196518518SPatrick McHardy #ifndef _NET_NF_TABLES_H 296518518SPatrick McHardy #define _NET_NF_TABLES_H 396518518SPatrick McHardy 496518518SPatrick McHardy #include <linux/list.h> 596518518SPatrick McHardy #include <linux/netfilter.h> 667a8fc27SPatrick McHardy #include <linux/netfilter/nfnetlink.h> 70ca743a5SPablo Neira Ayuso #include <linux/netfilter/x_tables.h> 896518518SPatrick McHardy #include <linux/netfilter/nf_tables.h> 996518518SPatrick McHardy #include <net/netlink.h> 1096518518SPatrick McHardy 1120a69341SPatrick McHardy #define NFT_JUMP_STACK_SIZE 16 1220a69341SPatrick McHardy 1396518518SPatrick McHardy struct nft_pktinfo { 1496518518SPatrick McHardy struct sk_buff *skb; 1596518518SPatrick McHardy const struct net_device *in; 1696518518SPatrick McHardy const struct net_device *out; 17c9484874SPatrick McHardy const struct nf_hook_ops *ops; 1896518518SPatrick McHardy u8 nhoff; 1996518518SPatrick McHardy u8 thoff; 204566bf27SPatrick McHardy u8 tprot; 210ca743a5SPablo Neira Ayuso /* for x_tables compatibility */ 220ca743a5SPablo Neira Ayuso struct xt_action_param xt; 2396518518SPatrick McHardy }; 2496518518SPatrick McHardy 250ca743a5SPablo Neira Ayuso static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 260ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops, 270ca743a5SPablo Neira Ayuso struct sk_buff *skb, 280ca743a5SPablo Neira Ayuso const struct net_device *in, 290ca743a5SPablo Neira Ayuso const struct net_device *out) 300ca743a5SPablo Neira Ayuso { 310ca743a5SPablo Neira Ayuso pkt->skb = skb; 320ca743a5SPablo Neira Ayuso pkt->in = pkt->xt.in = in; 330ca743a5SPablo Neira Ayuso pkt->out = pkt->xt.out = out; 34c9484874SPatrick McHardy pkt->ops = ops; 35c9484874SPatrick McHardy pkt->xt.hooknum = ops->hooknum; 360ca743a5SPablo Neira Ayuso pkt->xt.family = ops->pf; 370ca743a5SPablo Neira Ayuso } 380ca743a5SPablo Neira Ayuso 3996518518SPatrick McHardy struct nft_data { 4096518518SPatrick McHardy union { 4196518518SPatrick McHardy u32 data[4]; 4296518518SPatrick McHardy struct { 4396518518SPatrick McHardy u32 verdict; 4496518518SPatrick McHardy struct nft_chain *chain; 4596518518SPatrick McHardy }; 4696518518SPatrick McHardy }; 4796518518SPatrick McHardy } __attribute__((aligned(__alignof__(u64)))); 4896518518SPatrick McHardy 4996518518SPatrick McHardy static inline int nft_data_cmp(const struct nft_data *d1, 5096518518SPatrick McHardy const struct nft_data *d2, 5196518518SPatrick McHardy unsigned int len) 5296518518SPatrick McHardy { 5396518518SPatrick McHardy return memcmp(d1->data, d2->data, len); 5496518518SPatrick McHardy } 5596518518SPatrick McHardy 5696518518SPatrick McHardy static inline void nft_data_copy(struct nft_data *dst, 5796518518SPatrick McHardy const struct nft_data *src) 5896518518SPatrick McHardy { 5996518518SPatrick McHardy BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64)); 6096518518SPatrick McHardy *(u64 *)&dst->data[0] = *(u64 *)&src->data[0]; 6196518518SPatrick McHardy *(u64 *)&dst->data[2] = *(u64 *)&src->data[2]; 6296518518SPatrick McHardy } 6396518518SPatrick McHardy 6496518518SPatrick McHardy static inline void nft_data_debug(const struct nft_data *data) 6596518518SPatrick McHardy { 6696518518SPatrick McHardy pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 6796518518SPatrick McHardy data->data[0], data->data[1], 6896518518SPatrick McHardy data->data[2], data->data[3]); 6996518518SPatrick McHardy } 7096518518SPatrick McHardy 7196518518SPatrick McHardy /** 7220a69341SPatrick McHardy * struct nft_ctx - nf_tables rule/set context 7396518518SPatrick McHardy * 7499633ab2SPablo Neira Ayuso * @net: net namespace 7520a69341SPatrick McHardy * @skb: netlink skb 7620a69341SPatrick McHardy * @nlh: netlink message header 7796518518SPatrick McHardy * @afi: address family info 7896518518SPatrick McHardy * @table: the table the chain is contained in 7996518518SPatrick McHardy * @chain: the chain the rule is contained in 800ca743a5SPablo Neira Ayuso * @nla: netlink attributes 8196518518SPatrick McHardy */ 8296518518SPatrick McHardy struct nft_ctx { 8399633ab2SPablo Neira Ayuso struct net *net; 8420a69341SPatrick McHardy const struct sk_buff *skb; 8520a69341SPatrick McHardy const struct nlmsghdr *nlh; 867c95f6d8SPablo Neira Ayuso struct nft_af_info *afi; 877c95f6d8SPablo Neira Ayuso struct nft_table *table; 887c95f6d8SPablo Neira Ayuso struct nft_chain *chain; 890ca743a5SPablo Neira Ayuso const struct nlattr * const *nla; 9096518518SPatrick McHardy }; 9196518518SPatrick McHardy 9296518518SPatrick McHardy struct nft_data_desc { 9396518518SPatrick McHardy enum nft_data_types type; 9496518518SPatrick McHardy unsigned int len; 9596518518SPatrick McHardy }; 9696518518SPatrick McHardy 975eccdfaaSJoe Perches int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 9896518518SPatrick McHardy struct nft_data_desc *desc, const struct nlattr *nla); 995eccdfaaSJoe Perches void nft_data_uninit(const struct nft_data *data, enum nft_data_types type); 1005eccdfaaSJoe Perches int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 10196518518SPatrick McHardy enum nft_data_types type, unsigned int len); 10296518518SPatrick McHardy 10396518518SPatrick McHardy static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 10496518518SPatrick McHardy { 10596518518SPatrick McHardy return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 10696518518SPatrick McHardy } 10796518518SPatrick McHardy 10820a69341SPatrick McHardy static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 10920a69341SPatrick McHardy { 11020a69341SPatrick McHardy return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1; 11120a69341SPatrick McHardy } 11220a69341SPatrick McHardy 1135eccdfaaSJoe Perches int nft_validate_input_register(enum nft_registers reg); 1145eccdfaaSJoe Perches int nft_validate_output_register(enum nft_registers reg); 1155eccdfaaSJoe Perches int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg, 11696518518SPatrick McHardy const struct nft_data *data, 11796518518SPatrick McHardy enum nft_data_types type); 11896518518SPatrick McHardy 11996518518SPatrick McHardy /** 12020a69341SPatrick McHardy * struct nft_set_elem - generic representation of set elements 12120a69341SPatrick McHardy * 12220a69341SPatrick McHardy * @cookie: implementation specific element cookie 12320a69341SPatrick McHardy * @key: element key 12420a69341SPatrick McHardy * @data: element data (maps only) 12520a69341SPatrick McHardy * @flags: element flags (end of interval) 12620a69341SPatrick McHardy * 12720a69341SPatrick McHardy * The cookie can be used to store a handle to the element for subsequent 12820a69341SPatrick McHardy * removal. 12920a69341SPatrick McHardy */ 13020a69341SPatrick McHardy struct nft_set_elem { 13120a69341SPatrick McHardy void *cookie; 13220a69341SPatrick McHardy struct nft_data key; 13320a69341SPatrick McHardy struct nft_data data; 13420a69341SPatrick McHardy u32 flags; 13520a69341SPatrick McHardy }; 13620a69341SPatrick McHardy 13720a69341SPatrick McHardy struct nft_set; 13820a69341SPatrick McHardy struct nft_set_iter { 13920a69341SPatrick McHardy unsigned int count; 14020a69341SPatrick McHardy unsigned int skip; 14120a69341SPatrick McHardy int err; 14220a69341SPatrick McHardy int (*fn)(const struct nft_ctx *ctx, 14320a69341SPatrick McHardy const struct nft_set *set, 14420a69341SPatrick McHardy const struct nft_set_iter *iter, 14520a69341SPatrick McHardy const struct nft_set_elem *elem); 14620a69341SPatrick McHardy }; 14720a69341SPatrick McHardy 14820a69341SPatrick McHardy /** 149c50b960cSPatrick McHardy * struct nft_set_desc - description of set elements 150c50b960cSPatrick McHardy * 151c50b960cSPatrick McHardy * @klen: key length 152c50b960cSPatrick McHardy * @dlen: data length 153c50b960cSPatrick McHardy * @size: number of set elements 154c50b960cSPatrick McHardy */ 155c50b960cSPatrick McHardy struct nft_set_desc { 156c50b960cSPatrick McHardy unsigned int klen; 157c50b960cSPatrick McHardy unsigned int dlen; 158c50b960cSPatrick McHardy unsigned int size; 159c50b960cSPatrick McHardy }; 160c50b960cSPatrick McHardy 161c50b960cSPatrick McHardy /** 162c50b960cSPatrick McHardy * enum nft_set_class - performance class 163c50b960cSPatrick McHardy * 164c50b960cSPatrick McHardy * @NFT_LOOKUP_O_1: constant, O(1) 165c50b960cSPatrick McHardy * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 166c50b960cSPatrick McHardy * @NFT_LOOKUP_O_N: linear, O(N) 167c50b960cSPatrick McHardy */ 168c50b960cSPatrick McHardy enum nft_set_class { 169c50b960cSPatrick McHardy NFT_SET_CLASS_O_1, 170c50b960cSPatrick McHardy NFT_SET_CLASS_O_LOG_N, 171c50b960cSPatrick McHardy NFT_SET_CLASS_O_N, 172c50b960cSPatrick McHardy }; 173c50b960cSPatrick McHardy 174c50b960cSPatrick McHardy /** 175c50b960cSPatrick McHardy * struct nft_set_estimate - estimation of memory and performance 176c50b960cSPatrick McHardy * characteristics 177c50b960cSPatrick McHardy * 178c50b960cSPatrick McHardy * @size: required memory 179c50b960cSPatrick McHardy * @class: lookup performance class 180c50b960cSPatrick McHardy */ 181c50b960cSPatrick McHardy struct nft_set_estimate { 182c50b960cSPatrick McHardy unsigned int size; 183c50b960cSPatrick McHardy enum nft_set_class class; 184c50b960cSPatrick McHardy }; 185c50b960cSPatrick McHardy 186c50b960cSPatrick McHardy /** 18720a69341SPatrick McHardy * struct nft_set_ops - nf_tables set operations 18820a69341SPatrick McHardy * 18920a69341SPatrick McHardy * @lookup: look up an element within the set 19020a69341SPatrick McHardy * @insert: insert new element into set 19120a69341SPatrick McHardy * @remove: remove element from set 19220a69341SPatrick McHardy * @walk: iterate over all set elemeennts 19320a69341SPatrick McHardy * @privsize: function to return size of set private data 19420a69341SPatrick McHardy * @init: initialize private data of new set instance 19520a69341SPatrick McHardy * @destroy: destroy private data of set instance 19620a69341SPatrick McHardy * @list: nf_tables_set_ops list node 19720a69341SPatrick McHardy * @owner: module reference 19820a69341SPatrick McHardy * @features: features supported by the implementation 19920a69341SPatrick McHardy */ 20020a69341SPatrick McHardy struct nft_set_ops { 20120a69341SPatrick McHardy bool (*lookup)(const struct nft_set *set, 20220a69341SPatrick McHardy const struct nft_data *key, 20320a69341SPatrick McHardy struct nft_data *data); 20420a69341SPatrick McHardy int (*get)(const struct nft_set *set, 20520a69341SPatrick McHardy struct nft_set_elem *elem); 20620a69341SPatrick McHardy int (*insert)(const struct nft_set *set, 20720a69341SPatrick McHardy const struct nft_set_elem *elem); 20820a69341SPatrick McHardy void (*remove)(const struct nft_set *set, 20920a69341SPatrick McHardy const struct nft_set_elem *elem); 21020a69341SPatrick McHardy void (*walk)(const struct nft_ctx *ctx, 21120a69341SPatrick McHardy const struct nft_set *set, 21220a69341SPatrick McHardy struct nft_set_iter *iter); 21320a69341SPatrick McHardy 21420a69341SPatrick McHardy unsigned int (*privsize)(const struct nlattr * const nla[]); 215c50b960cSPatrick McHardy bool (*estimate)(const struct nft_set_desc *desc, 216c50b960cSPatrick McHardy u32 features, 217c50b960cSPatrick McHardy struct nft_set_estimate *est); 21820a69341SPatrick McHardy int (*init)(const struct nft_set *set, 219c50b960cSPatrick McHardy const struct nft_set_desc *desc, 22020a69341SPatrick McHardy const struct nlattr * const nla[]); 22120a69341SPatrick McHardy void (*destroy)(const struct nft_set *set); 22220a69341SPatrick McHardy 22320a69341SPatrick McHardy struct list_head list; 22420a69341SPatrick McHardy struct module *owner; 22520a69341SPatrick McHardy u32 features; 22620a69341SPatrick McHardy }; 22720a69341SPatrick McHardy 2285eccdfaaSJoe Perches int nft_register_set(struct nft_set_ops *ops); 2295eccdfaaSJoe Perches void nft_unregister_set(struct nft_set_ops *ops); 23020a69341SPatrick McHardy 23120a69341SPatrick McHardy /** 23220a69341SPatrick McHardy * struct nft_set - nf_tables set instance 23320a69341SPatrick McHardy * 23420a69341SPatrick McHardy * @list: table set list node 23520a69341SPatrick McHardy * @bindings: list of set bindings 23620a69341SPatrick McHardy * @name: name of the set 23720a69341SPatrick McHardy * @ktype: key type (numeric type defined by userspace, not used in the kernel) 23820a69341SPatrick McHardy * @dtype: data type (verdict or numeric type defined by userspace) 239c50b960cSPatrick McHardy * @size: maximum set size 240c50b960cSPatrick McHardy * @nelems: number of elements 24120a69341SPatrick McHardy * @ops: set ops 24220a69341SPatrick McHardy * @flags: set flags 24320a69341SPatrick McHardy * @klen: key length 24420a69341SPatrick McHardy * @dlen: data length 24520a69341SPatrick McHardy * @data: private set data 24620a69341SPatrick McHardy */ 24720a69341SPatrick McHardy struct nft_set { 24820a69341SPatrick McHardy struct list_head list; 24920a69341SPatrick McHardy struct list_head bindings; 25020a69341SPatrick McHardy char name[IFNAMSIZ]; 25120a69341SPatrick McHardy u32 ktype; 25220a69341SPatrick McHardy u32 dtype; 253c50b960cSPatrick McHardy u32 size; 254c50b960cSPatrick McHardy u32 nelems; 25520a69341SPatrick McHardy /* runtime data below here */ 25620a69341SPatrick McHardy const struct nft_set_ops *ops ____cacheline_aligned; 25720a69341SPatrick McHardy u16 flags; 25820a69341SPatrick McHardy u8 klen; 25920a69341SPatrick McHardy u8 dlen; 26020a69341SPatrick McHardy unsigned char data[] 26120a69341SPatrick McHardy __attribute__((aligned(__alignof__(u64)))); 26220a69341SPatrick McHardy }; 26320a69341SPatrick McHardy 26420a69341SPatrick McHardy static inline void *nft_set_priv(const struct nft_set *set) 26520a69341SPatrick McHardy { 26620a69341SPatrick McHardy return (void *)set->data; 26720a69341SPatrick McHardy } 26820a69341SPatrick McHardy 2695eccdfaaSJoe Perches struct nft_set *nf_tables_set_lookup(const struct nft_table *table, 27020a69341SPatrick McHardy const struct nlattr *nla); 27120a69341SPatrick McHardy 27220a69341SPatrick McHardy /** 27320a69341SPatrick McHardy * struct nft_set_binding - nf_tables set binding 27420a69341SPatrick McHardy * 27520a69341SPatrick McHardy * @list: set bindings list node 27620a69341SPatrick McHardy * @chain: chain containing the rule bound to the set 27720a69341SPatrick McHardy * 27820a69341SPatrick McHardy * A set binding contains all information necessary for validation 27920a69341SPatrick McHardy * of new elements added to a bound set. 28020a69341SPatrick McHardy */ 28120a69341SPatrick McHardy struct nft_set_binding { 28220a69341SPatrick McHardy struct list_head list; 28320a69341SPatrick McHardy const struct nft_chain *chain; 28420a69341SPatrick McHardy }; 28520a69341SPatrick McHardy 2865eccdfaaSJoe Perches int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 28720a69341SPatrick McHardy struct nft_set_binding *binding); 2885eccdfaaSJoe Perches void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 28920a69341SPatrick McHardy struct nft_set_binding *binding); 29020a69341SPatrick McHardy 291ef1f7df9SPatrick McHardy 29220a69341SPatrick McHardy /** 293ef1f7df9SPatrick McHardy * struct nft_expr_type - nf_tables expression type 29496518518SPatrick McHardy * 295ef1f7df9SPatrick McHardy * @select_ops: function to select nft_expr_ops 296ef1f7df9SPatrick McHardy * @ops: default ops, used when no select_ops functions is present 29796518518SPatrick McHardy * @list: used internally 29896518518SPatrick McHardy * @name: Identifier 29996518518SPatrick McHardy * @owner: module reference 30096518518SPatrick McHardy * @policy: netlink attribute policy 30196518518SPatrick McHardy * @maxattr: highest netlink attribute number 30264d46806SPatrick McHardy * @family: address family for AF-specific types 303ef1f7df9SPatrick McHardy */ 304ef1f7df9SPatrick McHardy struct nft_expr_type { 3050ca743a5SPablo Neira Ayuso const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 3060ca743a5SPablo Neira Ayuso const struct nlattr * const tb[]); 307ef1f7df9SPatrick McHardy const struct nft_expr_ops *ops; 308ef1f7df9SPatrick McHardy struct list_head list; 309ef1f7df9SPatrick McHardy const char *name; 310ef1f7df9SPatrick McHardy struct module *owner; 311ef1f7df9SPatrick McHardy const struct nla_policy *policy; 312ef1f7df9SPatrick McHardy unsigned int maxattr; 31364d46806SPatrick McHardy u8 family; 314ef1f7df9SPatrick McHardy }; 315ef1f7df9SPatrick McHardy 316ef1f7df9SPatrick McHardy /** 317ef1f7df9SPatrick McHardy * struct nft_expr_ops - nf_tables expression operations 318ef1f7df9SPatrick McHardy * 319ef1f7df9SPatrick McHardy * @eval: Expression evaluation function 32096518518SPatrick McHardy * @size: full expression size, including private data size 321ef1f7df9SPatrick McHardy * @init: initialization function 322ef1f7df9SPatrick McHardy * @destroy: destruction function 323ef1f7df9SPatrick McHardy * @dump: function to dump parameters 324ef1f7df9SPatrick McHardy * @type: expression type 3250ca743a5SPablo Neira Ayuso * @validate: validate expression, called during loop detection 3260ca743a5SPablo Neira Ayuso * @data: extra data to attach to this expression operation 32796518518SPatrick McHardy */ 32896518518SPatrick McHardy struct nft_expr; 32996518518SPatrick McHardy struct nft_expr_ops { 33096518518SPatrick McHardy void (*eval)(const struct nft_expr *expr, 33196518518SPatrick McHardy struct nft_data data[NFT_REG_MAX + 1], 33296518518SPatrick McHardy const struct nft_pktinfo *pkt); 333ef1f7df9SPatrick McHardy unsigned int size; 334ef1f7df9SPatrick McHardy 33596518518SPatrick McHardy int (*init)(const struct nft_ctx *ctx, 33696518518SPatrick McHardy const struct nft_expr *expr, 33796518518SPatrick McHardy const struct nlattr * const tb[]); 33862472bceSPatrick McHardy void (*destroy)(const struct nft_ctx *ctx, 33962472bceSPatrick McHardy const struct nft_expr *expr); 34096518518SPatrick McHardy int (*dump)(struct sk_buff *skb, 34196518518SPatrick McHardy const struct nft_expr *expr); 3420ca743a5SPablo Neira Ayuso int (*validate)(const struct nft_ctx *ctx, 3430ca743a5SPablo Neira Ayuso const struct nft_expr *expr, 3440ca743a5SPablo Neira Ayuso const struct nft_data **data); 345ef1f7df9SPatrick McHardy const struct nft_expr_type *type; 3460ca743a5SPablo Neira Ayuso void *data; 34796518518SPatrick McHardy }; 34896518518SPatrick McHardy 349ef1f7df9SPatrick McHardy #define NFT_EXPR_MAXATTR 16 35096518518SPatrick McHardy #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 35196518518SPatrick McHardy ALIGN(size, __alignof__(struct nft_expr))) 35296518518SPatrick McHardy 35396518518SPatrick McHardy /** 35496518518SPatrick McHardy * struct nft_expr - nf_tables expression 35596518518SPatrick McHardy * 35696518518SPatrick McHardy * @ops: expression ops 35796518518SPatrick McHardy * @data: expression private data 35896518518SPatrick McHardy */ 35996518518SPatrick McHardy struct nft_expr { 36096518518SPatrick McHardy const struct nft_expr_ops *ops; 36196518518SPatrick McHardy unsigned char data[]; 36296518518SPatrick McHardy }; 36396518518SPatrick McHardy 36496518518SPatrick McHardy static inline void *nft_expr_priv(const struct nft_expr *expr) 36596518518SPatrick McHardy { 36696518518SPatrick McHardy return (void *)expr->data; 36796518518SPatrick McHardy } 36896518518SPatrick McHardy 36996518518SPatrick McHardy /** 37096518518SPatrick McHardy * struct nft_rule - nf_tables rule 37196518518SPatrick McHardy * 37296518518SPatrick McHardy * @list: used internally 37396518518SPatrick McHardy * @handle: rule handle 3740628b123SPablo Neira Ayuso * @genmask: generation mask 37596518518SPatrick McHardy * @dlen: length of expression data 3760768b3b3SPablo Neira Ayuso * @ulen: length of user data (used for comments) 37796518518SPatrick McHardy * @data: expression data 37896518518SPatrick McHardy */ 37996518518SPatrick McHardy struct nft_rule { 38096518518SPatrick McHardy struct list_head list; 3810768b3b3SPablo Neira Ayuso u64 handle:42, 3820628b123SPablo Neira Ayuso genmask:2, 3830768b3b3SPablo Neira Ayuso dlen:12, 3840768b3b3SPablo Neira Ayuso ulen:8; 38596518518SPatrick McHardy unsigned char data[] 38696518518SPatrick McHardy __attribute__((aligned(__alignof__(struct nft_expr)))); 38796518518SPatrick McHardy }; 38896518518SPatrick McHardy 3890628b123SPablo Neira Ayuso /** 3901081d11bSPablo Neira Ayuso * struct nft_trans - nf_tables object update in transaction 3910628b123SPablo Neira Ayuso * 3920628b123SPablo Neira Ayuso * @list: used internally 3931081d11bSPablo Neira Ayuso * @ctx: transaction context 3941081d11bSPablo Neira Ayuso * @data: internal information related to the transaction 3950628b123SPablo Neira Ayuso */ 3961081d11bSPablo Neira Ayuso struct nft_trans { 3970628b123SPablo Neira Ayuso struct list_head list; 39862472bceSPatrick McHardy struct nft_ctx ctx; 3991081d11bSPablo Neira Ayuso char data[0]; 4001081d11bSPablo Neira Ayuso }; 4011081d11bSPablo Neira Ayuso 4021081d11bSPablo Neira Ayuso struct nft_trans_rule { 4030628b123SPablo Neira Ayuso struct nft_rule *rule; 4040628b123SPablo Neira Ayuso }; 4050628b123SPablo Neira Ayuso 4061081d11bSPablo Neira Ayuso #define nft_trans_rule(trans) \ 4071081d11bSPablo Neira Ayuso (((struct nft_trans_rule *)trans->data)->rule) 4081081d11bSPablo Neira Ayuso 40996518518SPatrick McHardy static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 41096518518SPatrick McHardy { 41196518518SPatrick McHardy return (struct nft_expr *)&rule->data[0]; 41296518518SPatrick McHardy } 41396518518SPatrick McHardy 41496518518SPatrick McHardy static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 41596518518SPatrick McHardy { 41696518518SPatrick McHardy return ((void *)expr) + expr->ops->size; 41796518518SPatrick McHardy } 41896518518SPatrick McHardy 41996518518SPatrick McHardy static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 42096518518SPatrick McHardy { 42196518518SPatrick McHardy return (struct nft_expr *)&rule->data[rule->dlen]; 42296518518SPatrick McHardy } 42396518518SPatrick McHardy 4240768b3b3SPablo Neira Ayuso static inline void *nft_userdata(const struct nft_rule *rule) 4250768b3b3SPablo Neira Ayuso { 4260768b3b3SPablo Neira Ayuso return (void *)&rule->data[rule->dlen]; 4270768b3b3SPablo Neira Ayuso } 4280768b3b3SPablo Neira Ayuso 42996518518SPatrick McHardy /* 43096518518SPatrick McHardy * The last pointer isn't really necessary, but the compiler isn't able to 43196518518SPatrick McHardy * determine that the result of nft_expr_last() is always the same since it 43296518518SPatrick McHardy * can't assume that the dlen value wasn't changed within calls in the loop. 43396518518SPatrick McHardy */ 43496518518SPatrick McHardy #define nft_rule_for_each_expr(expr, last, rule) \ 43596518518SPatrick McHardy for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 43696518518SPatrick McHardy (expr) != (last); \ 43796518518SPatrick McHardy (expr) = nft_expr_next(expr)) 43896518518SPatrick McHardy 43996518518SPatrick McHardy enum nft_chain_flags { 44096518518SPatrick McHardy NFT_BASE_CHAIN = 0x1, 44196518518SPatrick McHardy }; 44296518518SPatrick McHardy 44396518518SPatrick McHardy /** 44496518518SPatrick McHardy * struct nft_chain - nf_tables chain 44596518518SPatrick McHardy * 44696518518SPatrick McHardy * @rules: list of rules in the chain 44796518518SPatrick McHardy * @list: used internally 4480628b123SPablo Neira Ayuso * @net: net namespace that this chain belongs to 449b5bc89bfSPablo Neira Ayuso * @table: table that this chain belongs to 45096518518SPatrick McHardy * @handle: chain handle 45196518518SPatrick McHardy * @flags: bitmask of enum nft_chain_flags 45296518518SPatrick McHardy * @use: number of jump references to this chain 45396518518SPatrick McHardy * @level: length of longest path to this chain 45496518518SPatrick McHardy * @name: name of the chain 45596518518SPatrick McHardy */ 45696518518SPatrick McHardy struct nft_chain { 45796518518SPatrick McHardy struct list_head rules; 45896518518SPatrick McHardy struct list_head list; 4590628b123SPablo Neira Ayuso struct net *net; 460b5bc89bfSPablo Neira Ayuso struct nft_table *table; 46196518518SPatrick McHardy u64 handle; 46296518518SPatrick McHardy u8 flags; 46396518518SPatrick McHardy u16 use; 46496518518SPatrick McHardy u16 level; 46596518518SPatrick McHardy char name[NFT_CHAIN_MAXNAMELEN]; 46696518518SPatrick McHardy }; 46796518518SPatrick McHardy 4689370761cSPablo Neira Ayuso enum nft_chain_type { 4699370761cSPablo Neira Ayuso NFT_CHAIN_T_DEFAULT = 0, 4709370761cSPablo Neira Ayuso NFT_CHAIN_T_ROUTE, 4719370761cSPablo Neira Ayuso NFT_CHAIN_T_NAT, 4729370761cSPablo Neira Ayuso NFT_CHAIN_T_MAX 4739370761cSPablo Neira Ayuso }; 4749370761cSPablo Neira Ayuso 4750ca743a5SPablo Neira Ayuso struct nft_stats { 4760ca743a5SPablo Neira Ayuso u64 bytes; 4770ca743a5SPablo Neira Ayuso u64 pkts; 4780ca743a5SPablo Neira Ayuso }; 4790ca743a5SPablo Neira Ayuso 480115a60b1SPatrick McHardy #define NFT_HOOK_OPS_MAX 2 481115a60b1SPatrick McHardy 48296518518SPatrick McHardy /** 48396518518SPatrick McHardy * struct nft_base_chain - nf_tables base chain 48496518518SPatrick McHardy * 48596518518SPatrick McHardy * @ops: netfilter hook ops 4869370761cSPablo Neira Ayuso * @type: chain type 4870ca743a5SPablo Neira Ayuso * @policy: default policy 4880ca743a5SPablo Neira Ayuso * @stats: per-cpu chain stats 48996518518SPatrick McHardy * @chain: the chain 49096518518SPatrick McHardy */ 49196518518SPatrick McHardy struct nft_base_chain { 492115a60b1SPatrick McHardy struct nf_hook_ops ops[NFT_HOOK_OPS_MAX]; 4932a37d755SPatrick McHardy const struct nf_chain_type *type; 4940ca743a5SPablo Neira Ayuso u8 policy; 4950ca743a5SPablo Neira Ayuso struct nft_stats __percpu *stats; 49696518518SPatrick McHardy struct nft_chain chain; 49796518518SPatrick McHardy }; 49896518518SPatrick McHardy 49996518518SPatrick McHardy static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 50096518518SPatrick McHardy { 50196518518SPatrick McHardy return container_of(chain, struct nft_base_chain, chain); 50296518518SPatrick McHardy } 50396518518SPatrick McHardy 5043876d22dSPatrick McHardy unsigned int nft_do_chain(struct nft_pktinfo *pkt, 5050ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops); 50696518518SPatrick McHardy 50796518518SPatrick McHardy /** 50896518518SPatrick McHardy * struct nft_table - nf_tables table 50996518518SPatrick McHardy * 51096518518SPatrick McHardy * @list: used internally 51196518518SPatrick McHardy * @chains: chains in the table 51296518518SPatrick McHardy * @sets: sets in the table 51396518518SPatrick McHardy * @hgenerator: handle generator state 51496518518SPatrick McHardy * @use: number of chain references to this table 51596518518SPatrick McHardy * @flags: table flag (see enum nft_table_flags) 51696518518SPatrick McHardy * @name: name of the table 51796518518SPatrick McHardy */ 51896518518SPatrick McHardy struct nft_table { 51996518518SPatrick McHardy struct list_head list; 52096518518SPatrick McHardy struct list_head chains; 52196518518SPatrick McHardy struct list_head sets; 52296518518SPatrick McHardy u64 hgenerator; 52396518518SPatrick McHardy u32 use; 52496518518SPatrick McHardy u16 flags; 52596518518SPatrick McHardy char name[]; 52696518518SPatrick McHardy }; 52796518518SPatrick McHardy 52896518518SPatrick McHardy /** 52996518518SPatrick McHardy * struct nft_af_info - nf_tables address family info 53096518518SPatrick McHardy * 53196518518SPatrick McHardy * @list: used internally 53296518518SPatrick McHardy * @family: address family 53396518518SPatrick McHardy * @nhooks: number of hooks in this family 53496518518SPatrick McHardy * @owner: module owner 53596518518SPatrick McHardy * @tables: used internally 536115a60b1SPatrick McHardy * @nops: number of hook ops in this family 537115a60b1SPatrick McHardy * @hook_ops_init: initialization function for chain hook ops 53896518518SPatrick McHardy * @hooks: hookfn overrides for packet validation 53996518518SPatrick McHardy */ 54096518518SPatrick McHardy struct nft_af_info { 54196518518SPatrick McHardy struct list_head list; 54296518518SPatrick McHardy int family; 54396518518SPatrick McHardy unsigned int nhooks; 54496518518SPatrick McHardy struct module *owner; 54596518518SPatrick McHardy struct list_head tables; 546115a60b1SPatrick McHardy unsigned int nops; 547115a60b1SPatrick McHardy void (*hook_ops_init)(struct nf_hook_ops *, 548115a60b1SPatrick McHardy unsigned int); 54996518518SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 55096518518SPatrick McHardy }; 55196518518SPatrick McHardy 5525eccdfaaSJoe Perches int nft_register_afinfo(struct net *, struct nft_af_info *); 5535eccdfaaSJoe Perches void nft_unregister_afinfo(struct nft_af_info *); 55496518518SPatrick McHardy 555fa2c1de0SPatrick McHardy /** 556fa2c1de0SPatrick McHardy * struct nf_chain_type - nf_tables chain type info 557fa2c1de0SPatrick McHardy * 558fa2c1de0SPatrick McHardy * @name: name of the type 559fa2c1de0SPatrick McHardy * @type: numeric identifier 560fa2c1de0SPatrick McHardy * @family: address family 561fa2c1de0SPatrick McHardy * @owner: module owner 562fa2c1de0SPatrick McHardy * @hook_mask: mask of valid hooks 563fa2c1de0SPatrick McHardy * @hooks: hookfn overrides 564fa2c1de0SPatrick McHardy */ 5659370761cSPablo Neira Ayuso struct nf_chain_type { 5669370761cSPablo Neira Ayuso const char *name; 5679370761cSPablo Neira Ayuso enum nft_chain_type type; 5689370761cSPablo Neira Ayuso int family; 569fa2c1de0SPatrick McHardy struct module *owner; 570fa2c1de0SPatrick McHardy unsigned int hook_mask; 571fa2c1de0SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 5729370761cSPablo Neira Ayuso }; 5739370761cSPablo Neira Ayuso 5742a37d755SPatrick McHardy int nft_register_chain_type(const struct nf_chain_type *); 5752a37d755SPatrick McHardy void nft_unregister_chain_type(const struct nf_chain_type *); 57696518518SPatrick McHardy 5775eccdfaaSJoe Perches int nft_register_expr(struct nft_expr_type *); 5785eccdfaaSJoe Perches void nft_unregister_expr(struct nft_expr_type *); 57996518518SPatrick McHardy 58067a8fc27SPatrick McHardy #define nft_dereference(p) \ 58167a8fc27SPatrick McHardy nfnl_dereference(p, NFNL_SUBSYS_NFTABLES) 58267a8fc27SPatrick McHardy 58396518518SPatrick McHardy #define MODULE_ALIAS_NFT_FAMILY(family) \ 58496518518SPatrick McHardy MODULE_ALIAS("nft-afinfo-" __stringify(family)) 58596518518SPatrick McHardy 5869370761cSPablo Neira Ayuso #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 5879370761cSPablo Neira Ayuso MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 58896518518SPatrick McHardy 58964d46806SPatrick McHardy #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 59064d46806SPatrick McHardy MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 59164d46806SPatrick McHardy 59296518518SPatrick McHardy #define MODULE_ALIAS_NFT_EXPR(name) \ 59396518518SPatrick McHardy MODULE_ALIAS("nft-expr-" name) 59496518518SPatrick McHardy 59520a69341SPatrick McHardy #define MODULE_ALIAS_NFT_SET() \ 59620a69341SPatrick McHardy MODULE_ALIAS("nft-set") 59720a69341SPatrick McHardy 59896518518SPatrick McHardy #endif /* _NET_NF_TABLES_H */ 599