1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _NET_NF_TABLES_H 3 #define _NET_NF_TABLES_H 4 5 #include <linux/module.h> 6 #include <linux/list.h> 7 #include <linux/netfilter.h> 8 #include <linux/netfilter/nfnetlink.h> 9 #include <linux/netfilter/x_tables.h> 10 #include <linux/netfilter/nf_tables.h> 11 #include <linux/u64_stats_sync.h> 12 #include <linux/rhashtable.h> 13 #include <net/netfilter/nf_flow_table.h> 14 #include <net/netlink.h> 15 16 #define NFT_JUMP_STACK_SIZE 16 17 18 struct nft_pktinfo { 19 struct sk_buff *skb; 20 bool tprot_set; 21 u8 tprot; 22 /* for x_tables compatibility */ 23 struct xt_action_param xt; 24 }; 25 26 static inline struct net *nft_net(const struct nft_pktinfo *pkt) 27 { 28 return pkt->xt.state->net; 29 } 30 31 static inline unsigned int nft_hook(const struct nft_pktinfo *pkt) 32 { 33 return pkt->xt.state->hook; 34 } 35 36 static inline u8 nft_pf(const struct nft_pktinfo *pkt) 37 { 38 return pkt->xt.state->pf; 39 } 40 41 static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt) 42 { 43 return pkt->xt.state->in; 44 } 45 46 static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt) 47 { 48 return pkt->xt.state->out; 49 } 50 51 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 52 struct sk_buff *skb, 53 const struct nf_hook_state *state) 54 { 55 pkt->skb = skb; 56 pkt->xt.state = state; 57 } 58 59 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt, 60 struct sk_buff *skb) 61 { 62 pkt->tprot_set = false; 63 pkt->tprot = 0; 64 pkt->xt.thoff = 0; 65 pkt->xt.fragoff = 0; 66 } 67 68 /** 69 * struct nft_verdict - nf_tables verdict 70 * 71 * @code: nf_tables/netfilter verdict code 72 * @chain: destination chain for NFT_JUMP/NFT_GOTO 73 */ 74 struct nft_verdict { 75 u32 code; 76 struct nft_chain *chain; 77 }; 78 79 struct nft_data { 80 union { 81 u32 data[4]; 82 struct nft_verdict verdict; 83 }; 84 } __attribute__((aligned(__alignof__(u64)))); 85 86 /** 87 * struct nft_regs - nf_tables register set 88 * 89 * @data: data registers 90 * @verdict: verdict register 91 * 92 * The first four data registers alias to the verdict register. 93 */ 94 struct nft_regs { 95 union { 96 u32 data[20]; 97 struct nft_verdict verdict; 98 }; 99 }; 100 101 /* Store/load an u16 or u8 integer to/from the u32 data register. 102 * 103 * Note, when using concatenations, register allocation happens at 32-bit 104 * level. So for store instruction, pad the rest part with zero to avoid 105 * garbage values. 106 */ 107 108 static inline void nft_reg_store16(u32 *dreg, u16 val) 109 { 110 *dreg = 0; 111 *(u16 *)dreg = val; 112 } 113 114 static inline void nft_reg_store8(u32 *dreg, u8 val) 115 { 116 *dreg = 0; 117 *(u8 *)dreg = val; 118 } 119 120 static inline u16 nft_reg_load16(u32 *sreg) 121 { 122 return *(u16 *)sreg; 123 } 124 125 static inline u8 nft_reg_load8(u32 *sreg) 126 { 127 return *(u8 *)sreg; 128 } 129 130 static inline void nft_data_copy(u32 *dst, const struct nft_data *src, 131 unsigned int len) 132 { 133 memcpy(dst, src, len); 134 } 135 136 static inline void nft_data_debug(const struct nft_data *data) 137 { 138 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 139 data->data[0], data->data[1], 140 data->data[2], data->data[3]); 141 } 142 143 /** 144 * struct nft_ctx - nf_tables rule/set context 145 * 146 * @net: net namespace 147 * @table: the table the chain is contained in 148 * @chain: the chain the rule is contained in 149 * @nla: netlink attributes 150 * @portid: netlink portID of the original message 151 * @seq: netlink sequence number 152 * @family: protocol family 153 * @level: depth of the chains 154 * @report: notify via unicast netlink message 155 */ 156 struct nft_ctx { 157 struct net *net; 158 struct nft_table *table; 159 struct nft_chain *chain; 160 const struct nlattr * const *nla; 161 u32 portid; 162 u32 seq; 163 u8 family; 164 u8 level; 165 bool report; 166 }; 167 168 struct nft_data_desc { 169 enum nft_data_types type; 170 unsigned int len; 171 }; 172 173 int nft_data_init(const struct nft_ctx *ctx, 174 struct nft_data *data, unsigned int size, 175 struct nft_data_desc *desc, const struct nlattr *nla); 176 void nft_data_hold(const struct nft_data *data, enum nft_data_types type); 177 void nft_data_release(const struct nft_data *data, enum nft_data_types type); 178 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 179 enum nft_data_types type, unsigned int len); 180 181 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 182 { 183 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 184 } 185 186 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 187 { 188 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE; 189 } 190 191 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest); 192 unsigned int nft_parse_register(const struct nlattr *attr); 193 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg); 194 195 int nft_validate_register_load(enum nft_registers reg, unsigned int len); 196 int nft_validate_register_store(const struct nft_ctx *ctx, 197 enum nft_registers reg, 198 const struct nft_data *data, 199 enum nft_data_types type, unsigned int len); 200 201 /** 202 * struct nft_userdata - user defined data associated with an object 203 * 204 * @len: length of the data 205 * @data: content 206 * 207 * The presence of user data is indicated in an object specific fashion, 208 * so a length of zero can't occur and the value "len" indicates data 209 * of length len + 1. 210 */ 211 struct nft_userdata { 212 u8 len; 213 unsigned char data[0]; 214 }; 215 216 /** 217 * struct nft_set_elem - generic representation of set elements 218 * 219 * @key: element key 220 * @priv: element private data and extensions 221 */ 222 struct nft_set_elem { 223 union { 224 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 225 struct nft_data val; 226 } key; 227 void *priv; 228 }; 229 230 struct nft_set; 231 struct nft_set_iter { 232 u8 genmask; 233 unsigned int count; 234 unsigned int skip; 235 int err; 236 int (*fn)(const struct nft_ctx *ctx, 237 struct nft_set *set, 238 const struct nft_set_iter *iter, 239 struct nft_set_elem *elem); 240 }; 241 242 /** 243 * struct nft_set_desc - description of set elements 244 * 245 * @klen: key length 246 * @dlen: data length 247 * @size: number of set elements 248 */ 249 struct nft_set_desc { 250 unsigned int klen; 251 unsigned int dlen; 252 unsigned int size; 253 }; 254 255 /** 256 * enum nft_set_class - performance class 257 * 258 * @NFT_LOOKUP_O_1: constant, O(1) 259 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 260 * @NFT_LOOKUP_O_N: linear, O(N) 261 */ 262 enum nft_set_class { 263 NFT_SET_CLASS_O_1, 264 NFT_SET_CLASS_O_LOG_N, 265 NFT_SET_CLASS_O_N, 266 }; 267 268 /** 269 * struct nft_set_estimate - estimation of memory and performance 270 * characteristics 271 * 272 * @size: required memory 273 * @lookup: lookup performance class 274 * @space: memory class 275 */ 276 struct nft_set_estimate { 277 u64 size; 278 enum nft_set_class lookup; 279 enum nft_set_class space; 280 }; 281 282 struct nft_set_ext; 283 struct nft_expr; 284 285 /** 286 * struct nft_set_ops - nf_tables set operations 287 * 288 * @lookup: look up an element within the set 289 * @insert: insert new element into set 290 * @activate: activate new element in the next generation 291 * @deactivate: lookup for element and deactivate it in the next generation 292 * @flush: deactivate element in the next generation 293 * @remove: remove element from set 294 * @walk: iterate over all set elemeennts 295 * @get: get set elements 296 * @privsize: function to return size of set private data 297 * @init: initialize private data of new set instance 298 * @destroy: destroy private data of set instance 299 * @elemsize: element private size 300 */ 301 struct nft_set_ops { 302 bool (*lookup)(const struct net *net, 303 const struct nft_set *set, 304 const u32 *key, 305 const struct nft_set_ext **ext); 306 bool (*update)(struct nft_set *set, 307 const u32 *key, 308 void *(*new)(struct nft_set *, 309 const struct nft_expr *, 310 struct nft_regs *), 311 const struct nft_expr *expr, 312 struct nft_regs *regs, 313 const struct nft_set_ext **ext); 314 315 int (*insert)(const struct net *net, 316 const struct nft_set *set, 317 const struct nft_set_elem *elem, 318 struct nft_set_ext **ext); 319 void (*activate)(const struct net *net, 320 const struct nft_set *set, 321 const struct nft_set_elem *elem); 322 void * (*deactivate)(const struct net *net, 323 const struct nft_set *set, 324 const struct nft_set_elem *elem); 325 bool (*flush)(const struct net *net, 326 const struct nft_set *set, 327 void *priv); 328 void (*remove)(const struct net *net, 329 const struct nft_set *set, 330 const struct nft_set_elem *elem); 331 void (*walk)(const struct nft_ctx *ctx, 332 struct nft_set *set, 333 struct nft_set_iter *iter); 334 void * (*get)(const struct net *net, 335 const struct nft_set *set, 336 const struct nft_set_elem *elem, 337 unsigned int flags); 338 339 u64 (*privsize)(const struct nlattr * const nla[], 340 const struct nft_set_desc *desc); 341 bool (*estimate)(const struct nft_set_desc *desc, 342 u32 features, 343 struct nft_set_estimate *est); 344 int (*init)(const struct nft_set *set, 345 const struct nft_set_desc *desc, 346 const struct nlattr * const nla[]); 347 void (*destroy)(const struct nft_set *set); 348 void (*gc_init)(const struct nft_set *set); 349 350 unsigned int elemsize; 351 }; 352 353 /** 354 * struct nft_set_type - nf_tables set type 355 * 356 * @ops: set ops for this type 357 * @list: used internally 358 * @owner: module reference 359 * @features: features supported by the implementation 360 */ 361 struct nft_set_type { 362 const struct nft_set_ops ops; 363 struct list_head list; 364 struct module *owner; 365 u32 features; 366 }; 367 #define to_set_type(o) container_of(o, struct nft_set_type, ops) 368 369 int nft_register_set(struct nft_set_type *type); 370 void nft_unregister_set(struct nft_set_type *type); 371 372 /** 373 * struct nft_set - nf_tables set instance 374 * 375 * @list: table set list node 376 * @bindings: list of set bindings 377 * @table: table this set belongs to 378 * @net: netnamespace this set belongs to 379 * @name: name of the set 380 * @handle: unique handle of the set 381 * @ktype: key type (numeric type defined by userspace, not used in the kernel) 382 * @dtype: data type (verdict or numeric type defined by userspace) 383 * @objtype: object type (see NFT_OBJECT_* definitions) 384 * @size: maximum set size 385 * @nelems: number of elements 386 * @ndeact: number of deactivated elements queued for removal 387 * @timeout: default timeout value in jiffies 388 * @gc_int: garbage collection interval in msecs 389 * @policy: set parameterization (see enum nft_set_policies) 390 * @udlen: user data length 391 * @udata: user data 392 * @ops: set ops 393 * @flags: set flags 394 * @genmask: generation mask 395 * @klen: key length 396 * @dlen: data length 397 * @data: private set data 398 */ 399 struct nft_set { 400 struct list_head list; 401 struct list_head bindings; 402 struct nft_table *table; 403 possible_net_t net; 404 char *name; 405 u64 handle; 406 u32 ktype; 407 u32 dtype; 408 u32 objtype; 409 u32 size; 410 atomic_t nelems; 411 u32 ndeact; 412 u64 timeout; 413 u32 gc_int; 414 u16 policy; 415 u16 udlen; 416 unsigned char *udata; 417 /* runtime data below here */ 418 const struct nft_set_ops *ops ____cacheline_aligned; 419 u16 flags:14, 420 genmask:2; 421 u8 klen; 422 u8 dlen; 423 unsigned char data[] 424 __attribute__((aligned(__alignof__(u64)))); 425 }; 426 427 static inline bool nft_set_is_anonymous(const struct nft_set *set) 428 { 429 return set->flags & NFT_SET_ANONYMOUS; 430 } 431 432 static inline void *nft_set_priv(const struct nft_set *set) 433 { 434 return (void *)set->data; 435 } 436 437 static inline struct nft_set *nft_set_container_of(const void *priv) 438 { 439 return (void *)priv - offsetof(struct nft_set, data); 440 } 441 442 struct nft_set *nft_set_lookup_global(const struct net *net, 443 const struct nft_table *table, 444 const struct nlattr *nla_set_name, 445 const struct nlattr *nla_set_id, 446 u8 genmask); 447 448 static inline unsigned long nft_set_gc_interval(const struct nft_set *set) 449 { 450 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ; 451 } 452 453 /** 454 * struct nft_set_binding - nf_tables set binding 455 * 456 * @list: set bindings list node 457 * @chain: chain containing the rule bound to the set 458 * @flags: set action flags 459 * 460 * A set binding contains all information necessary for validation 461 * of new elements added to a bound set. 462 */ 463 struct nft_set_binding { 464 struct list_head list; 465 const struct nft_chain *chain; 466 u32 flags; 467 }; 468 469 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 470 struct nft_set_binding *binding); 471 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 472 struct nft_set_binding *binding); 473 void nf_tables_rebind_set(const struct nft_ctx *ctx, struct nft_set *set, 474 struct nft_set_binding *binding); 475 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set); 476 477 /** 478 * enum nft_set_extensions - set extension type IDs 479 * 480 * @NFT_SET_EXT_KEY: element key 481 * @NFT_SET_EXT_DATA: mapping data 482 * @NFT_SET_EXT_FLAGS: element flags 483 * @NFT_SET_EXT_TIMEOUT: element timeout 484 * @NFT_SET_EXT_EXPIRATION: element expiration time 485 * @NFT_SET_EXT_USERDATA: user data associated with the element 486 * @NFT_SET_EXT_EXPR: expression assiociated with the element 487 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element 488 * @NFT_SET_EXT_NUM: number of extension types 489 */ 490 enum nft_set_extensions { 491 NFT_SET_EXT_KEY, 492 NFT_SET_EXT_DATA, 493 NFT_SET_EXT_FLAGS, 494 NFT_SET_EXT_TIMEOUT, 495 NFT_SET_EXT_EXPIRATION, 496 NFT_SET_EXT_USERDATA, 497 NFT_SET_EXT_EXPR, 498 NFT_SET_EXT_OBJREF, 499 NFT_SET_EXT_NUM 500 }; 501 502 /** 503 * struct nft_set_ext_type - set extension type 504 * 505 * @len: fixed part length of the extension 506 * @align: alignment requirements of the extension 507 */ 508 struct nft_set_ext_type { 509 u8 len; 510 u8 align; 511 }; 512 513 extern const struct nft_set_ext_type nft_set_ext_types[]; 514 515 /** 516 * struct nft_set_ext_tmpl - set extension template 517 * 518 * @len: length of extension area 519 * @offset: offsets of individual extension types 520 */ 521 struct nft_set_ext_tmpl { 522 u16 len; 523 u8 offset[NFT_SET_EXT_NUM]; 524 }; 525 526 /** 527 * struct nft_set_ext - set extensions 528 * 529 * @genmask: generation mask 530 * @offset: offsets of individual extension types 531 * @data: beginning of extension data 532 */ 533 struct nft_set_ext { 534 u8 genmask; 535 u8 offset[NFT_SET_EXT_NUM]; 536 char data[0]; 537 }; 538 539 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) 540 { 541 memset(tmpl, 0, sizeof(*tmpl)); 542 tmpl->len = sizeof(struct nft_set_ext); 543 } 544 545 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id, 546 unsigned int len) 547 { 548 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align); 549 BUG_ON(tmpl->len > U8_MAX); 550 tmpl->offset[id] = tmpl->len; 551 tmpl->len += nft_set_ext_types[id].len + len; 552 } 553 554 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id) 555 { 556 nft_set_ext_add_length(tmpl, id, 0); 557 } 558 559 static inline void nft_set_ext_init(struct nft_set_ext *ext, 560 const struct nft_set_ext_tmpl *tmpl) 561 { 562 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset)); 563 } 564 565 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 566 { 567 return !!ext->offset[id]; 568 } 569 570 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 571 { 572 return ext && __nft_set_ext_exists(ext, id); 573 } 574 575 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id) 576 { 577 return (void *)ext + ext->offset[id]; 578 } 579 580 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext) 581 { 582 return nft_set_ext(ext, NFT_SET_EXT_KEY); 583 } 584 585 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext) 586 { 587 return nft_set_ext(ext, NFT_SET_EXT_DATA); 588 } 589 590 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext) 591 { 592 return nft_set_ext(ext, NFT_SET_EXT_FLAGS); 593 } 594 595 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext) 596 { 597 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT); 598 } 599 600 static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext) 601 { 602 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION); 603 } 604 605 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext) 606 { 607 return nft_set_ext(ext, NFT_SET_EXT_USERDATA); 608 } 609 610 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext) 611 { 612 return nft_set_ext(ext, NFT_SET_EXT_EXPR); 613 } 614 615 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) 616 { 617 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && 618 time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext)); 619 } 620 621 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, 622 void *elem) 623 { 624 return elem + set->ops->elemsize; 625 } 626 627 static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext) 628 { 629 return nft_set_ext(ext, NFT_SET_EXT_OBJREF); 630 } 631 632 void *nft_set_elem_init(const struct nft_set *set, 633 const struct nft_set_ext_tmpl *tmpl, 634 const u32 *key, const u32 *data, 635 u64 timeout, gfp_t gfp); 636 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 637 bool destroy_expr); 638 639 /** 640 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch 641 * 642 * @rcu: rcu head 643 * @set: set the elements belong to 644 * @cnt: count of elements 645 */ 646 struct nft_set_gc_batch_head { 647 struct rcu_head rcu; 648 const struct nft_set *set; 649 unsigned int cnt; 650 }; 651 652 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \ 653 sizeof(struct nft_set_gc_batch_head)) / \ 654 sizeof(void *)) 655 656 /** 657 * struct nft_set_gc_batch - nf_tables set garbage collection batch 658 * 659 * @head: GC batch head 660 * @elems: garbage collection elements 661 */ 662 struct nft_set_gc_batch { 663 struct nft_set_gc_batch_head head; 664 void *elems[NFT_SET_GC_BATCH_SIZE]; 665 }; 666 667 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 668 gfp_t gfp); 669 void nft_set_gc_batch_release(struct rcu_head *rcu); 670 671 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb) 672 { 673 if (gcb != NULL) 674 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release); 675 } 676 677 static inline struct nft_set_gc_batch * 678 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb, 679 gfp_t gfp) 680 { 681 if (gcb != NULL) { 682 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems)) 683 return gcb; 684 nft_set_gc_batch_complete(gcb); 685 } 686 return nft_set_gc_batch_alloc(set, gfp); 687 } 688 689 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, 690 void *elem) 691 { 692 gcb->elems[gcb->head.cnt++] = elem; 693 } 694 695 /** 696 * struct nft_expr_type - nf_tables expression type 697 * 698 * @select_ops: function to select nft_expr_ops 699 * @ops: default ops, used when no select_ops functions is present 700 * @list: used internally 701 * @name: Identifier 702 * @owner: module reference 703 * @policy: netlink attribute policy 704 * @maxattr: highest netlink attribute number 705 * @family: address family for AF-specific types 706 * @flags: expression type flags 707 */ 708 struct nft_expr_type { 709 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 710 const struct nlattr * const tb[]); 711 const struct nft_expr_ops *ops; 712 struct list_head list; 713 const char *name; 714 struct module *owner; 715 const struct nla_policy *policy; 716 unsigned int maxattr; 717 u8 family; 718 u8 flags; 719 }; 720 721 #define NFT_EXPR_STATEFUL 0x1 722 #define NFT_EXPR_GC 0x2 723 724 /** 725 * struct nft_expr_ops - nf_tables expression operations 726 * 727 * @eval: Expression evaluation function 728 * @size: full expression size, including private data size 729 * @init: initialization function 730 * @activate: activate expression in the next generation 731 * @deactivate: deactivate expression in next generation 732 * @destroy: destruction function, called after synchronize_rcu 733 * @dump: function to dump parameters 734 * @type: expression type 735 * @validate: validate expression, called during loop detection 736 * @data: extra data to attach to this expression operation 737 */ 738 struct nft_expr; 739 struct nft_expr_ops { 740 void (*eval)(const struct nft_expr *expr, 741 struct nft_regs *regs, 742 const struct nft_pktinfo *pkt); 743 int (*clone)(struct nft_expr *dst, 744 const struct nft_expr *src); 745 unsigned int size; 746 747 int (*init)(const struct nft_ctx *ctx, 748 const struct nft_expr *expr, 749 const struct nlattr * const tb[]); 750 void (*activate)(const struct nft_ctx *ctx, 751 const struct nft_expr *expr); 752 void (*deactivate)(const struct nft_ctx *ctx, 753 const struct nft_expr *expr); 754 void (*destroy)(const struct nft_ctx *ctx, 755 const struct nft_expr *expr); 756 void (*destroy_clone)(const struct nft_ctx *ctx, 757 const struct nft_expr *expr); 758 int (*dump)(struct sk_buff *skb, 759 const struct nft_expr *expr); 760 int (*validate)(const struct nft_ctx *ctx, 761 const struct nft_expr *expr, 762 const struct nft_data **data); 763 bool (*gc)(struct net *net, 764 const struct nft_expr *expr); 765 const struct nft_expr_type *type; 766 void *data; 767 }; 768 769 #define NFT_EXPR_MAXATTR 16 770 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 771 ALIGN(size, __alignof__(struct nft_expr))) 772 773 /** 774 * struct nft_expr - nf_tables expression 775 * 776 * @ops: expression ops 777 * @data: expression private data 778 */ 779 struct nft_expr { 780 const struct nft_expr_ops *ops; 781 unsigned char data[]; 782 }; 783 784 static inline void *nft_expr_priv(const struct nft_expr *expr) 785 { 786 return (void *)expr->data; 787 } 788 789 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 790 const struct nlattr *nla); 791 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 792 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 793 const struct nft_expr *expr); 794 795 static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 796 { 797 int err; 798 799 if (src->ops->clone) { 800 dst->ops = src->ops; 801 err = src->ops->clone(dst, src); 802 if (err < 0) 803 return err; 804 } else { 805 memcpy(dst, src, src->ops->size); 806 } 807 808 __module_get(src->ops->type->owner); 809 return 0; 810 } 811 812 /** 813 * struct nft_rule - nf_tables rule 814 * 815 * @list: used internally 816 * @handle: rule handle 817 * @genmask: generation mask 818 * @dlen: length of expression data 819 * @udata: user data is appended to the rule 820 * @data: expression data 821 */ 822 struct nft_rule { 823 struct list_head list; 824 u64 handle:42, 825 genmask:2, 826 dlen:12, 827 udata:1; 828 unsigned char data[] 829 __attribute__((aligned(__alignof__(struct nft_expr)))); 830 }; 831 832 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 833 { 834 return (struct nft_expr *)&rule->data[0]; 835 } 836 837 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 838 { 839 return ((void *)expr) + expr->ops->size; 840 } 841 842 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 843 { 844 return (struct nft_expr *)&rule->data[rule->dlen]; 845 } 846 847 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule) 848 { 849 return (void *)&rule->data[rule->dlen]; 850 } 851 852 /* 853 * The last pointer isn't really necessary, but the compiler isn't able to 854 * determine that the result of nft_expr_last() is always the same since it 855 * can't assume that the dlen value wasn't changed within calls in the loop. 856 */ 857 #define nft_rule_for_each_expr(expr, last, rule) \ 858 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 859 (expr) != (last); \ 860 (expr) = nft_expr_next(expr)) 861 862 enum nft_chain_flags { 863 NFT_BASE_CHAIN = 0x1, 864 }; 865 866 /** 867 * struct nft_chain - nf_tables chain 868 * 869 * @rules: list of rules in the chain 870 * @list: used internally 871 * @rhlhead: used internally 872 * @table: table that this chain belongs to 873 * @handle: chain handle 874 * @use: number of jump references to this chain 875 * @flags: bitmask of enum nft_chain_flags 876 * @name: name of the chain 877 */ 878 struct nft_chain { 879 struct nft_rule *__rcu *rules_gen_0; 880 struct nft_rule *__rcu *rules_gen_1; 881 struct list_head rules; 882 struct list_head list; 883 struct rhlist_head rhlhead; 884 struct nft_table *table; 885 u64 handle; 886 u32 use; 887 u8 flags:6, 888 genmask:2; 889 char *name; 890 891 /* Only used during control plane commit phase: */ 892 struct nft_rule **rules_next; 893 }; 894 895 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain); 896 897 enum nft_chain_types { 898 NFT_CHAIN_T_DEFAULT = 0, 899 NFT_CHAIN_T_ROUTE, 900 NFT_CHAIN_T_NAT, 901 NFT_CHAIN_T_MAX 902 }; 903 904 /** 905 * struct nft_chain_type - nf_tables chain type info 906 * 907 * @name: name of the type 908 * @type: numeric identifier 909 * @family: address family 910 * @owner: module owner 911 * @hook_mask: mask of valid hooks 912 * @hooks: array of hook functions 913 * @ops_register: base chain register function 914 * @ops_unregister: base chain unregister function 915 */ 916 struct nft_chain_type { 917 const char *name; 918 enum nft_chain_types type; 919 int family; 920 struct module *owner; 921 unsigned int hook_mask; 922 nf_hookfn *hooks[NF_MAX_HOOKS]; 923 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops); 924 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops); 925 }; 926 927 int nft_chain_validate_dependency(const struct nft_chain *chain, 928 enum nft_chain_types type); 929 int nft_chain_validate_hooks(const struct nft_chain *chain, 930 unsigned int hook_flags); 931 932 struct nft_stats { 933 u64 bytes; 934 u64 pkts; 935 struct u64_stats_sync syncp; 936 }; 937 938 /** 939 * struct nft_base_chain - nf_tables base chain 940 * 941 * @ops: netfilter hook ops 942 * @type: chain type 943 * @policy: default policy 944 * @stats: per-cpu chain stats 945 * @chain: the chain 946 * @dev_name: device name that this base chain is attached to (if any) 947 */ 948 struct nft_base_chain { 949 struct nf_hook_ops ops; 950 const struct nft_chain_type *type; 951 u8 policy; 952 u8 flags; 953 struct nft_stats __percpu *stats; 954 struct nft_chain chain; 955 char dev_name[IFNAMSIZ]; 956 }; 957 958 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 959 { 960 return container_of(chain, struct nft_base_chain, chain); 961 } 962 963 static inline bool nft_is_base_chain(const struct nft_chain *chain) 964 { 965 return chain->flags & NFT_BASE_CHAIN; 966 } 967 968 int __nft_release_basechain(struct nft_ctx *ctx); 969 970 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); 971 972 /** 973 * struct nft_table - nf_tables table 974 * 975 * @list: used internally 976 * @chains_ht: chains in the table 977 * @chains: same, for stable walks 978 * @sets: sets in the table 979 * @objects: stateful objects in the table 980 * @flowtables: flow tables in the table 981 * @hgenerator: handle generator state 982 * @handle: table handle 983 * @use: number of chain references to this table 984 * @flags: table flag (see enum nft_table_flags) 985 * @genmask: generation mask 986 * @afinfo: address family info 987 * @name: name of the table 988 */ 989 struct nft_table { 990 struct list_head list; 991 struct rhltable chains_ht; 992 struct list_head chains; 993 struct list_head sets; 994 struct list_head objects; 995 struct list_head flowtables; 996 u64 hgenerator; 997 u64 handle; 998 u32 use; 999 u16 family:6, 1000 flags:8, 1001 genmask:2; 1002 char *name; 1003 }; 1004 1005 void nft_register_chain_type(const struct nft_chain_type *); 1006 void nft_unregister_chain_type(const struct nft_chain_type *); 1007 1008 int nft_register_expr(struct nft_expr_type *); 1009 void nft_unregister_expr(struct nft_expr_type *); 1010 1011 int nft_verdict_dump(struct sk_buff *skb, int type, 1012 const struct nft_verdict *v); 1013 1014 /** 1015 * struct nft_object - nf_tables stateful object 1016 * 1017 * @list: table stateful object list node 1018 * @table: table this object belongs to 1019 * @name: name of this stateful object 1020 * @genmask: generation mask 1021 * @use: number of references to this stateful object 1022 * @handle: unique object handle 1023 * @ops: object operations 1024 * @data: object data, layout depends on type 1025 */ 1026 struct nft_object { 1027 struct list_head list; 1028 char *name; 1029 struct nft_table *table; 1030 u32 genmask:2, 1031 use:30; 1032 u64 handle; 1033 /* runtime data below here */ 1034 const struct nft_object_ops *ops ____cacheline_aligned; 1035 unsigned char data[] 1036 __attribute__((aligned(__alignof__(u64)))); 1037 }; 1038 1039 static inline void *nft_obj_data(const struct nft_object *obj) 1040 { 1041 return (void *)obj->data; 1042 } 1043 1044 #define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr)) 1045 1046 struct nft_object *nft_obj_lookup(const struct nft_table *table, 1047 const struct nlattr *nla, u32 objtype, 1048 u8 genmask); 1049 1050 void nft_obj_notify(struct net *net, struct nft_table *table, 1051 struct nft_object *obj, u32 portid, u32 seq, 1052 int event, int family, int report, gfp_t gfp); 1053 1054 /** 1055 * struct nft_object_type - stateful object type 1056 * 1057 * @select_ops: function to select nft_object_ops 1058 * @ops: default ops, used when no select_ops functions is present 1059 * @list: list node in list of object types 1060 * @type: stateful object numeric type 1061 * @owner: module owner 1062 * @maxattr: maximum netlink attribute 1063 * @policy: netlink attribute policy 1064 */ 1065 struct nft_object_type { 1066 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *, 1067 const struct nlattr * const tb[]); 1068 const struct nft_object_ops *ops; 1069 struct list_head list; 1070 u32 type; 1071 unsigned int maxattr; 1072 struct module *owner; 1073 const struct nla_policy *policy; 1074 }; 1075 1076 /** 1077 * struct nft_object_ops - stateful object operations 1078 * 1079 * @eval: stateful object evaluation function 1080 * @size: stateful object size 1081 * @init: initialize object from netlink attributes 1082 * @destroy: release existing stateful object 1083 * @dump: netlink dump stateful object 1084 */ 1085 struct nft_object_ops { 1086 void (*eval)(struct nft_object *obj, 1087 struct nft_regs *regs, 1088 const struct nft_pktinfo *pkt); 1089 unsigned int size; 1090 int (*init)(const struct nft_ctx *ctx, 1091 const struct nlattr *const tb[], 1092 struct nft_object *obj); 1093 void (*destroy)(const struct nft_ctx *ctx, 1094 struct nft_object *obj); 1095 int (*dump)(struct sk_buff *skb, 1096 struct nft_object *obj, 1097 bool reset); 1098 const struct nft_object_type *type; 1099 }; 1100 1101 int nft_register_obj(struct nft_object_type *obj_type); 1102 void nft_unregister_obj(struct nft_object_type *obj_type); 1103 1104 #define NFT_FLOWTABLE_DEVICE_MAX 8 1105 1106 /** 1107 * struct nft_flowtable - nf_tables flow table 1108 * 1109 * @list: flow table list node in table list 1110 * @table: the table the flow table is contained in 1111 * @name: name of this flow table 1112 * @hooknum: hook number 1113 * @priority: hook priority 1114 * @ops_len: number of hooks in array 1115 * @genmask: generation mask 1116 * @use: number of references to this flow table 1117 * @handle: unique object handle 1118 * @dev_name: array of device names 1119 * @data: rhashtable and garbage collector 1120 * @ops: array of hooks 1121 */ 1122 struct nft_flowtable { 1123 struct list_head list; 1124 struct nft_table *table; 1125 char *name; 1126 int hooknum; 1127 int priority; 1128 int ops_len; 1129 u32 genmask:2, 1130 use:30; 1131 u64 handle; 1132 /* runtime data below here */ 1133 struct nf_hook_ops *ops ____cacheline_aligned; 1134 struct nf_flowtable data; 1135 }; 1136 1137 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 1138 const struct nlattr *nla, 1139 u8 genmask); 1140 1141 void nft_register_flowtable_type(struct nf_flowtable_type *type); 1142 void nft_unregister_flowtable_type(struct nf_flowtable_type *type); 1143 1144 /** 1145 * struct nft_traceinfo - nft tracing information and state 1146 * 1147 * @pkt: pktinfo currently processed 1148 * @basechain: base chain currently processed 1149 * @chain: chain currently processed 1150 * @rule: rule that was evaluated 1151 * @verdict: verdict given by rule 1152 * @type: event type (enum nft_trace_types) 1153 * @packet_dumped: packet headers sent in a previous traceinfo message 1154 * @trace: other struct members are initialised 1155 */ 1156 struct nft_traceinfo { 1157 const struct nft_pktinfo *pkt; 1158 const struct nft_base_chain *basechain; 1159 const struct nft_chain *chain; 1160 const struct nft_rule *rule; 1161 const struct nft_verdict *verdict; 1162 enum nft_trace_types type; 1163 bool packet_dumped; 1164 bool trace; 1165 }; 1166 1167 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt, 1168 const struct nft_verdict *verdict, 1169 const struct nft_chain *basechain); 1170 1171 void nft_trace_notify(struct nft_traceinfo *info); 1172 1173 #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 1174 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 1175 1176 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 1177 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 1178 1179 #define MODULE_ALIAS_NFT_EXPR(name) \ 1180 MODULE_ALIAS("nft-expr-" name) 1181 1182 #define MODULE_ALIAS_NFT_SET() \ 1183 MODULE_ALIAS("nft-set") 1184 1185 #define MODULE_ALIAS_NFT_OBJ(type) \ 1186 MODULE_ALIAS("nft-obj-" __stringify(type)) 1187 1188 /* 1189 * The gencursor defines two generations, the currently active and the 1190 * next one. Objects contain a bitmask of 2 bits specifying the generations 1191 * they're active in. A set bit means they're inactive in the generation 1192 * represented by that bit. 1193 * 1194 * New objects start out as inactive in the current and active in the 1195 * next generation. When committing the ruleset the bitmask is cleared, 1196 * meaning they're active in all generations. When removing an object, 1197 * it is set inactive in the next generation. After committing the ruleset, 1198 * the objects are removed. 1199 */ 1200 static inline unsigned int nft_gencursor_next(const struct net *net) 1201 { 1202 return net->nft.gencursor + 1 == 1 ? 1 : 0; 1203 } 1204 1205 static inline u8 nft_genmask_next(const struct net *net) 1206 { 1207 return 1 << nft_gencursor_next(net); 1208 } 1209 1210 static inline u8 nft_genmask_cur(const struct net *net) 1211 { 1212 /* Use READ_ONCE() to prevent refetching the value for atomicity */ 1213 return 1 << READ_ONCE(net->nft.gencursor); 1214 } 1215 1216 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1)) 1217 1218 /* 1219 * Generic transaction helpers 1220 */ 1221 1222 /* Check if this object is currently active. */ 1223 #define nft_is_active(__net, __obj) \ 1224 (((__obj)->genmask & nft_genmask_cur(__net)) == 0) 1225 1226 /* Check if this object is active in the next generation. */ 1227 #define nft_is_active_next(__net, __obj) \ 1228 (((__obj)->genmask & nft_genmask_next(__net)) == 0) 1229 1230 /* This object becomes active in the next generation. */ 1231 #define nft_activate_next(__net, __obj) \ 1232 (__obj)->genmask = nft_genmask_cur(__net) 1233 1234 /* This object becomes inactive in the next generation. */ 1235 #define nft_deactivate_next(__net, __obj) \ 1236 (__obj)->genmask = nft_genmask_next(__net) 1237 1238 /* After committing the ruleset, clear the stale generation bit. */ 1239 #define nft_clear(__net, __obj) \ 1240 (__obj)->genmask &= ~nft_genmask_next(__net) 1241 #define nft_active_genmask(__obj, __genmask) \ 1242 !((__obj)->genmask & __genmask) 1243 1244 /* 1245 * Set element transaction helpers 1246 */ 1247 1248 static inline bool nft_set_elem_active(const struct nft_set_ext *ext, 1249 u8 genmask) 1250 { 1251 return !(ext->genmask & genmask); 1252 } 1253 1254 static inline void nft_set_elem_change_active(const struct net *net, 1255 const struct nft_set *set, 1256 struct nft_set_ext *ext) 1257 { 1258 ext->genmask ^= nft_genmask_next(net); 1259 } 1260 1261 /* 1262 * We use a free bit in the genmask field to indicate the element 1263 * is busy, meaning it is currently being processed either by 1264 * the netlink API or GC. 1265 * 1266 * Even though the genmask is only a single byte wide, this works 1267 * because the extension structure if fully constant once initialized, 1268 * so there are no non-atomic write accesses unless it is already 1269 * marked busy. 1270 */ 1271 #define NFT_SET_ELEM_BUSY_MASK (1 << 2) 1272 1273 #if defined(__LITTLE_ENDIAN_BITFIELD) 1274 #define NFT_SET_ELEM_BUSY_BIT 2 1275 #elif defined(__BIG_ENDIAN_BITFIELD) 1276 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2) 1277 #else 1278 #error 1279 #endif 1280 1281 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext) 1282 { 1283 unsigned long *word = (unsigned long *)ext; 1284 1285 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0); 1286 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word); 1287 } 1288 1289 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) 1290 { 1291 unsigned long *word = (unsigned long *)ext; 1292 1293 clear_bit(NFT_SET_ELEM_BUSY_BIT, word); 1294 } 1295 1296 /** 1297 * struct nft_trans - nf_tables object update in transaction 1298 * 1299 * @list: used internally 1300 * @msg_type: message type 1301 * @put_net: ctx->net needs to be put 1302 * @ctx: transaction context 1303 * @data: internal information related to the transaction 1304 */ 1305 struct nft_trans { 1306 struct list_head list; 1307 int msg_type; 1308 bool put_net; 1309 struct nft_ctx ctx; 1310 char data[0]; 1311 }; 1312 1313 struct nft_trans_rule { 1314 struct nft_rule *rule; 1315 u32 rule_id; 1316 }; 1317 1318 #define nft_trans_rule(trans) \ 1319 (((struct nft_trans_rule *)trans->data)->rule) 1320 #define nft_trans_rule_id(trans) \ 1321 (((struct nft_trans_rule *)trans->data)->rule_id) 1322 1323 struct nft_trans_set { 1324 struct nft_set *set; 1325 u32 set_id; 1326 }; 1327 1328 #define nft_trans_set(trans) \ 1329 (((struct nft_trans_set *)trans->data)->set) 1330 #define nft_trans_set_id(trans) \ 1331 (((struct nft_trans_set *)trans->data)->set_id) 1332 1333 struct nft_trans_chain { 1334 bool update; 1335 char *name; 1336 struct nft_stats __percpu *stats; 1337 u8 policy; 1338 }; 1339 1340 #define nft_trans_chain_update(trans) \ 1341 (((struct nft_trans_chain *)trans->data)->update) 1342 #define nft_trans_chain_name(trans) \ 1343 (((struct nft_trans_chain *)trans->data)->name) 1344 #define nft_trans_chain_stats(trans) \ 1345 (((struct nft_trans_chain *)trans->data)->stats) 1346 #define nft_trans_chain_policy(trans) \ 1347 (((struct nft_trans_chain *)trans->data)->policy) 1348 1349 struct nft_trans_table { 1350 bool update; 1351 bool enable; 1352 }; 1353 1354 #define nft_trans_table_update(trans) \ 1355 (((struct nft_trans_table *)trans->data)->update) 1356 #define nft_trans_table_enable(trans) \ 1357 (((struct nft_trans_table *)trans->data)->enable) 1358 1359 struct nft_trans_elem { 1360 struct nft_set *set; 1361 struct nft_set_elem elem; 1362 }; 1363 1364 #define nft_trans_elem_set(trans) \ 1365 (((struct nft_trans_elem *)trans->data)->set) 1366 #define nft_trans_elem(trans) \ 1367 (((struct nft_trans_elem *)trans->data)->elem) 1368 1369 struct nft_trans_obj { 1370 struct nft_object *obj; 1371 }; 1372 1373 #define nft_trans_obj(trans) \ 1374 (((struct nft_trans_obj *)trans->data)->obj) 1375 1376 struct nft_trans_flowtable { 1377 struct nft_flowtable *flowtable; 1378 }; 1379 1380 #define nft_trans_flowtable(trans) \ 1381 (((struct nft_trans_flowtable *)trans->data)->flowtable) 1382 1383 int __init nft_chain_filter_init(void); 1384 void nft_chain_filter_fini(void); 1385 1386 #endif /* _NET_NF_TABLES_H */ 1387