196518518SPatrick McHardy #ifndef _NET_NF_TABLES_H 296518518SPatrick McHardy #define _NET_NF_TABLES_H 396518518SPatrick McHardy 496518518SPatrick McHardy #include <linux/list.h> 596518518SPatrick McHardy #include <linux/netfilter.h> 667a8fc27SPatrick McHardy #include <linux/netfilter/nfnetlink.h> 70ca743a5SPablo Neira Ayuso #include <linux/netfilter/x_tables.h> 896518518SPatrick McHardy #include <linux/netfilter/nf_tables.h> 996518518SPatrick McHardy #include <net/netlink.h> 1096518518SPatrick McHardy 1120a69341SPatrick McHardy #define NFT_JUMP_STACK_SIZE 16 1220a69341SPatrick McHardy 1396518518SPatrick McHardy struct nft_pktinfo { 1496518518SPatrick McHardy struct sk_buff *skb; 1596518518SPatrick McHardy const struct net_device *in; 1696518518SPatrick McHardy const struct net_device *out; 17c9484874SPatrick McHardy const struct nf_hook_ops *ops; 1896518518SPatrick McHardy u8 nhoff; 1996518518SPatrick McHardy u8 thoff; 204566bf27SPatrick McHardy u8 tprot; 210ca743a5SPablo Neira Ayuso /* for x_tables compatibility */ 220ca743a5SPablo Neira Ayuso struct xt_action_param xt; 2396518518SPatrick McHardy }; 2496518518SPatrick McHardy 250ca743a5SPablo Neira Ayuso static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 260ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops, 270ca743a5SPablo Neira Ayuso struct sk_buff *skb, 280ca743a5SPablo Neira Ayuso const struct net_device *in, 290ca743a5SPablo Neira Ayuso const struct net_device *out) 300ca743a5SPablo Neira Ayuso { 310ca743a5SPablo Neira Ayuso pkt->skb = skb; 320ca743a5SPablo Neira Ayuso pkt->in = pkt->xt.in = in; 330ca743a5SPablo Neira Ayuso pkt->out = pkt->xt.out = out; 34c9484874SPatrick McHardy pkt->ops = ops; 35c9484874SPatrick McHardy pkt->xt.hooknum = ops->hooknum; 360ca743a5SPablo Neira Ayuso pkt->xt.family = ops->pf; 370ca743a5SPablo Neira Ayuso } 380ca743a5SPablo Neira Ayuso 3996518518SPatrick McHardy struct nft_data { 4096518518SPatrick McHardy union { 4196518518SPatrick McHardy u32 data[4]; 4296518518SPatrick McHardy struct { 4396518518SPatrick McHardy u32 verdict; 4496518518SPatrick McHardy struct nft_chain *chain; 4596518518SPatrick McHardy }; 4696518518SPatrick McHardy }; 4796518518SPatrick McHardy } __attribute__((aligned(__alignof__(u64)))); 4896518518SPatrick McHardy 4996518518SPatrick McHardy static inline int nft_data_cmp(const struct nft_data *d1, 5096518518SPatrick McHardy const struct nft_data *d2, 5196518518SPatrick McHardy unsigned int len) 5296518518SPatrick McHardy { 5396518518SPatrick McHardy return memcmp(d1->data, d2->data, len); 5496518518SPatrick McHardy } 5596518518SPatrick McHardy 5696518518SPatrick McHardy static inline void nft_data_copy(struct nft_data *dst, 5796518518SPatrick McHardy const struct nft_data *src) 5896518518SPatrick McHardy { 5996518518SPatrick McHardy BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64)); 6096518518SPatrick McHardy *(u64 *)&dst->data[0] = *(u64 *)&src->data[0]; 6196518518SPatrick McHardy *(u64 *)&dst->data[2] = *(u64 *)&src->data[2]; 6296518518SPatrick McHardy } 6396518518SPatrick McHardy 6496518518SPatrick McHardy static inline void nft_data_debug(const struct nft_data *data) 6596518518SPatrick McHardy { 6696518518SPatrick McHardy pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 6796518518SPatrick McHardy data->data[0], data->data[1], 6896518518SPatrick McHardy data->data[2], data->data[3]); 6996518518SPatrick McHardy } 7096518518SPatrick McHardy 7196518518SPatrick McHardy /** 7220a69341SPatrick McHardy * struct nft_ctx - nf_tables rule/set context 7396518518SPatrick McHardy * 7499633ab2SPablo Neira Ayuso * @net: net namespace 7520a69341SPatrick McHardy * @skb: netlink skb 7620a69341SPatrick McHardy * @nlh: netlink message header 7796518518SPatrick McHardy * @afi: address family info 7896518518SPatrick McHardy * @table: the table the chain is contained in 7996518518SPatrick McHardy * @chain: the chain the rule is contained in 800ca743a5SPablo Neira Ayuso * @nla: netlink attributes 8196518518SPatrick McHardy */ 8296518518SPatrick McHardy struct nft_ctx { 8399633ab2SPablo Neira Ayuso struct net *net; 8420a69341SPatrick McHardy const struct sk_buff *skb; 8520a69341SPatrick McHardy const struct nlmsghdr *nlh; 867c95f6d8SPablo Neira Ayuso struct nft_af_info *afi; 877c95f6d8SPablo Neira Ayuso struct nft_table *table; 887c95f6d8SPablo Neira Ayuso struct nft_chain *chain; 890ca743a5SPablo Neira Ayuso const struct nlattr * const *nla; 9096518518SPatrick McHardy }; 9196518518SPatrick McHardy 9296518518SPatrick McHardy struct nft_data_desc { 9396518518SPatrick McHardy enum nft_data_types type; 9496518518SPatrick McHardy unsigned int len; 9596518518SPatrick McHardy }; 9696518518SPatrick McHardy 975eccdfaaSJoe Perches int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 9896518518SPatrick McHardy struct nft_data_desc *desc, const struct nlattr *nla); 995eccdfaaSJoe Perches void nft_data_uninit(const struct nft_data *data, enum nft_data_types type); 1005eccdfaaSJoe Perches int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 10196518518SPatrick McHardy enum nft_data_types type, unsigned int len); 10296518518SPatrick McHardy 10396518518SPatrick McHardy static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 10496518518SPatrick McHardy { 10596518518SPatrick McHardy return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 10696518518SPatrick McHardy } 10796518518SPatrick McHardy 10820a69341SPatrick McHardy static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 10920a69341SPatrick McHardy { 11020a69341SPatrick McHardy return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1; 11120a69341SPatrick McHardy } 11220a69341SPatrick McHardy 1135eccdfaaSJoe Perches int nft_validate_input_register(enum nft_registers reg); 1145eccdfaaSJoe Perches int nft_validate_output_register(enum nft_registers reg); 1155eccdfaaSJoe Perches int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg, 11696518518SPatrick McHardy const struct nft_data *data, 11796518518SPatrick McHardy enum nft_data_types type); 11896518518SPatrick McHardy 11996518518SPatrick McHardy /** 12020a69341SPatrick McHardy * struct nft_set_elem - generic representation of set elements 12120a69341SPatrick McHardy * 12220a69341SPatrick McHardy * @cookie: implementation specific element cookie 12320a69341SPatrick McHardy * @key: element key 12420a69341SPatrick McHardy * @data: element data (maps only) 12520a69341SPatrick McHardy * @flags: element flags (end of interval) 12620a69341SPatrick McHardy * 12720a69341SPatrick McHardy * The cookie can be used to store a handle to the element for subsequent 12820a69341SPatrick McHardy * removal. 12920a69341SPatrick McHardy */ 13020a69341SPatrick McHardy struct nft_set_elem { 13120a69341SPatrick McHardy void *cookie; 13220a69341SPatrick McHardy struct nft_data key; 13320a69341SPatrick McHardy struct nft_data data; 13420a69341SPatrick McHardy u32 flags; 13520a69341SPatrick McHardy }; 13620a69341SPatrick McHardy 13720a69341SPatrick McHardy struct nft_set; 13820a69341SPatrick McHardy struct nft_set_iter { 13920a69341SPatrick McHardy unsigned int count; 14020a69341SPatrick McHardy unsigned int skip; 14120a69341SPatrick McHardy int err; 14220a69341SPatrick McHardy int (*fn)(const struct nft_ctx *ctx, 14320a69341SPatrick McHardy const struct nft_set *set, 14420a69341SPatrick McHardy const struct nft_set_iter *iter, 14520a69341SPatrick McHardy const struct nft_set_elem *elem); 14620a69341SPatrick McHardy }; 14720a69341SPatrick McHardy 14820a69341SPatrick McHardy /** 149c50b960cSPatrick McHardy * struct nft_set_desc - description of set elements 150c50b960cSPatrick McHardy * 151c50b960cSPatrick McHardy * @klen: key length 152c50b960cSPatrick McHardy * @dlen: data length 153c50b960cSPatrick McHardy * @size: number of set elements 154c50b960cSPatrick McHardy */ 155c50b960cSPatrick McHardy struct nft_set_desc { 156c50b960cSPatrick McHardy unsigned int klen; 157c50b960cSPatrick McHardy unsigned int dlen; 158c50b960cSPatrick McHardy unsigned int size; 159c50b960cSPatrick McHardy }; 160c50b960cSPatrick McHardy 161c50b960cSPatrick McHardy /** 162c50b960cSPatrick McHardy * enum nft_set_class - performance class 163c50b960cSPatrick McHardy * 164c50b960cSPatrick McHardy * @NFT_LOOKUP_O_1: constant, O(1) 165c50b960cSPatrick McHardy * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 166c50b960cSPatrick McHardy * @NFT_LOOKUP_O_N: linear, O(N) 167c50b960cSPatrick McHardy */ 168c50b960cSPatrick McHardy enum nft_set_class { 169c50b960cSPatrick McHardy NFT_SET_CLASS_O_1, 170c50b960cSPatrick McHardy NFT_SET_CLASS_O_LOG_N, 171c50b960cSPatrick McHardy NFT_SET_CLASS_O_N, 172c50b960cSPatrick McHardy }; 173c50b960cSPatrick McHardy 174c50b960cSPatrick McHardy /** 175c50b960cSPatrick McHardy * struct nft_set_estimate - estimation of memory and performance 176c50b960cSPatrick McHardy * characteristics 177c50b960cSPatrick McHardy * 178c50b960cSPatrick McHardy * @size: required memory 179c50b960cSPatrick McHardy * @class: lookup performance class 180c50b960cSPatrick McHardy */ 181c50b960cSPatrick McHardy struct nft_set_estimate { 182c50b960cSPatrick McHardy unsigned int size; 183c50b960cSPatrick McHardy enum nft_set_class class; 184c50b960cSPatrick McHardy }; 185c50b960cSPatrick McHardy 186c50b960cSPatrick McHardy /** 18720a69341SPatrick McHardy * struct nft_set_ops - nf_tables set operations 18820a69341SPatrick McHardy * 18920a69341SPatrick McHardy * @lookup: look up an element within the set 19020a69341SPatrick McHardy * @insert: insert new element into set 19120a69341SPatrick McHardy * @remove: remove element from set 19220a69341SPatrick McHardy * @walk: iterate over all set elemeennts 19320a69341SPatrick McHardy * @privsize: function to return size of set private data 19420a69341SPatrick McHardy * @init: initialize private data of new set instance 19520a69341SPatrick McHardy * @destroy: destroy private data of set instance 19620a69341SPatrick McHardy * @list: nf_tables_set_ops list node 19720a69341SPatrick McHardy * @owner: module reference 19820a69341SPatrick McHardy * @features: features supported by the implementation 19920a69341SPatrick McHardy */ 20020a69341SPatrick McHardy struct nft_set_ops { 20120a69341SPatrick McHardy bool (*lookup)(const struct nft_set *set, 20220a69341SPatrick McHardy const struct nft_data *key, 20320a69341SPatrick McHardy struct nft_data *data); 20420a69341SPatrick McHardy int (*get)(const struct nft_set *set, 20520a69341SPatrick McHardy struct nft_set_elem *elem); 20620a69341SPatrick McHardy int (*insert)(const struct nft_set *set, 20720a69341SPatrick McHardy const struct nft_set_elem *elem); 20820a69341SPatrick McHardy void (*remove)(const struct nft_set *set, 20920a69341SPatrick McHardy const struct nft_set_elem *elem); 21020a69341SPatrick McHardy void (*walk)(const struct nft_ctx *ctx, 21120a69341SPatrick McHardy const struct nft_set *set, 21220a69341SPatrick McHardy struct nft_set_iter *iter); 21320a69341SPatrick McHardy 21420a69341SPatrick McHardy unsigned int (*privsize)(const struct nlattr * const nla[]); 215c50b960cSPatrick McHardy bool (*estimate)(const struct nft_set_desc *desc, 216c50b960cSPatrick McHardy u32 features, 217c50b960cSPatrick McHardy struct nft_set_estimate *est); 21820a69341SPatrick McHardy int (*init)(const struct nft_set *set, 219c50b960cSPatrick McHardy const struct nft_set_desc *desc, 22020a69341SPatrick McHardy const struct nlattr * const nla[]); 22120a69341SPatrick McHardy void (*destroy)(const struct nft_set *set); 22220a69341SPatrick McHardy 22320a69341SPatrick McHardy struct list_head list; 22420a69341SPatrick McHardy struct module *owner; 22520a69341SPatrick McHardy u32 features; 22620a69341SPatrick McHardy }; 22720a69341SPatrick McHardy 2285eccdfaaSJoe Perches int nft_register_set(struct nft_set_ops *ops); 2295eccdfaaSJoe Perches void nft_unregister_set(struct nft_set_ops *ops); 23020a69341SPatrick McHardy 23120a69341SPatrick McHardy /** 23220a69341SPatrick McHardy * struct nft_set - nf_tables set instance 23320a69341SPatrick McHardy * 23420a69341SPatrick McHardy * @list: table set list node 23520a69341SPatrick McHardy * @bindings: list of set bindings 23620a69341SPatrick McHardy * @name: name of the set 23720a69341SPatrick McHardy * @ktype: key type (numeric type defined by userspace, not used in the kernel) 23820a69341SPatrick McHardy * @dtype: data type (verdict or numeric type defined by userspace) 239c50b960cSPatrick McHardy * @size: maximum set size 240c50b960cSPatrick McHardy * @nelems: number of elements 24120a69341SPatrick McHardy * @ops: set ops 24220a69341SPatrick McHardy * @flags: set flags 24320a69341SPatrick McHardy * @klen: key length 24420a69341SPatrick McHardy * @dlen: data length 24520a69341SPatrick McHardy * @data: private set data 24620a69341SPatrick McHardy */ 24720a69341SPatrick McHardy struct nft_set { 24820a69341SPatrick McHardy struct list_head list; 24920a69341SPatrick McHardy struct list_head bindings; 25020a69341SPatrick McHardy char name[IFNAMSIZ]; 25120a69341SPatrick McHardy u32 ktype; 25220a69341SPatrick McHardy u32 dtype; 253c50b960cSPatrick McHardy u32 size; 254c50b960cSPatrick McHardy u32 nelems; 25520a69341SPatrick McHardy /* runtime data below here */ 25620a69341SPatrick McHardy const struct nft_set_ops *ops ____cacheline_aligned; 25720a69341SPatrick McHardy u16 flags; 25820a69341SPatrick McHardy u8 klen; 25920a69341SPatrick McHardy u8 dlen; 26020a69341SPatrick McHardy unsigned char data[] 26120a69341SPatrick McHardy __attribute__((aligned(__alignof__(u64)))); 26220a69341SPatrick McHardy }; 26320a69341SPatrick McHardy 26420a69341SPatrick McHardy static inline void *nft_set_priv(const struct nft_set *set) 26520a69341SPatrick McHardy { 26620a69341SPatrick McHardy return (void *)set->data; 26720a69341SPatrick McHardy } 26820a69341SPatrick McHardy 2695eccdfaaSJoe Perches struct nft_set *nf_tables_set_lookup(const struct nft_table *table, 27020a69341SPatrick McHardy const struct nlattr *nla); 271958bee14SPablo Neira Ayuso struct nft_set *nf_tables_set_lookup_byid(const struct net *net, 272958bee14SPablo Neira Ayuso const struct nlattr *nla); 27320a69341SPatrick McHardy 27420a69341SPatrick McHardy /** 27520a69341SPatrick McHardy * struct nft_set_binding - nf_tables set binding 27620a69341SPatrick McHardy * 27720a69341SPatrick McHardy * @list: set bindings list node 27820a69341SPatrick McHardy * @chain: chain containing the rule bound to the set 27920a69341SPatrick McHardy * 28020a69341SPatrick McHardy * A set binding contains all information necessary for validation 28120a69341SPatrick McHardy * of new elements added to a bound set. 28220a69341SPatrick McHardy */ 28320a69341SPatrick McHardy struct nft_set_binding { 28420a69341SPatrick McHardy struct list_head list; 28520a69341SPatrick McHardy const struct nft_chain *chain; 28620a69341SPatrick McHardy }; 28720a69341SPatrick McHardy 2885eccdfaaSJoe Perches int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 28920a69341SPatrick McHardy struct nft_set_binding *binding); 2905eccdfaaSJoe Perches void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 29120a69341SPatrick McHardy struct nft_set_binding *binding); 29220a69341SPatrick McHardy 293ef1f7df9SPatrick McHardy 29420a69341SPatrick McHardy /** 295ef1f7df9SPatrick McHardy * struct nft_expr_type - nf_tables expression type 29696518518SPatrick McHardy * 297ef1f7df9SPatrick McHardy * @select_ops: function to select nft_expr_ops 298ef1f7df9SPatrick McHardy * @ops: default ops, used when no select_ops functions is present 29996518518SPatrick McHardy * @list: used internally 30096518518SPatrick McHardy * @name: Identifier 30196518518SPatrick McHardy * @owner: module reference 30296518518SPatrick McHardy * @policy: netlink attribute policy 30396518518SPatrick McHardy * @maxattr: highest netlink attribute number 30464d46806SPatrick McHardy * @family: address family for AF-specific types 305ef1f7df9SPatrick McHardy */ 306ef1f7df9SPatrick McHardy struct nft_expr_type { 3070ca743a5SPablo Neira Ayuso const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 3080ca743a5SPablo Neira Ayuso const struct nlattr * const tb[]); 309ef1f7df9SPatrick McHardy const struct nft_expr_ops *ops; 310ef1f7df9SPatrick McHardy struct list_head list; 311ef1f7df9SPatrick McHardy const char *name; 312ef1f7df9SPatrick McHardy struct module *owner; 313ef1f7df9SPatrick McHardy const struct nla_policy *policy; 314ef1f7df9SPatrick McHardy unsigned int maxattr; 31564d46806SPatrick McHardy u8 family; 316ef1f7df9SPatrick McHardy }; 317ef1f7df9SPatrick McHardy 318ef1f7df9SPatrick McHardy /** 319ef1f7df9SPatrick McHardy * struct nft_expr_ops - nf_tables expression operations 320ef1f7df9SPatrick McHardy * 321ef1f7df9SPatrick McHardy * @eval: Expression evaluation function 32296518518SPatrick McHardy * @size: full expression size, including private data size 323ef1f7df9SPatrick McHardy * @init: initialization function 324ef1f7df9SPatrick McHardy * @destroy: destruction function 325ef1f7df9SPatrick McHardy * @dump: function to dump parameters 326ef1f7df9SPatrick McHardy * @type: expression type 3270ca743a5SPablo Neira Ayuso * @validate: validate expression, called during loop detection 3280ca743a5SPablo Neira Ayuso * @data: extra data to attach to this expression operation 32996518518SPatrick McHardy */ 33096518518SPatrick McHardy struct nft_expr; 33196518518SPatrick McHardy struct nft_expr_ops { 33296518518SPatrick McHardy void (*eval)(const struct nft_expr *expr, 33396518518SPatrick McHardy struct nft_data data[NFT_REG_MAX + 1], 33496518518SPatrick McHardy const struct nft_pktinfo *pkt); 335ef1f7df9SPatrick McHardy unsigned int size; 336ef1f7df9SPatrick McHardy 33796518518SPatrick McHardy int (*init)(const struct nft_ctx *ctx, 33896518518SPatrick McHardy const struct nft_expr *expr, 33996518518SPatrick McHardy const struct nlattr * const tb[]); 34062472bceSPatrick McHardy void (*destroy)(const struct nft_ctx *ctx, 34162472bceSPatrick McHardy const struct nft_expr *expr); 34296518518SPatrick McHardy int (*dump)(struct sk_buff *skb, 34396518518SPatrick McHardy const struct nft_expr *expr); 3440ca743a5SPablo Neira Ayuso int (*validate)(const struct nft_ctx *ctx, 3450ca743a5SPablo Neira Ayuso const struct nft_expr *expr, 3460ca743a5SPablo Neira Ayuso const struct nft_data **data); 347ef1f7df9SPatrick McHardy const struct nft_expr_type *type; 3480ca743a5SPablo Neira Ayuso void *data; 34996518518SPatrick McHardy }; 35096518518SPatrick McHardy 351ef1f7df9SPatrick McHardy #define NFT_EXPR_MAXATTR 16 35296518518SPatrick McHardy #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 35396518518SPatrick McHardy ALIGN(size, __alignof__(struct nft_expr))) 35496518518SPatrick McHardy 35596518518SPatrick McHardy /** 35696518518SPatrick McHardy * struct nft_expr - nf_tables expression 35796518518SPatrick McHardy * 35896518518SPatrick McHardy * @ops: expression ops 35996518518SPatrick McHardy * @data: expression private data 36096518518SPatrick McHardy */ 36196518518SPatrick McHardy struct nft_expr { 36296518518SPatrick McHardy const struct nft_expr_ops *ops; 36396518518SPatrick McHardy unsigned char data[]; 36496518518SPatrick McHardy }; 36596518518SPatrick McHardy 36696518518SPatrick McHardy static inline void *nft_expr_priv(const struct nft_expr *expr) 36796518518SPatrick McHardy { 36896518518SPatrick McHardy return (void *)expr->data; 36996518518SPatrick McHardy } 37096518518SPatrick McHardy 37196518518SPatrick McHardy /** 37296518518SPatrick McHardy * struct nft_rule - nf_tables rule 37396518518SPatrick McHardy * 37496518518SPatrick McHardy * @list: used internally 37596518518SPatrick McHardy * @handle: rule handle 3760628b123SPablo Neira Ayuso * @genmask: generation mask 37796518518SPatrick McHardy * @dlen: length of expression data 3780768b3b3SPablo Neira Ayuso * @ulen: length of user data (used for comments) 37996518518SPatrick McHardy * @data: expression data 38096518518SPatrick McHardy */ 38196518518SPatrick McHardy struct nft_rule { 38296518518SPatrick McHardy struct list_head list; 3830768b3b3SPablo Neira Ayuso u64 handle:42, 3840628b123SPablo Neira Ayuso genmask:2, 3850768b3b3SPablo Neira Ayuso dlen:12, 3860768b3b3SPablo Neira Ayuso ulen:8; 38796518518SPatrick McHardy unsigned char data[] 38896518518SPatrick McHardy __attribute__((aligned(__alignof__(struct nft_expr)))); 38996518518SPatrick McHardy }; 39096518518SPatrick McHardy 3910628b123SPablo Neira Ayuso /** 3921081d11bSPablo Neira Ayuso * struct nft_trans - nf_tables object update in transaction 3930628b123SPablo Neira Ayuso * 3940628b123SPablo Neira Ayuso * @list: used internally 395b380e5c7SPablo Neira Ayuso * @msg_type: message type 3961081d11bSPablo Neira Ayuso * @ctx: transaction context 3971081d11bSPablo Neira Ayuso * @data: internal information related to the transaction 3980628b123SPablo Neira Ayuso */ 3991081d11bSPablo Neira Ayuso struct nft_trans { 4000628b123SPablo Neira Ayuso struct list_head list; 401b380e5c7SPablo Neira Ayuso int msg_type; 40262472bceSPatrick McHardy struct nft_ctx ctx; 4031081d11bSPablo Neira Ayuso char data[0]; 4041081d11bSPablo Neira Ayuso }; 4051081d11bSPablo Neira Ayuso 4061081d11bSPablo Neira Ayuso struct nft_trans_rule { 4070628b123SPablo Neira Ayuso struct nft_rule *rule; 4080628b123SPablo Neira Ayuso }; 4090628b123SPablo Neira Ayuso 4101081d11bSPablo Neira Ayuso #define nft_trans_rule(trans) \ 4111081d11bSPablo Neira Ayuso (((struct nft_trans_rule *)trans->data)->rule) 4121081d11bSPablo Neira Ayuso 413958bee14SPablo Neira Ayuso struct nft_trans_set { 414958bee14SPablo Neira Ayuso struct nft_set *set; 415958bee14SPablo Neira Ayuso u32 set_id; 416958bee14SPablo Neira Ayuso }; 417958bee14SPablo Neira Ayuso 418958bee14SPablo Neira Ayuso #define nft_trans_set(trans) \ 419958bee14SPablo Neira Ayuso (((struct nft_trans_set *)trans->data)->set) 420958bee14SPablo Neira Ayuso #define nft_trans_set_id(trans) \ 421958bee14SPablo Neira Ayuso (((struct nft_trans_set *)trans->data)->set_id) 422958bee14SPablo Neira Ayuso 42391c7b38dSPablo Neira Ayuso struct nft_trans_chain { 42491c7b38dSPablo Neira Ayuso bool update; 42591c7b38dSPablo Neira Ayuso char name[NFT_CHAIN_MAXNAMELEN]; 42691c7b38dSPablo Neira Ayuso struct nft_stats __percpu *stats; 42791c7b38dSPablo Neira Ayuso u8 policy; 42891c7b38dSPablo Neira Ayuso }; 42991c7b38dSPablo Neira Ayuso 43091c7b38dSPablo Neira Ayuso #define nft_trans_chain_update(trans) \ 43191c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->update) 43291c7b38dSPablo Neira Ayuso #define nft_trans_chain_name(trans) \ 43391c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->name) 43491c7b38dSPablo Neira Ayuso #define nft_trans_chain_stats(trans) \ 43591c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->stats) 43691c7b38dSPablo Neira Ayuso #define nft_trans_chain_policy(trans) \ 43791c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->policy) 43891c7b38dSPablo Neira Ayuso 43955dd6f93SPablo Neira Ayuso struct nft_trans_table { 44055dd6f93SPablo Neira Ayuso bool update; 44155dd6f93SPablo Neira Ayuso bool enable; 44255dd6f93SPablo Neira Ayuso }; 44355dd6f93SPablo Neira Ayuso 44455dd6f93SPablo Neira Ayuso #define nft_trans_table_update(trans) \ 44555dd6f93SPablo Neira Ayuso (((struct nft_trans_table *)trans->data)->update) 44655dd6f93SPablo Neira Ayuso #define nft_trans_table_enable(trans) \ 44755dd6f93SPablo Neira Ayuso (((struct nft_trans_table *)trans->data)->enable) 44855dd6f93SPablo Neira Ayuso 44996518518SPatrick McHardy static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 45096518518SPatrick McHardy { 45196518518SPatrick McHardy return (struct nft_expr *)&rule->data[0]; 45296518518SPatrick McHardy } 45396518518SPatrick McHardy 45496518518SPatrick McHardy static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 45596518518SPatrick McHardy { 45696518518SPatrick McHardy return ((void *)expr) + expr->ops->size; 45796518518SPatrick McHardy } 45896518518SPatrick McHardy 45996518518SPatrick McHardy static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 46096518518SPatrick McHardy { 46196518518SPatrick McHardy return (struct nft_expr *)&rule->data[rule->dlen]; 46296518518SPatrick McHardy } 46396518518SPatrick McHardy 4640768b3b3SPablo Neira Ayuso static inline void *nft_userdata(const struct nft_rule *rule) 4650768b3b3SPablo Neira Ayuso { 4660768b3b3SPablo Neira Ayuso return (void *)&rule->data[rule->dlen]; 4670768b3b3SPablo Neira Ayuso } 4680768b3b3SPablo Neira Ayuso 46996518518SPatrick McHardy /* 47096518518SPatrick McHardy * The last pointer isn't really necessary, but the compiler isn't able to 47196518518SPatrick McHardy * determine that the result of nft_expr_last() is always the same since it 47296518518SPatrick McHardy * can't assume that the dlen value wasn't changed within calls in the loop. 47396518518SPatrick McHardy */ 47496518518SPatrick McHardy #define nft_rule_for_each_expr(expr, last, rule) \ 47596518518SPatrick McHardy for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 47696518518SPatrick McHardy (expr) != (last); \ 47796518518SPatrick McHardy (expr) = nft_expr_next(expr)) 47896518518SPatrick McHardy 47996518518SPatrick McHardy enum nft_chain_flags { 48096518518SPatrick McHardy NFT_BASE_CHAIN = 0x1, 48191c7b38dSPablo Neira Ayuso NFT_CHAIN_INACTIVE = 0x2, 48296518518SPatrick McHardy }; 48396518518SPatrick McHardy 48496518518SPatrick McHardy /** 48596518518SPatrick McHardy * struct nft_chain - nf_tables chain 48696518518SPatrick McHardy * 48796518518SPatrick McHardy * @rules: list of rules in the chain 48896518518SPatrick McHardy * @list: used internally 4890628b123SPablo Neira Ayuso * @net: net namespace that this chain belongs to 490b5bc89bfSPablo Neira Ayuso * @table: table that this chain belongs to 49196518518SPatrick McHardy * @handle: chain handle 49296518518SPatrick McHardy * @flags: bitmask of enum nft_chain_flags 49396518518SPatrick McHardy * @use: number of jump references to this chain 49496518518SPatrick McHardy * @level: length of longest path to this chain 49596518518SPatrick McHardy * @name: name of the chain 49696518518SPatrick McHardy */ 49796518518SPatrick McHardy struct nft_chain { 49896518518SPatrick McHardy struct list_head rules; 49996518518SPatrick McHardy struct list_head list; 5000628b123SPablo Neira Ayuso struct net *net; 501b5bc89bfSPablo Neira Ayuso struct nft_table *table; 50296518518SPatrick McHardy u64 handle; 50396518518SPatrick McHardy u8 flags; 50496518518SPatrick McHardy u16 use; 50596518518SPatrick McHardy u16 level; 50696518518SPatrick McHardy char name[NFT_CHAIN_MAXNAMELEN]; 50796518518SPatrick McHardy }; 50896518518SPatrick McHardy 5099370761cSPablo Neira Ayuso enum nft_chain_type { 5109370761cSPablo Neira Ayuso NFT_CHAIN_T_DEFAULT = 0, 5119370761cSPablo Neira Ayuso NFT_CHAIN_T_ROUTE, 5129370761cSPablo Neira Ayuso NFT_CHAIN_T_NAT, 5139370761cSPablo Neira Ayuso NFT_CHAIN_T_MAX 5149370761cSPablo Neira Ayuso }; 5159370761cSPablo Neira Ayuso 5160ca743a5SPablo Neira Ayuso struct nft_stats { 5170ca743a5SPablo Neira Ayuso u64 bytes; 5180ca743a5SPablo Neira Ayuso u64 pkts; 5190ca743a5SPablo Neira Ayuso }; 5200ca743a5SPablo Neira Ayuso 521115a60b1SPatrick McHardy #define NFT_HOOK_OPS_MAX 2 522115a60b1SPatrick McHardy 52396518518SPatrick McHardy /** 52496518518SPatrick McHardy * struct nft_base_chain - nf_tables base chain 52596518518SPatrick McHardy * 52696518518SPatrick McHardy * @ops: netfilter hook ops 5279370761cSPablo Neira Ayuso * @type: chain type 5280ca743a5SPablo Neira Ayuso * @policy: default policy 5290ca743a5SPablo Neira Ayuso * @stats: per-cpu chain stats 53096518518SPatrick McHardy * @chain: the chain 53196518518SPatrick McHardy */ 53296518518SPatrick McHardy struct nft_base_chain { 533115a60b1SPatrick McHardy struct nf_hook_ops ops[NFT_HOOK_OPS_MAX]; 5342a37d755SPatrick McHardy const struct nf_chain_type *type; 5350ca743a5SPablo Neira Ayuso u8 policy; 5360ca743a5SPablo Neira Ayuso struct nft_stats __percpu *stats; 53796518518SPatrick McHardy struct nft_chain chain; 53896518518SPatrick McHardy }; 53996518518SPatrick McHardy 54096518518SPatrick McHardy static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 54196518518SPatrick McHardy { 54296518518SPatrick McHardy return container_of(chain, struct nft_base_chain, chain); 54396518518SPatrick McHardy } 54496518518SPatrick McHardy 5453876d22dSPatrick McHardy unsigned int nft_do_chain(struct nft_pktinfo *pkt, 5460ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops); 54796518518SPatrick McHardy 54896518518SPatrick McHardy /** 54996518518SPatrick McHardy * struct nft_table - nf_tables table 55096518518SPatrick McHardy * 55196518518SPatrick McHardy * @list: used internally 55296518518SPatrick McHardy * @chains: chains in the table 55396518518SPatrick McHardy * @sets: sets in the table 55496518518SPatrick McHardy * @hgenerator: handle generator state 55596518518SPatrick McHardy * @use: number of chain references to this table 55696518518SPatrick McHardy * @flags: table flag (see enum nft_table_flags) 55796518518SPatrick McHardy * @name: name of the table 55896518518SPatrick McHardy */ 55996518518SPatrick McHardy struct nft_table { 56096518518SPatrick McHardy struct list_head list; 56196518518SPatrick McHardy struct list_head chains; 56296518518SPatrick McHardy struct list_head sets; 56396518518SPatrick McHardy u64 hgenerator; 56496518518SPatrick McHardy u32 use; 56596518518SPatrick McHardy u16 flags; 56696518518SPatrick McHardy char name[]; 56796518518SPatrick McHardy }; 56896518518SPatrick McHardy 56996518518SPatrick McHardy /** 57096518518SPatrick McHardy * struct nft_af_info - nf_tables address family info 57196518518SPatrick McHardy * 57296518518SPatrick McHardy * @list: used internally 57396518518SPatrick McHardy * @family: address family 57496518518SPatrick McHardy * @nhooks: number of hooks in this family 57596518518SPatrick McHardy * @owner: module owner 57696518518SPatrick McHardy * @tables: used internally 577115a60b1SPatrick McHardy * @nops: number of hook ops in this family 578115a60b1SPatrick McHardy * @hook_ops_init: initialization function for chain hook ops 57996518518SPatrick McHardy * @hooks: hookfn overrides for packet validation 58096518518SPatrick McHardy */ 58196518518SPatrick McHardy struct nft_af_info { 58296518518SPatrick McHardy struct list_head list; 58396518518SPatrick McHardy int family; 58496518518SPatrick McHardy unsigned int nhooks; 58596518518SPatrick McHardy struct module *owner; 58696518518SPatrick McHardy struct list_head tables; 587115a60b1SPatrick McHardy unsigned int nops; 588115a60b1SPatrick McHardy void (*hook_ops_init)(struct nf_hook_ops *, 589115a60b1SPatrick McHardy unsigned int); 59096518518SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 59196518518SPatrick McHardy }; 59296518518SPatrick McHardy 5935eccdfaaSJoe Perches int nft_register_afinfo(struct net *, struct nft_af_info *); 5945eccdfaaSJoe Perches void nft_unregister_afinfo(struct nft_af_info *); 59596518518SPatrick McHardy 596fa2c1de0SPatrick McHardy /** 597fa2c1de0SPatrick McHardy * struct nf_chain_type - nf_tables chain type info 598fa2c1de0SPatrick McHardy * 599fa2c1de0SPatrick McHardy * @name: name of the type 600fa2c1de0SPatrick McHardy * @type: numeric identifier 601fa2c1de0SPatrick McHardy * @family: address family 602fa2c1de0SPatrick McHardy * @owner: module owner 603fa2c1de0SPatrick McHardy * @hook_mask: mask of valid hooks 604fa2c1de0SPatrick McHardy * @hooks: hookfn overrides 605fa2c1de0SPatrick McHardy */ 6069370761cSPablo Neira Ayuso struct nf_chain_type { 6079370761cSPablo Neira Ayuso const char *name; 6089370761cSPablo Neira Ayuso enum nft_chain_type type; 6099370761cSPablo Neira Ayuso int family; 610fa2c1de0SPatrick McHardy struct module *owner; 611fa2c1de0SPatrick McHardy unsigned int hook_mask; 612fa2c1de0SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 6139370761cSPablo Neira Ayuso }; 6149370761cSPablo Neira Ayuso 6152a37d755SPatrick McHardy int nft_register_chain_type(const struct nf_chain_type *); 6162a37d755SPatrick McHardy void nft_unregister_chain_type(const struct nf_chain_type *); 61796518518SPatrick McHardy 6185eccdfaaSJoe Perches int nft_register_expr(struct nft_expr_type *); 6195eccdfaaSJoe Perches void nft_unregister_expr(struct nft_expr_type *); 62096518518SPatrick McHardy 62167a8fc27SPatrick McHardy #define nft_dereference(p) \ 62267a8fc27SPatrick McHardy nfnl_dereference(p, NFNL_SUBSYS_NFTABLES) 62367a8fc27SPatrick McHardy 62496518518SPatrick McHardy #define MODULE_ALIAS_NFT_FAMILY(family) \ 62596518518SPatrick McHardy MODULE_ALIAS("nft-afinfo-" __stringify(family)) 62696518518SPatrick McHardy 6279370761cSPablo Neira Ayuso #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 6289370761cSPablo Neira Ayuso MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 62996518518SPatrick McHardy 63064d46806SPatrick McHardy #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 63164d46806SPatrick McHardy MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 63264d46806SPatrick McHardy 63396518518SPatrick McHardy #define MODULE_ALIAS_NFT_EXPR(name) \ 63496518518SPatrick McHardy MODULE_ALIAS("nft-expr-" name) 63596518518SPatrick McHardy 63620a69341SPatrick McHardy #define MODULE_ALIAS_NFT_SET() \ 63720a69341SPatrick McHardy MODULE_ALIAS("nft-set") 63820a69341SPatrick McHardy 63996518518SPatrick McHardy #endif /* _NET_NF_TABLES_H */ 640