linux/include/net/netfilter/nf_tables.h
<<
>>
Prefs 
   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _NET_NF_TABLES_H
   3#define _NET_NF_TABLES_H
   4
   5#include <linux/list.h>
   6#include <linux/netfilter.h>
   7#include <linux/netfilter/nfnetlink.h>
   8#include <linux/netfilter/x_tables.h>
   9#include <linux/netfilter/nf_tables.h>
  10#include <linux/u64_stats_sync.h>
  11#include <linux/rhashtable.h>
  12#include <net/netfilter/nf_flow_table.h>
  13#include <net/netlink.h>
  14#include <net/flow_offload.h>
  15
  16struct module;
  17
  18#define NFT_JUMP_STACK_SIZE     16
  19
  20struct nft_pktinfo {
  21        struct sk_buff                  *skb;
  22        bool                            tprot_set;
  23        u8                              tprot;
  24        /* for x_tables compatibility */
  25        struct xt_action_param          xt;
  26};
  27
  28static inline struct net *nft_net(const struct nft_pktinfo *pkt)
  29{
  30        return pkt->xt.state->net;
  31}
  32
  33static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
  34{
  35        return pkt->xt.state->hook;
  36}
  37
  38static inline u8 nft_pf(const struct nft_pktinfo *pkt)
  39{
  40        return pkt->xt.state->pf;
  41}
  42
  43static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
  44{
  45        return pkt->xt.state->in;
  46}
  47
  48static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
  49{
  50        return pkt->xt.state->out;
  51}
  52
  53static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  54                                   struct sk_buff *skb,
  55                                   const struct nf_hook_state *state)
  56{
  57        pkt->skb = skb;
  58        pkt->xt.state = state;
  59}
  60
  61static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
  62                                          struct sk_buff *skb)
  63{
  64        pkt->tprot_set = false;
  65        pkt->tprot = 0;
  66        pkt->xt.thoff = 0;
  67        pkt->xt.fragoff = 0;
  68}
  69
  70/**
  71 *      struct nft_verdict - nf_tables verdict
  72 *
  73 *      @code: nf_tables/netfilter verdict code
  74 *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  75 */
  76struct nft_verdict {
  77        u32                             code;
  78        struct nft_chain                *chain;
  79};
  80
  81struct nft_data {
  82        union {
  83                u32                     data[4];
  84                struct nft_verdict      verdict;
  85        };
  86} __attribute__((aligned(__alignof__(u64))));
  87
  88/**
  89 *      struct nft_regs - nf_tables register set
  90 *
  91 *      @data: data registers
  92 *      @verdict: verdict register
  93 *
  94 *      The first four data registers alias to the verdict register.
  95 */
  96struct nft_regs {
  97        union {
  98                u32                     data[20];
  99                struct nft_verdict      verdict;
 100        };
 101};
 102
 103/* Store/load an u16 or u8 integer to/from the u32 data register.
 104 *
 105 * Note, when using concatenations, register allocation happens at 32-bit
 106 * level. So for store instruction, pad the rest part with zero to avoid
 107 * garbage values.
 108 */
 109
 110static inline void nft_reg_store16(u32 *dreg, u16 val)
 111{
 112        *dreg = 0;
 113        *(u16 *)dreg = val;
 114}
 115
 116static inline void nft_reg_store8(u32 *dreg, u8 val)
 117{
 118        *dreg = 0;
 119        *(u8 *)dreg = val;
 120}
 121
 122static inline u16 nft_reg_load16(u32 *sreg)
 123{
 124        return *(u16 *)sreg;
 125}
 126
 127static inline u8 nft_reg_load8(u32 *sreg)
 128{
 129        return *(u8 *)sreg;
 130}
 131
 132static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 133                                 unsigned int len)
 134{
 135        memcpy(dst, src, len);
 136}
 137
 138static inline void nft_data_debug(const struct nft_data *data)
 139{
 140        pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
 141                 data->data[0], data->data[1],
 142                 data->data[2], data->data[3]);
 143}
 144
 145/**
 146 *      struct nft_ctx - nf_tables rule/set context
 147 *
 148 *      @net: net namespace
 149 *      @table: the table the chain is contained in
 150 *      @chain: the chain the rule is contained in
 151 *      @nla: netlink attributes
 152 *      @portid: netlink portID of the original message
 153 *      @seq: netlink sequence number
 154 *      @family: protocol family
 155 *      @level: depth of the chains
 156 *      @report: notify via unicast netlink message
 157 */
 158struct nft_ctx {
 159        struct net                      *net;
 160        struct nft_table                *table;
 161        struct nft_chain                *chain;
 162        const struct nlattr * const     *nla;
 163        u32                             portid;
 164        u32                             seq;
 165        u16                             flags;
 166        u8                              family;
 167        u8                              level;
 168        bool                            report;
 169};
 170
 171struct nft_data_desc {
 172        enum nft_data_types             type;
 173        unsigned int                    len;
 174};
 175
 176int nft_data_init(const struct nft_ctx *ctx,
 177                  struct nft_data *data, unsigned int size,
 178                  struct nft_data_desc *desc, const struct nlattr *nla);
 179void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 180void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 181int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 182                  enum nft_data_types type, unsigned int len);
 183
 184static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 185{
 186        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 187}
 188
 189static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 190{
 191        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 192}
 193
 194int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
 195unsigned int nft_parse_register(const struct nlattr *attr);
 196int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 197
 198int nft_validate_register_load(enum nft_registers reg, unsigned int len);
 199int nft_validate_register_store(const struct nft_ctx *ctx,
 200                                enum nft_registers reg,
 201                                const struct nft_data *data,
 202                                enum nft_data_types type, unsigned int len);
 203
 204/**
 205 *      struct nft_userdata - user defined data associated with an object
 206 *
 207 *      @len: length of the data
 208 *      @data: content
 209 *
 210 *      The presence of user data is indicated in an object specific fashion,
 211 *      so a length of zero can't occur and the value "len" indicates data
 212 *      of length len + 1.
 213 */
 214struct nft_userdata {
 215        u8                      len;
 216        unsigned char           data[0];
 217};
 218
 219/**
 220 *      struct nft_set_elem - generic representation of set elements
 221 *
 222 *      @key: element key
 223 *      @priv: element private data and extensions
 224 */
 225struct nft_set_elem {
 226        union {
 227                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 228                struct nft_data val;
 229        } key;
 230        void                    *priv;
 231};
 232
 233struct nft_set;
 234struct nft_set_iter {
 235        u8              genmask;
 236        unsigned int    count;
 237        unsigned int    skip;
 238        int             err;
 239        int             (*fn)(const struct nft_ctx *ctx,
 240                              struct nft_set *set,
 241                              const struct nft_set_iter *iter,
 242                              struct nft_set_elem *elem);
 243};
 244
 245/**
 246 *      struct nft_set_desc - description of set elements
 247 *
 248 *      @klen: key length
 249 *      @dlen: data length
 250 *      @size: number of set elements
 251 */
 252struct nft_set_desc {
 253        unsigned int            klen;
 254        unsigned int            dlen;
 255        unsigned int            size;
 256};
 257
 258/**
 259 *      enum nft_set_class - performance class
 260 *
 261 *      @NFT_LOOKUP_O_1: constant, O(1)
 262 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 263 *      @NFT_LOOKUP_O_N: linear, O(N)
 264 */
 265enum nft_set_class {
 266        NFT_SET_CLASS_O_1,
 267        NFT_SET_CLASS_O_LOG_N,
 268        NFT_SET_CLASS_O_N,
 269};
 270
 271/**
 272 *      struct nft_set_estimate - estimation of memory and performance
 273 *                                characteristics
 274 *
 275 *      @size: required memory
 276 *      @lookup: lookup performance class
 277 *      @space: memory class
 278 */
 279struct nft_set_estimate {
 280        u64                     size;
 281        enum nft_set_class      lookup;
 282        enum nft_set_class      space;
 283};
 284
 285struct nft_set_ext;
 286struct nft_expr;
 287
 288/**
 289 *      struct nft_set_ops - nf_tables set operations
 290 *
 291 *      @lookup: look up an element within the set
 292 *      @insert: insert new element into set
 293 *      @activate: activate new element in the next generation
 294 *      @deactivate: lookup for element and deactivate it in the next generation
 295 *      @flush: deactivate element in the next generation
 296 *      @remove: remove element from set
 297 *      @walk: iterate over all set elemeennts
 298 *      @get: get set elements
 299 *      @privsize: function to return size of set private data
 300 *      @init: initialize private data of new set instance
 301 *      @destroy: destroy private data of set instance
 302 *      @elemsize: element private size
 303 */
 304struct nft_set_ops {
 305        bool                            (*lookup)(const struct net *net,
 306                                                  const struct nft_set *set,
 307                                                  const u32 *key,
 308                                                  const struct nft_set_ext **ext);
 309        bool                            (*update)(struct nft_set *set,
 310                                                  const u32 *key,
 311                                                  void *(*new)(struct nft_set *,
 312                                                               const struct nft_expr *,
 313                                                               struct nft_regs *),
 314                                                  const struct nft_expr *expr,
 315                                                  struct nft_regs *regs,
 316                                                  const struct nft_set_ext **ext);
 317
 318        int                             (*insert)(const struct net *net,
 319                                                  const struct nft_set *set,
 320                                                  const struct nft_set_elem *elem,
 321                                                  struct nft_set_ext **ext);
 322        void                            (*activate)(const struct net *net,
 323                                                    const struct nft_set *set,
 324                                                    const struct nft_set_elem *elem);
 325        void *                          (*deactivate)(const struct net *net,
 326                                                      const struct nft_set *set,
 327                                                      const struct nft_set_elem *elem);
 328        bool                            (*flush)(const struct net *net,
 329                                                 const struct nft_set *set,
 330                                                 void *priv);
 331        void                            (*remove)(const struct net *net,
 332                                                  const struct nft_set *set,
 333                                                  const struct nft_set_elem *elem);
 334        void                            (*walk)(const struct nft_ctx *ctx,
 335                                                struct nft_set *set,
 336                                                struct nft_set_iter *iter);
 337        void *                          (*get)(const struct net *net,
 338                                               const struct nft_set *set,
 339                                               const struct nft_set_elem *elem,
 340                                               unsigned int flags);
 341
 342        u64                             (*privsize)(const struct nlattr * const nla[],
 343                                                    const struct nft_set_desc *desc);
 344        bool                            (*estimate)(const struct nft_set_desc *desc,
 345                                                    u32 features,
 346                                                    struct nft_set_estimate *est);
 347        int                             (*init)(const struct nft_set *set,
 348                                                const struct nft_set_desc *desc,
 349                                                const struct nlattr * const nla[]);
 350        void                            (*destroy)(const struct nft_set *set);
 351        void                            (*gc_init)(const struct nft_set *set);
 352
 353        unsigned int                    elemsize;
 354};
 355
 356/**
 357 *      struct nft_set_type - nf_tables set type
 358 *
 359 *      @ops: set ops for this type
 360 *      @list: used internally
 361 *      @owner: module reference
 362 *      @features: features supported by the implementation
 363 */
 364struct nft_set_type {
 365        const struct nft_set_ops        ops;
 366        struct list_head                list;
 367        struct module                   *owner;
 368        u32                             features;
 369};
 370#define to_set_type(o) container_of(o, struct nft_set_type, ops)
 371
 372int nft_register_set(struct nft_set_type *type);
 373void nft_unregister_set(struct nft_set_type *type);
 374
 375/**
 376 *      struct nft_set - nf_tables set instance
 377 *
 378 *      @list: table set list node
 379 *      @bindings: list of set bindings
 380 *      @table: table this set belongs to
 381 *      @net: netnamespace this set belongs to
 382 *      @name: name of the set
 383 *      @handle: unique handle of the set
 384 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 385 *      @dtype: data type (verdict or numeric type defined by userspace)
 386 *      @objtype: object type (see NFT_OBJECT_* definitions)
 387 *      @size: maximum set size
 388 *      @use: number of rules references to this set
 389 *      @nelems: number of elements
 390 *      @ndeact: number of deactivated elements queued for removal
 391 *      @timeout: default timeout value in jiffies
 392 *      @gc_int: garbage collection interval in msecs
 393 *      @policy: set parameterization (see enum nft_set_policies)
 394 *      @udlen: user data length
 395 *      @udata: user data
 396 *      @ops: set ops
 397 *      @flags: set flags
 398 *      @genmask: generation mask
 399 *      @klen: key length
 400 *      @dlen: data length
 401 *      @data: private set data
 402 */
 403struct nft_set {
 404        struct list_head                list;
 405        struct list_head                bindings;
 406        struct nft_table                *table;
 407        possible_net_t                  net;
 408        char                            *name;
 409        u64                             handle;
 410        u32                             ktype;
 411        u32                             dtype;
 412        u32                             objtype;
 413        u32                             size;
 414        u32                             use;
 415        atomic_t                        nelems;
 416        u32                             ndeact;
 417        u64                             timeout;
 418        u32                             gc_int;
 419        u16                             policy;
 420        u16                             udlen;
 421        unsigned char                   *udata;
 422        /* runtime data below here */
 423        const struct nft_set_ops        *ops ____cacheline_aligned;
 424        u16                             flags:14,
 425                                        genmask:2;
 426        u8                              klen;
 427        u8                              dlen;
 428        unsigned char                   data[]
 429                __attribute__((aligned(__alignof__(u64))));
 430};
 431
 432static inline bool nft_set_is_anonymous(const struct nft_set *set)
 433{
 434        return set->flags & NFT_SET_ANONYMOUS;
 435}
 436
 437static inline void *nft_set_priv(const struct nft_set *set)
 438{
 439        return (void *)set->data;
 440}
 441
 442static inline struct nft_set *nft_set_container_of(const void *priv)
 443{
 444        return (void *)priv - offsetof(struct nft_set, data);
 445}
 446
 447struct nft_set *nft_set_lookup_global(const struct net *net,
 448                                      const struct nft_table *table,
 449                                      const struct nlattr *nla_set_name,
 450                                      const struct nlattr *nla_set_id,
 451                                      u8 genmask);
 452
 453static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 454{
 455        return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 456}
 457
 458/**
 459 *      struct nft_set_binding - nf_tables set binding
 460 *
 461 *      @list: set bindings list node
 462 *      @chain: chain containing the rule bound to the set
 463 *      @flags: set action flags
 464 *
 465 *      A set binding contains all information necessary for validation
 466 *      of new elements added to a bound set.
 467 */
 468struct nft_set_binding {
 469        struct list_head                list;
 470        const struct nft_chain          *chain;
 471        u32                             flags;
 472};
 473
 474enum nft_trans_phase;
 475void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 476                              struct nft_set_binding *binding,
 477                              enum nft_trans_phase phase);
 478int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 479                       struct nft_set_binding *binding);
 480void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
 481
 482/**
 483 *      enum nft_set_extensions - set extension type IDs
 484 *
 485 *      @NFT_SET_EXT_KEY: element key
 486 *      @NFT_SET_EXT_DATA: mapping data
 487 *      @NFT_SET_EXT_FLAGS: element flags
 488 *      @NFT_SET_EXT_TIMEOUT: element timeout
 489 *      @NFT_SET_EXT_EXPIRATION: element expiration time
 490 *      @NFT_SET_EXT_USERDATA: user data associated with the element
 491 *      @NFT_SET_EXT_EXPR: expression assiociated with the element
 492 *      @NFT_SET_EXT_OBJREF: stateful object reference associated with element
 493 *      @NFT_SET_EXT_NUM: number of extension types
 494 */
 495enum nft_set_extensions {
 496        NFT_SET_EXT_KEY,
 497        NFT_SET_EXT_DATA,
 498        NFT_SET_EXT_FLAGS,
 499        NFT_SET_EXT_TIMEOUT,
 500        NFT_SET_EXT_EXPIRATION,
 501        NFT_SET_EXT_USERDATA,
 502        NFT_SET_EXT_EXPR,
 503        NFT_SET_EXT_OBJREF,
 504        NFT_SET_EXT_NUM
 505};
 506
 507/**
 508 *      struct nft_set_ext_type - set extension type
 509 *
 510 *      @len: fixed part length of the extension
 511 *      @align: alignment requirements of the extension
 512 */
 513struct nft_set_ext_type {
 514        u8      len;
 515        u8      align;
 516};
 517
 518extern const struct nft_set_ext_type nft_set_ext_types[];
 519
 520/**
 521 *      struct nft_set_ext_tmpl - set extension template
 522 *
 523 *      @len: length of extension area
 524 *      @offset: offsets of individual extension types
 525 */
 526struct nft_set_ext_tmpl {
 527        u16     len;
 528        u8      offset[NFT_SET_EXT_NUM];
 529};
 530
 531/**
 532 *      struct nft_set_ext - set extensions
 533 *
 534 *      @genmask: generation mask
 535 *      @offset: offsets of individual extension types
 536 *      @data: beginning of extension data
 537 */
 538struct nft_set_ext {
 539        u8      genmask;
 540        u8      offset[NFT_SET_EXT_NUM];
 541        char    data[0];
 542};
 543
 544static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 545{
 546        memset(tmpl, 0, sizeof(*tmpl));
 547        tmpl->len = sizeof(struct nft_set_ext);
 548}
 549
 550static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 551                                          unsigned int len)
 552{
 553        tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 554        BUG_ON(tmpl->len > U8_MAX);
 555        tmpl->offset[id] = tmpl->len;
 556        tmpl->len       += nft_set_ext_types[id].len + len;
 557}
 558
 559static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 560{
 561        nft_set_ext_add_length(tmpl, id, 0);
 562}
 563
 564static inline void nft_set_ext_init(struct nft_set_ext *ext,
 565                                    const struct nft_set_ext_tmpl *tmpl)
 566{
 567        memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 568}
 569
 570static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 571{
 572        return !!ext->offset[id];
 573}
 574
 575static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 576{
 577        return ext && __nft_set_ext_exists(ext, id);
 578}
 579
 580static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 581{
 582        return (void *)ext + ext->offset[id];
 583}
 584
 585static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 586{
 587        return nft_set_ext(ext, NFT_SET_EXT_KEY);
 588}
 589
 590static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 591{
 592        return nft_set_ext(ext, NFT_SET_EXT_DATA);
 593}
 594
 595static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 596{
 597        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 598}
 599
 600static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 601{
 602        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 603}
 604
 605static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
 606{
 607        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 608}
 609
 610static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 611{
 612        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 613}
 614
 615static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 616{
 617        return nft_set_ext(ext, NFT_SET_EXT_EXPR);
 618}
 619
 620static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 621{
 622        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 623               time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
 624}
 625
 626static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 627                                                   void *elem)
 628{
 629        return elem + set->ops->elemsize;
 630}
 631
 632static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
 633{
 634        return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
 635}
 636
 637void *nft_set_elem_init(const struct nft_set *set,
 638                        const struct nft_set_ext_tmpl *tmpl,
 639                        const u32 *key, const u32 *data,
 640                        u64 timeout, u64 expiration, gfp_t gfp);
 641void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 642                          bool destroy_expr);
 643
 644/**
 645 *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 646 *
 647 *      @rcu: rcu head
 648 *      @set: set the elements belong to
 649 *      @cnt: count of elements
 650 */
 651struct nft_set_gc_batch_head {
 652        struct rcu_head                 rcu;
 653        const struct nft_set            *set;
 654        unsigned int                    cnt;
 655};
 656
 657#define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 658                                  sizeof(struct nft_set_gc_batch_head)) / \
 659                                 sizeof(void *))
 660
 661/**
 662 *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 663 *
 664 *      @head: GC batch head
 665 *      @elems: garbage collection elements
 666 */
 667struct nft_set_gc_batch {
 668        struct nft_set_gc_batch_head    head;
 669        void                            *elems[NFT_SET_GC_BATCH_SIZE];
 670};
 671
 672struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 673                                                gfp_t gfp);
 674void nft_set_gc_batch_release(struct rcu_head *rcu);
 675
 676static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 677{
 678        if (gcb != NULL)
 679                call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 680}
 681
 682static inline struct nft_set_gc_batch *
 683nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 684                       gfp_t gfp)
 685{
 686        if (gcb != NULL) {
 687                if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 688                        return gcb;
 689                nft_set_gc_batch_complete(gcb);
 690        }
 691        return nft_set_gc_batch_alloc(set, gfp);
 692}
 693
 694static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 695                                        void *elem)
 696{
 697        gcb->elems[gcb->head.cnt++] = elem;
 698}
 699
 700struct nft_expr_ops;
 701/**
 702 *      struct nft_expr_type - nf_tables expression type
 703 *
 704 *      @select_ops: function to select nft_expr_ops
 705 *      @release_ops: release nft_expr_ops
 706 *      @ops: default ops, used when no select_ops functions is present
 707 *      @list: used internally
 708 *      @name: Identifier
 709 *      @owner: module reference
 710 *      @policy: netlink attribute policy
 711 *      @maxattr: highest netlink attribute number
 712 *      @family: address family for AF-specific types
 713 *      @flags: expression type flags
 714 */
 715struct nft_expr_type {
 716        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 717                                                       const struct nlattr * const tb[]);
 718        void                            (*release_ops)(const struct nft_expr_ops *ops);
 719        const struct nft_expr_ops       *ops;
 720        struct list_head                list;
 721        const char                      *name;
 722        struct module                   *owner;
 723        const struct nla_policy         *policy;
 724        unsigned int                    maxattr;
 725        u8                              family;
 726        u8                              flags;
 727};
 728
 729#define NFT_EXPR_STATEFUL               0x1
 730#define NFT_EXPR_GC                     0x2
 731
 732enum nft_trans_phase {
 733        NFT_TRANS_PREPARE,
 734        NFT_TRANS_ABORT,
 735        NFT_TRANS_COMMIT,
 736        NFT_TRANS_RELEASE
 737};
 738
 739struct nft_flow_rule;
 740struct nft_offload_ctx;
 741
 742/**
 743 *      struct nft_expr_ops - nf_tables expression operations
 744 *
 745 *      @eval: Expression evaluation function
 746 *      @size: full expression size, including private data size
 747 *      @init: initialization function
 748 *      @activate: activate expression in the next generation
 749 *      @deactivate: deactivate expression in next generation
 750 *      @destroy: destruction function, called after synchronize_rcu
 751 *      @dump: function to dump parameters
 752 *      @type: expression type
 753 *      @validate: validate expression, called during loop detection
 754 *      @data: extra data to attach to this expression operation
 755 */
 756struct nft_expr;
 757struct nft_expr_ops {
 758        void                            (*eval)(const struct nft_expr *expr,
 759                                                struct nft_regs *regs,
 760                                                const struct nft_pktinfo *pkt);
 761        int                             (*clone)(struct nft_expr *dst,
 762                                                 const struct nft_expr *src);
 763        unsigned int                    size;
 764
 765        int                             (*init)(const struct nft_ctx *ctx,
 766                                                const struct nft_expr *expr,
 767                                                const struct nlattr * const tb[]);
 768        void                            (*activate)(const struct nft_ctx *ctx,
 769                                                    const struct nft_expr *expr);
 770        void                            (*deactivate)(const struct nft_ctx *ctx,
 771                                                      const struct nft_expr *expr,
 772                                                      enum nft_trans_phase phase);
 773        void                            (*destroy)(const struct nft_ctx *ctx,
 774                                                   const struct nft_expr *expr);
 775        void                            (*destroy_clone)(const struct nft_ctx *ctx,
 776                                                         const struct nft_expr *expr);
 777        int                             (*dump)(struct sk_buff *skb,
 778                                                const struct nft_expr *expr);
 779        int                             (*validate)(const struct nft_ctx *ctx,
 780                                                    const struct nft_expr *expr,
 781                                                    const struct nft_data **data);
 782        bool                            (*gc)(struct net *net,
 783                                              const struct nft_expr *expr);
 784        int                             (*offload)(struct nft_offload_ctx *ctx,
 785                                                   struct nft_flow_rule *flow,
 786                                                   const struct nft_expr *expr);
 787        u32                             offload_flags;
 788        const struct nft_expr_type      *type;
 789        void                            *data;
 790};
 791
 792#define NFT_EXPR_MAXATTR                16
 793#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 794                                         ALIGN(size, __alignof__(struct nft_expr)))
 795
 796/**
 797 *      struct nft_expr - nf_tables expression
 798 *
 799 *      @ops: expression ops
 800 *      @data: expression private data
 801 */
 802struct nft_expr {
 803        const struct nft_expr_ops       *ops;
 804        unsigned char                   data[];
 805};
 806
 807static inline void *nft_expr_priv(const struct nft_expr *expr)
 808{
 809        return (void *)expr->data;
 810}
 811
 812struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
 813                               const struct nlattr *nla);
 814void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 815int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 816                  const struct nft_expr *expr);
 817
 818/**
 819 *      struct nft_rule - nf_tables rule
 820 *
 821 *      @list: used internally
 822 *      @handle: rule handle
 823 *      @genmask: generation mask
 824 *      @dlen: length of expression data
 825 *      @udata: user data is appended to the rule
 826 *      @data: expression data
 827 */
 828struct nft_rule {
 829        struct list_head                list;
 830        u64                             handle:42,
 831                                        genmask:2,
 832                                        dlen:12,
 833                                        udata:1;
 834        unsigned char                   data[]
 835                __attribute__((aligned(__alignof__(struct nft_expr))));
 836};
 837
 838static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 839{
 840        return (struct nft_expr *)&rule->data[0];
 841}
 842
 843static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 844{
 845        return ((void *)expr) + expr->ops->size;
 846}
 847
 848static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 849{
 850        return (struct nft_expr *)&rule->data[rule->dlen];
 851}
 852
 853static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 854{
 855        return (void *)&rule->data[rule->dlen];
 856}
 857
 858/*
 859 * The last pointer isn't really necessary, but the compiler isn't able to
 860 * determine that the result of nft_expr_last() is always the same since it
 861 * can't assume that the dlen value wasn't changed within calls in the loop.
 862 */
 863#define nft_rule_for_each_expr(expr, last, rule) \
 864        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 865             (expr) != (last); \
 866             (expr) = nft_expr_next(expr))
 867
 868enum nft_chain_flags {
 869        NFT_BASE_CHAIN                  = 0x1,
 870        NFT_CHAIN_HW_OFFLOAD            = 0x2,
 871};
 872
 873/**
 874 *      struct nft_chain - nf_tables chain
 875 *
 876 *      @rules: list of rules in the chain
 877 *      @list: used internally
 878 *      @rhlhead: used internally
 879 *      @table: table that this chain belongs to
 880 *      @handle: chain handle
 881 *      @use: number of jump references to this chain
 882 *      @flags: bitmask of enum nft_chain_flags
 883 *      @name: name of the chain
 884 */
 885struct nft_chain {
 886        struct nft_rule                 *__rcu *rules_gen_0;
 887        struct nft_rule                 *__rcu *rules_gen_1;
 888        struct list_head                rules;
 889        struct list_head                list;
 890        struct rhlist_head              rhlhead;
 891        struct nft_table                *table;
 892        u64                             handle;
 893        u32                             use;
 894        u8                              flags:6,
 895                                        genmask:2;
 896        char                            *name;
 897
 898        /* Only used during control plane commit phase: */
 899        struct nft_rule                 **rules_next;
 900};
 901
 902int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
 903
 904enum nft_chain_types {
 905        NFT_CHAIN_T_DEFAULT = 0,
 906        NFT_CHAIN_T_ROUTE,
 907        NFT_CHAIN_T_NAT,
 908        NFT_CHAIN_T_MAX
 909};
 910
 911/**
 912 *      struct nft_chain_type - nf_tables chain type info
 913 *
 914 *      @name: name of the type
 915 *      @type: numeric identifier
 916 *      @family: address family
 917 *      @owner: module owner
 918 *      @hook_mask: mask of valid hooks
 919 *      @hooks: array of hook functions
 920 *      @ops_register: base chain register function
 921 *      @ops_unregister: base chain unregister function
 922 */
 923struct nft_chain_type {
 924        const char                      *name;
 925        enum nft_chain_types            type;
 926        int                             family;
 927        struct module                   *owner;
 928        unsigned int                    hook_mask;
 929        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 930        int                             (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
 931        void                            (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
 932};
 933
 934int nft_chain_validate_dependency(const struct nft_chain *chain,
 935                                  enum nft_chain_types type);
 936int nft_chain_validate_hooks(const struct nft_chain *chain,
 937                             unsigned int hook_flags);
 938
 939struct nft_stats {
 940        u64                     bytes;
 941        u64                     pkts;
 942        struct u64_stats_sync   syncp;
 943};
 944
 945/**
 946 *      struct nft_base_chain - nf_tables base chain
 947 *
 948 *      @ops: netfilter hook ops
 949 *      @type: chain type
 950 *      @policy: default policy
 951 *      @stats: per-cpu chain stats
 952 *      @chain: the chain
 953 *      @dev_name: device name that this base chain is attached to (if any)
 954 *      @flow_block: flow block (for hardware offload)
 955 */
 956struct nft_base_chain {
 957        struct nf_hook_ops              ops;
 958        const struct nft_chain_type     *type;
 959        u8                              policy;
 960        u8                              flags;
 961        struct nft_stats __percpu       *stats;
 962        struct nft_chain                chain;
 963        char                            dev_name[IFNAMSIZ];
 964        struct flow_block               flow_block;
 965};
 966
 967static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
 968{
 969        return container_of(chain, struct nft_base_chain, chain);
 970}
 971
 972static inline bool nft_is_base_chain(const struct nft_chain *chain)
 973{
 974        return chain->flags & NFT_BASE_CHAIN;
 975}
 976
 977int __nft_release_basechain(struct nft_ctx *ctx);
 978
 979unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
 980
 981/**
 982 *      struct nft_table - nf_tables table
 983 *
 984 *      @list: used internally
 985 *      @chains_ht: chains in the table
 986 *      @chains: same, for stable walks
 987 *      @sets: sets in the table
 988 *      @objects: stateful objects in the table
 989 *      @flowtables: flow tables in the table
 990 *      @hgenerator: handle generator state
 991 *      @handle: table handle
 992 *      @use: number of chain references to this table
 993 *      @flags: table flag (see enum nft_table_flags)
 994 *      @genmask: generation mask
 995 *      @afinfo: address family info
 996 *      @name: name of the table
 997 */
 998struct nft_table {
 999        struct list_head                list;
1000        struct rhltable                 chains_ht;

1001        struct list_head                chains;
1002        struct list_head                sets;
1003        struct list_head                objects;
1004        struct list_head                flowtables;
1005        u64                             hgenerator;
1006        u64                             handle;
1007        u32                             use;
1008        u16                             family:6,
1009                                        flags:8,
1010                                        genmask:2;
1011        char                            *name;
1012};
1013
1014void nft_register_chain_type(const struct nft_chain_type *);
1015void nft_unregister_chain_type(const struct nft_chain_type *);
1016
1017int nft_register_expr(struct nft_expr_type *);
1018void nft_unregister_expr(struct nft_expr_type *);
1019
1020int nft_verdict_dump(struct sk_buff *skb, int type,
1021                     const struct nft_verdict *v);
1022
1023/**
1024 *      struct nft_object_hash_key - key to lookup nft_object
1025 *
1026 *      @name: name of the stateful object to look up
1027 *      @table: table the object belongs to
1028 */
1029struct nft_object_hash_key {
1030        const char                      *name;
1031        const struct nft_table          *table;
1032};
1033
1034/**
1035 *      struct nft_object - nf_tables stateful object
1036 *
1037 *      @list: table stateful object list node
1038 *      @key:  keys that identify this object
1039 *      @rhlhead: nft_objname_ht node
1040 *      @genmask: generation mask
1041 *      @use: number of references to this stateful object
1042 *      @handle: unique object handle
1043 *      @ops: object operations
1044 *      @data: object data, layout depends on type
1045 */
1046struct nft_object {
1047        struct list_head                list;
1048        struct rhlist_head              rhlhead;
1049        struct nft_object_hash_key      key;
1050        u32                             genmask:2,
1051                                        use:30;
1052        u64                             handle;
1053        /* runtime data below here */
1054        const struct nft_object_ops     *ops ____cacheline_aligned;
1055        unsigned char                   data[]
1056                __attribute__((aligned(__alignof__(u64))));
1057};
1058
1059static inline void *nft_obj_data(const struct nft_object *obj)
1060{
1061        return (void *)obj->data;
1062}
1063
1064#define nft_expr_obj(expr)      *((struct nft_object **)nft_expr_priv(expr))
1065
1066struct nft_object *nft_obj_lookup(const struct net *net,
1067                                  const struct nft_table *table,
1068                                  const struct nlattr *nla, u32 objtype,
1069                                  u8 genmask);
1070
1071void nft_obj_notify(struct net *net, const struct nft_table *table,
1072                    struct nft_object *obj, u32 portid, u32 seq,
1073                    int event, int family, int report, gfp_t gfp);
1074
1075/**
1076 *      struct nft_object_type - stateful object type
1077 *
1078 *      @select_ops: function to select nft_object_ops
1079 *      @ops: default ops, used when no select_ops functions is present
1080 *      @list: list node in list of object types
1081 *      @type: stateful object numeric type
1082 *      @owner: module owner
1083 *      @maxattr: maximum netlink attribute
1084 *      @policy: netlink attribute policy
1085 */
1086struct nft_object_type {
1087        const struct nft_object_ops     *(*select_ops)(const struct nft_ctx *,
1088                                                       const struct nlattr * const tb[]);
1089        const struct nft_object_ops     *ops;
1090        struct list_head                list;
1091        u32                             type;
1092        unsigned int                    maxattr;
1093        struct module                   *owner;
1094        const struct nla_policy         *policy;
1095};
1096
1097/**
1098 *      struct nft_object_ops - stateful object operations
1099 *
1100 *      @eval: stateful object evaluation function
1101 *      @size: stateful object size
1102 *      @init: initialize object from netlink attributes
1103 *      @destroy: release existing stateful object
1104 *      @dump: netlink dump stateful object
1105 */
1106struct nft_object_ops {
1107        void                            (*eval)(struct nft_object *obj,
1108                                                struct nft_regs *regs,
1109                                                const struct nft_pktinfo *pkt);
1110        unsigned int                    size;
1111        int                             (*init)(const struct nft_ctx *ctx,
1112                                                const struct nlattr *const tb[],
1113                                                struct nft_object *obj);
1114        void                            (*destroy)(const struct nft_ctx *ctx,
1115                                                   struct nft_object *obj);
1116        int                             (*dump)(struct sk_buff *skb,
1117                                                struct nft_object *obj,
1118                                                bool reset);
1119        const struct nft_object_type    *type;
1120};
1121
1122int nft_register_obj(struct nft_object_type *obj_type);
1123void nft_unregister_obj(struct nft_object_type *obj_type);
1124
1125#define NFT_FLOWTABLE_DEVICE_MAX        8
1126
1127/**
1128 *      struct nft_flowtable - nf_tables flow table
1129 *
1130 *      @list: flow table list node in table list
1131 *      @table: the table the flow table is contained in
1132 *      @name: name of this flow table
1133 *      @hooknum: hook number
1134 *      @priority: hook priority
1135 *      @ops_len: number of hooks in array
1136 *      @genmask: generation mask
1137 *      @use: number of references to this flow table
1138 *      @handle: unique object handle
1139 *      @dev_name: array of device names
1140 *      @data: rhashtable and garbage collector
1141 *      @ops: array of hooks
1142 */
1143struct nft_flowtable {
1144        struct list_head                list;
1145        struct nft_table                *table;
1146        char                            *name;
1147        int                             hooknum;
1148        int                             priority;
1149        int                             ops_len;
1150        u32                             genmask:2,
1151                                        use:30;
1152        u64                             handle;
1153        /* runtime data below here */
1154        struct nf_hook_ops              *ops ____cacheline_aligned;
1155        struct nf_flowtable             data;
1156};
1157
1158struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1159                                           const struct nlattr *nla,
1160                                           u8 genmask);
1161
1162void nft_register_flowtable_type(struct nf_flowtable_type *type);
1163void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1164
1165/**
1166 *      struct nft_traceinfo - nft tracing information and state
1167 *
1168 *      @pkt: pktinfo currently processed
1169 *      @basechain: base chain currently processed
1170 *      @chain: chain currently processed
1171 *      @rule:  rule that was evaluated
1172 *      @verdict: verdict given by rule
1173 *      @type: event type (enum nft_trace_types)
1174 *      @packet_dumped: packet headers sent in a previous traceinfo message
1175 *      @trace: other struct members are initialised
1176 */
1177struct nft_traceinfo {
1178        const struct nft_pktinfo        *pkt;
1179        const struct nft_base_chain     *basechain;
1180        const struct nft_chain          *chain;
1181        const struct nft_rule           *rule;
1182        const struct nft_verdict        *verdict;
1183        enum nft_trace_types            type;
1184        bool                            packet_dumped;
1185        bool                            trace;
1186};
1187
1188void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1189                    const struct nft_verdict *verdict,
1190                    const struct nft_chain *basechain);
1191
1192void nft_trace_notify(struct nft_traceinfo *info);
1193
1194#define MODULE_ALIAS_NFT_CHAIN(family, name) \
1195        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1196
1197#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1198        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1199
1200#define MODULE_ALIAS_NFT_EXPR(name) \
1201        MODULE_ALIAS("nft-expr-" name)
1202
1203#define MODULE_ALIAS_NFT_SET() \
1204        MODULE_ALIAS("nft-set")
1205
1206#define MODULE_ALIAS_NFT_OBJ(type) \
1207        MODULE_ALIAS("nft-obj-" __stringify(type))
1208
1209/*
1210 * The gencursor defines two generations, the currently active and the
1211 * next one. Objects contain a bitmask of 2 bits specifying the generations
1212 * they're active in. A set bit means they're inactive in the generation
1213 * represented by that bit.
1214 *
1215 * New objects start out as inactive in the current and active in the
1216 * next generation. When committing the ruleset the bitmask is cleared,
1217 * meaning they're active in all generations. When removing an object,
1218 * it is set inactive in the next generation. After committing the ruleset,
1219 * the objects are removed.
1220 */
1221static inline unsigned int nft_gencursor_next(const struct net *net)
1222{
1223        return net->nft.gencursor + 1 == 1 ? 1 : 0;
1224}
1225
1226static inline u8 nft_genmask_next(const struct net *net)
1227{
1228        return 1 << nft_gencursor_next(net);
1229}
1230
1231static inline u8 nft_genmask_cur(const struct net *net)
1232{
1233        /* Use READ_ONCE() to prevent refetching the value for atomicity */
1234        return 1 << READ_ONCE(net->nft.gencursor);
1235}
1236
1237#define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
1238
1239/*
1240 * Generic transaction helpers
1241 */
1242
1243/* Check if this object is currently active. */
1244#define nft_is_active(__net, __obj)                             \
1245        (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1246
1247/* Check if this object is active in the next generation. */
1248#define nft_is_active_next(__net, __obj)                        \
1249        (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1250
1251/* This object becomes active in the next generation. */
1252#define nft_activate_next(__net, __obj)                         \
1253        (__obj)->genmask = nft_genmask_cur(__net)
1254
1255/* This object becomes inactive in the next generation. */
1256#define nft_deactivate_next(__net, __obj)                       \
1257        (__obj)->genmask = nft_genmask_next(__net)
1258
1259/* After committing the ruleset, clear the stale generation bit. */
1260#define nft_clear(__net, __obj)                                 \
1261        (__obj)->genmask &= ~nft_genmask_next(__net)
1262#define nft_active_genmask(__obj, __genmask)                    \
1263        !((__obj)->genmask & __genmask)
1264
1265/*
1266 * Set element transaction helpers
1267 */
1268
1269static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1270                                       u8 genmask)
1271{
1272        return !(ext->genmask & genmask);
1273}
1274
1275static inline void nft_set_elem_change_active(const struct net *net,
1276                                              const struct nft_set *set,
1277                                              struct nft_set_ext *ext)
1278{
1279        ext->genmask ^= nft_genmask_next(net);
1280}
1281
1282/*
1283 * We use a free bit in the genmask field to indicate the element
1284 * is busy, meaning it is currently being processed either by
1285 * the netlink API or GC.
1286 *
1287 * Even though the genmask is only a single byte wide, this works
1288 * because the extension structure if fully constant once initialized,
1289 * so there are no non-atomic write accesses unless it is already
1290 * marked busy.
1291 */
1292#define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
1293
1294#if defined(__LITTLE_ENDIAN_BITFIELD)
1295#define NFT_SET_ELEM_BUSY_BIT   2
1296#elif defined(__BIG_ENDIAN_BITFIELD)
1297#define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
1298#else
1299#error
1300#endif
1301
1302static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1303{
1304        unsigned long *word = (unsigned long *)ext;
1305
1306        BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1307        return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1308}
1309
1310static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1311{
1312        unsigned long *word = (unsigned long *)ext;
1313
1314        clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1315}
1316
1317/**
1318 *      struct nft_trans - nf_tables object update in transaction
1319 *
1320 *      @list: used internally
1321 *      @msg_type: message type
1322 *      @put_net: ctx->net needs to be put
1323 *      @ctx: transaction context
1324 *      @data: internal information related to the transaction
1325 */
1326struct nft_trans {
1327        struct list_head                list;
1328        int                             msg_type;
1329        bool                            put_net;
1330        struct nft_ctx                  ctx;
1331        char                            data[0];
1332};
1333
1334struct nft_trans_rule {
1335        struct nft_rule                 *rule;
1336        struct nft_flow_rule            *flow;
1337        u32                             rule_id;
1338};
1339
1340#define nft_trans_rule(trans)   \
1341        (((struct nft_trans_rule *)trans->data)->rule)
1342#define nft_trans_flow_rule(trans)      \
1343        (((struct nft_trans_rule *)trans->data)->flow)
1344#define nft_trans_rule_id(trans)        \
1345        (((struct nft_trans_rule *)trans->data)->rule_id)
1346
1347struct nft_trans_set {
1348        struct nft_set                  *set;
1349        u32                             set_id;
1350        bool                            bound;
1351};
1352
1353#define nft_trans_set(trans)    \
1354        (((struct nft_trans_set *)trans->data)->set)
1355#define nft_trans_set_id(trans) \
1356        (((struct nft_trans_set *)trans->data)->set_id)
1357#define nft_trans_set_bound(trans)      \
1358        (((struct nft_trans_set *)trans->data)->bound)
1359
1360struct nft_trans_chain {
1361        bool                            update;
1362        char                            *name;
1363        struct nft_stats __percpu       *stats;
1364        u8                              policy;
1365};
1366
1367#define nft_trans_chain_update(trans)   \
1368        (((struct nft_trans_chain *)trans->data)->update)
1369#define nft_trans_chain_name(trans)     \
1370        (((struct nft_trans_chain *)trans->data)->name)
1371#define nft_trans_chain_stats(trans)    \
1372        (((struct nft_trans_chain *)trans->data)->stats)
1373#define nft_trans_chain_policy(trans)   \
1374        (((struct nft_trans_chain *)trans->data)->policy)
1375
1376struct nft_trans_table {
1377        bool                            update;
1378        bool                            enable;
1379};
1380
1381#define nft_trans_table_update(trans)   \
1382        (((struct nft_trans_table *)trans->data)->update)
1383#define nft_trans_table_enable(trans)   \
1384        (((struct nft_trans_table *)trans->data)->enable)
1385
1386struct nft_trans_elem {
1387        struct nft_set                  *set;
1388        struct nft_set_elem             elem;
1389        bool                            bound;
1390};
1391
1392#define nft_trans_elem_set(trans)       \
1393        (((struct nft_trans_elem *)trans->data)->set)
1394#define nft_trans_elem(trans)   \
1395        (((struct nft_trans_elem *)trans->data)->elem)
1396#define nft_trans_elem_set_bound(trans) \
1397        (((struct nft_trans_elem *)trans->data)->bound)
1398
1399struct nft_trans_obj {
1400        struct nft_object               *obj;
1401};
1402
1403#define nft_trans_obj(trans)    \
1404        (((struct nft_trans_obj *)trans->data)->obj)
1405
1406struct nft_trans_flowtable {
1407        struct nft_flowtable            *flowtable;
1408};
1409
1410#define nft_trans_flowtable(trans)      \
1411        (((struct nft_trans_flowtable *)trans->data)->flowtable)
1412
1413int __init nft_chain_filter_init(void);
1414void nft_chain_filter_fini(void);
1415
1416void __init nft_chain_route_init(void);
1417void nft_chain_route_fini(void);
1418#endif /* _NET_NF_TABLES_H */
1419
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.