LXR linux/include/net/netfilter/nf

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _NET_NF_TABLES_H
   3#define _NET_NF_TABLES_H
   4
   5#include <linux/list.h>
   6#include <linux/netfilter.h>
   7#include <linux/netfilter/nfnetlink.h>
   8#include <linux/netfilter/x_tables.h>
   9#include <linux/netfilter/nf_tables.h>
  10#include <linux/u64_stats_sync.h>
  11#include <linux/rhashtable.h>
  12#include <net/netfilter/nf_flow_table.h>
  13#include <net/netlink.h>
  14
  15struct module;
  16
  17#define NFT_JUMP_STACK_SIZE     16
  18
  19struct nft_pktinfo {
  20        struct sk_buff                  *skb;
  21        bool                            tprot_set;
  22        u8                              tprot;
  23        /* for x_tables compatibility */
  24        struct xt_action_param          xt;
  25};
  26
  27static inline struct net *nft_net(const struct nft_pktinfo *pkt)
  28{
  29        return pkt->xt.state->net;
  30}
  31
  32static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
  33{
  34        return pkt->xt.state->hook;
  35}
  36
  37static inline u8 nft_pf(const struct nft_pktinfo *pkt)
  38{
  39        return pkt->xt.state->pf;
  40}
  41
  42static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
  43{
  44        return pkt->xt.state->in;
  45}
  46
  47static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
  48{
  49        return pkt->xt.state->out;
  50}
  51
  52static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  53                                   struct sk_buff *skb,
  54                                   const struct nf_hook_state *state)
  55{
  56        pkt->skb = skb;
  57        pkt->xt.state = state;
  58}
  59
  60static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
  61                                          struct sk_buff *skb)
  62{
  63        pkt->tprot_set = false;
  64        pkt->tprot = 0;
  65        pkt->xt.thoff = 0;
  66        pkt->xt.fragoff = 0;
  67}
  68
  69/**
  70 *      struct nft_verdict - nf_tables verdict
  71 *
  72 *      @code: nf_tables/netfilter verdict code
  73 *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  74 */
  75struct nft_verdict {
  76        u32                             code;
  77        struct nft_chain                *chain;
  78};
  79
  80struct nft_data {
  81        union {
  82                u32                     data[4];
  83                struct nft_verdict      verdict;
  84        };
  85} __attribute__((aligned(__alignof__(u64))));
  86
  87/**
  88 *      struct nft_regs - nf_tables register set
  89 *
  90 *      @data: data registers
  91 *      @verdict: verdict register
  92 *
  93 *      The first four data registers alias to the verdict register.
  94 */
  95struct nft_regs {
  96        union {
  97                u32                     data[20];
  98                struct nft_verdict      verdict;
  99        };
 100};
 101
 102/* Store/load an u16 or u8 integer to/from the u32 data register.
 103 *
 104 * Note, when using concatenations, register allocation happens at 32-bit
 105 * level. So for store instruction, pad the rest part with zero to avoid
 106 * garbage values.
 107 */
 108
 109static inline void nft_reg_store16(u32 *dreg, u16 val)
 110{
 111        *dreg = 0;
 112        *(u16 *)dreg = val;
 113}
 114
 115static inline void nft_reg_store8(u32 *dreg, u8 val)
 116{
 117        *dreg = 0;
 118        *(u8 *)dreg = val;
 119}
 120
 121static inline u16 nft_reg_load16(u32 *sreg)
 122{
 123        return *(u16 *)sreg;
 124}
 125
 126static inline u8 nft_reg_load8(u32 *sreg)
 127{
 128        return *(u8 *)sreg;
 129}
 130
 131static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 132                                 unsigned int len)
 133{
 134        memcpy(dst, src, len);
 135}
 136
 137static inline void nft_data_debug(const struct nft_data *data)
 138{
 139        pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
 140                 data->data[0], data->data[1],
 141                 data->data[2], data->data[3]);
 142}
 143
 144/**
 145 *      struct nft_ctx - nf_tables rule/set context
 146 *
 147 *      @net: net namespace
 148 *      @table: the table the chain is contained in
 149 *      @chain: the chain the rule is contained in
 150 *      @nla: netlink attributes
 151 *      @portid: netlink portID of the original message
 152 *      @seq: netlink sequence number
 153 *      @family: protocol family
 154 *      @level: depth of the chains
 155 *      @report: notify via unicast netlink message
 156 */
 157struct nft_ctx {
 158        struct net                      *net;
 159        struct nft_table                *table;
 160        struct nft_chain                *chain;
 161        const struct nlattr * const     *nla;
 162        u32                             portid;
 163        u32                             seq;
 164        u8                              family;
 165        u8                              level;
 166        bool                            report;
 167};
 168
 169struct nft_data_desc {
 170        enum nft_data_types             type;
 171        unsigned int                    len;
 172};
 173
 174int nft_data_init(const struct nft_ctx *ctx,
 175                  struct nft_data *data, unsigned int size,
 176                  struct nft_data_desc *desc, const struct nlattr *nla);
 177void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 178void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 179int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 180                  enum nft_data_types type, unsigned int len);
 181
 182static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 183{
 184        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 185}
 186
 187static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 188{
 189        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 190}
 191
 192int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
 193unsigned int nft_parse_register(const struct nlattr *attr);
 194int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 195
 196int nft_validate_register_load(enum nft_registers reg, unsigned int len);
 197int nft_validate_register_store(const struct nft_ctx *ctx,
 198                                enum nft_registers reg,
 199                                const struct nft_data *data,
 200                                enum nft_data_types type, unsigned int len);
 201
 202/**
 203 *      struct nft_userdata - user defined data associated with an object
 204 *
 205 *      @len: length of the data
 206 *      @data: content
 207 *
 208 *      The presence of user data is indicated in an object specific fashion,
 209 *      so a length of zero can't occur and the value "len" indicates data
 210 *      of length len + 1.
 211 */
 212struct nft_userdata {
 213        u8                      len;
 214        unsigned char           data[0];
 215};
 216
 217/**
 218 *      struct nft_set_elem - generic representation of set elements
 219 *
 220 *      @key: element key
 221 *      @priv: element private data and extensions
 222 */
 223struct nft_set_elem {
 224        union {
 225                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 226                struct nft_data val;
 227        } key;
 228        void                    *priv;
 229};
 230
 231struct nft_set;
 232struct nft_set_iter {
 233        u8              genmask;
 234        unsigned int    count;
 235        unsigned int    skip;
 236        int             err;
 237        int             (*fn)(const struct nft_ctx *ctx,
 238                              struct nft_set *set,
 239                              const struct nft_set_iter *iter,
 240                              struct nft_set_elem *elem);
 241};
 242
 243/**
 244 *      struct nft_set_desc - description of set elements
 245 *
 246 *      @klen: key length
 247 *      @dlen: data length
 248 *      @size: number of set elements
 249 */
 250struct nft_set_desc {
 251        unsigned int            klen;
 252        unsigned int            dlen;
 253        unsigned int            size;
 254};
 255
 256/**
 257 *      enum nft_set_class - performance class
 258 *
 259 *      @NFT_LOOKUP_O_1: constant, O(1)
 260 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 261 *      @NFT_LOOKUP_O_N: linear, O(N)
 262 */
 263enum nft_set_class {
 264        NFT_SET_CLASS_O_1,
 265        NFT_SET_CLASS_O_LOG_N,
 266        NFT_SET_CLASS_O_N,
 267};
 268
 269/**
 270 *      struct nft_set_estimate - estimation of memory and performance
 271 *                                characteristics
 272 *
 273 *      @size: required memory
 274 *      @lookup: lookup performance class
 275 *      @space: memory class
 276 */
 277struct nft_set_estimate {
 278        u64                     size;
 279        enum nft_set_class      lookup;
 280        enum nft_set_class      space;
 281};
 282
 283struct nft_set_ext;
 284struct nft_expr;
 285
 286/**
 287 *      struct nft_set_ops - nf_tables set operations
 288 *
 289 *      @lookup: look up an element within the set
 290 *      @insert: insert new element into set
 291 *      @activate: activate new element in the next generation
 292 *      @deactivate: lookup for element and deactivate it in the next generation
 293 *      @flush: deactivate element in the next generation
 294 *      @remove: remove element from set
 295 *      @walk: iterate over all set elemeennts
 296 *      @get: get set elements
 297 *      @privsize: function to return size of set private data
 298 *      @init: initialize private data of new set instance
 299 *      @destroy: destroy private data of set instance
 300 *      @elemsize: element private size
 301 */
 302struct nft_set_ops {
 303        bool                            (*lookup)(const struct net *net,
 304                                                  const struct nft_set *set,
 305                                                  const u32 *key,
 306                                                  const struct nft_set_ext **ext);
 307        bool                            (*update)(struct nft_set *set,
 308                                                  const u32 *key,
 309                                                  void *(*new)(struct nft_set *,
 310                                                               const struct nft_expr *,
 311                                                               struct nft_regs *),
 312                                                  const struct nft_expr *expr,
 313                                                  struct nft_regs *regs,
 314                                                  const struct nft_set_ext **ext);
 315
 316        int                             (*insert)(const struct net *net,
 317                                                  const struct nft_set *set,
 318                                                  const struct nft_set_elem *elem,
 319                                                  struct nft_set_ext **ext);
 320        void                            (*activate)(const struct net *net,
 321                                                    const struct nft_set *set,
 322                                                    const struct nft_set_elem *elem);
 323        void *                          (*deactivate)(const struct net *net,
 324                                                      const struct nft_set *set,
 325                                                      const struct nft_set_elem *elem);
 326        bool                            (*flush)(const struct net *net,
 327                                                 const struct nft_set *set,
 328                                                 void *priv);
 329        void                            (*remove)(const struct net *net,
 330                                                  const struct nft_set *set,
 331                                                  const struct nft_set_elem *elem);
 332        void                            (*walk)(const struct nft_ctx *ctx,
 333                                                struct nft_set *set,
 334                                                struct nft_set_iter *iter);
 335        void *                          (*get)(const struct net *net,
 336                                               const struct nft_set *set,
 337                                               const struct nft_set_elem *elem,
 338                                               unsigned int flags);
 339
 340        u64                             (*privsize)(const struct nlattr * const nla[],
 341                                                    const struct nft_set_desc *desc);
 342        bool                            (*estimate)(const struct nft_set_desc *desc,
 343                                                    u32 features,
 344                                                    struct nft_set_estimate *est);
 345        int                             (*init)(const struct nft_set *set,
 346                                                const struct nft_set_desc *desc,
 347                                                const struct nlattr * const nla[]);
 348        void                            (*destroy)(const struct nft_set *set);
 349        void                            (*gc_init)(const struct nft_set *set);
 350
 351        unsigned int                    elemsize;
 352};
 353
 354/**
 355 *      struct nft_set_type - nf_tables set type
 356 *
 357 *      @ops: set ops for this type
 358 *      @list: used internally
 359 *      @owner: module reference
 360 *      @features: features supported by the implementation
 361 */
 362struct nft_set_type {
 363        const struct nft_set_ops        ops;
 364        struct list_head                list;
 365        struct module                   *owner;
 366        u32                             features;
 367};
 368#define to_set_type(o) container_of(o, struct nft_set_type, ops)
 369
 370int nft_register_set(struct nft_set_type *type);
 371void nft_unregister_set(struct nft_set_type *type);
 372
 373/**
 374 *      struct nft_set - nf_tables set instance
 375 *
 376 *      @list: table set list node
 377 *      @bindings: list of set bindings
 378 *      @table: table this set belongs to
 379 *      @net: netnamespace this set belongs to
 380 *      @name: name of the set
 381 *      @handle: unique handle of the set
 382 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 383 *      @dtype: data type (verdict or numeric type defined by userspace)
 384 *      @objtype: object type (see NFT_OBJECT_* definitions)
 385 *      @size: maximum set size
 386 *      @use: number of rules references to this set
 387 *      @nelems: number of elements
 388 *      @ndeact: number of deactivated elements queued for removal
 389 *      @timeout: default timeout value in jiffies
 390 *      @gc_int: garbage collection interval in msecs
 391 *      @policy: set parameterization (see enum nft_set_policies)
 392 *      @udlen: user data length
 393 *      @udata: user data
 394 *      @ops: set ops
 395 *      @flags: set flags
 396 *      @genmask: generation mask
 397 *      @klen: key length
 398 *      @dlen: data length
 399 *      @data: private set data
 400 */
 401struct nft_set {
 402        struct list_head                list;
 403        struct list_head                bindings;
 404        struct nft_table                *table;
 405        possible_net_t                  net;
 406        char                            *name;
 407        u64                             handle;
 408        u32                             ktype;
 409        u32                             dtype;
 410        u32                             objtype;
 411        u32                             size;
 412        u32                             use;
 413        atomic_t                        nelems;
 414        u32                             ndeact;
 415        u64                             timeout;
 416        u32                             gc_int;
 417        u16                             policy;
 418        u16                             udlen;
 419        unsigned char                   *udata;
 420        /* runtime data below here */
 421        const struct nft_set_ops        *ops ____cacheline_aligned;
 422        u16                             flags:13,
 423                                        bound:1,
 424                                        genmask:2;
 425        u8                              klen;
 426        u8                              dlen;
 427        unsigned char                   data[]
 428                __attribute__((aligned(__alignof__(u64))));
 429};
 430
 431static inline bool nft_set_is_anonymous(const struct nft_set *set)
 432{
 433        return set->flags & NFT_SET_ANONYMOUS;
 434}
 435
 436static inline void *nft_set_priv(const struct nft_set *set)
 437{
 438        return (void *)set->data;
 439}
 440
 441static inline struct nft_set *nft_set_container_of(const void *priv)
 442{
 443        return (void *)priv - offsetof(struct nft_set, data);
 444}
 445
 446struct nft_set *nft_set_lookup_global(const struct net *net,
 447                                      const struct nft_table *table,
 448                                      const struct nlattr *nla_set_name,
 449                                      const struct nlattr *nla_set_id,
 450                                      u8 genmask);
 451
 452static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 453{
 454        return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 455}
 456
 457/**
 458 *      struct nft_set_binding - nf_tables set binding
 459 *
 460 *      @list: set bindings list node
 461 *      @chain: chain containing the rule bound to the set
 462 *      @flags: set action flags
 463 *
 464 *      A set binding contains all information necessary for validation
 465 *      of new elements added to a bound set.
 466 */
 467struct nft_set_binding {
 468        struct list_head                list;
 469        const struct nft_chain          *chain;
 470        u32                             flags;
 471};
 472
 473enum nft_trans_phase;
 474void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 475                              struct nft_set_binding *binding,
 476                              enum nft_trans_phase phase);
 477int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 478                       struct nft_set_binding *binding);
 479void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
 480
 481/**
 482 *      enum nft_set_extensions - set extension type IDs
 483 *
 484 *      @NFT_SET_EXT_KEY: element key
 485 *      @NFT_SET_EXT_DATA: mapping data
 486 *      @NFT_SET_EXT_FLAGS: element flags
 487 *      @NFT_SET_EXT_TIMEOUT: element timeout
 488 *      @NFT_SET_EXT_EXPIRATION: element expiration time
 489 *      @NFT_SET_EXT_USERDATA: user data associated with the element
 490 *      @NFT_SET_EXT_EXPR: expression assiociated with the element
 491 *      @NFT_SET_EXT_OBJREF: stateful object reference associated with element
 492 *      @NFT_SET_EXT_NUM: number of extension types
 493 */
 494enum nft_set_extensions {
 495        NFT_SET_EXT_KEY,
 496        NFT_SET_EXT_DATA,
 497        NFT_SET_EXT_FLAGS,
 498        NFT_SET_EXT_TIMEOUT,
 499        NFT_SET_EXT_EXPIRATION,
 500        NFT_SET_EXT_USERDATA,
 501        NFT_SET_EXT_EXPR,
 502        NFT_SET_EXT_OBJREF,
 503        NFT_SET_EXT_NUM
 504};
 505
 506/**
 507 *      struct nft_set_ext_type - set extension type
 508 *
 509 *      @len: fixed part length of the extension
 510 *      @align: alignment requirements of the extension
 511 */
 512struct nft_set_ext_type {
 513        u8      len;
 514        u8      align;
 515};
 516
 517extern const struct nft_set_ext_type nft_set_ext_types[];
 518
 519/**
 520 *      struct nft_set_ext_tmpl - set extension template
 521 *
 522 *      @len: length of extension area
 523 *      @offset: offsets of individual extension types
 524 */
 525struct nft_set_ext_tmpl {
 526        u16     len;
 527        u8      offset[NFT_SET_EXT_NUM];
 528};
 529
 530/**
 531 *      struct nft_set_ext - set extensions
 532 *
 533 *      @genmask: generation mask
 534 *      @offset: offsets of individual extension types
 535 *      @data: beginning of extension data
 536 */
 537struct nft_set_ext {
 538        u8      genmask;
 539        u8      offset[NFT_SET_EXT_NUM];
 540        char    data[0];
 541};
 542
 543static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 544{
 545        memset(tmpl, 0, sizeof(*tmpl));
 546        tmpl->len = sizeof(struct nft_set_ext);
 547}
 548
 549static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 550                                          unsigned int len)
 551{
 552        tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 553        BUG_ON(tmpl->len > U8_MAX);
 554        tmpl->offset[id] = tmpl->len;
 555        tmpl->len       += nft_set_ext_types[id].len + len;
 556}
 557
 558static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 559{
 560        nft_set_ext_add_length(tmpl, id, 0);
 561}
 562
 563static inline void nft_set_ext_init(struct nft_set_ext *ext,
 564                                    const struct nft_set_ext_tmpl *tmpl)
 565{
 566        memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 567}
 568
 569static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 570{
 571        return !!ext->offset[id];
 572}
 573
 574static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 575{
 576        return ext && __nft_set_ext_exists(ext, id);
 577}
 578
 579static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 580{
 581        return (void *)ext + ext->offset[id];
 582}
 583
 584static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 585{
 586        return nft_set_ext(ext, NFT_SET_EXT_KEY);
 587}
 588
 589static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 590{
 591        return nft_set_ext(ext, NFT_SET_EXT_DATA);
 592}
 593
 594static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 595{
 596        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 597}
 598
 599static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 600{
 601        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 602}
 603
 604static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
 605{
 606        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 607}
 608
 609static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 610{
 611        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 612}
 613
 614static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 615{
 616        return nft_set_ext(ext, NFT_SET_EXT_EXPR);
 617}
 618
 619static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 620{
 621        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 622               time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
 623}
 624
 625static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 626                                                   void *elem)
 627{
 628        return elem + set->ops->elemsize;
 629}
 630
 631static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
 632{
 633        return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
 634}
 635
 636void *nft_set_elem_init(const struct nft_set *set,
 637                        const struct nft_set_ext_tmpl *tmpl,
 638                        const u32 *key, const u32 *data,
 639                        u64 timeout, gfp_t gfp);
 640void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 641                          bool destroy_expr);
 642
 643/**
 644 *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 645 *
 646 *      @rcu: rcu head
 647 *      @set: set the elements belong to
 648 *      @cnt: count of elements
 649 */
 650struct nft_set_gc_batch_head {
 651        struct rcu_head                 rcu;
 652        const struct nft_set            *set;
 653        unsigned int                    cnt;
 654};
 655
 656#define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 657                                  sizeof(struct nft_set_gc_batch_head)) / \
 658                                 sizeof(void *))
 659
 660/**
 661 *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 662 *
 663 *      @head: GC batch head
 664 *      @elems: garbage collection elements
 665 */
 666struct nft_set_gc_batch {
 667        struct nft_set_gc_batch_head    head;
 668        void                            *elems[NFT_SET_GC_BATCH_SIZE];
 669};
 670
 671struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 672                                                gfp_t gfp);
 673void nft_set_gc_batch_release(struct rcu_head *rcu);
 674
 675static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 676{
 677        if (gcb != NULL)
 678                call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 679}
 680
 681static inline struct nft_set_gc_batch *
 682nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 683                       gfp_t gfp)
 684{
 685        if (gcb != NULL) {
 686                if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 687                        return gcb;
 688                nft_set_gc_batch_complete(gcb);
 689        }
 690        return nft_set_gc_batch_alloc(set, gfp);
 691}
 692
 693static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 694                                        void *elem)
 695{
 696        gcb->elems[gcb->head.cnt++] = elem;
 697}
 698
 699struct nft_expr_ops;
 700/**
 701 *      struct nft_expr_type - nf_tables expression type
 702 *
 703 *      @select_ops: function to select nft_expr_ops
 704 *      @release_ops: release nft_expr_ops
 705 *      @ops: default ops, used when no select_ops functions is present
 706 *      @list: used internally
 707 *      @name: Identifier
 708 *      @owner: module reference
 709 *      @policy: netlink attribute policy
 710 *      @maxattr: highest netlink attribute number
 711 *      @family: address family for AF-specific types
 712 *      @flags: expression type flags
 713 */
 714struct nft_expr_type {
 715        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 716                                                       const struct nlattr * const tb[]);
 717        void                            (*release_ops)(const struct nft_expr_ops *ops);
 718        const struct nft_expr_ops       *ops;
 719        struct list_head                list;
 720        const char                      *name;
 721        struct module                   *owner;
 722        const struct nla_policy         *policy;
 723        unsigned int                    maxattr;
 724        u8                              family;
 725        u8                              flags;
 726};
 727
 728#define NFT_EXPR_STATEFUL               0x1
 729#define NFT_EXPR_GC                     0x2
 730
 731enum nft_trans_phase {
 732        NFT_TRANS_PREPARE,
 733        NFT_TRANS_ABORT,
 734        NFT_TRANS_COMMIT,
 735        NFT_TRANS_RELEASE
 736};
 737
 738/**
 739 *      struct nft_expr_ops - nf_tables expression operations
 740 *
 741 *      @eval: Expression evaluation function
 742 *      @size: full expression size, including private data size
 743 *      @init: initialization function
 744 *      @activate: activate expression in the next generation
 745 *      @deactivate: deactivate expression in next generation
 746 *      @destroy: destruction function, called after synchronize_rcu
 747 *      @dump: function to dump parameters
 748 *      @type: expression type
 749 *      @validate: validate expression, called during loop detection
 750 *      @data: extra data to attach to this expression operation
 751 */
 752struct nft_expr;
 753struct nft_expr_ops {
 754        void                            (*eval)(const struct nft_expr *expr,
 755                                                struct nft_regs *regs,
 756                                                const struct nft_pktinfo *pkt);
 757        int                             (*clone)(struct nft_expr *dst,
 758                                                 const struct nft_expr *src);
 759        unsigned int                    size;
 760
 761        int                             (*init)(const struct nft_ctx *ctx,
 762                                                const struct nft_expr *expr,
 763                                                const struct nlattr * const tb[]);
 764        void                            (*activate)(const struct nft_ctx *ctx,
 765                                                    const struct nft_expr *expr);
 766        void                            (*deactivate)(const struct nft_ctx *ctx,
 767                                                      const struct nft_expr *expr,
 768                                                      enum nft_trans_phase phase);
 769        void                            (*destroy)(const struct nft_ctx *ctx,
 770                                                   const struct nft_expr *expr);
 771        void                            (*destroy_clone)(const struct nft_ctx *ctx,
 772                                                         const struct nft_expr *expr);
 773        int                             (*dump)(struct sk_buff *skb,
 774                                                const struct nft_expr *expr);
 775        int                             (*validate)(const struct nft_ctx *ctx,
 776                                                    const struct nft_expr *expr,
 777                                                    const struct nft_data **data);
 778        bool                            (*gc)(struct net *net,
 779                                              const struct nft_expr *expr);
 780        const struct nft_expr_type      *type;
 781        void                            *data;
 782};
 783
 784#define NFT_EXPR_MAXATTR                16
 785#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 786                                         ALIGN(size, __alignof__(struct nft_expr)))
 787
 788/**
 789 *      struct nft_expr - nf_tables expression
 790 *
 791 *      @ops: expression ops
 792 *      @data: expression private data
 793 */
 794struct nft_expr {
 795        const struct nft_expr_ops       *ops;
 796        unsigned char                   data[];
 797};
 798
 799static inline void *nft_expr_priv(const struct nft_expr *expr)
 800{
 801        return (void *)expr->data;
 802}
 803
 804struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
 805                               const struct nlattr *nla);
 806void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 807int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 808                  const struct nft_expr *expr);
 809
 810/**
 811 *      struct nft_rule - nf_tables rule
 812 *
 813 *      @list: used internally
 814 *      @handle: rule handle
 815 *      @genmask: generation mask
 816 *      @dlen: length of expression data
 817 *      @udata: user data is appended to the rule
 818 *      @data: expression data
 819 */
 820struct nft_rule {
 821        struct list_head                list;
 822        u64                             handle:42,
 823                                        genmask:2,
 824                                        dlen:12,
 825                                        udata:1;
 826        unsigned char                   data[]
 827                __attribute__((aligned(__alignof__(struct nft_expr))));
 828};
 829
 830static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 831{
 832        return (struct nft_expr *)&rule->data[0];
 833}
 834
 835static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 836{
 837        return ((void *)expr) + expr->ops->size;
 838}
 839
 840static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 841{
 842        return (struct nft_expr *)&rule->data[rule->dlen];
 843}
 844
 845static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 846{
 847        return (void *)&rule->data[rule->dlen];
 848}
 849
 850/*
 851 * The last pointer isn't really necessary, but the compiler isn't able to
 852 * determine that the result of nft_expr_last() is always the same since it
 853 * can't assume that the dlen value wasn't changed within calls in the loop.
 854 */
 855#define nft_rule_for_each_expr(expr, last, rule) \
 856        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 857             (expr) != (last); \
 858             (expr) = nft_expr_next(expr))
 859
 860enum nft_chain_flags {
 861        NFT_BASE_CHAIN                  = 0x1,
 862};
 863
 864/**
 865 *      struct nft_chain - nf_tables chain
 866 *
 867 *      @rules: list of rules in the chain
 868 *      @list: used internally
 869 *      @rhlhead: used internally
 870 *      @table: table that this chain belongs to
 871 *      @handle: chain handle
 872 *      @use: number of jump references to this chain
 873 *      @flags: bitmask of enum nft_chain_flags
 874 *      @name: name of the chain
 875 */
 876struct nft_chain {
 877        struct nft_rule                 *__rcu *rules_gen_0;
 878        struct nft_rule                 *__rcu *rules_gen_1;
 879        struct list_head                rules;
 880        struct list_head                list;
 881        struct rhlist_head              rhlhead;
 882        struct nft_table                *table;
 883        u64                             handle;
 884        u32                             use;
 885        u8                              flags:6,
 886                                        genmask:2;
 887        char                            *name;
 888
 889        /* Only used during control plane commit phase: */
 890        struct nft_rule                 **rules_next;
 891};
 892
 893int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
 894
 895enum nft_chain_types {
 896        NFT_CHAIN_T_DEFAULT = 0,
 897        NFT_CHAIN_T_ROUTE,
 898        NFT_CHAIN_T_NAT,
 899        NFT_CHAIN_T_MAX
 900};
 901
 902/**
 903 *      struct nft_chain_type - nf_tables chain type info
 904 *
 905 *      @name: name of the type
 906 *      @type: numeric identifier
 907 *      @family: address family
 908 *      @owner: module owner
 909 *      @hook_mask: mask of valid hooks
 910 *      @hooks: array of hook functions
 911 *      @ops_register: base chain register function
 912 *      @ops_unregister: base chain unregister function
 913 */
 914struct nft_chain_type {
 915        const char                      *name;
 916        enum nft_chain_types            type;
 917        int                             family;
 918        struct module                   *owner;
 919        unsigned int                    hook_mask;
 920        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 921        int                             (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
 922        void                            (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
 923};
 924
 925int nft_chain_validate_dependency(const struct nft_chain *chain,
 926                                  enum nft_chain_types type);
 927int nft_chain_validate_hooks(const struct nft_chain *chain,
 928                             unsigned int hook_flags);
 929
 930struct nft_stats {
 931        u64                     bytes;
 932        u64                     pkts;
 933        struct u64_stats_sync   syncp;
 934};
 935
 936/**
 937 *      struct nft_base_chain - nf_tables base chain
 938 *
 939 *      @ops: netfilter hook ops
 940 *      @type: chain type
 941 *      @policy: default policy
 942 *      @stats: per-cpu chain stats
 943 *      @chain: the chain
 944 *      @dev_name: device name that this base chain is attached to (if any)
 945 */
 946struct nft_base_chain {
 947        struct nf_hook_ops              ops;
 948        const struct nft_chain_type     *type;
 949        u8                              policy;
 950        u8                              flags;
 951        struct nft_stats __percpu       *stats;
 952        struct nft_chain                chain;
 953        char                            dev_name[IFNAMSIZ];
 954};
 955
 956static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
 957{
 958        return container_of(chain, struct nft_base_chain, chain);
 959}
 960
 961static inline bool nft_is_base_chain(const struct nft_chain *chain)
 962{
 963        return chain->flags & NFT_BASE_CHAIN;
 964}
 965
 966int __nft_release_basechain(struct nft_ctx *ctx);
 967
 968unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
 969
 970/**
 971 *      struct nft_table - nf_tables table
 972 *
 973 *      @list: used internally
 974 *      @chains_ht: chains in the table
 975 *      @chains: same, for stable walks
 976 *      @sets: sets in the table
 977 *      @objects: stateful objects in the table
 978 *      @flowtables: flow tables in the table
 979 *      @hgenerator: handle generator state
 980 *      @handle: table handle
 981 *      @use: number of chain references to this table
 982 *      @flags: table flag (see enum nft_table_flags)
 983 *      @genmask: generation mask
 984 *      @afinfo: address family info
 985 *      @name: name of the table
 986 */
 987struct nft_table {
 988        struct list_head                list;
 989        struct rhltable                 chains_ht;
 990        struct list_head                chains;
 991        struct list_head                sets;
 992        struct list_head                objects;
 993        struct list_head                flowtables;
 994        u64                             hgenerator;
 995        u64                             handle;
 996        u32                             use;
 997        u16                             family:6,
 998                                        flags:8,
 999                                        genmask:2;
1000        char                            *name;

1001};
1002
1003void nft_register_chain_type(const struct nft_chain_type *);
1004void nft_unregister_chain_type(const struct nft_chain_type *);
1005
1006int nft_register_expr(struct nft_expr_type *);
1007void nft_unregister_expr(struct nft_expr_type *);
1008
1009int nft_verdict_dump(struct sk_buff *skb, int type,
1010                     const struct nft_verdict *v);
1011
1012/**
1013 *      struct nft_object_hash_key - key to lookup nft_object
1014 *
1015 *      @name: name of the stateful object to look up
1016 *      @table: table the object belongs to
1017 */
1018struct nft_object_hash_key {
1019        const char                      *name;
1020        const struct nft_table          *table;
1021};
1022
1023/**
1024 *      struct nft_object - nf_tables stateful object
1025 *
1026 *      @list: table stateful object list node
1027 *      @key:  keys that identify this object
1028 *      @rhlhead: nft_objname_ht node
1029 *      @genmask: generation mask
1030 *      @use: number of references to this stateful object
1031 *      @handle: unique object handle
1032 *      @ops: object operations
1033 *      @data: object data, layout depends on type
1034 */
1035struct nft_object {
1036        struct list_head                list;
1037        struct rhlist_head              rhlhead;
1038        struct nft_object_hash_key      key;
1039        u32                             genmask:2,
1040                                        use:30;
1041        u64                             handle;
1042        /* runtime data below here */
1043        const struct nft_object_ops     *ops ____cacheline_aligned;
1044        unsigned char                   data[]
1045                __attribute__((aligned(__alignof__(u64))));
1046};
1047
1048static inline void *nft_obj_data(const struct nft_object *obj)
1049{
1050        return (void *)obj->data;
1051}
1052
1053#define nft_expr_obj(expr)      *((struct nft_object **)nft_expr_priv(expr))
1054
1055struct nft_object *nft_obj_lookup(const struct net *net,
1056                                  const struct nft_table *table,
1057                                  const struct nlattr *nla, u32 objtype,
1058                                  u8 genmask);
1059
1060void nft_obj_notify(struct net *net, const struct nft_table *table,
1061                    struct nft_object *obj, u32 portid, u32 seq,
1062                    int event, int family, int report, gfp_t gfp);
1063
1064/**
1065 *      struct nft_object_type - stateful object type
1066 *
1067 *      @select_ops: function to select nft_object_ops
1068 *      @ops: default ops, used when no select_ops functions is present
1069 *      @list: list node in list of object types
1070 *      @type: stateful object numeric type
1071 *      @owner: module owner
1072 *      @maxattr: maximum netlink attribute
1073 *      @policy: netlink attribute policy
1074 */
1075struct nft_object_type {
1076        const struct nft_object_ops     *(*select_ops)(const struct nft_ctx *,
1077                                                       const struct nlattr * const tb[]);
1078        const struct nft_object_ops     *ops;
1079        struct list_head                list;
1080        u32                             type;
1081        unsigned int                    maxattr;
1082        struct module                   *owner;
1083        const struct nla_policy         *policy;
1084};
1085
1086/**
1087 *      struct nft_object_ops - stateful object operations
1088 *
1089 *      @eval: stateful object evaluation function
1090 *      @size: stateful object size
1091 *      @init: initialize object from netlink attributes
1092 *      @destroy: release existing stateful object
1093 *      @dump: netlink dump stateful object
1094 */
1095struct nft_object_ops {
1096        void                            (*eval)(struct nft_object *obj,
1097                                                struct nft_regs *regs,
1098                                                const struct nft_pktinfo *pkt);
1099        unsigned int                    size;
1100        int                             (*init)(const struct nft_ctx *ctx,
1101                                                const struct nlattr *const tb[],
1102                                                struct nft_object *obj);
1103        void                            (*destroy)(const struct nft_ctx *ctx,
1104                                                   struct nft_object *obj);
1105        int                             (*dump)(struct sk_buff *skb,
1106                                                struct nft_object *obj,
1107                                                bool reset);
1108        const struct nft_object_type    *type;
1109};
1110
1111int nft_register_obj(struct nft_object_type *obj_type);
1112void nft_unregister_obj(struct nft_object_type *obj_type);
1113
1114#define NFT_FLOWTABLE_DEVICE_MAX        8
1115
1116/**
1117 *      struct nft_flowtable - nf_tables flow table
1118 *
1119 *      @list: flow table list node in table list
1120 *      @table: the table the flow table is contained in
1121 *      @name: name of this flow table
1122 *      @hooknum: hook number
1123 *      @priority: hook priority
1124 *      @ops_len: number of hooks in array
1125 *      @genmask: generation mask
1126 *      @use: number of references to this flow table
1127 *      @handle: unique object handle
1128 *      @dev_name: array of device names
1129 *      @data: rhashtable and garbage collector
1130 *      @ops: array of hooks
1131 */
1132struct nft_flowtable {
1133        struct list_head                list;
1134        struct nft_table                *table;
1135        char                            *name;
1136        int                             hooknum;
1137        int                             priority;
1138        int                             ops_len;
1139        u32                             genmask:2,
1140                                        use:30;
1141        u64                             handle;
1142        /* runtime data below here */
1143        struct nf_hook_ops              *ops ____cacheline_aligned;
1144        struct nf_flowtable             data;
1145};
1146
1147struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1148                                           const struct nlattr *nla,
1149                                           u8 genmask);
1150
1151void nft_register_flowtable_type(struct nf_flowtable_type *type);
1152void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1153
1154/**
1155 *      struct nft_traceinfo - nft tracing information and state
1156 *
1157 *      @pkt: pktinfo currently processed
1158 *      @basechain: base chain currently processed
1159 *      @chain: chain currently processed
1160 *      @rule:  rule that was evaluated
1161 *      @verdict: verdict given by rule
1162 *      @type: event type (enum nft_trace_types)
1163 *      @packet_dumped: packet headers sent in a previous traceinfo message
1164 *      @trace: other struct members are initialised
1165 */
1166struct nft_traceinfo {
1167        const struct nft_pktinfo        *pkt;
1168        const struct nft_base_chain     *basechain;
1169        const struct nft_chain          *chain;
1170        const struct nft_rule           *rule;
1171        const struct nft_verdict        *verdict;
1172        enum nft_trace_types            type;
1173        bool                            packet_dumped;
1174        bool                            trace;
1175};
1176
1177void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1178                    const struct nft_verdict *verdict,
1179                    const struct nft_chain *basechain);
1180
1181void nft_trace_notify(struct nft_traceinfo *info);
1182
1183#define MODULE_ALIAS_NFT_CHAIN(family, name) \
1184        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1185
1186#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1187        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1188
1189#define MODULE_ALIAS_NFT_EXPR(name) \
1190        MODULE_ALIAS("nft-expr-" name)
1191
1192#define MODULE_ALIAS_NFT_SET() \
1193        MODULE_ALIAS("nft-set")
1194
1195#define MODULE_ALIAS_NFT_OBJ(type) \
1196        MODULE_ALIAS("nft-obj-" __stringify(type))
1197
1198/*
1199 * The gencursor defines two generations, the currently active and the
1200 * next one. Objects contain a bitmask of 2 bits specifying the generations
1201 * they're active in. A set bit means they're inactive in the generation
1202 * represented by that bit.
1203 *
1204 * New objects start out as inactive in the current and active in the
1205 * next generation. When committing the ruleset the bitmask is cleared,
1206 * meaning they're active in all generations. When removing an object,
1207 * it is set inactive in the next generation. After committing the ruleset,
1208 * the objects are removed.
1209 */
1210static inline unsigned int nft_gencursor_next(const struct net *net)
1211{
1212        return net->nft.gencursor + 1 == 1 ? 1 : 0;
1213}
1214
1215static inline u8 nft_genmask_next(const struct net *net)
1216{
1217        return 1 << nft_gencursor_next(net);
1218}
1219
1220static inline u8 nft_genmask_cur(const struct net *net)
1221{
1222        /* Use READ_ONCE() to prevent refetching the value for atomicity */
1223        return 1 << READ_ONCE(net->nft.gencursor);
1224}
1225
1226#define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
1227
1228/*
1229 * Generic transaction helpers
1230 */
1231
1232/* Check if this object is currently active. */
1233#define nft_is_active(__net, __obj)                             \
1234        (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1235
1236/* Check if this object is active in the next generation. */
1237#define nft_is_active_next(__net, __obj)                        \
1238        (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1239
1240/* This object becomes active in the next generation. */
1241#define nft_activate_next(__net, __obj)                         \
1242        (__obj)->genmask = nft_genmask_cur(__net)
1243
1244/* This object becomes inactive in the next generation. */
1245#define nft_deactivate_next(__net, __obj)                       \
1246        (__obj)->genmask = nft_genmask_next(__net)
1247
1248/* After committing the ruleset, clear the stale generation bit. */
1249#define nft_clear(__net, __obj)                                 \
1250        (__obj)->genmask &= ~nft_genmask_next(__net)
1251#define nft_active_genmask(__obj, __genmask)                    \
1252        !((__obj)->genmask & __genmask)
1253
1254/*
1255 * Set element transaction helpers
1256 */
1257
1258static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1259                                       u8 genmask)
1260{
1261        return !(ext->genmask & genmask);
1262}
1263
1264static inline void nft_set_elem_change_active(const struct net *net,
1265                                              const struct nft_set *set,
1266                                              struct nft_set_ext *ext)
1267{
1268        ext->genmask ^= nft_genmask_next(net);
1269}
1270
1271/*
1272 * We use a free bit in the genmask field to indicate the element
1273 * is busy, meaning it is currently being processed either by
1274 * the netlink API or GC.
1275 *
1276 * Even though the genmask is only a single byte wide, this works
1277 * because the extension structure if fully constant once initialized,
1278 * so there are no non-atomic write accesses unless it is already
1279 * marked busy.
1280 */
1281#define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
1282
1283#if defined(__LITTLE_ENDIAN_BITFIELD)
1284#define NFT_SET_ELEM_BUSY_BIT   2
1285#elif defined(__BIG_ENDIAN_BITFIELD)
1286#define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
1287#else
1288#error
1289#endif
1290
1291static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1292{
1293        unsigned long *word = (unsigned long *)ext;
1294
1295        BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1296        return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1297}
1298
1299static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1300{
1301        unsigned long *word = (unsigned long *)ext;
1302
1303        clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1304}
1305
1306/**
1307 *      struct nft_trans - nf_tables object update in transaction
1308 *
1309 *      @list: used internally
1310 *      @msg_type: message type
1311 *      @put_net: ctx->net needs to be put
1312 *      @ctx: transaction context
1313 *      @data: internal information related to the transaction
1314 */
1315struct nft_trans {
1316        struct list_head                list;
1317        int                             msg_type;
1318        bool                            put_net;
1319        struct nft_ctx                  ctx;
1320        char                            data[0];
1321};
1322
1323struct nft_trans_rule {
1324        struct nft_rule                 *rule;
1325        u32                             rule_id;
1326};
1327
1328#define nft_trans_rule(trans)   \
1329        (((struct nft_trans_rule *)trans->data)->rule)
1330#define nft_trans_rule_id(trans)        \
1331        (((struct nft_trans_rule *)trans->data)->rule_id)
1332
1333struct nft_trans_set {
1334        struct nft_set                  *set;
1335        u32                             set_id;
1336};
1337
1338#define nft_trans_set(trans)    \
1339        (((struct nft_trans_set *)trans->data)->set)
1340#define nft_trans_set_id(trans) \
1341        (((struct nft_trans_set *)trans->data)->set_id)
1342
1343struct nft_trans_chain {
1344        bool                            update;
1345        char                            *name;
1346        struct nft_stats __percpu       *stats;
1347        u8                              policy;
1348};
1349
1350#define nft_trans_chain_update(trans)   \
1351        (((struct nft_trans_chain *)trans->data)->update)
1352#define nft_trans_chain_name(trans)     \
1353        (((struct nft_trans_chain *)trans->data)->name)
1354#define nft_trans_chain_stats(trans)    \
1355        (((struct nft_trans_chain *)trans->data)->stats)
1356#define nft_trans_chain_policy(trans)   \
1357        (((struct nft_trans_chain *)trans->data)->policy)
1358
1359struct nft_trans_table {
1360        bool                            update;
1361        bool                            enable;
1362};
1363
1364#define nft_trans_table_update(trans)   \
1365        (((struct nft_trans_table *)trans->data)->update)
1366#define nft_trans_table_enable(trans)   \
1367        (((struct nft_trans_table *)trans->data)->enable)
1368
1369struct nft_trans_elem {
1370        struct nft_set                  *set;
1371        struct nft_set_elem             elem;
1372};
1373
1374#define nft_trans_elem_set(trans)       \
1375        (((struct nft_trans_elem *)trans->data)->set)
1376#define nft_trans_elem(trans)   \
1377        (((struct nft_trans_elem *)trans->data)->elem)
1378
1379struct nft_trans_obj {
1380        struct nft_object               *obj;
1381};
1382
1383#define nft_trans_obj(trans)    \
1384        (((struct nft_trans_obj *)trans->data)->obj)
1385
1386struct nft_trans_flowtable {
1387        struct nft_flowtable            *flowtable;
1388};
1389
1390#define nft_trans_flowtable(trans)      \
1391        (((struct nft_trans_flowtable *)trans->data)->flowtable)
1392
1393int __init nft_chain_filter_init(void);
1394void nft_chain_filter_fini(void);
1395
1396void __init nft_chain_route_init(void);
1397void nft_chain_route_fini(void);
1398#endif /* _NET_NF_TABLES_H */
1399