1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/nfnetlink.h>
7 #include <linux/netfilter/x_tables.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <linux/u64_stats_sync.h>
10 #include <net/netlink.h>
12 #define NFT_JUMP_STACK_SIZE 16
16 const struct net_device
*in
;
17 const struct net_device
*out
;
18 const struct nf_hook_ops
*ops
;
22 /* for x_tables compatibility */
23 struct xt_action_param xt
;
26 static inline void nft_set_pktinfo(struct nft_pktinfo
*pkt
,
27 const struct nf_hook_ops
*ops
,
29 const struct nf_hook_state
*state
)
32 pkt
->in
= pkt
->xt
.in
= state
->in
;
33 pkt
->out
= pkt
->xt
.out
= state
->out
;
35 pkt
->xt
.hooknum
= ops
->hooknum
;
36 pkt
->xt
.family
= ops
->pf
;
44 struct nft_chain
*chain
;
47 } __attribute__((aligned(__alignof__(u64
))));
49 static inline int nft_data_cmp(const struct nft_data
*d1
,
50 const struct nft_data
*d2
,
53 return memcmp(d1
->data
, d2
->data
, len
);
56 static inline void nft_data_copy(struct nft_data
*dst
,
57 const struct nft_data
*src
)
59 BUILD_BUG_ON(__alignof__(*dst
) != __alignof__(u64
));
60 *(u64
*)&dst
->data
[0] = *(u64
*)&src
->data
[0];
61 *(u64
*)&dst
->data
[2] = *(u64
*)&src
->data
[2];
64 static inline void nft_data_debug(const struct nft_data
*data
)
66 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
67 data
->data
[0], data
->data
[1],
68 data
->data
[2], data
->data
[3]);
72 * struct nft_ctx - nf_tables rule/set context
75 * @afi: address family info
76 * @table: the table the chain is contained in
77 * @chain: the chain the rule is contained in
78 * @nla: netlink attributes
79 * @portid: netlink portID of the original message
80 * @seq: netlink sequence number
81 * @report: notify via unicast netlink message
85 struct nft_af_info
*afi
;
86 struct nft_table
*table
;
87 struct nft_chain
*chain
;
88 const struct nlattr
* const *nla
;
94 struct nft_data_desc
{
95 enum nft_data_types type
;
99 int nft_data_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
100 struct nft_data_desc
*desc
, const struct nlattr
*nla
);
101 void nft_data_uninit(const struct nft_data
*data
, enum nft_data_types type
);
102 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
103 enum nft_data_types type
, unsigned int len
);
105 static inline enum nft_data_types
nft_dreg_to_type(enum nft_registers reg
)
107 return reg
== NFT_REG_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
;
110 static inline enum nft_registers
nft_type_to_reg(enum nft_data_types type
)
112 return type
== NFT_DATA_VERDICT
? NFT_REG_VERDICT
: NFT_REG_1
;
115 int nft_validate_input_register(enum nft_registers reg
);
116 int nft_validate_output_register(enum nft_registers reg
);
117 int nft_validate_register_store(const struct nft_ctx
*ctx
,
118 enum nft_registers reg
,
119 const struct nft_data
*data
,
120 enum nft_data_types type
, unsigned int len
);
124 * struct nft_userdata - user defined data associated with an object
126 * @len: length of the data
129 * The presence of user data is indicated in an object specific fashion,
130 * so a length of zero can't occur and the value "len" indicates data
133 struct nft_userdata
{
135 unsigned char data
[0];
139 * struct nft_set_elem - generic representation of set elements
142 * @priv: element private data and extensions
144 struct nft_set_elem
{
150 struct nft_set_iter
{
154 int (*fn
)(const struct nft_ctx
*ctx
,
155 const struct nft_set
*set
,
156 const struct nft_set_iter
*iter
,
157 const struct nft_set_elem
*elem
);
161 * struct nft_set_desc - description of set elements
165 * @size: number of set elements
167 struct nft_set_desc
{
174 * enum nft_set_class - performance class
176 * @NFT_LOOKUP_O_1: constant, O(1)
177 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
178 * @NFT_LOOKUP_O_N: linear, O(N)
182 NFT_SET_CLASS_O_LOG_N
,
187 * struct nft_set_estimate - estimation of memory and performance
190 * @size: required memory
191 * @class: lookup performance class
193 struct nft_set_estimate
{
195 enum nft_set_class
class;
202 * struct nft_set_ops - nf_tables set operations
204 * @lookup: look up an element within the set
205 * @insert: insert new element into set
206 * @activate: activate new element in the next generation
207 * @deactivate: deactivate element in the next generation
208 * @remove: remove element from set
209 * @walk: iterate over all set elemeennts
210 * @privsize: function to return size of set private data
211 * @init: initialize private data of new set instance
212 * @destroy: destroy private data of set instance
213 * @list: nf_tables_set_ops list node
214 * @owner: module reference
215 * @elemsize: element private size
216 * @features: features supported by the implementation
219 bool (*lookup
)(const struct nft_set
*set
,
220 const struct nft_data
*key
,
221 const struct nft_set_ext
**ext
);
222 bool (*update
)(struct nft_set
*set
,
223 const struct nft_data
*key
,
224 void *(*new)(struct nft_set
*,
225 const struct nft_expr
*,
227 const struct nft_expr
*expr
,
228 struct nft_data data
[],
229 const struct nft_set_ext
**ext
);
231 int (*insert
)(const struct nft_set
*set
,
232 const struct nft_set_elem
*elem
);
233 void (*activate
)(const struct nft_set
*set
,
234 const struct nft_set_elem
*elem
);
235 void * (*deactivate
)(const struct nft_set
*set
,
236 const struct nft_set_elem
*elem
);
237 void (*remove
)(const struct nft_set
*set
,
238 const struct nft_set_elem
*elem
);
239 void (*walk
)(const struct nft_ctx
*ctx
,
240 const struct nft_set
*set
,
241 struct nft_set_iter
*iter
);
243 unsigned int (*privsize
)(const struct nlattr
* const nla
[]);
244 bool (*estimate
)(const struct nft_set_desc
*desc
,
246 struct nft_set_estimate
*est
);
247 int (*init
)(const struct nft_set
*set
,
248 const struct nft_set_desc
*desc
,
249 const struct nlattr
* const nla
[]);
250 void (*destroy
)(const struct nft_set
*set
);
252 struct list_head list
;
253 struct module
*owner
;
254 unsigned int elemsize
;
258 int nft_register_set(struct nft_set_ops
*ops
);
259 void nft_unregister_set(struct nft_set_ops
*ops
);
262 * struct nft_set - nf_tables set instance
264 * @list: table set list node
265 * @bindings: list of set bindings
266 * @name: name of the set
267 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
268 * @dtype: data type (verdict or numeric type defined by userspace)
269 * @size: maximum set size
270 * @nelems: number of elements
271 * @ndeact: number of deactivated elements queued for removal
272 * @timeout: default timeout value in msecs
273 * @gc_int: garbage collection interval in msecs
274 * @policy: set parameterization (see enum nft_set_policies)
276 * @pnet: network namespace
280 * @data: private set data
283 struct list_head list
;
284 struct list_head bindings
;
294 /* runtime data below here */
295 const struct nft_set_ops
*ops ____cacheline_aligned
;
301 __attribute__((aligned(__alignof__(u64
))));
304 static inline void *nft_set_priv(const struct nft_set
*set
)
306 return (void *)set
->data
;
309 static inline struct nft_set
*nft_set_container_of(const void *priv
)
311 return (void *)priv
- offsetof(struct nft_set
, data
);
314 struct nft_set
*nf_tables_set_lookup(const struct nft_table
*table
,
315 const struct nlattr
*nla
);
316 struct nft_set
*nf_tables_set_lookup_byid(const struct net
*net
,
317 const struct nlattr
*nla
);
319 static inline unsigned long nft_set_gc_interval(const struct nft_set
*set
)
321 return set
->gc_int
? msecs_to_jiffies(set
->gc_int
) : HZ
;
325 * struct nft_set_binding - nf_tables set binding
327 * @list: set bindings list node
328 * @chain: chain containing the rule bound to the set
329 * @flags: set action flags
331 * A set binding contains all information necessary for validation
332 * of new elements added to a bound set.
334 struct nft_set_binding
{
335 struct list_head list
;
336 const struct nft_chain
*chain
;
340 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
341 struct nft_set_binding
*binding
);
342 void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
343 struct nft_set_binding
*binding
);
346 * enum nft_set_extensions - set extension type IDs
348 * @NFT_SET_EXT_KEY: element key
349 * @NFT_SET_EXT_DATA: mapping data
350 * @NFT_SET_EXT_FLAGS: element flags
351 * @NFT_SET_EXT_TIMEOUT: element timeout
352 * @NFT_SET_EXT_EXPIRATION: element expiration time
353 * @NFT_SET_EXT_USERDATA: user data associated with the element
354 * @NFT_SET_EXT_NUM: number of extension types
356 enum nft_set_extensions
{
361 NFT_SET_EXT_EXPIRATION
,
362 NFT_SET_EXT_USERDATA
,
367 * struct nft_set_ext_type - set extension type
369 * @len: fixed part length of the extension
370 * @align: alignment requirements of the extension
372 struct nft_set_ext_type
{
377 extern const struct nft_set_ext_type nft_set_ext_types
[];
380 * struct nft_set_ext_tmpl - set extension template
382 * @len: length of extension area
383 * @offset: offsets of individual extension types
385 struct nft_set_ext_tmpl
{
387 u8 offset
[NFT_SET_EXT_NUM
];
391 * struct nft_set_ext - set extensions
393 * @genmask: generation mask
394 * @offset: offsets of individual extension types
395 * @data: beginning of extension data
399 u8 offset
[NFT_SET_EXT_NUM
];
403 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl
*tmpl
)
405 memset(tmpl
, 0, sizeof(*tmpl
));
406 tmpl
->len
= sizeof(struct nft_set_ext
);
409 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl
*tmpl
, u8 id
,
412 tmpl
->len
= ALIGN(tmpl
->len
, nft_set_ext_types
[id
].align
);
413 BUG_ON(tmpl
->len
> U8_MAX
);
414 tmpl
->offset
[id
] = tmpl
->len
;
415 tmpl
->len
+= nft_set_ext_types
[id
].len
+ len
;
418 static inline void nft_set_ext_add(struct nft_set_ext_tmpl
*tmpl
, u8 id
)
420 nft_set_ext_add_length(tmpl
, id
, 0);
423 static inline void nft_set_ext_init(struct nft_set_ext
*ext
,
424 const struct nft_set_ext_tmpl
*tmpl
)
426 memcpy(ext
->offset
, tmpl
->offset
, sizeof(ext
->offset
));
429 static inline bool __nft_set_ext_exists(const struct nft_set_ext
*ext
, u8 id
)
431 return !!ext
->offset
[id
];
434 static inline bool nft_set_ext_exists(const struct nft_set_ext
*ext
, u8 id
)
436 return ext
&& __nft_set_ext_exists(ext
, id
);
439 static inline void *nft_set_ext(const struct nft_set_ext
*ext
, u8 id
)
441 return (void *)ext
+ ext
->offset
[id
];
444 static inline struct nft_data
*nft_set_ext_key(const struct nft_set_ext
*ext
)
446 return nft_set_ext(ext
, NFT_SET_EXT_KEY
);
449 static inline struct nft_data
*nft_set_ext_data(const struct nft_set_ext
*ext
)
451 return nft_set_ext(ext
, NFT_SET_EXT_DATA
);
454 static inline u8
*nft_set_ext_flags(const struct nft_set_ext
*ext
)
456 return nft_set_ext(ext
, NFT_SET_EXT_FLAGS
);
459 static inline u64
*nft_set_ext_timeout(const struct nft_set_ext
*ext
)
461 return nft_set_ext(ext
, NFT_SET_EXT_TIMEOUT
);
464 static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext
*ext
)
466 return nft_set_ext(ext
, NFT_SET_EXT_EXPIRATION
);
469 static inline struct nft_userdata
*nft_set_ext_userdata(const struct nft_set_ext
*ext
)
471 return nft_set_ext(ext
, NFT_SET_EXT_USERDATA
);
474 static inline bool nft_set_elem_expired(const struct nft_set_ext
*ext
)
476 return nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
) &&
477 time_is_before_eq_jiffies(*nft_set_ext_expiration(ext
));
480 static inline struct nft_set_ext
*nft_set_elem_ext(const struct nft_set
*set
,
483 return elem
+ set
->ops
->elemsize
;
486 void *nft_set_elem_init(const struct nft_set
*set
,
487 const struct nft_set_ext_tmpl
*tmpl
,
488 const struct nft_data
*key
,
489 const struct nft_data
*data
,
490 u64 timeout
, gfp_t gfp
);
491 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
);
494 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
497 * @set: set the elements belong to
498 * @cnt: count of elements
500 struct nft_set_gc_batch_head
{
502 const struct nft_set
*set
;
506 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \
507 sizeof(struct nft_set_gc_batch_head)) / \
511 * struct nft_set_gc_batch - nf_tables set garbage collection batch
513 * @head: GC batch head
514 * @elems: garbage collection elements
516 struct nft_set_gc_batch
{
517 struct nft_set_gc_batch_head head
;
518 void *elems
[NFT_SET_GC_BATCH_SIZE
];
521 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
523 void nft_set_gc_batch_release(struct rcu_head
*rcu
);
525 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch
*gcb
)
528 call_rcu(&gcb
->head
.rcu
, nft_set_gc_batch_release
);
531 static inline struct nft_set_gc_batch
*
532 nft_set_gc_batch_check(const struct nft_set
*set
, struct nft_set_gc_batch
*gcb
,
536 if (gcb
->head
.cnt
+ 1 < ARRAY_SIZE(gcb
->elems
))
538 nft_set_gc_batch_complete(gcb
);
540 return nft_set_gc_batch_alloc(set
, gfp
);
543 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch
*gcb
,
546 gcb
->elems
[gcb
->head
.cnt
++] = elem
;
550 * struct nft_expr_type - nf_tables expression type
552 * @select_ops: function to select nft_expr_ops
553 * @ops: default ops, used when no select_ops functions is present
554 * @list: used internally
556 * @owner: module reference
557 * @policy: netlink attribute policy
558 * @maxattr: highest netlink attribute number
559 * @family: address family for AF-specific types
561 struct nft_expr_type
{
562 const struct nft_expr_ops
*(*select_ops
)(const struct nft_ctx
*,
563 const struct nlattr
* const tb
[]);
564 const struct nft_expr_ops
*ops
;
565 struct list_head list
;
567 struct module
*owner
;
568 const struct nla_policy
*policy
;
569 unsigned int maxattr
;
574 * struct nft_expr_ops - nf_tables expression operations
576 * @eval: Expression evaluation function
577 * @size: full expression size, including private data size
578 * @init: initialization function
579 * @destroy: destruction function
580 * @dump: function to dump parameters
581 * @type: expression type
582 * @validate: validate expression, called during loop detection
583 * @data: extra data to attach to this expression operation
586 struct nft_expr_ops
{
587 void (*eval
)(const struct nft_expr
*expr
,
588 struct nft_data data
[NFT_REG_MAX
+ 1],
589 const struct nft_pktinfo
*pkt
);
592 int (*init
)(const struct nft_ctx
*ctx
,
593 const struct nft_expr
*expr
,
594 const struct nlattr
* const tb
[]);
595 void (*destroy
)(const struct nft_ctx
*ctx
,
596 const struct nft_expr
*expr
);
597 int (*dump
)(struct sk_buff
*skb
,
598 const struct nft_expr
*expr
);
599 int (*validate
)(const struct nft_ctx
*ctx
,
600 const struct nft_expr
*expr
,
601 const struct nft_data
**data
);
602 const struct nft_expr_type
*type
;
606 #define NFT_EXPR_MAXATTR 16
607 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
608 ALIGN(size, __alignof__(struct nft_expr)))
611 * struct nft_expr - nf_tables expression
613 * @ops: expression ops
614 * @data: expression private data
617 const struct nft_expr_ops
*ops
;
618 unsigned char data
[];
621 static inline void *nft_expr_priv(const struct nft_expr
*expr
)
623 return (void *)expr
->data
;
627 * struct nft_rule - nf_tables rule
629 * @list: used internally
630 * @handle: rule handle
631 * @genmask: generation mask
632 * @dlen: length of expression data
633 * @udata: user data is appended to the rule
634 * @data: expression data
637 struct list_head list
;
643 __attribute__((aligned(__alignof__(struct nft_expr
))));
646 static inline struct nft_expr
*nft_expr_first(const struct nft_rule
*rule
)
648 return (struct nft_expr
*)&rule
->data
[0];
651 static inline struct nft_expr
*nft_expr_next(const struct nft_expr
*expr
)
653 return ((void *)expr
) + expr
->ops
->size
;
656 static inline struct nft_expr
*nft_expr_last(const struct nft_rule
*rule
)
658 return (struct nft_expr
*)&rule
->data
[rule
->dlen
];
661 static inline struct nft_userdata
*nft_userdata(const struct nft_rule
*rule
)
663 return (void *)&rule
->data
[rule
->dlen
];
667 * The last pointer isn't really necessary, but the compiler isn't able to
668 * determine that the result of nft_expr_last() is always the same since it
669 * can't assume that the dlen value wasn't changed within calls in the loop.
671 #define nft_rule_for_each_expr(expr, last, rule) \
672 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
674 (expr) = nft_expr_next(expr))
676 enum nft_chain_flags
{
677 NFT_BASE_CHAIN
= 0x1,
678 NFT_CHAIN_INACTIVE
= 0x2,
682 * struct nft_chain - nf_tables chain
684 * @rules: list of rules in the chain
685 * @list: used internally
686 * @table: table that this chain belongs to
687 * @handle: chain handle
688 * @use: number of jump references to this chain
689 * @level: length of longest path to this chain
690 * @flags: bitmask of enum nft_chain_flags
691 * @name: name of the chain
694 struct list_head rules
;
695 struct list_head list
;
696 struct nft_table
*table
;
701 char name
[NFT_CHAIN_MAXNAMELEN
];
704 enum nft_chain_type
{
705 NFT_CHAIN_T_DEFAULT
= 0,
712 * struct nf_chain_type - nf_tables chain type info
714 * @name: name of the type
715 * @type: numeric identifier
716 * @family: address family
717 * @owner: module owner
718 * @hook_mask: mask of valid hooks
719 * @hooks: hookfn overrides
721 struct nf_chain_type
{
723 enum nft_chain_type type
;
725 struct module
*owner
;
726 unsigned int hook_mask
;
727 nf_hookfn
*hooks
[NF_MAX_HOOKS
];
730 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
731 enum nft_chain_type type
);
732 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
733 unsigned int hook_flags
);
738 struct u64_stats_sync syncp
;
741 #define NFT_HOOK_OPS_MAX 2
744 * struct nft_base_chain - nf_tables base chain
746 * @ops: netfilter hook ops
747 * @pnet: net namespace that this chain belongs to
749 * @policy: default policy
750 * @stats: per-cpu chain stats
753 struct nft_base_chain
{
754 struct nf_hook_ops ops
[NFT_HOOK_OPS_MAX
];
756 const struct nf_chain_type
*type
;
758 struct nft_stats __percpu
*stats
;
759 struct nft_chain chain
;
762 static inline struct nft_base_chain
*nft_base_chain(const struct nft_chain
*chain
)
764 return container_of(chain
, struct nft_base_chain
, chain
);
767 unsigned int nft_do_chain(struct nft_pktinfo
*pkt
,
768 const struct nf_hook_ops
*ops
);
771 * struct nft_table - nf_tables table
773 * @list: used internally
774 * @chains: chains in the table
775 * @sets: sets in the table
776 * @hgenerator: handle generator state
777 * @use: number of chain references to this table
778 * @flags: table flag (see enum nft_table_flags)
779 * @name: name of the table
782 struct list_head list
;
783 struct list_head chains
;
784 struct list_head sets
;
788 char name
[NFT_TABLE_MAXNAMELEN
];
792 * struct nft_af_info - nf_tables address family info
794 * @list: used internally
795 * @family: address family
796 * @nhooks: number of hooks in this family
797 * @owner: module owner
798 * @tables: used internally
799 * @nops: number of hook ops in this family
800 * @hook_ops_init: initialization function for chain hook ops
801 * @hooks: hookfn overrides for packet validation
804 struct list_head list
;
807 struct module
*owner
;
808 struct list_head tables
;
810 void (*hook_ops_init
)(struct nf_hook_ops
*,
812 nf_hookfn
*hooks
[NF_MAX_HOOKS
];
815 int nft_register_afinfo(struct net
*, struct nft_af_info
*);
816 void nft_unregister_afinfo(struct nft_af_info
*);
818 int nft_register_chain_type(const struct nf_chain_type
*);
819 void nft_unregister_chain_type(const struct nf_chain_type
*);
821 int nft_register_expr(struct nft_expr_type
*);
822 void nft_unregister_expr(struct nft_expr_type
*);
824 #define nft_dereference(p) \
825 nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
827 #define MODULE_ALIAS_NFT_FAMILY(family) \
828 MODULE_ALIAS("nft-afinfo-" __stringify(family))
830 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
831 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
833 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
834 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
836 #define MODULE_ALIAS_NFT_EXPR(name) \
837 MODULE_ALIAS("nft-expr-" name)
839 #define MODULE_ALIAS_NFT_SET() \
840 MODULE_ALIAS("nft-set")
843 * The gencursor defines two generations, the currently active and the
844 * next one. Objects contain a bitmask of 2 bits specifying the generations
845 * they're active in. A set bit means they're inactive in the generation
846 * represented by that bit.
848 * New objects start out as inactive in the current and active in the
849 * next generation. When committing the ruleset the bitmask is cleared,
850 * meaning they're active in all generations. When removing an object,
851 * it is set inactive in the next generation. After committing the ruleset,
852 * the objects are removed.
854 static inline unsigned int nft_gencursor_next(const struct net
*net
)
856 return net
->nft
.gencursor
+ 1 == 1 ? 1 : 0;
859 static inline u8
nft_genmask_next(const struct net
*net
)
861 return 1 << nft_gencursor_next(net
);
864 static inline u8
nft_genmask_cur(const struct net
*net
)
866 /* Use ACCESS_ONCE() to prevent refetching the value for atomicity */
867 return 1 << ACCESS_ONCE(net
->nft
.gencursor
);
870 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
873 * Set element transaction helpers
876 static inline bool nft_set_elem_active(const struct nft_set_ext
*ext
,
879 return !(ext
->genmask
& genmask
);
882 static inline void nft_set_elem_change_active(const struct nft_set
*set
,
883 struct nft_set_ext
*ext
)
885 ext
->genmask
^= nft_genmask_next(read_pnet(&set
->pnet
));
889 * We use a free bit in the genmask field to indicate the element
890 * is busy, meaning it is currently being processed either by
891 * the netlink API or GC.
893 * Even though the genmask is only a single byte wide, this works
894 * because the extension structure if fully constant once initialized,
895 * so there are no non-atomic write accesses unless it is already
898 #define NFT_SET_ELEM_BUSY_MASK (1 << 2)
900 #if defined(__LITTLE_ENDIAN_BITFIELD)
901 #define NFT_SET_ELEM_BUSY_BIT 2
902 #elif defined(__BIG_ENDIAN_BITFIELD)
903 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
908 static inline int nft_set_elem_mark_busy(struct nft_set_ext
*ext
)
910 unsigned long *word
= (unsigned long *)ext
;
912 BUILD_BUG_ON(offsetof(struct nft_set_ext
, genmask
) != 0);
913 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT
, word
);
916 static inline void nft_set_elem_clear_busy(struct nft_set_ext
*ext
)
918 unsigned long *word
= (unsigned long *)ext
;
920 clear_bit(NFT_SET_ELEM_BUSY_BIT
, word
);
924 * struct nft_trans - nf_tables object update in transaction
926 * @list: used internally
927 * @msg_type: message type
928 * @ctx: transaction context
929 * @data: internal information related to the transaction
932 struct list_head list
;
938 struct nft_trans_rule
{
939 struct nft_rule
*rule
;
942 #define nft_trans_rule(trans) \
943 (((struct nft_trans_rule *)trans->data)->rule)
945 struct nft_trans_set
{
950 #define nft_trans_set(trans) \
951 (((struct nft_trans_set *)trans->data)->set)
952 #define nft_trans_set_id(trans) \
953 (((struct nft_trans_set *)trans->data)->set_id)
955 struct nft_trans_chain
{
957 char name
[NFT_CHAIN_MAXNAMELEN
];
958 struct nft_stats __percpu
*stats
;
962 #define nft_trans_chain_update(trans) \
963 (((struct nft_trans_chain *)trans->data)->update)
964 #define nft_trans_chain_name(trans) \
965 (((struct nft_trans_chain *)trans->data)->name)
966 #define nft_trans_chain_stats(trans) \
967 (((struct nft_trans_chain *)trans->data)->stats)
968 #define nft_trans_chain_policy(trans) \
969 (((struct nft_trans_chain *)trans->data)->policy)
971 struct nft_trans_table
{
976 #define nft_trans_table_update(trans) \
977 (((struct nft_trans_table *)trans->data)->update)
978 #define nft_trans_table_enable(trans) \
979 (((struct nft_trans_table *)trans->data)->enable)
981 struct nft_trans_elem
{
983 struct nft_set_elem elem
;
986 #define nft_trans_elem_set(trans) \
987 (((struct nft_trans_elem *)trans->data)->set)
988 #define nft_trans_elem(trans) \
989 (((struct nft_trans_elem *)trans->data)->elem)
991 #endif /* _NET_NF_TABLES_H */