LXR linux/include/net/netfilter/nf

   1#ifndef _NET_NF_TABLES_H
   2#define _NET_NF_TABLES_H
   3
   4#include <linux/module.h>
   5#include <linux/list.h>
   6#include <linux/netfilter.h>
   7#include <linux/netfilter/nfnetlink.h>
   8#include <linux/netfilter/x_tables.h>
   9#include <linux/netfilter/nf_tables.h>
  10#include <linux/u64_stats_sync.h>
  11#include <net/netlink.h>
  12
  13#define NFT_JUMP_STACK_SIZE     16
  14
  15struct nft_pktinfo {
  16        struct sk_buff                  *skb;
  17        const struct net_device         *in;
  18        const struct net_device         *out;
  19        const struct nf_hook_ops        *ops;
  20        u8                              nhoff;
  21        u8                              thoff;
  22        u8                              tprot;
  23        /* for x_tables compatibility */
  24        struct xt_action_param          xt;
  25};
  26
  27static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  28                                   const struct nf_hook_ops *ops,
  29                                   struct sk_buff *skb,
  30                                   const struct nf_hook_state *state)
  31{
  32        pkt->skb = skb;
  33        pkt->in = pkt->xt.in = state->in;
  34        pkt->out = pkt->xt.out = state->out;
  35        pkt->ops = ops;
  36        pkt->xt.hooknum = ops->hooknum;
  37        pkt->xt.family = ops->pf;
  38}
  39
  40/**
  41 *      struct nft_verdict - nf_tables verdict
  42 *
  43 *      @code: nf_tables/netfilter verdict code
  44 *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  45 */
  46struct nft_verdict {
  47        u32                             code;
  48        struct nft_chain                *chain;
  49};
  50
  51struct nft_data {
  52        union {
  53                u32                     data[4];
  54                struct nft_verdict      verdict;
  55        };
  56} __attribute__((aligned(__alignof__(u64))));
  57
  58/**
  59 *      struct nft_regs - nf_tables register set
  60 *
  61 *      @data: data registers
  62 *      @verdict: verdict register
  63 *
  64 *      The first four data registers alias to the verdict register.
  65 */
  66struct nft_regs {
  67        union {
  68                u32                     data[20];
  69                struct nft_verdict      verdict;
  70        };
  71};
  72
  73static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
  74                                 unsigned int len)
  75{
  76        memcpy(dst, src, len);
  77}
  78
  79static inline void nft_data_debug(const struct nft_data *data)
  80{
  81        pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
  82                 data->data[0], data->data[1],
  83                 data->data[2], data->data[3]);
  84}
  85
  86/**
  87 *      struct nft_ctx - nf_tables rule/set context
  88 *
  89 *      @net: net namespace
  90 *      @afi: address family info
  91 *      @table: the table the chain is contained in
  92 *      @chain: the chain the rule is contained in
  93 *      @nla: netlink attributes
  94 *      @portid: netlink portID of the original message
  95 *      @seq: netlink sequence number
  96 *      @report: notify via unicast netlink message
  97 */
  98struct nft_ctx {
  99        struct net                      *net;
 100        struct nft_af_info              *afi;
 101        struct nft_table                *table;
 102        struct nft_chain                *chain;
 103        const struct nlattr * const     *nla;
 104        u32                             portid;
 105        u32                             seq;
 106        bool                            report;
 107};
 108
 109struct nft_data_desc {
 110        enum nft_data_types             type;
 111        unsigned int                    len;
 112};
 113
 114int nft_data_init(const struct nft_ctx *ctx,
 115                  struct nft_data *data, unsigned int size,
 116                  struct nft_data_desc *desc, const struct nlattr *nla);
 117void nft_data_uninit(const struct nft_data *data, enum nft_data_types type);
 118int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 119                  enum nft_data_types type, unsigned int len);
 120
 121static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 122{
 123        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 124}
 125
 126static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 127{
 128        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 129}
 130
 131unsigned int nft_parse_register(const struct nlattr *attr);
 132int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 133
 134int nft_validate_register_load(enum nft_registers reg, unsigned int len);
 135int nft_validate_register_store(const struct nft_ctx *ctx,
 136                                enum nft_registers reg,
 137                                const struct nft_data *data,
 138                                enum nft_data_types type, unsigned int len);
 139
 140/**
 141 *      struct nft_userdata - user defined data associated with an object
 142 *
 143 *      @len: length of the data
 144 *      @data: content
 145 *
 146 *      The presence of user data is indicated in an object specific fashion,
 147 *      so a length of zero can't occur and the value "len" indicates data
 148 *      of length len + 1.
 149 */
 150struct nft_userdata {
 151        u8                      len;
 152        unsigned char           data[0];
 153};
 154
 155/**
 156 *      struct nft_set_elem - generic representation of set elements
 157 *
 158 *      @key: element key
 159 *      @priv: element private data and extensions
 160 */
 161struct nft_set_elem {
 162        union {
 163                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 164                struct nft_data val;
 165        } key;
 166        void                    *priv;
 167};
 168
 169struct nft_set;
 170struct nft_set_iter {
 171        unsigned int    count;
 172        unsigned int    skip;
 173        int             err;
 174        int             (*fn)(const struct nft_ctx *ctx,
 175                              const struct nft_set *set,
 176                              const struct nft_set_iter *iter,
 177                              const struct nft_set_elem *elem);
 178};
 179
 180/**
 181 *      struct nft_set_desc - description of set elements
 182 *
 183 *      @klen: key length
 184 *      @dlen: data length
 185 *      @size: number of set elements
 186 */
 187struct nft_set_desc {
 188        unsigned int            klen;
 189        unsigned int            dlen;
 190        unsigned int            size;
 191};
 192
 193/**
 194 *      enum nft_set_class - performance class
 195 *
 196 *      @NFT_LOOKUP_O_1: constant, O(1)
 197 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 198 *      @NFT_LOOKUP_O_N: linear, O(N)
 199 */
 200enum nft_set_class {
 201        NFT_SET_CLASS_O_1,
 202        NFT_SET_CLASS_O_LOG_N,
 203        NFT_SET_CLASS_O_N,
 204};
 205
 206/**
 207 *      struct nft_set_estimate - estimation of memory and performance
 208 *                                characteristics
 209 *
 210 *      @size: required memory
 211 *      @class: lookup performance class
 212 */
 213struct nft_set_estimate {
 214        unsigned int            size;
 215        enum nft_set_class      class;
 216};
 217
 218struct nft_set_ext;
 219struct nft_expr;
 220
 221/**
 222 *      struct nft_set_ops - nf_tables set operations
 223 *
 224 *      @lookup: look up an element within the set
 225 *      @insert: insert new element into set
 226 *      @activate: activate new element in the next generation
 227 *      @deactivate: deactivate element in the next generation
 228 *      @remove: remove element from set
 229 *      @walk: iterate over all set elemeennts
 230 *      @privsize: function to return size of set private data
 231 *      @init: initialize private data of new set instance
 232 *      @destroy: destroy private data of set instance
 233 *      @list: nf_tables_set_ops list node
 234 *      @owner: module reference
 235 *      @elemsize: element private size
 236 *      @features: features supported by the implementation
 237 */
 238struct nft_set_ops {
 239        bool                            (*lookup)(const struct nft_set *set,
 240                                                  const u32 *key,
 241                                                  const struct nft_set_ext **ext);
 242        bool                            (*update)(struct nft_set *set,
 243                                                  const u32 *key,
 244                                                  void *(*new)(struct nft_set *,
 245                                                               const struct nft_expr *,
 246                                                               struct nft_regs *),
 247                                                  const struct nft_expr *expr,
 248                                                  struct nft_regs *regs,
 249                                                  const struct nft_set_ext **ext);
 250
 251        int                             (*insert)(const struct nft_set *set,
 252                                                  const struct nft_set_elem *elem);
 253        void                            (*activate)(const struct nft_set *set,
 254                                                    const struct nft_set_elem *elem);
 255        void *                          (*deactivate)(const struct nft_set *set,
 256                                                      const struct nft_set_elem *elem);
 257        void                            (*remove)(const struct nft_set *set,
 258                                                  const struct nft_set_elem *elem);
 259        void                            (*walk)(const struct nft_ctx *ctx,
 260                                                const struct nft_set *set,
 261                                                struct nft_set_iter *iter);
 262
 263        unsigned int                    (*privsize)(const struct nlattr * const nla[]);
 264        bool                            (*estimate)(const struct nft_set_desc *desc,
 265                                                    u32 features,
 266                                                    struct nft_set_estimate *est);
 267        int                             (*init)(const struct nft_set *set,
 268                                                const struct nft_set_desc *desc,
 269                                                const struct nlattr * const nla[]);
 270        void                            (*destroy)(const struct nft_set *set);
 271
 272        struct list_head                list;
 273        struct module                   *owner;
 274        unsigned int                    elemsize;
 275        u32                             features;
 276};
 277
 278int nft_register_set(struct nft_set_ops *ops);
 279void nft_unregister_set(struct nft_set_ops *ops);
 280
 281/**
 282 *      struct nft_set - nf_tables set instance
 283 *
 284 *      @list: table set list node
 285 *      @bindings: list of set bindings
 286 *      @name: name of the set
 287 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 288 *      @dtype: data type (verdict or numeric type defined by userspace)
 289 *      @size: maximum set size
 290 *      @nelems: number of elements
 291 *      @ndeact: number of deactivated elements queued for removal
 292 *      @timeout: default timeout value in msecs
 293 *      @gc_int: garbage collection interval in msecs
 294 *      @policy: set parameterization (see enum nft_set_policies)
 295 *      @ops: set ops
 296 *      @pnet: network namespace
 297 *      @flags: set flags
 298 *      @klen: key length
 299 *      @dlen: data length
 300 *      @data: private set data
 301 */
 302struct nft_set {
 303        struct list_head                list;
 304        struct list_head                bindings;
 305        char                            name[IFNAMSIZ];
 306        u32                             ktype;
 307        u32                             dtype;
 308        u32                             size;
 309        atomic_t                        nelems;
 310        u32                             ndeact;
 311        u64                             timeout;
 312        u32                             gc_int;
 313        u16                             policy;
 314        /* runtime data below here */
 315        const struct nft_set_ops        *ops ____cacheline_aligned;
 316        possible_net_t                  pnet;
 317        u16                             flags;
 318        u8                              klen;
 319        u8                              dlen;
 320        unsigned char                   data[]
 321                __attribute__((aligned(__alignof__(u64))));
 322};
 323
 324static inline void *nft_set_priv(const struct nft_set *set)
 325{
 326        return (void *)set->data;
 327}
 328
 329static inline struct nft_set *nft_set_container_of(const void *priv)
 330{
 331        return (void *)priv - offsetof(struct nft_set, data);
 332}
 333
 334struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
 335                                     const struct nlattr *nla);
 336struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
 337                                          const struct nlattr *nla);
 338
 339static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 340{
 341        return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 342}
 343
 344/**
 345 *      struct nft_set_binding - nf_tables set binding
 346 *
 347 *      @list: set bindings list node
 348 *      @chain: chain containing the rule bound to the set
 349 *      @flags: set action flags
 350 *
 351 *      A set binding contains all information necessary for validation
 352 *      of new elements added to a bound set.
 353 */
 354struct nft_set_binding {
 355        struct list_head                list;
 356        const struct nft_chain          *chain;
 357        u32                             flags;
 358};
 359
 360int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 361                       struct nft_set_binding *binding);
 362void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 363                          struct nft_set_binding *binding);
 364
 365/**
 366 *      enum nft_set_extensions - set extension type IDs
 367 *
 368 *      @NFT_SET_EXT_KEY: element key
 369 *      @NFT_SET_EXT_DATA: mapping data
 370 *      @NFT_SET_EXT_FLAGS: element flags
 371 *      @NFT_SET_EXT_TIMEOUT: element timeout
 372 *      @NFT_SET_EXT_EXPIRATION: element expiration time
 373 *      @NFT_SET_EXT_USERDATA: user data associated with the element
 374 *      @NFT_SET_EXT_EXPR: expression assiociated with the element
 375 *      @NFT_SET_EXT_NUM: number of extension types
 376 */
 377enum nft_set_extensions {
 378        NFT_SET_EXT_KEY,
 379        NFT_SET_EXT_DATA,
 380        NFT_SET_EXT_FLAGS,
 381        NFT_SET_EXT_TIMEOUT,
 382        NFT_SET_EXT_EXPIRATION,
 383        NFT_SET_EXT_USERDATA,
 384        NFT_SET_EXT_EXPR,
 385        NFT_SET_EXT_NUM
 386};
 387
 388/**
 389 *      struct nft_set_ext_type - set extension type
 390 *
 391 *      @len: fixed part length of the extension
 392 *      @align: alignment requirements of the extension
 393 */
 394struct nft_set_ext_type {
 395        u8      len;
 396        u8      align;
 397};
 398
 399extern const struct nft_set_ext_type nft_set_ext_types[];
 400
 401/**
 402 *      struct nft_set_ext_tmpl - set extension template
 403 *
 404 *      @len: length of extension area
 405 *      @offset: offsets of individual extension types
 406 */
 407struct nft_set_ext_tmpl {
 408        u16     len;
 409        u8      offset[NFT_SET_EXT_NUM];
 410};
 411
 412/**
 413 *      struct nft_set_ext - set extensions
 414 *
 415 *      @genmask: generation mask
 416 *      @offset: offsets of individual extension types
 417 *      @data: beginning of extension data
 418 */
 419struct nft_set_ext {
 420        u8      genmask;
 421        u8      offset[NFT_SET_EXT_NUM];
 422        char    data[0];
 423};
 424
 425static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 426{
 427        memset(tmpl, 0, sizeof(*tmpl));
 428        tmpl->len = sizeof(struct nft_set_ext);
 429}
 430
 431static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 432                                          unsigned int len)
 433{
 434        tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 435        BUG_ON(tmpl->len > U8_MAX);
 436        tmpl->offset[id] = tmpl->len;
 437        tmpl->len       += nft_set_ext_types[id].len + len;
 438}
 439
 440static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 441{
 442        nft_set_ext_add_length(tmpl, id, 0);
 443}
 444
 445static inline void nft_set_ext_init(struct nft_set_ext *ext,
 446                                    const struct nft_set_ext_tmpl *tmpl)
 447{
 448        memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 449}
 450
 451static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 452{
 453        return !!ext->offset[id];
 454}
 455
 456static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 457{
 458        return ext && __nft_set_ext_exists(ext, id);
 459}
 460
 461static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 462{
 463        return (void *)ext + ext->offset[id];
 464}
 465
 466static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 467{
 468        return nft_set_ext(ext, NFT_SET_EXT_KEY);
 469}
 470
 471static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 472{
 473        return nft_set_ext(ext, NFT_SET_EXT_DATA);
 474}
 475
 476static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 477{
 478        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 479}
 480
 481static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 482{
 483        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 484}
 485
 486static inline unsigned long *nft_set_ext_expiration(const struct nft_set_ext *ext)
 487{
 488        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 489}
 490
 491static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 492{
 493        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 494}
 495
 496static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 497{
 498        return nft_set_ext(ext, NFT_SET_EXT_EXPR);
 499}
 500
 501static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 502{
 503        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 504               time_is_before_eq_jiffies(*nft_set_ext_expiration(ext));
 505}
 506
 507static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 508                                                   void *elem)
 509{
 510        return elem + set->ops->elemsize;
 511}
 512
 513void *nft_set_elem_init(const struct nft_set *set,
 514                        const struct nft_set_ext_tmpl *tmpl,
 515                        const u32 *key, const u32 *data,
 516                        u64 timeout, gfp_t gfp);
 517void nft_set_elem_destroy(const struct nft_set *set, void *elem);
 518
 519/**
 520 *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 521 *
 522 *      @rcu: rcu head
 523 *      @set: set the elements belong to
 524 *      @cnt: count of elements
 525 */
 526struct nft_set_gc_batch_head {
 527        struct rcu_head                 rcu;
 528        const struct nft_set            *set;
 529        unsigned int                    cnt;
 530};
 531
 532#define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 533                                  sizeof(struct nft_set_gc_batch_head)) / \
 534                                 sizeof(void *))
 535
 536/**
 537 *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 538 *
 539 *      @head: GC batch head
 540 *      @elems: garbage collection elements
 541 */
 542struct nft_set_gc_batch {
 543        struct nft_set_gc_batch_head    head;
 544        void                            *elems[NFT_SET_GC_BATCH_SIZE];
 545};
 546
 547struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 548                                                gfp_t gfp);
 549void nft_set_gc_batch_release(struct rcu_head *rcu);
 550
 551static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 552{
 553        if (gcb != NULL)
 554                call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 555}
 556
 557static inline struct nft_set_gc_batch *
 558nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 559                       gfp_t gfp)
 560{
 561        if (gcb != NULL) {
 562                if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 563                        return gcb;
 564                nft_set_gc_batch_complete(gcb);
 565        }
 566        return nft_set_gc_batch_alloc(set, gfp);
 567}
 568
 569static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 570                                        void *elem)
 571{
 572        gcb->elems[gcb->head.cnt++] = elem;
 573}
 574
 575/**
 576 *      struct nft_expr_type - nf_tables expression type
 577 *
 578 *      @select_ops: function to select nft_expr_ops
 579 *      @ops: default ops, used when no select_ops functions is present
 580 *      @list: used internally
 581 *      @name: Identifier
 582 *      @owner: module reference
 583 *      @policy: netlink attribute policy
 584 *      @maxattr: highest netlink attribute number
 585 *      @family: address family for AF-specific types
 586 *      @flags: expression type flags
 587 */
 588struct nft_expr_type {
 589        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 590                                                       const struct nlattr * const tb[]);
 591        const struct nft_expr_ops       *ops;
 592        struct list_head                list;
 593        const char                      *name;
 594        struct module                   *owner;
 595        const struct nla_policy         *policy;
 596        unsigned int                    maxattr;
 597        u8                              family;
 598        u8                              flags;
 599};
 600
 601#define NFT_EXPR_STATEFUL               0x1
 602
 603/**
 604 *      struct nft_expr_ops - nf_tables expression operations
 605 *
 606 *      @eval: Expression evaluation function
 607 *      @size: full expression size, including private data size
 608 *      @init: initialization function
 609 *      @destroy: destruction function
 610 *      @dump: function to dump parameters
 611 *      @type: expression type
 612 *      @validate: validate expression, called during loop detection
 613 *      @data: extra data to attach to this expression operation
 614 */
 615struct nft_expr;
 616struct nft_expr_ops {
 617        void                            (*eval)(const struct nft_expr *expr,
 618                                                struct nft_regs *regs,
 619                                                const struct nft_pktinfo *pkt);
 620        unsigned int                    size;
 621
 622        int                             (*init)(const struct nft_ctx *ctx,
 623                                                const struct nft_expr *expr,
 624                                                const struct nlattr * const tb[]);
 625        void                            (*destroy)(const struct nft_ctx *ctx,
 626                                                   const struct nft_expr *expr);
 627        int                             (*dump)(struct sk_buff *skb,
 628                                                const struct nft_expr *expr);
 629        int                             (*validate)(const struct nft_ctx *ctx,
 630                                                    const struct nft_expr *expr,
 631                                                    const struct nft_data **data);
 632        const struct nft_expr_type      *type;
 633        void                            *data;
 634};
 635
 636#define NFT_EXPR_MAXATTR                16
 637#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 638                                         ALIGN(size, __alignof__(struct nft_expr)))
 639
 640/**
 641 *      struct nft_expr - nf_tables expression
 642 *
 643 *      @ops: expression ops
 644 *      @data: expression private data
 645 */
 646struct nft_expr {
 647        const struct nft_expr_ops       *ops;
 648        unsigned char                   data[];
 649};
 650
 651static inline void *nft_expr_priv(const struct nft_expr *expr)
 652{
 653        return (void *)expr->data;
 654}
 655
 656struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
 657                               const struct nlattr *nla);
 658void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 659int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 660                  const struct nft_expr *expr);
 661
 662static inline void nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
 663{
 664        __module_get(src->ops->type->owner);
 665        memcpy(dst, src, src->ops->size);
 666}
 667
 668/**
 669 *      struct nft_rule - nf_tables rule
 670 *
 671 *      @list: used internally
 672 *      @handle: rule handle
 673 *      @genmask: generation mask
 674 *      @dlen: length of expression data
 675 *      @udata: user data is appended to the rule
 676 *      @data: expression data
 677 */
 678struct nft_rule {
 679        struct list_head                list;
 680        u64                             handle:42,
 681                                        genmask:2,
 682                                        dlen:12,
 683                                        udata:1;
 684        unsigned char                   data[]
 685                __attribute__((aligned(__alignof__(struct nft_expr))));
 686};
 687
 688static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 689{
 690        return (struct nft_expr *)&rule->data[0];
 691}
 692
 693static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 694{
 695        return ((void *)expr) + expr->ops->size;
 696}
 697
 698static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 699{
 700        return (struct nft_expr *)&rule->data[rule->dlen];
 701}
 702
 703static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 704{
 705        return (void *)&rule->data[rule->dlen];
 706}
 707
 708/*
 709 * The last pointer isn't really necessary, but the compiler isn't able to
 710 * determine that the result of nft_expr_last() is always the same since it
 711 * can't assume that the dlen value wasn't changed within calls in the loop.
 712 */
 713#define nft_rule_for_each_expr(expr, last, rule) \
 714        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 715             (expr) != (last); \
 716             (expr) = nft_expr_next(expr))
 717
 718enum nft_chain_flags {
 719        NFT_BASE_CHAIN                  = 0x1,
 720        NFT_CHAIN_INACTIVE              = 0x2,
 721};
 722
 723/**
 724 *      struct nft_chain - nf_tables chain
 725 *
 726 *      @rules: list of rules in the chain
 727 *      @list: used internally
 728 *      @table: table that this chain belongs to
 729 *      @handle: chain handle
 730 *      @use: number of jump references to this chain
 731 *      @level: length of longest path to this chain
 732 *      @flags: bitmask of enum nft_chain_flags
 733 *      @name: name of the chain
 734 */
 735struct nft_chain {
 736        struct list_head                rules;
 737        struct list_head                list;
 738        struct nft_table                *table;
 739        u64                             handle;
 740        u32                             use;
 741        u16                             level;
 742        u8                              flags;
 743        char                            name[NFT_CHAIN_MAXNAMELEN];
 744};
 745
 746enum nft_chain_type {
 747        NFT_CHAIN_T_DEFAULT = 0,
 748        NFT_CHAIN_T_ROUTE,
 749        NFT_CHAIN_T_NAT,
 750        NFT_CHAIN_T_MAX
 751};
 752
 753/**
 754 *      struct nf_chain_type - nf_tables chain type info
 755 *
 756 *      @name: name of the type
 757 *      @type: numeric identifier
 758 *      @family: address family
 759 *      @owner: module owner
 760 *      @hook_mask: mask of valid hooks
 761 *      @hooks: hookfn overrides
 762 */
 763struct nf_chain_type {
 764        const char                      *name;
 765        enum nft_chain_type             type;
 766        int                             family;
 767        struct module                   *owner;
 768        unsigned int                    hook_mask;
 769        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 770};
 771
 772int nft_chain_validate_dependency(const struct nft_chain *chain,
 773                                  enum nft_chain_type type);
 774int nft_chain_validate_hooks(const struct nft_chain *chain,
 775                             unsigned int hook_flags);
 776
 777struct nft_stats {
 778        u64                     bytes;
 779        u64                     pkts;
 780        struct u64_stats_sync   syncp;
 781};
 782
 783#define NFT_HOOK_OPS_MAX                2
 784#define NFT_BASECHAIN_DISABLED          (1 << 0)
 785
 786/**
 787 *      struct nft_base_chain - nf_tables base chain
 788 *
 789 *      @ops: netfilter hook ops
 790 *      @pnet: net namespace that this chain belongs to
 791 *      @type: chain type
 792 *      @policy: default policy
 793 *      @stats: per-cpu chain stats
 794 *      @chain: the chain
 795 *      @dev_name: device name that this base chain is attached to (if any)
 796 */
 797struct nft_base_chain {
 798        struct nf_hook_ops              ops[NFT_HOOK_OPS_MAX];
 799        possible_net_t                  pnet;
 800        const struct nf_chain_type      *type;
 801        u8                              policy;
 802        u8                              flags;
 803        struct nft_stats __percpu       *stats;
 804        struct nft_chain                chain;
 805        char                            dev_name[IFNAMSIZ];
 806};
 807
 808static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
 809{
 810        return container_of(chain, struct nft_base_chain, chain);
 811}
 812
 813int nft_register_basechain(struct nft_base_chain *basechain,
 814                           unsigned int hook_nops);
 815void nft_unregister_basechain(struct nft_base_chain *basechain,
 816                              unsigned int hook_nops);
 817
 818unsigned int nft_do_chain(struct nft_pktinfo *pkt,
 819                          const struct nf_hook_ops *ops);
 820
 821/**
 822 *      struct nft_table - nf_tables table
 823 *
 824 *      @list: used internally
 825 *      @chains: chains in the table
 826 *      @sets: sets in the table
 827 *      @hgenerator: handle generator state
 828 *      @use: number of chain references to this table
 829 *      @flags: table flag (see enum nft_table_flags)
 830 *      @name: name of the table
 831 */
 832struct nft_table {
 833        struct list_head                list;
 834        struct list_head                chains;
 835        struct list_head                sets;
 836        u64                             hgenerator;
 837        u32                             use;
 838        u16                             flags;
 839        char                            name[NFT_TABLE_MAXNAMELEN];
 840};
 841
 842enum nft_af_flags {
 843        NFT_AF_NEEDS_DEV        = (1 << 0),
 844};
 845
 846/**
 847 *      struct nft_af_info - nf_tables address family info
 848 *
 849 *      @list: used internally
 850 *      @family: address family
 851 *      @nhooks: number of hooks in this family
 852 *      @owner: module owner
 853 *      @tables: used internally
 854 *      @flags: family flags
 855 *      @nops: number of hook ops in this family
 856 *      @hook_ops_init: initialization function for chain hook ops
 857 *      @hooks: hookfn overrides for packet validation
 858 */
 859struct nft_af_info {
 860        struct list_head                list;
 861        int                             family;
 862        unsigned int                    nhooks;
 863        struct module                   *owner;
 864        struct list_head                tables;
 865        u32                             flags;
 866        unsigned int                    nops;
 867        void                            (*hook_ops_init)(struct nf_hook_ops *,
 868                                                         unsigned int);
 869        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 870};
 871
 872int nft_register_afinfo(struct net *, struct nft_af_info *);
 873void nft_unregister_afinfo(struct nft_af_info *);
 874
 875int nft_register_chain_type(const struct nf_chain_type *);
 876void nft_unregister_chain_type(const struct nf_chain_type *);
 877
 878int nft_register_expr(struct nft_expr_type *);
 879void nft_unregister_expr(struct nft_expr_type *);
 880
 881#define nft_dereference(p)                                      \
 882        nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)
 883
 884#define MODULE_ALIAS_NFT_FAMILY(family) \
 885        MODULE_ALIAS("nft-afinfo-" __stringify(family))
 886
 887#define MODULE_ALIAS_NFT_CHAIN(family, name) \
 888        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
 889
 890#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
 891        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
 892
 893#define MODULE_ALIAS_NFT_EXPR(name) \
 894        MODULE_ALIAS("nft-expr-" name)
 895
 896#define MODULE_ALIAS_NFT_SET() \
 897        MODULE_ALIAS("nft-set")
 898
 899/*
 900 * The gencursor defines two generations, the currently active and the
 901 * next one. Objects contain a bitmask of 2 bits specifying the generations
 902 * they're active in. A set bit means they're inactive in the generation
 903 * represented by that bit.
 904 *
 905 * New objects start out as inactive in the current and active in the
 906 * next generation. When committing the ruleset the bitmask is cleared,
 907 * meaning they're active in all generations. When removing an object,
 908 * it is set inactive in the next generation. After committing the ruleset,
 909 * the objects are removed.
 910 */
 911static inline unsigned int nft_gencursor_next(const struct net *net)
 912{
 913        return net->nft.gencursor + 1 == 1 ? 1 : 0;
 914}
 915
 916static inline u8 nft_genmask_next(const struct net *net)
 917{
 918        return 1 << nft_gencursor_next(net);
 919}
 920
 921static inline u8 nft_genmask_cur(const struct net *net)
 922{
 923        /* Use ACCESS_ONCE() to prevent refetching the value for atomicity */
 924        return 1 << ACCESS_ONCE(net->nft.gencursor);
 925}
 926
 927#define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
 928
 929/*
 930 * Set element transaction helpers
 931 */
 932
 933static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
 934                                       u8 genmask)
 935{
 936        return !(ext->genmask & genmask);
 937}
 938
 939static inline void nft_set_elem_change_active(const struct nft_set *set,
 940                                              struct nft_set_ext *ext)
 941{
 942        ext->genmask ^= nft_genmask_next(read_pnet(&set->pnet));
 943}
 944
 945/*
 946 * We use a free bit in the genmask field to indicate the element
 947 * is busy, meaning it is currently being processed either by
 948 * the netlink API or GC.
 949 *
 950 * Even though the genmask is only a single byte wide, this works
 951 * because the extension structure if fully constant once initialized,
 952 * so there are no non-atomic write accesses unless it is already
 953 * marked busy.
 954 */
 955#define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
 956
 957#if defined(__LITTLE_ENDIAN_BITFIELD)
 958#define NFT_SET_ELEM_BUSY_BIT   2
 959#elif defined(__BIG_ENDIAN_BITFIELD)
 960#define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
 961#else
 962#error
 963#endif
 964
 965static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
 966{
 967        unsigned long *word = (unsigned long *)ext;
 968
 969        BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
 970        return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
 971}
 972
 973static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
 974{
 975        unsigned long *word = (unsigned long *)ext;
 976
 977        clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
 978}
 979
 980/**
 981 *      struct nft_trans - nf_tables object update in transaction
 982 *
 983 *      @list: used internally
 984 *      @msg_type: message type
 985 *      @ctx: transaction context
 986 *      @data: internal information related to the transaction
 987 */
 988struct nft_trans {
 989        struct list_head                list;
 990        int                             msg_type;
 991        struct nft_ctx                  ctx;
 992        char                            data[0];
 993};
 994
 995struct nft_trans_rule {
 996        struct nft_rule                 *rule;
 997};
 998
 999#define nft_trans_rule(trans)   \
1000        (((struct nft_trans_rule *)trans->data)->rule)

1001
1002struct nft_trans_set {
1003        struct nft_set                  *set;
1004        u32                             set_id;
1005};
1006
1007#define nft_trans_set(trans)    \
1008        (((struct nft_trans_set *)trans->data)->set)
1009#define nft_trans_set_id(trans) \
1010        (((struct nft_trans_set *)trans->data)->set_id)
1011
1012struct nft_trans_chain {
1013        bool                            update;
1014        char                            name[NFT_CHAIN_MAXNAMELEN];
1015        struct nft_stats __percpu       *stats;
1016        u8                              policy;
1017};
1018
1019#define nft_trans_chain_update(trans)   \
1020        (((struct nft_trans_chain *)trans->data)->update)
1021#define nft_trans_chain_name(trans)     \
1022        (((struct nft_trans_chain *)trans->data)->name)
1023#define nft_trans_chain_stats(trans)    \
1024        (((struct nft_trans_chain *)trans->data)->stats)
1025#define nft_trans_chain_policy(trans)   \
1026        (((struct nft_trans_chain *)trans->data)->policy)
1027
1028struct nft_trans_table {
1029        bool                            update;
1030        bool                            enable;
1031};
1032
1033#define nft_trans_table_update(trans)   \
1034        (((struct nft_trans_table *)trans->data)->update)
1035#define nft_trans_table_enable(trans)   \
1036        (((struct nft_trans_table *)trans->data)->enable)
1037
1038struct nft_trans_elem {
1039        struct nft_set                  *set;
1040        struct nft_set_elem             elem;
1041};
1042
1043#define nft_trans_elem_set(trans)       \
1044        (((struct nft_trans_elem *)trans->data)->set)
1045#define nft_trans_elem(trans)   \
1046        (((struct nft_trans_elem *)trans->data)->elem)
1047
1048#endif /* _NET_NF_TABLES_H */
1049