  	unsigned char			*udata;
593  	struct list_head		pending_update;
594  	/* runtime data below here */
595  	const struct nft_set_ops	*ops ____cacheline_aligned;
596  	u16				flags:13,
597  					dead:1,
598  					genmask:2;
599  	u8				klen;
600  	u8				dlen;
601  	u8				num_exprs;
602  	struct nft_expr			*exprs[NFT_SET_EXPR_MAX];
603  	struct list_head		catchall_list;
604  	unsigned char			data[]
605  		__attribute__((aligned(__alignof__(u64))));
606  };
607  
nft_set_is_anonymous(const struct nft_set * set)608  static inline bool nft_set_is_anonymous(const struct nft_set *set)
609  {
610  	return set->flags & NFT_SET_ANONYMOUS;
611  }
612  
nft_set_priv(const struct nft_set * set)613  static inline void *nft_set_priv(const struct nft_set *set)
614  {
615  	return (void *)set->data;
616  }
617  
nft_set_datatype(const struct nft_set * set)618  static inline enum nft_data_types nft_set_datatype(const struct nft_set *set)
619  {
620  	return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
621  }
622  
nft_set_gc_is_pending(const struct nft_set * s)623  static inline bool nft_set_gc_is_pending(const struct nft_set *s)
624  {
625  	return refcount_read(&s->refs) != 1;
626  }
627  
nft_set_container_of(const void * priv)628  static inline struct nft_set *nft_set_container_of(const void *priv)
629  {
630  	return (void *)priv - offsetof(struct nft_set, data);
631  }
632  
633  struct nft_set *nft_set_lookup_global(const struct net *net,
634  				      const struct nft_table *table,
635  				      const struct nlattr *nla_set_name,
636  				      const struct nlattr *nla_set_id,
637  				      u8 genmask);
638  
639  struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
640  					    const struct nft_set *set);
641  
nft_set_gc_interval(const struct nft_set * set)642  static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
643  {
644  	u32 gc_int = READ_ONCE(set->gc_int);
645  
646  	return gc_int ? msecs_to_jiffies(gc_int) : HZ;
647  }
648  
649  /**
650   *	struct nft_set_binding - nf_tables set binding
651   *
652   *	@list: set bindings list node
653   *	@chain: chain containing the rule bound to the set
654   *	@flags: set action flags
655   *
656   *	A set binding contains all information necessary for validation
657   *	of new elements added to a bound set.
658   */
659  struct nft_set_binding {
660  	struct list_head		list;
661  	const struct nft_chain		*chain;
662  	u32				flags;
663  };
664  
665  enum nft_trans_phase;
666  void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);
667  void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
668  			      struct nft_set_binding *binding,
669  			      enum nft_trans_phase phase);
670  int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
671  		       struct nft_set_binding *binding);
672  void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
673  
674  /**
675   *	enum nft_set_extensions - set extension type IDs
676   *
677   *	@NFT_SET_EXT_KEY: element key
678   *	@NFT_SET_EXT_KEY_END: upper bound element key, for ranges
679   *	@NFT_SET_EXT_DATA: mapping data
680   *	@NFT_SET_EXT_FLAGS: element flags
681   *	@NFT_SET_EXT_TIMEOUT: element timeout
682   *	@NFT_SET_EXT_EXPIRATION: element expiration time
683   *	@NFT_SET_EXT_USERDATA: user data associated with the element
684   *	@NFT_SET_EXT_EXPRESSIONS: expressions assiciated with the element
685   *	@NFT_SET_EXT_OBJREF: stateful object reference associated with element
686   *	@NFT_SET_EXT_NUM: number of extension types
687   */
688  enum nft_set_extensions {
689  	NFT_SET_EXT_KEY,
690  	NFT_SET_EXT_KEY_END,
691  	NFT_SET_EXT_DATA,
692  	NFT_SET_EXT_FLAGS,
693  	NFT_SET_EXT_TIMEOUT,
694  	NFT_SET_EXT_EXPIRATION,
695  	NFT_SET_EXT_USERDATA,
696  	NFT_SET_EXT_EXPRESSIONS,
697  	NFT_SET_EXT_OBJREF,
698  	NFT_SET_EXT_NUM
699  };
700  
701  /**
702   *	struct nft_set_ext_type - set extension type
703   *
704   * 	@len: fixed part length of the extension
705   * 	@align: alignment requirements of the extension
706   */
707  struct nft_set_ext_type {
708  	u8	len;
709  	u8	align;
710  };
711  
712  extern const struct nft_set_ext_type nft_set_ext_types[];
713  
714  /**
715   *	struct nft_set_ext_tmpl - set extension template
716   *
717   *	@len: length of extension area
718   *	@offset: offsets of individual extension types
719   *	@ext_len: length of the expected extension(used to sanity check)
720   */
721  struct nft_set_ext_tmpl {
722  	u16	len;
723  	u8	offset[NFT_SET_EXT_NUM];
724  	u8	ext_len[NFT_SET_EXT_NUM];
725  };
726  
727  /**
728   *	struct nft_set_ext - set extensions
729   *
730   *	@genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT)
731   *	@offset: offsets of individual extension types
732   *	@data: beginning of extension data
733   *
734   *	This structure must be aligned to word size, otherwise atomic bitops
735   *	on genmask field can cause alignment failure on some archs.
736   */
737  struct nft_set_ext {
738  	u8	genmask;
739  	u8	offset[NFT_SET_EXT_NUM];
740  	char	data[];
741  } __aligned(BITS_PER_LONG / 8);
742  
nft_set_ext_prepare(struct nft_set_ext_tmpl * tmpl)743  static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
744  {
745  	memset(tmpl, 0, sizeof(*tmpl));
746  	tmpl->len = sizeof(struct nft_set_ext);
747  }
748  
nft_set_ext_add_length(struct nft_set_ext_tmpl * tmpl,u8 id,unsigned int len)749  static inline int nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
750  					 unsigned int len)
751  {
752  	tmpl->len	 = ALIGN(tmpl->len, nft_set_ext_types[id].align);
753  	if (tmpl->len > U8_MAX)
754  		return -EINVAL;
755  
756  	tmpl->offset[id] = tmpl->len;
757  	tmpl->ext_len[id] = nft_set_ext_types[id].len + len;
758  	tmpl->len	+= tmpl->ext_len[id];
759  
760  	return 0;
761  }
762  
nft_set_ext_add(struct nft_set_ext_tmpl * tmpl,u8 id)763  static inline int nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
764  {
765  	return nft_set_ext_add_length(tmpl, id, 0);
766  }
767  
nft_set_ext_init(struct nft_set_ext * ext,const struct nft_set_ext_tmpl * tmpl)768  static inline void nft_set_ext_init(struct nft_set_ext *ext,
769  				    const struct nft_set_ext_tmpl *tmpl)
770  {
771  	memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
772  }
773  
__nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)774  static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
775  {
776  	return !!ext->offset[id];
777  }
778  
nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)779  static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
780  {
781  	return ext && __nft_set_ext_exists(ext, id);
782  }
783  
nft_set_ext(const struct nft_set_ext * ext,u8 id)784  static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
785  {
786  	return (void *)ext + ext->offset[id];
787  }
788  
nft_set_ext_key(const struct nft_set_ext * ext)789  static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
790  {
791  	return nft_set_ext(ext, NFT_SET_EXT_KEY);
792  }
793  
nft_set_ext_key_end(const struct nft_set_ext * ext)794  static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext)
795  {
796  	return nft_set_ext(ext, NFT_SET_EXT_KEY_END);
797  }
798  
nft_set_ext_data(const struct nft_set_ext * ext)799  static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
800  {
801  	return nft_set_ext(ext, NFT_SET_EXT_DATA);
802  }
803  
nft_set_ext_flags(const struct nft_set_ext * ext)804  static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
805  {
806  	return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
807  }
808  
nft_set_ext_timeout(const struct nft_set_ext * ext)809  static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
810  {
811  	return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
812  }
813  
nft_set_ext_expiration(const struct nft_set_ext * ext)814  static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
815  {
816  	return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
817  }
818  
nft_set_ext_userdata(const struct nft_set_ext * ext)819  static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
820  {
821  	return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
822  }
823  
nft_set_ext_expr(const struct nft_set_ext * ext)824  static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
825  {
826  	return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS);
827  }
828  
nft_set_elem_expired(const struct nft_set_ext * ext)829  static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
830  {
831  	return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
832  	       time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
833  }
834  
nft_set_elem_ext(const struct nft_set * set,void * elem)835  static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
836  						   void *elem)
837  {
838  	return elem + set->ops->elemsize;
839  }
840  
nft_set_ext_obj(const struct nft_set_ext * ext)841  static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
842  {
843  	return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
844  }
845  
846  struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
847  					 const struct nft_set *set,
848  					 const struct nlattr *attr);
849  
850  void *nft_set_elem_init(const struct nft_set *set,
851  			const struct nft_set_ext_tmpl *tmpl,
852  			const u32 *key, const u32 *key_end, const u32 *data,
853  			u64 timeout, u64 expiration, gfp_t gfp);
854  int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
855  			    struct nft_expr *expr_array[]);
856  void nft_set_elem_destroy(const struct nft_set *set, void *elem,
857  			  bool destroy_expr);
858  void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
859  				const struct nft_set *set, void *elem);
860  
861  struct nft_expr_ops;
862  /**
863   *	struct nft_expr_type - nf_tables expression type
864   *
865   *	@select_ops: function to select nft_expr_ops
866   *	@release_ops: release nft_expr_ops
867   *	@ops: default ops, used when no select_ops functions is present
868   *	@inner_ops: inner ops, used for inner packet operation
869   *	@list: used internally
870   *	@name: Identifier
871   *	@owner: module reference
872   *	@policy: netlink attribute policy
873   *	@maxattr: highest netlink attribute number
874   *	@family: address family for AF-specific types
875   *	@flags: expression type flags
876   */
877  struct nft_expr_type {
878  	const struct nft_expr_ops	*(*select_ops)(const struct nft_ctx *,
879  						       const struct nlattr * const tb[]);
880  	void				(*release_ops)(const struct nft_expr_ops *ops);
881  	const struct nft_expr_ops	*ops;
882  	const struct nft_expr_ops	*inner_ops;
883  	struct list_head		list;
884  	const char			*name;
885  	struct module			*owner;
886  	const struct nla_policy		*policy;
887  	unsigned int			maxattr;
888  	u8				family;
889  	u8				flags;
890  };
891  
892  #define NFT_EXPR_STATEFUL		0x1
893  #define NFT_EXPR_GC			0x2
894  
895  enum nft_trans_phase {
896  	NFT_TRANS_PREPARE,
897  	NFT_TRANS_PREPARE_ERROR,
898  	NFT_TRANS_ABORT,
899  	NFT_TRANS_COMMIT,
900  	NFT_TRANS_RELEASE
901  };
902  
903  struct nft_flow_rule;
904  struct nft_offload_ctx;
905  
906  /**
907   *	struct nft_expr_ops - nf_tables expression operations
908   *
909   *	@eval: Expression evaluation function
910   *	@clone: Expression clone function
911   *	@size: full expression size, including private data size
912   *	@init: initialization function
913   *	@activate: activate expression in the next generation
914   *	@deactivate: deactivate expression in next generation
915   *	@destroy: destruction function, called after synchronize_rcu
916   *	@destroy_clone: destruction clone function
917   *	@dump: function to dump parameters
918   *	@validate: validate expression, called during loop detection
919   *	@reduce: reduce expression
920   *	@gc: garbage collection expression
921   *	@offload: hardware offload expression
922   *	@offload_action: function to report true/false to allocate one slot or not in the flow
923   *			 offload array
924   *	@offload_stats: function to synchronize hardware stats via updating the counter expression
925   *	@type: expression type
926   *	@data: extra data to attach to this expression operation
927   */
928  struct nft_expr_ops {
929  	void				(*eval)(const struct nft_expr *expr,
930  						struct nft_regs *regs,
931  						const struct nft_pktinfo *pkt);
932  	int				(*clone)(struct nft_expr *dst,
933  						 const struct nft_expr *src);
934  	unsigned int			size;
935  
936  	int				(*init)(const struct nft_ctx *ctx,
937  						const struct nft_expr *expr,
938  						const struct nlattr * const tb[]);
939  	void				(*activate)(const struct nft_ctx *ctx,
940  						    const struct nft_expr *expr);
941  	void				(*deactivate)(const struct nft_ctx *ctx,
942  						      const struct nft_expr *expr,
943  						      enum nft_trans_phase phase);
944  	void				(*destroy)(const struct nft_ctx *ctx,
945  						   const struct nft_expr *expr);
946  	void				(*destroy_clone)(const struct nft_ctx *ctx,
947  							 const struct nft_expr *expr);
948  	int				(*dump)(struct sk_buff *skb,
949  						const struct nft_expr *expr,
950  						bool reset);
951  	int				(*validate)(const struct nft_ctx *ctx,
952  						    const struct nft_expr *expr,
953  						    const struct nft_data **data);
954  	bool				(*reduce)(struct nft_regs_track *track,
955  						  const struct nft_expr *expr);
956  	bool				(*gc)(struct net *net,
957  					      const struct nft_expr *expr);
958  	int				(*offload)(struct nft_offload_ctx *ctx,
959  						   struct nft_flow_rule *flow,
960  						   const struct nft_expr *expr);
961  	bool				(*offload_action)(const struct nft_expr *expr);
962  	void				(*offload_stats)(struct nft_expr *expr,
963  							 const struct flow_stats *stats);
964  	const struct nft_expr_type	*type;
965  	void				*data;
966  };
967  
968  /**
969   *	struct nft_rule - nf_tables rule
970   *
971   *	@list: used internally
972   *	@handle: rule handle
973   *	@genmask: generation mask
974   *	@dlen: length of expression data
975   *	@udata: user data is appended to the rule
976   *	@data: expression data
977   */
978  struct nft_rule {
979  	struct list_head		list;
980  	u64				handle:42,
981  					genmask:2,
982  					dlen:12,
983  					udata:1;
984  	unsigned char			data[]
985  		__attribute__((aligned(__alignof__(struct nft_expr))));
986  };
987  
nft_expr_first(const struct nft_rule * rule)988  static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
989  {
990  	return (struct nft_expr *)&rule->data[0];
991  }
992  
nft_expr_next(const struct nft_expr * expr)993  static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
994  {
995  	return ((void *)expr) + expr->ops->size;
996  }
997  
nft_expr_last(const struct nft_rule * rule)998  static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
999  {
1000  	return (struct nft_expr *)&rule->data[rule->dlen];
1001  }
1002  
nft_expr_more(const struct nft_rule * rule,const struct nft_expr * expr)1003  static inline bool nft_expr_more(const struct nft_rule *rule,
1004  				 const struct nft_expr *expr)
1005  {
1006  	return expr != nft_expr_last(rule) && expr->ops;
1007  }
1008  
nft_userdata(const struct nft_rule * rule)1009  static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
1010  {
1011  	return (void *)&rule->data[rule->dlen];
1012  }
1013  
1014  void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule);
1015  void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
1016  			      enum nft_trans_phase phase);
1017  void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule);
1018  
nft_set_elem_update_expr(const struct nft_set_ext * ext,struct nft_regs * regs,const struct nft_pktinfo * pkt)1019  static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
1020  					    struct nft_regs *regs,
1021  					    const struct nft_pktinfo *pkt)
1022  {
1023  	struct nft_set_elem_expr *elem_expr;
1024  	struct nft_expr *expr;
1025  	u32 size;
1026  
1027  	if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) {
1028  		elem_expr = nft_set_ext_expr(ext);
1029  		nft_setelem_expr_foreach(expr, elem_expr, size) {
1030  			expr->ops->eval(expr, regs, pkt);
1031  			if (regs->verdict.code == NFT_BREAK)
1032  				return;
1033  		}
1034  	}
1035  }
1036  
1037  /*
1038   * The last pointer isn't really necessary, but the compiler isn't able to
1039   * determine that the result of nft_expr_last() is always the same since it
1040   * can't assume that the dlen value wasn't changed within calls in the loop.
1041   */
1042  #define nft_rule_for_each_expr(expr, last, rule) \
1043  	for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
1044  	     (expr) != (last); \
1045  	     (expr) = nft_expr_next(expr))
1046  
1047  #define NFT_CHAIN_POLICY_UNSET		U8_MAX
1048  
1049  struct nft_rule_dp {
1050  	u64				is_last:1,
1051  					dlen:12,
1052  					handle:42;	/* for tracing */
1053  	unsigned char			data[]
1054  		__attribute__((aligned(__alignof__(struct nft_expr))));
1055  };
1056  
1057  struct nft_rule_dp_last {
1058  	struct nft_rule_dp end;		/* end of nft_rule_blob marker */
1059  	struct rcu_head h;		/* call_rcu head */
1060  	struct nft_rule_blob *blob;	/* ptr to free via call_rcu */
1061  	const struct nft_chain *chain;	/* for nftables tracing */
1062  };
1063  
nft_rule_next(const struct nft_rule_dp * rule)1064  static inline const struct nft_rule_dp *nft_rule_next(const struct nft_rule_dp *rule)
1065  {
1066  	return (void *)rule + sizeof(*rule) + rule->dlen;
1067  }
1068  
1069  struct nft_rule_blob {
1070  	unsigned long			size;
1071  	unsigned char			data[]
1072  		__attribute__((aligned(__alignof__(struct nft_rule_dp))));
1073  };
1074  
1075  /**
1076   *	struct nft_chain - nf_tables chain
1077   *
1078   *	@blob_gen_0: rule blob pointer to the current generation
1079   *	@blob_gen_1: rule blob pointer to the future generation
1080   *	@rules: list of rules in the chain
1081   *	@list: used internally
1082   *	@rhlhead: used internally
1083   *	@table: table that this chain belongs to
1084   *	@handle: chain handle
1085   *	@use: number of jump references to this chain
1086   *	@flags: bitmask of enum NFTA_CHAIN_FLAGS
1087   *	@bound: bind or not
1088   *	@genmask: generation mask
1089   *	@name: name of the chain
1090   *	@udlen: user data length
1091   *	@udata: user data in the chain
1092   *	@blob_next: rule blob pointer to the next in the chain
1093   */
1094  struct nft_chain {
1095  	struct nft_rule_blob		__rcu *blob_gen_0;
1096  	struct nft_rule_blob		__rcu *blob_gen_1;
1097  	struct list_head		rules;
1098  	struct list_head		list;
1099  	struct rhlist_head		rhlhead;
1100  	struct nft_table		*table;
1101  	u64				handle;
1102  	u32				use;
1103  	u8				flags:5,
1104  					bound:1,
1105  					genmask:2;
1106  	char				*name;
1107  	u16				udlen;
1108  	u8				*udata;
1109  
1110  	/* Only used during control plane commit phase: */
1111  	struct nft_rule_blob		*blob_next;
1112  };
1113  
1114  int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
1115  int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
1116  			 const struct nft_set_iter *iter,
1117  			 struct nft_set_elem *elem);
1118  int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
1119  int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
1120  void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
1121  
1122  enum nft_chain_types {
1123  	NFT_CHAIN_T_DEFAULT = 0,
1124  	NFT_CHAIN_T_ROUTE,
1125  	NFT_CHAIN_T_NAT,
1126  	NFT_CHAIN_T_MAX
1127  };
1128  
1129  /**
1130   * 	struct nft_chain_type - nf_tables chain type info
1131   *
1132   * 	@name: name of the type
1133   * 	@type: numeric identifier
1134   * 	@family: address family
1135   * 	@owner: module owner
1136   * 	@hook_mask: mask of valid hooks
1137   * 	@hooks: array of hook functions
1138   *	@ops_register: base chain register function
1139   *	@ops_unregister: base chain unregister function
1140   */
1141  struct nft_chain_type {
1142  	const char			*name;
1143  	enum nft_chain_types		type;
1144  	int				family;
1145  	struct module			*owner;
1146  	unsigned int			hook_mask;
1147  	nf_hookfn			*hooks[NFT_MAX_HOOKS];
1148  	int				(*ops_register)(struct net *net, const struct nf_hook_ops *ops);
1149  	void				(*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
1150  };
1151  
1152  int nft_chain_validate_dependency(const struct nft_chain *chain,
1153  				  enum nft_chain_types type);
1154  int nft_chain_validate_hooks(const struct nft_chain *chain,
1155                               unsigned int hook_flags);
1156  
nft_chain_binding(const struct nft_chain * chain)1157  static inline bool nft_chain_binding(const struct nft_chain *chain)
1158  {
1159  	return chain->flags & NFT_CHAIN_BINDING;
1160  }
1161  
nft_chain_is_bound(struct nft_chain * chain)1162  static inline bool nft_chain_is_bound(struct nft_chain *chain)
1163  {
1164  	return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
1165  }
1166  
1167  int nft_chain_add(struct nft_table *table, struct nft_chain *chain);
1168  void nft_chain_del(struct nft_chain *chain);
1169  void nf_tables_chain_destroy(struct nft_chain *chain);
1170  
1171  struct nft_stats {
1172  	u64			bytes;
1173  	u64			pkts;
1174  	struct u64_stats_sync	syncp;
1175  };
1176  
1177  struct nft_hook {
1178  	struct list_head	list;
1179  	struct nf_hook_ops	ops;
1180  	struct rcu_head		rcu;
1181  };
1182  
1183  /**
1184   *	struct nft_base_chain - nf_tables base chain
1185   *
1186   *	@ops: netfilter hook ops
1187   *	@hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)
1188   *	@type: chain type
1189   *	@policy: default policy
1190   *	@flags: indicate the base chain disabled or not
1191   *	@stats: per-cpu chain stats
1192   *	@chain: the chain
1193   *	@flow_block: flow block (for hardware offload)
1194   */
1195  struct nft_base_chain {
1196  	struct nf_hook_ops		ops;
1197  	struct list_head		hook_list;
1198  	const struct nft_chain_type	*type;
1199  	u8				policy;
1200  	u8				flags;
1201  	struct nft_stats __percpu	*stats;
1202  	struct nft_chain		chain;
1203  	struct flow_block		flow_block;
1204  };
1205  
nft_base_chain(const struct nft_chain * chain)1206  static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
1207  {
1208  	return container_of(chain, struct nft_base_chain, chain);
1209  }
1210  
nft_is_base_chain(const struct nft_chain * chain)1211  static inline bool nft_is_base_chain(const struct nft_chain *chain)
1212  {
1213  	return chain->flags & NFT_CHAIN_BASE;
1214  }
1215  
1216  int __nft_release_basechain(struct nft_ctx *ctx);
1217  
1218  unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1219  
nft_use_inc(u32 * use)1220  static inline bool nft_use_inc(u32 *use)
1221  {
1222  	if (*use == UINT_MAX)
1223  		return false;
1224  
1225  	(*use)++;
1226  
1227  	return true;
1228  }
1229  
nft_use_dec(u32 * use)1230  static inline void nft_use_dec(u32 *use)
1231  {
1232  	WARN_ON_ONCE((*use)-- == 0);
1233  }
1234  
1235  /* For error and abort path: restore use counter to previous state. */
nft_use_inc_restore(u32 * use)1236  static inline void nft_use_inc_restore(u32 *use)
1237  {
1238  	WARN_ON_ONCE(!nft_use_inc(use));
1239  }
1240  
1241  #define nft_use_dec_restore	nft_use_dec
1242  
1243  /**
1244   *	struct nft_table - nf_tables table
1245   *
1246   *	@list: used internally
1247   *	@chains_ht: chains in the table
1248   *	@chains: same, for stable walks
1249   *	@sets: sets in the table
1250   *	@objects: stateful objects in the table
1251   *	@flowtables: flow tables in the table
1252   *	@hgenerator: handle generator state
1253   *	@handle: table handle
1254   *	@use: number of chain references to this table
1255   *	@flags: table flag (see enum nft_table_flags)
1256   *	@genmask: generation mask
1257   *	@afinfo: address family info
1258   *	@name: name of the table
1259   *	@validate_state: internal, set when transaction adds jumps
1260   */
1261  struct nft_table {
1262  	struct list_head		list;
1263  	struct rhltable			chains_ht;
1264  	struct list_head		chains;
1265  	struct list_head		sets;
1266  	struct list_head		objects;
1267  	struct list_head		flowtables;
1268  	u64				hgenerator;
1269  	u64				handle;
1270  	u32				use;
1271  	u16				family:6,
1272  					flags:8,
1273  					genmask:2;
1274  	u32				nlpid;
1275  	char				*name;
1276  	u16				udlen;
1277  	u8				*udata;
1278  	u8				validate_state;
1279  };
1280  
nft_table_has_owner(const struct nft_table * table)1281  static inline bool nft_table_has_owner(const struct nft_table *table)
1282  {
1283  	return table->flags & NFT_TABLE_F_OWNER;
1284  }
1285  
nft_base_chain_netdev(int family,u32 hooknum)1286  static inline bool nft_base_chain_netdev(int family, u32 hooknum)
1287  {
1288  	return family == NFPROTO_NETDEV ||
1289  	       (family == NFPROTO_INET && hooknum == NF_INET_INGRESS);
1290  }
1291  
1292  void nft_register_chain_type(const struct nft_chain_type *);
1293  void nft_unregister_chain_type(const struct nft_chain_type *);
1294  
1295  int nft_register_expr(struct nft_expr_type *);
1296  void nft_unregister_expr(struct nft_expr_type *);
1297  
1298  int nft_verdict_dump(struct sk_buff *skb, int type,
1299  		     const struct nft_verdict *v);
1300  
1301  /**
1302   *	struct nft_object_hash_key - key to lookup nft_object
1303   *
1304   *	@name: name of the stateful object to look up
1305   *	@table: table the object belongs to
1306   */
1307  struct nft_object_hash_key {
1308  	const char                      *name;
1309  	const struct nft_table          *table;
1310  };
1311  
1312  /**
1313   *	struct nft_object - nf_tables stateful object
1314   *
1315   *	@list: table stateful object list node
1316   *	@rhlhead: nft_objname_ht node
1317   *	@key: keys that identify this object
1318   *	@genmask: generation mask
1319   *	@use: number of references to this stateful object
1320   *	@handle: unique object handle
1321   *	@udlen: length of user data
1322   *	@udata: user data
1323   *	@ops: object operations
1324   *	@data: object data, layout depends on type
1325   */
1326  struct nft_object {
1327  	struct list_head		list;
1328  	struct rhlist_head		rhlhead;
1329  	struct nft_object_hash_key	key;
1330  	u32				genmask:2;
1331  	u32				use;
1332  	u64				handle;
1333  	u16				udlen;
1334  	u8				*udata;
1335  	/* runtime data below here */
1336  	const struct nft_object_ops	*ops ____cacheline_aligned;
1337  	unsigned char			data[]
1338  		__attribute__((aligned(__alignof__(u64))));
1339  };
1340  
nft_obj_data(const struct nft_object * obj)1341  static inline void *nft_obj_data(const struct nft_object *obj)
1342  {
1343  	return (void *)obj->data;
1344  }
1345  
1346  #define nft_expr_obj(expr)	*((struct nft_object **)nft_expr_priv(expr))
1347  
1348  struct nft_object *nft_obj_lookup(const struct net *net,
1349  				  const struct nft_table *table,
1350  				  const struct nlattr *nla, u32 objtype,
1351  				  u8 genmask);
1352  
1353  void nft_obj_notify(struct net *net, const struct nft_table *table,
1354  		    struct nft_object *obj, u32 portid, u32 seq,
1355  		    int event, u16 flags, int family, int report, gfp_t gfp);
1356  
1357  /**
1358   *	struct nft_object_type - stateful object type
1359   *
1360   *	@select_ops: function to select nft_object_ops
1361   *	@ops: default ops, used when no select_ops functions is present
1362   *	@list: list node in list of object types
1363   *	@type: stateful object numeric type
1364   *	@owner: module owner
1365   *	@maxattr: maximum netlink attribute
1366   *	@family: address family for AF-specific object types
1367   *	@policy: netlink attribute policy
1368   */
1369  struct nft_object_type {
1370  	const struct nft_object_ops	*(*select_ops)(const struct nft_ctx *,
1371  						       const struct nlattr * const tb[]);
1372  	const struct nft_object_ops	*ops;
1373  	struct list_head		list;
1374  	u32				type;
1375  	unsigned int                    maxattr;
1376  	u8				family;
1377  	struct module			*owner;
1378  	const struct nla_policy		*policy;
1379  };
1380  
1381  /**
1382   *	struct nft_object_ops - stateful object operations
1383   *
1384   *	@eval: stateful object evaluation function
1385   *	@size: stateful object size
1386   *	@init: initialize object from netlink attributes
1387   *	@destroy: release existing stateful object
1388   *	@dump: netlink dump stateful object
1389   *	@update: update stateful object
1390   *	@type: pointer to object type
1391   */
1392  struct nft_object_ops {
1393  	void				(*eval)(struct nft_object *obj,
1394  						struct nft_regs *regs,
1395  						const struct nft_pktinfo *pkt);
1396  	unsigned int			size;
1397  	int				(*init)(const struct nft_ctx *ctx,
1398  						const struct nlattr *const tb[],
1399  						struct nft_object *obj);
1400  	void				(*destroy)(const struct nft_ctx *ctx,
1401  						   struct nft_object *obj);
1402  	int				(*dump)(struct sk_buff *skb,
1403  						struct nft_object *obj,
1404  						bool reset);
1405  	void				(*update)(struct nft_object *obj,
1406  						  struct nft_object *newobj);
1407  	const struct nft_object_type	*type;
1408  };
1409  
1410  int nft_register_obj(struct nft_object_type *obj_type);
1411  void nft_unregister_obj(struct nft_object_type *obj_type);
1412  
1413  #define NFT_NETDEVICE_MAX	256
1414  
1415  /**
1416   *	struct nft_flowtable - nf_tables flow table
1417   *
1418   *	@list: flow table list node in table list
1419   * 	@table: the table the flow table is contained in
1420   *	@name: name of this flow table
1421   *	@hooknum: hook number
1422   *	@ops_len: number of hooks in array
1423   *	@genmask: generation mask
1424   *	@use: number of references to this flow table
1425   * 	@handle: unique object handle
1426   *	@hook_list: hook list for hooks per net_device in flowtables
1427   *	@data: rhashtable and garbage collector
1428   */
1429  struct nft_flowtable {
1430  	struct list_head		list;
1431  	struct nft_table		*table;
1432  	char				*name;
1433  	int				hooknum;
1434  	int				ops_len;
1435  	u32				genmask:2;
1436  	u32				use;
1437  	u64				handle;
1438  	/* runtime data below here */
1439  	struct list_head		hook_list ____cacheline_aligned;
1440  	struct nf_flowtable		data;
1441  };
1442  
1443  struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1444  					   const struct nlattr *nla,
1445  					   u8 genmask);
1446  
1447  void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1448  				    struct nft_flowtable *flowtable,
1449  				    enum nft_trans_phase phase);
1450  
1451  void nft_register_flowtable_type(struct nf_flowtable_type *type);
1452  void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1453  
1454  /**
1455   *	struct nft_traceinfo - nft tracing information and state
1456   *
1457   *	@trace: other struct members are initialised
1458   *	@nf_trace: copy of skb->nf_trace before rule evaluation
1459   *	@type: event type (enum nft_trace_types)
1460   *	@skbid: hash of skb to be used as trace id
1461   *	@packet_dumped: packet headers sent in a previous traceinfo message
1462   *	@basechain: base chain currently processed
1463   */
1464  struct nft_traceinfo {
1465  	bool				trace;
1466  	bool				nf_trace;
1467  	bool				packet_dumped;
1468  	enum nft_trace_types		type:8;
1469  	u32				skbid;
1470  	const struct nft_base_chain	*basechain;
1471  };
1472  
1473  void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1474  		    const struct nft_chain *basechain);
1475  
1476  void nft_trace_notify(const struct nft_pktinfo *pkt,
1477  		      const struct nft_verdict *verdict,
1478  		      const struct nft_rule_dp *rule,
1479  		      struct nft_traceinfo *info);
1480  
1481  #define MODULE_ALIAS_NFT_CHAIN(family, name) \
1482  	MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1483  
1484  #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1485  	MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1486  
1487  #define MODULE_ALIAS_NFT_EXPR(name) \
1488  	MODULE_ALIAS("nft-expr-" name)
1489  
1490  #define MODULE_ALIAS_NFT_OBJ(type) \
1491  	MODULE_ALIAS("nft-obj-" __stringify(type))
1492  
1493  #if IS_ENABLED(CONFIG_NF_TABLES)
1494  
1495  /*
1496   * The gencursor defines two generations, the currently active and the
1497   * next one. Objects contain a bitmask of 2 bits specifying the generations
1498   * they're active in. A set bit means they're inactive in the generation
1499   * represented by that bit.
1500   *
1501   * New objects start out as inactive in the current and active in the
1502   * next generation. When committing the ruleset the bitmask is cleared,
1503   * meaning they're active in all generations. When removing an object,
1504   * it is set inactive in the next generation. After committing the ruleset,
1505   * the objects are removed.
1506   */
nft_gencursor_next(const struct net * net)1507  static inline unsigned int nft_gencursor_next(const struct net *net)
1508  {
1509  	return net->nft.gencursor + 1 == 1 ? 1 : 0;
1510  }
1511  
nft_genmask_next(const struct net * net)1512  static inline u8 nft_genmask_next(const struct net *net)
1513  {
1514  	return 1 << nft_gencursor_next(net);
1515  }
1516  
nft_genmask_cur(const struct net * net)1517  static inline u8 nft_genmask_cur(const struct net *net)
1518  {
1519  	/* Use READ_ONCE() to prevent refetching the value for atomicity */
1520  	return 1 << READ_ONCE(net->nft.gencursor);
1521  }
1522  
1523  #define NFT_GENMASK_ANY		((1 << 0) | (1 << 1))
1524  
1525  /*
1526   * Generic transaction helpers
1527   */
1528  
1529  /* Check if this object is currently active. */
1530  #define nft_is_active(__net, __obj)				\
1531  	(((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1532  
1533  /* Check if this object is active in the next generation. */
1534  #define nft_is_active_next(__net, __obj)			\
1535  	(((__obj)->genmask & nft_genmask_next(__net)) == 0)
1536  
1537  /* This object becomes active in the next generation. */
1538  #define nft_activate_next(__net, __obj)				\
1539  	(__obj)->genmask = nft_genmask_cur(__net)
1540  
1541  /* This object becomes inactive in the next generation. */
1542  #define nft_deactivate_next(__net, __obj)			\
1543          (__obj)->genmask = nft_genmask_next(__net)
1544  
1545  /* After committing the ruleset, clear the stale generation bit. */
1546  #define nft_clear(__net, __obj)					\
1547  	(__obj)->genmask &= ~nft_genmask_next(__net)
1548  #define nft_active_genmask(__obj, __genmask)			\
1549  	!((__obj)->genmask & __genmask)
1550  
1551  /*
1552   * Set element transaction helpers
1553   */
1554  
nft_set_elem_active(const struct nft_set_ext * ext,u8 genmask)1555  static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1556  				       u8 genmask)
1557  {
1558  	return !(ext->genmask & genmask);
1559  }
1560  
nft_set_elem_change_active(const struct net * net,const struct nft_set * set,struct nft_set_ext * ext)1561  static inline void nft_set_elem_change_active(const struct net *net,
1562  					      const struct nft_set *set,
1563  					      struct nft_set_ext *ext)
1564  {
1565  	ext->genmask ^= nft_genmask_next(net);
1566  }
1567  
1568  #endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1569  
1570  #define NFT_SET_ELEM_DEAD_MASK	(1 << 2)
1571  
1572  #if defined(__LITTLE_ENDIAN_BITFIELD)
1573  #define NFT_SET_ELEM_DEAD_BIT	2
1574  #elif defined(__BIG_ENDIAN_BITFIELD)
1575  #define NFT_SET_ELEM_DEAD_BIT	(BITS_PER_LONG - BITS_PER_BYTE + 2)
1576  #else
1577  #error
1578  #endif
1579  
nft_set_elem_dead(struct nft_set_ext * ext)1580  static inline void nft_set_elem_dead(struct nft_set_ext *ext)
1581  {
1582  	unsigned long *word = (unsigned long *)ext;
1583  
1584  	BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1585  	set_bit(NFT_SET_ELEM_DEAD_BIT, word);
1586  }
1587  
nft_set_elem_is_dead(const struct nft_set_ext * ext)1588  static inline int nft_set_elem_is_dead(const struct nft_set_ext *ext)
1589  {
1590  	unsigned long *word = (unsigned long *)ext;
1591  
1592  	BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1593  	return test_bit(NFT_SET_ELEM_DEAD_BIT, word);
1594  }
1595  
1596  /**
1597   *	struct nft_trans - nf_tables object update in transaction
1598   *
1599   *	@list: used internally
1600   *	@binding_list: list of objects with possible bindings
1601   *	@msg_type: message type
1602   *	@put_net: ctx->net needs to be put
1603   *	@ctx: transaction context
1604   *	@data: internal information related to the transaction
1605   */
1606  struct nft_trans {
1607  	struct list_head		list;
1608  	struct list_head		binding_list;
1609  	int				msg_type;
1610  	bool				put_net;
1611  	struct nft_ctx			ctx;
1612  	char				data[];
1613  };
1614  
1615  struct nft_trans_rule {
1616  	struct nft_rule			*rule;
1617  	struct nft_flow_rule		*flow;
1618  	u32				rule_id;
1619  	bool				bound;
1620  };
1621  
1622  #define nft_trans_rule(trans)	\
1623  	(((struct nft_trans_rule *)trans->data)->rule)
1624  #define nft_trans_flow_rule(trans)	\
1625  	(((struct nft_trans_rule *)trans->data)->flow)
1626  #define nft_trans_rule_id(trans)	\
1627  	(((struct nft_trans_rule *)trans->data)->rule_id)
1628  #define nft_trans_rule_bound(trans)	\
1629  	(((struct nft_trans_rule *)trans->data)->bound)
1630  
1631  struct nft_trans_set {
1632  	struct nft_set			*set;
1633  	u32				set_id;
1634  	u32				gc_int;
1635  	u64				timeout;
1636  	bool				update;
1637  	bool				bound;
1638  	u32				size;
1639  };
1640  
1641  #define nft_trans_set(trans)	\
1642  	(((struct nft_trans_set *)trans->data)->set)
1643  #define nft_trans_set_id(trans)	\
1644  	(((struct nft_trans_set *)trans->data)->set_id)
1645  #define nft_trans_set_bound(trans)	\
1646  	(((struct nft_trans_set *)trans->data)->bound)
1647  #define nft_trans_set_update(trans)	\
1648  	(((struct nft_trans_set *)trans->data)->update)
1649  #define nft_trans_set_timeout(trans)	\
1650  	(((struct nft_trans_set *)trans->data)->timeout)
1651  #define nft_trans_set_gc_int(trans)	\
1652  	(((struct nft_trans_set *)trans->data)->gc_int)
1653  #define nft_trans_set_size(trans)	\
1654  	(((struct nft_trans_set *)trans->data)->size)
1655  
1656  struct nft_trans_chain {
1657  	struct nft_chain		*chain;
1658  	bool				update;
1659  	char				*name;
1660  	struct nft_stats __percpu	*stats;
1661  	u8				policy;
1662  	bool				bound;
1663  	u32				chain_id;
1664  	struct nft_base_chain		*basechain;
1665  	struct list_head		hook_list;
1666  };
1667  
1668  #define nft_trans_chain(trans)	\
1669  	(((struct nft_trans_chain *)trans->data)->chain)
1670  #define nft_trans_chain_update(trans)	\
1671  	(((struct nft_trans_chain *)trans->data)->update)
1672  #define nft_trans_chain_name(trans)	\
1673  	(((struct nft_trans_chain *)trans->data)->name)
1674  #define nft_trans_chain_stats(trans)	\
1675  	(((struct nft_trans_chain *)trans->data)->stats)
1676  #define nft_trans_chain_policy(trans)	\
1677  	(((struct nft_trans_chain *)trans->data)->policy)
1678  #define nft_trans_chain_bound(trans)	\
1679  	(((struct nft_trans_chain *)trans->data)->bound)
1680  #define nft_trans_chain_id(trans)	\
1681  	(((struct nft_trans_chain *)trans->data)->chain_id)
1682  #define nft_trans_basechain(trans)	\
1683  	(((struct nft_trans_chain *)trans->data)->basechain)
1684  #define nft_trans_chain_hooks(trans)	\
1685  	(((struct nft_trans_chain *)trans->data)->hook_list)
1686  
1687  struct nft_trans_table {
1688  	bool				update;
1689  };
1690  
1691  #define nft_trans_table_update(trans)	\
1692  	(((struct nft_trans_table *)trans->data)->update)
1693  
1694  struct nft_trans_elem {
1695  	struct nft_set			*set;
1696  	struct nft_set_elem		elem;
1697  	bool				bound;
1698  };
1699  
1700  #define nft_trans_elem_set(trans)	\
1701  	(((struct nft_trans_elem *)trans->data)->set)
1702  #define nft_trans_elem(trans)	\
1703  	(((struct nft_trans_elem *)trans->data)->elem)
1704  #define nft_trans_elem_set_bound(trans)	\
1705  	(((struct nft_trans_elem *)trans->data)->bound)
1706  
1707  struct nft_trans_obj {
1708  	struct nft_object		*obj;
1709  	struct nft_object		*newobj;
1710  	bool				update;
1711  };
1712  
1713  #define nft_trans_obj(trans)	\
1714  	(((struct nft_trans_obj *)trans->data)->obj)
1715  #define nft_trans_obj_newobj(trans) \
1716  	(((struct nft_trans_obj *)trans->data)->newobj)
1717  #define nft_trans_obj_update(trans)	\
1718  	(((struct nft_trans_obj *)trans->data)->update)
1719  
1720  struct nft_trans_flowtable {
1721  	struct nft_flowtable		*flowtable;
1722  	bool				update;
1723  	struct list_head		hook_list;
1724  	u32				flags;
1725  };
1726  
1727  #define nft_trans_flowtable(trans)	\
1728  	(((struct nft_trans_flowtable *)trans->data)->flowtable)
1729  #define nft_trans_flowtable_update(trans)	\
1730  	(((struct nft_trans_flowtable *)trans->data)->update)
1731  #define nft_trans_flowtable_hooks(trans)	\
1732  	(((struct nft_trans_flowtable *)trans->data)->hook_list)
1733  #define nft_trans_flowtable_flags(trans)	\
1734  	(((struct nft_trans_flowtable *)trans->data)->flags)
1735  
1736  #define NFT_TRANS_GC_BATCHCOUNT	256
1737  
1738  struct nft_trans_gc {
1739  	struct list_head	list;
1740  	struct net		*net;
1741  	struct nft_set		*set;
1742  	u32			seq;
1743  	u16			count;
1744  	void			*priv[NFT_TRANS_GC_BATCHCOUNT];
1745  	struct rcu_head		rcu;
1746  };
1747  
1748  struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
1749  					unsigned int gc_seq, gfp_t gfp);
1750  void nft_trans_gc_destroy(struct nft_trans_gc *trans);
1751  
1752  struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
1753  					      unsigned int gc_seq, gfp_t gfp);
1754  void nft_trans_gc_queue_async_done(struct nft_trans_gc *gc);
1755  
1756  struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp);
1757  void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans);
1758  
1759  void nft_trans_gc_elem_add(struct nft_trans_gc *gc, void *priv);
1760  
1761  struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
1762  						 unsigned int gc_seq);
1763  struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc);
1764  
1765  void nft_setelem_data_deactivate(const struct net *net,
1766  				 const struct nft_set *set,
1767  				 struct nft_set_elem *elem);
1768  
1769  int __init nft_chain_filter_init(void);
1770  void nft_chain_filter_fini(void);
1771  
1772  void __init nft_chain_route_init(void);
1773  void nft_chain_route_fini(void);
1774  
1775  void nf_tables_trans_destroy_flush_work(void);
1776  
1777  int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
1778  __be64 nf_jiffies64_to_msecs(u64 input);
1779  
1780  #ifdef CONFIG_MODULES
1781  __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...);
1782  #else
nft_request_module(struct net * net,const char * fmt,...)1783  static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; }
1784  #endif
1785  
1786  struct nftables_pernet {
1787  	struct list_head	tables;
1788  	struct list_head	commit_list;
1789  	struct list_head	binding_list;
1790  	struct list_head	module_list;
1791  	struct list_head	notify_list;
1792  	struct mutex		commit_mutex;
1793  	u64			table_handle;
1794  	unsigned int		base_seq;
1795  	unsigned int		gc_seq;
1796  	u8			validate_state;
1797  };
1798  
1799  extern unsigned int nf_tables_net_id;
1800  
nft_pernet(const struct net * net)1801  static inline struct nftables_pernet *nft_pernet(const struct net *net)
1802  {
1803  	return net_generic(net, nf_tables_net_id);
1804  }
1805  
1806  #define __NFT_REDUCE_READONLY	1UL
1807  #define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY
1808  
nft_reduce_is_readonly(const struct nft_expr * expr)1809  static inline bool nft_reduce_is_readonly(const struct nft_expr *expr)
1810  {
1811  	return expr->ops->reduce == NFT_REDUCE_READONLY;
1812  }
1813  
1814  void nft_reg_track_update(struct nft_regs_track *track,
1815  			  const struct nft_expr *expr, u8 dreg, u8 len);
1816  void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len);
1817  void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg);
1818  
nft_reg_track_cmp(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg)1819  static inline bool nft_reg_track_cmp(struct nft_regs_track *track,
1820  				     const struct nft_expr *expr, u8 dreg)
1821  {
1822  	return track->regs[dreg].selector &&
1823  	       track->regs[dreg].selector->ops == expr->ops &&
1824  	       track->regs[dreg].num_reg == 0;
1825  }
1826  
1827  #endif /* _NET_NF_TABLES_H */
1828