projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nf_tables: add compatibility layer for x_tables
[deliverable/linux.git] / include / net / netfilter / nf_tables.h
1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
3
4 #include <linux/list.h>
5 #include <linux/netfilter.h>
6 #include <linux/netfilter/x_tables.h>
7 #include <linux/netfilter/nf_tables.h>
8 #include <net/netlink.h>
9
10 #define NFT_JUMP_STACK_SIZE 16
11
12 struct nft_pktinfo {
13 struct sk_buff *skb;
14 const struct net_device *in;
15 const struct net_device *out;
16 u8 hooknum;
17 u8 nhoff;
18 u8 thoff;
19 /* for x_tables compatibility */
20 struct xt_action_param xt;
21 };
22
23 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
24 const struct nf_hook_ops *ops,
25 struct sk_buff *skb,
26 const struct net_device *in,
27 const struct net_device *out)
28 {
29 pkt->skb = skb;
30 pkt->in = pkt->xt.in = in;
31 pkt->out = pkt->xt.out = out;
32 pkt->hooknum = pkt->xt.hooknum = ops->hooknum;
33 pkt->xt.family = ops->pf;
34 }
35
36 struct nft_data {
37 union {
38 u32 data[4];
39 struct {
40 u32 verdict;
41 struct nft_chain *chain;
42 };
43 };
44 } __attribute__((aligned(__alignof__(u64))));
45
46 static inline int nft_data_cmp(const struct nft_data *d1,
47 const struct nft_data *d2,
48 unsigned int len)
49 {
50 return memcmp(d1->data, d2->data, len);
51 }
52
53 static inline void nft_data_copy(struct nft_data *dst,
54 const struct nft_data *src)
55 {
56 BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
57 *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
58 *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
59 }
60
61 static inline void nft_data_debug(const struct nft_data *data)
62 {
63 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
64 data->data[0], data->data[1],
65 data->data[2], data->data[3]);
66 }
67
68 /**
69 * struct nft_ctx - nf_tables rule/set context
70 *
71 * @skb: netlink skb
72 * @nlh: netlink message header
73 * @afi: address family info
74 * @table: the table the chain is contained in
75 * @chain: the chain the rule is contained in
76 * @nla: netlink attributes
77 */
78 struct nft_ctx {
79 const struct sk_buff *skb;
80 const struct nlmsghdr *nlh;
81 const struct nft_af_info *afi;
82 const struct nft_table *table;
83 const struct nft_chain *chain;
84 const struct nlattr * const *nla;
85 };
86
87 struct nft_data_desc {
88 enum nft_data_types type;
89 unsigned int len;
90 };
91
92 extern int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
93 struct nft_data_desc *desc, const struct nlattr *nla);
94 extern void nft_data_uninit(const struct nft_data *data,
95 enum nft_data_types type);
96 extern int nft_data_dump(struct sk_buff *skb, int attr,
97 const struct nft_data *data,
98 enum nft_data_types type, unsigned int len);
99
100 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
101 {
102 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
103 }
104
105 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
106 {
107 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
108 }
109
110 extern int nft_validate_input_register(enum nft_registers reg);
111 extern int nft_validate_output_register(enum nft_registers reg);
112 extern int nft_validate_data_load(const struct nft_ctx *ctx,
113 enum nft_registers reg,
114 const struct nft_data *data,
115 enum nft_data_types type);
116
117 /**
118 * struct nft_set_elem - generic representation of set elements
119 *
120 * @cookie: implementation specific element cookie
121 * @key: element key
122 * @data: element data (maps only)
123 * @flags: element flags (end of interval)
124 *
125 * The cookie can be used to store a handle to the element for subsequent
126 * removal.
127 */
128 struct nft_set_elem {
129 void *cookie;
130 struct nft_data key;
131 struct nft_data data;
132 u32 flags;
133 };
134
135 struct nft_set;
136 struct nft_set_iter {
137 unsigned int count;
138 unsigned int skip;
139 int err;
140 int (*fn)(const struct nft_ctx *ctx,
141 const struct nft_set *set,
142 const struct nft_set_iter *iter,
143 const struct nft_set_elem *elem);
144 };
145
146 /**
147 * struct nft_set_ops - nf_tables set operations
148 *
149 * @lookup: look up an element within the set
150 * @insert: insert new element into set
151 * @remove: remove element from set
152 * @walk: iterate over all set elemeennts
153 * @privsize: function to return size of set private data
154 * @init: initialize private data of new set instance
155 * @destroy: destroy private data of set instance
156 * @list: nf_tables_set_ops list node
157 * @owner: module reference
158 * @features: features supported by the implementation
159 */
160 struct nft_set_ops {
161 bool (*lookup)(const struct nft_set *set,
162 const struct nft_data *key,
163 struct nft_data *data);
164 int (*get)(const struct nft_set *set,
165 struct nft_set_elem *elem);
166 int (*insert)(const struct nft_set *set,
167 const struct nft_set_elem *elem);
168 void (*remove)(const struct nft_set *set,
169 const struct nft_set_elem *elem);
170 void (*walk)(const struct nft_ctx *ctx,
171 const struct nft_set *set,
172 struct nft_set_iter *iter);
173
174 unsigned int (*privsize)(const struct nlattr * const nla[]);
175 int (*init)(const struct nft_set *set,
176 const struct nlattr * const nla[]);
177 void (*destroy)(const struct nft_set *set);
178
179 struct list_head list;
180 struct module *owner;
181 u32 features;
182 };
183
184 extern int nft_register_set(struct nft_set_ops *ops);
185 extern void nft_unregister_set(struct nft_set_ops *ops);
186
187 /**
188 * struct nft_set - nf_tables set instance
189 *
190 * @list: table set list node
191 * @bindings: list of set bindings
192 * @name: name of the set
193 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
194 * @dtype: data type (verdict or numeric type defined by userspace)
195 * @ops: set ops
196 * @flags: set flags
197 * @klen: key length
198 * @dlen: data length
199 * @data: private set data
200 */
201 struct nft_set {
202 struct list_head list;
203 struct list_head bindings;
204 char name[IFNAMSIZ];
205 u32 ktype;
206 u32 dtype;
207 /* runtime data below here */
208 const struct nft_set_ops *ops ____cacheline_aligned;
209 u16 flags;
210 u8 klen;
211 u8 dlen;
212 unsigned char data[]
213 __attribute__((aligned(__alignof__(u64))));
214 };
215
216 static inline void *nft_set_priv(const struct nft_set *set)
217 {
218 return (void *)set->data;
219 }
220
221 extern struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
222 const struct nlattr *nla);
223
224 /**
225 * struct nft_set_binding - nf_tables set binding
226 *
227 * @list: set bindings list node
228 * @chain: chain containing the rule bound to the set
229 *
230 * A set binding contains all information necessary for validation
231 * of new elements added to a bound set.
232 */
233 struct nft_set_binding {
234 struct list_head list;
235 const struct nft_chain *chain;
236 };
237
238 extern int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
239 struct nft_set_binding *binding);
240 extern void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
241 struct nft_set_binding *binding);
242
243
244 /**
245 * struct nft_expr_type - nf_tables expression type
246 *
247 * @select_ops: function to select nft_expr_ops
248 * @ops: default ops, used when no select_ops functions is present
249 * @list: used internally
250 * @name: Identifier
251 * @owner: module reference
252 * @policy: netlink attribute policy
253 * @maxattr: highest netlink attribute number
254 */
255 struct nft_expr_type {
256 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
257 const struct nlattr * const tb[]);
258 const struct nft_expr_ops *ops;
259 struct list_head list;
260 const char *name;
261 struct module *owner;
262 const struct nla_policy *policy;
263 unsigned int maxattr;
264 };
265
266 /**
267 * struct nft_expr_ops - nf_tables expression operations
268 *
269 * @eval: Expression evaluation function
270 * @size: full expression size, including private data size
271 * @init: initialization function
272 * @destroy: destruction function
273 * @dump: function to dump parameters
274 * @type: expression type
275 * @validate: validate expression, called during loop detection
276 * @data: extra data to attach to this expression operation
277 */
278 struct nft_expr;
279 struct nft_expr_ops {
280 void (*eval)(const struct nft_expr *expr,
281 struct nft_data data[NFT_REG_MAX + 1],
282 const struct nft_pktinfo *pkt);
283 unsigned int size;
284
285 int (*init)(const struct nft_ctx *ctx,
286 const struct nft_expr *expr,
287 const struct nlattr * const tb[]);
288 void (*destroy)(const struct nft_expr *expr);
289 int (*dump)(struct sk_buff *skb,
290 const struct nft_expr *expr);
291 int (*validate)(const struct nft_ctx *ctx,
292 const struct nft_expr *expr,
293 const struct nft_data **data);
294 const struct nft_expr_type *type;
295 void *data;
296 };
297
298 #define NFT_EXPR_MAXATTR 16
299 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
300 ALIGN(size, __alignof__(struct nft_expr)))
301
302 /**
303 * struct nft_expr - nf_tables expression
304 *
305 * @ops: expression ops
306 * @data: expression private data
307 */
308 struct nft_expr {
309 const struct nft_expr_ops *ops;
310 unsigned char data[];
311 };
312
313 static inline void *nft_expr_priv(const struct nft_expr *expr)
314 {
315 return (void *)expr->data;
316 }
317
318 /**
319 * struct nft_rule - nf_tables rule
320 *
321 * @list: used internally
322 * @rcu_head: used internally for rcu
323 * @handle: rule handle
324 * @dlen: length of expression data
325 * @data: expression data
326 */
327 struct nft_rule {
328 struct list_head list;
329 struct rcu_head rcu_head;
330 u64 handle:48,
331 dlen:16;
332 unsigned char data[]
333 __attribute__((aligned(__alignof__(struct nft_expr))));
334 };
335
336 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
337 {
338 return (struct nft_expr *)&rule->data[0];
339 }
340
341 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
342 {
343 return ((void *)expr) + expr->ops->size;
344 }
345
346 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
347 {
348 return (struct nft_expr *)&rule->data[rule->dlen];
349 }
350
351 /*
352 * The last pointer isn't really necessary, but the compiler isn't able to
353 * determine that the result of nft_expr_last() is always the same since it
354 * can't assume that the dlen value wasn't changed within calls in the loop.
355 */
356 #define nft_rule_for_each_expr(expr, last, rule) \
357 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
358 (expr) != (last); \
359 (expr) = nft_expr_next(expr))
360
361 enum nft_chain_flags {
362 NFT_BASE_CHAIN = 0x1,
363 };
364
365 /**
366 * struct nft_chain - nf_tables chain
367 *
368 * @rules: list of rules in the chain
369 * @list: used internally
370 * @rcu_head: used internally
371 * @handle: chain handle
372 * @flags: bitmask of enum nft_chain_flags
373 * @use: number of jump references to this chain
374 * @level: length of longest path to this chain
375 * @name: name of the chain
376 */
377 struct nft_chain {
378 struct list_head rules;
379 struct list_head list;
380 struct rcu_head rcu_head;
381 u64 handle;
382 u8 flags;
383 u16 use;
384 u16 level;
385 char name[NFT_CHAIN_MAXNAMELEN];
386 };
387
388 enum nft_chain_type {
389 NFT_CHAIN_T_DEFAULT = 0,
390 NFT_CHAIN_T_ROUTE,
391 NFT_CHAIN_T_NAT,
392 NFT_CHAIN_T_MAX
393 };
394
395 struct nft_stats {
396 u64 bytes;
397 u64 pkts;
398 };
399
400 /**
401 * struct nft_base_chain - nf_tables base chain
402 *
403 * @ops: netfilter hook ops
404 * @type: chain type
405 * @policy: default policy
406 * @stats: per-cpu chain stats
407 * @chain: the chain
408 */
409 struct nft_base_chain {
410 struct nf_hook_ops ops;
411 enum nft_chain_type type;
412 u8 policy;
413 struct nft_stats __percpu *stats;
414 struct nft_chain chain;
415 };
416
417 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
418 {
419 return container_of(chain, struct nft_base_chain, chain);
420 }
421
422 extern unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,
423 const struct nf_hook_ops *ops);
424
425 /**
426 * struct nft_table - nf_tables table
427 *
428 * @list: used internally
429 * @chains: chains in the table
430 * @sets: sets in the table
431 * @hgenerator: handle generator state
432 * @use: number of chain references to this table
433 * @flags: table flag (see enum nft_table_flags)
434 * @name: name of the table
435 */
436 struct nft_table {
437 struct list_head list;
438 struct list_head chains;
439 struct list_head sets;
440 u64 hgenerator;
441 u32 use;
442 u16 flags;
443 char name[];
444 };
445
446 /**
447 * struct nft_af_info - nf_tables address family info
448 *
449 * @list: used internally
450 * @family: address family
451 * @nhooks: number of hooks in this family
452 * @owner: module owner
453 * @tables: used internally
454 * @hooks: hookfn overrides for packet validation
455 */
456 struct nft_af_info {
457 struct list_head list;
458 int family;
459 unsigned int nhooks;
460 struct module *owner;
461 struct list_head tables;
462 nf_hookfn *hooks[NF_MAX_HOOKS];
463 };
464
465 extern int nft_register_afinfo(struct nft_af_info *);
466 extern void nft_unregister_afinfo(struct nft_af_info *);
467
468 struct nf_chain_type {
469 unsigned int hook_mask;
470 const char *name;
471 enum nft_chain_type type;
472 nf_hookfn *fn[NF_MAX_HOOKS];
473 struct module *me;
474 int family;
475 };
476
477 extern int nft_register_chain_type(struct nf_chain_type *);
478 extern void nft_unregister_chain_type(struct nf_chain_type *);
479
480 extern int nft_register_expr(struct nft_expr_type *);
481 extern void nft_unregister_expr(struct nft_expr_type *);
482
483 #define MODULE_ALIAS_NFT_FAMILY(family) \
484 MODULE_ALIAS("nft-afinfo-" __stringify(family))
485
486 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
487 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
488
489 #define MODULE_ALIAS_NFT_EXPR(name) \
490 MODULE_ALIAS("nft-expr-" name)
491
492 #define MODULE_ALIAS_NFT_SET() \
493 MODULE_ALIAS("nft-set")
494
495 #endif /* _NET_NF_TABLES_H */
Linux kernel - Deliverables
This page took 0.043843 seconds and 5 git commands to generate.