projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nf_tables: rename nft_validate_data_load()
[deliverable/linux.git] / include / net / netfilter / nf_tables.h
1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
3
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/nfnetlink.h>
7 #include <linux/netfilter/x_tables.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <linux/u64_stats_sync.h>
10 #include <net/netlink.h>
11
12 #define NFT_JUMP_STACK_SIZE 16
13
14 struct nft_pktinfo {
15 struct sk_buff *skb;
16 const struct net_device *in;
17 const struct net_device *out;
18 const struct nf_hook_ops *ops;
19 u8 nhoff;
20 u8 thoff;
21 u8 tprot;
22 /* for x_tables compatibility */
23 struct xt_action_param xt;
24 };
25
26 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
27 const struct nf_hook_ops *ops,
28 struct sk_buff *skb,
29 const struct nf_hook_state *state)
30 {
31 pkt->skb = skb;
32 pkt->in = pkt->xt.in = state->in;
33 pkt->out = pkt->xt.out = state->out;
34 pkt->ops = ops;
35 pkt->xt.hooknum = ops->hooknum;
36 pkt->xt.family = ops->pf;
37 }
38
39 struct nft_data {
40 union {
41 u32 data[4];
42 struct {
43 u32 verdict;
44 struct nft_chain *chain;
45 };
46 };
47 } __attribute__((aligned(__alignof__(u64))));
48
49 static inline int nft_data_cmp(const struct nft_data *d1,
50 const struct nft_data *d2,
51 unsigned int len)
52 {
53 return memcmp(d1->data, d2->data, len);
54 }
55
56 static inline void nft_data_copy(struct nft_data *dst,
57 const struct nft_data *src)
58 {
59 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
60 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
61 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
62 }
63
64 static inline void nft_data_debug(const struct nft_data *data)
65 {
66 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
67 data->data[0], data->data[1],
68 data->data[2], data->data[3]);
69 }
70
71 /**
72 * struct nft_ctx - nf_tables rule/set context
73 *
74 * @net: net namespace
75 * @afi: address family info
76 * @table: the table the chain is contained in
77 * @chain: the chain the rule is contained in
78 * @nla: netlink attributes
79 * @portid: netlink portID of the original message
80 * @seq: netlink sequence number
81 * @report: notify via unicast netlink message
82 */
83 struct nft_ctx {
84 struct net *net;
85 struct nft_af_info *afi;
86 struct nft_table *table;
87 struct nft_chain *chain;
88 const struct nlattr * const *nla;
89 u32 portid;
90 u32 seq;
91 bool report;
92 };
93
94 struct nft_data_desc {
95 enum nft_data_types type;
96 unsigned int len;
97 };
98
99 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
100 struct nft_data_desc *desc, const struct nlattr *nla);
101 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
102 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
103 enum nft_data_types type, unsigned int len);
104
105 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
106 {
107 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
108 }
109
110 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
111 {
112 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
113 }
114
115 int nft_validate_input_register(enum nft_registers reg);
116 int nft_validate_output_register(enum nft_registers reg);
117 int nft_validate_register_store(const struct nft_ctx *ctx,
118 enum nft_registers reg,
119 const struct nft_data *data,
120 enum nft_data_types type, unsigned int len);
121
122
123 /**
124 * struct nft_userdata - user defined data associated with an object
125 *
126 * @len: length of the data
127 * @data: content
128 *
129 * The presence of user data is indicated in an object specific fashion,
130 * so a length of zero can't occur and the value "len" indicates data
131 * of length len + 1.
132 */
133 struct nft_userdata {
134 u8 len;
135 unsigned char data[0];
136 };
137
138 /**
139 * struct nft_set_elem - generic representation of set elements
140 *
141 * @key: element key
142 * @priv: element private data and extensions
143 */
144 struct nft_set_elem {
145 struct nft_data key;
146 void *priv;
147 };
148
149 struct nft_set;
150 struct nft_set_iter {
151 unsigned int count;
152 unsigned int skip;
153 int err;
154 int (*fn)(const struct nft_ctx *ctx,
155 const struct nft_set *set,
156 const struct nft_set_iter *iter,
157 const struct nft_set_elem *elem);
158 };
159
160 /**
161 * struct nft_set_desc - description of set elements
162 *
163 * @klen: key length
164 * @dlen: data length
165 * @size: number of set elements
166 */
167 struct nft_set_desc {
168 unsigned int klen;
169 unsigned int dlen;
170 unsigned int size;
171 };
172
173 /**
174 * enum nft_set_class - performance class
175 *
176 * @NFT_LOOKUP_O_1: constant, O(1)
177 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
178 * @NFT_LOOKUP_O_N: linear, O(N)
179 */
180 enum nft_set_class {
181 NFT_SET_CLASS_O_1,
182 NFT_SET_CLASS_O_LOG_N,
183 NFT_SET_CLASS_O_N,
184 };
185
186 /**
187 * struct nft_set_estimate - estimation of memory and performance
188 * characteristics
189 *
190 * @size: required memory
191 * @class: lookup performance class
192 */
193 struct nft_set_estimate {
194 unsigned int size;
195 enum nft_set_class class;
196 };
197
198 struct nft_set_ext;
199 struct nft_expr;
200
201 /**
202 * struct nft_set_ops - nf_tables set operations
203 *
204 * @lookup: look up an element within the set
205 * @insert: insert new element into set
206 * @activate: activate new element in the next generation
207 * @deactivate: deactivate element in the next generation
208 * @remove: remove element from set
209 * @walk: iterate over all set elemeennts
210 * @privsize: function to return size of set private data
211 * @init: initialize private data of new set instance
212 * @destroy: destroy private data of set instance
213 * @list: nf_tables_set_ops list node
214 * @owner: module reference
215 * @elemsize: element private size
216 * @features: features supported by the implementation
217 */
218 struct nft_set_ops {
219 bool (*lookup)(const struct nft_set *set,
220 const struct nft_data *key,
221 const struct nft_set_ext **ext);
222 bool (*update)(struct nft_set *set,
223 const struct nft_data *key,
224 void *(*new)(struct nft_set *,
225 const struct nft_expr *,
226 struct nft_data []),
227 const struct nft_expr *expr,
228 struct nft_data data[],
229 const struct nft_set_ext **ext);
230
231 int (*insert)(const struct nft_set *set,
232 const struct nft_set_elem *elem);
233 void (*activate)(const struct nft_set *set,
234 const struct nft_set_elem *elem);
235 void * (*deactivate)(const struct nft_set *set,
236 const struct nft_set_elem *elem);
237 void (*remove)(const struct nft_set *set,
238 const struct nft_set_elem *elem);
239 void (*walk)(const struct nft_ctx *ctx,
240 const struct nft_set *set,
241 struct nft_set_iter *iter);
242
243 unsigned int (*privsize)(const struct nlattr * const nla[]);
244 bool (*estimate)(const struct nft_set_desc *desc,
245 u32 features,
246 struct nft_set_estimate *est);
247 int (*init)(const struct nft_set *set,
248 const struct nft_set_desc *desc,
249 const struct nlattr * const nla[]);
250 void (*destroy)(const struct nft_set *set);
251
252 struct list_head list;
253 struct module *owner;
254 unsigned int elemsize;
255 u32 features;
256 };
257
258 int nft_register_set(struct nft_set_ops *ops);
259 void nft_unregister_set(struct nft_set_ops *ops);
260
261 /**
262 * struct nft_set - nf_tables set instance
263 *
264 * @list: table set list node
265 * @bindings: list of set bindings
266 * @name: name of the set
267 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
268 * @dtype: data type (verdict or numeric type defined by userspace)
269 * @size: maximum set size
270 * @nelems: number of elements
271 * @ndeact: number of deactivated elements queued for removal
272 * @timeout: default timeout value in msecs
273 * @gc_int: garbage collection interval in msecs
274 * @policy: set parameterization (see enum nft_set_policies)
275 * @ops: set ops
276 * @pnet: network namespace
277 * @flags: set flags
278 * @klen: key length
279 * @dlen: data length
280 * @data: private set data
281 */
282 struct nft_set {
283 struct list_head list;
284 struct list_head bindings;
285 char name[IFNAMSIZ];
286 u32 ktype;
287 u32 dtype;
288 u32 size;
289 atomic_t nelems;
290 u32 ndeact;
291 u64 timeout;
292 u32 gc_int;
293 u16 policy;
294 /* runtime data below here */
295 const struct nft_set_ops *ops ____cacheline_aligned;
296 possible_net_t pnet;
297 u16 flags;
298 u8 klen;
299 u8 dlen;
300 unsigned char data[]
301 __attribute__((aligned(__alignof__(u64))));
302 };
303
304 static inline void *nft_set_priv(const struct nft_set *set)
305 {
306 return (void *)set->data;
307 }
308
309 static inline struct nft_set *nft_set_container_of(const void *priv)
310 {
311 return (void *)priv - offsetof(struct nft_set, data);
312 }
313
314 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
315 const struct nlattr *nla);
316 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
317 const struct nlattr *nla);
318
319 static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
320 {
321 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
322 }
323
324 /**
325 * struct nft_set_binding - nf_tables set binding
326 *
327 * @list: set bindings list node
328 * @chain: chain containing the rule bound to the set
329 * @flags: set action flags
330 *
331 * A set binding contains all information necessary for validation
332 * of new elements added to a bound set.
333 */
334 struct nft_set_binding {
335 struct list_head list;
336 const struct nft_chain *chain;
337 u32 flags;
338 };
339
340 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
341 struct nft_set_binding *binding);
342 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
343 struct nft_set_binding *binding);
344
345 /**
346 * enum nft_set_extensions - set extension type IDs
347 *
348 * @NFT_SET_EXT_KEY: element key
349 * @NFT_SET_EXT_DATA: mapping data
350 * @NFT_SET_EXT_FLAGS: element flags
351 * @NFT_SET_EXT_TIMEOUT: element timeout
352 * @NFT_SET_EXT_EXPIRATION: element expiration time
353 * @NFT_SET_EXT_USERDATA: user data associated with the element
354 * @NFT_SET_EXT_NUM: number of extension types
355 */
356 enum nft_set_extensions {
357 NFT_SET_EXT_KEY,
358 NFT_SET_EXT_DATA,
359 NFT_SET_EXT_FLAGS,
360 NFT_SET_EXT_TIMEOUT,
361 NFT_SET_EXT_EXPIRATION,
362 NFT_SET_EXT_USERDATA,
363 NFT_SET_EXT_NUM
364 };
365
366 /**
367 * struct nft_set_ext_type - set extension type
368 *
369 * @len: fixed part length of the extension
370 * @align: alignment requirements of the extension
371 */
372 struct nft_set_ext_type {
373 u8 len;
374 u8 align;
375 };
376
377 extern const struct nft_set_ext_type nft_set_ext_types[];
378
379 /**
380 * struct nft_set_ext_tmpl - set extension template
381 *
382 * @len: length of extension area
383 * @offset: offsets of individual extension types
384 */
385 struct nft_set_ext_tmpl {
386 u16 len;
387 u8 offset[NFT_SET_EXT_NUM];
388 };
389
390 /**
391 * struct nft_set_ext - set extensions
392 *
393 * @genmask: generation mask
394 * @offset: offsets of individual extension types
395 * @data: beginning of extension data
396 */
397 struct nft_set_ext {
398 u8 genmask;
399 u8 offset[NFT_SET_EXT_NUM];
400 char data[0];
401 };
402
403 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
404 {
405 memset(tmpl, 0, sizeof(*tmpl));
406 tmpl->len = sizeof(struct nft_set_ext);
407 }
408
409 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
410 unsigned int len)
411 {
412 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align);
413 BUG_ON(tmpl->len > U8_MAX);
414 tmpl->offset[id] = tmpl->len;
415 tmpl->len += nft_set_ext_types[id].len + len;
416 }
417
418 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
419 {
420 nft_set_ext_add_length(tmpl, id, 0);
421 }
422
423 static inline void nft_set_ext_init(struct nft_set_ext *ext,
424 const struct nft_set_ext_tmpl *tmpl)
425 {
426 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
427 }
428
429 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
430 {
431 return !!ext->offset[id];
432 }
433
434 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
435 {
436 return ext && __nft_set_ext_exists(ext, id);
437 }
438
439 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
440 {
441 return (void *)ext + ext->offset[id];
442 }
443
444 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
445 {
446 return nft_set_ext(ext, NFT_SET_EXT_KEY);
447 }
448
449 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
450 {
451 return nft_set_ext(ext, NFT_SET_EXT_DATA);
452 }
453
454 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
455 {
456 return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
457 }
458
459 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
460 {
461 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
462 }
463
464 static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext)
465 {
466 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
467 }
468
469 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
470 {
471 return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
472 }
473
474 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
475 {
476 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
477 time_is_before_eq_jiffies(*nft_set_ext_expiration(ext));
478 }
479
480 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
481 void *elem)
482 {
483 return elem + set->ops->elemsize;
484 }
485
486 void *nft_set_elem_init(const struct nft_set *set,
487 const struct nft_set_ext_tmpl *tmpl,
488 const struct nft_data *key,
489 const struct nft_data *data,
490 u64 timeout, gfp_t gfp);
491 void nft_set_elem_destroy(const struct nft_set *set, void *elem);
492
493 /**
494 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
495 *
496 * @rcu: rcu head
497 * @set: set the elements belong to
498 * @cnt: count of elements
499 */
500 struct nft_set_gc_batch_head {
501 struct rcu_head rcu;
502 const struct nft_set *set;
503 unsigned int cnt;
504 };
505
506 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \
507 sizeof(struct nft_set_gc_batch_head)) / \
508 sizeof(void *))
509
510 /**
511 * struct nft_set_gc_batch - nf_tables set garbage collection batch
512 *
513 * @head: GC batch head
514 * @elems: garbage collection elements
515 */
516 struct nft_set_gc_batch {
517 struct nft_set_gc_batch_head head;
518 void *elems[NFT_SET_GC_BATCH_SIZE];
519 };
520
521 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
522 gfp_t gfp);
523 void nft_set_gc_batch_release(struct rcu_head *rcu);
524
525 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
526 {
527 if (gcb != NULL)
528 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
529 }
530
531 static inline struct nft_set_gc_batch *
532 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
533 gfp_t gfp)
534 {
535 if (gcb != NULL) {
536 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
537 return gcb;
538 nft_set_gc_batch_complete(gcb);
539 }
540 return nft_set_gc_batch_alloc(set, gfp);
541 }
542
543 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
544 void *elem)
545 {
546 gcb->elems[gcb->head.cnt++] = elem;
547 }
548
549 /**
550 * struct nft_expr_type - nf_tables expression type
551 *
552 * @select_ops: function to select nft_expr_ops
553 * @ops: default ops, used when no select_ops functions is present
554 * @list: used internally
555 * @name: Identifier
556 * @owner: module reference
557 * @policy: netlink attribute policy
558 * @maxattr: highest netlink attribute number
559 * @family: address family for AF-specific types
560 */
561 struct nft_expr_type {
562 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
563 const struct nlattr * const tb[]);
564 const struct nft_expr_ops *ops;
565 struct list_head list;
566 const char *name;
567 struct module *owner;
568 const struct nla_policy *policy;
569 unsigned int maxattr;
570 u8 family;
571 };
572
573 /**
574 * struct nft_expr_ops - nf_tables expression operations
575 *
576 * @eval: Expression evaluation function
577 * @size: full expression size, including private data size
578 * @init: initialization function
579 * @destroy: destruction function
580 * @dump: function to dump parameters
581 * @type: expression type
582 * @validate: validate expression, called during loop detection
583 * @data: extra data to attach to this expression operation
584 */
585 struct nft_expr;
586 struct nft_expr_ops {
587 void (*eval)(const struct nft_expr *expr,
588 struct nft_data data[NFT_REG_MAX + 1],
589 const struct nft_pktinfo *pkt);
590 unsigned int size;
591
592 int (*init)(const struct nft_ctx *ctx,
593 const struct nft_expr *expr,
594 const struct nlattr * const tb[]);
595 void (*destroy)(const struct nft_ctx *ctx,
596 const struct nft_expr *expr);
597 int (*dump)(struct sk_buff *skb,
598 const struct nft_expr *expr);
599 int (*validate)(const struct nft_ctx *ctx,
600 const struct nft_expr *expr,
601 const struct nft_data **data);
602 const struct nft_expr_type *type;
603 void *data;
604 };
605
606 #define NFT_EXPR_MAXATTR 16
607 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
608 ALIGN(size, __alignof__(struct nft_expr)))
609
610 /**
611 * struct nft_expr - nf_tables expression
612 *
613 * @ops: expression ops
614 * @data: expression private data
615 */
616 struct nft_expr {
617 const struct nft_expr_ops *ops;
618 unsigned char data[];
619 };
620
621 static inline void *nft_expr_priv(const struct nft_expr *expr)
622 {
623 return (void *)expr->data;
624 }
625
626 /**
627 * struct nft_rule - nf_tables rule
628 *
629 * @list: used internally
630 * @handle: rule handle
631 * @genmask: generation mask
632 * @dlen: length of expression data
633 * @udata: user data is appended to the rule
634 * @data: expression data
635 */
636 struct nft_rule {
637 struct list_head list;
638 u64 handle:42,
639 genmask:2,
640 dlen:12,
641 udata:1;
642 unsigned char data[]
643 __attribute__((aligned(__alignof__(struct nft_expr))));
644 };
645
646 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
647 {
648 return (struct nft_expr *)&rule->data[0];
649 }
650
651 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
652 {
653 return ((void *)expr) + expr->ops->size;
654 }
655
656 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
657 {
658 return (struct nft_expr *)&rule->data[rule->dlen];
659 }
660
661 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
662 {
663 return (void *)&rule->data[rule->dlen];
664 }
665
666 /*
667 * The last pointer isn't really necessary, but the compiler isn't able to
668 * determine that the result of nft_expr_last() is always the same since it
669 * can't assume that the dlen value wasn't changed within calls in the loop.
670 */
671 #define nft_rule_for_each_expr(expr, last, rule) \
672 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
673 (expr) != (last); \
674 (expr) = nft_expr_next(expr))
675
676 enum nft_chain_flags {
677 NFT_BASE_CHAIN = 0x1,
678 NFT_CHAIN_INACTIVE = 0x2,
679 };
680
681 /**
682 * struct nft_chain - nf_tables chain
683 *
684 * @rules: list of rules in the chain
685 * @list: used internally
686 * @table: table that this chain belongs to
687 * @handle: chain handle
688 * @use: number of jump references to this chain
689 * @level: length of longest path to this chain
690 * @flags: bitmask of enum nft_chain_flags
691 * @name: name of the chain
692 */
693 struct nft_chain {
694 struct list_head rules;
695 struct list_head list;
696 struct nft_table *table;
697 u64 handle;
698 u32 use;
699 u16 level;
700 u8 flags;
701 char name[NFT_CHAIN_MAXNAMELEN];
702 };
703
704 enum nft_chain_type {
705 NFT_CHAIN_T_DEFAULT = 0,
706 NFT_CHAIN_T_ROUTE,
707 NFT_CHAIN_T_NAT,
708 NFT_CHAIN_T_MAX
709 };
710
711 /**
712 * struct nf_chain_type - nf_tables chain type info
713 *
714 * @name: name of the type
715 * @type: numeric identifier
716 * @family: address family
717 * @owner: module owner
718 * @hook_mask: mask of valid hooks
719 * @hooks: hookfn overrides
720 */
721 struct nf_chain_type {
722 const char *name;
723 enum nft_chain_type type;
724 int family;
725 struct module *owner;
726 unsigned int hook_mask;
727 nf_hookfn *hooks[NF_MAX_HOOKS];
728 };
729
730 int nft_chain_validate_dependency(const struct nft_chain *chain,
731 enum nft_chain_type type);
732 int nft_chain_validate_hooks(const struct nft_chain *chain,
733 unsigned int hook_flags);
734
735 struct nft_stats {
736 u64 bytes;
737 u64 pkts;
738 struct u64_stats_sync syncp;
739 };
740
741 #define NFT_HOOK_OPS_MAX 2
742
743 /**
744 * struct nft_base_chain - nf_tables base chain
745 *
746 * @ops: netfilter hook ops
747 * @pnet: net namespace that this chain belongs to
748 * @type: chain type
749 * @policy: default policy
750 * @stats: per-cpu chain stats
751 * @chain: the chain
752 */
753 struct nft_base_chain {
754 struct nf_hook_ops ops[NFT_HOOK_OPS_MAX];
755 possible_net_t pnet;
756 const struct nf_chain_type *type;
757 u8 policy;
758 struct nft_stats __percpu *stats;
759 struct nft_chain chain;
760 };
761
762 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
763 {
764 return container_of(chain, struct nft_base_chain, chain);
765 }
766
767 unsigned int nft_do_chain(struct nft_pktinfo *pkt,
768 const struct nf_hook_ops *ops);
769
770 /**
771 * struct nft_table - nf_tables table
772 *
773 * @list: used internally
774 * @chains: chains in the table
775 * @sets: sets in the table
776 * @hgenerator: handle generator state
777 * @use: number of chain references to this table
778 * @flags: table flag (see enum nft_table_flags)
779 * @name: name of the table
780 */
781 struct nft_table {
782 struct list_head list;
783 struct list_head chains;
784 struct list_head sets;
785 u64 hgenerator;
786 u32 use;
787 u16 flags;
788 char name[NFT_TABLE_MAXNAMELEN];
789 };
790
791 /**
792 * struct nft_af_info - nf_tables address family info
793 *
794 * @list: used internally
795 * @family: address family
796 * @nhooks: number of hooks in this family
797 * @owner: module owner
798 * @tables: used internally
799 * @nops: number of hook ops in this family
800 * @hook_ops_init: initialization function for chain hook ops
801 * @hooks: hookfn overrides for packet validation
802 */
803 struct nft_af_info {
804 struct list_head list;
805 int family;
806 unsigned int nhooks;
807 struct module *owner;
808 struct list_head tables;
809 unsigned int nops;
810 void (*hook_ops_init)(struct nf_hook_ops *,
811 unsigned int);
812 nf_hookfn *hooks[NF_MAX_HOOKS];
813 };
814
815 int nft_register_afinfo(struct net *, struct nft_af_info *);
816 void nft_unregister_afinfo(struct nft_af_info *);
817
818 int nft_register_chain_type(const struct nf_chain_type *);
819 void nft_unregister_chain_type(const struct nf_chain_type *);
820
821 int nft_register_expr(struct nft_expr_type *);
822 void nft_unregister_expr(struct nft_expr_type *);
823
824 #define nft_dereference(p) \
825 nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
826
827 #define MODULE_ALIAS_NFT_FAMILY(family) \
828 MODULE_ALIAS("nft-afinfo-" __stringify(family))
829
830 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
831 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
832
833 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
834 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
835
836 #define MODULE_ALIAS_NFT_EXPR(name) \
837 MODULE_ALIAS("nft-expr-" name)
838
839 #define MODULE_ALIAS_NFT_SET() \
840 MODULE_ALIAS("nft-set")
841
842 /*
843 * The gencursor defines two generations, the currently active and the
844 * next one. Objects contain a bitmask of 2 bits specifying the generations
845 * they're active in. A set bit means they're inactive in the generation
846 * represented by that bit.
847 *
848 * New objects start out as inactive in the current and active in the
849 * next generation. When committing the ruleset the bitmask is cleared,
850 * meaning they're active in all generations. When removing an object,
851 * it is set inactive in the next generation. After committing the ruleset,
852 * the objects are removed.
853 */
854 static inline unsigned int nft_gencursor_next(const struct net *net)
855 {
856 return net->nft.gencursor + 1 == 1 ? 1 : 0;
857 }
858
859 static inline u8 nft_genmask_next(const struct net *net)
860 {
861 return 1 << nft_gencursor_next(net);
862 }
863
864 static inline u8 nft_genmask_cur(const struct net *net)
865 {
866 /* Use ACCESS_ONCE() to prevent refetching the value for atomicity */
867 return 1 << ACCESS_ONCE(net->nft.gencursor);
868 }
869
870 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
871
872 /*
873 * Set element transaction helpers
874 */
875
876 static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
877 u8 genmask)
878 {
879 return !(ext->genmask & genmask);
880 }
881
882 static inline void nft_set_elem_change_active(const struct nft_set *set,
883 struct nft_set_ext *ext)
884 {
885 ext->genmask ^= nft_genmask_next(read_pnet(&set->pnet));
886 }
887
888 /*
889 * We use a free bit in the genmask field to indicate the element
890 * is busy, meaning it is currently being processed either by
891 * the netlink API or GC.
892 *
893 * Even though the genmask is only a single byte wide, this works
894 * because the extension structure if fully constant once initialized,
895 * so there are no non-atomic write accesses unless it is already
896 * marked busy.
897 */
898 #define NFT_SET_ELEM_BUSY_MASK (1 << 2)
899
900 #if defined(__LITTLE_ENDIAN_BITFIELD)
901 #define NFT_SET_ELEM_BUSY_BIT 2
902 #elif defined(__BIG_ENDIAN_BITFIELD)
903 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
904 #else
905 #error
906 #endif
907
908 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
909 {
910 unsigned long *word = (unsigned long *)ext;
911
912 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
913 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
914 }
915
916 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
917 {
918 unsigned long *word = (unsigned long *)ext;
919
920 clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
921 }
922
923 /**
924 * struct nft_trans - nf_tables object update in transaction
925 *
926 * @list: used internally
927 * @msg_type: message type
928 * @ctx: transaction context
929 * @data: internal information related to the transaction
930 */
931 struct nft_trans {
932 struct list_head list;
933 int msg_type;
934 struct nft_ctx ctx;
935 char data[0];
936 };
937
938 struct nft_trans_rule {
939 struct nft_rule *rule;
940 };
941
942 #define nft_trans_rule(trans) \
943 (((struct nft_trans_rule *)trans->data)->rule)
944
945 struct nft_trans_set {
946 struct nft_set *set;
947 u32 set_id;
948 };
949
950 #define nft_trans_set(trans) \
951 (((struct nft_trans_set *)trans->data)->set)
952 #define nft_trans_set_id(trans) \
953 (((struct nft_trans_set *)trans->data)->set_id)
954
955 struct nft_trans_chain {
956 bool update;
957 char name[NFT_CHAIN_MAXNAMELEN];
958 struct nft_stats __percpu *stats;
959 u8 policy;
960 };
961
962 #define nft_trans_chain_update(trans) \
963 (((struct nft_trans_chain *)trans->data)->update)
964 #define nft_trans_chain_name(trans) \
965 (((struct nft_trans_chain *)trans->data)->name)
966 #define nft_trans_chain_stats(trans) \
967 (((struct nft_trans_chain *)trans->data)->stats)
968 #define nft_trans_chain_policy(trans) \
969 (((struct nft_trans_chain *)trans->data)->policy)
970
971 struct nft_trans_table {
972 bool update;
973 bool enable;
974 };
975
976 #define nft_trans_table_update(trans) \
977 (((struct nft_trans_table *)trans->data)->update)
978 #define nft_trans_table_enable(trans) \
979 (((struct nft_trans_table *)trans->data)->enable)
980
981 struct nft_trans_elem {
982 struct nft_set *set;
983 struct nft_set_elem elem;
984 };
985
986 #define nft_trans_elem_set(trans) \
987 (((struct nft_trans_elem *)trans->data)->set)
988 #define nft_trans_elem(trans) \
989 (((struct nft_trans_elem *)trans->data)->elem)
990
991 #endif /* _NET_NF_TABLES_H */
Linux kernel - Deliverables
This page took 0.055979 seconds and 5 git commands to generate.