root/include/net/netfilter/nf_tables.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM

DEFINITIONS

This source file includes following definitions.
  1. nft_net
  2. nft_hook
  3. nft_pf
  4. nft_in
  5. nft_out
  6. nft_set_pktinfo
  7. nft_set_pktinfo_unspec
  8. nft_reg_store8
  9. nft_reg_load8
  10. nft_reg_store16
  11. nft_reg_load16
  12. nft_reg_store64
  13. nft_reg_load64
  14. nft_data_copy
  15. nft_data_debug
  16. nft_dreg_to_type
  17. nft_type_to_reg
  18. nft_set_is_anonymous
  19. nft_set_priv
  20. nft_set_container_of
  21. nft_set_gc_interval
  22. nft_set_ext_prepare
  23. nft_set_ext_add_length
  24. nft_set_ext_add
  25. nft_set_ext_init
  26. __nft_set_ext_exists
  27. nft_set_ext_exists
  28. nft_set_ext
  29. nft_set_ext_key
  30. nft_set_ext_data
  31. nft_set_ext_flags
  32. nft_set_ext_timeout
  33. nft_set_ext_expiration
  34. nft_set_ext_userdata
  35. nft_set_ext_expr
  36. nft_set_elem_expired
  37. nft_set_elem_ext
  38. nft_set_ext_obj
  39. nft_set_gc_batch_complete
  40. nft_set_gc_batch_check
  41. nft_set_gc_batch_add
  42. nft_expr_priv
  43. nft_expr_first
  44. nft_expr_next
  45. nft_expr_last
  46. nft_is_base_chain
  47. nft_obj_data
  48. nft_gencursor_next
  49. nft_genmask_next
  50. nft_genmask_cur
  51. nft_set_elem_active
  52. nft_set_elem_change_active
  53. nft_set_elem_mark_busy
  54. nft_set_elem_clear_busy
   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 #ifndef _NET_NF_TABLES_H
   3 #define _NET_NF_TABLES_H
   4 
   5 #include <asm/unaligned.h>
   6 #include <linux/list.h>
   7 #include <linux/netfilter.h>
   8 #include <linux/netfilter/nfnetlink.h>
   9 #include <linux/netfilter/x_tables.h>
  10 #include <linux/netfilter/nf_tables.h>
  11 #include <linux/u64_stats_sync.h>
  12 #include <linux/rhashtable.h>
  13 #include <net/netfilter/nf_flow_table.h>
  14 #include <net/netlink.h>
  15 #include <net/flow_offload.h>
  16 
  17 struct module;
  18 
  19 #define NFT_JUMP_STACK_SIZE     16
  20 
  21 struct nft_pktinfo {
  22         struct sk_buff                  *skb;
  23         bool                            tprot_set;
  24         u8                              tprot;
  25         /* for x_tables compatibility */
  26         struct xt_action_param          xt;
  27 };
  28 
  29 static inline struct net *nft_net(const struct nft_pktinfo *pkt)
  30 {
  31         return pkt->xt.state->net;
  32 }
  33 
  34 static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
  35 {
  36         return pkt->xt.state->hook;
  37 }
  38 
  39 static inline u8 nft_pf(const struct nft_pktinfo *pkt)
  40 {
  41         return pkt->xt.state->pf;
  42 }
  43 
  44 static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
  45 {
  46         return pkt->xt.state->in;
  47 }
  48 
  49 static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
  50 {
  51         return pkt->xt.state->out;
  52 }
  53 
  54 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  55                                    struct sk_buff *skb,
  56                                    const struct nf_hook_state *state)
  57 {
  58         pkt->skb = skb;
  59         pkt->xt.state = state;
  60 }
  61 
  62 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
  63                                           struct sk_buff *skb)
  64 {
  65         pkt->tprot_set = false;
  66         pkt->tprot = 0;
  67         pkt->xt.thoff = 0;
  68         pkt->xt.fragoff = 0;
  69 }
  70 
  71 /**
  72  *      struct nft_verdict - nf_tables verdict
  73  *
  74  *      @code: nf_tables/netfilter verdict code
  75  *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  76  */
  77 struct nft_verdict {
  78         u32                             code;
  79         struct nft_chain                *chain;
  80 };
  81 
  82 struct nft_data {
  83         union {
  84                 u32                     data[4];
  85                 struct nft_verdict      verdict;
  86         };
  87 } __attribute__((aligned(__alignof__(u64))));
  88 
  89 /**
  90  *      struct nft_regs - nf_tables register set
  91  *
  92  *      @data: data registers
  93  *      @verdict: verdict register
  94  *
  95  *      The first four data registers alias to the verdict register.
  96  */
  97 struct nft_regs {
  98         union {
  99                 u32                     data[20];
 100                 struct nft_verdict      verdict;
 101         };
 102 };
 103 
 104 /* Store/load an u8, u16 or u64 integer to/from the u32 data register.
 105  *
 106  * Note, when using concatenations, register allocation happens at 32-bit
 107  * level. So for store instruction, pad the rest part with zero to avoid
 108  * garbage values.
 109  */
 110 
 111 static inline void nft_reg_store8(u32 *dreg, u8 val)
 112 {
 113         *dreg = 0;
 114         *(u8 *)dreg = val;
 115 }
 116 
 117 static inline u8 nft_reg_load8(u32 *sreg)
 118 {
 119         return *(u8 *)sreg;
 120 }
 121 
 122 static inline void nft_reg_store16(u32 *dreg, u16 val)
 123 {
 124         *dreg = 0;
 125         *(u16 *)dreg = val;
 126 }
 127 
 128 static inline u16 nft_reg_load16(u32 *sreg)
 129 {
 130         return *(u16 *)sreg;
 131 }
 132 
 133 static inline void nft_reg_store64(u32 *dreg, u64 val)
 134 {
 135         put_unaligned(val, (u64 *)dreg);
 136 }
 137 
 138 static inline u64 nft_reg_load64(u32 *sreg)
 139 {
 140         return get_unaligned((u64 *)sreg);
 141 }
 142 
 143 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 144                                  unsigned int len)
 145 {
 146         memcpy(dst, src, len);
 147 }
 148 
 149 static inline void nft_data_debug(const struct nft_data *data)
 150 {
 151         pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
 152                  data->data[0], data->data[1],
 153                  data->data[2], data->data[3]);
 154 }
 155 
 156 /**
 157  *      struct nft_ctx - nf_tables rule/set context
 158  *
 159  *      @net: net namespace
 160  *      @table: the table the chain is contained in
 161  *      @chain: the chain the rule is contained in
 162  *      @nla: netlink attributes
 163  *      @portid: netlink portID of the original message
 164  *      @seq: netlink sequence number
 165  *      @family: protocol family
 166  *      @level: depth of the chains
 167  *      @report: notify via unicast netlink message
 168  */
 169 struct nft_ctx {
 170         struct net                      *net;
 171         struct nft_table                *table;
 172         struct nft_chain                *chain;
 173         const struct nlattr * const     *nla;
 174         u32                             portid;
 175         u32                             seq;
 176         u16                             flags;
 177         u8                              family;
 178         u8                              level;
 179         bool                            report;
 180 };
 181 
 182 struct nft_data_desc {
 183         enum nft_data_types             type;
 184         unsigned int                    len;
 185 };
 186 
 187 int nft_data_init(const struct nft_ctx *ctx,
 188                   struct nft_data *data, unsigned int size,
 189                   struct nft_data_desc *desc, const struct nlattr *nla);
 190 void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 191 void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 192 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 193                   enum nft_data_types type, unsigned int len);
 194 
 195 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 196 {
 197         return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 198 }
 199 
 200 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 201 {
 202         return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 203 }
 204 
 205 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
 206 unsigned int nft_parse_register(const struct nlattr *attr);
 207 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 208 
 209 int nft_validate_register_load(enum nft_registers reg, unsigned int len);
 210 int nft_validate_register_store(const struct nft_ctx *ctx,
 211                                 enum nft_registers reg,
 212                                 const struct nft_data *data,
 213                                 enum nft_data_types type, unsigned int len);
 214 
 215 /**
 216  *      struct nft_userdata - user defined data associated with an object
 217  *
 218  *      @len: length of the data
 219  *      @data: content
 220  *
 221  *      The presence of user data is indicated in an object specific fashion,
 222  *      so a length of zero can't occur and the value "len" indicates data
 223  *      of length len + 1.
 224  */
 225 struct nft_userdata {
 226         u8                      len;
 227         unsigned char           data[0];
 228 };
 229 
 230 /**
 231  *      struct nft_set_elem - generic representation of set elements
 232  *
 233  *      @key: element key
 234  *      @priv: element private data and extensions
 235  */
 236 struct nft_set_elem {
 237         union {
 238                 u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 239                 struct nft_data val;
 240         } key;
 241         void                    *priv;
 242 };
 243 
 244 struct nft_set;
 245 struct nft_set_iter {
 246         u8              genmask;
 247         unsigned int    count;
 248         unsigned int    skip;
 249         int             err;
 250         int             (*fn)(const struct nft_ctx *ctx,
 251                               struct nft_set *set,
 252                               const struct nft_set_iter *iter,
 253                               struct nft_set_elem *elem);
 254 };
 255 
 256 /**
 257  *      struct nft_set_desc - description of set elements
 258  *
 259  *      @klen: key length
 260  *      @dlen: data length
 261  *      @size: number of set elements
 262  */
 263 struct nft_set_desc {
 264         unsigned int            klen;
 265         unsigned int            dlen;
 266         unsigned int            size;
 267 };
 268 
 269 /**
 270  *      enum nft_set_class - performance class
 271  *
 272  *      @NFT_LOOKUP_O_1: constant, O(1)
 273  *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 274  *      @NFT_LOOKUP_O_N: linear, O(N)
 275  */
 276 enum nft_set_class {
 277         NFT_SET_CLASS_O_1,
 278         NFT_SET_CLASS_O_LOG_N,
 279         NFT_SET_CLASS_O_N,
 280 };
 281 
 282 /**
 283  *      struct nft_set_estimate - estimation of memory and performance
 284  *                                characteristics
 285  *
 286  *      @size: required memory
 287  *      @lookup: lookup performance class
 288  *      @space: memory class
 289  */
 290 struct nft_set_estimate {
 291         u64                     size;
 292         enum nft_set_class      lookup;
 293         enum nft_set_class      space;
 294 };
 295 
 296 struct nft_set_ext;
 297 struct nft_expr;
 298 
 299 /**
 300  *      struct nft_set_ops - nf_tables set operations
 301  *
 302  *      @lookup: look up an element within the set
 303  *      @update: update an element if exists, add it if doesn't exist
 304  *      @delete: delete an element
 305  *      @insert: insert new element into set
 306  *      @activate: activate new element in the next generation
 307  *      @deactivate: lookup for element and deactivate it in the next generation
 308  *      @flush: deactivate element in the next generation
 309  *      @remove: remove element from set
 310  *      @walk: iterate over all set elements
 311  *      @get: get set elements
 312  *      @privsize: function to return size of set private data
 313  *      @init: initialize private data of new set instance
 314  *      @destroy: destroy private data of set instance
 315  *      @elemsize: element private size
 316  *
 317  *      Operations lookup, update and delete have simpler interfaces, are faster
 318  *      and currently only used in the packet path. All the rest are slower,
 319  *      control plane functions.
 320  */
 321 struct nft_set_ops {
 322         bool                            (*lookup)(const struct net *net,
 323                                                   const struct nft_set *set,
 324                                                   const u32 *key,
 325                                                   const struct nft_set_ext **ext);
 326         bool                            (*update)(struct nft_set *set,
 327                                                   const u32 *key,
 328                                                   void *(*new)(struct nft_set *,
 329                                                                const struct nft_expr *,
 330                                                                struct nft_regs *),
 331                                                   const struct nft_expr *expr,
 332                                                   struct nft_regs *regs,
 333                                                   const struct nft_set_ext **ext);
 334         bool                            (*delete)(const struct nft_set *set,
 335                                                   const u32 *key);
 336 
 337         int                             (*insert)(const struct net *net,
 338                                                   const struct nft_set *set,
 339                                                   const struct nft_set_elem *elem,
 340                                                   struct nft_set_ext **ext);
 341         void                            (*activate)(const struct net *net,
 342                                                     const struct nft_set *set,
 343                                                     const struct nft_set_elem *elem);
 344         void *                          (*deactivate)(const struct net *net,
 345                                                       const struct nft_set *set,
 346                                                       const struct nft_set_elem *elem);
 347         bool                            (*flush)(const struct net *net,
 348                                                  const struct nft_set *set,
 349                                                  void *priv);
 350         void                            (*remove)(const struct net *net,
 351                                                   const struct nft_set *set,
 352                                                   const struct nft_set_elem *elem);
 353         void                            (*walk)(const struct nft_ctx *ctx,
 354                                                 struct nft_set *set,
 355                                                 struct nft_set_iter *iter);
 356         void *                          (*get)(const struct net *net,
 357                                                const struct nft_set *set,
 358                                                const struct nft_set_elem *elem,
 359                                                unsigned int flags);
 360 
 361         u64                             (*privsize)(const struct nlattr * const nla[],
 362                                                     const struct nft_set_desc *desc);
 363         bool                            (*estimate)(const struct nft_set_desc *desc,
 364                                                     u32 features,
 365                                                     struct nft_set_estimate *est);
 366         int                             (*init)(const struct nft_set *set,
 367                                                 const struct nft_set_desc *desc,
 368                                                 const struct nlattr * const nla[]);
 369         void                            (*destroy)(const struct nft_set *set);
 370         void                            (*gc_init)(const struct nft_set *set);
 371 
 372         unsigned int                    elemsize;
 373 };
 374 
 375 /**
 376  *      struct nft_set_type - nf_tables set type
 377  *
 378  *      @ops: set ops for this type
 379  *      @list: used internally
 380  *      @owner: module reference
 381  *      @features: features supported by the implementation
 382  */
 383 struct nft_set_type {
 384         const struct nft_set_ops        ops;
 385         struct list_head                list;
 386         struct module                   *owner;
 387         u32                             features;
 388 };
 389 #define to_set_type(o) container_of(o, struct nft_set_type, ops)
 390 
 391 int nft_register_set(struct nft_set_type *type);
 392 void nft_unregister_set(struct nft_set_type *type);
 393 
 394 /**
 395  *      struct nft_set - nf_tables set instance
 396  *
 397  *      @list: table set list node
 398  *      @bindings: list of set bindings
 399  *      @table: table this set belongs to
 400  *      @net: netnamespace this set belongs to
 401  *      @name: name of the set
 402  *      @handle: unique handle of the set
 403  *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 404  *      @dtype: data type (verdict or numeric type defined by userspace)
 405  *      @objtype: object type (see NFT_OBJECT_* definitions)
 406  *      @size: maximum set size
 407  *      @use: number of rules references to this set
 408  *      @nelems: number of elements
 409  *      @ndeact: number of deactivated elements queued for removal
 410  *      @timeout: default timeout value in jiffies
 411  *      @gc_int: garbage collection interval in msecs
 412  *      @policy: set parameterization (see enum nft_set_policies)
 413  *      @udlen: user data length
 414  *      @udata: user data
 415  *      @ops: set ops
 416  *      @flags: set flags
 417  *      @genmask: generation mask
 418  *      @klen: key length
 419  *      @dlen: data length
 420  *      @data: private set data
 421  */
 422 struct nft_set {
 423         struct list_head                list;
 424         struct list_head                bindings;
 425         struct nft_table                *table;
 426         possible_net_t                  net;
 427         char                            *name;
 428         u64                             handle;
 429         u32                             ktype;
 430         u32                             dtype;
 431         u32                             objtype;
 432         u32                             size;
 433         u32                             use;
 434         atomic_t                        nelems;
 435         u32                             ndeact;
 436         u64                             timeout;
 437         u32                             gc_int;
 438         u16                             policy;
 439         u16                             udlen;
 440         unsigned char                   *udata;
 441         /* runtime data below here */
 442         const struct nft_set_ops        *ops ____cacheline_aligned;
 443         u16                             flags:14,
 444                                         genmask:2;
 445         u8                              klen;
 446         u8                              dlen;
 447         unsigned char                   data[]
 448                 __attribute__((aligned(__alignof__(u64))));
 449 };
 450 
 451 static inline bool nft_set_is_anonymous(const struct nft_set *set)
 452 {
 453         return set->flags & NFT_SET_ANONYMOUS;
 454 }
 455 
 456 static inline void *nft_set_priv(const struct nft_set *set)
 457 {
 458         return (void *)set->data;
 459 }
 460 
 461 static inline struct nft_set *nft_set_container_of(const void *priv)
 462 {
 463         return (void *)priv - offsetof(struct nft_set, data);
 464 }
 465 
 466 struct nft_set *nft_set_lookup_global(const struct net *net,
 467                                       const struct nft_table *table,
 468                                       const struct nlattr *nla_set_name,
 469                                       const struct nlattr *nla_set_id,
 470                                       u8 genmask);
 471 
 472 static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 473 {
 474         return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 475 }
 476 
 477 /**
 478  *      struct nft_set_binding - nf_tables set binding
 479  *
 480  *      @list: set bindings list node
 481  *      @chain: chain containing the rule bound to the set
 482  *      @flags: set action flags
 483  *
 484  *      A set binding contains all information necessary for validation
 485  *      of new elements added to a bound set.
 486  */
 487 struct nft_set_binding {
 488         struct list_head                list;
 489         const struct nft_chain          *chain;
 490         u32                             flags;
 491 };
 492 
 493 enum nft_trans_phase;
 494 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 495                               struct nft_set_binding *binding,
 496                               enum nft_trans_phase phase);
 497 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 498                        struct nft_set_binding *binding);
 499 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
 500 
 501 /**
 502  *      enum nft_set_extensions - set extension type IDs
 503  *
 504  *      @NFT_SET_EXT_KEY: element key
 505  *      @NFT_SET_EXT_DATA: mapping data
 506  *      @NFT_SET_EXT_FLAGS: element flags
 507  *      @NFT_SET_EXT_TIMEOUT: element timeout
 508  *      @NFT_SET_EXT_EXPIRATION: element expiration time
 509  *      @NFT_SET_EXT_USERDATA: user data associated with the element
 510  *      @NFT_SET_EXT_EXPR: expression assiociated with the element
 511  *      @NFT_SET_EXT_OBJREF: stateful object reference associated with element
 512  *      @NFT_SET_EXT_NUM: number of extension types
 513  */
 514 enum nft_set_extensions {
 515         NFT_SET_EXT_KEY,
 516         NFT_SET_EXT_DATA,
 517         NFT_SET_EXT_FLAGS,
 518         NFT_SET_EXT_TIMEOUT,
 519         NFT_SET_EXT_EXPIRATION,
 520         NFT_SET_EXT_USERDATA,
 521         NFT_SET_EXT_EXPR,
 522         NFT_SET_EXT_OBJREF,
 523         NFT_SET_EXT_NUM
 524 };
 525 
 526 /**
 527  *      struct nft_set_ext_type - set extension type
 528  *
 529  *      @len: fixed part length of the extension
 530  *      @align: alignment requirements of the extension
 531  */
 532 struct nft_set_ext_type {
 533         u8      len;
 534         u8      align;
 535 };
 536 
 537 extern const struct nft_set_ext_type nft_set_ext_types[];
 538 
 539 /**
 540  *      struct nft_set_ext_tmpl - set extension template
 541  *
 542  *      @len: length of extension area
 543  *      @offset: offsets of individual extension types
 544  */
 545 struct nft_set_ext_tmpl {
 546         u16     len;
 547         u8      offset[NFT_SET_EXT_NUM];
 548 };
 549 
 550 /**
 551  *      struct nft_set_ext - set extensions
 552  *
 553  *      @genmask: generation mask
 554  *      @offset: offsets of individual extension types
 555  *      @data: beginning of extension data
 556  */
 557 struct nft_set_ext {
 558         u8      genmask;
 559         u8      offset[NFT_SET_EXT_NUM];
 560         char    data[0];
 561 };
 562 
 563 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 564 {
 565         memset(tmpl, 0, sizeof(*tmpl));
 566         tmpl->len = sizeof(struct nft_set_ext);
 567 }
 568 
 569 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 570                                           unsigned int len)
 571 {
 572         tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 573         BUG_ON(tmpl->len > U8_MAX);
 574         tmpl->offset[id] = tmpl->len;
 575         tmpl->len       += nft_set_ext_types[id].len + len;
 576 }
 577 
 578 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 579 {
 580         nft_set_ext_add_length(tmpl, id, 0);
 581 }
 582 
 583 static inline void nft_set_ext_init(struct nft_set_ext *ext,
 584                                     const struct nft_set_ext_tmpl *tmpl)
 585 {
 586         memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 587 }
 588 
 589 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 590 {
 591         return !!ext->offset[id];
 592 }
 593 
 594 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 595 {
 596         return ext && __nft_set_ext_exists(ext, id);
 597 }
 598 
 599 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 600 {
 601         return (void *)ext + ext->offset[id];
 602 }
 603 
 604 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 605 {
 606         return nft_set_ext(ext, NFT_SET_EXT_KEY);
 607 }
 608 
 609 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 610 {
 611         return nft_set_ext(ext, NFT_SET_EXT_DATA);
 612 }
 613 
 614 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 615 {
 616         return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 617 }
 618 
 619 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 620 {
 621         return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 622 }
 623 
 624 static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
 625 {
 626         return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 627 }
 628 
 629 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 630 {
 631         return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 632 }
 633 
 634 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 635 {
 636         return nft_set_ext(ext, NFT_SET_EXT_EXPR);
 637 }
 638 
 639 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 640 {
 641         return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 642                time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
 643 }
 644 
 645 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 646                                                    void *elem)
 647 {
 648         return elem + set->ops->elemsize;
 649 }
 650 
 651 static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
 652 {
 653         return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
 654 }
 655 
 656 void *nft_set_elem_init(const struct nft_set *set,
 657                         const struct nft_set_ext_tmpl *tmpl,
 658                         const u32 *key, const u32 *data,
 659                         u64 timeout, u64 expiration, gfp_t gfp);
 660 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 661                           bool destroy_expr);
 662 
 663 /**
 664  *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 665  *
 666  *      @rcu: rcu head
 667  *      @set: set the elements belong to
 668  *      @cnt: count of elements
 669  */
 670 struct nft_set_gc_batch_head {
 671         struct rcu_head                 rcu;
 672         const struct nft_set            *set;
 673         unsigned int                    cnt;
 674 };
 675 
 676 #define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 677                                   sizeof(struct nft_set_gc_batch_head)) / \
 678                                  sizeof(void *))
 679 
 680 /**
 681  *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 682  *
 683  *      @head: GC batch head
 684  *      @elems: garbage collection elements
 685  */
 686 struct nft_set_gc_batch {
 687         struct nft_set_gc_batch_head    head;
 688         void                            *elems[NFT_SET_GC_BATCH_SIZE];
 689 };
 690 
 691 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 692                                                 gfp_t gfp);
 693 void nft_set_gc_batch_release(struct rcu_head *rcu);
 694 
 695 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 696 {
 697         if (gcb != NULL)
 698                 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 699 }
 700 
 701 static inline struct nft_set_gc_batch *
 702 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 703                        gfp_t gfp)
 704 {
 705         if (gcb != NULL) {
 706                 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 707                         return gcb;
 708                 nft_set_gc_batch_complete(gcb);
 709         }
 710         return nft_set_gc_batch_alloc(set, gfp);
 711 }
 712 
 713 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 714                                         void *elem)
 715 {
 716         gcb->elems[gcb->head.cnt++] = elem;
 717 }
 718 
 719 struct nft_expr_ops;
 720 /**
 721  *      struct nft_expr_type - nf_tables expression type
 722  *
 723  *      @select_ops: function to select nft_expr_ops
 724  *      @release_ops: release nft_expr_ops
 725  *      @ops: default ops, used when no select_ops functions is present
 726  *      @list: used internally
 727  *      @name: Identifier
 728  *      @owner: module reference
 729  *      @policy: netlink attribute policy
 730  *      @maxattr: highest netlink attribute number
 731  *      @family: address family for AF-specific types
 732  *      @flags: expression type flags
 733  */
 734 struct nft_expr_type {
 735         const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 736                                                        const struct nlattr * const tb[]);
 737         void                            (*release_ops)(const struct nft_expr_ops *ops);
 738         const struct nft_expr_ops       *ops;
 739         struct list_head                list;
 740         const char                      *name;
 741         struct module                   *owner;
 742         const struct nla_policy         *policy;
 743         unsigned int                    maxattr;
 744         u8                              family;
 745         u8                              flags;
 746 };
 747 
 748 #define NFT_EXPR_STATEFUL               0x1
 749 #define NFT_EXPR_GC                     0x2
 750 
 751 enum nft_trans_phase {
 752         NFT_TRANS_PREPARE,
 753         NFT_TRANS_ABORT,
 754         NFT_TRANS_COMMIT,
 755         NFT_TRANS_RELEASE
 756 };
 757 
 758 struct nft_flow_rule;
 759 struct nft_offload_ctx;
 760 
 761 /**
 762  *      struct nft_expr_ops - nf_tables expression operations
 763  *
 764  *      @eval: Expression evaluation function
 765  *      @size: full expression size, including private data size
 766  *      @init: initialization function
 767  *      @activate: activate expression in the next generation
 768  *      @deactivate: deactivate expression in next generation
 769  *      @destroy: destruction function, called after synchronize_rcu
 770  *      @dump: function to dump parameters
 771  *      @type: expression type
 772  *      @validate: validate expression, called during loop detection
 773  *      @data: extra data to attach to this expression operation
 774  */
 775 struct nft_expr;
 776 struct nft_expr_ops {
 777         void                            (*eval)(const struct nft_expr *expr,
 778                                                 struct nft_regs *regs,
 779                                                 const struct nft_pktinfo *pkt);
 780         int                             (*clone)(struct nft_expr *dst,
 781                                                  const struct nft_expr *src);
 782         unsigned int                    size;
 783 
 784         int                             (*init)(const struct nft_ctx *ctx,
 785                                                 const struct nft_expr *expr,
 786                                                 const struct nlattr * const tb[]);
 787         void                            (*activate)(const struct nft_ctx *ctx,
 788                                                     const struct nft_expr *expr);
 789         void                            (*deactivate)(const struct nft_ctx *ctx,
 790                                                       const struct nft_expr *expr,
 791                                                       enum nft_trans_phase phase);
 792         void                            (*destroy)(const struct nft_ctx *ctx,
 793                                                    const struct nft_expr *expr);
 794         void                            (*destroy_clone)(const struct nft_ctx *ctx,
 795                                                          const struct nft_expr *expr);
 796         int                             (*dump)(struct sk_buff *skb,
 797                                                 const struct nft_expr *expr);
 798         int                             (*validate)(const struct nft_ctx *ctx,
 799                                                     const struct nft_expr *expr,
 800                                                     const struct nft_data **data);
 801         bool                            (*gc)(struct net *net,
 802                                               const struct nft_expr *expr);
 803         int                             (*offload)(struct nft_offload_ctx *ctx,
 804                                                    struct nft_flow_rule *flow,
 805                                                    const struct nft_expr *expr);
 806         u32                             offload_flags;
 807         const struct nft_expr_type      *type;
 808         void                            *data;
 809 };
 810 
 811 #define NFT_EXPR_MAXATTR                16
 812 #define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 813                                          ALIGN(size, __alignof__(struct nft_expr)))
 814 
 815 /**
 816  *      struct nft_expr - nf_tables expression
 817  *
 818  *      @ops: expression ops
 819  *      @data: expression private data
 820  */
 821 struct nft_expr {
 822         const struct nft_expr_ops       *ops;
 823         unsigned char                   data[]
 824                 __attribute__((aligned(__alignof__(u64))));
 825 };
 826 
 827 static inline void *nft_expr_priv(const struct nft_expr *expr)
 828 {
 829         return (void *)expr->data;
 830 }
 831 
 832 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
 833                                const struct nlattr *nla);
 834 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 835 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 836                   const struct nft_expr *expr);
 837 
 838 /**
 839  *      struct nft_rule - nf_tables rule
 840  *
 841  *      @list: used internally
 842  *      @handle: rule handle
 843  *      @genmask: generation mask
 844  *      @dlen: length of expression data
 845  *      @udata: user data is appended to the rule
 846  *      @data: expression data
 847  */
 848 struct nft_rule {
 849         struct list_head                list;
 850         u64                             handle:42,
 851                                         genmask:2,
 852                                         dlen:12,
 853                                         udata:1;
 854         unsigned char                   data[]
 855                 __attribute__((aligned(__alignof__(struct nft_expr))));
 856 };
 857 
 858 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 859 {
 860         return (struct nft_expr *)&rule->data[0];
 861 }
 862 
 863 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 864 {
 865         return ((void *)expr) + expr->ops->size;
 866 }
 867 
 868 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 869 {
 870         return (struct nft_expr *)&rule->data[rule->dlen];
 871 }
 872 
 873 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 874 {
 875         return (void *)&rule->data[rule->dlen];
 876 }
 877 
 878 /*
 879  * The last pointer isn't really necessary, but the compiler isn't able to
 880  * determine that the result of nft_expr_last() is always the same since it
 881  * can't assume that the dlen value wasn't changed within calls in the loop.
 882  */
 883 #define nft_rule_for_each_expr(expr, last, rule) \
 884         for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 885              (expr) != (last); \
 886              (expr) = nft_expr_next(expr))
 887 
 888 enum nft_chain_flags {
 889         NFT_BASE_CHAIN                  = 0x1,
 890         NFT_CHAIN_HW_OFFLOAD            = 0x2,
 891 };
 892 
 893 #define NFT_CHAIN_POLICY_UNSET          U8_MAX
 894 
 895 /**
 896  *      struct nft_chain - nf_tables chain
 897  *
 898  *      @rules: list of rules in the chain
 899  *      @list: used internally
 900  *      @rhlhead: used internally
 901  *      @table: table that this chain belongs to
 902  *      @handle: chain handle
 903  *      @use: number of jump references to this chain
 904  *      @flags: bitmask of enum nft_chain_flags
 905  *      @name: name of the chain
 906  */
 907 struct nft_chain {
 908         struct nft_rule                 *__rcu *rules_gen_0;
 909         struct nft_rule                 *__rcu *rules_gen_1;
 910         struct list_head                rules;
 911         struct list_head                list;
 912         struct rhlist_head              rhlhead;
 913         struct nft_table                *table;
 914         u64                             handle;
 915         u32                             use;
 916         u8                              flags:6,
 917                                         genmask:2;
 918         char                            *name;
 919 
 920         /* Only used during control plane commit phase: */
 921         struct nft_rule                 **rules_next;
 922 };
 923 
 924 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
 925 
 926 enum nft_chain_types {
 927         NFT_CHAIN_T_DEFAULT = 0,
 928         NFT_CHAIN_T_ROUTE,
 929         NFT_CHAIN_T_NAT,
 930         NFT_CHAIN_T_MAX
 931 };
 932 
 933 /**
 934  *      struct nft_chain_type - nf_tables chain type info
 935  *
 936  *      @name: name of the type
 937  *      @type: numeric identifier
 938  *      @family: address family
 939  *      @owner: module owner
 940  *      @hook_mask: mask of valid hooks
 941  *      @hooks: array of hook functions
 942  *      @ops_register: base chain register function
 943  *      @ops_unregister: base chain unregister function
 944  */
 945 struct nft_chain_type {
 946         const char                      *name;
 947         enum nft_chain_types            type;
 948         int                             family;
 949         struct module                   *owner;
 950         unsigned int                    hook_mask;
 951         nf_hookfn                       *hooks[NF_MAX_HOOKS];
 952         int                             (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
 953         void                            (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
 954 };
 955 
 956 int nft_chain_validate_dependency(const struct nft_chain *chain,
 957                                   enum nft_chain_types type);
 958 int nft_chain_validate_hooks(const struct nft_chain *chain,
 959                              unsigned int hook_flags);
 960 
 961 struct nft_stats {
 962         u64                     bytes;
 963         u64                     pkts;
 964         struct u64_stats_sync   syncp;
 965 };
 966 
 967 /**
 968  *      struct nft_base_chain - nf_tables base chain
 969  *
 970  *      @ops: netfilter hook ops
 971  *      @type: chain type
 972  *      @policy: default policy
 973  *      @stats: per-cpu chain stats
 974  *      @chain: the chain
 975  *      @dev_name: device name that this base chain is attached to (if any)
 976  *      @flow_block: flow block (for hardware offload)
 977  */
 978 struct nft_base_chain {
 979         struct nf_hook_ops              ops;
 980         const struct nft_chain_type     *type;
 981         u8                              policy;
 982         u8                              flags;
 983         struct nft_stats __percpu       *stats;
 984         struct nft_chain                chain;
 985         char                            dev_name[IFNAMSIZ];
 986         struct flow_block               flow_block;
 987 };
 988 
 989 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
 990 {
 991         return container_of(chain, struct nft_base_chain, chain);
 992 }
 993 
 994 static inline bool nft_is_base_chain(const struct nft_chain *chain)
 995 {
 996         return chain->flags & NFT_BASE_CHAIN;
 997 }
 998 
 999 int __nft_release_basechain(struct nft_ctx *ctx);
1000 
1001 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1002 
1003 /**
1004  *      struct nft_table - nf_tables table
1005  *
1006  *      @list: used internally
1007  *      @chains_ht: chains in the table
1008  *      @chains: same, for stable walks
1009  *      @sets: sets in the table
1010  *      @objects: stateful objects in the table
1011  *      @flowtables: flow tables in the table
1012  *      @hgenerator: handle generator state
1013  *      @handle: table handle
1014  *      @use: number of chain references to this table
1015  *      @flags: table flag (see enum nft_table_flags)
1016  *      @genmask: generation mask
1017  *      @afinfo: address family info
1018  *      @name: name of the table
1019  */
1020 struct nft_table {
1021         struct list_head                list;
1022         struct rhltable                 chains_ht;
1023         struct list_head                chains;
1024         struct list_head                sets;
1025         struct list_head                objects;
1026         struct list_head                flowtables;
1027         u64                             hgenerator;
1028         u64                             handle;
1029         u32                             use;
1030         u16                             family:6,
1031                                         flags:8,
1032                                         genmask:2;
1033         char                            *name;
1034 };
1035 
1036 void nft_register_chain_type(const struct nft_chain_type *);
1037 void nft_unregister_chain_type(const struct nft_chain_type *);
1038 
1039 int nft_register_expr(struct nft_expr_type *);
1040 void nft_unregister_expr(struct nft_expr_type *);
1041 
1042 int nft_verdict_dump(struct sk_buff *skb, int type,
1043                      const struct nft_verdict *v);
1044 
1045 /**
1046  *      struct nft_object_hash_key - key to lookup nft_object
1047  *
1048  *      @name: name of the stateful object to look up
1049  *      @table: table the object belongs to
1050  */
1051 struct nft_object_hash_key {
1052         const char                      *name;
1053         const struct nft_table          *table;
1054 };
1055 
1056 /**
1057  *      struct nft_object - nf_tables stateful object
1058  *
1059  *      @list: table stateful object list node
1060  *      @key:  keys that identify this object
1061  *      @rhlhead: nft_objname_ht node
1062  *      @genmask: generation mask
1063  *      @use: number of references to this stateful object
1064  *      @handle: unique object handle
1065  *      @ops: object operations
1066  *      @data: object data, layout depends on type
1067  */
1068 struct nft_object {
1069         struct list_head                list;
1070         struct rhlist_head              rhlhead;
1071         struct nft_object_hash_key      key;
1072         u32                             genmask:2,
1073                                         use:30;
1074         u64                             handle;
1075         /* runtime data below here */
1076         const struct nft_object_ops     *ops ____cacheline_aligned;
1077         unsigned char                   data[]
1078                 __attribute__((aligned(__alignof__(u64))));
1079 };
1080 
1081 static inline void *nft_obj_data(const struct nft_object *obj)
1082 {
1083         return (void *)obj->data;
1084 }
1085 
1086 #define nft_expr_obj(expr)      *((struct nft_object **)nft_expr_priv(expr))
1087 
1088 struct nft_object *nft_obj_lookup(const struct net *net,
1089                                   const struct nft_table *table,
1090                                   const struct nlattr *nla, u32 objtype,
1091                                   u8 genmask);
1092 
1093 void nft_obj_notify(struct net *net, const struct nft_table *table,
1094                     struct nft_object *obj, u32 portid, u32 seq,
1095                     int event, int family, int report, gfp_t gfp);
1096 
1097 /**
1098  *      struct nft_object_type - stateful object type
1099  *
1100  *      @select_ops: function to select nft_object_ops
1101  *      @ops: default ops, used when no select_ops functions is present
1102  *      @list: list node in list of object types
1103  *      @type: stateful object numeric type
1104  *      @owner: module owner
1105  *      @maxattr: maximum netlink attribute
1106  *      @policy: netlink attribute policy
1107  */
1108 struct nft_object_type {
1109         const struct nft_object_ops     *(*select_ops)(const struct nft_ctx *,
1110                                                        const struct nlattr * const tb[]);
1111         const struct nft_object_ops     *ops;
1112         struct list_head                list;
1113         u32                             type;
1114         unsigned int                    maxattr;
1115         struct module                   *owner;
1116         const struct nla_policy         *policy;
1117 };
1118 
1119 /**
1120  *      struct nft_object_ops - stateful object operations
1121  *
1122  *      @eval: stateful object evaluation function
1123  *      @size: stateful object size
1124  *      @init: initialize object from netlink attributes
1125  *      @destroy: release existing stateful object
1126  *      @dump: netlink dump stateful object
1127  *      @update: update stateful object
1128  */
1129 struct nft_object_ops {
1130         void                            (*eval)(struct nft_object *obj,
1131                                                 struct nft_regs *regs,
1132                                                 const struct nft_pktinfo *pkt);
1133         unsigned int                    size;
1134         int                             (*init)(const struct nft_ctx *ctx,
1135                                                 const struct nlattr *const tb[],
1136                                                 struct nft_object *obj);
1137         void                            (*destroy)(const struct nft_ctx *ctx,
1138                                                    struct nft_object *obj);
1139         int                             (*dump)(struct sk_buff *skb,
1140                                                 struct nft_object *obj,
1141                                                 bool reset);
1142         void                            (*update)(struct nft_object *obj,
1143                                                   struct nft_object *newobj);
1144         const struct nft_object_type    *type;
1145 };
1146 
1147 int nft_register_obj(struct nft_object_type *obj_type);
1148 void nft_unregister_obj(struct nft_object_type *obj_type);
1149 
1150 #define NFT_FLOWTABLE_DEVICE_MAX        8
1151 
1152 /**
1153  *      struct nft_flowtable - nf_tables flow table
1154  *
1155  *      @list: flow table list node in table list
1156  *      @table: the table the flow table is contained in
1157  *      @name: name of this flow table
1158  *      @hooknum: hook number
1159  *      @priority: hook priority
1160  *      @ops_len: number of hooks in array
1161  *      @genmask: generation mask
1162  *      @use: number of references to this flow table
1163  *      @handle: unique object handle
1164  *      @dev_name: array of device names
1165  *      @data: rhashtable and garbage collector
1166  *      @ops: array of hooks
1167  */
1168 struct nft_flowtable {
1169         struct list_head                list;
1170         struct nft_table                *table;
1171         char                            *name;
1172         int                             hooknum;
1173         int                             priority;
1174         int                             ops_len;
1175         u32                             genmask:2,
1176                                         use:30;
1177         u64                             handle;
1178         /* runtime data below here */
1179         struct nf_hook_ops              *ops ____cacheline_aligned;
1180         struct nf_flowtable             data;
1181 };
1182 
1183 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1184                                            const struct nlattr *nla,
1185                                            u8 genmask);
1186 
1187 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1188                                     struct nft_flowtable *flowtable,
1189                                     enum nft_trans_phase phase);
1190 
1191 void nft_register_flowtable_type(struct nf_flowtable_type *type);
1192 void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1193 
1194 /**
1195  *      struct nft_traceinfo - nft tracing information and state
1196  *
1197  *      @pkt: pktinfo currently processed
1198  *      @basechain: base chain currently processed
1199  *      @chain: chain currently processed
1200  *      @rule:  rule that was evaluated
1201  *      @verdict: verdict given by rule
1202  *      @type: event type (enum nft_trace_types)
1203  *      @packet_dumped: packet headers sent in a previous traceinfo message
1204  *      @trace: other struct members are initialised
1205  */
1206 struct nft_traceinfo {
1207         const struct nft_pktinfo        *pkt;
1208         const struct nft_base_chain     *basechain;
1209         const struct nft_chain          *chain;
1210         const struct nft_rule           *rule;
1211         const struct nft_verdict        *verdict;
1212         enum nft_trace_types            type;
1213         bool                            packet_dumped;
1214         bool                            trace;
1215 };
1216 
1217 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1218                     const struct nft_verdict *verdict,
1219                     const struct nft_chain *basechain);
1220 
1221 void nft_trace_notify(struct nft_traceinfo *info);
1222 
1223 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
1224         MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1225 
1226 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1227         MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1228 
1229 #define MODULE_ALIAS_NFT_EXPR(name) \
1230         MODULE_ALIAS("nft-expr-" name)
1231 
1232 #define MODULE_ALIAS_NFT_SET() \
1233         MODULE_ALIAS("nft-set")
1234 
1235 #define MODULE_ALIAS_NFT_OBJ(type) \
1236         MODULE_ALIAS("nft-obj-" __stringify(type))
1237 
1238 #if IS_ENABLED(CONFIG_NF_TABLES)
1239 
1240 /*
1241  * The gencursor defines two generations, the currently active and the
1242  * next one. Objects contain a bitmask of 2 bits specifying the generations
1243  * they're active in. A set bit means they're inactive in the generation
1244  * represented by that bit.
1245  *
1246  * New objects start out as inactive in the current and active in the
1247  * next generation. When committing the ruleset the bitmask is cleared,
1248  * meaning they're active in all generations. When removing an object,
1249  * it is set inactive in the next generation. After committing the ruleset,
1250  * the objects are removed.
1251  */
1252 static inline unsigned int nft_gencursor_next(const struct net *net)
1253 {
1254         return net->nft.gencursor + 1 == 1 ? 1 : 0;
1255 }
1256 
1257 static inline u8 nft_genmask_next(const struct net *net)
1258 {
1259         return 1 << nft_gencursor_next(net);
1260 }
1261 
1262 static inline u8 nft_genmask_cur(const struct net *net)
1263 {
1264         /* Use READ_ONCE() to prevent refetching the value for atomicity */
1265         return 1 << READ_ONCE(net->nft.gencursor);
1266 }
1267 
1268 #define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
1269 
1270 /*
1271  * Generic transaction helpers
1272  */
1273 
1274 /* Check if this object is currently active. */
1275 #define nft_is_active(__net, __obj)                             \
1276         (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1277 
1278 /* Check if this object is active in the next generation. */
1279 #define nft_is_active_next(__net, __obj)                        \
1280         (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1281 
1282 /* This object becomes active in the next generation. */
1283 #define nft_activate_next(__net, __obj)                         \
1284         (__obj)->genmask = nft_genmask_cur(__net)
1285 
1286 /* This object becomes inactive in the next generation. */
1287 #define nft_deactivate_next(__net, __obj)                       \
1288         (__obj)->genmask = nft_genmask_next(__net)
1289 
1290 /* After committing the ruleset, clear the stale generation bit. */
1291 #define nft_clear(__net, __obj)                                 \
1292         (__obj)->genmask &= ~nft_genmask_next(__net)
1293 #define nft_active_genmask(__obj, __genmask)                    \
1294         !((__obj)->genmask & __genmask)
1295 
1296 /*
1297  * Set element transaction helpers
1298  */
1299 
1300 static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1301                                        u8 genmask)
1302 {
1303         return !(ext->genmask & genmask);
1304 }
1305 
1306 static inline void nft_set_elem_change_active(const struct net *net,
1307                                               const struct nft_set *set,
1308                                               struct nft_set_ext *ext)
1309 {
1310         ext->genmask ^= nft_genmask_next(net);
1311 }
1312 
1313 #endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1314 
1315 /*
1316  * We use a free bit in the genmask field to indicate the element
1317  * is busy, meaning it is currently being processed either by
1318  * the netlink API or GC.
1319  *
1320  * Even though the genmask is only a single byte wide, this works
1321  * because the extension structure if fully constant once initialized,
1322  * so there are no non-atomic write accesses unless it is already
1323  * marked busy.
1324  */
1325 #define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
1326 
1327 #if defined(__LITTLE_ENDIAN_BITFIELD)
1328 #define NFT_SET_ELEM_BUSY_BIT   2
1329 #elif defined(__BIG_ENDIAN_BITFIELD)
1330 #define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
1331 #else
1332 #error
1333 #endif
1334 
1335 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1336 {
1337         unsigned long *word = (unsigned long *)ext;
1338 
1339         BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1340         return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1341 }
1342 
1343 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1344 {
1345         unsigned long *word = (unsigned long *)ext;
1346 
1347         clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1348 }
1349 
1350 /**
1351  *      struct nft_trans - nf_tables object update in transaction
1352  *
1353  *      @list: used internally
1354  *      @msg_type: message type
1355  *      @put_net: ctx->net needs to be put
1356  *      @ctx: transaction context
1357  *      @data: internal information related to the transaction
1358  */
1359 struct nft_trans {
1360         struct list_head                list;
1361         int                             msg_type;
1362         bool                            put_net;
1363         struct nft_ctx                  ctx;
1364         char                            data[0];
1365 };
1366 
1367 struct nft_trans_rule {
1368         struct nft_rule                 *rule;
1369         struct nft_flow_rule            *flow;
1370         u32                             rule_id;
1371 };
1372 
1373 #define nft_trans_rule(trans)   \
1374         (((struct nft_trans_rule *)trans->data)->rule)
1375 #define nft_trans_flow_rule(trans)      \
1376         (((struct nft_trans_rule *)trans->data)->flow)
1377 #define nft_trans_rule_id(trans)        \
1378         (((struct nft_trans_rule *)trans->data)->rule_id)
1379 
1380 struct nft_trans_set {
1381         struct nft_set                  *set;
1382         u32                             set_id;
1383         bool                            bound;
1384 };
1385 
1386 #define nft_trans_set(trans)    \
1387         (((struct nft_trans_set *)trans->data)->set)
1388 #define nft_trans_set_id(trans) \
1389         (((struct nft_trans_set *)trans->data)->set_id)
1390 #define nft_trans_set_bound(trans)      \
1391         (((struct nft_trans_set *)trans->data)->bound)
1392 
1393 struct nft_trans_chain {
1394         bool                            update;
1395         char                            *name;
1396         struct nft_stats __percpu       *stats;
1397         u8                              policy;
1398 };
1399 
1400 #define nft_trans_chain_update(trans)   \
1401         (((struct nft_trans_chain *)trans->data)->update)
1402 #define nft_trans_chain_name(trans)     \
1403         (((struct nft_trans_chain *)trans->data)->name)
1404 #define nft_trans_chain_stats(trans)    \
1405         (((struct nft_trans_chain *)trans->data)->stats)
1406 #define nft_trans_chain_policy(trans)   \
1407         (((struct nft_trans_chain *)trans->data)->policy)
1408 
1409 struct nft_trans_table {
1410         bool                            update;
1411         bool                            enable;
1412 };
1413 
1414 #define nft_trans_table_update(trans)   \
1415         (((struct nft_trans_table *)trans->data)->update)
1416 #define nft_trans_table_enable(trans)   \
1417         (((struct nft_trans_table *)trans->data)->enable)
1418 
1419 struct nft_trans_elem {
1420         struct nft_set                  *set;
1421         struct nft_set_elem             elem;
1422         bool                            bound;
1423 };
1424 
1425 #define nft_trans_elem_set(trans)       \
1426         (((struct nft_trans_elem *)trans->data)->set)
1427 #define nft_trans_elem(trans)   \
1428         (((struct nft_trans_elem *)trans->data)->elem)
1429 #define nft_trans_elem_set_bound(trans) \
1430         (((struct nft_trans_elem *)trans->data)->bound)
1431 
1432 struct nft_trans_obj {
1433         struct nft_object               *obj;
1434         struct nft_object               *newobj;
1435         bool                            update;
1436 };
1437 
1438 #define nft_trans_obj(trans)    \
1439         (((struct nft_trans_obj *)trans->data)->obj)
1440 #define nft_trans_obj_newobj(trans) \
1441         (((struct nft_trans_obj *)trans->data)->newobj)
1442 #define nft_trans_obj_update(trans)     \
1443         (((struct nft_trans_obj *)trans->data)->update)
1444 
1445 struct nft_trans_flowtable {
1446         struct nft_flowtable            *flowtable;
1447 };
1448 
1449 #define nft_trans_flowtable(trans)      \
1450         (((struct nft_trans_flowtable *)trans->data)->flowtable)
1451 
1452 int __init nft_chain_filter_init(void);
1453 void nft_chain_filter_fini(void);
1454 
1455 void __init nft_chain_route_init(void);
1456 void nft_chain_route_fini(void);
1457 #endif /* _NET_NF_TABLES_H */
/* [<][>][^][v][top][bottom][index][help] */