[deliverable/linux.git] / include / net / netfilter / nf_tables.h

#ifndef _NET_NF_TABLES_H
#define _NET_NF_TABLES_H

#include <linux/list.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netlink.h>

#define NFT_JUMP_STACK_SIZE	16

struct nft_pktinfo {
	struct sk_buff			*skb;
	const struct net_device		*in;
	const struct net_device		*out;
	u8				hooknum;
	u8				nhoff;
	u8				thoff;
	/* for x_tables compatibility */
	struct xt_action_param		xt;
};

static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
				   const struct nf_hook_ops *ops,
				   struct sk_buff *skb,
				   const struct net_device *in,
				   const struct net_device *out)
{
	pkt->skb = skb;
	pkt->in = pkt->xt.in = in;
	pkt->out = pkt->xt.out = out;
	pkt->hooknum = pkt->xt.hooknum = ops->hooknum;
	pkt->xt.family = ops->pf;
}

struct nft_data {
	union {
		u32				data[4];
		struct {
			u32			verdict;
			struct nft_chain	*chain;
		};
	};
} __attribute__((aligned(__alignof__(u64))));

static inline int nft_data_cmp(const struct nft_data *d1,
			       const struct nft_data *d2,
			       unsigned int len)
{
	return memcmp(d1->data, d2->data, len);
}

static inline void nft_data_copy(struct nft_data *dst,
				 const struct nft_data *src)
{
	BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
	*(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
	*(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
}

static inline void nft_data_debug(const struct nft_data *data)
{
	pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
		 data->data[0], data->data[1],
		 data->data[2], data->data[3]);
}

/**
 *	struct nft_ctx - nf_tables rule/set context
 *
 *	@net: net namespace
 * 	@skb: netlink skb
 * 	@nlh: netlink message header
 * 	@afi: address family info
 * 	@table: the table the chain is contained in
 * 	@chain: the chain the rule is contained in
 *	@nla: netlink attributes
 */
struct nft_ctx {
	struct net			*net;
	const struct sk_buff		*skb;
	const struct nlmsghdr		*nlh;
	const struct nft_af_info	*afi;
	const struct nft_table		*table;
	const struct nft_chain		*chain;
	const struct nlattr * const 	*nla;
};

struct nft_data_desc {
	enum nft_data_types		type;
	unsigned int			len;
};

extern int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
			 struct nft_data_desc *desc, const struct nlattr *nla);
extern void nft_data_uninit(const struct nft_data *data,
			    enum nft_data_types type);
extern int nft_data_dump(struct sk_buff *skb, int attr,
			 const struct nft_data *data,
			 enum nft_data_types type, unsigned int len);

static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
{
	return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
}

static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
{
	return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
}

extern int nft_validate_input_register(enum nft_registers reg);
extern int nft_validate_output_register(enum nft_registers reg);
extern int nft_validate_data_load(const struct nft_ctx *ctx,
				  enum nft_registers reg,
				  const struct nft_data *data,
				  enum nft_data_types type);

/**
 *	struct nft_set_elem - generic representation of set elements
 *
 *	@cookie: implementation specific element cookie
 *	@key: element key
 *	@data: element data (maps only)
 *	@flags: element flags (end of interval)
 *
 *	The cookie can be used to store a handle to the element for subsequent
 *	removal.
 */
struct nft_set_elem {
	void			*cookie;
	struct nft_data		key;
	struct nft_data		data;
	u32			flags;
};

struct nft_set;
struct nft_set_iter {
	unsigned int	count;
	unsigned int	skip;
	int		err;
	int		(*fn)(const struct nft_ctx *ctx,
			      const struct nft_set *set,
			      const struct nft_set_iter *iter,
			      const struct nft_set_elem *elem);
};

/**
 *	struct nft_set_ops - nf_tables set operations
 *
 *	@lookup: look up an element within the set
 *	@insert: insert new element into set
 *	@remove: remove element from set
 *	@walk: iterate over all set elemeennts
 *	@privsize: function to return size of set private data
 *	@init: initialize private data of new set instance
 *	@destroy: destroy private data of set instance
 *	@list: nf_tables_set_ops list node
 *	@owner: module reference
 *	@features: features supported by the implementation
 */
struct nft_set_ops {
	bool				(*lookup)(const struct nft_set *set,
						  const struct nft_data *key,
						  struct nft_data *data);
	int				(*get)(const struct nft_set *set,
					       struct nft_set_elem *elem);
	int				(*insert)(const struct nft_set *set,
						  const struct nft_set_elem *elem);
	void				(*remove)(const struct nft_set *set,
						  const struct nft_set_elem *elem);
	void				(*walk)(const struct nft_ctx *ctx,
						const struct nft_set *set,
						struct nft_set_iter *iter);

	unsigned int			(*privsize)(const struct nlattr * const nla[]);
	int				(*init)(const struct nft_set *set,
						const struct nlattr * const nla[]);
	void				(*destroy)(const struct nft_set *set);

	struct list_head		list;
	struct module			*owner;
	u32				features;
};

extern int nft_register_set(struct nft_set_ops *ops);
extern void nft_unregister_set(struct nft_set_ops *ops);

/**
 * 	struct nft_set - nf_tables set instance
 *
 *	@list: table set list node
 *	@bindings: list of set bindings
 * 	@name: name of the set
 * 	@ktype: key type (numeric type defined by userspace, not used in the kernel)
 * 	@dtype: data type (verdict or numeric type defined by userspace)
 * 	@ops: set ops
 * 	@flags: set flags
 * 	@klen: key length
 * 	@dlen: data length
 * 	@data: private set data
 */
struct nft_set {
	struct list_head		list;
	struct list_head		bindings;
	char				name[IFNAMSIZ];
	u32				ktype;
	u32				dtype;
	/* runtime data below here */
	const struct nft_set_ops	*ops ____cacheline_aligned;
	u16				flags;
	u8				klen;
	u8				dlen;
	unsigned char			data[]
		__attribute__((aligned(__alignof__(u64))));
};

static inline void *nft_set_priv(const struct nft_set *set)
{
	return (void *)set->data;
}

extern struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
					    const struct nlattr *nla);

/**
 *	struct nft_set_binding - nf_tables set binding
 *
 *	@list: set bindings list node
 *	@chain: chain containing the rule bound to the set
 *
 *	A set binding contains all information necessary for validation
 *	of new elements added to a bound set.
 */
struct nft_set_binding {
	struct list_head		list;
	const struct nft_chain		*chain;
};

extern int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
			      struct nft_set_binding *binding);
extern void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
				 struct nft_set_binding *binding);


/**
 *	struct nft_expr_type - nf_tables expression type
 *
 *	@select_ops: function to select nft_expr_ops
 *	@ops: default ops, used when no select_ops functions is present
 *	@list: used internally
 *	@name: Identifier
 *	@owner: module reference
 *	@policy: netlink attribute policy
 *	@maxattr: highest netlink attribute number
 */
struct nft_expr_type {
	const struct nft_expr_ops	*(*select_ops)(const struct nft_ctx *,
						       const struct nlattr * const tb[]);
	const struct nft_expr_ops	*ops;
	struct list_head		list;
	const char			*name;
	struct module			*owner;
	const struct nla_policy		*policy;
	unsigned int			maxattr;
};

/**
 *	struct nft_expr_ops - nf_tables expression operations
 *
 *	@eval: Expression evaluation function
 *	@size: full expression size, including private data size
 *	@init: initialization function
 *	@destroy: destruction function
 *	@dump: function to dump parameters
 *	@type: expression type
 *	@validate: validate expression, called during loop detection
 *	@data: extra data to attach to this expression operation
 */
struct nft_expr;
struct nft_expr_ops {
	void				(*eval)(const struct nft_expr *expr,
						struct nft_data data[NFT_REG_MAX + 1],
						const struct nft_pktinfo *pkt);
	unsigned int			size;

	int				(*init)(const struct nft_ctx *ctx,
						const struct nft_expr *expr,
						const struct nlattr * const tb[]);
	void				(*destroy)(const struct nft_expr *expr);
	int				(*dump)(struct sk_buff *skb,
						const struct nft_expr *expr);
	int				(*validate)(const struct nft_ctx *ctx,
						    const struct nft_expr *expr,
						    const struct nft_data **data);
	const struct nft_expr_type	*type;
	void				*data;
};

#define NFT_EXPR_MAXATTR		16
#define NFT_EXPR_SIZE(size)		(sizeof(struct nft_expr) + \
					 ALIGN(size, __alignof__(struct nft_expr)))

/**
 *	struct nft_expr - nf_tables expression
 *
 *	@ops: expression ops
 *	@data: expression private data
 */
struct nft_expr {
	const struct nft_expr_ops	*ops;
	unsigned char			data[];
};

static inline void *nft_expr_priv(const struct nft_expr *expr)
{
	return (void *)expr->data;
}

/**
 *	struct nft_rule - nf_tables rule
 *
 *	@list: used internally
 *	@rcu_head: used internally for rcu
 *	@handle: rule handle
 *	@genmask: generation mask
 *	@dlen: length of expression data
 *	@data: expression data
 */
struct nft_rule {
	struct list_head		list;
	struct rcu_head			rcu_head;
	u64				handle:46,
					genmask:2,
					dlen:16;
	unsigned char			data[]
		__attribute__((aligned(__alignof__(struct nft_expr))));
};

/**
 *	struct nft_rule_trans - nf_tables rule update in transaction
 *
 *	@list: used internally
 *	@rule: rule that needs to be updated
 *	@chain: chain that this rule belongs to
 *	@table: table for which this chain applies
 *	@nlh: netlink header of the message that contain this update
 *	@family: family expressesed as AF_*
 */
struct nft_rule_trans {
	struct list_head		list;
	struct nft_rule			*rule;
	const struct nft_chain		*chain;
	const struct nft_table		*table;
	const struct nlmsghdr		*nlh;
	u8				family;
};

static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
{
	return (struct nft_expr *)&rule->data[0];
}

static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
{
	return ((void *)expr) + expr->ops->size;
}

static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
{
	return (struct nft_expr *)&rule->data[rule->dlen];
}

/*
 * The last pointer isn't really necessary, but the compiler isn't able to
 * determine that the result of nft_expr_last() is always the same since it
 * can't assume that the dlen value wasn't changed within calls in the loop.
 */
#define nft_rule_for_each_expr(expr, last, rule) \
	for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
	     (expr) != (last); \
	     (expr) = nft_expr_next(expr))

enum nft_chain_flags {
	NFT_BASE_CHAIN			= 0x1,
};

/**
 *	struct nft_chain - nf_tables chain
 *
 *	@rules: list of rules in the chain
 *	@list: used internally
 *	@rcu_head: used internally
 *	@net: net namespace that this chain belongs to
 *	@table: table that this chain belongs to
 *	@handle: chain handle
 *	@flags: bitmask of enum nft_chain_flags
 *	@use: number of jump references to this chain
 *	@level: length of longest path to this chain
 *	@name: name of the chain
 */
struct nft_chain {
	struct list_head		rules;
	struct list_head		list;
	struct rcu_head			rcu_head;
	struct net			*net;
	struct nft_table		*table;
	u64				handle;
	u8				flags;
	u16				use;
	u16				level;
	char				name[NFT_CHAIN_MAXNAMELEN];
};

enum nft_chain_type {
	NFT_CHAIN_T_DEFAULT = 0,
	NFT_CHAIN_T_ROUTE,
	NFT_CHAIN_T_NAT,
	NFT_CHAIN_T_MAX
};

struct nft_stats {
	u64 bytes;
	u64 pkts;
};

/**
 *	struct nft_base_chain - nf_tables base chain
 *
 *	@ops: netfilter hook ops
 *	@type: chain type
 *	@policy: default policy
 *	@stats: per-cpu chain stats
 *	@chain: the chain
 */
struct nft_base_chain {
	struct nf_hook_ops		ops;
	enum nft_chain_type		type;
	u8				policy;
	struct nft_stats __percpu	*stats;
	struct nft_chain		chain;
};

static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
{
	return container_of(chain, struct nft_base_chain, chain);
}

extern unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,
					 const struct nf_hook_ops *ops);

/**
 *	struct nft_table - nf_tables table
 *
 *	@list: used internally
 *	@chains: chains in the table
 *	@sets: sets in the table
 *	@hgenerator: handle generator state
 *	@use: number of chain references to this table
 *	@flags: table flag (see enum nft_table_flags)
 *	@name: name of the table
 */
struct nft_table {
	struct list_head		list;
	struct list_head		chains;
	struct list_head		sets;
	u64				hgenerator;
	u32				use;
	u16				flags;
	char				name[];
};

/**
 *	struct nft_af_info - nf_tables address family info
 *
 *	@list: used internally
 *	@family: address family
 *	@nhooks: number of hooks in this family
 *	@owner: module owner
 *	@tables: used internally
 *	@hooks: hookfn overrides for packet validation
 */
struct nft_af_info {
	struct list_head		list;
	int				family;
	unsigned int			nhooks;
	struct module			*owner;
	struct list_head		tables;
	nf_hookfn			*hooks[NF_MAX_HOOKS];
};

extern int nft_register_afinfo(struct net *, struct nft_af_info *);
extern void nft_unregister_afinfo(struct nft_af_info *);

struct nf_chain_type {
	unsigned int		hook_mask;
	const char		*name;
	enum nft_chain_type	type;
	nf_hookfn		*fn[NF_MAX_HOOKS];
	struct module		*me;
	int			family;
};

extern int nft_register_chain_type(struct nf_chain_type *);
extern void nft_unregister_chain_type(struct nf_chain_type *);

extern int nft_register_expr(struct nft_expr_type *);
extern void nft_unregister_expr(struct nft_expr_type *);

#define MODULE_ALIAS_NFT_FAMILY(family)	\
	MODULE_ALIAS("nft-afinfo-" __stringify(family))

#define MODULE_ALIAS_NFT_CHAIN(family, name) \
	MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)

#define MODULE_ALIAS_NFT_EXPR(name) \
	MODULE_ALIAS("nft-expr-" name)

#define MODULE_ALIAS_NFT_SET() \
	MODULE_ALIAS("nft-set")

#endif /* _NET_NF_TABLES_H */
Commit	Line	Data
96518518 PM	1	#ifndef _NET_NF_TABLES_H
	2	#define _NET_NF_TABLES_H
	3
	4	#include <linux/list.h>
	5	#include <linux/netfilter.h>
0ca743a5	6	#include <linux/netfilter/x_tables.h>
96518518 PM	7	#include <linux/netfilter/nf_tables.h>
	8	#include <net/netlink.h>
	9
20a69341 PM	10	#define NFT_JUMP_STACK_SIZE 16
20a69341 PM	11
96518518 PM	12	struct nft_pktinfo {
	13	struct sk_buff *skb;
	14	const struct net_device *in;
	15	const struct net_device *out;
	16	u8 hooknum;
	17	u8 nhoff;
	18	u8 thoff;
0ca743a5 PNA	19	/* for x_tables compatibility */
0ca743a5 PNA	20	struct xt_action_param xt;
96518518 PM	21	};
96518518 PM	22
0ca743a5 PNA	23	static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
	24	const struct nf_hook_ops *ops,
	25	struct sk_buff *skb,
	26	const struct net_device *in,
	27	const struct net_device *out)
	28	{
	29	pkt->skb = skb;
	30	pkt->in = pkt->xt.in = in;
	31	pkt->out = pkt->xt.out = out;
	32	pkt->hooknum = pkt->xt.hooknum = ops->hooknum;
	33	pkt->xt.family = ops->pf;
	34	}
	35
96518518 PM	36	struct nft_data {
	37	union {
	38	u32 data[4];
	39	struct {
	40	u32 verdict;
	41	struct nft_chain *chain;
	42	};
	43	};
	44	} __attribute__((aligned(__alignof__(u64))));
	45
	46	static inline int nft_data_cmp(const struct nft_data *d1,
	47	const struct nft_data *d2,
	48	unsigned int len)
	49	{
	50	return memcmp(d1->data, d2->data, len);
	51	}
	52
	53	static inline void nft_data_copy(struct nft_data *dst,
	54	const struct nft_data *src)
	55	{
	56	BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
	57	(u64 )&dst->data[0] = (u64 )&src->data[0];
	58	(u64 )&dst->data[2] = (u64 )&src->data[2];
	59	}
	60
	61	static inline void nft_data_debug(const struct nft_data *data)
	62	{
	63	pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
	64	data->data[0], data->data[1],
	65	data->data[2], data->data[3]);
	66	}
	67
	68	/**
20a69341	69	* struct nft_ctx - nf_tables rule/set context
96518518	70	*
99633ab2	71	* @net: net namespace
20a69341 PM	72	* @skb: netlink skb
20a69341 PM	73	* @nlh: netlink message header
96518518 PM	74	* @afi: address family info
	75	* @table: the table the chain is contained in
	76	* @chain: the chain the rule is contained in
0ca743a5	77	* @nla: netlink attributes
96518518 PM	78	*/
96518518 PM	79	struct nft_ctx {
99633ab2	80	struct net *net;
20a69341 PM	81	const struct sk_buff *skb;
20a69341 PM	82	const struct nlmsghdr *nlh;
96518518 PM	83	const struct nft_af_info *afi;
	84	const struct nft_table *table;
	85	const struct nft_chain *chain;
0ca743a5	86	const struct nlattr * const *nla;
96518518 PM	87	};
96518518 PM	88
96518518 PM	89	struct nft_data_desc {
	90	enum nft_data_types type;
	91	unsigned int len;
	92	};
	93
	94	extern int nft_data_init(const struct nft_ctx ctx, struct nft_data data,
	95	struct nft_data_desc desc, const struct nlattr nla);
	96	extern void nft_data_uninit(const struct nft_data *data,
	97	enum nft_data_types type);
	98	extern int nft_data_dump(struct sk_buff *skb, int attr,
	99	const struct nft_data *data,
	100	enum nft_data_types type, unsigned int len);
	101
	102	static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
	103	{
	104	return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
	105	}
	106
20a69341 PM	107	static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
	108	{
	109	return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
	110	}
	111
96518518 PM	112	extern int nft_validate_input_register(enum nft_registers reg);
	113	extern int nft_validate_output_register(enum nft_registers reg);
	114	extern int nft_validate_data_load(const struct nft_ctx *ctx,
	115	enum nft_registers reg,
	116	const struct nft_data *data,
	117	enum nft_data_types type);
	118
20a69341 PM	119	/**
	120	* struct nft_set_elem - generic representation of set elements
	121	*
	122	* @cookie: implementation specific element cookie
	123	* @key: element key
	124	* @data: element data (maps only)
	125	* @flags: element flags (end of interval)
	126	*
	127	* The cookie can be used to store a handle to the element for subsequent
	128	* removal.
	129	*/
	130	struct nft_set_elem {
	131	void *cookie;
	132	struct nft_data key;
	133	struct nft_data data;
	134	u32 flags;
	135	};
	136
	137	struct nft_set;
	138	struct nft_set_iter {
	139	unsigned int count;
	140	unsigned int skip;
	141	int err;
	142	int (fn)(const struct nft_ctx ctx,
	143	const struct nft_set *set,
	144	const struct nft_set_iter *iter,
	145	const struct nft_set_elem *elem);
	146	};
	147
	148	/**
	149	* struct nft_set_ops - nf_tables set operations
	150	*
	151	* @lookup: look up an element within the set
	152	* @insert: insert new element into set
	153	* @remove: remove element from set
	154	* @walk: iterate over all set elemeennts
	155	* @privsize: function to return size of set private data
	156	* @init: initialize private data of new set instance
	157	* @destroy: destroy private data of set instance
	158	* @list: nf_tables_set_ops list node
	159	* @owner: module reference
	160	* @features: features supported by the implementation
	161	*/
	162	struct nft_set_ops {
	163	bool (lookup)(const struct nft_set set,
	164	const struct nft_data *key,
	165	struct nft_data *data);
	166	int (get)(const struct nft_set set,
	167	struct nft_set_elem *elem);
	168	int (insert)(const struct nft_set set,
	169	const struct nft_set_elem *elem);
	170	void (remove)(const struct nft_set set,
	171	const struct nft_set_elem *elem);
	172	void (walk)(const struct nft_ctx ctx,
	173	const struct nft_set *set,
	174	struct nft_set_iter *iter);
	175
	176	unsigned int (privsize)(const struct nlattr const nla[]);
	177	int (init)(const struct nft_set set,
	178	const struct nlattr * const nla[]);
	179	void (destroy)(const struct nft_set set);
	180
	181	struct list_head list;
	182	struct module *owner;
183	u32 features;
184	};
185
186	extern int nft_register_set(struct nft_set_ops *ops);
187	extern void nft_unregister_set(struct nft_set_ops *ops);
188
189	/**
190	* struct nft_set - nf_tables set instance
191	*
192	* @list: table set list node
193	* @bindings: list of set bindings
194	* @name: name of the set
195	* @ktype: key type (numeric type defined by userspace, not used in the kernel)
196	* @dtype: data type (verdict or numeric type defined by userspace)
197	* @ops: set ops
198	* @flags: set flags
199	* @klen: key length
200	* @dlen: data length
201	* @data: private set data
202	*/
203	struct nft_set {
204	struct list_head list;
205	struct list_head bindings;
206	char name[IFNAMSIZ];
207	u32 ktype;
208	u32 dtype;
209	/* runtime data below here */
210	const struct nft_set_ops *ops ____cacheline_aligned;
211	u16 flags;
212	u8 klen;
213	u8 dlen;
214	unsigned char data[]
215	__attribute__((aligned(__alignof__(u64))));
216	};
217
218	static inline void nft_set_priv(const struct nft_set set)
219	{
220	return (void *)set->data;
221	}
222
223	extern struct nft_set nf_tables_set_lookup(const struct nft_table table,
224	const struct nlattr *nla);
225
226	/**
227	* struct nft_set_binding - nf_tables set binding
228	*
229	* @list: set bindings list node
230	* @chain: chain containing the rule bound to the set
231	*
232	* A set binding contains all information necessary for validation
233	* of new elements added to a bound set.
234	*/
235	struct nft_set_binding {
236	struct list_head list;
237	const struct nft_chain *chain;
238	};
239
240	extern int nf_tables_bind_set(const struct nft_ctx ctx, struct nft_set set,
241	struct nft_set_binding *binding);
242	extern void nf_tables_unbind_set(const struct nft_ctx ctx, struct nft_set set,
243	struct nft_set_binding *binding);
244
ef1f7df9	245
96518518	246	/**
ef1f7df9	247	* struct nft_expr_type - nf_tables expression type
96518518	248	*
ef1f7df9 PM	249	* @select_ops: function to select nft_expr_ops
ef1f7df9 PM	250	* @ops: default ops, used when no select_ops functions is present
96518518 PM	251	* @list: used internally
	252	* @name: Identifier
	253	* @owner: module reference
	254	* @policy: netlink attribute policy
	255	* @maxattr: highest netlink attribute number
ef1f7df9 PM	256	*/
ef1f7df9 PM	257	struct nft_expr_type {
0ca743a5 PNA	258	const struct nft_expr_ops (select_ops)(const struct nft_ctx *,
0ca743a5 PNA	259	const struct nlattr * const tb[]);
ef1f7df9 PM	260	const struct nft_expr_ops *ops;
	261	struct list_head list;
	262	const char *name;
	263	struct module *owner;
	264	const struct nla_policy *policy;
	265	unsigned int maxattr;
	266	};
	267
	268	/**
	269	* struct nft_expr_ops - nf_tables expression operations
	270	*
	271	* @eval: Expression evaluation function
96518518	272	* @size: full expression size, including private data size
ef1f7df9 PM	273	* @init: initialization function
	274	* @destroy: destruction function
	275	* @dump: function to dump parameters
	276	* @type: expression type
0ca743a5 PNA	277	* @validate: validate expression, called during loop detection
0ca743a5 PNA	278	* @data: extra data to attach to this expression operation
96518518 PM	279	*/
	280	struct nft_expr;
	281	struct nft_expr_ops {
	282	void (eval)(const struct nft_expr expr,
	283	struct nft_data data[NFT_REG_MAX + 1],
	284	const struct nft_pktinfo *pkt);
ef1f7df9 PM	285	unsigned int size;
ef1f7df9 PM	286
96518518 PM	287	int (init)(const struct nft_ctx ctx,
	288	const struct nft_expr *expr,
	289	const struct nlattr * const tb[]);
	290	void (destroy)(const struct nft_expr expr);
	291	int (dump)(struct sk_buff skb,
	292	const struct nft_expr *expr);
0ca743a5 PNA	293	int (validate)(const struct nft_ctx ctx,
	294	const struct nft_expr *expr,
	295	const struct nft_data **data);
ef1f7df9	296	const struct nft_expr_type *type;
0ca743a5	297	void *data;
96518518 PM	298	};
96518518 PM	299
ef1f7df9	300	#define NFT_EXPR_MAXATTR 16
96518518 PM	301	#define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
	302	ALIGN(size, __alignof__(struct nft_expr)))
	303
	304	/**
	305	* struct nft_expr - nf_tables expression
	306	*
	307	* @ops: expression ops
	308	* @data: expression private data
	309	*/
	310	struct nft_expr {
	311	const struct nft_expr_ops *ops;
	312	unsigned char data[];
	313	};
	314
	315	static inline void nft_expr_priv(const struct nft_expr expr)
	316	{
	317	return (void *)expr->data;
	318	}
	319
	320	/**
	321	* struct nft_rule - nf_tables rule
	322	*
	323	* @list: used internally
	324	* @rcu_head: used internally for rcu
	325	* @handle: rule handle
0628b123	326	* @genmask: generation mask
96518518 PM	327	* @dlen: length of expression data
	328	* @data: expression data
	329	*/
	330	struct nft_rule {
	331	struct list_head list;
	332	struct rcu_head rcu_head;
0628b123 PNA	333	u64 handle:46,
0628b123 PNA	334	genmask:2,
96518518 PM	335	dlen:16;
	336	unsigned char data[]
	337	__attribute__((aligned(__alignof__(struct nft_expr))));
	338	};
	339
0628b123 PNA	340	/**
	341	* struct nft_rule_trans - nf_tables rule update in transaction
	342	*
	343	* @list: used internally
	344	* @rule: rule that needs to be updated
	345	* @chain: chain that this rule belongs to
	346	* @table: table for which this chain applies
	347	* @nlh: netlink header of the message that contain this update
	348	* @family: family expressesed as AF_*
	349	*/
	350	struct nft_rule_trans {
	351	struct list_head list;
	352	struct nft_rule *rule;
	353	const struct nft_chain *chain;
	354	const struct nft_table *table;
	355	const struct nlmsghdr *nlh;
	356	u8 family;
	357	};
	358
96518518 PM	359	static inline struct nft_expr nft_expr_first(const struct nft_rule rule)
	360	{
	361	return (struct nft_expr *)&rule->data[0];
	362	}
	363
	364	static inline struct nft_expr nft_expr_next(const struct nft_expr expr)
	365	{
	366	return ((void *)expr) + expr->ops->size;
	367	}
	368
	369	static inline struct nft_expr nft_expr_last(const struct nft_rule rule)
	370	{
	371	return (struct nft_expr *)&rule->data[rule->dlen];
	372	}
	373
	374	/*
	375	* The last pointer isn't really necessary, but the compiler isn't able to
	376	* determine that the result of nft_expr_last() is always the same since it
	377	* can't assume that the dlen value wasn't changed within calls in the loop.
	378	*/
	379	#define nft_rule_for_each_expr(expr, last, rule) \
	380	for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
	381	(expr) != (last); \
	382	(expr) = nft_expr_next(expr))
	383
	384	enum nft_chain_flags {
	385	NFT_BASE_CHAIN = 0x1,
96518518 PM	386	};
	387
	388	/**
	389	* struct nft_chain - nf_tables chain
	390	*
	391	* @rules: list of rules in the chain
	392	* @list: used internally
	393	* @rcu_head: used internally
0628b123	394	* @net: net namespace that this chain belongs to
b5bc89bf	395	* @table: table that this chain belongs to
96518518 PM	396	* @handle: chain handle
	397	* @flags: bitmask of enum nft_chain_flags
	398	* @use: number of jump references to this chain
	399	* @level: length of longest path to this chain
	400	* @name: name of the chain
	401	*/
	402	struct nft_chain {
	403	struct list_head rules;
	404	struct list_head list;
	405	struct rcu_head rcu_head;
0628b123	406	struct net *net;
b5bc89bf	407	struct nft_table *table;
96518518 PM	408	u64 handle;
	409	u8 flags;
	410	u16 use;
	411	u16 level;
	412	char name[NFT_CHAIN_MAXNAMELEN];
	413	};
	414
9370761c PNA	415	enum nft_chain_type {
	416	NFT_CHAIN_T_DEFAULT = 0,
	417	NFT_CHAIN_T_ROUTE,
	418	NFT_CHAIN_T_NAT,
	419	NFT_CHAIN_T_MAX
	420	};
	421
0ca743a5 PNA	422	struct nft_stats {
	423	u64 bytes;
	424	u64 pkts;
	425	};
	426
96518518 PM	427	/**
	428	* struct nft_base_chain - nf_tables base chain
	429	*
	430	* @ops: netfilter hook ops
9370761c	431	* @type: chain type
0ca743a5 PNA	432	* @policy: default policy
0ca743a5 PNA	433	* @stats: per-cpu chain stats
96518518 PM	434	* @chain: the chain
	435	*/
	436	struct nft_base_chain {
	437	struct nf_hook_ops ops;
9370761c	438	enum nft_chain_type type;
0ca743a5 PNA	439	u8 policy;
0ca743a5 PNA	440	struct nft_stats __percpu *stats;
96518518 PM	441	struct nft_chain chain;
	442	};
	443
	444	static inline struct nft_base_chain nft_base_chain(const struct nft_chain chain)
	445	{
	446	return container_of(chain, struct nft_base_chain, chain);
	447	}
	448
0ca743a5 PNA	449	extern unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,
0ca743a5 PNA	450	const struct nf_hook_ops *ops);
96518518	451
96518518 PM	452	/**
	453	* struct nft_table - nf_tables table
	454	*
	455	* @list: used internally
	456	* @chains: chains in the table
	457	* @sets: sets in the table
	458	* @hgenerator: handle generator state
	459	* @use: number of chain references to this table
	460	* @flags: table flag (see enum nft_table_flags)
	461	* @name: name of the table
	462	*/
	463	struct nft_table {
	464	struct list_head list;
	465	struct list_head chains;
	466	struct list_head sets;
	467	u64 hgenerator;
	468	u32 use;
	469	u16 flags;
	470	char name[];
	471	};
	472
	473	/**
	474	* struct nft_af_info - nf_tables address family info
	475	*
	476	* @list: used internally
	477	* @family: address family
	478	* @nhooks: number of hooks in this family
	479	* @owner: module owner
	480	* @tables: used internally
	481	* @hooks: hookfn overrides for packet validation
	482	*/
	483	struct nft_af_info {
	484	struct list_head list;
	485	int family;
	486	unsigned int nhooks;
	487	struct module *owner;
	488	struct list_head tables;
	489	nf_hookfn *hooks[NF_MAX_HOOKS];
	490	};
	491
99633ab2	492	extern int nft_register_afinfo(struct net , struct nft_af_info );
96518518 PM	493	extern void nft_unregister_afinfo(struct nft_af_info *);
96518518 PM	494
9370761c PNA	495	struct nf_chain_type {
	496	unsigned int hook_mask;
	497	const char *name;
	498	enum nft_chain_type type;
	499	nf_hookfn *fn[NF_MAX_HOOKS];
	500	struct module *me;
	501	int family;
	502	};
	503
	504	extern int nft_register_chain_type(struct nf_chain_type *);
	505	extern void nft_unregister_chain_type(struct nf_chain_type *);
96518518	506
ef1f7df9 PM	507	extern int nft_register_expr(struct nft_expr_type *);
ef1f7df9 PM	508	extern void nft_unregister_expr(struct nft_expr_type *);
96518518 PM	509
	510	#define MODULE_ALIAS_NFT_FAMILY(family) \
	511	MODULE_ALIAS("nft-afinfo-" __stringify(family))
	512
9370761c PNA	513	#define MODULE_ALIAS_NFT_CHAIN(family, name) \
9370761c PNA	514	MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
96518518 PM	515
	516	#define MODULE_ALIAS_NFT_EXPR(name) \
	517	MODULE_ALIAS("nft-expr-" name)
	518
20a69341 PM	519	#define MODULE_ALIAS_NFT_SET() \
	520	MODULE_ALIAS("nft-set")
	521
96518518	522	#endif /* _NET_NF_TABLES_H */