1 #ifndef _NET_NF_TABLES_H 2 #define _NET_NF_TABLES_H 3 4 #include <linux/module.h> 5 #include <linux/list.h> 6 #include <linux/netfilter.h> 7 #include <linux/netfilter/nfnetlink.h> 8 #include <linux/netfilter/x_tables.h> 9 #include <linux/netfilter/nf_tables.h> 10 #include <linux/u64_stats_sync.h> 11 #include <net/netlink.h> 12 13 #define NFT_JUMP_STACK_SIZE 16 14 15 struct nft_pktinfo { 16 struct sk_buff *skb; 17 struct net *net; 18 const struct net_device *in; 19 const struct net_device *out; 20 u8 pf; 21 u8 hook; 22 u8 tprot; 23 /* for x_tables compatibility */ 24 struct xt_action_param xt; 25 }; 26 27 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 28 struct sk_buff *skb, 29 const struct nf_hook_state *state) 30 { 31 pkt->skb = skb; 32 pkt->net = pkt->xt.net = state->net; 33 pkt->in = pkt->xt.in = state->in; 34 pkt->out = pkt->xt.out = state->out; 35 pkt->hook = pkt->xt.hooknum = state->hook; 36 pkt->pf = pkt->xt.family = state->pf; 37 } 38 39 /** 40 * struct nft_verdict - nf_tables verdict 41 * 42 * @code: nf_tables/netfilter verdict code 43 * @chain: destination chain for NFT_JUMP/NFT_GOTO 44 */ 45 struct nft_verdict { 46 u32 code; 47 struct nft_chain *chain; 48 }; 49 50 struct nft_data { 51 union { 52 u32 data[4]; 53 struct nft_verdict verdict; 54 }; 55 } __attribute__((aligned(__alignof__(u64)))); 56 57 /** 58 * struct nft_regs - nf_tables register set 59 * 60 * @data: data registers 61 * @verdict: verdict register 62 * 63 * The first four data registers alias to the verdict register. 64 */ 65 struct nft_regs { 66 union { 67 u32 data[20]; 68 struct nft_verdict verdict; 69 }; 70 }; 71 72 static inline void nft_data_copy(u32 *dst, const struct nft_data *src, 73 unsigned int len) 74 { 75 memcpy(dst, src, len); 76 } 77 78 static inline void nft_data_debug(const struct nft_data *data) 79 { 80 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", 81 data->data[0], data->data[1], 82 data->data[2], data->data[3]); 83 } 84 85 /** 86 * struct nft_ctx - nf_tables rule/set context 87 * 88 * @net: net namespace 89 * @afi: address family info 90 * @table: the table the chain is contained in 91 * @chain: the chain the rule is contained in 92 * @nla: netlink attributes 93 * @portid: netlink portID of the original message 94 * @seq: netlink sequence number 95 * @report: notify via unicast netlink message 96 */ 97 struct nft_ctx { 98 struct net *net; 99 struct nft_af_info *afi; 100 struct nft_table *table; 101 struct nft_chain *chain; 102 const struct nlattr * const *nla; 103 u32 portid; 104 u32 seq; 105 bool report; 106 }; 107 108 struct nft_data_desc { 109 enum nft_data_types type; 110 unsigned int len; 111 }; 112 113 int nft_data_init(const struct nft_ctx *ctx, 114 struct nft_data *data, unsigned int size, 115 struct nft_data_desc *desc, const struct nlattr *nla); 116 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type); 117 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 118 enum nft_data_types type, unsigned int len); 119 120 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 121 { 122 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 123 } 124 125 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 126 { 127 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE; 128 } 129 130 unsigned int nft_parse_register(const struct nlattr *attr); 131 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg); 132 133 int nft_validate_register_load(enum nft_registers reg, unsigned int len); 134 int nft_validate_register_store(const struct nft_ctx *ctx, 135 enum nft_registers reg, 136 const struct nft_data *data, 137 enum nft_data_types type, unsigned int len); 138 139 /** 140 * struct nft_userdata - user defined data associated with an object 141 * 142 * @len: length of the data 143 * @data: content 144 * 145 * The presence of user data is indicated in an object specific fashion, 146 * so a length of zero can't occur and the value "len" indicates data 147 * of length len + 1. 148 */ 149 struct nft_userdata { 150 u8 len; 151 unsigned char data[0]; 152 }; 153 154 /** 155 * struct nft_set_elem - generic representation of set elements 156 * 157 * @key: element key 158 * @priv: element private data and extensions 159 */ 160 struct nft_set_elem { 161 union { 162 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 163 struct nft_data val; 164 } key; 165 void *priv; 166 }; 167 168 struct nft_set; 169 struct nft_set_iter { 170 unsigned int count; 171 unsigned int skip; 172 int err; 173 int (*fn)(const struct nft_ctx *ctx, 174 const struct nft_set *set, 175 const struct nft_set_iter *iter, 176 const struct nft_set_elem *elem); 177 }; 178 179 /** 180 * struct nft_set_desc - description of set elements 181 * 182 * @klen: key length 183 * @dlen: data length 184 * @size: number of set elements 185 */ 186 struct nft_set_desc { 187 unsigned int klen; 188 unsigned int dlen; 189 unsigned int size; 190 }; 191 192 /** 193 * enum nft_set_class - performance class 194 * 195 * @NFT_LOOKUP_O_1: constant, O(1) 196 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 197 * @NFT_LOOKUP_O_N: linear, O(N) 198 */ 199 enum nft_set_class { 200 NFT_SET_CLASS_O_1, 201 NFT_SET_CLASS_O_LOG_N, 202 NFT_SET_CLASS_O_N, 203 }; 204 205 /** 206 * struct nft_set_estimate - estimation of memory and performance 207 * characteristics 208 * 209 * @size: required memory 210 * @class: lookup performance class 211 */ 212 struct nft_set_estimate { 213 unsigned int size; 214 enum nft_set_class class; 215 }; 216 217 struct nft_set_ext; 218 struct nft_expr; 219 220 /** 221 * struct nft_set_ops - nf_tables set operations 222 * 223 * @lookup: look up an element within the set 224 * @insert: insert new element into set 225 * @activate: activate new element in the next generation 226 * @deactivate: deactivate element in the next generation 227 * @remove: remove element from set 228 * @walk: iterate over all set elemeennts 229 * @privsize: function to return size of set private data 230 * @init: initialize private data of new set instance 231 * @destroy: destroy private data of set instance 232 * @list: nf_tables_set_ops list node 233 * @owner: module reference 234 * @elemsize: element private size 235 * @features: features supported by the implementation 236 */ 237 struct nft_set_ops { 238 bool (*lookup)(const struct nft_set *set, 239 const u32 *key, 240 const struct nft_set_ext **ext); 241 bool (*update)(struct nft_set *set, 242 const u32 *key, 243 void *(*new)(struct nft_set *, 244 const struct nft_expr *, 245 struct nft_regs *), 246 const struct nft_expr *expr, 247 struct nft_regs *regs, 248 const struct nft_set_ext **ext); 249 250 int (*insert)(const struct nft_set *set, 251 const struct nft_set_elem *elem); 252 void (*activate)(const struct nft_set *set, 253 const struct nft_set_elem *elem); 254 void * (*deactivate)(const struct nft_set *set, 255 const struct nft_set_elem *elem); 256 void (*remove)(const struct nft_set *set, 257 const struct nft_set_elem *elem); 258 void (*walk)(const struct nft_ctx *ctx, 259 const struct nft_set *set, 260 struct nft_set_iter *iter); 261 262 unsigned int (*privsize)(const struct nlattr * const nla[]); 263 bool (*estimate)(const struct nft_set_desc *desc, 264 u32 features, 265 struct nft_set_estimate *est); 266 int (*init)(const struct nft_set *set, 267 const struct nft_set_desc *desc, 268 const struct nlattr * const nla[]); 269 void (*destroy)(const struct nft_set *set); 270 271 struct list_head list; 272 struct module *owner; 273 unsigned int elemsize; 274 u32 features; 275 }; 276 277 int nft_register_set(struct nft_set_ops *ops); 278 void nft_unregister_set(struct nft_set_ops *ops); 279 280 /** 281 * struct nft_set - nf_tables set instance 282 * 283 * @list: table set list node 284 * @bindings: list of set bindings 285 * @name: name of the set 286 * @ktype: key type (numeric type defined by userspace, not used in the kernel) 287 * @dtype: data type (verdict or numeric type defined by userspace) 288 * @size: maximum set size 289 * @nelems: number of elements 290 * @ndeact: number of deactivated elements queued for removal 291 * @timeout: default timeout value in msecs 292 * @gc_int: garbage collection interval in msecs 293 * @policy: set parameterization (see enum nft_set_policies) 294 * @udlen: user data length 295 * @udata: user data 296 * @ops: set ops 297 * @pnet: network namespace 298 * @flags: set flags 299 * @klen: key length 300 * @dlen: data length 301 * @data: private set data 302 */ 303 struct nft_set { 304 struct list_head list; 305 struct list_head bindings; 306 char name[IFNAMSIZ]; 307 u32 ktype; 308 u32 dtype; 309 u32 size; 310 atomic_t nelems; 311 u32 ndeact; 312 u64 timeout; 313 u32 gc_int; 314 u16 policy; 315 u16 udlen; 316 unsigned char *udata; 317 /* runtime data below here */ 318 const struct nft_set_ops *ops ____cacheline_aligned; 319 possible_net_t pnet; 320 u16 flags; 321 u8 klen; 322 u8 dlen; 323 unsigned char data[] 324 __attribute__((aligned(__alignof__(u64)))); 325 }; 326 327 static inline void *nft_set_priv(const struct nft_set *set) 328 { 329 return (void *)set->data; 330 } 331 332 static inline struct nft_set *nft_set_container_of(const void *priv) 333 { 334 return (void *)priv - offsetof(struct nft_set, data); 335 } 336 337 struct nft_set *nf_tables_set_lookup(const struct nft_table *table, 338 const struct nlattr *nla); 339 struct nft_set *nf_tables_set_lookup_byid(const struct net *net, 340 const struct nlattr *nla); 341 342 static inline unsigned long nft_set_gc_interval(const struct nft_set *set) 343 { 344 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ; 345 } 346 347 /** 348 * struct nft_set_binding - nf_tables set binding 349 * 350 * @list: set bindings list node 351 * @chain: chain containing the rule bound to the set 352 * @flags: set action flags 353 * 354 * A set binding contains all information necessary for validation 355 * of new elements added to a bound set. 356 */ 357 struct nft_set_binding { 358 struct list_head list; 359 const struct nft_chain *chain; 360 u32 flags; 361 }; 362 363 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 364 struct nft_set_binding *binding); 365 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 366 struct nft_set_binding *binding); 367 368 /** 369 * enum nft_set_extensions - set extension type IDs 370 * 371 * @NFT_SET_EXT_KEY: element key 372 * @NFT_SET_EXT_DATA: mapping data 373 * @NFT_SET_EXT_FLAGS: element flags 374 * @NFT_SET_EXT_TIMEOUT: element timeout 375 * @NFT_SET_EXT_EXPIRATION: element expiration time 376 * @NFT_SET_EXT_USERDATA: user data associated with the element 377 * @NFT_SET_EXT_EXPR: expression assiociated with the element 378 * @NFT_SET_EXT_NUM: number of extension types 379 */ 380 enum nft_set_extensions { 381 NFT_SET_EXT_KEY, 382 NFT_SET_EXT_DATA, 383 NFT_SET_EXT_FLAGS, 384 NFT_SET_EXT_TIMEOUT, 385 NFT_SET_EXT_EXPIRATION, 386 NFT_SET_EXT_USERDATA, 387 NFT_SET_EXT_EXPR, 388 NFT_SET_EXT_NUM 389 }; 390 391 /** 392 * struct nft_set_ext_type - set extension type 393 * 394 * @len: fixed part length of the extension 395 * @align: alignment requirements of the extension 396 */ 397 struct nft_set_ext_type { 398 u8 len; 399 u8 align; 400 }; 401 402 extern const struct nft_set_ext_type nft_set_ext_types[]; 403 404 /** 405 * struct nft_set_ext_tmpl - set extension template 406 * 407 * @len: length of extension area 408 * @offset: offsets of individual extension types 409 */ 410 struct nft_set_ext_tmpl { 411 u16 len; 412 u8 offset[NFT_SET_EXT_NUM]; 413 }; 414 415 /** 416 * struct nft_set_ext - set extensions 417 * 418 * @genmask: generation mask 419 * @offset: offsets of individual extension types 420 * @data: beginning of extension data 421 */ 422 struct nft_set_ext { 423 u8 genmask; 424 u8 offset[NFT_SET_EXT_NUM]; 425 char data[0]; 426 }; 427 428 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) 429 { 430 memset(tmpl, 0, sizeof(*tmpl)); 431 tmpl->len = sizeof(struct nft_set_ext); 432 } 433 434 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id, 435 unsigned int len) 436 { 437 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align); 438 BUG_ON(tmpl->len > U8_MAX); 439 tmpl->offset[id] = tmpl->len; 440 tmpl->len += nft_set_ext_types[id].len + len; 441 } 442 443 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id) 444 { 445 nft_set_ext_add_length(tmpl, id, 0); 446 } 447 448 static inline void nft_set_ext_init(struct nft_set_ext *ext, 449 const struct nft_set_ext_tmpl *tmpl) 450 { 451 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset)); 452 } 453 454 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 455 { 456 return !!ext->offset[id]; 457 } 458 459 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 460 { 461 return ext && __nft_set_ext_exists(ext, id); 462 } 463 464 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id) 465 { 466 return (void *)ext + ext->offset[id]; 467 } 468 469 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext) 470 { 471 return nft_set_ext(ext, NFT_SET_EXT_KEY); 472 } 473 474 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext) 475 { 476 return nft_set_ext(ext, NFT_SET_EXT_DATA); 477 } 478 479 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext) 480 { 481 return nft_set_ext(ext, NFT_SET_EXT_FLAGS); 482 } 483 484 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext) 485 { 486 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT); 487 } 488 489 static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext) 490 { 491 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION); 492 } 493 494 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext) 495 { 496 return nft_set_ext(ext, NFT_SET_EXT_USERDATA); 497 } 498 499 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext) 500 { 501 return nft_set_ext(ext, NFT_SET_EXT_EXPR); 502 } 503 504 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) 505 { 506 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && 507 time_is_before_eq_jiffies(*nft_set_ext_expiration(ext)); 508 } 509 510 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, 511 void *elem) 512 { 513 return elem + set->ops->elemsize; 514 } 515 516 void *nft_set_elem_init(const struct nft_set *set, 517 const struct nft_set_ext_tmpl *tmpl, 518 const u32 *key, const u32 *data, 519 u64 timeout, gfp_t gfp); 520 void nft_set_elem_destroy(const struct nft_set *set, void *elem); 521 522 /** 523 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch 524 * 525 * @rcu: rcu head 526 * @set: set the elements belong to 527 * @cnt: count of elements 528 */ 529 struct nft_set_gc_batch_head { 530 struct rcu_head rcu; 531 const struct nft_set *set; 532 unsigned int cnt; 533 }; 534 535 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \ 536 sizeof(struct nft_set_gc_batch_head)) / \ 537 sizeof(void *)) 538 539 /** 540 * struct nft_set_gc_batch - nf_tables set garbage collection batch 541 * 542 * @head: GC batch head 543 * @elems: garbage collection elements 544 */ 545 struct nft_set_gc_batch { 546 struct nft_set_gc_batch_head head; 547 void *elems[NFT_SET_GC_BATCH_SIZE]; 548 }; 549 550 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 551 gfp_t gfp); 552 void nft_set_gc_batch_release(struct rcu_head *rcu); 553 554 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb) 555 { 556 if (gcb != NULL) 557 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release); 558 } 559 560 static inline struct nft_set_gc_batch * 561 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb, 562 gfp_t gfp) 563 { 564 if (gcb != NULL) { 565 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems)) 566 return gcb; 567 nft_set_gc_batch_complete(gcb); 568 } 569 return nft_set_gc_batch_alloc(set, gfp); 570 } 571 572 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, 573 void *elem) 574 { 575 gcb->elems[gcb->head.cnt++] = elem; 576 } 577 578 /** 579 * struct nft_expr_type - nf_tables expression type 580 * 581 * @select_ops: function to select nft_expr_ops 582 * @ops: default ops, used when no select_ops functions is present 583 * @list: used internally 584 * @name: Identifier 585 * @owner: module reference 586 * @policy: netlink attribute policy 587 * @maxattr: highest netlink attribute number 588 * @family: address family for AF-specific types 589 * @flags: expression type flags 590 */ 591 struct nft_expr_type { 592 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 593 const struct nlattr * const tb[]); 594 const struct nft_expr_ops *ops; 595 struct list_head list; 596 const char *name; 597 struct module *owner; 598 const struct nla_policy *policy; 599 unsigned int maxattr; 600 u8 family; 601 u8 flags; 602 }; 603 604 #define NFT_EXPR_STATEFUL 0x1 605 606 /** 607 * struct nft_expr_ops - nf_tables expression operations 608 * 609 * @eval: Expression evaluation function 610 * @size: full expression size, including private data size 611 * @init: initialization function 612 * @destroy: destruction function 613 * @dump: function to dump parameters 614 * @type: expression type 615 * @validate: validate expression, called during loop detection 616 * @data: extra data to attach to this expression operation 617 */ 618 struct nft_expr; 619 struct nft_expr_ops { 620 void (*eval)(const struct nft_expr *expr, 621 struct nft_regs *regs, 622 const struct nft_pktinfo *pkt); 623 int (*clone)(struct nft_expr *dst, 624 const struct nft_expr *src); 625 unsigned int size; 626 627 int (*init)(const struct nft_ctx *ctx, 628 const struct nft_expr *expr, 629 const struct nlattr * const tb[]); 630 void (*destroy)(const struct nft_ctx *ctx, 631 const struct nft_expr *expr); 632 int (*dump)(struct sk_buff *skb, 633 const struct nft_expr *expr); 634 int (*validate)(const struct nft_ctx *ctx, 635 const struct nft_expr *expr, 636 const struct nft_data **data); 637 const struct nft_expr_type *type; 638 void *data; 639 }; 640 641 #define NFT_EXPR_MAXATTR 16 642 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 643 ALIGN(size, __alignof__(struct nft_expr))) 644 645 /** 646 * struct nft_expr - nf_tables expression 647 * 648 * @ops: expression ops 649 * @data: expression private data 650 */ 651 struct nft_expr { 652 const struct nft_expr_ops *ops; 653 unsigned char data[]; 654 }; 655 656 static inline void *nft_expr_priv(const struct nft_expr *expr) 657 { 658 return (void *)expr->data; 659 } 660 661 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 662 const struct nlattr *nla); 663 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 664 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 665 const struct nft_expr *expr); 666 667 static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 668 { 669 int err; 670 671 __module_get(src->ops->type->owner); 672 if (src->ops->clone) { 673 dst->ops = src->ops; 674 err = src->ops->clone(dst, src); 675 if (err < 0) 676 return err; 677 } else { 678 memcpy(dst, src, src->ops->size); 679 } 680 return 0; 681 } 682 683 /** 684 * struct nft_rule - nf_tables rule 685 * 686 * @list: used internally 687 * @handle: rule handle 688 * @genmask: generation mask 689 * @dlen: length of expression data 690 * @udata: user data is appended to the rule 691 * @data: expression data 692 */ 693 struct nft_rule { 694 struct list_head list; 695 u64 handle:42, 696 genmask:2, 697 dlen:12, 698 udata:1; 699 unsigned char data[] 700 __attribute__((aligned(__alignof__(struct nft_expr)))); 701 }; 702 703 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 704 { 705 return (struct nft_expr *)&rule->data[0]; 706 } 707 708 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 709 { 710 return ((void *)expr) + expr->ops->size; 711 } 712 713 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 714 { 715 return (struct nft_expr *)&rule->data[rule->dlen]; 716 } 717 718 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule) 719 { 720 return (void *)&rule->data[rule->dlen]; 721 } 722 723 /* 724 * The last pointer isn't really necessary, but the compiler isn't able to 725 * determine that the result of nft_expr_last() is always the same since it 726 * can't assume that the dlen value wasn't changed within calls in the loop. 727 */ 728 #define nft_rule_for_each_expr(expr, last, rule) \ 729 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 730 (expr) != (last); \ 731 (expr) = nft_expr_next(expr)) 732 733 enum nft_chain_flags { 734 NFT_BASE_CHAIN = 0x1, 735 NFT_CHAIN_INACTIVE = 0x2, 736 }; 737 738 /** 739 * struct nft_chain - nf_tables chain 740 * 741 * @rules: list of rules in the chain 742 * @list: used internally 743 * @table: table that this chain belongs to 744 * @handle: chain handle 745 * @use: number of jump references to this chain 746 * @level: length of longest path to this chain 747 * @flags: bitmask of enum nft_chain_flags 748 * @name: name of the chain 749 */ 750 struct nft_chain { 751 struct list_head rules; 752 struct list_head list; 753 struct nft_table *table; 754 u64 handle; 755 u32 use; 756 u16 level; 757 u8 flags; 758 char name[NFT_CHAIN_MAXNAMELEN]; 759 }; 760 761 enum nft_chain_type { 762 NFT_CHAIN_T_DEFAULT = 0, 763 NFT_CHAIN_T_ROUTE, 764 NFT_CHAIN_T_NAT, 765 NFT_CHAIN_T_MAX 766 }; 767 768 /** 769 * struct nf_chain_type - nf_tables chain type info 770 * 771 * @name: name of the type 772 * @type: numeric identifier 773 * @family: address family 774 * @owner: module owner 775 * @hook_mask: mask of valid hooks 776 * @hooks: hookfn overrides 777 */ 778 struct nf_chain_type { 779 const char *name; 780 enum nft_chain_type type; 781 int family; 782 struct module *owner; 783 unsigned int hook_mask; 784 nf_hookfn *hooks[NF_MAX_HOOKS]; 785 }; 786 787 int nft_chain_validate_dependency(const struct nft_chain *chain, 788 enum nft_chain_type type); 789 int nft_chain_validate_hooks(const struct nft_chain *chain, 790 unsigned int hook_flags); 791 792 struct nft_stats { 793 u64 bytes; 794 u64 pkts; 795 struct u64_stats_sync syncp; 796 }; 797 798 #define NFT_HOOK_OPS_MAX 2 799 #define NFT_BASECHAIN_DISABLED (1 << 0) 800 801 /** 802 * struct nft_base_chain - nf_tables base chain 803 * 804 * @ops: netfilter hook ops 805 * @pnet: net namespace that this chain belongs to 806 * @type: chain type 807 * @policy: default policy 808 * @stats: per-cpu chain stats 809 * @chain: the chain 810 * @dev_name: device name that this base chain is attached to (if any) 811 */ 812 struct nft_base_chain { 813 struct nf_hook_ops ops[NFT_HOOK_OPS_MAX]; 814 possible_net_t pnet; 815 const struct nf_chain_type *type; 816 u8 policy; 817 u8 flags; 818 struct nft_stats __percpu *stats; 819 struct nft_chain chain; 820 char dev_name[IFNAMSIZ]; 821 }; 822 823 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 824 { 825 return container_of(chain, struct nft_base_chain, chain); 826 } 827 828 int __nft_release_basechain(struct nft_ctx *ctx); 829 830 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); 831 832 /** 833 * struct nft_table - nf_tables table 834 * 835 * @list: used internally 836 * @chains: chains in the table 837 * @sets: sets in the table 838 * @hgenerator: handle generator state 839 * @use: number of chain references to this table 840 * @flags: table flag (see enum nft_table_flags) 841 * @name: name of the table 842 */ 843 struct nft_table { 844 struct list_head list; 845 struct list_head chains; 846 struct list_head sets; 847 u64 hgenerator; 848 u32 use; 849 u16 flags; 850 char name[NFT_TABLE_MAXNAMELEN]; 851 }; 852 853 enum nft_af_flags { 854 NFT_AF_NEEDS_DEV = (1 << 0), 855 }; 856 857 /** 858 * struct nft_af_info - nf_tables address family info 859 * 860 * @list: used internally 861 * @family: address family 862 * @nhooks: number of hooks in this family 863 * @owner: module owner 864 * @tables: used internally 865 * @flags: family flags 866 * @nops: number of hook ops in this family 867 * @hook_ops_init: initialization function for chain hook ops 868 * @hooks: hookfn overrides for packet validation 869 */ 870 struct nft_af_info { 871 struct list_head list; 872 int family; 873 unsigned int nhooks; 874 struct module *owner; 875 struct list_head tables; 876 u32 flags; 877 unsigned int nops; 878 void (*hook_ops_init)(struct nf_hook_ops *, 879 unsigned int); 880 nf_hookfn *hooks[NF_MAX_HOOKS]; 881 }; 882 883 int nft_register_afinfo(struct net *, struct nft_af_info *); 884 void nft_unregister_afinfo(struct net *, struct nft_af_info *); 885 886 int nft_register_chain_type(const struct nf_chain_type *); 887 void nft_unregister_chain_type(const struct nf_chain_type *); 888 889 int nft_register_expr(struct nft_expr_type *); 890 void nft_unregister_expr(struct nft_expr_type *); 891 892 int nft_verdict_dump(struct sk_buff *skb, int type, 893 const struct nft_verdict *v); 894 895 /** 896 * struct nft_traceinfo - nft tracing information and state 897 * 898 * @pkt: pktinfo currently processed 899 * @basechain: base chain currently processed 900 * @chain: chain currently processed 901 * @rule: rule that was evaluated 902 * @verdict: verdict given by rule 903 * @type: event type (enum nft_trace_types) 904 * @packet_dumped: packet headers sent in a previous traceinfo message 905 * @trace: other struct members are initialised 906 */ 907 struct nft_traceinfo { 908 const struct nft_pktinfo *pkt; 909 const struct nft_base_chain *basechain; 910 const struct nft_chain *chain; 911 const struct nft_rule *rule; 912 const struct nft_verdict *verdict; 913 enum nft_trace_types type; 914 bool packet_dumped; 915 bool trace; 916 }; 917 918 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt, 919 const struct nft_verdict *verdict, 920 const struct nft_chain *basechain); 921 922 void nft_trace_notify(struct nft_traceinfo *info); 923 924 #define nft_dereference(p) \ 925 nfnl_dereference(p, NFNL_SUBSYS_NFTABLES) 926 927 #define MODULE_ALIAS_NFT_FAMILY(family) \ 928 MODULE_ALIAS("nft-afinfo-" __stringify(family)) 929 930 #define MODULE_ALIAS_NFT_CHAIN(family, name) \ 931 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 932 933 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 934 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 935 936 #define MODULE_ALIAS_NFT_EXPR(name) \ 937 MODULE_ALIAS("nft-expr-" name) 938 939 #define MODULE_ALIAS_NFT_SET() \ 940 MODULE_ALIAS("nft-set") 941 942 /* 943 * The gencursor defines two generations, the currently active and the 944 * next one. Objects contain a bitmask of 2 bits specifying the generations 945 * they're active in. A set bit means they're inactive in the generation 946 * represented by that bit. 947 * 948 * New objects start out as inactive in the current and active in the 949 * next generation. When committing the ruleset the bitmask is cleared, 950 * meaning they're active in all generations. When removing an object, 951 * it is set inactive in the next generation. After committing the ruleset, 952 * the objects are removed. 953 */ 954 static inline unsigned int nft_gencursor_next(const struct net *net) 955 { 956 return net->nft.gencursor + 1 == 1 ? 1 : 0; 957 } 958 959 static inline u8 nft_genmask_next(const struct net *net) 960 { 961 return 1 << nft_gencursor_next(net); 962 } 963 964 static inline u8 nft_genmask_cur(const struct net *net) 965 { 966 /* Use ACCESS_ONCE() to prevent refetching the value for atomicity */ 967 return 1 << ACCESS_ONCE(net->nft.gencursor); 968 } 969 970 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1)) 971 972 /* 973 * Set element transaction helpers 974 */ 975 976 static inline bool nft_set_elem_active(const struct nft_set_ext *ext, 977 u8 genmask) 978 { 979 return !(ext->genmask & genmask); 980 } 981 982 static inline void nft_set_elem_change_active(const struct nft_set *set, 983 struct nft_set_ext *ext) 984 { 985 ext->genmask ^= nft_genmask_next(read_pnet(&set->pnet)); 986 } 987 988 /* 989 * We use a free bit in the genmask field to indicate the element 990 * is busy, meaning it is currently being processed either by 991 * the netlink API or GC. 992 * 993 * Even though the genmask is only a single byte wide, this works 994 * because the extension structure if fully constant once initialized, 995 * so there are no non-atomic write accesses unless it is already 996 * marked busy. 997 */ 998 #define NFT_SET_ELEM_BUSY_MASK (1 << 2) 999 1000 #if defined(__LITTLE_ENDIAN_BITFIELD) 1001 #define NFT_SET_ELEM_BUSY_BIT 2 1002 #elif defined(__BIG_ENDIAN_BITFIELD) 1003 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2) 1004 #else 1005 #error 1006 #endif 1007 1008 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext) 1009 { 1010 unsigned long *word = (unsigned long *)ext; 1011 1012 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0); 1013 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word); 1014 } 1015 1016 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) 1017 { 1018 unsigned long *word = (unsigned long *)ext; 1019 1020 clear_bit(NFT_SET_ELEM_BUSY_BIT, word); 1021 } 1022 1023 /** 1024 * struct nft_trans - nf_tables object update in transaction 1025 * 1026 * @list: used internally 1027 * @msg_type: message type 1028 * @ctx: transaction context 1029 * @data: internal information related to the transaction 1030 */ 1031 struct nft_trans { 1032 struct list_head list; 1033 int msg_type; 1034 struct nft_ctx ctx; 1035 char data[0]; 1036 }; 1037 1038 struct nft_trans_rule { 1039 struct nft_rule *rule; 1040 }; 1041 1042 #define nft_trans_rule(trans) \ 1043 (((struct nft_trans_rule *)trans->data)->rule) 1044 1045 struct nft_trans_set { 1046 struct nft_set *set; 1047 u32 set_id; 1048 }; 1049 1050 #define nft_trans_set(trans) \ 1051 (((struct nft_trans_set *)trans->data)->set) 1052 #define nft_trans_set_id(trans) \ 1053 (((struct nft_trans_set *)trans->data)->set_id) 1054 1055 struct nft_trans_chain { 1056 bool update; 1057 char name[NFT_CHAIN_MAXNAMELEN]; 1058 struct nft_stats __percpu *stats; 1059 u8 policy; 1060 }; 1061 1062 #define nft_trans_chain_update(trans) \ 1063 (((struct nft_trans_chain *)trans->data)->update) 1064 #define nft_trans_chain_name(trans) \ 1065 (((struct nft_trans_chain *)trans->data)->name) 1066 #define nft_trans_chain_stats(trans) \ 1067 (((struct nft_trans_chain *)trans->data)->stats) 1068 #define nft_trans_chain_policy(trans) \ 1069 (((struct nft_trans_chain *)trans->data)->policy) 1070 1071 struct nft_trans_table { 1072 bool update; 1073 bool enable; 1074 }; 1075 1076 #define nft_trans_table_update(trans) \ 1077 (((struct nft_trans_table *)trans->data)->update) 1078 #define nft_trans_table_enable(trans) \ 1079 (((struct nft_trans_table *)trans->data)->enable) 1080 1081 struct nft_trans_elem { 1082 struct nft_set *set; 1083 struct nft_set_elem elem; 1084 }; 1085 1086 #define nft_trans_elem_set(trans) \ 1087 (((struct nft_trans_elem *)trans->data)->set) 1088 #define nft_trans_elem(trans) \ 1089 (((struct nft_trans_elem *)trans->data)->elem) 1090 1091 #endif /* _NET_NF_TABLES_H */ 1092