projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nf_tables: convert built-in tables/chains to chain types
[deliverable/linux.git] / include / net / netfilter / nf_tables.h
1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
3
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/nf_tables.h>
7 #include <net/netlink.h>
8
9 #define NFT_JUMP_STACK_SIZE 16
10
11 struct nft_pktinfo {
12 struct sk_buff *skb;
13 const struct net_device *in;
14 const struct net_device *out;
15 u8 hooknum;
16 u8 nhoff;
17 u8 thoff;
18 };
19
20 struct nft_data {
21 union {
22 u32 data[4];
23 struct {
24 u32 verdict;
25 struct nft_chain *chain;
26 };
27 };
28 } __attribute__((aligned(__alignof__(u64))));
29
30 static inline int nft_data_cmp(const struct nft_data *d1,
31 const struct nft_data *d2,
32 unsigned int len)
33 {
34 return memcmp(d1->data, d2->data, len);
35 }
36
37 static inline void nft_data_copy(struct nft_data *dst,
38 const struct nft_data *src)
39 {
40 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
41 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
42 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
43 }
44
45 static inline void nft_data_debug(const struct nft_data *data)
46 {
47 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
48 data->data[0], data->data[1],
49 data->data[2], data->data[3]);
50 }
51
52 /**
53 * struct nft_ctx - nf_tables rule/set context
54 *
55 * @skb: netlink skb
56 * @nlh: netlink message header
57 * @afi: address family info
58 * @table: the table the chain is contained in
59 * @chain: the chain the rule is contained in
60 */
61 struct nft_ctx {
62 const struct sk_buff *skb;
63 const struct nlmsghdr *nlh;
64 const struct nft_af_info *afi;
65 const struct nft_table *table;
66 const struct nft_chain *chain;
67 };
68
69 struct nft_data_desc {
70 enum nft_data_types type;
71 unsigned int len;
72 };
73
74 extern int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
75 struct nft_data_desc *desc, const struct nlattr *nla);
76 extern void nft_data_uninit(const struct nft_data *data,
77 enum nft_data_types type);
78 extern int nft_data_dump(struct sk_buff *skb, int attr,
79 const struct nft_data *data,
80 enum nft_data_types type, unsigned int len);
81
82 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
83 {
84 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
85 }
86
87 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
88 {
89 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
90 }
91
92 extern int nft_validate_input_register(enum nft_registers reg);
93 extern int nft_validate_output_register(enum nft_registers reg);
94 extern int nft_validate_data_load(const struct nft_ctx *ctx,
95 enum nft_registers reg,
96 const struct nft_data *data,
97 enum nft_data_types type);
98
99 /**
100 * struct nft_set_elem - generic representation of set elements
101 *
102 * @cookie: implementation specific element cookie
103 * @key: element key
104 * @data: element data (maps only)
105 * @flags: element flags (end of interval)
106 *
107 * The cookie can be used to store a handle to the element for subsequent
108 * removal.
109 */
110 struct nft_set_elem {
111 void *cookie;
112 struct nft_data key;
113 struct nft_data data;
114 u32 flags;
115 };
116
117 struct nft_set;
118 struct nft_set_iter {
119 unsigned int count;
120 unsigned int skip;
121 int err;
122 int (*fn)(const struct nft_ctx *ctx,
123 const struct nft_set *set,
124 const struct nft_set_iter *iter,
125 const struct nft_set_elem *elem);
126 };
127
128 /**
129 * struct nft_set_ops - nf_tables set operations
130 *
131 * @lookup: look up an element within the set
132 * @insert: insert new element into set
133 * @remove: remove element from set
134 * @walk: iterate over all set elemeennts
135 * @privsize: function to return size of set private data
136 * @init: initialize private data of new set instance
137 * @destroy: destroy private data of set instance
138 * @list: nf_tables_set_ops list node
139 * @owner: module reference
140 * @features: features supported by the implementation
141 */
142 struct nft_set_ops {
143 bool (*lookup)(const struct nft_set *set,
144 const struct nft_data *key,
145 struct nft_data *data);
146 int (*get)(const struct nft_set *set,
147 struct nft_set_elem *elem);
148 int (*insert)(const struct nft_set *set,
149 const struct nft_set_elem *elem);
150 void (*remove)(const struct nft_set *set,
151 const struct nft_set_elem *elem);
152 void (*walk)(const struct nft_ctx *ctx,
153 const struct nft_set *set,
154 struct nft_set_iter *iter);
155
156 unsigned int (*privsize)(const struct nlattr * const nla[]);
157 int (*init)(const struct nft_set *set,
158 const struct nlattr * const nla[]);
159 void (*destroy)(const struct nft_set *set);
160
161 struct list_head list;
162 struct module *owner;
163 u32 features;
164 };
165
166 extern int nft_register_set(struct nft_set_ops *ops);
167 extern void nft_unregister_set(struct nft_set_ops *ops);
168
169 /**
170 * struct nft_set - nf_tables set instance
171 *
172 * @list: table set list node
173 * @bindings: list of set bindings
174 * @name: name of the set
175 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
176 * @dtype: data type (verdict or numeric type defined by userspace)
177 * @ops: set ops
178 * @flags: set flags
179 * @klen: key length
180 * @dlen: data length
181 * @data: private set data
182 */
183 struct nft_set {
184 struct list_head list;
185 struct list_head bindings;
186 char name[IFNAMSIZ];
187 u32 ktype;
188 u32 dtype;
189 /* runtime data below here */
190 const struct nft_set_ops *ops ____cacheline_aligned;
191 u16 flags;
192 u8 klen;
193 u8 dlen;
194 unsigned char data[]
195 __attribute__((aligned(__alignof__(u64))));
196 };
197
198 static inline void *nft_set_priv(const struct nft_set *set)
199 {
200 return (void *)set->data;
201 }
202
203 extern struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
204 const struct nlattr *nla);
205
206 /**
207 * struct nft_set_binding - nf_tables set binding
208 *
209 * @list: set bindings list node
210 * @chain: chain containing the rule bound to the set
211 *
212 * A set binding contains all information necessary for validation
213 * of new elements added to a bound set.
214 */
215 struct nft_set_binding {
216 struct list_head list;
217 const struct nft_chain *chain;
218 };
219
220 extern int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
221 struct nft_set_binding *binding);
222 extern void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
223 struct nft_set_binding *binding);
224
225
226 /**
227 * struct nft_expr_type - nf_tables expression type
228 *
229 * @select_ops: function to select nft_expr_ops
230 * @ops: default ops, used when no select_ops functions is present
231 * @list: used internally
232 * @name: Identifier
233 * @owner: module reference
234 * @policy: netlink attribute policy
235 * @maxattr: highest netlink attribute number
236 */
237 struct nft_expr_type {
238 const struct nft_expr_ops *(*select_ops)(const struct nlattr * const tb[]);
239 const struct nft_expr_ops *ops;
240 struct list_head list;
241 const char *name;
242 struct module *owner;
243 const struct nla_policy *policy;
244 unsigned int maxattr;
245 };
246
247 /**
248 * struct nft_expr_ops - nf_tables expression operations
249 *
250 * @eval: Expression evaluation function
251 * @size: full expression size, including private data size
252 * @init: initialization function
253 * @destroy: destruction function
254 * @dump: function to dump parameters
255 * @type: expression type
256 */
257 struct nft_expr;
258 struct nft_expr_ops {
259 void (*eval)(const struct nft_expr *expr,
260 struct nft_data data[NFT_REG_MAX + 1],
261 const struct nft_pktinfo *pkt);
262 unsigned int size;
263
264 int (*init)(const struct nft_ctx *ctx,
265 const struct nft_expr *expr,
266 const struct nlattr * const tb[]);
267 void (*destroy)(const struct nft_expr *expr);
268 int (*dump)(struct sk_buff *skb,
269 const struct nft_expr *expr);
270 const struct nft_data * (*get_verdict)(const struct nft_expr *expr);
271 const struct nft_expr_type *type;
272 };
273
274 #define NFT_EXPR_MAXATTR 16
275 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
276 ALIGN(size, __alignof__(struct nft_expr)))
277
278 /**
279 * struct nft_expr - nf_tables expression
280 *
281 * @ops: expression ops
282 * @data: expression private data
283 */
284 struct nft_expr {
285 const struct nft_expr_ops *ops;
286 unsigned char data[];
287 };
288
289 static inline void *nft_expr_priv(const struct nft_expr *expr)
290 {
291 return (void *)expr->data;
292 }
293
294 /**
295 * struct nft_rule - nf_tables rule
296 *
297 * @list: used internally
298 * @rcu_head: used internally for rcu
299 * @handle: rule handle
300 * @dlen: length of expression data
301 * @data: expression data
302 */
303 struct nft_rule {
304 struct list_head list;
305 struct rcu_head rcu_head;
306 u64 handle:48,
307 dlen:16;
308 unsigned char data[]
309 __attribute__((aligned(__alignof__(struct nft_expr))));
310 };
311
312 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
313 {
314 return (struct nft_expr *)&rule->data[0];
315 }
316
317 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
318 {
319 return ((void *)expr) + expr->ops->size;
320 }
321
322 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
323 {
324 return (struct nft_expr *)&rule->data[rule->dlen];
325 }
326
327 /*
328 * The last pointer isn't really necessary, but the compiler isn't able to
329 * determine that the result of nft_expr_last() is always the same since it
330 * can't assume that the dlen value wasn't changed within calls in the loop.
331 */
332 #define nft_rule_for_each_expr(expr, last, rule) \
333 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
334 (expr) != (last); \
335 (expr) = nft_expr_next(expr))
336
337 enum nft_chain_flags {
338 NFT_BASE_CHAIN = 0x1,
339 };
340
341 /**
342 * struct nft_chain - nf_tables chain
343 *
344 * @rules: list of rules in the chain
345 * @list: used internally
346 * @rcu_head: used internally
347 * @handle: chain handle
348 * @flags: bitmask of enum nft_chain_flags
349 * @use: number of jump references to this chain
350 * @level: length of longest path to this chain
351 * @name: name of the chain
352 */
353 struct nft_chain {
354 struct list_head rules;
355 struct list_head list;
356 struct rcu_head rcu_head;
357 u64 handle;
358 u8 flags;
359 u16 use;
360 u16 level;
361 char name[NFT_CHAIN_MAXNAMELEN];
362 };
363
364 enum nft_chain_type {
365 NFT_CHAIN_T_DEFAULT = 0,
366 NFT_CHAIN_T_ROUTE,
367 NFT_CHAIN_T_NAT,
368 NFT_CHAIN_T_MAX
369 };
370
371 /**
372 * struct nft_base_chain - nf_tables base chain
373 *
374 * @ops: netfilter hook ops
375 * @type: chain type
376 * @chain: the chain
377 */
378 struct nft_base_chain {
379 struct nf_hook_ops ops;
380 enum nft_chain_type type;
381 struct nft_chain chain;
382 };
383
384 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
385 {
386 return container_of(chain, struct nft_base_chain, chain);
387 }
388
389 extern unsigned int nft_do_chain(const struct nf_hook_ops *ops,
390 struct sk_buff *skb,
391 const struct net_device *in,
392 const struct net_device *out,
393 int (*okfn)(struct sk_buff *));
394
395 /**
396 * struct nft_table - nf_tables table
397 *
398 * @list: used internally
399 * @chains: chains in the table
400 * @sets: sets in the table
401 * @hgenerator: handle generator state
402 * @use: number of chain references to this table
403 * @flags: table flag (see enum nft_table_flags)
404 * @name: name of the table
405 */
406 struct nft_table {
407 struct list_head list;
408 struct list_head chains;
409 struct list_head sets;
410 u64 hgenerator;
411 u32 use;
412 u16 flags;
413 char name[];
414 };
415
416 /**
417 * struct nft_af_info - nf_tables address family info
418 *
419 * @list: used internally
420 * @family: address family
421 * @nhooks: number of hooks in this family
422 * @owner: module owner
423 * @tables: used internally
424 * @hooks: hookfn overrides for packet validation
425 */
426 struct nft_af_info {
427 struct list_head list;
428 int family;
429 unsigned int nhooks;
430 struct module *owner;
431 struct list_head tables;
432 nf_hookfn *hooks[NF_MAX_HOOKS];
433 };
434
435 extern int nft_register_afinfo(struct nft_af_info *);
436 extern void nft_unregister_afinfo(struct nft_af_info *);
437
438 struct nf_chain_type {
439 unsigned int hook_mask;
440 const char *name;
441 enum nft_chain_type type;
442 nf_hookfn *fn[NF_MAX_HOOKS];
443 struct module *me;
444 int family;
445 };
446
447 extern int nft_register_chain_type(struct nf_chain_type *);
448 extern void nft_unregister_chain_type(struct nf_chain_type *);
449
450 extern int nft_register_expr(struct nft_expr_type *);
451 extern void nft_unregister_expr(struct nft_expr_type *);
452
453 #define MODULE_ALIAS_NFT_FAMILY(family) \
454 MODULE_ALIAS("nft-afinfo-" __stringify(family))
455
456 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
457 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
458
459 #define MODULE_ALIAS_NFT_EXPR(name) \
460 MODULE_ALIAS("nft-expr-" name)
461
462 #define MODULE_ALIAS_NFT_SET() \
463 MODULE_ALIAS("nft-set")
464
465 #endif /* _NET_NF_TABLES_H */
Linux kernel - Deliverables
This page took 0.04079 seconds and 5 git commands to generate.