1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/x_tables.h>
7 #include <linux/netfilter/nf_tables.h>
8 #include <net/netlink.h>
10 #define NFT_JUMP_STACK_SIZE 16
14 const struct net_device *in;
15 const struct net_device *out;
19 /* for x_tables compatibility */
20 struct xt_action_param xt;
23 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
24 const struct nf_hook_ops *ops,
26 const struct net_device *in,
27 const struct net_device *out)
30 pkt->in = pkt->xt.in = in;
31 pkt->out = pkt->xt.out = out;
32 pkt->hooknum = pkt->xt.hooknum = ops->hooknum;
33 pkt->xt.family = ops->pf;
41 struct nft_chain *chain;
44 } __attribute__((aligned(__alignof__(u64))));
46 static inline int nft_data_cmp(const struct nft_data *d1,
47 const struct nft_data *d2,
50 return memcmp(d1->data, d2->data, len);
53 static inline void nft_data_copy(struct nft_data *dst,
54 const struct nft_data *src)
56 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
57 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
58 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
61 static inline void nft_data_debug(const struct nft_data *data)
63 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
64 data->data[0], data->data[1],
65 data->data[2], data->data[3]);
69 * struct nft_ctx - nf_tables rule/set context
73 * @nlh: netlink message header
74 * @afi: address family info
75 * @table: the table the chain is contained in
76 * @chain: the chain the rule is contained in
77 * @nla: netlink attributes
81 const struct sk_buff *skb;
82 const struct nlmsghdr *nlh;
83 const struct nft_af_info *afi;
84 const struct nft_table *table;
85 const struct nft_chain *chain;
86 const struct nlattr * const *nla;
89 struct nft_data_desc {
90 enum nft_data_types type;
94 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
95 struct nft_data_desc *desc, const struct nlattr *nla);
96 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
97 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
98 enum nft_data_types type, unsigned int len);
100 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
102 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
105 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
107 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
110 int nft_validate_input_register(enum nft_registers reg);
111 int nft_validate_output_register(enum nft_registers reg);
112 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
113 const struct nft_data *data,
114 enum nft_data_types type);
117 * struct nft_set_elem - generic representation of set elements
119 * @cookie: implementation specific element cookie
121 * @data: element data (maps only)
122 * @flags: element flags (end of interval)
124 * The cookie can be used to store a handle to the element for subsequent
127 struct nft_set_elem {
130 struct nft_data data;
135 struct nft_set_iter {
139 int (*fn)(const struct nft_ctx *ctx,
140 const struct nft_set *set,
141 const struct nft_set_iter *iter,
142 const struct nft_set_elem *elem);
146 * struct nft_set_ops - nf_tables set operations
148 * @lookup: look up an element within the set
149 * @insert: insert new element into set
150 * @remove: remove element from set
151 * @walk: iterate over all set elemeennts
152 * @privsize: function to return size of set private data
153 * @init: initialize private data of new set instance
154 * @destroy: destroy private data of set instance
155 * @list: nf_tables_set_ops list node
156 * @owner: module reference
157 * @features: features supported by the implementation
160 bool (*lookup)(const struct nft_set *set,
161 const struct nft_data *key,
162 struct nft_data *data);
163 int (*get)(const struct nft_set *set,
164 struct nft_set_elem *elem);
165 int (*insert)(const struct nft_set *set,
166 const struct nft_set_elem *elem);
167 void (*remove)(const struct nft_set *set,
168 const struct nft_set_elem *elem);
169 void (*walk)(const struct nft_ctx *ctx,
170 const struct nft_set *set,
171 struct nft_set_iter *iter);
173 unsigned int (*privsize)(const struct nlattr * const nla[]);
174 int (*init)(const struct nft_set *set,
175 const struct nlattr * const nla[]);
176 void (*destroy)(const struct nft_set *set);
178 struct list_head list;
179 struct module *owner;
183 int nft_register_set(struct nft_set_ops *ops);
184 void nft_unregister_set(struct nft_set_ops *ops);
187 * struct nft_set - nf_tables set instance
189 * @list: table set list node
190 * @bindings: list of set bindings
191 * @name: name of the set
192 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
193 * @dtype: data type (verdict or numeric type defined by userspace)
198 * @data: private set data
201 struct list_head list;
202 struct list_head bindings;
206 /* runtime data below here */
207 const struct nft_set_ops *ops ____cacheline_aligned;
212 __attribute__((aligned(__alignof__(u64))));
215 static inline void *nft_set_priv(const struct nft_set *set)
217 return (void *)set->data;
220 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
221 const struct nlattr *nla);
224 * struct nft_set_binding - nf_tables set binding
226 * @list: set bindings list node
227 * @chain: chain containing the rule bound to the set
229 * A set binding contains all information necessary for validation
230 * of new elements added to a bound set.
232 struct nft_set_binding {
233 struct list_head list;
234 const struct nft_chain *chain;
237 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
238 struct nft_set_binding *binding);
239 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
240 struct nft_set_binding *binding);
244 * struct nft_expr_type - nf_tables expression type
246 * @select_ops: function to select nft_expr_ops
247 * @ops: default ops, used when no select_ops functions is present
248 * @list: used internally
250 * @owner: module reference
251 * @policy: netlink attribute policy
252 * @maxattr: highest netlink attribute number
254 struct nft_expr_type {
255 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
256 const struct nlattr * const tb[]);
257 const struct nft_expr_ops *ops;
258 struct list_head list;
260 struct module *owner;
261 const struct nla_policy *policy;
262 unsigned int maxattr;
266 * struct nft_expr_ops - nf_tables expression operations
268 * @eval: Expression evaluation function
269 * @size: full expression size, including private data size
270 * @init: initialization function
271 * @destroy: destruction function
272 * @dump: function to dump parameters
273 * @type: expression type
274 * @validate: validate expression, called during loop detection
275 * @data: extra data to attach to this expression operation
278 struct nft_expr_ops {
279 void (*eval)(const struct nft_expr *expr,
280 struct nft_data data[NFT_REG_MAX + 1],
281 const struct nft_pktinfo *pkt);
284 int (*init)(const struct nft_ctx *ctx,
285 const struct nft_expr *expr,
286 const struct nlattr * const tb[]);
287 void (*destroy)(const struct nft_expr *expr);
288 int (*dump)(struct sk_buff *skb,
289 const struct nft_expr *expr);
290 int (*validate)(const struct nft_ctx *ctx,
291 const struct nft_expr *expr,
292 const struct nft_data **data);
293 const struct nft_expr_type *type;
297 #define NFT_EXPR_MAXATTR 16
298 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
299 ALIGN(size, __alignof__(struct nft_expr)))
302 * struct nft_expr - nf_tables expression
304 * @ops: expression ops
305 * @data: expression private data
308 const struct nft_expr_ops *ops;
309 unsigned char data[];
312 static inline void *nft_expr_priv(const struct nft_expr *expr)
314 return (void *)expr->data;
318 * struct nft_rule - nf_tables rule
320 * @list: used internally
321 * @rcu_head: used internally for rcu
322 * @handle: rule handle
323 * @genmask: generation mask
324 * @dlen: length of expression data
325 * @data: expression data
328 struct list_head list;
329 struct rcu_head rcu_head;
334 __attribute__((aligned(__alignof__(struct nft_expr))));
338 * struct nft_rule_trans - nf_tables rule update in transaction
340 * @list: used internally
341 * @rule: rule that needs to be updated
342 * @chain: chain that this rule belongs to
343 * @table: table for which this chain applies
344 * @nlh: netlink header of the message that contain this update
345 * @family: family expressesed as AF_*
347 struct nft_rule_trans {
348 struct list_head list;
349 struct nft_rule *rule;
350 const struct nft_chain *chain;
351 const struct nft_table *table;
352 const struct nlmsghdr *nlh;
356 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
358 return (struct nft_expr *)&rule->data[0];
361 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
363 return ((void *)expr) + expr->ops->size;
366 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
368 return (struct nft_expr *)&rule->data[rule->dlen];
372 * The last pointer isn't really necessary, but the compiler isn't able to
373 * determine that the result of nft_expr_last() is always the same since it
374 * can't assume that the dlen value wasn't changed within calls in the loop.
376 #define nft_rule_for_each_expr(expr, last, rule) \
377 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
379 (expr) = nft_expr_next(expr))
381 enum nft_chain_flags {
382 NFT_BASE_CHAIN = 0x1,
386 * struct nft_chain - nf_tables chain
388 * @rules: list of rules in the chain
389 * @list: used internally
390 * @rcu_head: used internally
391 * @net: net namespace that this chain belongs to
392 * @table: table that this chain belongs to
393 * @handle: chain handle
394 * @flags: bitmask of enum nft_chain_flags
395 * @use: number of jump references to this chain
396 * @level: length of longest path to this chain
397 * @name: name of the chain
400 struct list_head rules;
401 struct list_head list;
402 struct rcu_head rcu_head;
404 struct nft_table *table;
409 char name[NFT_CHAIN_MAXNAMELEN];
412 enum nft_chain_type {
413 NFT_CHAIN_T_DEFAULT = 0,
425 * struct nft_base_chain - nf_tables base chain
427 * @ops: netfilter hook ops
429 * @policy: default policy
430 * @stats: per-cpu chain stats
433 struct nft_base_chain {
434 struct nf_hook_ops ops;
435 enum nft_chain_type type;
437 struct nft_stats __percpu *stats;
438 struct nft_chain chain;
441 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
443 return container_of(chain, struct nft_base_chain, chain);
446 unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,
447 const struct nf_hook_ops *ops);
450 * struct nft_table - nf_tables table
452 * @list: used internally
453 * @chains: chains in the table
454 * @sets: sets in the table
455 * @hgenerator: handle generator state
456 * @use: number of chain references to this table
457 * @flags: table flag (see enum nft_table_flags)
458 * @name: name of the table
461 struct list_head list;
462 struct list_head chains;
463 struct list_head sets;
471 * struct nft_af_info - nf_tables address family info
473 * @list: used internally
474 * @family: address family
475 * @nhooks: number of hooks in this family
476 * @owner: module owner
477 * @tables: used internally
478 * @hooks: hookfn overrides for packet validation
481 struct list_head list;
484 struct module *owner;
485 struct list_head tables;
486 nf_hookfn *hooks[NF_MAX_HOOKS];
489 int nft_register_afinfo(struct net *, struct nft_af_info *);
490 void nft_unregister_afinfo(struct nft_af_info *);
492 struct nf_chain_type {
493 unsigned int hook_mask;
495 enum nft_chain_type type;
496 nf_hookfn *fn[NF_MAX_HOOKS];
501 int nft_register_chain_type(struct nf_chain_type *);
502 void nft_unregister_chain_type(struct nf_chain_type *);
504 int nft_register_expr(struct nft_expr_type *);
505 void nft_unregister_expr(struct nft_expr_type *);
507 #define MODULE_ALIAS_NFT_FAMILY(family) \
508 MODULE_ALIAS("nft-afinfo-" __stringify(family))
510 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
511 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
513 #define MODULE_ALIAS_NFT_EXPR(name) \
514 MODULE_ALIAS("nft-expr-" name)
516 #define MODULE_ALIAS_NFT_SET() \
517 MODULE_ALIAS("nft-set")
519 #endif /* _NET_NF_TABLES_H */
projects / karo-tx-linux.git / blob