#ifndef _NET_NF_TABLES_H
#define _NET_NF_TABLES_H

#include <linux/list.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netlink.h>

/* Depth of the jump stack used while evaluating chains (nesting limit). */
#define NFT_JUMP_STACK_SIZE	16

/**
 *	struct nft_pktinfo - per-packet state handed to expression evaluation
 *
 *	@skb: the packet being evaluated
 *	@in: input network device as passed to the hook
 *	@out: output network device as passed to the hook
 *	@hooknum: netfilter hook being traversed (copied from nf_hook_ops)
 *	@nhoff: network header offset (not set in this file; presumably filled
 *		in by the per-family hook code)
 *	@thoff: transport header offset (same caveat as @nhoff)
 *	@xt: mirror of the hook parameters for x_tables compatibility
 */
struct nft_pktinfo {
	struct sk_buff			*skb;
	const struct net_device		*in;
	const struct net_device		*out;
	u8				hooknum;
	u8				nhoff;
	u8				thoff;
	/* for x_tables compatibility */
	struct xt_action_param		xt;
};

/**
 *	nft_set_pktinfo - fill in the hook-level part of a struct nft_pktinfo
 *	@pkt: packet info to fill
 *	@ops: hook ops of the chain being traversed (source of hooknum and pf)
 *	@skb: packet
 *	@in: input device
 *	@out: output device
 *
 *	Each value is also written into @pkt->xt so that x_tables match/target
 *	wrappers observe the same hook parameters.  @nhoff and @thoff are not
 *	touched here.
 */
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
				   const struct nf_hook_ops *ops,
				   struct sk_buff *skb,
				   const struct net_device *in,
				   const struct net_device *out)
{
	pkt->skb = skb;
	pkt->in = pkt->xt.in = in;
	pkt->out = pkt->xt.out = out;
	pkt->hooknum = pkt->xt.hooknum = ops->hooknum;
	pkt->xt.family = ops->pf;
}

/**
 *	struct nft_data - register / set element value
 *
 *	@data: raw value, 4 x u32 (16 bytes)
 *	@verdict: verdict code; overlays data[0]
 *	@chain: chain pointer carried along with a verdict; overlays the words
 *		after @verdict
 *
 *	The struct carries no type tag: whether the union holds a plain value or
 *	a verdict with a valid @chain pointer is tracked out of band (see
 *	enum nft_data_types and nft_validate_data_load()).  The alignment
 *	attribute is what allows nft_data_copy() to move it as two u64 words.
 */
struct nft_data {
	union {
		u32				data[4];
		struct {
			u32			verdict;
			struct nft_chain	*chain;
		};
	};
} __attribute__((aligned(__alignof__(u64))));

/**
 *	nft_data_cmp - compare the leading @len bytes of two values
 *	@d1: first value
 *	@d2: second value
 *	@len: number of bytes to compare
 *
 *	Return: the memcmp() result.  @len is not checked against
 *	sizeof(d1->data) (16 bytes); callers must pass a validated length.
 */
static inline int nft_data_cmp(const struct nft_data *d1,
			       const struct nft_data *d2,
			       unsigned int len)
{
	return memcmp(d1->data, d2->data, len);
}

/**
 *	nft_data_copy - copy a whole value as two 64-bit words
 *	@dst: destination
 *	@src: source
 *
 *	The BUILD_BUG_ON pins the alignment the u64 accesses rely on.  Reading
 *	the u32 array through u64 pointers is tolerated because the kernel is
 *	built without strict-aliasing optimisations.
 */
static inline void nft_data_copy(struct nft_data *dst,
				 const struct nft_data *src)
{
	BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
	*(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
	*(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
}

/**
 *	nft_data_debug - pr_debug() the four raw words of a value in hex
 *	@data: value to print
 */
static inline void nft_data_debug(const struct nft_data *data)
{
	pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
		 data->data[0], data->data[1],
		 data->data[2], data->data[3]);
}

/**
 *	struct nft_ctx - nf_tables rule/set context
 *
 *	@net: net namespace
 *	@skb: netlink skb
 *	@nlh: netlink message header
 *	@afi: address family info
 *	@table: the table the chain is contained in
 *	@chain: the chain the rule is contained in
 *	@nla: netlink attributes
 */
struct nft_ctx {
	struct net			*net;
	const struct sk_buff		*skb;
	const struct nlmsghdr		*nlh;
	const struct nft_af_info	*afi;
	const struct nft_table		*table;
	const struct nft_chain		*chain;
	const struct nlattr * const 	*nla;
};

/**
 *	struct nft_data_desc - description of a parsed value
 *
 *	@type: data type (value or verdict)
 *	@len: length of the value in bytes
 *
 *	Passed non-const to nft_data_init(), which presumably fills it in.
 */
struct nft_data_desc {
	enum nft_data_types		type;
	unsigned int			len;
};

/*
 * nft_data_init() appears to parse a value out of netlink attribute @nla
 * into @data and describe it in @desc; nft_data_uninit() releases whatever
 * a value of @type holds; nft_data_dump() emits @data as attribute @attr.
 */
int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
		  struct nft_data_desc *desc, const struct nlattr *nla);
void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
		  enum nft_data_types type, unsigned int len);

/**
 *	nft_dreg_to_type - data type implied by a destination register
 *	@reg: destination register
 *
 *	Return: NFT_DATA_VERDICT for the verdict register, NFT_DATA_VALUE
 *	for every other register.
 */
static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
{
	return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
}

/**
 *	nft_type_to_reg - register conventionally used for a data type
 *	@type: data type
 *
 *	Return: NFT_REG_VERDICT for verdicts, NFT_REG_1 for any other type.
 */
static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
{
	return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
}

/*
 * Register validation used while parsing expressions from userspace:
 * the two register helpers check a register number, nft_validate_data_load()
 * checks that @data of @type may be loaded into @reg in context @ctx.
 */
int nft_validate_input_register(enum nft_registers reg);
int nft_validate_output_register(enum nft_registers reg);
int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
			   const struct nft_data *data,
			   enum nft_data_types type);

/**
 *	struct nft_set_elem - generic representation of set elements
 *
 *	@cookie: implementation specific element cookie
 *	@key: element key
 *	@data: element data (maps only)
 *	@flags: element flags (end of interval)
 *
 *	The cookie can be used to store a handle to the element for subsequent
 *	removal.
 */
struct nft_set_elem {
	void			*cookie;
	struct nft_data		key;
	struct nft_data		data;
	u32			flags;
};

struct nft_set;
/**
 *	struct nft_set_iter - state of a set walk (see nft_set_ops.walk)
 *
 *	@count: elements visited so far (presumably)
 *	@skip: elements to skip before calling @fn (presumably)
 *	@err: error that stopped the walk, if any
 *	@fn: callback invoked per element
 */
struct nft_set_iter {
	unsigned int	count;
	unsigned int	skip;
	int		err;
	int		(*fn)(const struct nft_ctx *ctx,
			      const struct nft_set *set,
			      const struct nft_set_iter *iter,
			      const struct nft_set_elem *elem);
};

/**
 *	struct nft_set_ops - nf_tables set operations
 *
 *	@lookup: look up an element within the set
 *	@get: fetch the element matching @elem (non-const @elem, so presumably
 *	      filled in on success; confirm against the set implementations)
 *	@insert: insert new element into set
 *	@remove: remove element from set
 *	@walk: iterate over all set elements
 *	@privsize: function to return size of set private data
 *	@init: initialize private data of new set instance
 *	@destroy: destroy private data of set instance
 *	@list: nf_tables_set_ops list node
 *	@owner: module reference
 *	@features: features supported by the implementation
 */
struct nft_set_ops {
	bool				(*lookup)(const struct nft_set *set,
						  const struct nft_data *key,
						  struct nft_data *data);
	int				(*get)(const struct nft_set *set,
					       struct nft_set_elem *elem);
	int				(*insert)(const struct nft_set *set,
						  const struct nft_set_elem *elem);
	void				(*remove)(const struct nft_set *set,
						  const struct nft_set_elem *elem);
	void				(*walk)(const struct nft_ctx *ctx,
						const struct nft_set *set,
						struct nft_set_iter *iter);

	unsigned int			(*privsize)(const struct nlattr * const nla[]);
	int				(*init)(const struct nft_set *set,
						const struct nlattr * const nla[]);
	void				(*destroy)(const struct nft_set *set);

	struct list_head		list;
	struct module			*owner;
	u32				features;
};

int nft_register_set(struct nft_set_ops *ops);
void nft_unregister_set(struct nft_set_ops *ops);

/**
 * 	struct nft_set - nf_tables set instance
 *
 *	@list: table set list node
 *	@bindings: list of set bindings
 * 	@name: name of the set
 * 	@ktype: key type (numeric type defined by userspace, not used in the kernel)
 * 	@dtype: data type (verdict or numeric type defined by userspace)
 * 	@ops: set ops; starts the runtime part of the struct on its own cache line
 * 	@flags: set flags
 * 	@klen: key length
 * 	@dlen: data length
 * 	@data: private set data, u64-aligned, sized by ops->privsize()
 */
struct nft_set {
	struct list_head		list;
	struct list_head		bindings;
	char				name[IFNAMSIZ];
	u32				ktype;
	u32				dtype;
	/* runtime data below here */
	const struct nft_set_ops	*ops ____cacheline_aligned;
	u16				flags;
	u8				klen;
	u8				dlen;
	unsigned char			data[]
		__attribute__((aligned(__alignof__(u64))));
};

/**
 *	nft_set_priv - pointer to a set's implementation-private data
 *	@set: set instance
 *
 *	Return: @set->data with the const qualifier dropped.
 */
static inline void *nft_set_priv(const struct nft_set *set)
{
	return (void *)set->data;
}

struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
				     const struct nlattr *nla);

/**
 *	struct nft_set_binding - nf_tables set binding
 *
 *	@list: set bindings list node
 *	@chain: chain containing the rule bound to the set
 *
 *	A set binding contains all information necessary for validation
 *	of new elements added to a bound set.
 */
struct nft_set_binding {
	struct list_head		list;
	const struct nft_chain		*chain;
};

int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
		       struct nft_set_binding *binding);
void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
			  struct nft_set_binding *binding);


/**
 *	struct nft_expr_type - nf_tables expression type
 *
 *	@select_ops: function to select nft_expr_ops
 *	@ops: default ops, used when no select_ops function is present
 *	@list: used internally
 *	@name: Identifier
 *	@owner: module reference
 *	@policy: netlink attribute policy
 *	@maxattr: highest netlink attribute number
 */
struct nft_expr_type {
	const struct nft_expr_ops	*(*select_ops)(const struct nft_ctx *,
						       const struct nlattr * const tb[]);
	const struct nft_expr_ops	*ops;
	struct list_head		list;
	const char			*name;
	struct module			*owner;
	const struct nla_policy		*policy;
	unsigned int			maxattr;
};

/**
 *	struct nft_expr_ops - nf_tables expression operations
 *
 *	@eval: Expression evaluation function
 *	@size: full expression size, including private data size; this is
 *	       what nft_expr_next() advances by, so it must describe the
 *	       expression's real footprint in the rule (typically NFT_EXPR_SIZE())
 *	@init: initialization function
 *	@destroy: destruction function
 *	@dump: function to dump parameters
 *	@type: expression type
 *	@validate: validate expression, called during loop detection
 *	@data: extra data to attach to this expression operation
 */
struct nft_expr;
struct nft_expr_ops {
	void				(*eval)(const struct nft_expr *expr,
						struct nft_data data[NFT_REG_MAX + 1],
						const struct nft_pktinfo *pkt);
	unsigned int			size;

	int				(*init)(const struct nft_ctx *ctx,
						const struct nft_expr *expr,
						const struct nlattr * const tb[]);
	void				(*destroy)(const struct nft_expr *expr);
	int				(*dump)(struct sk_buff *skb,
						const struct nft_expr *expr);
	int				(*validate)(const struct nft_ctx *ctx,
						    const struct nft_expr *expr,
						    const struct nft_data **data);
	const struct nft_expr_type	*type;
	void				*data;
};

#define NFT_EXPR_MAXATTR		16
/* Bytes occupied by an expression with @size bytes of private data, padded
 * so that the following expression in a rule stays aligned. */
#define NFT_EXPR_SIZE(size)		(sizeof(struct nft_expr) + \
					 ALIGN(size, __alignof__(struct nft_expr)))

/**
 *	struct nft_expr - nf_tables expression
 *
 *	@ops: expression ops
 *	@data: expression private data
 */
struct nft_expr {
	const struct nft_expr_ops	*ops;
	unsigned char			data[];
};

/**
 *	nft_expr_priv - pointer to an expression's private data
 *	@expr: expression
 *
 *	Return: @expr->data with the const qualifier dropped.
 */
static inline void *nft_expr_priv(const struct nft_expr *expr)
{
	return (void *)expr->data;
}

/**
 *	struct nft_rule - nf_tables rule
 *
 *	@list: used internally
 *	@rcu_head: used internally for rcu
 *	@handle: rule handle (46 bits)
 *	@genmask: generation mask (2 bits)
 *	@dlen: length of expression data (16 bits, so at most 65535 bytes)
 *	@data: expression data, a packed sequence of struct nft_expr
 */
struct nft_rule {
	struct list_head		list;
	struct rcu_head			rcu_head;
	u64				handle:46,
					genmask:2,
					dlen:16;
	unsigned char			data[]
		__attribute__((aligned(__alignof__(struct nft_expr))));
};

/**
 *	struct nft_rule_trans - nf_tables rule update in transaction
 *
 *	@list: used internally
 *	@rule: rule that needs to be updated
 *	@chain: chain that this rule belongs to
 *	@table: table for which this chain applies
 *	@nlh: netlink header of the message that contains this update
 *	@family: family expressed as AF_*
 */
struct nft_rule_trans {
	struct list_head		list;
	struct nft_rule			*rule;
	const struct nft_chain		*chain;
	const struct nft_table		*table;
	const struct nlmsghdr		*nlh;
	u8				family;
};

/**
 *	nft_expr_first - first expression of a rule
 *	@rule: rule
 */
static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
{
	return (struct nft_expr *)&rule->data[0];
}

/**
 *	nft_expr_next - expression following @expr in its rule
 *	@expr: current expression
 *
 *	Advances by @expr->ops->size (GNU void-pointer arithmetic).  There is
 *	no bounds check here; correctness depends on every ops->size matching
 *	the rule's actual layout.
 */
static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
{
	return ((void *)expr) + expr->ops->size;
}

/**
 *	nft_expr_last - one-past-the-end expression pointer of a rule
 *	@rule: rule
 *
 *	Return: the address just past @rule->dlen bytes of expression data;
 *	not a valid expression, only a loop terminator.
 */
static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
{
	return (struct nft_expr *)&rule->data[rule->dlen];
}

/*
 * The last pointer isn't really necessary, but the compiler isn't able to
 * determine that the result of nft_expr_last() is always the same since it
 * can't assume that the dlen value wasn't changed within calls in the loop.
 *
 * The loop ends on pointer equality, not ordering: rule->dlen must be exactly
 * the sum of the ops->size of the contained expressions, otherwise the walk
 * steps past the end of the rule.
 */
#define nft_rule_for_each_expr(expr, last, rule) \
	for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
	     (expr) != (last); \
	     (expr) = nft_expr_next(expr))

/* Bits of struct nft_chain.flags. */
enum nft_chain_flags {
	NFT_BASE_CHAIN			= 0x1,	/* chain is embedded in a struct nft_base_chain */
};

/**
 *	struct nft_chain - nf_tables chain
 *
 *	@rules: list of rules in the chain
 *	@list: used internally
 *	@rcu_head: used internally
 *	@net: net namespace that this chain belongs to
 *	@table: table that this chain belongs to
 *	@handle: chain handle
 *	@flags: bitmask of enum nft_chain_flags
 *	@use: number of jump references to this chain (u16, so it wraps past
 *	      65535 unless callers bound it elsewhere)
 *	@level: length of longest path to this chain
 *	@name: name of the chain
 */
struct nft_chain {
	struct list_head		rules;
	struct list_head		list;
	struct rcu_head			rcu_head;
	struct net			*net;
	struct nft_table		*table;
	u64				handle;
	u8				flags;
	u16				use;
	u16				level;
	char				name[NFT_CHAIN_MAXNAMELEN];
};

/* Chain types a base chain may be registered as; NFT_CHAIN_T_MAX is a bound. */
enum nft_chain_type {
	NFT_CHAIN_T_DEFAULT = 0,
	NFT_CHAIN_T_ROUTE,
	NFT_CHAIN_T_NAT,
	NFT_CHAIN_T_MAX
};

/**
 *	struct nft_stats - chain byte/packet counters
 *
 *	@bytes: byte counter
 *	@pkts: packet counter
 *
 *	Referenced per-cpu from struct nft_base_chain.
 */
struct nft_stats {
	u64 bytes;
	u64 pkts;
};

/**
 *	struct nft_base_chain - nf_tables base chain
 *
 *	@ops: netfilter hook ops
 *	@type: chain type
 *	@policy: default policy
 *	@stats: per-cpu chain stats
 *	@chain: the chain
 */
struct nft_base_chain {
	struct nf_hook_ops		ops;
	enum nft_chain_type		type;
	u8				policy;
	struct nft_stats __percpu	*stats;
	struct nft_chain		chain;
};

/**
 *	nft_base_chain - base chain containing @chain
 *	@chain: a chain embedded in a struct nft_base_chain
 *
 *	container_of() performs no check; the result is only meaningful for
 *	chains that carry NFT_BASE_CHAIN in their flags.
 */
static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
{
	return container_of(chain, struct nft_base_chain, chain);
}

/* Run the chain attached to hook @ops against @pkt; returns a hook verdict. */
unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,
				  const struct nf_hook_ops *ops);

/**
 *	struct nft_table - nf_tables table
 *
 *	@list: used internally
 *	@chains: chains in the table
 *	@sets: sets in the table
 *	@hgenerator: handle generator state
 *	@use: number of chain references to this table
 *	@flags: table flag (see enum nft_table_flags)
 *	@name: name of the table (flexible array, stored inline after the struct)
 */
struct nft_table {
	struct list_head		list;
	struct list_head		chains;
	struct list_head		sets;
	u64				hgenerator;
	u32				use;
	u16				flags;
	char				name[];
};

/**
 *	struct nft_af_info - nf_tables address family info
 *
 *	@list: used internally
 *	@family: address family
 *	@nhooks: number of hooks in this family
 *	@owner: module owner
 *	@tables: used internally
 *	@hooks: hookfn overrides for packet validation
 */
struct nft_af_info {
	struct list_head		list;
	int				family;
	unsigned int			nhooks;
	struct module			*owner;
	struct list_head		tables;
	nf_hookfn			*hooks[NF_MAX_HOOKS];
};

int nft_register_afinfo(struct net *, struct nft_af_info *);
void nft_unregister_afinfo(struct nft_af_info *);

/**
 *	struct nf_chain_type - registrable base chain type
 *
 *	@hook_mask: hooks this chain type may be attached to (bitmask, presumably
 *		    indexed by hook number)
 *	@name: type name
 *	@type: enum nft_chain_type value
 *	@fn: hook function per hook number
 *	@me: owning module
 *	@family: address family
 */
struct nf_chain_type {
	unsigned int		hook_mask;
	const char		*name;
	enum nft_chain_type	type;
	nf_hookfn		*fn[NF_MAX_HOOKS];
	struct module		*me;
	int			family;
};

int nft_register_chain_type(struct nf_chain_type *);
void nft_unregister_chain_type(struct nf_chain_type *);

int nft_register_expr(struct nft_expr_type *);
void nft_unregister_expr(struct nft_expr_type *);

/* Module alias helpers so the corresponding modules can be auto-loaded by
 * name ("nft-afinfo-<family>", "nft-chain-<family>-<name>", "nft-expr-<name>",
 * "nft-set"). */
#define MODULE_ALIAS_NFT_FAMILY(family)	\
	MODULE_ALIAS("nft-afinfo-" __stringify(family))

#define MODULE_ALIAS_NFT_CHAIN(family, name) \
	MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)

#define MODULE_ALIAS_NFT_EXPR(name) \
	MODULE_ALIAS("nft-expr-" name)

#define MODULE_ALIAS_NFT_SET() \
	MODULE_ALIAS("nft-set")

#endif /* _NET_NF_TABLES_H */