1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/nfnetlink.h>
7 #include <linux/netfilter/x_tables.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <net/netlink.h>
11 #define NFT_JUMP_STACK_SIZE 16
15 const struct net_device *in;
16 const struct net_device *out;
17 const struct nf_hook_ops *ops;
21 /* for x_tables compatibility */
22 struct xt_action_param xt;
25 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
26 const struct nf_hook_ops *ops,
28 const struct net_device *in,
29 const struct net_device *out)
32 pkt->in = pkt->xt.in = in;
33 pkt->out = pkt->xt.out = out;
35 pkt->xt.hooknum = ops->hooknum;
36 pkt->xt.family = ops->pf;
44 struct nft_chain *chain;
47 } __attribute__((aligned(__alignof__(u64))));
49 static inline int nft_data_cmp(const struct nft_data *d1,
50 const struct nft_data *d2,
53 return memcmp(d1->data, d2->data, len);
56 static inline void nft_data_copy(struct nft_data *dst,
57 const struct nft_data *src)
59 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
60 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
61 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
64 static inline void nft_data_debug(const struct nft_data *data)
66 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
67 data->data[0], data->data[1],
68 data->data[2], data->data[3]);
72 * struct nft_ctx - nf_tables rule/set context
76 * @nlh: netlink message header
77 * @afi: address family info
78 * @table: the table the chain is contained in
79 * @chain: the chain the rule is contained in
80 * @nla: netlink attributes
84 const struct sk_buff *skb;
85 const struct nlmsghdr *nlh;
86 struct nft_af_info *afi;
87 struct nft_table *table;
88 struct nft_chain *chain;
89 const struct nlattr * const *nla;
92 struct nft_data_desc {
93 enum nft_data_types type;
97 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
98 struct nft_data_desc *desc, const struct nlattr *nla);
99 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
100 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
101 enum nft_data_types type, unsigned int len);
103 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
105 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
108 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
110 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
113 int nft_validate_input_register(enum nft_registers reg);
114 int nft_validate_output_register(enum nft_registers reg);
115 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
116 const struct nft_data *data,
117 enum nft_data_types type);
120 * struct nft_set_elem - generic representation of set elements
122 * @cookie: implementation specific element cookie
124 * @data: element data (maps only)
125 * @flags: element flags (end of interval)
127 * The cookie can be used to store a handle to the element for subsequent
130 struct nft_set_elem {
133 struct nft_data data;
138 struct nft_set_iter {
142 int (*fn)(const struct nft_ctx *ctx,
143 const struct nft_set *set,
144 const struct nft_set_iter *iter,
145 const struct nft_set_elem *elem);
149 * struct nft_set_desc - description of set elements
153 * @size: number of set elements
155 struct nft_set_desc {
162 * enum nft_set_class - performance class
164 * @NFT_LOOKUP_O_1: constant, O(1)
165 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
166 * @NFT_LOOKUP_O_N: linear, O(N)
170 NFT_SET_CLASS_O_LOG_N,
175 * struct nft_set_estimate - estimation of memory and performance
178 * @size: required memory
179 * @class: lookup performance class
181 struct nft_set_estimate {
183 enum nft_set_class class;
187 * struct nft_set_ops - nf_tables set operations
189 * @lookup: look up an element within the set
190 * @insert: insert new element into set
191 * @remove: remove element from set
192 * @walk: iterate over all set elemeennts
193 * @privsize: function to return size of set private data
194 * @init: initialize private data of new set instance
195 * @destroy: destroy private data of set instance
196 * @list: nf_tables_set_ops list node
197 * @owner: module reference
198 * @features: features supported by the implementation
201 bool (*lookup)(const struct nft_set *set,
202 const struct nft_data *key,
203 struct nft_data *data);
204 int (*get)(const struct nft_set *set,
205 struct nft_set_elem *elem);
206 int (*insert)(const struct nft_set *set,
207 const struct nft_set_elem *elem);
208 void (*remove)(const struct nft_set *set,
209 const struct nft_set_elem *elem);
210 void (*walk)(const struct nft_ctx *ctx,
211 const struct nft_set *set,
212 struct nft_set_iter *iter);
214 unsigned int (*privsize)(const struct nlattr * const nla[]);
215 bool (*estimate)(const struct nft_set_desc *desc,
217 struct nft_set_estimate *est);
218 int (*init)(const struct nft_set *set,
219 const struct nft_set_desc *desc,
220 const struct nlattr * const nla[]);
221 void (*destroy)(const struct nft_set *set);
223 struct list_head list;
224 struct module *owner;
228 int nft_register_set(struct nft_set_ops *ops);
229 void nft_unregister_set(struct nft_set_ops *ops);
232 * struct nft_set - nf_tables set instance
234 * @list: table set list node
235 * @bindings: list of set bindings
236 * @name: name of the set
237 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
238 * @dtype: data type (verdict or numeric type defined by userspace)
239 * @size: maximum set size
240 * @nelems: number of elements
245 * @data: private set data
248 struct list_head list;
249 struct list_head bindings;
255 /* runtime data below here */
256 const struct nft_set_ops *ops ____cacheline_aligned;
261 __attribute__((aligned(__alignof__(u64))));
264 static inline void *nft_set_priv(const struct nft_set *set)
266 return (void *)set->data;
269 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
270 const struct nlattr *nla);
271 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
272 const struct nlattr *nla);
275 * struct nft_set_binding - nf_tables set binding
277 * @list: set bindings list node
278 * @chain: chain containing the rule bound to the set
280 * A set binding contains all information necessary for validation
281 * of new elements added to a bound set.
283 struct nft_set_binding {
284 struct list_head list;
285 const struct nft_chain *chain;
288 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
289 struct nft_set_binding *binding);
290 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
291 struct nft_set_binding *binding);
295 * struct nft_expr_type - nf_tables expression type
297 * @select_ops: function to select nft_expr_ops
298 * @ops: default ops, used when no select_ops functions is present
299 * @list: used internally
301 * @owner: module reference
302 * @policy: netlink attribute policy
303 * @maxattr: highest netlink attribute number
304 * @family: address family for AF-specific types
306 struct nft_expr_type {
307 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
308 const struct nlattr * const tb[]);
309 const struct nft_expr_ops *ops;
310 struct list_head list;
312 struct module *owner;
313 const struct nla_policy *policy;
314 unsigned int maxattr;
319 * struct nft_expr_ops - nf_tables expression operations
321 * @eval: Expression evaluation function
322 * @size: full expression size, including private data size
323 * @init: initialization function
324 * @destroy: destruction function
325 * @dump: function to dump parameters
326 * @type: expression type
327 * @validate: validate expression, called during loop detection
328 * @data: extra data to attach to this expression operation
331 struct nft_expr_ops {
332 void (*eval)(const struct nft_expr *expr,
333 struct nft_data data[NFT_REG_MAX + 1],
334 const struct nft_pktinfo *pkt);
337 int (*init)(const struct nft_ctx *ctx,
338 const struct nft_expr *expr,
339 const struct nlattr * const tb[]);
340 void (*destroy)(const struct nft_ctx *ctx,
341 const struct nft_expr *expr);
342 int (*dump)(struct sk_buff *skb,
343 const struct nft_expr *expr);
344 int (*validate)(const struct nft_ctx *ctx,
345 const struct nft_expr *expr,
346 const struct nft_data **data);
347 const struct nft_expr_type *type;
351 #define NFT_EXPR_MAXATTR 16
352 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
353 ALIGN(size, __alignof__(struct nft_expr)))
356 * struct nft_expr - nf_tables expression
358 * @ops: expression ops
359 * @data: expression private data
362 const struct nft_expr_ops *ops;
363 unsigned char data[];
366 static inline void *nft_expr_priv(const struct nft_expr *expr)
368 return (void *)expr->data;
372 * struct nft_rule - nf_tables rule
374 * @list: used internally
375 * @handle: rule handle
376 * @genmask: generation mask
377 * @dlen: length of expression data
378 * @ulen: length of user data (used for comments)
379 * @data: expression data
382 struct list_head list;
388 __attribute__((aligned(__alignof__(struct nft_expr))));
392 * struct nft_trans - nf_tables object update in transaction
394 * @list: used internally
395 * @msg_type: message type
396 * @ctx: transaction context
397 * @data: internal information related to the transaction
400 struct list_head list;
406 struct nft_trans_rule {
407 struct nft_rule *rule;
410 #define nft_trans_rule(trans) \
411 (((struct nft_trans_rule *)trans->data)->rule)
413 struct nft_trans_set {
418 #define nft_trans_set(trans) \
419 (((struct nft_trans_set *)trans->data)->set)
420 #define nft_trans_set_id(trans) \
421 (((struct nft_trans_set *)trans->data)->set_id)
423 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
425 return (struct nft_expr *)&rule->data[0];
428 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
430 return ((void *)expr) + expr->ops->size;
433 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
435 return (struct nft_expr *)&rule->data[rule->dlen];
438 static inline void *nft_userdata(const struct nft_rule *rule)
440 return (void *)&rule->data[rule->dlen];
444 * The last pointer isn't really necessary, but the compiler isn't able to
445 * determine that the result of nft_expr_last() is always the same since it
446 * can't assume that the dlen value wasn't changed within calls in the loop.
448 #define nft_rule_for_each_expr(expr, last, rule) \
449 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
451 (expr) = nft_expr_next(expr))
453 enum nft_chain_flags {
454 NFT_BASE_CHAIN = 0x1,
458 * struct nft_chain - nf_tables chain
460 * @rules: list of rules in the chain
461 * @list: used internally
462 * @net: net namespace that this chain belongs to
463 * @table: table that this chain belongs to
464 * @handle: chain handle
465 * @flags: bitmask of enum nft_chain_flags
466 * @use: number of jump references to this chain
467 * @level: length of longest path to this chain
468 * @name: name of the chain
471 struct list_head rules;
472 struct list_head list;
474 struct nft_table *table;
479 char name[NFT_CHAIN_MAXNAMELEN];
482 enum nft_chain_type {
483 NFT_CHAIN_T_DEFAULT = 0,
494 #define NFT_HOOK_OPS_MAX 2
497 * struct nft_base_chain - nf_tables base chain
499 * @ops: netfilter hook ops
501 * @policy: default policy
502 * @stats: per-cpu chain stats
505 struct nft_base_chain {
506 struct nf_hook_ops ops[NFT_HOOK_OPS_MAX];
507 const struct nf_chain_type *type;
509 struct nft_stats __percpu *stats;
510 struct nft_chain chain;
513 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
515 return container_of(chain, struct nft_base_chain, chain);
518 unsigned int nft_do_chain(struct nft_pktinfo *pkt,
519 const struct nf_hook_ops *ops);
522 * struct nft_table - nf_tables table
524 * @list: used internally
525 * @chains: chains in the table
526 * @sets: sets in the table
527 * @hgenerator: handle generator state
528 * @use: number of chain references to this table
529 * @flags: table flag (see enum nft_table_flags)
530 * @name: name of the table
533 struct list_head list;
534 struct list_head chains;
535 struct list_head sets;
543 * struct nft_af_info - nf_tables address family info
545 * @list: used internally
546 * @family: address family
547 * @nhooks: number of hooks in this family
548 * @owner: module owner
549 * @tables: used internally
550 * @nops: number of hook ops in this family
551 * @hook_ops_init: initialization function for chain hook ops
552 * @hooks: hookfn overrides for packet validation
555 struct list_head list;
558 struct module *owner;
559 struct list_head tables;
561 void (*hook_ops_init)(struct nf_hook_ops *,
563 nf_hookfn *hooks[NF_MAX_HOOKS];
566 int nft_register_afinfo(struct net *, struct nft_af_info *);
567 void nft_unregister_afinfo(struct nft_af_info *);
570 * struct nf_chain_type - nf_tables chain type info
572 * @name: name of the type
573 * @type: numeric identifier
574 * @family: address family
575 * @owner: module owner
576 * @hook_mask: mask of valid hooks
577 * @hooks: hookfn overrides
579 struct nf_chain_type {
581 enum nft_chain_type type;
583 struct module *owner;
584 unsigned int hook_mask;
585 nf_hookfn *hooks[NF_MAX_HOOKS];
588 int nft_register_chain_type(const struct nf_chain_type *);
589 void nft_unregister_chain_type(const struct nf_chain_type *);
591 int nft_register_expr(struct nft_expr_type *);
592 void nft_unregister_expr(struct nft_expr_type *);
594 #define nft_dereference(p) \
595 nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
597 #define MODULE_ALIAS_NFT_FAMILY(family) \
598 MODULE_ALIAS("nft-afinfo-" __stringify(family))
600 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
601 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
603 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
604 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
606 #define MODULE_ALIAS_NFT_EXPR(name) \
607 MODULE_ALIAS("nft-expr-" name)
609 #define MODULE_ALIAS_NFT_SET() \
610 MODULE_ALIAS("nft-set")
612 #endif /* _NET_NF_TABLES_H */
projects / firefly-linux-kernel-4.4.55.git / blob