LXR linux/include/net/netfilter/nf

   1#ifndef _NET_NF_TABLES_H
   2#define _NET_NF_TABLES_H
   3
   4#include <linux/list.h>
   5#include <linux/netfilter.h>
   6#include <linux/netfilter/nfnetlink.h>
   7#include <linux/netfilter/x_tables.h>
   8#include <linux/netfilter/nf_tables.h>
   9#include <linux/u64_stats_sync.h>
  10#include <net/netlink.h>
  11
  12#define NFT_JUMP_STACK_SIZE     16
  13
  14struct nft_pktinfo {
  15        struct sk_buff                  *skb;
  16        const struct net_device         *in;
  17        const struct net_device         *out;
  18        const struct nf_hook_ops        *ops;
  19        u8                              nhoff;
  20        u8                              thoff;
  21        u8                              tprot;
  22        /* for x_tables compatibility */
  23        struct xt_action_param          xt;
  24};
  25
  26static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  27                                   const struct nf_hook_ops *ops,
  28                                   struct sk_buff *skb,
  29                                   const struct net_device *in,
  30                                   const struct net_device *out)
  31{
  32        pkt->skb = skb;
  33        pkt->in = pkt->xt.in = in;
  34        pkt->out = pkt->xt.out = out;
  35        pkt->ops = ops;
  36        pkt->xt.hooknum = ops->hooknum;
  37        pkt->xt.family = ops->pf;
  38}
  39
  40struct nft_data {
  41        union {
  42                u32                             data[4];
  43                struct {
  44                        u32                     verdict;
  45                        struct nft_chain        *chain;
  46                };
  47        };
  48} __attribute__((aligned(__alignof__(u64))));
  49
  50static inline int nft_data_cmp(const struct nft_data *d1,
  51                               const struct nft_data *d2,
  52                               unsigned int len)
  53{
  54        return memcmp(d1->data, d2->data, len);
  55}
  56
  57static inline void nft_data_copy(struct nft_data *dst,
  58                                 const struct nft_data *src)
  59{
  60        BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64));
  61        *(u64 *)&dst->data[0] = *(u64 *)&src->data[0];
  62        *(u64 *)&dst->data[2] = *(u64 *)&src->data[2];
  63}
  64
  65static inline void nft_data_debug(const struct nft_data *data)
  66{
  67        pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
  68                 data->data[0], data->data[1],
  69                 data->data[2], data->data[3]);
  70}
  71
  72/**
  73 *      struct nft_ctx - nf_tables rule/set context
  74 *
  75 *      @net: net namespace
  76 *      @afi: address family info
  77 *      @table: the table the chain is contained in
  78 *      @chain: the chain the rule is contained in
  79 *      @nla: netlink attributes
  80 *      @portid: netlink portID of the original message
  81 *      @seq: netlink sequence number
  82 *      @report: notify via unicast netlink message
  83 */
  84struct nft_ctx {
  85        struct net                      *net;
  86        struct nft_af_info              *afi;
  87        struct nft_table                *table;
  88        struct nft_chain                *chain;
  89        const struct nlattr * const     *nla;
  90        u32                             portid;
  91        u32                             seq;
  92        bool                            report;
  93};
  94
  95struct nft_data_desc {
  96        enum nft_data_types             type;
  97        unsigned int                    len;
  98};
  99
 100int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
 101                  struct nft_data_desc *desc, const struct nlattr *nla);
 102void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
 103int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 104                  enum nft_data_types type, unsigned int len);
 105
 106static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 107{
 108        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 109}
 110
 111static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 112{
 113        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1;
 114}
 115
 116int nft_validate_input_register(enum nft_registers reg);
 117int nft_validate_output_register(enum nft_registers reg);
 118int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
 119                           const struct nft_data *data,
 120                           enum nft_data_types type);
 121
 122/**
 123 *      struct nft_set_elem - generic representation of set elements
 124 *
 125 *      @cookie: implementation specific element cookie
 126 *      @key: element key
 127 *      @data: element data (maps only)
 128 *      @flags: element flags (end of interval)
 129 *
 130 *      The cookie can be used to store a handle to the element for subsequent
 131 *      removal.
 132 */
 133struct nft_set_elem {
 134        void                    *cookie;
 135        struct nft_data         key;
 136        struct nft_data         data;
 137        u32                     flags;
 138};
 139
 140struct nft_set;
 141struct nft_set_iter {
 142        unsigned int    count;
 143        unsigned int    skip;
 144        int             err;
 145        int             (*fn)(const struct nft_ctx *ctx,
 146                              const struct nft_set *set,
 147                              const struct nft_set_iter *iter,
 148                              const struct nft_set_elem *elem);
 149};
 150
 151/**
 152 *      struct nft_set_desc - description of set elements
 153 *
 154 *      @klen: key length
 155 *      @dlen: data length
 156 *      @size: number of set elements
 157 */
 158struct nft_set_desc {
 159        unsigned int            klen;
 160        unsigned int            dlen;
 161        unsigned int            size;
 162};
 163
 164/**
 165 *      enum nft_set_class - performance class
 166 *
 167 *      @NFT_LOOKUP_O_1: constant, O(1)
 168 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 169 *      @NFT_LOOKUP_O_N: linear, O(N)
 170 */
 171enum nft_set_class {
 172        NFT_SET_CLASS_O_1,
 173        NFT_SET_CLASS_O_LOG_N,
 174        NFT_SET_CLASS_O_N,
 175};
 176
 177/**
 178 *      struct nft_set_estimate - estimation of memory and performance
 179 *                                characteristics
 180 *
 181 *      @size: required memory
 182 *      @class: lookup performance class
 183 */
 184struct nft_set_estimate {
 185        unsigned int            size;
 186        enum nft_set_class      class;
 187};
 188
 189/**
 190 *      struct nft_set_ops - nf_tables set operations
 191 *
 192 *      @lookup: look up an element within the set
 193 *      @insert: insert new element into set
 194 *      @remove: remove element from set
 195 *      @walk: iterate over all set elemeennts
 196 *      @privsize: function to return size of set private data
 197 *      @init: initialize private data of new set instance
 198 *      @destroy: destroy private data of set instance
 199 *      @list: nf_tables_set_ops list node
 200 *      @owner: module reference
 201 *      @features: features supported by the implementation
 202 */
 203struct nft_set_ops {
 204        bool                            (*lookup)(const struct nft_set *set,
 205                                                  const struct nft_data *key,
 206                                                  struct nft_data *data);
 207        int                             (*get)(const struct nft_set *set,
 208                                               struct nft_set_elem *elem);
 209        int                             (*insert)(const struct nft_set *set,
 210                                                  const struct nft_set_elem *elem);
 211        void                            (*remove)(const struct nft_set *set,
 212                                                  const struct nft_set_elem *elem);
 213        void                            (*walk)(const struct nft_ctx *ctx,
 214                                                const struct nft_set *set,
 215                                                struct nft_set_iter *iter);
 216
 217        unsigned int                    (*privsize)(const struct nlattr * const nla[]);
 218        bool                            (*estimate)(const struct nft_set_desc *desc,
 219                                                    u32 features,
 220                                                    struct nft_set_estimate *est);
 221        int                             (*init)(const struct nft_set *set,
 222                                                const struct nft_set_desc *desc,
 223                                                const struct nlattr * const nla[]);
 224        void                            (*destroy)(const struct nft_set *set);
 225
 226        struct list_head                list;
 227        struct module                   *owner;
 228        u32                             features;
 229};
 230
 231int nft_register_set(struct nft_set_ops *ops);
 232void nft_unregister_set(struct nft_set_ops *ops);
 233
 234/**
 235 *      struct nft_set - nf_tables set instance
 236 *
 237 *      @list: table set list node
 238 *      @bindings: list of set bindings
 239 *      @name: name of the set
 240 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 241 *      @dtype: data type (verdict or numeric type defined by userspace)
 242 *      @size: maximum set size
 243 *      @nelems: number of elements
 244 *      @ops: set ops
 245 *      @flags: set flags
 246 *      @klen: key length
 247 *      @dlen: data length
 248 *      @data: private set data
 249 */
 250struct nft_set {
 251        struct list_head                list;
 252        struct list_head                bindings;
 253        char                            name[IFNAMSIZ];
 254        u32                             ktype;
 255        u32                             dtype;
 256        u32                             size;
 257        u32                             nelems;
 258        /* runtime data below here */
 259        const struct nft_set_ops        *ops ____cacheline_aligned;
 260        u16                             flags;
 261        u8                              klen;
 262        u8                              dlen;
 263        unsigned char                   data[]
 264                __attribute__((aligned(__alignof__(u64))));
 265};
 266
 267static inline void *nft_set_priv(const struct nft_set *set)
 268{
 269        return (void *)set->data;
 270}
 271
 272struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
 273                                     const struct nlattr *nla);
 274struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
 275                                          const struct nlattr *nla);
 276
 277/**
 278 *      struct nft_set_binding - nf_tables set binding
 279 *
 280 *      @list: set bindings list node
 281 *      @chain: chain containing the rule bound to the set
 282 *
 283 *      A set binding contains all information necessary for validation
 284 *      of new elements added to a bound set.
 285 */
 286struct nft_set_binding {
 287        struct list_head                list;
 288        const struct nft_chain          *chain;
 289};
 290
 291int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 292                       struct nft_set_binding *binding);
 293void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 294                          struct nft_set_binding *binding);
 295
 296
 297/**
 298 *      struct nft_expr_type - nf_tables expression type
 299 *
 300 *      @select_ops: function to select nft_expr_ops
 301 *      @ops: default ops, used when no select_ops functions is present
 302 *      @list: used internally
 303 *      @name: Identifier
 304 *      @owner: module reference
 305 *      @policy: netlink attribute policy
 306 *      @maxattr: highest netlink attribute number
 307 *      @family: address family for AF-specific types
 308 */
 309struct nft_expr_type {
 310        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 311                                                       const struct nlattr * const tb[]);
 312        const struct nft_expr_ops       *ops;
 313        struct list_head                list;
 314        const char                      *name;
 315        struct module                   *owner;
 316        const struct nla_policy         *policy;
 317        unsigned int                    maxattr;
 318        u8                              family;
 319};
 320
 321/**
 322 *      struct nft_expr_ops - nf_tables expression operations
 323 *
 324 *      @eval: Expression evaluation function
 325 *      @size: full expression size, including private data size
 326 *      @init: initialization function
 327 *      @destroy: destruction function
 328 *      @dump: function to dump parameters
 329 *      @type: expression type
 330 *      @validate: validate expression, called during loop detection
 331 *      @data: extra data to attach to this expression operation
 332 */
 333struct nft_expr;
 334struct nft_expr_ops {
 335        void                            (*eval)(const struct nft_expr *expr,
 336                                                struct nft_data data[NFT_REG_MAX + 1],
 337                                                const struct nft_pktinfo *pkt);
 338        unsigned int                    size;
 339
 340        int                             (*init)(const struct nft_ctx *ctx,
 341                                                const struct nft_expr *expr,
 342                                                const struct nlattr * const tb[]);
 343        void                            (*destroy)(const struct nft_ctx *ctx,
 344                                                   const struct nft_expr *expr);
 345        int                             (*dump)(struct sk_buff *skb,
 346                                                const struct nft_expr *expr);
 347        int                             (*validate)(const struct nft_ctx *ctx,
 348                                                    const struct nft_expr *expr,
 349                                                    const struct nft_data **data);
 350        const struct nft_expr_type      *type;
 351        void                            *data;
 352};
 353
 354#define NFT_EXPR_MAXATTR                16
 355#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 356                                         ALIGN(size, __alignof__(struct nft_expr)))
 357
 358/**
 359 *      struct nft_expr - nf_tables expression
 360 *
 361 *      @ops: expression ops
 362 *      @data: expression private data
 363 */
 364struct nft_expr {
 365        const struct nft_expr_ops       *ops;
 366        unsigned char                   data[];
 367};
 368
 369static inline void *nft_expr_priv(const struct nft_expr *expr)
 370{
 371        return (void *)expr->data;
 372}
 373
 374/**
 375 *      struct nft_rule - nf_tables rule
 376 *
 377 *      @list: used internally
 378 *      @handle: rule handle
 379 *      @genmask: generation mask
 380 *      @dlen: length of expression data
 381 *      @ulen: length of user data (used for comments)
 382 *      @data: expression data
 383 */
 384struct nft_rule {
 385        struct list_head                list;
 386        u64                             handle:42,
 387                                        genmask:2,
 388                                        dlen:12,
 389                                        ulen:8;
 390        unsigned char                   data[]
 391                __attribute__((aligned(__alignof__(struct nft_expr))));
 392};
 393
 394/**
 395 *      struct nft_trans - nf_tables object update in transaction
 396 *
 397 *      @rcu_head: rcu head to defer release of transaction data
 398 *      @list: used internally
 399 *      @msg_type: message type
 400 *      @ctx: transaction context
 401 *      @data: internal information related to the transaction
 402 */
 403struct nft_trans {
 404        struct rcu_head                 rcu_head;
 405        struct list_head                list;
 406        int                             msg_type;
 407        struct nft_ctx                  ctx;
 408        char                            data[0];
 409};
 410
 411struct nft_trans_rule {
 412        struct nft_rule                 *rule;
 413};
 414
 415#define nft_trans_rule(trans)   \
 416        (((struct nft_trans_rule *)trans->data)->rule)
 417
 418struct nft_trans_set {
 419        struct nft_set  *set;
 420        u32             set_id;
 421};
 422
 423#define nft_trans_set(trans)    \
 424        (((struct nft_trans_set *)trans->data)->set)
 425#define nft_trans_set_id(trans) \
 426        (((struct nft_trans_set *)trans->data)->set_id)
 427
 428struct nft_trans_chain {
 429        bool            update;
 430        char            name[NFT_CHAIN_MAXNAMELEN];
 431        struct nft_stats __percpu *stats;
 432        u8              policy;
 433};
 434
 435#define nft_trans_chain_update(trans)   \
 436        (((struct nft_trans_chain *)trans->data)->update)
 437#define nft_trans_chain_name(trans)     \
 438        (((struct nft_trans_chain *)trans->data)->name)
 439#define nft_trans_chain_stats(trans)    \
 440        (((struct nft_trans_chain *)trans->data)->stats)
 441#define nft_trans_chain_policy(trans)   \
 442        (((struct nft_trans_chain *)trans->data)->policy)
 443
 444struct nft_trans_table {
 445        bool            update;
 446        bool            enable;
 447};
 448
 449#define nft_trans_table_update(trans)   \
 450        (((struct nft_trans_table *)trans->data)->update)
 451#define nft_trans_table_enable(trans)   \
 452        (((struct nft_trans_table *)trans->data)->enable)
 453
 454struct nft_trans_elem {
 455        struct nft_set          *set;
 456        struct nft_set_elem     elem;
 457};
 458
 459#define nft_trans_elem_set(trans)       \
 460        (((struct nft_trans_elem *)trans->data)->set)
 461#define nft_trans_elem(trans)   \
 462        (((struct nft_trans_elem *)trans->data)->elem)
 463
 464static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 465{
 466        return (struct nft_expr *)&rule->data[0];
 467}
 468
 469static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 470{
 471        return ((void *)expr) + expr->ops->size;
 472}
 473
 474static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 475{
 476        return (struct nft_expr *)&rule->data[rule->dlen];
 477}
 478
 479static inline void *nft_userdata(const struct nft_rule *rule)
 480{
 481        return (void *)&rule->data[rule->dlen];
 482}
 483
 484/*
 485 * The last pointer isn't really necessary, but the compiler isn't able to
 486 * determine that the result of nft_expr_last() is always the same since it
 487 * can't assume that the dlen value wasn't changed within calls in the loop.
 488 */
 489#define nft_rule_for_each_expr(expr, last, rule) \
 490        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 491             (expr) != (last); \
 492             (expr) = nft_expr_next(expr))
 493
 494enum nft_chain_flags {
 495        NFT_BASE_CHAIN                  = 0x1,
 496        NFT_CHAIN_INACTIVE              = 0x2,
 497};
 498
 499/**
 500 *      struct nft_chain - nf_tables chain
 501 *
 502 *      @rules: list of rules in the chain
 503 *      @list: used internally
 504 *      @net: net namespace that this chain belongs to
 505 *      @table: table that this chain belongs to
 506 *      @handle: chain handle
 507 *      @use: number of jump references to this chain
 508 *      @level: length of longest path to this chain
 509 *      @flags: bitmask of enum nft_chain_flags
 510 *      @name: name of the chain
 511 */
 512struct nft_chain {
 513        struct list_head                rules;
 514        struct list_head                list;
 515        struct net                      *net;
 516        struct nft_table                *table;
 517        u64                             handle;
 518        u32                             use;
 519        u16                             level;
 520        u8                              flags;
 521        char                            name[NFT_CHAIN_MAXNAMELEN];
 522};
 523
 524enum nft_chain_type {
 525        NFT_CHAIN_T_DEFAULT = 0,
 526        NFT_CHAIN_T_ROUTE,
 527        NFT_CHAIN_T_NAT,
 528        NFT_CHAIN_T_MAX
 529};
 530
 531struct nft_stats {
 532        u64                     bytes;
 533        u64                     pkts;
 534        struct u64_stats_sync   syncp;
 535};
 536
 537#define NFT_HOOK_OPS_MAX                2
 538
 539/**
 540 *      struct nft_base_chain - nf_tables base chain
 541 *
 542 *      @ops: netfilter hook ops
 543 *      @type: chain type
 544 *      @policy: default policy
 545 *      @stats: per-cpu chain stats
 546 *      @chain: the chain
 547 */
 548struct nft_base_chain {
 549        struct nf_hook_ops              ops[NFT_HOOK_OPS_MAX];
 550        const struct nf_chain_type      *type;
 551        u8                              policy;
 552        struct nft_stats __percpu       *stats;
 553        struct nft_chain                chain;
 554};
 555
 556static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
 557{
 558        return container_of(chain, struct nft_base_chain, chain);
 559}
 560
 561unsigned int nft_do_chain(struct nft_pktinfo *pkt,
 562                          const struct nf_hook_ops *ops);
 563
 564/**
 565 *      struct nft_table - nf_tables table
 566 *
 567 *      @list: used internally
 568 *      @chains: chains in the table
 569 *      @sets: sets in the table
 570 *      @hgenerator: handle generator state
 571 *      @use: number of chain references to this table
 572 *      @flags: table flag (see enum nft_table_flags)
 573 *      @name: name of the table
 574 */
 575struct nft_table {
 576        struct list_head                list;
 577        struct list_head                chains;
 578        struct list_head                sets;
 579        u64                             hgenerator;
 580        u32                             use;
 581        u16                             flags;
 582        char                            name[];
 583};
 584
 585/**
 586 *      struct nft_af_info - nf_tables address family info
 587 *
 588 *      @list: used internally
 589 *      @family: address family
 590 *      @nhooks: number of hooks in this family
 591 *      @owner: module owner
 592 *      @tables: used internally
 593 *      @nops: number of hook ops in this family
 594 *      @hook_ops_init: initialization function for chain hook ops
 595 *      @hooks: hookfn overrides for packet validation
 596 */
 597struct nft_af_info {
 598        struct list_head                list;
 599        int                             family;
 600        unsigned int                    nhooks;
 601        struct module                   *owner;
 602        struct list_head                tables;
 603        unsigned int                    nops;
 604        void                            (*hook_ops_init)(struct nf_hook_ops *,
 605                                                         unsigned int);
 606        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 607};
 608
 609int nft_register_afinfo(struct net *, struct nft_af_info *);
 610void nft_unregister_afinfo(struct nft_af_info *);
 611
 612/**
 613 *      struct nf_chain_type - nf_tables chain type info
 614 *
 615 *      @name: name of the type
 616 *      @type: numeric identifier
 617 *      @family: address family
 618 *      @owner: module owner
 619 *      @hook_mask: mask of valid hooks
 620 *      @hooks: hookfn overrides
 621 */
 622struct nf_chain_type {
 623        const char                      *name;
 624        enum nft_chain_type             type;
 625        int                             family;
 626        struct module                   *owner;
 627        unsigned int                    hook_mask;
 628        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 629};
 630
 631int nft_register_chain_type(const struct nf_chain_type *);
 632void nft_unregister_chain_type(const struct nf_chain_type *);
 633
 634int nft_register_expr(struct nft_expr_type *);
 635void nft_unregister_expr(struct nft_expr_type *);
 636
 637#define nft_dereference(p)                                      \
 638        nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
 639
 640#define MODULE_ALIAS_NFT_FAMILY(family) \
 641        MODULE_ALIAS("nft-afinfo-" __stringify(family))
 642
 643#define MODULE_ALIAS_NFT_CHAIN(family, name) \
 644        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
 645
 646#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
 647        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
 648
 649#define MODULE_ALIAS_NFT_EXPR(name) \
 650        MODULE_ALIAS("nft-expr-" name)
 651
 652#define MODULE_ALIAS_NFT_SET() \
 653        MODULE_ALIAS("nft-set")
 654
 655#endif /* _NET_NF_TABLES_H */
 656