1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _NET_NF_TABLES_H 3 #define _NET_NF_TABLES_H 4 5 #include <linux/module.h> 6 #include <linux/list.h> 7 #include <linux/netfilter.h> 8 #include <linux/netfilter/nfnetlink.h> 9 #include <linux/netfilter/x_tables.h> 10 #include <linux/netfilter/nf_tables.h> 11 #include <linux/u64_stats_sync.h> 12 #include <net/netfilter/nf_flow_table.h> 13 #include <net/netlink.h> 14 15 #define NFT_JUMP_STACK_SIZE 16 16 17 struct nft_pktinfo { 18 struct sk_buff *skb; 19 bool tprot_set; 20 u8 tprot; 21 /* for x_tables compatibility */ 22 struct xt_action_param xt; 23 }; 24 25 static inline struct net *nft_net(const struct nft_pktinfo *pkt) 26 { 27 return pkt->xt.state->net; 28 } 29 30 static inline unsigned int nft_hook(const struct nft_pktinfo *pkt) 31 { 32 return pkt->xt.state->hook; 33 } 34 35 static inline u8 nft_pf(const struct nft_pktinfo *pkt) 36 { 37 return pkt->xt.state->pf; 38 } 39 40 static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt) 41 { 42 return pkt->xt.state->in; 43 } 44 45 static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt) 46 { 47 return pkt->xt.state->out; 48 } 49 50 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 51 struct sk_buff *skb, 52 const struct nf_hook_state *state) 53 { 54 pkt->skb = skb; 55 pkt->xt.state = state; 56 } 57 58 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt, 59 struct sk_buff *skb) 60 { 61 pkt->tprot_set = false; 62 pkt->tprot = 0; 63 pkt->xt.thoff = 0; 64 pkt->xt.fragoff = 0; 65 } 66 67 /** 68 * struct nft_verdict - nf_tables verdict 69 * 70 * @code: nf_tables/netfilter verdict code 71 * @chain: destination chain for NFT_JUMP/NFT_GOTO 72 */ 73 struct nft_verdict { 74 u32 code; 75 struct nft_chain *chain; 76 }; 77 78 struct nft_data { 79 union { 80 u32 data[4]; 81 struct nft_verdict verdict; 82 }; 83 } __attribute__((aligned(__alignof__(u64)))); 84 85 /** 86 * struct nft_regs - nf_tables register set 87 * 88 * @data: data registers 89 * @verdict: verdict register 90 * 91 * The first four data registers alias to the verdict register. 92 */ 93 struct nft_regs { 94 union { 95 u32 data[20]; 96 struct nft_verdict verdict; 97 }; 98 }; 99 100 /* Store/load an u16 or u8 integer to/from the u32 data register. 101 * 102 * Note, when using concatenations, register allocation happens at 32-bit 103 * level. So for store instruction, pad the rest part with zero to avoid 104 * garbage values. 105 */ 106 107 static inline void nft_reg_store16(u32 *dreg, u16 val) 108 { 109 *dreg = 0; 110 *(u16 *)dreg = val; 111 } 112 113 static inline void nft_reg_store8(u32 *dreg, u8 val) 114 { 115 *dreg = 0; 116 *(u8 *)dreg = val; 117 } 118 119 static inline u16 nft_reg_load16(u32 *sreg) 120 { 121 return *(u16 *)sreg; 122 } 123 124 static inline u8 nft_reg_load8(u32 *sreg) 125 { 126 return *(u8 *)sreg; 127 } 128 129 static inline void nft_data_copy(u32 *dst, const struct nft_data *src, 130 unsigned int len) 131 { 132 memcpy(dst, src, len); 133 } 134 135 static inline void nft_data_debug(const struct nft_data *data) 136 { 137 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 138 data->data[0], data->data[1], 139 data->data[2], data->data[3]); 140 } 141 142 /** 143 * struct nft_ctx - nf_tables rule/set context 144 * 145 * @net: net namespace 146 * @table: the table the chain is contained in 147 * @chain: the chain the rule is contained in 148 * @nla: netlink attributes 149 * @portid: netlink portID of the original message 150 * @seq: netlink sequence number 151 * @family: protocol family 152 * @report: notify via unicast netlink message 153 */ 154 struct nft_ctx { 155 struct net *net; 156 struct nft_table *table; 157 struct nft_chain *chain; 158 const struct nlattr * const *nla; 159 u32 portid; 160 u32 seq; 161 u8 family; 162 bool report; 163 }; 164 165 struct nft_data_desc { 166 enum nft_data_types type; 167 unsigned int len; 168 }; 169 170 int nft_data_init(const struct nft_ctx *ctx, 171 struct nft_data *data, unsigned int size, 172 struct nft_data_desc *desc, const struct nlattr *nla); 173 void nft_data_release(const struct nft_data *data, enum nft_data_types type); 174 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 175 enum nft_data_types type, unsigned int len); 176 177 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 178 { 179 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 180 } 181 182 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 183 { 184 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE; 185 } 186 187 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest); 188 unsigned int nft_parse_register(const struct nlattr *attr); 189 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg); 190 191 int nft_validate_register_load(enum nft_registers reg, unsigned int len); 192 int nft_validate_register_store(const struct nft_ctx *ctx, 193 enum nft_registers reg, 194 const struct nft_data *data, 195 enum nft_data_types type, unsigned int len); 196 197 /** 198 * struct nft_userdata - user defined data associated with an object 199 * 200 * @len: length of the data 201 * @data: content 202 * 203 * The presence of user data is indicated in an object specific fashion, 204 * so a length of zero can't occur and the value "len" indicates data 205 * of length len + 1. 206 */ 207 struct nft_userdata { 208 u8 len; 209 unsigned char data[0]; 210 }; 211 212 /** 213 * struct nft_set_elem - generic representation of set elements 214 * 215 * @key: element key 216 * @priv: element private data and extensions 217 */ 218 struct nft_set_elem { 219 union { 220 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 221 struct nft_data val; 222 } key; 223 void *priv; 224 }; 225 226 struct nft_set; 227 struct nft_set_iter { 228 u8 genmask; 229 unsigned int count; 230 unsigned int skip; 231 int err; 232 int (*fn)(const struct nft_ctx *ctx, 233 struct nft_set *set, 234 const struct nft_set_iter *iter, 235 struct nft_set_elem *elem); 236 }; 237 238 /** 239 * struct nft_set_desc - description of set elements 240 * 241 * @klen: key length 242 * @dlen: data length 243 * @size: number of set elements 244 */ 245 struct nft_set_desc { 246 unsigned int klen; 247 unsigned int dlen; 248 unsigned int size; 249 }; 250 251 /** 252 * enum nft_set_class - performance class 253 * 254 * @NFT_LOOKUP_O_1: constant, O(1) 255 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 256 * @NFT_LOOKUP_O_N: linear, O(N) 257 */ 258 enum nft_set_class { 259 NFT_SET_CLASS_O_1, 260 NFT_SET_CLASS_O_LOG_N, 261 NFT_SET_CLASS_O_N, 262 }; 263 264 /** 265 * struct nft_set_estimate - estimation of memory and performance 266 * characteristics 267 * 268 * @size: required memory 269 * @lookup: lookup performance class 270 * @space: memory class 271 */ 272 struct nft_set_estimate { 273 unsigned int size; 274 enum nft_set_class lookup; 275 enum nft_set_class space; 276 }; 277 278 /** 279 * struct nft_set_type - nf_tables set type 280 * 281 * @select_ops: function to select nft_set_ops 282 * @ops: default ops, used when no select_ops functions is present 283 * @list: used internally 284 * @owner: module reference 285 */ 286 struct nft_set_type { 287 const struct nft_set_ops *(*select_ops)(const struct nft_ctx *, 288 const struct nft_set_desc *desc, 289 u32 flags); 290 const struct nft_set_ops *ops; 291 struct list_head list; 292 struct module *owner; 293 }; 294 295 struct nft_set_ext; 296 struct nft_expr; 297 298 /** 299 * struct nft_set_ops - nf_tables set operations 300 * 301 * @lookup: look up an element within the set 302 * @insert: insert new element into set 303 * @activate: activate new element in the next generation 304 * @deactivate: lookup for element and deactivate it in the next generation 305 * @flush: deactivate element in the next generation 306 * @remove: remove element from set 307 * @walk: iterate over all set elemeennts 308 * @get: get set elements 309 * @privsize: function to return size of set private data 310 * @init: initialize private data of new set instance 311 * @destroy: destroy private data of set instance 312 * @elemsize: element private size 313 * @features: features supported by the implementation 314 */ 315 struct nft_set_ops { 316 bool (*lookup)(const struct net *net, 317 const struct nft_set *set, 318 const u32 *key, 319 const struct nft_set_ext **ext); 320 bool (*update)(struct nft_set *set, 321 const u32 *key, 322 void *(*new)(struct nft_set *, 323 const struct nft_expr *, 324 struct nft_regs *), 325 const struct nft_expr *expr, 326 struct nft_regs *regs, 327 const struct nft_set_ext **ext); 328 329 int (*insert)(const struct net *net, 330 const struct nft_set *set, 331 const struct nft_set_elem *elem, 332 struct nft_set_ext **ext); 333 void (*activate)(const struct net *net, 334 const struct nft_set *set, 335 const struct nft_set_elem *elem); 336 void * (*deactivate)(const struct net *net, 337 const struct nft_set *set, 338 const struct nft_set_elem *elem); 339 bool (*flush)(const struct net *net, 340 const struct nft_set *set, 341 void *priv); 342 void (*remove)(const struct net *net, 343 const struct nft_set *set, 344 const struct nft_set_elem *elem); 345 void (*walk)(const struct nft_ctx *ctx, 346 struct nft_set *set, 347 struct nft_set_iter *iter); 348 void * (*get)(const struct net *net, 349 const struct nft_set *set, 350 const struct nft_set_elem *elem, 351 unsigned int flags); 352 353 unsigned int (*privsize)(const struct nlattr * const nla[], 354 const struct nft_set_desc *desc); 355 bool (*estimate)(const struct nft_set_desc *desc, 356 u32 features, 357 struct nft_set_estimate *est); 358 int (*init)(const struct nft_set *set, 359 const struct nft_set_desc *desc, 360 const struct nlattr * const nla[]); 361 void (*destroy)(const struct nft_set *set); 362 363 unsigned int elemsize; 364 u32 features; 365 const struct nft_set_type *type; 366 }; 367 368 int nft_register_set(struct nft_set_type *type); 369 void nft_unregister_set(struct nft_set_type *type); 370 371 /** 372 * struct nft_set - nf_tables set instance 373 * 374 * @list: table set list node 375 * @bindings: list of set bindings 376 * @name: name of the set 377 * @handle: unique handle of the set 378 * @ktype: key type (numeric type defined by userspace, not used in the kernel) 379 * @dtype: data type (verdict or numeric type defined by userspace) 380 * @objtype: object type (see NFT_OBJECT_* definitions) 381 * @size: maximum set size 382 * @nelems: number of elements 383 * @ndeact: number of deactivated elements queued for removal 384 * @timeout: default timeout value in jiffies 385 * @gc_int: garbage collection interval in msecs 386 * @policy: set parameterization (see enum nft_set_policies) 387 * @udlen: user data length 388 * @udata: user data 389 * @ops: set ops 390 * @flags: set flags 391 * @genmask: generation mask 392 * @klen: key length 393 * @dlen: data length 394 * @data: private set data 395 */ 396 struct nft_set { 397 struct list_head list; 398 struct list_head bindings; 399 char *name; 400 u64 handle; 401 u32 ktype; 402 u32 dtype; 403 u32 objtype; 404 u32 size; 405 atomic_t nelems; 406 u32 ndeact; 407 u64 timeout; 408 u32 gc_int; 409 u16 policy; 410 u16 udlen; 411 unsigned char *udata; 412 /* runtime data below here */ 413 const struct nft_set_ops *ops ____cacheline_aligned; 414 u16 flags:14, 415 genmask:2; 416 u8 klen; 417 u8 dlen; 418 unsigned char data[] 419 __attribute__((aligned(__alignof__(u64)))); 420 }; 421 422 static inline bool nft_set_is_anonymous(const struct nft_set *set) 423 { 424 return set->flags & NFT_SET_ANONYMOUS; 425 } 426 427 static inline void *nft_set_priv(const struct nft_set *set) 428 { 429 return (void *)set->data; 430 } 431 432 static inline struct nft_set *nft_set_container_of(const void *priv) 433 { 434 return (void *)priv - offsetof(struct nft_set, data); 435 } 436 437 struct nft_set *nft_set_lookup_global(const struct net *net, 438 const struct nft_table *table, 439 const struct nlattr *nla_set_name, 440 const struct nlattr *nla_set_id, 441 u8 genmask); 442 443 static inline unsigned long nft_set_gc_interval(const struct nft_set *set) 444 { 445 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ; 446 } 447 448 /** 449 * struct nft_set_binding - nf_tables set binding 450 * 451 * @list: set bindings list node 452 * @chain: chain containing the rule bound to the set 453 * @flags: set action flags 454 * 455 * A set binding contains all information necessary for validation 456 * of new elements added to a bound set. 457 */ 458 struct nft_set_binding { 459 struct list_head list; 460 const struct nft_chain *chain; 461 u32 flags; 462 }; 463 464 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 465 struct nft_set_binding *binding); 466 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 467 struct nft_set_binding *binding); 468 469 /** 470 * enum nft_set_extensions - set extension type IDs 471 * 472 * @NFT_SET_EXT_KEY: element key 473 * @NFT_SET_EXT_DATA: mapping data 474 * @NFT_SET_EXT_FLAGS: element flags 475 * @NFT_SET_EXT_TIMEOUT: element timeout 476 * @NFT_SET_EXT_EXPIRATION: element expiration time 477 * @NFT_SET_EXT_USERDATA: user data associated with the element 478 * @NFT_SET_EXT_EXPR: expression assiociated with the element 479 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element 480 * @NFT_SET_EXT_NUM: number of extension types 481 */ 482 enum nft_set_extensions { 483 NFT_SET_EXT_KEY, 484 NFT_SET_EXT_DATA, 485 NFT_SET_EXT_FLAGS, 486 NFT_SET_EXT_TIMEOUT, 487 NFT_SET_EXT_EXPIRATION, 488 NFT_SET_EXT_USERDATA, 489 NFT_SET_EXT_EXPR, 490 NFT_SET_EXT_OBJREF, 491 NFT_SET_EXT_NUM 492 }; 493 494 /** 495 * struct nft_set_ext_type - set extension type 496 * 497 * @len: fixed part length of the extension 498 * @align: alignment requirements of the extension 499 */ 500 struct nft_set_ext_type { 501 u8 len; 502 u8 align; 503 }; 504 505 extern const struct nft_set_ext_type nft_set_ext_types[]; 506 507 /** 508 * struct nft_set_ext_tmpl - set extension template 509 * 510 * @len: length of extension area 511 * @offset: offsets of individual extension types 512 */ 513 struct nft_set_ext_tmpl { 514 u16 len; 515 u8 offset[NFT_SET_EXT_NUM]; 516 }; 517 518 /** 519 * struct nft_set_ext - set extensions 520 * 521 * @genmask: generation mask 522 * @offset: offsets of individual extension types 523 * @data: beginning of extension data 524 */ 525 struct nft_set_ext { 526 u8 genmask; 527 u8 offset[NFT_SET_EXT_NUM]; 528 char data[0]; 529 }; 530 531 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) 532 { 533 memset(tmpl, 0, sizeof(*tmpl)); 534 tmpl->len = sizeof(struct nft_set_ext); 535 } 536 537 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id, 538 unsigned int len) 539 { 540 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align); 541 BUG_ON(tmpl->len > U8_MAX); 542 tmpl->offset[id] = tmpl->len; 543 tmpl->len += nft_set_ext_types[id].len + len; 544 } 545 546 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id) 547 { 548 nft_set_ext_add_length(tmpl, id, 0); 549 } 550 551 static inline void nft_set_ext_init(struct nft_set_ext *ext, 552 const struct nft_set_ext_tmpl *tmpl) 553 { 554 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset)); 555 } 556 557 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 558 { 559 return !!ext->offset[id]; 560 } 561 562 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 563 { 564 return ext && __nft_set_ext_exists(ext, id); 565 } 566 567 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id) 568 { 569 return (void *)ext + ext->offset[id]; 570 } 571 572 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext) 573 { 574 return nft_set_ext(ext, NFT_SET_EXT_KEY); 575 } 576 577 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext) 578 { 579 return nft_set_ext(ext, NFT_SET_EXT_DATA); 580 } 581 582 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext) 583 { 584 return nft_set_ext(ext, NFT_SET_EXT_FLAGS); 585 } 586 587 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext) 588 { 589 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT); 590 } 591 592 static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext) 593 { 594 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION); 595 } 596 597 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext) 598 { 599 return nft_set_ext(ext, NFT_SET_EXT_USERDATA); 600 } 601 602 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext) 603 { 604 return nft_set_ext(ext, NFT_SET_EXT_EXPR); 605 } 606 607 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) 608 { 609 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && 610 time_is_before_eq_jiffies(*nft_set_ext_expiration(ext)); 611 } 612 613 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, 614 void *elem) 615 { 616 return elem + set->ops->elemsize; 617 } 618 619 static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext) 620 { 621 return nft_set_ext(ext, NFT_SET_EXT_OBJREF); 622 } 623 624 void *nft_set_elem_init(const struct nft_set *set, 625 const struct nft_set_ext_tmpl *tmpl, 626 const u32 *key, const u32 *data, 627 u64 timeout, gfp_t gfp); 628 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 629 bool destroy_expr); 630 631 /** 632 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch 633 * 634 * @rcu: rcu head 635 * @set: set the elements belong to 636 * @cnt: count of elements 637 */ 638 struct nft_set_gc_batch_head { 639 struct rcu_head rcu; 640 const struct nft_set *set; 641 unsigned int cnt; 642 }; 643 644 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \ 645 sizeof(struct nft_set_gc_batch_head)) / \ 646 sizeof(void *)) 647 648 /** 649 * struct nft_set_gc_batch - nf_tables set garbage collection batch 650 * 651 * @head: GC batch head 652 * @elems: garbage collection elements 653 */ 654 struct nft_set_gc_batch { 655 struct nft_set_gc_batch_head head; 656 void *elems[NFT_SET_GC_BATCH_SIZE]; 657 }; 658 659 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 660 gfp_t gfp); 661 void nft_set_gc_batch_release(struct rcu_head *rcu); 662 663 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb) 664 { 665 if (gcb != NULL) 666 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release); 667 } 668 669 static inline struct nft_set_gc_batch * 670 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb, 671 gfp_t gfp) 672 { 673 if (gcb != NULL) { 674 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems)) 675 return gcb; 676 nft_set_gc_batch_complete(gcb); 677 } 678 return nft_set_gc_batch_alloc(set, gfp); 679 } 680 681 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, 682 void *elem) 683 { 684 gcb->elems[gcb->head.cnt++] = elem; 685 } 686 687 /** 688 * struct nft_expr_type - nf_tables expression type 689 * 690 * @select_ops: function to select nft_expr_ops 691 * @ops: default ops, used when no select_ops functions is present 692 * @list: used internally 693 * @name: Identifier 694 * @owner: module reference 695 * @policy: netlink attribute policy 696 * @maxattr: highest netlink attribute number 697 * @family: address family for AF-specific types 698 * @flags: expression type flags 699 */ 700 struct nft_expr_type { 701 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 702 const struct nlattr * const tb[]); 703 const struct nft_expr_ops *ops; 704 struct list_head list; 705 const char *name; 706 struct module *owner; 707 const struct nla_policy *policy; 708 unsigned int maxattr; 709 u8 family; 710 u8 flags; 711 }; 712 713 #define NFT_EXPR_STATEFUL 0x1 714 715 /** 716 * struct nft_expr_ops - nf_tables expression operations 717 * 718 * @eval: Expression evaluation function 719 * @size: full expression size, including private data size 720 * @init: initialization function 721 * @destroy: destruction function 722 * @dump: function to dump parameters 723 * @type: expression type 724 * @validate: validate expression, called during loop detection 725 * @data: extra data to attach to this expression operation 726 */ 727 struct nft_expr; 728 struct nft_expr_ops { 729 void (*eval)(const struct nft_expr *expr, 730 struct nft_regs *regs, 731 const struct nft_pktinfo *pkt); 732 int (*clone)(struct nft_expr *dst, 733 const struct nft_expr *src); 734 unsigned int size; 735 736 int (*init)(const struct nft_ctx *ctx, 737 const struct nft_expr *expr, 738 const struct nlattr * const tb[]); 739 void (*destroy)(const struct nft_ctx *ctx, 740 const struct nft_expr *expr); 741 int (*dump)(struct sk_buff *skb, 742 const struct nft_expr *expr); 743 int (*validate)(const struct nft_ctx *ctx, 744 const struct nft_expr *expr, 745 const struct nft_data **data); 746 const struct nft_expr_type *type; 747 void *data; 748 }; 749 750 #define NFT_EXPR_MAXATTR 16 751 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 752 ALIGN(size, __alignof__(struct nft_expr))) 753 754 /** 755 * struct nft_expr - nf_tables expression 756 * 757 * @ops: expression ops 758 * @data: expression private data 759 */ 760 struct nft_expr { 761 const struct nft_expr_ops *ops; 762 unsigned char data[]; 763 }; 764 765 static inline void *nft_expr_priv(const struct nft_expr *expr) 766 { 767 return (void *)expr->data; 768 } 769 770 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 771 const struct nlattr *nla); 772 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 773 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 774 const struct nft_expr *expr); 775 776 static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 777 { 778 int err; 779 780 if (src->ops->clone) { 781 dst->ops = src->ops; 782 err = src->ops->clone(dst, src); 783 if (err < 0) 784 return err; 785 } else { 786 memcpy(dst, src, src->ops->size); 787 } 788 789 __module_get(src->ops->type->owner); 790 return 0; 791 } 792 793 /** 794 * struct nft_rule - nf_tables rule 795 * 796 * @list: used internally 797 * @handle: rule handle 798 * @genmask: generation mask 799 * @dlen: length of expression data 800 * @udata: user data is appended to the rule 801 * @data: expression data 802 */ 803 struct nft_rule { 804 struct list_head list; 805 u64 handle:42, 806 genmask:2, 807 dlen:12, 808 udata:1; 809 unsigned char data[] 810 __attribute__((aligned(__alignof__(struct nft_expr)))); 811 }; 812 813 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 814 { 815 return (struct nft_expr *)&rule->data[0]; 816 } 817 818 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 819 { 820 return ((void *)expr) + expr->ops->size; 821 } 822 823 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 824 { 825 return (struct nft_expr *)&rule->data[rule->dlen]; 826 } 827 828 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule) 829 { 830 return (void *)&rule->data[rule->dlen]; 831 } 832 833 /* 834 * The last pointer isn't really necessary, but the compiler isn't able to 835 * determine that the result of nft_expr_last() is always the same since it 836 * can't assume that the dlen value wasn't changed within calls in the loop. 837 */ 838 #define nft_rule_for_each_expr(expr, last, rule) \ 839 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 840 (expr) != (last); \ 841 (expr) = nft_expr_next(expr)) 842 843 enum nft_chain_flags { 844 NFT_BASE_CHAIN = 0x1, 845 }; 846 847 /** 848 * struct nft_chain - nf_tables chain 849 * 850 * @rules: list of rules in the chain 851 * @list: used internally 852 * @table: table that this chain belongs to 853 * @handle: chain handle 854 * @use: number of jump references to this chain 855 * @level: length of longest path to this chain 856 * @flags: bitmask of enum nft_chain_flags 857 * @name: name of the chain 858 */ 859 struct nft_chain { 860 struct list_head rules; 861 struct list_head list; 862 struct nft_table *table; 863 u64 handle; 864 u32 use; 865 u16 level; 866 u8 flags:6, 867 genmask:2; 868 char *name; 869 }; 870 871 enum nft_chain_types { 872 NFT_CHAIN_T_DEFAULT = 0, 873 NFT_CHAIN_T_ROUTE, 874 NFT_CHAIN_T_NAT, 875 NFT_CHAIN_T_MAX 876 }; 877 878 /** 879 * struct nft_chain_type - nf_tables chain type info 880 * 881 * @name: name of the type 882 * @type: numeric identifier 883 * @family: address family 884 * @owner: module owner 885 * @hook_mask: mask of valid hooks 886 * @hooks: array of hook functions 887 * @init: chain initialization function 888 * @free: chain release function 889 */ 890 struct nft_chain_type { 891 const char *name; 892 enum nft_chain_types type; 893 int family; 894 struct module *owner; 895 unsigned int hook_mask; 896 nf_hookfn *hooks[NF_MAX_HOOKS]; 897 int (*init)(struct nft_ctx *ctx); 898 void (*free)(struct nft_ctx *ctx); 899 }; 900 901 int nft_chain_validate_dependency(const struct nft_chain *chain, 902 enum nft_chain_types type); 903 int nft_chain_validate_hooks(const struct nft_chain *chain, 904 unsigned int hook_flags); 905 906 struct nft_stats { 907 u64 bytes; 908 u64 pkts; 909 struct u64_stats_sync syncp; 910 }; 911 912 /** 913 * struct nft_base_chain - nf_tables base chain 914 * 915 * @ops: netfilter hook ops 916 * @type: chain type 917 * @policy: default policy 918 * @stats: per-cpu chain stats 919 * @chain: the chain 920 * @dev_name: device name that this base chain is attached to (if any) 921 */ 922 struct nft_base_chain { 923 struct nf_hook_ops ops; 924 const struct nft_chain_type *type; 925 u8 policy; 926 u8 flags; 927 struct nft_stats __percpu *stats; 928 struct nft_chain chain; 929 char dev_name[IFNAMSIZ]; 930 }; 931 932 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 933 { 934 return container_of(chain, struct nft_base_chain, chain); 935 } 936 937 static inline bool nft_is_base_chain(const struct nft_chain *chain) 938 { 939 return chain->flags & NFT_BASE_CHAIN; 940 } 941 942 int __nft_release_basechain(struct nft_ctx *ctx); 943 944 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); 945 946 /** 947 * struct nft_table - nf_tables table 948 * 949 * @list: used internally 950 * @chains: chains in the table 951 * @sets: sets in the table 952 * @objects: stateful objects in the table 953 * @flowtables: flow tables in the table 954 * @hgenerator: handle generator state 955 * @handle: table handle 956 * @use: number of chain references to this table 957 * @flags: table flag (see enum nft_table_flags) 958 * @genmask: generation mask 959 * @afinfo: address family info 960 * @name: name of the table 961 */ 962 struct nft_table { 963 struct list_head list; 964 struct list_head chains; 965 struct list_head sets; 966 struct list_head objects; 967 struct list_head flowtables; 968 u64 hgenerator; 969 u64 handle; 970 u32 use; 971 u16 family:6, 972 flags:8, 973 genmask:2; 974 char *name; 975 }; 976 977 void nft_register_chain_type(const struct nft_chain_type *); 978 void nft_unregister_chain_type(const struct nft_chain_type *); 979 980 int nft_register_expr(struct nft_expr_type *); 981 void nft_unregister_expr(struct nft_expr_type *); 982 983 int nft_verdict_dump(struct sk_buff *skb, int type, 984 const struct nft_verdict *v); 985 986 /** 987 * struct nft_object - nf_tables stateful object 988 * 989 * @list: table stateful object list node 990 * @table: table this object belongs to 991 * @name: name of this stateful object 992 * @genmask: generation mask 993 * @use: number of references to this stateful object 994 * @handle: unique object handle 995 * @ops: object operations 996 * @data: object data, layout depends on type 997 */ 998 struct nft_object { 999 struct list_head list; 1000 char *name; 1001 struct nft_table *table; 1002 u32 genmask:2, 1003 use:30; 1004 u64 handle; 1005 /* runtime data below here */ 1006 const struct nft_object_ops *ops ____cacheline_aligned; 1007 unsigned char data[] 1008 __attribute__((aligned(__alignof__(u64)))); 1009 }; 1010 1011 static inline void *nft_obj_data(const struct nft_object *obj) 1012 { 1013 return (void *)obj->data; 1014 } 1015 1016 #define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr)) 1017 1018 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table, 1019 const struct nlattr *nla, u32 objtype, 1020 u8 genmask); 1021 1022 void nft_obj_notify(struct net *net, struct nft_table *table, 1023 struct nft_object *obj, u32 portid, u32 seq, 1024 int event, int family, int report, gfp_t gfp); 1025 1026 /** 1027 * struct nft_object_type - stateful object type 1028 * 1029 * @select_ops: function to select nft_object_ops 1030 * @ops: default ops, used when no select_ops functions is present 1031 * @list: list node in list of object types 1032 * @type: stateful object numeric type 1033 * @owner: module owner 1034 * @maxattr: maximum netlink attribute 1035 * @policy: netlink attribute policy 1036 */ 1037 struct nft_object_type { 1038 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *, 1039 const struct nlattr * const tb[]); 1040 const struct nft_object_ops *ops; 1041 struct list_head list; 1042 u32 type; 1043 unsigned int maxattr; 1044 struct module *owner; 1045 const struct nla_policy *policy; 1046 }; 1047 1048 /** 1049 * struct nft_object_ops - stateful object operations 1050 * 1051 * @eval: stateful object evaluation function 1052 * @size: stateful object size 1053 * @init: initialize object from netlink attributes 1054 * @destroy: release existing stateful object 1055 * @dump: netlink dump stateful object 1056 */ 1057 struct nft_object_ops { 1058 void (*eval)(struct nft_object *obj, 1059 struct nft_regs *regs, 1060 const struct nft_pktinfo *pkt); 1061 unsigned int size; 1062 int (*init)(const struct nft_ctx *ctx, 1063 const struct nlattr *const tb[], 1064 struct nft_object *obj); 1065 void (*destroy)(struct nft_object *obj); 1066 int (*dump)(struct sk_buff *skb, 1067 struct nft_object *obj, 1068 bool reset); 1069 const struct nft_object_type *type; 1070 }; 1071 1072 int nft_register_obj(struct nft_object_type *obj_type); 1073 void nft_unregister_obj(struct nft_object_type *obj_type); 1074 1075 #define NFT_FLOWTABLE_DEVICE_MAX 8 1076 1077 /** 1078 * struct nft_flowtable - nf_tables flow table 1079 * 1080 * @list: flow table list node in table list 1081 * @table: the table the flow table is contained in 1082 * @name: name of this flow table 1083 * @hooknum: hook number 1084 * @priority: hook priority 1085 * @ops_len: number of hooks in array 1086 * @genmask: generation mask 1087 * @use: number of references to this flow table 1088 * @handle: unique object handle 1089 * @dev_name: array of device names 1090 * @data: rhashtable and garbage collector 1091 * @ops: array of hooks 1092 */ 1093 struct nft_flowtable { 1094 struct list_head list; 1095 struct nft_table *table; 1096 char *name; 1097 int hooknum; 1098 int priority; 1099 int ops_len; 1100 u32 genmask:2, 1101 use:30; 1102 u64 handle; 1103 char *dev_name[NFT_FLOWTABLE_DEVICE_MAX]; 1104 /* runtime data below here */ 1105 struct nf_hook_ops *ops ____cacheline_aligned; 1106 struct nf_flowtable data; 1107 }; 1108 1109 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table, 1110 const struct nlattr *nla, 1111 u8 genmask); 1112 void nft_flow_table_iterate(struct net *net, 1113 void (*iter)(struct nf_flowtable *flowtable, void *data), 1114 void *data); 1115 1116 void nft_register_flowtable_type(struct nf_flowtable_type *type); 1117 void nft_unregister_flowtable_type(struct nf_flowtable_type *type); 1118 1119 /** 1120 * struct nft_traceinfo - nft tracing information and state 1121 * 1122 * @pkt: pktinfo currently processed 1123 * @basechain: base chain currently processed 1124 * @chain: chain currently processed 1125 * @rule: rule that was evaluated 1126 * @verdict: verdict given by rule 1127 * @type: event type (enum nft_trace_types) 1128 * @packet_dumped: packet headers sent in a previous traceinfo message 1129 * @trace: other struct members are initialised 1130 */ 1131 struct nft_traceinfo { 1132 const struct nft_pktinfo *pkt; 1133 const struct nft_base_chain *basechain; 1134 const struct nft_chain *chain; 1135 const struct nft_rule *rule; 1136 const struct nft_verdict *verdict; 1137 enum nft_trace_types type; 1138 bool packet_dumped; 1139 bool trace; 1140 }; 1141 1142 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt, 1143 const struct nft_verdict *verdict, 1144 const struct nft_chain *basechain); 1145 1146 void nft_trace_notify(struct nft_traceinfo *info); 1147 1148 #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 1149 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 1150 1151 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 1152 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 1153 1154 #define MODULE_ALIAS_NFT_EXPR(name) \ 1155 MODULE_ALIAS("nft-expr-" name) 1156 1157 #define MODULE_ALIAS_NFT_SET() \ 1158 MODULE_ALIAS("nft-set") 1159 1160 #define MODULE_ALIAS_NFT_OBJ(type) \ 1161 MODULE_ALIAS("nft-obj-" __stringify(type)) 1162 1163 /* 1164 * The gencursor defines two generations, the currently active and the 1165 * next one. Objects contain a bitmask of 2 bits specifying the generations 1166 * they're active in. A set bit means they're inactive in the generation 1167 * represented by that bit. 1168 * 1169 * New objects start out as inactive in the current and active in the 1170 * next generation. When committing the ruleset the bitmask is cleared, 1171 * meaning they're active in all generations. When removing an object, 1172 * it is set inactive in the next generation. After committing the ruleset, 1173 * the objects are removed. 1174 */ 1175 static inline unsigned int nft_gencursor_next(const struct net *net) 1176 { 1177 return net->nft.gencursor + 1 == 1 ? 1 : 0; 1178 } 1179 1180 static inline u8 nft_genmask_next(const struct net *net) 1181 { 1182 return 1 << nft_gencursor_next(net); 1183 } 1184 1185 static inline u8 nft_genmask_cur(const struct net *net) 1186 { 1187 /* Use READ_ONCE() to prevent refetching the value for atomicity */ 1188 return 1 << READ_ONCE(net->nft.gencursor); 1189 } 1190 1191 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1)) 1192 1193 /* 1194 * Generic transaction helpers 1195 */ 1196 1197 /* Check if this object is currently active. */ 1198 #define nft_is_active(__net, __obj) \ 1199 (((__obj)->genmask & nft_genmask_cur(__net)) == 0) 1200 1201 /* Check if this object is active in the next generation. */ 1202 #define nft_is_active_next(__net, __obj) \ 1203 (((__obj)->genmask & nft_genmask_next(__net)) == 0) 1204 1205 /* This object becomes active in the next generation. */ 1206 #define nft_activate_next(__net, __obj) \ 1207 (__obj)->genmask = nft_genmask_cur(__net) 1208 1209 /* This object becomes inactive in the next generation. */ 1210 #define nft_deactivate_next(__net, __obj) \ 1211 (__obj)->genmask = nft_genmask_next(__net) 1212 1213 /* After committing the ruleset, clear the stale generation bit. */ 1214 #define nft_clear(__net, __obj) \ 1215 (__obj)->genmask &= ~nft_genmask_next(__net) 1216 #define nft_active_genmask(__obj, __genmask) \ 1217 !((__obj)->genmask & __genmask) 1218 1219 /* 1220 * Set element transaction helpers 1221 */ 1222 1223 static inline bool nft_set_elem_active(const struct nft_set_ext *ext, 1224 u8 genmask) 1225 { 1226 return !(ext->genmask & genmask); 1227 } 1228 1229 static inline void nft_set_elem_change_active(const struct net *net, 1230 const struct nft_set *set, 1231 struct nft_set_ext *ext) 1232 { 1233 ext->genmask ^= nft_genmask_next(net); 1234 } 1235 1236 /* 1237 * We use a free bit in the genmask field to indicate the element 1238 * is busy, meaning it is currently being processed either by 1239 * the netlink API or GC. 1240 * 1241 * Even though the genmask is only a single byte wide, this works 1242 * because the extension structure if fully constant once initialized, 1243 * so there are no non-atomic write accesses unless it is already 1244 * marked busy. 1245 */ 1246 #define NFT_SET_ELEM_BUSY_MASK (1 << 2) 1247 1248 #if defined(__LITTLE_ENDIAN_BITFIELD) 1249 #define NFT_SET_ELEM_BUSY_BIT 2 1250 #elif defined(__BIG_ENDIAN_BITFIELD) 1251 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2) 1252 #else 1253 #error 1254 #endif 1255 1256 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext) 1257 { 1258 unsigned long *word = (unsigned long *)ext; 1259 1260 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0); 1261 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word); 1262 } 1263 1264 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) 1265 { 1266 unsigned long *word = (unsigned long *)ext; 1267 1268 clear_bit(NFT_SET_ELEM_BUSY_BIT, word); 1269 } 1270 1271 /** 1272 * struct nft_trans - nf_tables object update in transaction 1273 * 1274 * @list: used internally 1275 * @msg_type: message type 1276 * @ctx: transaction context 1277 * @data: internal information related to the transaction 1278 */ 1279 struct nft_trans { 1280 struct list_head list; 1281 int msg_type; 1282 struct nft_ctx ctx; 1283 char data[0]; 1284 }; 1285 1286 struct nft_trans_rule { 1287 struct nft_rule *rule; 1288 u32 rule_id; 1289 }; 1290 1291 #define nft_trans_rule(trans) \ 1292 (((struct nft_trans_rule *)trans->data)->rule) 1293 #define nft_trans_rule_id(trans) \ 1294 (((struct nft_trans_rule *)trans->data)->rule_id) 1295 1296 struct nft_trans_set { 1297 struct nft_set *set; 1298 u32 set_id; 1299 }; 1300 1301 #define nft_trans_set(trans) \ 1302 (((struct nft_trans_set *)trans->data)->set) 1303 #define nft_trans_set_id(trans) \ 1304 (((struct nft_trans_set *)trans->data)->set_id) 1305 1306 struct nft_trans_chain { 1307 bool update; 1308 char *name; 1309 struct nft_stats __percpu *stats; 1310 u8 policy; 1311 }; 1312 1313 #define nft_trans_chain_update(trans) \ 1314 (((struct nft_trans_chain *)trans->data)->update) 1315 #define nft_trans_chain_name(trans) \ 1316 (((struct nft_trans_chain *)trans->data)->name) 1317 #define nft_trans_chain_stats(trans) \ 1318 (((struct nft_trans_chain *)trans->data)->stats) 1319 #define nft_trans_chain_policy(trans) \ 1320 (((struct nft_trans_chain *)trans->data)->policy) 1321 1322 struct nft_trans_table { 1323 bool update; 1324 bool enable; 1325 }; 1326 1327 #define nft_trans_table_update(trans) \ 1328 (((struct nft_trans_table *)trans->data)->update) 1329 #define nft_trans_table_enable(trans) \ 1330 (((struct nft_trans_table *)trans->data)->enable) 1331 1332 struct nft_trans_elem { 1333 struct nft_set *set; 1334 struct nft_set_elem elem; 1335 }; 1336 1337 #define nft_trans_elem_set(trans) \ 1338 (((struct nft_trans_elem *)trans->data)->set) 1339 #define nft_trans_elem(trans) \ 1340 (((struct nft_trans_elem *)trans->data)->elem) 1341 1342 struct nft_trans_obj { 1343 struct nft_object *obj; 1344 }; 1345 1346 #define nft_trans_obj(trans) \ 1347 (((struct nft_trans_obj *)trans->data)->obj) 1348 1349 struct nft_trans_flowtable { 1350 struct nft_flowtable *flowtable; 1351 }; 1352 1353 #define nft_trans_flowtable(trans) \ 1354 (((struct nft_trans_flowtable *)trans->data)->flowtable) 1355 1356 int __init nft_chain_filter_init(void); 1357 void __exit nft_chain_filter_fini(void); 1358 1359 #endif /* _NET_NF_TABLES_H */ 1360