1 #ifndef _NET_NF_TABLES_H
2 #define _NET_NF_TABLES_H
3
4 #include <linux/module.h>
5 #include <linux/list.h>
6 #include <linux/netfilter.h>
7 #include <linux/netfilter/nfnetlink.h>
8 #include <linux/netfilter/x_tables.h>
9 #include <linux/netfilter/nf_tables.h>
10 #include <linux/u64_stats_sync.h>
11 #include <net/netlink.h>
12
13 #define NFT_JUMP_STACK_SIZE 16
14
15 struct nft_pktinfo {
16 struct sk_buff *skb;
17 const struct net_device *in;
18 const struct net_device *out;
19 const struct nf_hook_ops *ops;
20 u8 nhoff;
21 u8 thoff;
22 u8 tprot;
23 /* for x_tables compatibility */
24 struct xt_action_param xt;
25 };
26
nft_set_pktinfo(struct nft_pktinfo * pkt,const struct nf_hook_ops * ops,struct sk_buff * skb,const struct nf_hook_state * state)27 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
28 const struct nf_hook_ops *ops,
29 struct sk_buff *skb,
30 const struct nf_hook_state *state)
31 {
32 pkt->skb = skb;
33 pkt->in = pkt->xt.in = state->in;
34 pkt->out = pkt->xt.out = state->out;
35 pkt->ops = ops;
36 pkt->xt.hooknum = ops->hooknum;
37 pkt->xt.family = ops->pf;
38 }
39
40 /**
41 * struct nft_verdict - nf_tables verdict
42 *
43 * @code: nf_tables/netfilter verdict code
44 * @chain: destination chain for NFT_JUMP/NFT_GOTO
45 */
46 struct nft_verdict {
47 u32 code;
48 struct nft_chain *chain;
49 };
50
51 struct nft_data {
52 union {
53 u32 data[4];
54 struct nft_verdict verdict;
55 };
56 } __attribute__((aligned(__alignof__(u64))));
57
58 /**
59 * struct nft_regs - nf_tables register set
60 *
61 * @data: data registers
62 * @verdict: verdict register
63 *
64 * The first four data registers alias to the verdict register.
65 */
66 struct nft_regs {
67 union {
68 u32 data[20];
69 struct nft_verdict verdict;
70 };
71 };
72
nft_data_copy(u32 * dst,const struct nft_data * src,unsigned int len)73 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
74 unsigned int len)
75 {
76 memcpy(dst, src, len);
77 }
78
nft_data_debug(const struct nft_data * data)79 static inline void nft_data_debug(const struct nft_data *data)
80 {
81 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
82 data->data[0], data->data[1],
83 data->data[2], data->data[3]);
84 }
85
86 /**
87 * struct nft_ctx - nf_tables rule/set context
88 *
89 * @net: net namespace
90 * @afi: address family info
91 * @table: the table the chain is contained in
92 * @chain: the chain the rule is contained in
93 * @nla: netlink attributes
94 * @portid: netlink portID of the original message
95 * @seq: netlink sequence number
96 * @report: notify via unicast netlink message
97 */
98 struct nft_ctx {
99 struct net *net;
100 struct nft_af_info *afi;
101 struct nft_table *table;
102 struct nft_chain *chain;
103 const struct nlattr * const *nla;
104 u32 portid;
105 u32 seq;
106 bool report;
107 };
108
109 struct nft_data_desc {
110 enum nft_data_types type;
111 unsigned int len;
112 };
113
114 int nft_data_init(const struct nft_ctx *ctx,
115 struct nft_data *data, unsigned int size,
116 struct nft_data_desc *desc, const struct nlattr *nla);
117 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
118 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
119 enum nft_data_types type, unsigned int len);
120
nft_dreg_to_type(enum nft_registers reg)121 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
122 {
123 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
124 }
125
nft_type_to_reg(enum nft_data_types type)126 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
127 {
128 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
129 }
130
131 unsigned int nft_parse_register(const struct nlattr *attr);
132 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
133
134 int nft_validate_register_load(enum nft_registers reg, unsigned int len);
135 int nft_validate_register_store(const struct nft_ctx *ctx,
136 enum nft_registers reg,
137 const struct nft_data *data,
138 enum nft_data_types type, unsigned int len);
139
140 /**
141 * struct nft_userdata - user defined data associated with an object
142 *
143 * @len: length of the data
144 * @data: content
145 *
146 * The presence of user data is indicated in an object specific fashion,
147 * so a length of zero can't occur and the value "len" indicates data
148 * of length len + 1.
149 */
150 struct nft_userdata {
151 u8 len;
152 unsigned char data[0];
153 };
154
155 /**
156 * struct nft_set_elem - generic representation of set elements
157 *
158 * @key: element key
159 * @priv: element private data and extensions
160 */
161 struct nft_set_elem {
162 union {
163 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
164 struct nft_data val;
165 } key;
166 void *priv;
167 };
168
169 struct nft_set;
170 struct nft_set_iter {
171 unsigned int count;
172 unsigned int skip;
173 int err;
174 int (*fn)(const struct nft_ctx *ctx,
175 const struct nft_set *set,
176 const struct nft_set_iter *iter,
177 const struct nft_set_elem *elem);
178 };
179
180 /**
181 * struct nft_set_desc - description of set elements
182 *
183 * @klen: key length
184 * @dlen: data length
185 * @size: number of set elements
186 */
187 struct nft_set_desc {
188 unsigned int klen;
189 unsigned int dlen;
190 unsigned int size;
191 };
192
193 /**
194 * enum nft_set_class - performance class
195 *
196 * @NFT_LOOKUP_O_1: constant, O(1)
197 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
198 * @NFT_LOOKUP_O_N: linear, O(N)
199 */
200 enum nft_set_class {
201 NFT_SET_CLASS_O_1,
202 NFT_SET_CLASS_O_LOG_N,
203 NFT_SET_CLASS_O_N,
204 };
205
206 /**
207 * struct nft_set_estimate - estimation of memory and performance
208 * characteristics
209 *
210 * @size: required memory
211 * @class: lookup performance class
212 */
213 struct nft_set_estimate {
214 unsigned int size;
215 enum nft_set_class class;
216 };
217
218 struct nft_set_ext;
219 struct nft_expr;
220
221 /**
222 * struct nft_set_ops - nf_tables set operations
223 *
224 * @lookup: look up an element within the set
225 * @insert: insert new element into set
226 * @activate: activate new element in the next generation
227 * @deactivate: deactivate element in the next generation
228 * @remove: remove element from set
229 * @walk: iterate over all set elemeennts
230 * @privsize: function to return size of set private data
231 * @init: initialize private data of new set instance
232 * @destroy: destroy private data of set instance
233 * @list: nf_tables_set_ops list node
234 * @owner: module reference
235 * @elemsize: element private size
236 * @features: features supported by the implementation
237 */
238 struct nft_set_ops {
239 bool (*lookup)(const struct nft_set *set,
240 const u32 *key,
241 const struct nft_set_ext **ext);
242 bool (*update)(struct nft_set *set,
243 const u32 *key,
244 void *(*new)(struct nft_set *,
245 const struct nft_expr *,
246 struct nft_regs *),
247 const struct nft_expr *expr,
248 struct nft_regs *regs,
249 const struct nft_set_ext **ext);
250
251 int (*insert)(const struct nft_set *set,
252 const struct nft_set_elem *elem);
253 void (*activate)(const struct nft_set *set,
254 const struct nft_set_elem *elem);
255 void * (*deactivate)(const struct nft_set *set,
256 const struct nft_set_elem *elem);
257 void (*remove)(const struct nft_set *set,
258 const struct nft_set_elem *elem);
259 void (*walk)(const struct nft_ctx *ctx,
260 const struct nft_set *set,
261 struct nft_set_iter *iter);
262
263 unsigned int (*privsize)(const struct nlattr * const nla[]);
264 bool (*estimate)(const struct nft_set_desc *desc,
265 u32 features,
266 struct nft_set_estimate *est);
267 int (*init)(const struct nft_set *set,
268 const struct nft_set_desc *desc,
269 const struct nlattr * const nla[]);
270 void (*destroy)(const struct nft_set *set);
271
272 struct list_head list;
273 struct module *owner;
274 unsigned int elemsize;
275 u32 features;
276 };
277
278 int nft_register_set(struct nft_set_ops *ops);
279 void nft_unregister_set(struct nft_set_ops *ops);
280
281 /**
282 * struct nft_set - nf_tables set instance
283 *
284 * @list: table set list node
285 * @bindings: list of set bindings
286 * @name: name of the set
287 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
288 * @dtype: data type (verdict or numeric type defined by userspace)
289 * @size: maximum set size
290 * @nelems: number of elements
291 * @ndeact: number of deactivated elements queued for removal
292 * @timeout: default timeout value in msecs
293 * @gc_int: garbage collection interval in msecs
294 * @policy: set parameterization (see enum nft_set_policies)
295 * @ops: set ops
296 * @pnet: network namespace
297 * @flags: set flags
298 * @klen: key length
299 * @dlen: data length
300 * @data: private set data
301 */
302 struct nft_set {
303 struct list_head list;
304 struct list_head bindings;
305 char name[IFNAMSIZ];
306 u32 ktype;
307 u32 dtype;
308 u32 size;
309 atomic_t nelems;
310 u32 ndeact;
311 u64 timeout;
312 u32 gc_int;
313 u16 policy;
314 /* runtime data below here */
315 const struct nft_set_ops *ops ____cacheline_aligned;
316 possible_net_t pnet;
317 u16 flags;
318 u8 klen;
319 u8 dlen;
320 unsigned char data[]
321 __attribute__((aligned(__alignof__(u64))));
322 };
323
nft_set_priv(const struct nft_set * set)324 static inline void *nft_set_priv(const struct nft_set *set)
325 {
326 return (void *)set->data;
327 }
328
nft_set_container_of(const void * priv)329 static inline struct nft_set *nft_set_container_of(const void *priv)
330 {
331 return (void *)priv - offsetof(struct nft_set, data);
332 }
333
334 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
335 const struct nlattr *nla);
336 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
337 const struct nlattr *nla);
338
nft_set_gc_interval(const struct nft_set * set)339 static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
340 {
341 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
342 }
343
344 /**
345 * struct nft_set_binding - nf_tables set binding
346 *
347 * @list: set bindings list node
348 * @chain: chain containing the rule bound to the set
349 * @flags: set action flags
350 *
351 * A set binding contains all information necessary for validation
352 * of new elements added to a bound set.
353 */
354 struct nft_set_binding {
355 struct list_head list;
356 const struct nft_chain *chain;
357 u32 flags;
358 };
359
360 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
361 struct nft_set_binding *binding);
362 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
363 struct nft_set_binding *binding);
364
365 /**
366 * enum nft_set_extensions - set extension type IDs
367 *
368 * @NFT_SET_EXT_KEY: element key
369 * @NFT_SET_EXT_DATA: mapping data
370 * @NFT_SET_EXT_FLAGS: element flags
371 * @NFT_SET_EXT_TIMEOUT: element timeout
372 * @NFT_SET_EXT_EXPIRATION: element expiration time
373 * @NFT_SET_EXT_USERDATA: user data associated with the element
374 * @NFT_SET_EXT_EXPR: expression assiociated with the element
375 * @NFT_SET_EXT_NUM: number of extension types
376 */
377 enum nft_set_extensions {
378 NFT_SET_EXT_KEY,
379 NFT_SET_EXT_DATA,
380 NFT_SET_EXT_FLAGS,
381 NFT_SET_EXT_TIMEOUT,
382 NFT_SET_EXT_EXPIRATION,
383 NFT_SET_EXT_USERDATA,
384 NFT_SET_EXT_EXPR,
385 NFT_SET_EXT_NUM
386 };
387
388 /**
389 * struct nft_set_ext_type - set extension type
390 *
391 * @len: fixed part length of the extension
392 * @align: alignment requirements of the extension
393 */
394 struct nft_set_ext_type {
395 u8 len;
396 u8 align;
397 };
398
399 extern const struct nft_set_ext_type nft_set_ext_types[];
400
401 /**
402 * struct nft_set_ext_tmpl - set extension template
403 *
404 * @len: length of extension area
405 * @offset: offsets of individual extension types
406 */
407 struct nft_set_ext_tmpl {
408 u16 len;
409 u8 offset[NFT_SET_EXT_NUM];
410 };
411
412 /**
413 * struct nft_set_ext - set extensions
414 *
415 * @genmask: generation mask
416 * @offset: offsets of individual extension types
417 * @data: beginning of extension data
418 */
419 struct nft_set_ext {
420 u8 genmask;
421 u8 offset[NFT_SET_EXT_NUM];
422 char data[0];
423 };
424
nft_set_ext_prepare(struct nft_set_ext_tmpl * tmpl)425 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
426 {
427 memset(tmpl, 0, sizeof(*tmpl));
428 tmpl->len = sizeof(struct nft_set_ext);
429 }
430
nft_set_ext_add_length(struct nft_set_ext_tmpl * tmpl,u8 id,unsigned int len)431 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
432 unsigned int len)
433 {
434 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align);
435 BUG_ON(tmpl->len > U8_MAX);
436 tmpl->offset[id] = tmpl->len;
437 tmpl->len += nft_set_ext_types[id].len + len;
438 }
439
nft_set_ext_add(struct nft_set_ext_tmpl * tmpl,u8 id)440 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
441 {
442 nft_set_ext_add_length(tmpl, id, 0);
443 }
444
nft_set_ext_init(struct nft_set_ext * ext,const struct nft_set_ext_tmpl * tmpl)445 static inline void nft_set_ext_init(struct nft_set_ext *ext,
446 const struct nft_set_ext_tmpl *tmpl)
447 {
448 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
449 }
450
__nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)451 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
452 {
453 return !!ext->offset[id];
454 }
455
nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)456 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
457 {
458 return ext && __nft_set_ext_exists(ext, id);
459 }
460
nft_set_ext(const struct nft_set_ext * ext,u8 id)461 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
462 {
463 return (void *)ext + ext->offset[id];
464 }
465
nft_set_ext_key(const struct nft_set_ext * ext)466 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
467 {
468 return nft_set_ext(ext, NFT_SET_EXT_KEY);
469 }
470
nft_set_ext_data(const struct nft_set_ext * ext)471 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
472 {
473 return nft_set_ext(ext, NFT_SET_EXT_DATA);
474 }
475
nft_set_ext_flags(const struct nft_set_ext * ext)476 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
477 {
478 return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
479 }
480
nft_set_ext_timeout(const struct nft_set_ext * ext)481 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
482 {
483 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
484 }
485
nft_set_ext_expiration(const struct nft_set_ext * ext)486 static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext)
487 {
488 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
489 }
490
nft_set_ext_userdata(const struct nft_set_ext * ext)491 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
492 {
493 return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
494 }
495
nft_set_ext_expr(const struct nft_set_ext * ext)496 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
497 {
498 return nft_set_ext(ext, NFT_SET_EXT_EXPR);
499 }
500
nft_set_elem_expired(const struct nft_set_ext * ext)501 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
502 {
503 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
504 time_is_before_eq_jiffies(*nft_set_ext_expiration(ext));
505 }
506
nft_set_elem_ext(const struct nft_set * set,void * elem)507 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
508 void *elem)
509 {
510 return elem + set->ops->elemsize;
511 }
512
513 void *nft_set_elem_init(const struct nft_set *set,
514 const struct nft_set_ext_tmpl *tmpl,
515 const u32 *key, const u32 *data,
516 u64 timeout, gfp_t gfp);
517 void nft_set_elem_destroy(const struct nft_set *set, void *elem);
518
519 /**
520 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
521 *
522 * @rcu: rcu head
523 * @set: set the elements belong to
524 * @cnt: count of elements
525 */
526 struct nft_set_gc_batch_head {
527 struct rcu_head rcu;
528 const struct nft_set *set;
529 unsigned int cnt;
530 };
531
532 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \
533 sizeof(struct nft_set_gc_batch_head)) / \
534 sizeof(void *))
535
536 /**
537 * struct nft_set_gc_batch - nf_tables set garbage collection batch
538 *
539 * @head: GC batch head
540 * @elems: garbage collection elements
541 */
542 struct nft_set_gc_batch {
543 struct nft_set_gc_batch_head head;
544 void *elems[NFT_SET_GC_BATCH_SIZE];
545 };
546
547 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
548 gfp_t gfp);
549 void nft_set_gc_batch_release(struct rcu_head *rcu);
550
nft_set_gc_batch_complete(struct nft_set_gc_batch * gcb)551 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
552 {
553 if (gcb != NULL)
554 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
555 }
556
557 static inline struct nft_set_gc_batch *
nft_set_gc_batch_check(const struct nft_set * set,struct nft_set_gc_batch * gcb,gfp_t gfp)558 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
559 gfp_t gfp)
560 {
561 if (gcb != NULL) {
562 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
563 return gcb;
564 nft_set_gc_batch_complete(gcb);
565 }
566 return nft_set_gc_batch_alloc(set, gfp);
567 }
568
nft_set_gc_batch_add(struct nft_set_gc_batch * gcb,void * elem)569 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
570 void *elem)
571 {
572 gcb->elems[gcb->head.cnt++] = elem;
573 }
574
575 /**
576 * struct nft_expr_type - nf_tables expression type
577 *
578 * @select_ops: function to select nft_expr_ops
579 * @ops: default ops, used when no select_ops functions is present
580 * @list: used internally
581 * @name: Identifier
582 * @owner: module reference
583 * @policy: netlink attribute policy
584 * @maxattr: highest netlink attribute number
585 * @family: address family for AF-specific types
586 * @flags: expression type flags
587 */
588 struct nft_expr_type {
589 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
590 const struct nlattr * const tb[]);
591 const struct nft_expr_ops *ops;
592 struct list_head list;
593 const char *name;
594 struct module *owner;
595 const struct nla_policy *policy;
596 unsigned int maxattr;
597 u8 family;
598 u8 flags;
599 };
600
601 #define NFT_EXPR_STATEFUL 0x1
602
603 /**
604 * struct nft_expr_ops - nf_tables expression operations
605 *
606 * @eval: Expression evaluation function
607 * @size: full expression size, including private data size
608 * @init: initialization function
609 * @destroy: destruction function
610 * @dump: function to dump parameters
611 * @type: expression type
612 * @validate: validate expression, called during loop detection
613 * @data: extra data to attach to this expression operation
614 */
615 struct nft_expr;
616 struct nft_expr_ops {
617 void (*eval)(const struct nft_expr *expr,
618 struct nft_regs *regs,
619 const struct nft_pktinfo *pkt);
620 unsigned int size;
621
622 int (*init)(const struct nft_ctx *ctx,
623 const struct nft_expr *expr,
624 const struct nlattr * const tb[]);
625 void (*destroy)(const struct nft_ctx *ctx,
626 const struct nft_expr *expr);
627 int (*dump)(struct sk_buff *skb,
628 const struct nft_expr *expr);
629 int (*validate)(const struct nft_ctx *ctx,
630 const struct nft_expr *expr,
631 const struct nft_data **data);
632 const struct nft_expr_type *type;
633 void *data;
634 };
635
636 #define NFT_EXPR_MAXATTR 16
637 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
638 ALIGN(size, __alignof__(struct nft_expr)))
639
640 /**
641 * struct nft_expr - nf_tables expression
642 *
643 * @ops: expression ops
644 * @data: expression private data
645 */
646 struct nft_expr {
647 const struct nft_expr_ops *ops;
648 unsigned char data[];
649 };
650
nft_expr_priv(const struct nft_expr * expr)651 static inline void *nft_expr_priv(const struct nft_expr *expr)
652 {
653 return (void *)expr->data;
654 }
655
656 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
657 const struct nlattr *nla);
658 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
659 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
660 const struct nft_expr *expr);
661
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src)662 static inline void nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
663 {
664 __module_get(src->ops->type->owner);
665 memcpy(dst, src, src->ops->size);
666 }
667
668 /**
669 * struct nft_rule - nf_tables rule
670 *
671 * @list: used internally
672 * @handle: rule handle
673 * @genmask: generation mask
674 * @dlen: length of expression data
675 * @udata: user data is appended to the rule
676 * @data: expression data
677 */
678 struct nft_rule {
679 struct list_head list;
680 u64 handle:42,
681 genmask:2,
682 dlen:12,
683 udata:1;
684 unsigned char data[]
685 __attribute__((aligned(__alignof__(struct nft_expr))));
686 };
687
nft_expr_first(const struct nft_rule * rule)688 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
689 {
690 return (struct nft_expr *)&rule->data[0];
691 }
692
nft_expr_next(const struct nft_expr * expr)693 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
694 {
695 return ((void *)expr) + expr->ops->size;
696 }
697
nft_expr_last(const struct nft_rule * rule)698 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
699 {
700 return (struct nft_expr *)&rule->data[rule->dlen];
701 }
702
nft_userdata(const struct nft_rule * rule)703 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
704 {
705 return (void *)&rule->data[rule->dlen];
706 }
707
708 /*
709 * The last pointer isn't really necessary, but the compiler isn't able to
710 * determine that the result of nft_expr_last() is always the same since it
711 * can't assume that the dlen value wasn't changed within calls in the loop.
712 */
713 #define nft_rule_for_each_expr(expr, last, rule) \
714 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
715 (expr) != (last); \
716 (expr) = nft_expr_next(expr))
717
718 enum nft_chain_flags {
719 NFT_BASE_CHAIN = 0x1,
720 NFT_CHAIN_INACTIVE = 0x2,
721 };
722
723 /**
724 * struct nft_chain - nf_tables chain
725 *
726 * @rules: list of rules in the chain
727 * @list: used internally
728 * @table: table that this chain belongs to
729 * @handle: chain handle
730 * @use: number of jump references to this chain
731 * @level: length of longest path to this chain
732 * @flags: bitmask of enum nft_chain_flags
733 * @name: name of the chain
734 */
735 struct nft_chain {
736 struct list_head rules;
737 struct list_head list;
738 struct nft_table *table;
739 u64 handle;
740 u32 use;
741 u16 level;
742 u8 flags;
743 char name[NFT_CHAIN_MAXNAMELEN];
744 };
745
746 enum nft_chain_type {
747 NFT_CHAIN_T_DEFAULT = 0,
748 NFT_CHAIN_T_ROUTE,
749 NFT_CHAIN_T_NAT,
750 NFT_CHAIN_T_MAX
751 };
752
753 /**
754 * struct nf_chain_type - nf_tables chain type info
755 *
756 * @name: name of the type
757 * @type: numeric identifier
758 * @family: address family
759 * @owner: module owner
760 * @hook_mask: mask of valid hooks
761 * @hooks: hookfn overrides
762 */
763 struct nf_chain_type {
764 const char *name;
765 enum nft_chain_type type;
766 int family;
767 struct module *owner;
768 unsigned int hook_mask;
769 nf_hookfn *hooks[NF_MAX_HOOKS];
770 };
771
772 int nft_chain_validate_dependency(const struct nft_chain *chain,
773 enum nft_chain_type type);
774 int nft_chain_validate_hooks(const struct nft_chain *chain,
775 unsigned int hook_flags);
776
777 struct nft_stats {
778 u64 bytes;
779 u64 pkts;
780 struct u64_stats_sync syncp;
781 };
782
783 #define NFT_HOOK_OPS_MAX 2
784
785 /**
786 * struct nft_base_chain - nf_tables base chain
787 *
788 * @ops: netfilter hook ops
789 * @pnet: net namespace that this chain belongs to
790 * @type: chain type
791 * @policy: default policy
792 * @stats: per-cpu chain stats
793 * @chain: the chain
794 */
795 struct nft_base_chain {
796 struct nf_hook_ops ops[NFT_HOOK_OPS_MAX];
797 possible_net_t pnet;
798 const struct nf_chain_type *type;
799 u8 policy;
800 struct nft_stats __percpu *stats;
801 struct nft_chain chain;
802 };
803
nft_base_chain(const struct nft_chain * chain)804 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
805 {
806 return container_of(chain, struct nft_base_chain, chain);
807 }
808
809 unsigned int nft_do_chain(struct nft_pktinfo *pkt,
810 const struct nf_hook_ops *ops);
811
812 /**
813 * struct nft_table - nf_tables table
814 *
815 * @list: used internally
816 * @chains: chains in the table
817 * @sets: sets in the table
818 * @hgenerator: handle generator state
819 * @use: number of chain references to this table
820 * @flags: table flag (see enum nft_table_flags)
821 * @name: name of the table
822 */
823 struct nft_table {
824 struct list_head list;
825 struct list_head chains;
826 struct list_head sets;
827 u64 hgenerator;
828 u32 use;
829 u16 flags;
830 char name[NFT_TABLE_MAXNAMELEN];
831 };
832
833 /**
834 * struct nft_af_info - nf_tables address family info
835 *
836 * @list: used internally
837 * @family: address family
838 * @nhooks: number of hooks in this family
839 * @owner: module owner
840 * @tables: used internally
841 * @nops: number of hook ops in this family
842 * @hook_ops_init: initialization function for chain hook ops
843 * @hooks: hookfn overrides for packet validation
844 */
845 struct nft_af_info {
846 struct list_head list;
847 int family;
848 unsigned int nhooks;
849 struct module *owner;
850 struct list_head tables;
851 unsigned int nops;
852 void (*hook_ops_init)(struct nf_hook_ops *,
853 unsigned int);
854 nf_hookfn *hooks[NF_MAX_HOOKS];
855 };
856
857 int nft_register_afinfo(struct net *, struct nft_af_info *);
858 void nft_unregister_afinfo(struct nft_af_info *);
859
860 int nft_register_chain_type(const struct nf_chain_type *);
861 void nft_unregister_chain_type(const struct nf_chain_type *);
862
863 int nft_register_expr(struct nft_expr_type *);
864 void nft_unregister_expr(struct nft_expr_type *);
865
866 #define nft_dereference(p) \
867 nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
868
869 #define MODULE_ALIAS_NFT_FAMILY(family) \
870 MODULE_ALIAS("nft-afinfo-" __stringify(family))
871
872 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
873 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
874
875 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
876 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
877
878 #define MODULE_ALIAS_NFT_EXPR(name) \
879 MODULE_ALIAS("nft-expr-" name)
880
881 #define MODULE_ALIAS_NFT_SET() \
882 MODULE_ALIAS("nft-set")
883
884 /*
885 * The gencursor defines two generations, the currently active and the
886 * next one. Objects contain a bitmask of 2 bits specifying the generations
887 * they're active in. A set bit means they're inactive in the generation
888 * represented by that bit.
889 *
890 * New objects start out as inactive in the current and active in the
891 * next generation. When committing the ruleset the bitmask is cleared,
892 * meaning they're active in all generations. When removing an object,
893 * it is set inactive in the next generation. After committing the ruleset,
894 * the objects are removed.
895 */
nft_gencursor_next(const struct net * net)896 static inline unsigned int nft_gencursor_next(const struct net *net)
897 {
898 return net->nft.gencursor + 1 == 1 ? 1 : 0;
899 }
900
nft_genmask_next(const struct net * net)901 static inline u8 nft_genmask_next(const struct net *net)
902 {
903 return 1 << nft_gencursor_next(net);
904 }
905
nft_genmask_cur(const struct net * net)906 static inline u8 nft_genmask_cur(const struct net *net)
907 {
908 /* Use ACCESS_ONCE() to prevent refetching the value for atomicity */
909 return 1 << ACCESS_ONCE(net->nft.gencursor);
910 }
911
912 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
913
914 /*
915 * Set element transaction helpers
916 */
917
nft_set_elem_active(const struct nft_set_ext * ext,u8 genmask)918 static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
919 u8 genmask)
920 {
921 return !(ext->genmask & genmask);
922 }
923
nft_set_elem_change_active(const struct nft_set * set,struct nft_set_ext * ext)924 static inline void nft_set_elem_change_active(const struct nft_set *set,
925 struct nft_set_ext *ext)
926 {
927 ext->genmask ^= nft_genmask_next(read_pnet(&set->pnet));
928 }
929
930 /*
931 * We use a free bit in the genmask field to indicate the element
932 * is busy, meaning it is currently being processed either by
933 * the netlink API or GC.
934 *
935 * Even though the genmask is only a single byte wide, this works
936 * because the extension structure if fully constant once initialized,
937 * so there are no non-atomic write accesses unless it is already
938 * marked busy.
939 */
940 #define NFT_SET_ELEM_BUSY_MASK (1 << 2)
941
942 #if defined(__LITTLE_ENDIAN_BITFIELD)
943 #define NFT_SET_ELEM_BUSY_BIT 2
944 #elif defined(__BIG_ENDIAN_BITFIELD)
945 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
946 #else
947 #error
948 #endif
949
nft_set_elem_mark_busy(struct nft_set_ext * ext)950 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
951 {
952 unsigned long *word = (unsigned long *)ext;
953
954 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
955 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
956 }
957
nft_set_elem_clear_busy(struct nft_set_ext * ext)958 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
959 {
960 unsigned long *word = (unsigned long *)ext;
961
962 clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
963 }
964
965 /**
966 * struct nft_trans - nf_tables object update in transaction
967 *
968 * @list: used internally
969 * @msg_type: message type
970 * @ctx: transaction context
971 * @data: internal information related to the transaction
972 */
973 struct nft_trans {
974 struct list_head list;
975 int msg_type;
976 struct nft_ctx ctx;
977 char data[0];
978 };
979
980 struct nft_trans_rule {
981 struct nft_rule *rule;
982 };
983
984 #define nft_trans_rule(trans) \
985 (((struct nft_trans_rule *)trans->data)->rule)
986
987 struct nft_trans_set {
988 struct nft_set *set;
989 u32 set_id;
990 };
991
992 #define nft_trans_set(trans) \
993 (((struct nft_trans_set *)trans->data)->set)
994 #define nft_trans_set_id(trans) \
995 (((struct nft_trans_set *)trans->data)->set_id)
996
997 struct nft_trans_chain {
998 bool update;
999 char name[NFT_CHAIN_MAXNAMELEN];
1000 struct nft_stats __percpu *stats;
1001 u8 policy;
1002 };
1003
1004 #define nft_trans_chain_update(trans) \
1005 (((struct nft_trans_chain *)trans->data)->update)
1006 #define nft_trans_chain_name(trans) \
1007 (((struct nft_trans_chain *)trans->data)->name)
1008 #define nft_trans_chain_stats(trans) \
1009 (((struct nft_trans_chain *)trans->data)->stats)
1010 #define nft_trans_chain_policy(trans) \
1011 (((struct nft_trans_chain *)trans->data)->policy)
1012
1013 struct nft_trans_table {
1014 bool update;
1015 bool enable;
1016 };
1017
1018 #define nft_trans_table_update(trans) \
1019 (((struct nft_trans_table *)trans->data)->update)
1020 #define nft_trans_table_enable(trans) \
1021 (((struct nft_trans_table *)trans->data)->enable)
1022
1023 struct nft_trans_elem {
1024 struct nft_set *set;
1025 struct nft_set_elem elem;
1026 };
1027
1028 #define nft_trans_elem_set(trans) \
1029 (((struct nft_trans_elem *)trans->data)->set)
1030 #define nft_trans_elem(trans) \
1031 (((struct nft_trans_elem *)trans->data)->elem)
1032
1033 #endif /* _NET_NF_TABLES_H */
1034