196518518SPatrick McHardy #ifndef _NET_NF_TABLES_H 296518518SPatrick McHardy #define _NET_NF_TABLES_H 396518518SPatrick McHardy 496518518SPatrick McHardy #include <linux/list.h> 596518518SPatrick McHardy #include <linux/netfilter.h> 667a8fc27SPatrick McHardy #include <linux/netfilter/nfnetlink.h> 70ca743a5SPablo Neira Ayuso #include <linux/netfilter/x_tables.h> 896518518SPatrick McHardy #include <linux/netfilter/nf_tables.h> 996518518SPatrick McHardy #include <net/netlink.h> 1096518518SPatrick McHardy 1120a69341SPatrick McHardy #define NFT_JUMP_STACK_SIZE 16 1220a69341SPatrick McHardy 1396518518SPatrick McHardy struct nft_pktinfo { 1496518518SPatrick McHardy struct sk_buff *skb; 1596518518SPatrick McHardy const struct net_device *in; 1696518518SPatrick McHardy const struct net_device *out; 17c9484874SPatrick McHardy const struct nf_hook_ops *ops; 1896518518SPatrick McHardy u8 nhoff; 1996518518SPatrick McHardy u8 thoff; 204566bf27SPatrick McHardy u8 tprot; 210ca743a5SPablo Neira Ayuso /* for x_tables compatibility */ 220ca743a5SPablo Neira Ayuso struct xt_action_param xt; 2396518518SPatrick McHardy }; 2496518518SPatrick McHardy 250ca743a5SPablo Neira Ayuso static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 260ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops, 270ca743a5SPablo Neira Ayuso struct sk_buff *skb, 280ca743a5SPablo Neira Ayuso const struct net_device *in, 290ca743a5SPablo Neira Ayuso const struct net_device *out) 300ca743a5SPablo Neira Ayuso { 310ca743a5SPablo Neira Ayuso pkt->skb = skb; 320ca743a5SPablo Neira Ayuso pkt->in = pkt->xt.in = in; 330ca743a5SPablo Neira Ayuso pkt->out = pkt->xt.out = out; 34c9484874SPatrick McHardy pkt->ops = ops; 35c9484874SPatrick McHardy pkt->xt.hooknum = ops->hooknum; 360ca743a5SPablo Neira Ayuso pkt->xt.family = ops->pf; 370ca743a5SPablo Neira Ayuso } 380ca743a5SPablo Neira Ayuso 3996518518SPatrick McHardy struct nft_data { 4096518518SPatrick McHardy union { 4196518518SPatrick McHardy u32 data[4]; 4296518518SPatrick McHardy struct { 4396518518SPatrick McHardy u32 verdict; 4496518518SPatrick McHardy struct nft_chain *chain; 4596518518SPatrick McHardy }; 4696518518SPatrick McHardy }; 4796518518SPatrick McHardy } __attribute__((aligned(__alignof__(u64)))); 4896518518SPatrick McHardy 4996518518SPatrick McHardy static inline int nft_data_cmp(const struct nft_data *d1, 5096518518SPatrick McHardy const struct nft_data *d2, 5196518518SPatrick McHardy unsigned int len) 5296518518SPatrick McHardy { 5396518518SPatrick McHardy return memcmp(d1->data, d2->data, len); 5496518518SPatrick McHardy } 5596518518SPatrick McHardy 5696518518SPatrick McHardy static inline void nft_data_copy(struct nft_data *dst, 5796518518SPatrick McHardy const struct nft_data *src) 5896518518SPatrick McHardy { 5996518518SPatrick McHardy BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64)); 6096518518SPatrick McHardy *(u64 *)&dst->data[0] = *(u64 *)&src->data[0]; 6196518518SPatrick McHardy *(u64 *)&dst->data[2] = *(u64 *)&src->data[2]; 6296518518SPatrick McHardy } 6396518518SPatrick McHardy 6496518518SPatrick McHardy static inline void nft_data_debug(const struct nft_data *data) 6596518518SPatrick McHardy { 6696518518SPatrick McHardy pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 6796518518SPatrick McHardy data->data[0], data->data[1], 6896518518SPatrick McHardy data->data[2], data->data[3]); 6996518518SPatrick McHardy } 7096518518SPatrick McHardy 7196518518SPatrick McHardy /** 7220a69341SPatrick McHardy * struct nft_ctx - nf_tables rule/set context 7396518518SPatrick McHardy * 7499633ab2SPablo Neira Ayuso * @net: net namespace 7596518518SPatrick McHardy * @afi: address family info 7696518518SPatrick McHardy * @table: the table the chain is contained in 7796518518SPatrick McHardy * @chain: the chain the rule is contained in 780ca743a5SPablo Neira Ayuso * @nla: netlink attributes 79128ad332SPablo Neira Ayuso * @portid: netlink portID of the original message 80128ad332SPablo Neira Ayuso * @seq: netlink sequence number 81128ad332SPablo Neira Ayuso * @report: notify via unicast netlink message 8296518518SPatrick McHardy */ 8396518518SPatrick McHardy struct nft_ctx { 8499633ab2SPablo Neira Ayuso struct net *net; 857c95f6d8SPablo Neira Ayuso struct nft_af_info *afi; 867c95f6d8SPablo Neira Ayuso struct nft_table *table; 877c95f6d8SPablo Neira Ayuso struct nft_chain *chain; 880ca743a5SPablo Neira Ayuso const struct nlattr * const *nla; 89128ad332SPablo Neira Ayuso u32 portid; 90128ad332SPablo Neira Ayuso u32 seq; 91128ad332SPablo Neira Ayuso bool report; 9296518518SPatrick McHardy }; 9396518518SPatrick McHardy 9496518518SPatrick McHardy struct nft_data_desc { 9596518518SPatrick McHardy enum nft_data_types type; 9696518518SPatrick McHardy unsigned int len; 9796518518SPatrick McHardy }; 9896518518SPatrick McHardy 995eccdfaaSJoe Perches int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, 10096518518SPatrick McHardy struct nft_data_desc *desc, const struct nlattr *nla); 1015eccdfaaSJoe Perches void nft_data_uninit(const struct nft_data *data, enum nft_data_types type); 1025eccdfaaSJoe Perches int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 10396518518SPatrick McHardy enum nft_data_types type, unsigned int len); 10496518518SPatrick McHardy 10596518518SPatrick McHardy static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 10696518518SPatrick McHardy { 10796518518SPatrick McHardy return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 10896518518SPatrick McHardy } 10996518518SPatrick McHardy 11020a69341SPatrick McHardy static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 11120a69341SPatrick McHardy { 11220a69341SPatrick McHardy return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1; 11320a69341SPatrick McHardy } 11420a69341SPatrick McHardy 1155eccdfaaSJoe Perches int nft_validate_input_register(enum nft_registers reg); 1165eccdfaaSJoe Perches int nft_validate_output_register(enum nft_registers reg); 1175eccdfaaSJoe Perches int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg, 11896518518SPatrick McHardy const struct nft_data *data, 11996518518SPatrick McHardy enum nft_data_types type); 12096518518SPatrick McHardy 12196518518SPatrick McHardy /** 12220a69341SPatrick McHardy * struct nft_set_elem - generic representation of set elements 12320a69341SPatrick McHardy * 12420a69341SPatrick McHardy * @cookie: implementation specific element cookie 12520a69341SPatrick McHardy * @key: element key 12620a69341SPatrick McHardy * @data: element data (maps only) 12720a69341SPatrick McHardy * @flags: element flags (end of interval) 12820a69341SPatrick McHardy * 12920a69341SPatrick McHardy * The cookie can be used to store a handle to the element for subsequent 13020a69341SPatrick McHardy * removal. 13120a69341SPatrick McHardy */ 13220a69341SPatrick McHardy struct nft_set_elem { 13320a69341SPatrick McHardy void *cookie; 13420a69341SPatrick McHardy struct nft_data key; 13520a69341SPatrick McHardy struct nft_data data; 13620a69341SPatrick McHardy u32 flags; 13720a69341SPatrick McHardy }; 13820a69341SPatrick McHardy 13920a69341SPatrick McHardy struct nft_set; 14020a69341SPatrick McHardy struct nft_set_iter { 14120a69341SPatrick McHardy unsigned int count; 14220a69341SPatrick McHardy unsigned int skip; 14320a69341SPatrick McHardy int err; 14420a69341SPatrick McHardy int (*fn)(const struct nft_ctx *ctx, 14520a69341SPatrick McHardy const struct nft_set *set, 14620a69341SPatrick McHardy const struct nft_set_iter *iter, 14720a69341SPatrick McHardy const struct nft_set_elem *elem); 14820a69341SPatrick McHardy }; 14920a69341SPatrick McHardy 15020a69341SPatrick McHardy /** 151c50b960cSPatrick McHardy * struct nft_set_desc - description of set elements 152c50b960cSPatrick McHardy * 153c50b960cSPatrick McHardy * @klen: key length 154c50b960cSPatrick McHardy * @dlen: data length 155c50b960cSPatrick McHardy * @size: number of set elements 156c50b960cSPatrick McHardy */ 157c50b960cSPatrick McHardy struct nft_set_desc { 158c50b960cSPatrick McHardy unsigned int klen; 159c50b960cSPatrick McHardy unsigned int dlen; 160c50b960cSPatrick McHardy unsigned int size; 161c50b960cSPatrick McHardy }; 162c50b960cSPatrick McHardy 163c50b960cSPatrick McHardy /** 164c50b960cSPatrick McHardy * enum nft_set_class - performance class 165c50b960cSPatrick McHardy * 166c50b960cSPatrick McHardy * @NFT_LOOKUP_O_1: constant, O(1) 167c50b960cSPatrick McHardy * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 168c50b960cSPatrick McHardy * @NFT_LOOKUP_O_N: linear, O(N) 169c50b960cSPatrick McHardy */ 170c50b960cSPatrick McHardy enum nft_set_class { 171c50b960cSPatrick McHardy NFT_SET_CLASS_O_1, 172c50b960cSPatrick McHardy NFT_SET_CLASS_O_LOG_N, 173c50b960cSPatrick McHardy NFT_SET_CLASS_O_N, 174c50b960cSPatrick McHardy }; 175c50b960cSPatrick McHardy 176c50b960cSPatrick McHardy /** 177c50b960cSPatrick McHardy * struct nft_set_estimate - estimation of memory and performance 178c50b960cSPatrick McHardy * characteristics 179c50b960cSPatrick McHardy * 180c50b960cSPatrick McHardy * @size: required memory 181c50b960cSPatrick McHardy * @class: lookup performance class 182c50b960cSPatrick McHardy */ 183c50b960cSPatrick McHardy struct nft_set_estimate { 184c50b960cSPatrick McHardy unsigned int size; 185c50b960cSPatrick McHardy enum nft_set_class class; 186c50b960cSPatrick McHardy }; 187c50b960cSPatrick McHardy 188c50b960cSPatrick McHardy /** 18920a69341SPatrick McHardy * struct nft_set_ops - nf_tables set operations 19020a69341SPatrick McHardy * 19120a69341SPatrick McHardy * @lookup: look up an element within the set 19220a69341SPatrick McHardy * @insert: insert new element into set 19320a69341SPatrick McHardy * @remove: remove element from set 19420a69341SPatrick McHardy * @walk: iterate over all set elemeennts 19520a69341SPatrick McHardy * @privsize: function to return size of set private data 19620a69341SPatrick McHardy * @init: initialize private data of new set instance 19720a69341SPatrick McHardy * @destroy: destroy private data of set instance 19820a69341SPatrick McHardy * @list: nf_tables_set_ops list node 19920a69341SPatrick McHardy * @owner: module reference 20020a69341SPatrick McHardy * @features: features supported by the implementation 20120a69341SPatrick McHardy */ 20220a69341SPatrick McHardy struct nft_set_ops { 20320a69341SPatrick McHardy bool (*lookup)(const struct nft_set *set, 20420a69341SPatrick McHardy const struct nft_data *key, 20520a69341SPatrick McHardy struct nft_data *data); 20620a69341SPatrick McHardy int (*get)(const struct nft_set *set, 20720a69341SPatrick McHardy struct nft_set_elem *elem); 20820a69341SPatrick McHardy int (*insert)(const struct nft_set *set, 20920a69341SPatrick McHardy const struct nft_set_elem *elem); 21020a69341SPatrick McHardy void (*remove)(const struct nft_set *set, 21120a69341SPatrick McHardy const struct nft_set_elem *elem); 21220a69341SPatrick McHardy void (*walk)(const struct nft_ctx *ctx, 21320a69341SPatrick McHardy const struct nft_set *set, 21420a69341SPatrick McHardy struct nft_set_iter *iter); 21520a69341SPatrick McHardy 21620a69341SPatrick McHardy unsigned int (*privsize)(const struct nlattr * const nla[]); 217c50b960cSPatrick McHardy bool (*estimate)(const struct nft_set_desc *desc, 218c50b960cSPatrick McHardy u32 features, 219c50b960cSPatrick McHardy struct nft_set_estimate *est); 22020a69341SPatrick McHardy int (*init)(const struct nft_set *set, 221c50b960cSPatrick McHardy const struct nft_set_desc *desc, 22220a69341SPatrick McHardy const struct nlattr * const nla[]); 22320a69341SPatrick McHardy void (*destroy)(const struct nft_set *set); 22420a69341SPatrick McHardy 22520a69341SPatrick McHardy struct list_head list; 22620a69341SPatrick McHardy struct module *owner; 22720a69341SPatrick McHardy u32 features; 22820a69341SPatrick McHardy }; 22920a69341SPatrick McHardy 2305eccdfaaSJoe Perches int nft_register_set(struct nft_set_ops *ops); 2315eccdfaaSJoe Perches void nft_unregister_set(struct nft_set_ops *ops); 23220a69341SPatrick McHardy 23320a69341SPatrick McHardy /** 23420a69341SPatrick McHardy * struct nft_set - nf_tables set instance 23520a69341SPatrick McHardy * 23620a69341SPatrick McHardy * @list: table set list node 23720a69341SPatrick McHardy * @bindings: list of set bindings 23820a69341SPatrick McHardy * @name: name of the set 23920a69341SPatrick McHardy * @ktype: key type (numeric type defined by userspace, not used in the kernel) 24020a69341SPatrick McHardy * @dtype: data type (verdict or numeric type defined by userspace) 241c50b960cSPatrick McHardy * @size: maximum set size 242c50b960cSPatrick McHardy * @nelems: number of elements 24320a69341SPatrick McHardy * @ops: set ops 24420a69341SPatrick McHardy * @flags: set flags 24520a69341SPatrick McHardy * @klen: key length 24620a69341SPatrick McHardy * @dlen: data length 24720a69341SPatrick McHardy * @data: private set data 24820a69341SPatrick McHardy */ 24920a69341SPatrick McHardy struct nft_set { 25020a69341SPatrick McHardy struct list_head list; 25120a69341SPatrick McHardy struct list_head bindings; 25220a69341SPatrick McHardy char name[IFNAMSIZ]; 25320a69341SPatrick McHardy u32 ktype; 25420a69341SPatrick McHardy u32 dtype; 255c50b960cSPatrick McHardy u32 size; 256c50b960cSPatrick McHardy u32 nelems; 25720a69341SPatrick McHardy /* runtime data below here */ 25820a69341SPatrick McHardy const struct nft_set_ops *ops ____cacheline_aligned; 25920a69341SPatrick McHardy u16 flags; 26020a69341SPatrick McHardy u8 klen; 26120a69341SPatrick McHardy u8 dlen; 26220a69341SPatrick McHardy unsigned char data[] 26320a69341SPatrick McHardy __attribute__((aligned(__alignof__(u64)))); 26420a69341SPatrick McHardy }; 26520a69341SPatrick McHardy 26620a69341SPatrick McHardy static inline void *nft_set_priv(const struct nft_set *set) 26720a69341SPatrick McHardy { 26820a69341SPatrick McHardy return (void *)set->data; 26920a69341SPatrick McHardy } 27020a69341SPatrick McHardy 2715eccdfaaSJoe Perches struct nft_set *nf_tables_set_lookup(const struct nft_table *table, 27220a69341SPatrick McHardy const struct nlattr *nla); 273958bee14SPablo Neira Ayuso struct nft_set *nf_tables_set_lookup_byid(const struct net *net, 274958bee14SPablo Neira Ayuso const struct nlattr *nla); 27520a69341SPatrick McHardy 27620a69341SPatrick McHardy /** 27720a69341SPatrick McHardy * struct nft_set_binding - nf_tables set binding 27820a69341SPatrick McHardy * 27920a69341SPatrick McHardy * @list: set bindings list node 28020a69341SPatrick McHardy * @chain: chain containing the rule bound to the set 28120a69341SPatrick McHardy * 28220a69341SPatrick McHardy * A set binding contains all information necessary for validation 28320a69341SPatrick McHardy * of new elements added to a bound set. 28420a69341SPatrick McHardy */ 28520a69341SPatrick McHardy struct nft_set_binding { 28620a69341SPatrick McHardy struct list_head list; 28720a69341SPatrick McHardy const struct nft_chain *chain; 28820a69341SPatrick McHardy }; 28920a69341SPatrick McHardy 2905eccdfaaSJoe Perches int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 29120a69341SPatrick McHardy struct nft_set_binding *binding); 2925eccdfaaSJoe Perches void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 29320a69341SPatrick McHardy struct nft_set_binding *binding); 29420a69341SPatrick McHardy 295ef1f7df9SPatrick McHardy 29620a69341SPatrick McHardy /** 297ef1f7df9SPatrick McHardy * struct nft_expr_type - nf_tables expression type 29896518518SPatrick McHardy * 299ef1f7df9SPatrick McHardy * @select_ops: function to select nft_expr_ops 300ef1f7df9SPatrick McHardy * @ops: default ops, used when no select_ops functions is present 30196518518SPatrick McHardy * @list: used internally 30296518518SPatrick McHardy * @name: Identifier 30396518518SPatrick McHardy * @owner: module reference 30496518518SPatrick McHardy * @policy: netlink attribute policy 30596518518SPatrick McHardy * @maxattr: highest netlink attribute number 30664d46806SPatrick McHardy * @family: address family for AF-specific types 307ef1f7df9SPatrick McHardy */ 308ef1f7df9SPatrick McHardy struct nft_expr_type { 3090ca743a5SPablo Neira Ayuso const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 3100ca743a5SPablo Neira Ayuso const struct nlattr * const tb[]); 311ef1f7df9SPatrick McHardy const struct nft_expr_ops *ops; 312ef1f7df9SPatrick McHardy struct list_head list; 313ef1f7df9SPatrick McHardy const char *name; 314ef1f7df9SPatrick McHardy struct module *owner; 315ef1f7df9SPatrick McHardy const struct nla_policy *policy; 316ef1f7df9SPatrick McHardy unsigned int maxattr; 31764d46806SPatrick McHardy u8 family; 318ef1f7df9SPatrick McHardy }; 319ef1f7df9SPatrick McHardy 320ef1f7df9SPatrick McHardy /** 321ef1f7df9SPatrick McHardy * struct nft_expr_ops - nf_tables expression operations 322ef1f7df9SPatrick McHardy * 323ef1f7df9SPatrick McHardy * @eval: Expression evaluation function 32496518518SPatrick McHardy * @size: full expression size, including private data size 325ef1f7df9SPatrick McHardy * @init: initialization function 326ef1f7df9SPatrick McHardy * @destroy: destruction function 327ef1f7df9SPatrick McHardy * @dump: function to dump parameters 328ef1f7df9SPatrick McHardy * @type: expression type 3290ca743a5SPablo Neira Ayuso * @validate: validate expression, called during loop detection 3300ca743a5SPablo Neira Ayuso * @data: extra data to attach to this expression operation 33196518518SPatrick McHardy */ 33296518518SPatrick McHardy struct nft_expr; 33396518518SPatrick McHardy struct nft_expr_ops { 33496518518SPatrick McHardy void (*eval)(const struct nft_expr *expr, 33596518518SPatrick McHardy struct nft_data data[NFT_REG_MAX + 1], 33696518518SPatrick McHardy const struct nft_pktinfo *pkt); 337ef1f7df9SPatrick McHardy unsigned int size; 338ef1f7df9SPatrick McHardy 33996518518SPatrick McHardy int (*init)(const struct nft_ctx *ctx, 34096518518SPatrick McHardy const struct nft_expr *expr, 34196518518SPatrick McHardy const struct nlattr * const tb[]); 34262472bceSPatrick McHardy void (*destroy)(const struct nft_ctx *ctx, 34362472bceSPatrick McHardy const struct nft_expr *expr); 34496518518SPatrick McHardy int (*dump)(struct sk_buff *skb, 34596518518SPatrick McHardy const struct nft_expr *expr); 3460ca743a5SPablo Neira Ayuso int (*validate)(const struct nft_ctx *ctx, 3470ca743a5SPablo Neira Ayuso const struct nft_expr *expr, 3480ca743a5SPablo Neira Ayuso const struct nft_data **data); 349ef1f7df9SPatrick McHardy const struct nft_expr_type *type; 3500ca743a5SPablo Neira Ayuso void *data; 35196518518SPatrick McHardy }; 35296518518SPatrick McHardy 353ef1f7df9SPatrick McHardy #define NFT_EXPR_MAXATTR 16 35496518518SPatrick McHardy #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 35596518518SPatrick McHardy ALIGN(size, __alignof__(struct nft_expr))) 35696518518SPatrick McHardy 35796518518SPatrick McHardy /** 35896518518SPatrick McHardy * struct nft_expr - nf_tables expression 35996518518SPatrick McHardy * 36096518518SPatrick McHardy * @ops: expression ops 36196518518SPatrick McHardy * @data: expression private data 36296518518SPatrick McHardy */ 36396518518SPatrick McHardy struct nft_expr { 36496518518SPatrick McHardy const struct nft_expr_ops *ops; 36596518518SPatrick McHardy unsigned char data[]; 36696518518SPatrick McHardy }; 36796518518SPatrick McHardy 36896518518SPatrick McHardy static inline void *nft_expr_priv(const struct nft_expr *expr) 36996518518SPatrick McHardy { 37096518518SPatrick McHardy return (void *)expr->data; 37196518518SPatrick McHardy } 37296518518SPatrick McHardy 37396518518SPatrick McHardy /** 37496518518SPatrick McHardy * struct nft_rule - nf_tables rule 37596518518SPatrick McHardy * 37696518518SPatrick McHardy * @list: used internally 37796518518SPatrick McHardy * @handle: rule handle 3780628b123SPablo Neira Ayuso * @genmask: generation mask 37996518518SPatrick McHardy * @dlen: length of expression data 3800768b3b3SPablo Neira Ayuso * @ulen: length of user data (used for comments) 38196518518SPatrick McHardy * @data: expression data 38296518518SPatrick McHardy */ 38396518518SPatrick McHardy struct nft_rule { 38496518518SPatrick McHardy struct list_head list; 3850768b3b3SPablo Neira Ayuso u64 handle:42, 3860628b123SPablo Neira Ayuso genmask:2, 3870768b3b3SPablo Neira Ayuso dlen:12, 3880768b3b3SPablo Neira Ayuso ulen:8; 38996518518SPatrick McHardy unsigned char data[] 39096518518SPatrick McHardy __attribute__((aligned(__alignof__(struct nft_expr)))); 39196518518SPatrick McHardy }; 39296518518SPatrick McHardy 3930628b123SPablo Neira Ayuso /** 3941081d11bSPablo Neira Ayuso * struct nft_trans - nf_tables object update in transaction 3950628b123SPablo Neira Ayuso * 396c7c32e72SPablo Neira Ayuso * @rcu_head: rcu head to defer release of transaction data 3970628b123SPablo Neira Ayuso * @list: used internally 398b380e5c7SPablo Neira Ayuso * @msg_type: message type 3991081d11bSPablo Neira Ayuso * @ctx: transaction context 4001081d11bSPablo Neira Ayuso * @data: internal information related to the transaction 4010628b123SPablo Neira Ayuso */ 4021081d11bSPablo Neira Ayuso struct nft_trans { 403c7c32e72SPablo Neira Ayuso struct rcu_head rcu_head; 4040628b123SPablo Neira Ayuso struct list_head list; 405b380e5c7SPablo Neira Ayuso int msg_type; 40662472bceSPatrick McHardy struct nft_ctx ctx; 4071081d11bSPablo Neira Ayuso char data[0]; 4081081d11bSPablo Neira Ayuso }; 4091081d11bSPablo Neira Ayuso 4101081d11bSPablo Neira Ayuso struct nft_trans_rule { 4110628b123SPablo Neira Ayuso struct nft_rule *rule; 4120628b123SPablo Neira Ayuso }; 4130628b123SPablo Neira Ayuso 4141081d11bSPablo Neira Ayuso #define nft_trans_rule(trans) \ 4151081d11bSPablo Neira Ayuso (((struct nft_trans_rule *)trans->data)->rule) 4161081d11bSPablo Neira Ayuso 417958bee14SPablo Neira Ayuso struct nft_trans_set { 418958bee14SPablo Neira Ayuso struct nft_set *set; 419958bee14SPablo Neira Ayuso u32 set_id; 420958bee14SPablo Neira Ayuso }; 421958bee14SPablo Neira Ayuso 422958bee14SPablo Neira Ayuso #define nft_trans_set(trans) \ 423958bee14SPablo Neira Ayuso (((struct nft_trans_set *)trans->data)->set) 424958bee14SPablo Neira Ayuso #define nft_trans_set_id(trans) \ 425958bee14SPablo Neira Ayuso (((struct nft_trans_set *)trans->data)->set_id) 426958bee14SPablo Neira Ayuso 42791c7b38dSPablo Neira Ayuso struct nft_trans_chain { 42891c7b38dSPablo Neira Ayuso bool update; 42991c7b38dSPablo Neira Ayuso char name[NFT_CHAIN_MAXNAMELEN]; 43091c7b38dSPablo Neira Ayuso struct nft_stats __percpu *stats; 43191c7b38dSPablo Neira Ayuso u8 policy; 43291c7b38dSPablo Neira Ayuso }; 43391c7b38dSPablo Neira Ayuso 43491c7b38dSPablo Neira Ayuso #define nft_trans_chain_update(trans) \ 43591c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->update) 43691c7b38dSPablo Neira Ayuso #define nft_trans_chain_name(trans) \ 43791c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->name) 43891c7b38dSPablo Neira Ayuso #define nft_trans_chain_stats(trans) \ 43991c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->stats) 44091c7b38dSPablo Neira Ayuso #define nft_trans_chain_policy(trans) \ 44191c7b38dSPablo Neira Ayuso (((struct nft_trans_chain *)trans->data)->policy) 44291c7b38dSPablo Neira Ayuso 44355dd6f93SPablo Neira Ayuso struct nft_trans_table { 44455dd6f93SPablo Neira Ayuso bool update; 44555dd6f93SPablo Neira Ayuso bool enable; 44655dd6f93SPablo Neira Ayuso }; 44755dd6f93SPablo Neira Ayuso 44855dd6f93SPablo Neira Ayuso #define nft_trans_table_update(trans) \ 44955dd6f93SPablo Neira Ayuso (((struct nft_trans_table *)trans->data)->update) 45055dd6f93SPablo Neira Ayuso #define nft_trans_table_enable(trans) \ 45155dd6f93SPablo Neira Ayuso (((struct nft_trans_table *)trans->data)->enable) 45255dd6f93SPablo Neira Ayuso 45360319eb1SPablo Neira Ayuso struct nft_trans_elem { 45460319eb1SPablo Neira Ayuso struct nft_set *set; 45560319eb1SPablo Neira Ayuso struct nft_set_elem elem; 45660319eb1SPablo Neira Ayuso }; 45760319eb1SPablo Neira Ayuso 45860319eb1SPablo Neira Ayuso #define nft_trans_elem_set(trans) \ 45960319eb1SPablo Neira Ayuso (((struct nft_trans_elem *)trans->data)->set) 46060319eb1SPablo Neira Ayuso #define nft_trans_elem(trans) \ 46160319eb1SPablo Neira Ayuso (((struct nft_trans_elem *)trans->data)->elem) 46260319eb1SPablo Neira Ayuso 46396518518SPatrick McHardy static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 46496518518SPatrick McHardy { 46596518518SPatrick McHardy return (struct nft_expr *)&rule->data[0]; 46696518518SPatrick McHardy } 46796518518SPatrick McHardy 46896518518SPatrick McHardy static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 46996518518SPatrick McHardy { 47096518518SPatrick McHardy return ((void *)expr) + expr->ops->size; 47196518518SPatrick McHardy } 47296518518SPatrick McHardy 47396518518SPatrick McHardy static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 47496518518SPatrick McHardy { 47596518518SPatrick McHardy return (struct nft_expr *)&rule->data[rule->dlen]; 47696518518SPatrick McHardy } 47796518518SPatrick McHardy 4780768b3b3SPablo Neira Ayuso static inline void *nft_userdata(const struct nft_rule *rule) 4790768b3b3SPablo Neira Ayuso { 4800768b3b3SPablo Neira Ayuso return (void *)&rule->data[rule->dlen]; 4810768b3b3SPablo Neira Ayuso } 4820768b3b3SPablo Neira Ayuso 48396518518SPatrick McHardy /* 48496518518SPatrick McHardy * The last pointer isn't really necessary, but the compiler isn't able to 48596518518SPatrick McHardy * determine that the result of nft_expr_last() is always the same since it 48696518518SPatrick McHardy * can't assume that the dlen value wasn't changed within calls in the loop. 48796518518SPatrick McHardy */ 48896518518SPatrick McHardy #define nft_rule_for_each_expr(expr, last, rule) \ 48996518518SPatrick McHardy for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 49096518518SPatrick McHardy (expr) != (last); \ 49196518518SPatrick McHardy (expr) = nft_expr_next(expr)) 49296518518SPatrick McHardy 49396518518SPatrick McHardy enum nft_chain_flags { 49496518518SPatrick McHardy NFT_BASE_CHAIN = 0x1, 49591c7b38dSPablo Neira Ayuso NFT_CHAIN_INACTIVE = 0x2, 49696518518SPatrick McHardy }; 49796518518SPatrick McHardy 49896518518SPatrick McHardy /** 49996518518SPatrick McHardy * struct nft_chain - nf_tables chain 50096518518SPatrick McHardy * 50196518518SPatrick McHardy * @rules: list of rules in the chain 50296518518SPatrick McHardy * @list: used internally 5030628b123SPablo Neira Ayuso * @net: net namespace that this chain belongs to 504b5bc89bfSPablo Neira Ayuso * @table: table that this chain belongs to 50596518518SPatrick McHardy * @handle: chain handle 50696518518SPatrick McHardy * @use: number of jump references to this chain 50796518518SPatrick McHardy * @level: length of longest path to this chain 508a0a7379eSPablo Neira Ayuso * @flags: bitmask of enum nft_chain_flags 50996518518SPatrick McHardy * @name: name of the chain 51096518518SPatrick McHardy */ 51196518518SPatrick McHardy struct nft_chain { 51296518518SPatrick McHardy struct list_head rules; 51396518518SPatrick McHardy struct list_head list; 5140628b123SPablo Neira Ayuso struct net *net; 515b5bc89bfSPablo Neira Ayuso struct nft_table *table; 51696518518SPatrick McHardy u64 handle; 517a0a7379eSPablo Neira Ayuso u32 use; 51896518518SPatrick McHardy u16 level; 519a0a7379eSPablo Neira Ayuso u8 flags; 52096518518SPatrick McHardy char name[NFT_CHAIN_MAXNAMELEN]; 52196518518SPatrick McHardy }; 52296518518SPatrick McHardy 5239370761cSPablo Neira Ayuso enum nft_chain_type { 5249370761cSPablo Neira Ayuso NFT_CHAIN_T_DEFAULT = 0, 5259370761cSPablo Neira Ayuso NFT_CHAIN_T_ROUTE, 5269370761cSPablo Neira Ayuso NFT_CHAIN_T_NAT, 5279370761cSPablo Neira Ayuso NFT_CHAIN_T_MAX 5289370761cSPablo Neira Ayuso }; 5299370761cSPablo Neira Ayuso 5300ca743a5SPablo Neira Ayuso struct nft_stats { 5310ca743a5SPablo Neira Ayuso u64 bytes; 5320ca743a5SPablo Neira Ayuso u64 pkts; 5330ca743a5SPablo Neira Ayuso }; 5340ca743a5SPablo Neira Ayuso 535115a60b1SPatrick McHardy #define NFT_HOOK_OPS_MAX 2 536115a60b1SPatrick McHardy 53796518518SPatrick McHardy /** 53896518518SPatrick McHardy * struct nft_base_chain - nf_tables base chain 53996518518SPatrick McHardy * 54096518518SPatrick McHardy * @ops: netfilter hook ops 5419370761cSPablo Neira Ayuso * @type: chain type 5420ca743a5SPablo Neira Ayuso * @policy: default policy 5430ca743a5SPablo Neira Ayuso * @stats: per-cpu chain stats 54496518518SPatrick McHardy * @chain: the chain 54596518518SPatrick McHardy */ 54696518518SPatrick McHardy struct nft_base_chain { 547115a60b1SPatrick McHardy struct nf_hook_ops ops[NFT_HOOK_OPS_MAX]; 5482a37d755SPatrick McHardy const struct nf_chain_type *type; 5490ca743a5SPablo Neira Ayuso u8 policy; 5500ca743a5SPablo Neira Ayuso struct nft_stats __percpu *stats; 55196518518SPatrick McHardy struct nft_chain chain; 55296518518SPatrick McHardy }; 55396518518SPatrick McHardy 55496518518SPatrick McHardy static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 55596518518SPatrick McHardy { 55696518518SPatrick McHardy return container_of(chain, struct nft_base_chain, chain); 55796518518SPatrick McHardy } 55896518518SPatrick McHardy 5593876d22dSPatrick McHardy unsigned int nft_do_chain(struct nft_pktinfo *pkt, 5600ca743a5SPablo Neira Ayuso const struct nf_hook_ops *ops); 56196518518SPatrick McHardy 56296518518SPatrick McHardy /** 56396518518SPatrick McHardy * struct nft_table - nf_tables table 56496518518SPatrick McHardy * 56596518518SPatrick McHardy * @list: used internally 56696518518SPatrick McHardy * @chains: chains in the table 56796518518SPatrick McHardy * @sets: sets in the table 56896518518SPatrick McHardy * @hgenerator: handle generator state 56996518518SPatrick McHardy * @use: number of chain references to this table 57096518518SPatrick McHardy * @flags: table flag (see enum nft_table_flags) 57196518518SPatrick McHardy * @name: name of the table 57296518518SPatrick McHardy */ 57396518518SPatrick McHardy struct nft_table { 57496518518SPatrick McHardy struct list_head list; 57596518518SPatrick McHardy struct list_head chains; 57696518518SPatrick McHardy struct list_head sets; 57796518518SPatrick McHardy u64 hgenerator; 57896518518SPatrick McHardy u32 use; 57996518518SPatrick McHardy u16 flags; 58096518518SPatrick McHardy char name[]; 58196518518SPatrick McHardy }; 58296518518SPatrick McHardy 58396518518SPatrick McHardy /** 58496518518SPatrick McHardy * struct nft_af_info - nf_tables address family info 58596518518SPatrick McHardy * 58696518518SPatrick McHardy * @list: used internally 58796518518SPatrick McHardy * @family: address family 58896518518SPatrick McHardy * @nhooks: number of hooks in this family 58996518518SPatrick McHardy * @owner: module owner 59096518518SPatrick McHardy * @tables: used internally 591115a60b1SPatrick McHardy * @nops: number of hook ops in this family 592115a60b1SPatrick McHardy * @hook_ops_init: initialization function for chain hook ops 59396518518SPatrick McHardy * @hooks: hookfn overrides for packet validation 59496518518SPatrick McHardy */ 59596518518SPatrick McHardy struct nft_af_info { 59696518518SPatrick McHardy struct list_head list; 59796518518SPatrick McHardy int family; 59896518518SPatrick McHardy unsigned int nhooks; 59996518518SPatrick McHardy struct module *owner; 60096518518SPatrick McHardy struct list_head tables; 601115a60b1SPatrick McHardy unsigned int nops; 602115a60b1SPatrick McHardy void (*hook_ops_init)(struct nf_hook_ops *, 603115a60b1SPatrick McHardy unsigned int); 60496518518SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 60596518518SPatrick McHardy }; 60696518518SPatrick McHardy 6075eccdfaaSJoe Perches int nft_register_afinfo(struct net *, struct nft_af_info *); 6085eccdfaaSJoe Perches void nft_unregister_afinfo(struct nft_af_info *); 60996518518SPatrick McHardy 610fa2c1de0SPatrick McHardy /** 611fa2c1de0SPatrick McHardy * struct nf_chain_type - nf_tables chain type info 612fa2c1de0SPatrick McHardy * 613fa2c1de0SPatrick McHardy * @name: name of the type 614fa2c1de0SPatrick McHardy * @type: numeric identifier 615fa2c1de0SPatrick McHardy * @family: address family 616fa2c1de0SPatrick McHardy * @owner: module owner 617fa2c1de0SPatrick McHardy * @hook_mask: mask of valid hooks 618fa2c1de0SPatrick McHardy * @hooks: hookfn overrides 619fa2c1de0SPatrick McHardy */ 6209370761cSPablo Neira Ayuso struct nf_chain_type { 6219370761cSPablo Neira Ayuso const char *name; 6229370761cSPablo Neira Ayuso enum nft_chain_type type; 6239370761cSPablo Neira Ayuso int family; 624fa2c1de0SPatrick McHardy struct module *owner; 625fa2c1de0SPatrick McHardy unsigned int hook_mask; 626fa2c1de0SPatrick McHardy nf_hookfn *hooks[NF_MAX_HOOKS]; 6279370761cSPablo Neira Ayuso }; 6289370761cSPablo Neira Ayuso 6292a37d755SPatrick McHardy int nft_register_chain_type(const struct nf_chain_type *); 6302a37d755SPatrick McHardy void nft_unregister_chain_type(const struct nf_chain_type *); 63196518518SPatrick McHardy 6325eccdfaaSJoe Perches int nft_register_expr(struct nft_expr_type *); 6335eccdfaaSJoe Perches void nft_unregister_expr(struct nft_expr_type *); 63496518518SPatrick McHardy 63567a8fc27SPatrick McHardy #define nft_dereference(p) \ 63667a8fc27SPatrick McHardy nfnl_dereference(p, NFNL_SUBSYS_NFTABLES) 63767a8fc27SPatrick McHardy 63896518518SPatrick McHardy #define MODULE_ALIAS_NFT_FAMILY(family) \ 63996518518SPatrick McHardy MODULE_ALIAS("nft-afinfo-" __stringify(family)) 64096518518SPatrick McHardy 6419370761cSPablo Neira Ayuso #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 6429370761cSPablo Neira Ayuso MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 64396518518SPatrick McHardy 64464d46806SPatrick McHardy #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 64564d46806SPatrick McHardy MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 64664d46806SPatrick McHardy 64796518518SPatrick McHardy #define MODULE_ALIAS_NFT_EXPR(name) \ 64896518518SPatrick McHardy MODULE_ALIAS("nft-expr-" name) 64996518518SPatrick McHardy 65020a69341SPatrick McHardy #define MODULE_ALIAS_NFT_SET() \ 65120a69341SPatrick McHardy MODULE_ALIAS("nft-set") 65220a69341SPatrick McHardy 65396518518SPatrick McHardy #endif /* _NET_NF_TABLES_H */ 654