LXR linux/include/net/netfilter/nf

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _NET_NF_TABLES_H
   3#define _NET_NF_TABLES_H
   4
   5#include <asm/unaligned.h>
   6#include <linux/list.h>
   7#include <linux/netfilter.h>
   8#include <linux/netfilter/nfnetlink.h>
   9#include <linux/netfilter/x_tables.h>
  10#include <linux/netfilter/nf_tables.h>
  11#include <linux/u64_stats_sync.h>
  12#include <linux/rhashtable.h>
  13#include <net/netfilter/nf_flow_table.h>
  14#include <net/netlink.h>
  15#include <net/flow_offload.h>
  16#include <net/netns/generic.h>
  17
  18#define NFT_MAX_HOOKS   (NF_INET_INGRESS + 1)
  19
  20struct module;
  21
  22#define NFT_JUMP_STACK_SIZE     16
  23
  24enum {
  25        NFT_PKTINFO_L4PROTO     = (1 << 0),
  26        NFT_PKTINFO_INNER       = (1 << 1),
  27};
  28
  29struct nft_pktinfo {
  30        struct sk_buff                  *skb;
  31        const struct nf_hook_state      *state;
  32        u8                              flags;
  33        u8                              tprot;
  34        u16                             fragoff;
  35        unsigned int                    thoff;
  36        unsigned int                    inneroff;
  37};
  38
  39static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)
  40{
  41        return pkt->state->sk;
  42}
  43
  44static inline unsigned int nft_thoff(const struct nft_pktinfo *pkt)
  45{
  46        return pkt->thoff;
  47}
  48
  49static inline struct net *nft_net(const struct nft_pktinfo *pkt)
  50{
  51        return pkt->state->net;
  52}
  53
  54static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
  55{
  56        return pkt->state->hook;
  57}
  58
  59static inline u8 nft_pf(const struct nft_pktinfo *pkt)
  60{
  61        return pkt->state->pf;
  62}
  63
  64static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
  65{
  66        return pkt->state->in;
  67}
  68
  69static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
  70{
  71        return pkt->state->out;
  72}
  73
  74static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  75                                   struct sk_buff *skb,
  76                                   const struct nf_hook_state *state)
  77{
  78        pkt->skb = skb;
  79        pkt->state = state;
  80}
  81
  82static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt)
  83{
  84        pkt->flags = 0;
  85        pkt->tprot = 0;
  86        pkt->thoff = 0;
  87        pkt->fragoff = 0;
  88}
  89
  90/**
  91 *      struct nft_verdict - nf_tables verdict
  92 *
  93 *      @code: nf_tables/netfilter verdict code
  94 *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  95 */
  96struct nft_verdict {
  97        u32                             code;
  98        struct nft_chain                *chain;
  99};
 100
 101struct nft_data {
 102        union {
 103                u32                     data[4];
 104                struct nft_verdict      verdict;
 105        };
 106} __attribute__((aligned(__alignof__(u64))));
 107
 108/**
 109 *      struct nft_regs - nf_tables register set
 110 *
 111 *      @data: data registers
 112 *      @verdict: verdict register
 113 *
 114 *      The first four data registers alias to the verdict register.
 115 */
 116struct nft_regs {
 117        union {
 118                u32                     data[20];
 119                struct nft_verdict      verdict;
 120        };
 121};
 122
 123/* Store/load an u8, u16 or u64 integer to/from the u32 data register.
 124 *
 125 * Note, when using concatenations, register allocation happens at 32-bit
 126 * level. So for store instruction, pad the rest part with zero to avoid
 127 * garbage values.
 128 */
 129
 130static inline void nft_reg_store8(u32 *dreg, u8 val)
 131{
 132        *dreg = 0;
 133        *(u8 *)dreg = val;
 134}
 135
 136static inline u8 nft_reg_load8(const u32 *sreg)
 137{
 138        return *(u8 *)sreg;
 139}
 140
 141static inline void nft_reg_store16(u32 *dreg, u16 val)
 142{
 143        *dreg = 0;
 144        *(u16 *)dreg = val;
 145}
 146
 147static inline u16 nft_reg_load16(const u32 *sreg)
 148{
 149        return *(u16 *)sreg;
 150}
 151
 152static inline void nft_reg_store64(u32 *dreg, u64 val)
 153{
 154        put_unaligned(val, (u64 *)dreg);
 155}
 156
 157static inline u64 nft_reg_load64(const u32 *sreg)
 158{
 159        return get_unaligned((u64 *)sreg);
 160}
 161
 162static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 163                                 unsigned int len)
 164{
 165        if (len % NFT_REG32_SIZE)
 166                dst[len / NFT_REG32_SIZE] = 0;
 167        memcpy(dst, src, len);
 168}
 169
 170/**
 171 *      struct nft_ctx - nf_tables rule/set context
 172 *
 173 *      @net: net namespace
 174 *      @table: the table the chain is contained in
 175 *      @chain: the chain the rule is contained in
 176 *      @nla: netlink attributes
 177 *      @portid: netlink portID of the original message
 178 *      @seq: netlink sequence number
 179 *      @family: protocol family
 180 *      @level: depth of the chains
 181 *      @report: notify via unicast netlink message
 182 */
 183struct nft_ctx {
 184        struct net                      *net;
 185        struct nft_table                *table;
 186        struct nft_chain                *chain;
 187        const struct nlattr * const     *nla;
 188        u32                             portid;
 189        u32                             seq;
 190        u16                             flags;
 191        u8                              family;
 192        u8                              level;
 193        bool                            report;
 194};
 195
 196struct nft_data_desc {
 197        enum nft_data_types             type;
 198        unsigned int                    len;
 199};
 200
 201int nft_data_init(const struct nft_ctx *ctx,
 202                  struct nft_data *data, unsigned int size,
 203                  struct nft_data_desc *desc, const struct nlattr *nla);
 204void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 205void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 206int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 207                  enum nft_data_types type, unsigned int len);
 208
 209static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 210{
 211        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 212}
 213
 214static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 215{
 216        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 217}
 218
 219int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
 220int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 221
 222int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
 223int nft_parse_register_store(const struct nft_ctx *ctx,
 224                             const struct nlattr *attr, u8 *dreg,
 225                             const struct nft_data *data,
 226                             enum nft_data_types type, unsigned int len);
 227
 228/**
 229 *      struct nft_userdata - user defined data associated with an object
 230 *
 231 *      @len: length of the data
 232 *      @data: content
 233 *
 234 *      The presence of user data is indicated in an object specific fashion,
 235 *      so a length of zero can't occur and the value "len" indicates data
 236 *      of length len + 1.
 237 */
 238struct nft_userdata {
 239        u8                      len;
 240        unsigned char           data[];
 241};
 242
 243/**
 244 *      struct nft_set_elem - generic representation of set elements
 245 *
 246 *      @key: element key
 247 *      @key_end: closing element key
 248 *      @priv: element private data and extensions
 249 */
 250struct nft_set_elem {
 251        union {
 252                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 253                struct nft_data val;
 254        } key;
 255        union {
 256                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 257                struct nft_data val;
 258        } key_end;
 259        union {
 260                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 261                struct nft_data val;
 262        } data;
 263        void                    *priv;
 264};
 265
 266struct nft_set;
 267struct nft_set_iter {
 268        u8              genmask;
 269        unsigned int    count;
 270        unsigned int    skip;
 271        int             err;
 272        int             (*fn)(const struct nft_ctx *ctx,
 273                              struct nft_set *set,
 274                              const struct nft_set_iter *iter,
 275                              struct nft_set_elem *elem);
 276};
 277
 278/**
 279 *      struct nft_set_desc - description of set elements
 280 *
 281 *      @klen: key length
 282 *      @dlen: data length
 283 *      @size: number of set elements
 284 *      @field_len: length of each field in concatenation, bytes
 285 *      @field_count: number of concatenated fields in element
 286 *      @expr: set must support for expressions
 287 */
 288struct nft_set_desc {
 289        unsigned int            klen;
 290        unsigned int            dlen;
 291        unsigned int            size;
 292        u8                      field_len[NFT_REG32_COUNT];
 293        u8                      field_count;
 294        bool                    expr;
 295};
 296
 297/**
 298 *      enum nft_set_class - performance class
 299 *
 300 *      @NFT_LOOKUP_O_1: constant, O(1)
 301 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 302 *      @NFT_LOOKUP_O_N: linear, O(N)
 303 */
 304enum nft_set_class {
 305        NFT_SET_CLASS_O_1,
 306        NFT_SET_CLASS_O_LOG_N,
 307        NFT_SET_CLASS_O_N,
 308};
 309
 310/**
 311 *      struct nft_set_estimate - estimation of memory and performance
 312 *                                characteristics
 313 *
 314 *      @size: required memory
 315 *      @lookup: lookup performance class
 316 *      @space: memory class
 317 */
 318struct nft_set_estimate {
 319        u64                     size;
 320        enum nft_set_class      lookup;
 321        enum nft_set_class      space;
 322};
 323
 324#define NFT_EXPR_MAXATTR                16
 325#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 326                                         ALIGN(size, __alignof__(struct nft_expr)))
 327
 328/**
 329 *      struct nft_expr - nf_tables expression
 330 *
 331 *      @ops: expression ops
 332 *      @data: expression private data
 333 */
 334struct nft_expr {
 335        const struct nft_expr_ops       *ops;
 336        unsigned char                   data[]
 337                __attribute__((aligned(__alignof__(u64))));
 338};
 339
 340static inline void *nft_expr_priv(const struct nft_expr *expr)
 341{
 342        return (void *)expr->data;
 343}
 344
 345int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
 346void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 347int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 348                  const struct nft_expr *expr);
 349
 350struct nft_set_ext;
 351
 352/**
 353 *      struct nft_set_ops - nf_tables set operations
 354 *
 355 *      @lookup: look up an element within the set
 356 *      @update: update an element if exists, add it if doesn't exist
 357 *      @delete: delete an element
 358 *      @insert: insert new element into set
 359 *      @activate: activate new element in the next generation
 360 *      @deactivate: lookup for element and deactivate it in the next generation
 361 *      @flush: deactivate element in the next generation
 362 *      @remove: remove element from set
 363 *      @walk: iterate over all set elements
 364 *      @get: get set elements
 365 *      @privsize: function to return size of set private data
 366 *      @init: initialize private data of new set instance
 367 *      @destroy: destroy private data of set instance
 368 *      @elemsize: element private size
 369 *
 370 *      Operations lookup, update and delete have simpler interfaces, are faster
 371 *      and currently only used in the packet path. All the rest are slower,
 372 *      control plane functions.
 373 */
 374struct nft_set_ops {
 375        bool                            (*lookup)(const struct net *net,
 376                                                  const struct nft_set *set,
 377                                                  const u32 *key,
 378                                                  const struct nft_set_ext **ext);
 379        bool                            (*update)(struct nft_set *set,
 380                                                  const u32 *key,
 381                                                  void *(*new)(struct nft_set *,
 382                                                               const struct nft_expr *,
 383                                                               struct nft_regs *),
 384                                                  const struct nft_expr *expr,
 385                                                  struct nft_regs *regs,
 386                                                  const struct nft_set_ext **ext);
 387        bool                            (*delete)(const struct nft_set *set,
 388                                                  const u32 *key);
 389
 390        int                             (*insert)(const struct net *net,
 391                                                  const struct nft_set *set,
 392                                                  const struct nft_set_elem *elem,
 393                                                  struct nft_set_ext **ext);
 394        void                            (*activate)(const struct net *net,
 395                                                    const struct nft_set *set,
 396                                                    const struct nft_set_elem *elem);
 397        void *                          (*deactivate)(const struct net *net,
 398                                                      const struct nft_set *set,
 399                                                      const struct nft_set_elem *elem);
 400        bool                            (*flush)(const struct net *net,
 401                                                 const struct nft_set *set,
 402                                                 void *priv);
 403        void                            (*remove)(const struct net *net,
 404                                                  const struct nft_set *set,
 405                                                  const struct nft_set_elem *elem);
 406        void                            (*walk)(const struct nft_ctx *ctx,
 407                                                struct nft_set *set,
 408                                                struct nft_set_iter *iter);
 409        void *                          (*get)(const struct net *net,
 410                                               const struct nft_set *set,
 411                                               const struct nft_set_elem *elem,
 412                                               unsigned int flags);
 413
 414        u64                             (*privsize)(const struct nlattr * const nla[],
 415                                                    const struct nft_set_desc *desc);
 416        bool                            (*estimate)(const struct nft_set_desc *desc,
 417                                                    u32 features,
 418                                                    struct nft_set_estimate *est);
 419        int                             (*init)(const struct nft_set *set,
 420                                                const struct nft_set_desc *desc,
 421                                                const struct nlattr * const nla[]);
 422        void                            (*destroy)(const struct nft_set *set);
 423        void                            (*gc_init)(const struct nft_set *set);
 424
 425        unsigned int                    elemsize;
 426};
 427
 428/**
 429 *      struct nft_set_type - nf_tables set type
 430 *
 431 *      @ops: set ops for this type
 432 *      @features: features supported by the implementation
 433 */
 434struct nft_set_type {
 435        const struct nft_set_ops        ops;
 436        u32                             features;
 437};
 438#define to_set_type(o) container_of(o, struct nft_set_type, ops)
 439
 440struct nft_set_elem_expr {
 441        u8                              size;
 442        unsigned char                   data[]
 443                __attribute__((aligned(__alignof__(struct nft_expr))));
 444};
 445
 446#define nft_setelem_expr_at(__elem_expr, __offset)                      \
 447        ((struct nft_expr *)&__elem_expr->data[__offset])
 448
 449#define nft_setelem_expr_foreach(__expr, __elem_expr, __size)           \
 450        for (__expr = nft_setelem_expr_at(__elem_expr, 0), __size = 0;  \
 451             __size < (__elem_expr)->size;                              \
 452             __size += (__expr)->ops->size, __expr = ((void *)(__expr)) + (__expr)->ops->size)
 453
 454#define NFT_SET_EXPR_MAX        2
 455
 456/**
 457 *      struct nft_set - nf_tables set instance
 458 *
 459 *      @list: table set list node
 460 *      @bindings: list of set bindings
 461 *      @table: table this set belongs to
 462 *      @net: netnamespace this set belongs to
 463 *      @name: name of the set
 464 *      @handle: unique handle of the set
 465 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 466 *      @dtype: data type (verdict or numeric type defined by userspace)
 467 *      @objtype: object type (see NFT_OBJECT_* definitions)
 468 *      @size: maximum set size
 469 *      @field_len: length of each field in concatenation, bytes
 470 *      @field_count: number of concatenated fields in element
 471 *      @use: number of rules references to this set
 472 *      @nelems: number of elements
 473 *      @ndeact: number of deactivated elements queued for removal
 474 *      @timeout: default timeout value in jiffies
 475 *      @gc_int: garbage collection interval in msecs
 476 *      @policy: set parameterization (see enum nft_set_policies)
 477 *      @udlen: user data length
 478 *      @udata: user data
 479 *      @expr: stateful expression
 480 *      @ops: set ops
 481 *      @flags: set flags
 482 *      @genmask: generation mask
 483 *      @klen: key length
 484 *      @dlen: data length
 485 *      @data: private set data
 486 */
 487struct nft_set {
 488        struct list_head                list;
 489        struct list_head                bindings;
 490        struct nft_table                *table;
 491        possible_net_t                  net;
 492        char                            *name;
 493        u64                             handle;
 494        u32                             ktype;
 495        u32                             dtype;
 496        u32                             objtype;
 497        u32                             size;
 498        u8                              field_len[NFT_REG32_COUNT];
 499        u8                              field_count;
 500        u32                             use;
 501        atomic_t                        nelems;
 502        u32                             ndeact;
 503        u64                             timeout;
 504        u32                             gc_int;
 505        u16                             policy;
 506        u16                             udlen;
 507        unsigned char                   *udata;
 508        /* runtime data below here */
 509        const struct nft_set_ops        *ops ____cacheline_aligned;
 510        u16                             flags:14,
 511                                        genmask:2;
 512        u8                              klen;
 513        u8                              dlen;
 514        u8                              num_exprs;
 515        struct nft_expr                 *exprs[NFT_SET_EXPR_MAX];
 516        struct list_head                catchall_list;
 517        unsigned char                   data[]
 518                __attribute__((aligned(__alignof__(u64))));
 519};
 520
 521static inline bool nft_set_is_anonymous(const struct nft_set *set)
 522{
 523        return set->flags & NFT_SET_ANONYMOUS;
 524}
 525
 526static inline void *nft_set_priv(const struct nft_set *set)
 527{
 528        return (void *)set->data;
 529}
 530
 531static inline struct nft_set *nft_set_container_of(const void *priv)
 532{
 533        return (void *)priv - offsetof(struct nft_set, data);
 534}
 535
 536struct nft_set *nft_set_lookup_global(const struct net *net,
 537                                      const struct nft_table *table,
 538                                      const struct nlattr *nla_set_name,
 539                                      const struct nlattr *nla_set_id,
 540                                      u8 genmask);
 541
 542struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
 543                                            const struct nft_set *set);
 544void *nft_set_catchall_gc(const struct nft_set *set);
 545
 546static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 547{
 548        return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 549}
 550
 551/**
 552 *      struct nft_set_binding - nf_tables set binding
 553 *
 554 *      @list: set bindings list node
 555 *      @chain: chain containing the rule bound to the set
 556 *      @flags: set action flags
 557 *
 558 *      A set binding contains all information necessary for validation
 559 *      of new elements added to a bound set.
 560 */
 561struct nft_set_binding {
 562        struct list_head                list;
 563        const struct nft_chain          *chain;
 564        u32                             flags;
 565};
 566
 567enum nft_trans_phase;
 568void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 569                              struct nft_set_binding *binding,
 570                              enum nft_trans_phase phase);
 571int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 572                       struct nft_set_binding *binding);
 573void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
 574
 575/**
 576 *      enum nft_set_extensions - set extension type IDs
 577 *
 578 *      @NFT_SET_EXT_KEY: element key
 579 *      @NFT_SET_EXT_KEY_END: upper bound element key, for ranges
 580 *      @NFT_SET_EXT_DATA: mapping data
 581 *      @NFT_SET_EXT_FLAGS: element flags
 582 *      @NFT_SET_EXT_TIMEOUT: element timeout
 583 *      @NFT_SET_EXT_EXPIRATION: element expiration time
 584 *      @NFT_SET_EXT_USERDATA: user data associated with the element
 585 *      @NFT_SET_EXT_EXPRESSIONS: expressions assiciated with the element
 586 *      @NFT_SET_EXT_OBJREF: stateful object reference associated with element
 587 *      @NFT_SET_EXT_NUM: number of extension types
 588 */
 589enum nft_set_extensions {
 590        NFT_SET_EXT_KEY,
 591        NFT_SET_EXT_KEY_END,
 592        NFT_SET_EXT_DATA,
 593        NFT_SET_EXT_FLAGS,
 594        NFT_SET_EXT_TIMEOUT,
 595        NFT_SET_EXT_EXPIRATION,
 596        NFT_SET_EXT_USERDATA,
 597        NFT_SET_EXT_EXPRESSIONS,
 598        NFT_SET_EXT_OBJREF,
 599        NFT_SET_EXT_NUM
 600};
 601
 602/**
 603 *      struct nft_set_ext_type - set extension type
 604 *
 605 *      @len: fixed part length of the extension
 606 *      @align: alignment requirements of the extension
 607 */
 608struct nft_set_ext_type {
 609        u8      len;
 610        u8      align;
 611};
 612
 613extern const struct nft_set_ext_type nft_set_ext_types[];
 614
 615/**
 616 *      struct nft_set_ext_tmpl - set extension template
 617 *
 618 *      @len: length of extension area
 619 *      @offset: offsets of individual extension types
 620 */
 621struct nft_set_ext_tmpl {
 622        u16     len;
 623        u8      offset[NFT_SET_EXT_NUM];
 624};
 625
 626/**
 627 *      struct nft_set_ext - set extensions
 628 *
 629 *      @genmask: generation mask
 630 *      @offset: offsets of individual extension types
 631 *      @data: beginning of extension data
 632 */
 633struct nft_set_ext {
 634        u8      genmask;
 635        u8      offset[NFT_SET_EXT_NUM];
 636        char    data[];
 637};
 638
 639static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 640{
 641        memset(tmpl, 0, sizeof(*tmpl));
 642        tmpl->len = sizeof(struct nft_set_ext);
 643}
 644
 645static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 646                                          unsigned int len)
 647{
 648        tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 649        BUG_ON(tmpl->len > U8_MAX);
 650        tmpl->offset[id] = tmpl->len;
 651        tmpl->len       += nft_set_ext_types[id].len + len;
 652}
 653
 654static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 655{
 656        nft_set_ext_add_length(tmpl, id, 0);
 657}
 658
 659static inline void nft_set_ext_init(struct nft_set_ext *ext,
 660                                    const struct nft_set_ext_tmpl *tmpl)
 661{
 662        memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 663}
 664
 665static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 666{
 667        return !!ext->offset[id];
 668}
 669
 670static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 671{
 672        return ext && __nft_set_ext_exists(ext, id);
 673}
 674
 675static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 676{
 677        return (void *)ext + ext->offset[id];
 678}
 679
 680static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 681{
 682        return nft_set_ext(ext, NFT_SET_EXT_KEY);
 683}
 684
 685static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext)
 686{
 687        return nft_set_ext(ext, NFT_SET_EXT_KEY_END);
 688}
 689
 690static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 691{
 692        return nft_set_ext(ext, NFT_SET_EXT_DATA);
 693}
 694
 695static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 696{
 697        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 698}
 699
 700static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 701{
 702        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 703}
 704
 705static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
 706{
 707        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 708}
 709
 710static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 711{
 712        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 713}
 714
 715static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 716{
 717        return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS);
 718}
 719
 720static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 721{
 722        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 723               time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
 724}
 725
 726static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 727                                                   void *elem)
 728{
 729        return elem + set->ops->elemsize;
 730}
 731
 732static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
 733{
 734        return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
 735}
 736
 737struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
 738                                         const struct nft_set *set,
 739                                         const struct nlattr *attr);
 740
 741void *nft_set_elem_init(const struct nft_set *set,
 742                        const struct nft_set_ext_tmpl *tmpl,
 743                        const u32 *key, const u32 *key_end, const u32 *data,
 744                        u64 timeout, u64 expiration, gfp_t gfp);
 745int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
 746                            struct nft_expr *expr_array[]);
 747void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 748                          bool destroy_expr);
 749
 750/**
 751 *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 752 *
 753 *      @rcu: rcu head
 754 *      @set: set the elements belong to
 755 *      @cnt: count of elements
 756 */
 757struct nft_set_gc_batch_head {
 758        struct rcu_head                 rcu;
 759        const struct nft_set            *set;
 760        unsigned int                    cnt;
 761};
 762
 763#define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 764                                  sizeof(struct nft_set_gc_batch_head)) / \
 765                                 sizeof(void *))
 766
 767/**
 768 *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 769 *
 770 *      @head: GC batch head
 771 *      @elems: garbage collection elements
 772 */
 773struct nft_set_gc_batch {
 774        struct nft_set_gc_batch_head    head;
 775        void                            *elems[NFT_SET_GC_BATCH_SIZE];
 776};
 777
 778struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 779                                                gfp_t gfp);
 780void nft_set_gc_batch_release(struct rcu_head *rcu);
 781
 782static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 783{
 784        if (gcb != NULL)
 785                call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 786}
 787
 788static inline struct nft_set_gc_batch *
 789nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 790                       gfp_t gfp)
 791{
 792        if (gcb != NULL) {
 793                if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 794                        return gcb;
 795                nft_set_gc_batch_complete(gcb);
 796        }
 797        return nft_set_gc_batch_alloc(set, gfp);
 798}
 799
 800static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 801                                        void *elem)
 802{
 803        gcb->elems[gcb->head.cnt++] = elem;
 804}
 805
 806struct nft_expr_ops;
 807/**
 808 *      struct nft_expr_type - nf_tables expression type
 809 *
 810 *      @select_ops: function to select nft_expr_ops
 811 *      @release_ops: release nft_expr_ops
 812 *      @ops: default ops, used when no select_ops functions is present
 813 *      @list: used internally
 814 *      @name: Identifier
 815 *      @owner: module reference
 816 *      @policy: netlink attribute policy
 817 *      @maxattr: highest netlink attribute number
 818 *      @family: address family for AF-specific types
 819 *      @flags: expression type flags
 820 */
 821struct nft_expr_type {
 822        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 823                                                       const struct nlattr * const tb[]);
 824        void                            (*release_ops)(const struct nft_expr_ops *ops);
 825        const struct nft_expr_ops       *ops;
 826        struct list_head                list;
 827        const char                      *name;
 828        struct module                   *owner;
 829        const struct nla_policy         *policy;
 830        unsigned int                    maxattr;
 831        u8                              family;
 832        u8                              flags;
 833};
 834
 835#define NFT_EXPR_STATEFUL               0x1
 836#define NFT_EXPR_GC                     0x2
 837
 838enum nft_trans_phase {
 839        NFT_TRANS_PREPARE,
 840        NFT_TRANS_ABORT,
 841        NFT_TRANS_COMMIT,
 842        NFT_TRANS_RELEASE
 843};
 844
 845struct nft_flow_rule;
 846struct nft_offload_ctx;
 847
 848/**
 849 *      struct nft_expr_ops - nf_tables expression operations
 850 *
 851 *      @eval: Expression evaluation function
 852 *      @size: full expression size, including private data size
 853 *      @init: initialization function
 854 *      @activate: activate expression in the next generation
 855 *      @deactivate: deactivate expression in next generation
 856 *      @destroy: destruction function, called after synchronize_rcu
 857 *      @dump: function to dump parameters
 858 *      @type: expression type
 859 *      @validate: validate expression, called during loop detection
 860 *      @data: extra data to attach to this expression operation
 861 */
 862struct nft_expr_ops {
 863        void                            (*eval)(const struct nft_expr *expr,
 864                                                struct nft_regs *regs,
 865                                                const struct nft_pktinfo *pkt);
 866        int                             (*clone)(struct nft_expr *dst,
 867                                                 const struct nft_expr *src);
 868        unsigned int                    size;
 869
 870        int                             (*init)(const struct nft_ctx *ctx,
 871                                                const struct nft_expr *expr,
 872                                                const struct nlattr * const tb[]);
 873        void                            (*activate)(const struct nft_ctx *ctx,
 874                                                    const struct nft_expr *expr);
 875        void                            (*deactivate)(const struct nft_ctx *ctx,
 876                                                      const struct nft_expr *expr,
 877                                                      enum nft_trans_phase phase);
 878        void                            (*destroy)(const struct nft_ctx *ctx,
 879                                                   const struct nft_expr *expr);
 880        void                            (*destroy_clone)(const struct nft_ctx *ctx,
 881                                                         const struct nft_expr *expr);
 882        int                             (*dump)(struct sk_buff *skb,
 883                                                const struct nft_expr *expr);
 884        int                             (*validate)(const struct nft_ctx *ctx,
 885                                                    const struct nft_expr *expr,
 886                                                    const struct nft_data **data);
 887        bool                            (*gc)(struct net *net,
 888                                              const struct nft_expr *expr);
 889        int                             (*offload)(struct nft_offload_ctx *ctx,
 890                                                   struct nft_flow_rule *flow,
 891                                                   const struct nft_expr *expr);
 892        void                            (*offload_stats)(struct nft_expr *expr,
 893                                                         const struct flow_stats *stats);
 894        u32                             offload_flags;
 895        const struct nft_expr_type      *type;
 896        void                            *data;
 897};
 898
 899/**
 900 *      struct nft_rule - nf_tables rule
 901 *
 902 *      @list: used internally
 903 *      @handle: rule handle
 904 *      @genmask: generation mask
 905 *      @dlen: length of expression data
 906 *      @udata: user data is appended to the rule
 907 *      @data: expression data
 908 */
 909struct nft_rule {
 910        struct list_head                list;
 911        u64                             handle:42,
 912                                        genmask:2,
 913                                        dlen:12,
 914                                        udata:1;
 915        unsigned char                   data[]
 916                __attribute__((aligned(__alignof__(struct nft_expr))));
 917};
 918
 919static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 920{
 921        return (struct nft_expr *)&rule->data[0];
 922}
 923
 924static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 925{
 926        return ((void *)expr) + expr->ops->size;
 927}
 928
 929static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 930{
 931        return (struct nft_expr *)&rule->data[rule->dlen];
 932}
 933
 934static inline bool nft_expr_more(const struct nft_rule *rule,
 935                                 const struct nft_expr *expr)
 936{
 937        return expr != nft_expr_last(rule) && expr->ops;
 938}
 939
 940static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 941{
 942        return (void *)&rule->data[rule->dlen];
 943}
 944
 945void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule);
 946
 947static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
 948                                            struct nft_regs *regs,
 949                                            const struct nft_pktinfo *pkt)
 950{
 951        struct nft_set_elem_expr *elem_expr;
 952        struct nft_expr *expr;
 953        u32 size;
 954
 955        if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) {
 956                elem_expr = nft_set_ext_expr(ext);
 957                nft_setelem_expr_foreach(expr, elem_expr, size) {
 958                        expr->ops->eval(expr, regs, pkt);
 959                        if (regs->verdict.code == NFT_BREAK)
 960                                return;
 961                }
 962        }
 963}
 964
 965/*
 966 * The last pointer isn't really necessary, but the compiler isn't able to
 967 * determine that the result of nft_expr_last() is always the same since it
 968 * can't assume that the dlen value wasn't changed within calls in the loop.
 969 */
 970#define nft_rule_for_each_expr(expr, last, rule) \
 971        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 972             (expr) != (last); \
 973             (expr) = nft_expr_next(expr))
 974
 975#define NFT_CHAIN_POLICY_UNSET          U8_MAX
 976
 977/**
 978 *      struct nft_chain - nf_tables chain
 979 *
 980 *      @rules: list of rules in the chain
 981 *      @list: used internally
 982 *      @rhlhead: used internally
 983 *      @table: table that this chain belongs to
 984 *      @handle: chain handle
 985 *      @use: number of jump references to this chain
 986 *      @flags: bitmask of enum nft_chain_flags
 987 *      @name: name of the chain
 988 */
 989struct nft_chain {
 990        struct nft_rule                 *__rcu *rules_gen_0;
 991        struct nft_rule                 *__rcu *rules_gen_1;
 992        struct list_head                rules;
 993        struct list_head                list;
 994        struct rhlist_head              rhlhead;
 995        struct nft_table                *table;
 996        u64                             handle;
 997        u32                             use;
 998        u8                              flags:5,
 999                                        bound:1,
1000                                        genmask:2;

1001        char                            *name;
1002        u16                             udlen;
1003        u8                              *udata;
1004
1005        /* Only used during control plane commit phase: */
1006        struct nft_rule                 **rules_next;
1007};
1008
1009int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
1010
1011enum nft_chain_types {
1012        NFT_CHAIN_T_DEFAULT = 0,
1013        NFT_CHAIN_T_ROUTE,
1014        NFT_CHAIN_T_NAT,
1015        NFT_CHAIN_T_MAX
1016};
1017
1018/**
1019 *      struct nft_chain_type - nf_tables chain type info
1020 *
1021 *      @name: name of the type
1022 *      @type: numeric identifier
1023 *      @family: address family
1024 *      @owner: module owner
1025 *      @hook_mask: mask of valid hooks
1026 *      @hooks: array of hook functions
1027 *      @ops_register: base chain register function
1028 *      @ops_unregister: base chain unregister function
1029 */
1030struct nft_chain_type {
1031        const char                      *name;
1032        enum nft_chain_types            type;
1033        int                             family;
1034        struct module                   *owner;
1035        unsigned int                    hook_mask;
1036        nf_hookfn                       *hooks[NFT_MAX_HOOKS];
1037        int                             (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
1038        void                            (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
1039};
1040
1041int nft_chain_validate_dependency(const struct nft_chain *chain,
1042                                  enum nft_chain_types type);
1043int nft_chain_validate_hooks(const struct nft_chain *chain,
1044                             unsigned int hook_flags);
1045
1046static inline bool nft_chain_is_bound(struct nft_chain *chain)
1047{
1048        return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
1049}
1050
1051void nft_chain_del(struct nft_chain *chain);
1052void nf_tables_chain_destroy(struct nft_ctx *ctx);
1053
1054struct nft_stats {
1055        u64                     bytes;
1056        u64                     pkts;
1057        struct u64_stats_sync   syncp;
1058};
1059
1060struct nft_hook {
1061        struct list_head        list;
1062        bool                    inactive;
1063        struct nf_hook_ops      ops;
1064        struct rcu_head         rcu;
1065};
1066
1067/**
1068 *      struct nft_base_chain - nf_tables base chain
1069 *
1070 *      @ops: netfilter hook ops
1071 *      @hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)
1072 *      @type: chain type
1073 *      @policy: default policy
1074 *      @stats: per-cpu chain stats
1075 *      @chain: the chain
1076 *      @flow_block: flow block (for hardware offload)
1077 */
1078struct nft_base_chain {
1079        struct nf_hook_ops              ops;
1080        struct list_head                hook_list;
1081        const struct nft_chain_type     *type;
1082        u8                              policy;
1083        u8                              flags;
1084        struct nft_stats __percpu       *stats;
1085        struct nft_chain                chain;
1086        struct flow_block               flow_block;
1087};
1088
1089static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
1090{
1091        return container_of(chain, struct nft_base_chain, chain);
1092}
1093
1094static inline bool nft_is_base_chain(const struct nft_chain *chain)
1095{
1096        return chain->flags & NFT_CHAIN_BASE;
1097}
1098
1099int __nft_release_basechain(struct nft_ctx *ctx);
1100
1101unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1102
1103/**
1104 *      struct nft_table - nf_tables table
1105 *
1106 *      @list: used internally
1107 *      @chains_ht: chains in the table
1108 *      @chains: same, for stable walks
1109 *      @sets: sets in the table
1110 *      @objects: stateful objects in the table
1111 *      @flowtables: flow tables in the table
1112 *      @hgenerator: handle generator state
1113 *      @handle: table handle
1114 *      @use: number of chain references to this table
1115 *      @flags: table flag (see enum nft_table_flags)
1116 *      @genmask: generation mask
1117 *      @afinfo: address family info
1118 *      @name: name of the table
1119 */
1120struct nft_table {
1121        struct list_head                list;
1122        struct rhltable                 chains_ht;
1123        struct list_head                chains;
1124        struct list_head                sets;
1125        struct list_head                objects;
1126        struct list_head                flowtables;
1127        u64                             hgenerator;
1128        u64                             handle;
1129        u32                             use;
1130        u16                             family:6,
1131                                        flags:8,
1132                                        genmask:2;
1133        u32                             nlpid;
1134        char                            *name;
1135        u16                             udlen;
1136        u8                              *udata;
1137};
1138
1139static inline bool nft_table_has_owner(const struct nft_table *table)
1140{
1141        return table->flags & NFT_TABLE_F_OWNER;
1142}
1143
1144static inline bool nft_base_chain_netdev(int family, u32 hooknum)
1145{
1146        return family == NFPROTO_NETDEV ||
1147               (family == NFPROTO_INET && hooknum == NF_INET_INGRESS);
1148}
1149
1150void nft_register_chain_type(const struct nft_chain_type *);
1151void nft_unregister_chain_type(const struct nft_chain_type *);
1152
1153int nft_register_expr(struct nft_expr_type *);
1154void nft_unregister_expr(struct nft_expr_type *);
1155
1156int nft_verdict_dump(struct sk_buff *skb, int type,
1157                     const struct nft_verdict *v);
1158
1159/**
1160 *      struct nft_object_hash_key - key to lookup nft_object
1161 *
1162 *      @name: name of the stateful object to look up
1163 *      @table: table the object belongs to
1164 */
1165struct nft_object_hash_key {
1166        const char                      *name;
1167        const struct nft_table          *table;
1168};
1169
1170/**
1171 *      struct nft_object - nf_tables stateful object
1172 *
1173 *      @list: table stateful object list node
1174 *      @key:  keys that identify this object
1175 *      @rhlhead: nft_objname_ht node
1176 *      @genmask: generation mask
1177 *      @use: number of references to this stateful object
1178 *      @handle: unique object handle
1179 *      @ops: object operations
1180 *      @data: object data, layout depends on type
1181 */
1182struct nft_object {
1183        struct list_head                list;
1184        struct rhlist_head              rhlhead;
1185        struct nft_object_hash_key      key;
1186        u32                             genmask:2,
1187                                        use:30;
1188        u64                             handle;
1189        u16                             udlen;
1190        u8                              *udata;
1191        /* runtime data below here */
1192        const struct nft_object_ops     *ops ____cacheline_aligned;
1193        unsigned char                   data[]
1194                __attribute__((aligned(__alignof__(u64))));
1195};
1196
1197static inline void *nft_obj_data(const struct nft_object *obj)
1198{
1199        return (void *)obj->data;
1200}
1201
1202#define nft_expr_obj(expr)      *((struct nft_object **)nft_expr_priv(expr))
1203
1204struct nft_object *nft_obj_lookup(const struct net *net,
1205                                  const struct nft_table *table,
1206                                  const struct nlattr *nla, u32 objtype,
1207                                  u8 genmask);
1208
1209void nft_obj_notify(struct net *net, const struct nft_table *table,
1210                    struct nft_object *obj, u32 portid, u32 seq,
1211                    int event, u16 flags, int family, int report, gfp_t gfp);
1212
1213/**
1214 *      struct nft_object_type - stateful object type
1215 *
1216 *      @select_ops: function to select nft_object_ops
1217 *      @ops: default ops, used when no select_ops functions is present
1218 *      @list: list node in list of object types
1219 *      @type: stateful object numeric type
1220 *      @owner: module owner
1221 *      @maxattr: maximum netlink attribute
1222 *      @policy: netlink attribute policy
1223 */
1224struct nft_object_type {
1225        const struct nft_object_ops     *(*select_ops)(const struct nft_ctx *,
1226                                                       const struct nlattr * const tb[]);
1227        const struct nft_object_ops     *ops;
1228        struct list_head                list;
1229        u32                             type;
1230        unsigned int                    maxattr;
1231        struct module                   *owner;
1232        const struct nla_policy         *policy;
1233};
1234
1235/**
1236 *      struct nft_object_ops - stateful object operations
1237 *
1238 *      @eval: stateful object evaluation function
1239 *      @size: stateful object size
1240 *      @init: initialize object from netlink attributes
1241 *      @destroy: release existing stateful object
1242 *      @dump: netlink dump stateful object
1243 *      @update: update stateful object
1244 */
1245struct nft_object_ops {
1246        void                            (*eval)(struct nft_object *obj,
1247                                                struct nft_regs *regs,
1248                                                const struct nft_pktinfo *pkt);
1249        unsigned int                    size;
1250        int                             (*init)(const struct nft_ctx *ctx,
1251                                                const struct nlattr *const tb[],
1252                                                struct nft_object *obj);
1253        void                            (*destroy)(const struct nft_ctx *ctx,
1254                                                   struct nft_object *obj);
1255        int                             (*dump)(struct sk_buff *skb,
1256                                                struct nft_object *obj,
1257                                                bool reset);
1258        void                            (*update)(struct nft_object *obj,
1259                                                  struct nft_object *newobj);
1260        const struct nft_object_type    *type;
1261};
1262
1263int nft_register_obj(struct nft_object_type *obj_type);
1264void nft_unregister_obj(struct nft_object_type *obj_type);
1265
1266#define NFT_NETDEVICE_MAX       256
1267
1268/**
1269 *      struct nft_flowtable - nf_tables flow table
1270 *
1271 *      @list: flow table list node in table list
1272 *      @table: the table the flow table is contained in
1273 *      @name: name of this flow table
1274 *      @hooknum: hook number
1275 *      @ops_len: number of hooks in array
1276 *      @genmask: generation mask
1277 *      @use: number of references to this flow table
1278 *      @handle: unique object handle
1279 *      @dev_name: array of device names
1280 *      @data: rhashtable and garbage collector
1281 *      @ops: array of hooks
1282 */
1283struct nft_flowtable {
1284        struct list_head                list;
1285        struct nft_table                *table;
1286        char                            *name;
1287        int                             hooknum;
1288        int                             ops_len;
1289        u32                             genmask:2,
1290                                        use:30;
1291        u64                             handle;
1292        /* runtime data below here */
1293        struct list_head                hook_list ____cacheline_aligned;
1294        struct nf_flowtable             data;
1295};
1296
1297struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1298                                           const struct nlattr *nla,
1299                                           u8 genmask);
1300
1301void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1302                                    struct nft_flowtable *flowtable,
1303                                    enum nft_trans_phase phase);
1304
1305void nft_register_flowtable_type(struct nf_flowtable_type *type);
1306void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1307
1308/**
1309 *      struct nft_traceinfo - nft tracing information and state
1310 *
1311 *      @pkt: pktinfo currently processed
1312 *      @basechain: base chain currently processed
1313 *      @chain: chain currently processed
1314 *      @rule:  rule that was evaluated
1315 *      @verdict: verdict given by rule
1316 *      @type: event type (enum nft_trace_types)
1317 *      @packet_dumped: packet headers sent in a previous traceinfo message
1318 *      @trace: other struct members are initialised
1319 */
1320struct nft_traceinfo {
1321        const struct nft_pktinfo        *pkt;
1322        const struct nft_base_chain     *basechain;
1323        const struct nft_chain          *chain;
1324        const struct nft_rule           *rule;
1325        const struct nft_verdict        *verdict;
1326        enum nft_trace_types            type;
1327        bool                            packet_dumped;
1328        bool                            trace;
1329};
1330
1331void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1332                    const struct nft_verdict *verdict,
1333                    const struct nft_chain *basechain);
1334
1335void nft_trace_notify(struct nft_traceinfo *info);
1336
1337#define MODULE_ALIAS_NFT_CHAIN(family, name) \
1338        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1339
1340#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1341        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1342
1343#define MODULE_ALIAS_NFT_EXPR(name) \
1344        MODULE_ALIAS("nft-expr-" name)
1345
1346#define MODULE_ALIAS_NFT_OBJ(type) \
1347        MODULE_ALIAS("nft-obj-" __stringify(type))
1348
1349#if IS_ENABLED(CONFIG_NF_TABLES)
1350
1351/*
1352 * The gencursor defines two generations, the currently active and the
1353 * next one. Objects contain a bitmask of 2 bits specifying the generations
1354 * they're active in. A set bit means they're inactive in the generation
1355 * represented by that bit.
1356 *
1357 * New objects start out as inactive in the current and active in the
1358 * next generation. When committing the ruleset the bitmask is cleared,
1359 * meaning they're active in all generations. When removing an object,
1360 * it is set inactive in the next generation. After committing the ruleset,
1361 * the objects are removed.
1362 */
1363static inline unsigned int nft_gencursor_next(const struct net *net)
1364{
1365        return net->nft.gencursor + 1 == 1 ? 1 : 0;
1366}
1367
1368static inline u8 nft_genmask_next(const struct net *net)
1369{
1370        return 1 << nft_gencursor_next(net);
1371}
1372
1373static inline u8 nft_genmask_cur(const struct net *net)
1374{
1375        /* Use READ_ONCE() to prevent refetching the value for atomicity */
1376        return 1 << READ_ONCE(net->nft.gencursor);
1377}
1378
1379#define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
1380
1381/*
1382 * Generic transaction helpers
1383 */
1384
1385/* Check if this object is currently active. */
1386#define nft_is_active(__net, __obj)                             \
1387        (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1388
1389/* Check if this object is active in the next generation. */
1390#define nft_is_active_next(__net, __obj)                        \
1391        (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1392
1393/* This object becomes active in the next generation. */
1394#define nft_activate_next(__net, __obj)                         \
1395        (__obj)->genmask = nft_genmask_cur(__net)
1396
1397/* This object becomes inactive in the next generation. */
1398#define nft_deactivate_next(__net, __obj)                       \
1399        (__obj)->genmask = nft_genmask_next(__net)
1400
1401/* After committing the ruleset, clear the stale generation bit. */
1402#define nft_clear(__net, __obj)                                 \
1403        (__obj)->genmask &= ~nft_genmask_next(__net)
1404#define nft_active_genmask(__obj, __genmask)                    \
1405        !((__obj)->genmask & __genmask)
1406
1407/*
1408 * Set element transaction helpers
1409 */
1410
1411static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1412                                       u8 genmask)
1413{
1414        return !(ext->genmask & genmask);
1415}
1416
1417static inline void nft_set_elem_change_active(const struct net *net,
1418                                              const struct nft_set *set,
1419                                              struct nft_set_ext *ext)
1420{
1421        ext->genmask ^= nft_genmask_next(net);
1422}
1423
1424#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1425
1426/*
1427 * We use a free bit in the genmask field to indicate the element
1428 * is busy, meaning it is currently being processed either by
1429 * the netlink API or GC.
1430 *
1431 * Even though the genmask is only a single byte wide, this works
1432 * because the extension structure if fully constant once initialized,
1433 * so there are no non-atomic write accesses unless it is already
1434 * marked busy.
1435 */
1436#define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
1437
1438#if defined(__LITTLE_ENDIAN_BITFIELD)
1439#define NFT_SET_ELEM_BUSY_BIT   2
1440#elif defined(__BIG_ENDIAN_BITFIELD)
1441#define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
1442#else
1443#error
1444#endif
1445
1446static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1447{
1448        unsigned long *word = (unsigned long *)ext;
1449
1450        BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1451        return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1452}
1453
1454static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1455{
1456        unsigned long *word = (unsigned long *)ext;
1457
1458        clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1459}
1460
1461/**
1462 *      struct nft_trans - nf_tables object update in transaction
1463 *
1464 *      @list: used internally
1465 *      @msg_type: message type
1466 *      @put_net: ctx->net needs to be put
1467 *      @ctx: transaction context
1468 *      @data: internal information related to the transaction
1469 */
1470struct nft_trans {
1471        struct list_head                list;
1472        int                             msg_type;
1473        bool                            put_net;
1474        struct nft_ctx                  ctx;
1475        char                            data[];
1476};
1477
1478struct nft_trans_rule {
1479        struct nft_rule                 *rule;
1480        struct nft_flow_rule            *flow;
1481        u32                             rule_id;
1482};
1483
1484#define nft_trans_rule(trans)   \
1485        (((struct nft_trans_rule *)trans->data)->rule)
1486#define nft_trans_flow_rule(trans)      \
1487        (((struct nft_trans_rule *)trans->data)->flow)
1488#define nft_trans_rule_id(trans)        \
1489        (((struct nft_trans_rule *)trans->data)->rule_id)
1490
1491struct nft_trans_set {
1492        struct nft_set                  *set;
1493        u32                             set_id;
1494        bool                            bound;
1495};
1496
1497#define nft_trans_set(trans)    \
1498        (((struct nft_trans_set *)trans->data)->set)
1499#define nft_trans_set_id(trans) \
1500        (((struct nft_trans_set *)trans->data)->set_id)
1501#define nft_trans_set_bound(trans)      \
1502        (((struct nft_trans_set *)trans->data)->bound)
1503
1504struct nft_trans_chain {
1505        bool                            update;
1506        char                            *name;
1507        struct nft_stats __percpu       *stats;
1508        u8                              policy;
1509        u32                             chain_id;
1510};
1511
1512#define nft_trans_chain_update(trans)   \
1513        (((struct nft_trans_chain *)trans->data)->update)
1514#define nft_trans_chain_name(trans)     \
1515        (((struct nft_trans_chain *)trans->data)->name)
1516#define nft_trans_chain_stats(trans)    \
1517        (((struct nft_trans_chain *)trans->data)->stats)
1518#define nft_trans_chain_policy(trans)   \
1519        (((struct nft_trans_chain *)trans->data)->policy)
1520#define nft_trans_chain_id(trans)       \
1521        (((struct nft_trans_chain *)trans->data)->chain_id)
1522
1523struct nft_trans_table {
1524        bool                            update;
1525};
1526
1527#define nft_trans_table_update(trans)   \
1528        (((struct nft_trans_table *)trans->data)->update)
1529
1530struct nft_trans_elem {
1531        struct nft_set                  *set;
1532        struct nft_set_elem             elem;
1533        bool                            bound;
1534};
1535
1536#define nft_trans_elem_set(trans)       \
1537        (((struct nft_trans_elem *)trans->data)->set)
1538#define nft_trans_elem(trans)   \
1539        (((struct nft_trans_elem *)trans->data)->elem)
1540#define nft_trans_elem_set_bound(trans) \
1541        (((struct nft_trans_elem *)trans->data)->bound)
1542
1543struct nft_trans_obj {
1544        struct nft_object               *obj;
1545        struct nft_object               *newobj;
1546        bool                            update;
1547};
1548
1549#define nft_trans_obj(trans)    \
1550        (((struct nft_trans_obj *)trans->data)->obj)
1551#define nft_trans_obj_newobj(trans) \
1552        (((struct nft_trans_obj *)trans->data)->newobj)
1553#define nft_trans_obj_update(trans)     \
1554        (((struct nft_trans_obj *)trans->data)->update)
1555
1556struct nft_trans_flowtable {
1557        struct nft_flowtable            *flowtable;
1558        bool                            update;
1559        struct list_head                hook_list;
1560        u32                             flags;
1561};
1562
1563#define nft_trans_flowtable(trans)      \
1564        (((struct nft_trans_flowtable *)trans->data)->flowtable)
1565#define nft_trans_flowtable_update(trans)       \
1566        (((struct nft_trans_flowtable *)trans->data)->update)
1567#define nft_trans_flowtable_hooks(trans)        \
1568        (((struct nft_trans_flowtable *)trans->data)->hook_list)
1569#define nft_trans_flowtable_flags(trans)        \
1570        (((struct nft_trans_flowtable *)trans->data)->flags)
1571
1572int __init nft_chain_filter_init(void);
1573void nft_chain_filter_fini(void);
1574
1575void __init nft_chain_route_init(void);
1576void nft_chain_route_fini(void);
1577
1578void nf_tables_trans_destroy_flush_work(void);
1579
1580int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
1581__be64 nf_jiffies64_to_msecs(u64 input);
1582
1583#ifdef CONFIG_MODULES
1584__printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...);
1585#else
1586static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; }
1587#endif
1588
1589struct nftables_pernet {
1590        struct list_head        tables;
1591        struct list_head        commit_list;
1592        struct list_head        module_list;
1593        struct list_head        notify_list;
1594        struct mutex            commit_mutex;
1595        unsigned int            base_seq;
1596        u8                      validate_state;
1597};
1598
1599extern unsigned int nf_tables_net_id;
1600
1601static inline struct nftables_pernet *nft_pernet(const struct net *net)
1602{
1603        return net_generic(net, nf_tables_net_id);
1604}
1605
1606#endif /* _NET_NF_TABLES_H */
1607