1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/x_tables.h>
7 #include <linux/netfilter/nf_tables.h>
8 #include <net/netlink.h>
10 #define NFT_JUMP_STACK_SIZE 16
14 const struct net_device *in;
15 const struct net_device *out;
16 const struct nf_hook_ops *ops;
20 /* for x_tables compatibility */
21 struct xt_action_param xt;
24 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
25 const struct nf_hook_ops *ops,
27 const struct net_device *in,
28 const struct net_device *out)
31 pkt->in = pkt->xt.in = in;
32 pkt->out = pkt->xt.out = out;
34 pkt->xt.hooknum = ops->hooknum;
35 pkt->xt.family = ops->pf;
43 struct nft_chain *chain;
46 } __attribute__((aligned(__alignof__(u64))));
48 static inline int nft_data_cmp(const struct nft_data *d1,
49 const struct nft_data *d2,
52 return memcmp(d1->data, d2->data, len);
55 static inline void nft_data_copy(struct nft_data *dst,
56 const struct nft_data *src)
58 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
59 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
60 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
63 static inline void nft_data_debug(const struct nft_data *data)
65 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
66 data->data[0], data->data[1],
67 data->data[2], data->data[3]);
71 * struct nft_ctx - nf_tables rule/set context
75 * @nlh: netlink message header
76 * @afi: address family info
77 * @table: the table the chain is contained in
78 * @chain: the chain the rule is contained in
79 * @nla: netlink attributes
83 const struct sk_buff *skb;
84 const struct nlmsghdr *nlh;
85 const struct nft_af_info *afi;
86 const struct nft_table *table;
87 const struct nft_chain *chain;
88 const struct nlattr * const *nla;
91 struct nft_data_desc {
92 enum nft_data_types type;
96 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
97 struct nft_data_desc *desc, const struct nlattr *nla);
98 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
99 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
100 enum nft_data_types type, unsigned int len);
102 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
104 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
107 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
109 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
112 int nft_validate_input_register(enum nft_registers reg);
113 int nft_validate_output_register(enum nft_registers reg);
114 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
115 const struct nft_data *data,
116 enum nft_data_types type);
119 * struct nft_set_elem - generic representation of set elements
121 * @cookie: implementation specific element cookie
123 * @data: element data (maps only)
124 * @flags: element flags (end of interval)
126 * The cookie can be used to store a handle to the element for subsequent
129 struct nft_set_elem {
132 struct nft_data data;
137 struct nft_set_iter {
141 int (*fn)(const struct nft_ctx *ctx,
142 const struct nft_set *set,
143 const struct nft_set_iter *iter,
144 const struct nft_set_elem *elem);
148 * struct nft_set_ops - nf_tables set operations
150 * @lookup: look up an element within the set
151 * @insert: insert new element into set
152 * @remove: remove element from set
153 * @walk: iterate over all set elemeennts
154 * @privsize: function to return size of set private data
155 * @init: initialize private data of new set instance
156 * @destroy: destroy private data of set instance
157 * @list: nf_tables_set_ops list node
158 * @owner: module reference
159 * @features: features supported by the implementation
162 bool (*lookup)(const struct nft_set *set,
163 const struct nft_data *key,
164 struct nft_data *data);
165 int (*get)(const struct nft_set *set,
166 struct nft_set_elem *elem);
167 int (*insert)(const struct nft_set *set,
168 const struct nft_set_elem *elem);
169 void (*remove)(const struct nft_set *set,
170 const struct nft_set_elem *elem);
171 void (*walk)(const struct nft_ctx *ctx,
172 const struct nft_set *set,
173 struct nft_set_iter *iter);
175 unsigned int (*privsize)(const struct nlattr * const nla[]);
176 int (*init)(const struct nft_set *set,
177 const struct nlattr * const nla[]);
178 void (*destroy)(const struct nft_set *set);
180 struct list_head list;
181 struct module *owner;
185 int nft_register_set(struct nft_set_ops *ops);
186 void nft_unregister_set(struct nft_set_ops *ops);
189 * struct nft_set - nf_tables set instance
191 * @list: table set list node
192 * @bindings: list of set bindings
193 * @name: name of the set
194 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
195 * @dtype: data type (verdict or numeric type defined by userspace)
200 * @data: private set data
203 struct list_head list;
204 struct list_head bindings;
208 /* runtime data below here */
209 const struct nft_set_ops *ops ____cacheline_aligned;
214 __attribute__((aligned(__alignof__(u64))));
217 static inline void *nft_set_priv(const struct nft_set *set)
219 return (void *)set->data;
222 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
223 const struct nlattr *nla);
226 * struct nft_set_binding - nf_tables set binding
228 * @list: set bindings list node
229 * @chain: chain containing the rule bound to the set
231 * A set binding contains all information necessary for validation
232 * of new elements added to a bound set.
234 struct nft_set_binding {
235 struct list_head list;
236 const struct nft_chain *chain;
239 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
240 struct nft_set_binding *binding);
241 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
242 struct nft_set_binding *binding);
246 * struct nft_expr_type - nf_tables expression type
248 * @select_ops: function to select nft_expr_ops
249 * @ops: default ops, used when no select_ops functions is present
250 * @list: used internally
252 * @owner: module reference
253 * @policy: netlink attribute policy
254 * @maxattr: highest netlink attribute number
255 * @family: address family for AF-specific types
257 struct nft_expr_type {
258 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
259 const struct nlattr * const tb[]);
260 const struct nft_expr_ops *ops;
261 struct list_head list;
263 struct module *owner;
264 const struct nla_policy *policy;
265 unsigned int maxattr;
270 * struct nft_expr_ops - nf_tables expression operations
272 * @eval: Expression evaluation function
273 * @size: full expression size, including private data size
274 * @init: initialization function
275 * @destroy: destruction function
276 * @dump: function to dump parameters
277 * @type: expression type
278 * @validate: validate expression, called during loop detection
279 * @data: extra data to attach to this expression operation
282 struct nft_expr_ops {
283 void (*eval)(const struct nft_expr *expr,
284 struct nft_data data[NFT_REG_MAX + 1],
285 const struct nft_pktinfo *pkt);
288 int (*init)(const struct nft_ctx *ctx,
289 const struct nft_expr *expr,
290 const struct nlattr * const tb[]);
291 void (*destroy)(const struct nft_expr *expr);
292 int (*dump)(struct sk_buff *skb,
293 const struct nft_expr *expr);
294 int (*validate)(const struct nft_ctx *ctx,
295 const struct nft_expr *expr,
296 const struct nft_data **data);
297 const struct nft_expr_type *type;
301 #define NFT_EXPR_MAXATTR 16
302 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
303 ALIGN(size, __alignof__(struct nft_expr)))
306 * struct nft_expr - nf_tables expression
308 * @ops: expression ops
309 * @data: expression private data
312 const struct nft_expr_ops *ops;
313 unsigned char data[];
316 static inline void *nft_expr_priv(const struct nft_expr *expr)
318 return (void *)expr->data;
322 * struct nft_rule - nf_tables rule
324 * @list: used internally
325 * @handle: rule handle
326 * @genmask: generation mask
327 * @dlen: length of expression data
328 * @data: expression data
331 struct list_head list;
336 __attribute__((aligned(__alignof__(struct nft_expr))));
340 * struct nft_rule_trans - nf_tables rule update in transaction
342 * @list: used internally
343 * @rule: rule that needs to be updated
344 * @chain: chain that this rule belongs to
345 * @table: table for which this chain applies
346 * @nlh: netlink header of the message that contain this update
347 * @family: family expressesed as AF_*
349 struct nft_rule_trans {
350 struct list_head list;
351 struct nft_rule *rule;
352 const struct nft_chain *chain;
353 const struct nft_table *table;
354 const struct nlmsghdr *nlh;
358 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
360 return (struct nft_expr *)&rule->data[0];
363 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
365 return ((void *)expr) + expr->ops->size;
368 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
370 return (struct nft_expr *)&rule->data[rule->dlen];
374 * The last pointer isn't really necessary, but the compiler isn't able to
375 * determine that the result of nft_expr_last() is always the same since it
376 * can't assume that the dlen value wasn't changed within calls in the loop.
378 #define nft_rule_for_each_expr(expr, last, rule) \
379 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
381 (expr) = nft_expr_next(expr))
383 enum nft_chain_flags {
384 NFT_BASE_CHAIN = 0x1,
388 * struct nft_chain - nf_tables chain
390 * @rules: list of rules in the chain
391 * @list: used internally
392 * @net: net namespace that this chain belongs to
393 * @table: table that this chain belongs to
394 * @handle: chain handle
395 * @flags: bitmask of enum nft_chain_flags
396 * @use: number of jump references to this chain
397 * @level: length of longest path to this chain
398 * @name: name of the chain
401 struct list_head rules;
402 struct list_head list;
404 struct nft_table *table;
409 char name[NFT_CHAIN_MAXNAMELEN];
412 enum nft_chain_type {
413 NFT_CHAIN_T_DEFAULT = 0,
424 #define NFT_HOOK_OPS_MAX 2
427 * struct nft_base_chain - nf_tables base chain
429 * @ops: netfilter hook ops
431 * @policy: default policy
432 * @stats: per-cpu chain stats
435 struct nft_base_chain {
436 struct nf_hook_ops ops[NFT_HOOK_OPS_MAX];
437 const struct nf_chain_type *type;
439 struct nft_stats __percpu *stats;
440 struct nft_chain chain;
443 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
445 return container_of(chain, struct nft_base_chain, chain);
448 unsigned int nft_do_chain(struct nft_pktinfo *pkt,
449 const struct nf_hook_ops *ops);
452 * struct nft_table - nf_tables table
454 * @list: used internally
455 * @chains: chains in the table
456 * @sets: sets in the table
457 * @hgenerator: handle generator state
458 * @use: number of chain references to this table
459 * @flags: table flag (see enum nft_table_flags)
460 * @name: name of the table
463 struct list_head list;
464 struct list_head chains;
465 struct list_head sets;
473 * struct nft_af_info - nf_tables address family info
475 * @list: used internally
476 * @family: address family
477 * @nhooks: number of hooks in this family
478 * @owner: module owner
479 * @tables: used internally
480 * @nops: number of hook ops in this family
481 * @hook_ops_init: initialization function for chain hook ops
482 * @hooks: hookfn overrides for packet validation
485 struct list_head list;
488 struct module *owner;
489 struct list_head tables;
491 void (*hook_ops_init)(struct nf_hook_ops *,
493 nf_hookfn *hooks[NF_MAX_HOOKS];
496 int nft_register_afinfo(struct net *, struct nft_af_info *);
497 void nft_unregister_afinfo(struct nft_af_info *);
500 * struct nf_chain_type - nf_tables chain type info
502 * @name: name of the type
503 * @type: numeric identifier
504 * @family: address family
505 * @owner: module owner
506 * @hook_mask: mask of valid hooks
507 * @hooks: hookfn overrides
509 struct nf_chain_type {
511 enum nft_chain_type type;
513 struct module *owner;
514 unsigned int hook_mask;
515 nf_hookfn *hooks[NF_MAX_HOOKS];
518 int nft_register_chain_type(const struct nf_chain_type *);
519 void nft_unregister_chain_type(const struct nf_chain_type *);
521 int nft_register_expr(struct nft_expr_type *);
522 void nft_unregister_expr(struct nft_expr_type *);
524 #define MODULE_ALIAS_NFT_FAMILY(family) \
525 MODULE_ALIAS("nft-afinfo-" __stringify(family))
527 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
528 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
530 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
531 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
533 #define MODULE_ALIAS_NFT_EXPR(name) \
534 MODULE_ALIAS("nft-expr-" name)
536 #define MODULE_ALIAS_NFT_SET() \
537 MODULE_ALIAS("nft-set")
539 #endif /* _NET_NF_TABLES_H */
projects / karo-tx-linux.git / blob