/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NET_NF_TABLES_CORE_H
#define _NET_NF_TABLES_CORE_H

#include <net/netfilter/nf_tables.h>
#include <linux/indirect_call_wrapper.h>

/* Expression type descriptors; declared here, defined in other files. */
extern struct nft_expr_type nft_imm_type;
extern struct nft_expr_type nft_cmp_type;
extern struct nft_expr_type nft_counter_type;
extern struct nft_expr_type nft_lookup_type;
extern struct nft_expr_type nft_bitwise_type;
extern struct nft_expr_type nft_byteorder_type;
extern struct nft_expr_type nft_payload_type;
extern struct nft_expr_type nft_dynset_type;
extern struct nft_expr_type nft_range_type;
extern struct nft_expr_type nft_meta_type;
extern struct nft_expr_type nft_rt_type;
extern struct nft_expr_type nft_exthdr_type;
extern struct nft_expr_type nft_last_type;

/* Object type descriptors. The secmark one is only declared when
 * CONFIG_NETWORK_SECMARK is set, so any user must sit under the same #ifdef.
 */
#ifdef CONFIG_NETWORK_SECMARK
extern struct nft_object_type nft_secmark_obj_type;
#endif
extern struct nft_object_type nft_counter_obj_type;

int nf_tables_core_module_init(void);
void nf_tables_core_module_exit(void);

/* Private data of the "fast" bitwise expression.
 * NOTE(review): sreg/dreg look like source/destination register indices;
 * nothing in this header bounds them - confirm where they are validated.
 */
struct nft_bitwise_fast_expr {
	u32	mask;
	u32	xor;
	u8	sreg;
	u8	dreg;
};

/* Private data of the "fast" compare expression. The width of the u32 data
 * field is what nft_cmp_fast_mask() uses as the full width of the mask.
 */
struct nft_cmp_fast_expr {
	u32	data;
	u32	mask;
	u8	sreg;
	u8	len;
	bool	inv;
};

/* Same field set as nft_cmp_fast_expr, with struct nft_data operands instead
 * of u32 ones.
 */
struct nft_cmp16_fast_expr {
	struct nft_data	data;
	struct nft_data	mask;
	u8		sreg;
	u8		len;
	bool		inv;
};

/* Private data of the immediate expression.
 * NOTE(review): dlen is presumably the length of the data stored to dreg -
 * confirm against the evaluation code.
 */
struct nft_immediate_expr {
	struct nft_data	data;
	u8		dreg;
	u8		dlen;
};

/* Build the mask used by the nft_cmp_fast expression for a comparison of
 * @len bits. On big endian the mask has to cover the *upper* bytes when the
 * data is interpreted as something smaller than the full u32, which is why
 * the result goes through cpu_to_le32().
 *
 * The shift count is (width of nft_cmp_fast_expr.data in bits) - @len and is
 * not range-checked here. @len == 0 gives a shift by the full width of the
 * operand, which is undefined behaviour in C, and a @len larger than that
 * width makes the subtraction wrap. Callers therefore have to guarantee
 * 0 < @len <= width of the data field before calling - confirm that every
 * call site validates the length first.
 */
static inline u32 nft_cmp_fast_mask(unsigned int len)
{
	const size_t data_bits =
		sizeof_field(struct nft_cmp_fast_expr, data) * BITS_PER_BYTE;

	return cpu_to_le32(~0U >> (data_bits - len));
}

extern const struct nft_expr_ops nft_cmp_fast_ops;
extern const struct nft_expr_ops nft_cmp16_fast_ops;

/* Private data of the payload load expression. base is stored as an 8-bit
 * bit-field and offset/len are u8, so none of them can represent a value
 * above 255.
 * NOTE(review): a wider value has to be range-checked before it is narrowed
 * into these fields - confirm that this happens where they are filled in.
 */
struct nft_payload {
	enum nft_payload_bases	base:8;
	u8			offset;
	u8			len;
	u8			dreg;
};

/* Private data of the payload store expression: the same u8 base/offset/len
 * limits as struct nft_payload apply, plus three u8 checksum fields.
 */
struct nft_payload_set {
	enum nft_payload_bases	base:8;
	u8			offset;
	u8			len;
	u8			sreg;
	u8			csum_type;
	u8			csum_offset;
	u8			csum_flags;
};

extern const struct nft_expr_ops nft_payload_fast_ops;

extern const struct nft_expr_ops nft_bitwise_fast_ops;

extern struct static_key_false nft_counters_enabled;
extern struct static_key_false nft_trace_enabled;

/* Set backend type descriptors. */
extern const struct nft_set_type nft_set_rhash_type;
extern const struct nft_set_type nft_set_hash_type;
extern const struct nft_set_type nft_set_hash_fast_type;
extern const struct nft_set_type nft_set_rbtree_type;
extern const struct nft_set_type nft_set_bitmap_type;
extern const struct nft_set_type nft_set_pipapo_type;
extern const struct nft_set_type nft_set_pipapo_avx2_type;

/* With CONFIG_RETPOLINE the per-backend lookup functions are declared and
 * nft_set_do_lookup() is an out-of-line function; without it,
 * nft_set_do_lookup() is the inline below that calls through the
 * set->ops->lookup pointer.
 * NOTE(review): presumably the out-of-line version calls the backends listed
 * here directly so the hot path avoids a retpoline-thunked indirect call -
 * confirm in the file that defines it.
 */
#ifdef CONFIG_RETPOLINE
bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,
		      const u32 *key, const struct nft_set_ext **ext);
bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
		       const u32 *key, const struct nft_set_ext **ext);
bool nft_bitmap_lookup(const struct net *net, const struct nft_set *set,
		       const u32 *key, const struct nft_set_ext **ext);
bool nft_hash_lookup_fast(const struct net *net,
			  const struct nft_set *set,
			  const u32 *key, const struct nft_set_ext **ext);
bool nft_hash_lookup(const struct net *net, const struct nft_set *set,
		     const u32 *key, const struct nft_set_ext **ext);
bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		       const u32 *key, const struct nft_set_ext **ext);
#else
/* Look @key up in @set through the backend's lookup callback and return its
 * result. @set and @set->ops are dereferenced without a NULL check, so the
 * caller must pass a set whose ops are populated.
 */
static inline bool
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		  const u32 *key, const struct nft_set_ext **ext)
{
	return set->ops->lookup(net, set, key, ext);
}
#endif

/* called from nft_pipapo_avx2.c */
bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
		       const u32 *key, const struct nft_set_ext **ext);
/* called from nft_set_pipapo.c */
bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
			    const u32 *key, const struct nft_set_ext **ext);

void nft_counter_init_seqcount(void);

/* Forward declarations: the prototypes below only need pointers to these. */
struct nft_expr;
struct nft_regs;
struct nft_pktinfo;

/* Per-expression evaluation functions; every one takes the expression, the
 * register set and the packet info.
 * NOTE(review): presumably declared here so the core evaluation loop can
 * call them directly instead of through an ops pointer - confirm at the
 * call site.
 */
void nft_meta_get_eval(const struct nft_expr *expr,
		       struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_cmp_eval(const struct nft_expr *expr,
		  struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_lookup_eval(const struct nft_expr *expr,
		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_payload_eval(const struct nft_expr *expr,
		      struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_immediate_eval(const struct nft_expr *expr,
			struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_bitwise_eval(const struct nft_expr *expr,
		      struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_range_eval(const struct nft_expr *expr,
		    struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_byteorder_eval(const struct nft_expr *expr,
			struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_dynset_eval(const struct nft_expr *expr,
		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_rt_get_eval(const struct nft_expr *expr,
		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_counter_eval(const struct nft_expr *expr, struct nft_regs *regs,
		      const struct nft_pktinfo *pkt);
#endif /* _NET_NF_TABLES_CORE_H */