LXR linux/include/net/netfilter/nf

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _NET_NF_TABLES_H
   3#define _NET_NF_TABLES_H
   4
   5#include <asm/unaligned.h>
   6#include <linux/list.h>
   7#include <linux/netfilter.h>
   8#include <linux/netfilter/nfnetlink.h>
   9#include <linux/netfilter/x_tables.h>
  10#include <linux/netfilter/nf_tables.h>
  11#include <linux/u64_stats_sync.h>
  12#include <linux/rhashtable.h>
  13#include <net/netfilter/nf_flow_table.h>
  14#include <net/netlink.h>
  15#include <net/flow_offload.h>
  16
  17struct module;
  18
  19#define NFT_JUMP_STACK_SIZE     16
  20
  21struct nft_pktinfo {
  22        struct sk_buff                  *skb;
  23        bool                            tprot_set;
  24        u8                              tprot;
  25        /* for x_tables compatibility */
  26        struct xt_action_param          xt;
  27};
  28
  29static inline struct net *nft_net(const struct nft_pktinfo *pkt)
  30{
  31        return pkt->xt.state->net;
  32}
  33
  34static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
  35{
  36        return pkt->xt.state->hook;
  37}
  38
  39static inline u8 nft_pf(const struct nft_pktinfo *pkt)
  40{
  41        return pkt->xt.state->pf;
  42}
  43
  44static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
  45{
  46        return pkt->xt.state->in;
  47}
  48
  49static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
  50{
  51        return pkt->xt.state->out;
  52}
  53
  54static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
  55                                   struct sk_buff *skb,
  56                                   const struct nf_hook_state *state)
  57{
  58        pkt->skb = skb;
  59        pkt->xt.state = state;
  60}
  61
  62static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
  63                                          struct sk_buff *skb)
  64{
  65        pkt->tprot_set = false;
  66        pkt->tprot = 0;
  67        pkt->xt.thoff = 0;
  68        pkt->xt.fragoff = 0;
  69}
  70
  71/**
  72 *      struct nft_verdict - nf_tables verdict
  73 *
  74 *      @code: nf_tables/netfilter verdict code
  75 *      @chain: destination chain for NFT_JUMP/NFT_GOTO
  76 */
  77struct nft_verdict {
  78        u32                             code;
  79        struct nft_chain                *chain;
  80};
  81
  82struct nft_data {
  83        union {
  84                u32                     data[4];
  85                struct nft_verdict      verdict;
  86        };
  87} __attribute__((aligned(__alignof__(u64))));
  88
  89/**
  90 *      struct nft_regs - nf_tables register set
  91 *
  92 *      @data: data registers
  93 *      @verdict: verdict register
  94 *
  95 *      The first four data registers alias to the verdict register.
  96 */
  97struct nft_regs {
  98        union {
  99                u32                     data[20];
 100                struct nft_verdict      verdict;
 101        };
 102};
 103
 104/* Store/load an u8, u16 or u64 integer to/from the u32 data register.
 105 *
 106 * Note, when using concatenations, register allocation happens at 32-bit
 107 * level. So for store instruction, pad the rest part with zero to avoid
 108 * garbage values.
 109 */
 110
 111static inline void nft_reg_store8(u32 *dreg, u8 val)
 112{
 113        *dreg = 0;
 114        *(u8 *)dreg = val;
 115}
 116
 117static inline u8 nft_reg_load8(const u32 *sreg)
 118{
 119        return *(u8 *)sreg;
 120}
 121
 122static inline void nft_reg_store16(u32 *dreg, u16 val)
 123{
 124        *dreg = 0;
 125        *(u16 *)dreg = val;
 126}
 127
 128static inline u16 nft_reg_load16(const u32 *sreg)
 129{
 130        return *(u16 *)sreg;
 131}
 132
 133static inline void nft_reg_store64(u32 *dreg, u64 val)
 134{
 135        put_unaligned(val, (u64 *)dreg);
 136}
 137
 138static inline u64 nft_reg_load64(const u32 *sreg)
 139{
 140        return get_unaligned((u64 *)sreg);
 141}
 142
 143static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 144                                 unsigned int len)
 145{
 146        memcpy(dst, src, len);
 147}
 148
 149static inline void nft_data_debug(const struct nft_data *data)
 150{
 151        pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
 152                 data->data[0], data->data[1],
 153                 data->data[2], data->data[3]);
 154}
 155
 156/**
 157 *      struct nft_ctx - nf_tables rule/set context
 158 *
 159 *      @net: net namespace
 160 *      @table: the table the chain is contained in
 161 *      @chain: the chain the rule is contained in
 162 *      @nla: netlink attributes
 163 *      @portid: netlink portID of the original message
 164 *      @seq: netlink sequence number
 165 *      @family: protocol family
 166 *      @level: depth of the chains
 167 *      @report: notify via unicast netlink message
 168 */
 169struct nft_ctx {
 170        struct net                      *net;
 171        struct nft_table                *table;
 172        struct nft_chain                *chain;
 173        const struct nlattr * const     *nla;
 174        u32                             portid;
 175        u32                             seq;
 176        u16                             flags;
 177        u8                              family;
 178        u8                              level;
 179        bool                            report;
 180};
 181
 182struct nft_data_desc {
 183        enum nft_data_types             type;
 184        unsigned int                    len;
 185};
 186
 187int nft_data_init(const struct nft_ctx *ctx,
 188                  struct nft_data *data, unsigned int size,
 189                  struct nft_data_desc *desc, const struct nlattr *nla);
 190void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 191void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 192int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
 193                  enum nft_data_types type, unsigned int len);
 194
 195static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
 196{
 197        return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
 198}
 199
 200static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 201{
 202        return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
 203}
 204
 205int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
 206unsigned int nft_parse_register(const struct nlattr *attr);
 207int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 208
 209int nft_validate_register_load(enum nft_registers reg, unsigned int len);
 210int nft_validate_register_store(const struct nft_ctx *ctx,
 211                                enum nft_registers reg,
 212                                const struct nft_data *data,
 213                                enum nft_data_types type, unsigned int len);
 214
 215/**
 216 *      struct nft_userdata - user defined data associated with an object
 217 *
 218 *      @len: length of the data
 219 *      @data: content
 220 *
 221 *      The presence of user data is indicated in an object specific fashion,
 222 *      so a length of zero can't occur and the value "len" indicates data
 223 *      of length len + 1.
 224 */
 225struct nft_userdata {
 226        u8                      len;
 227        unsigned char           data[];
 228};
 229
 230/**
 231 *      struct nft_set_elem - generic representation of set elements
 232 *
 233 *      @key: element key
 234 *      @key_end: closing element key
 235 *      @priv: element private data and extensions
 236 */
 237struct nft_set_elem {
 238        union {
 239                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 240                struct nft_data val;
 241        } key;
 242        union {
 243                u32             buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
 244                struct nft_data val;
 245        } key_end;
 246        void                    *priv;
 247};
 248
 249struct nft_set;
 250struct nft_set_iter {
 251        u8              genmask;
 252        unsigned int    count;
 253        unsigned int    skip;
 254        int             err;
 255        int             (*fn)(const struct nft_ctx *ctx,
 256                              struct nft_set *set,
 257                              const struct nft_set_iter *iter,
 258                              struct nft_set_elem *elem);
 259};
 260
 261/**
 262 *      struct nft_set_desc - description of set elements
 263 *
 264 *      @klen: key length
 265 *      @dlen: data length
 266 *      @size: number of set elements
 267 *      @field_len: length of each field in concatenation, bytes
 268 *      @field_count: number of concatenated fields in element
 269 *      @expr: set must support for expressions
 270 */
 271struct nft_set_desc {
 272        unsigned int            klen;
 273        unsigned int            dlen;
 274        unsigned int            size;
 275        u8                      field_len[NFT_REG32_COUNT];
 276        u8                      field_count;
 277        bool                    expr;
 278};
 279
 280/**
 281 *      enum nft_set_class - performance class
 282 *
 283 *      @NFT_LOOKUP_O_1: constant, O(1)
 284 *      @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
 285 *      @NFT_LOOKUP_O_N: linear, O(N)
 286 */
 287enum nft_set_class {
 288        NFT_SET_CLASS_O_1,
 289        NFT_SET_CLASS_O_LOG_N,
 290        NFT_SET_CLASS_O_N,
 291};
 292
 293/**
 294 *      struct nft_set_estimate - estimation of memory and performance
 295 *                                characteristics
 296 *
 297 *      @size: required memory
 298 *      @lookup: lookup performance class
 299 *      @space: memory class
 300 */
 301struct nft_set_estimate {
 302        u64                     size;
 303        enum nft_set_class      lookup;
 304        enum nft_set_class      space;
 305};
 306
 307struct nft_set_ext;
 308struct nft_expr;
 309
 310/**
 311 *      struct nft_set_ops - nf_tables set operations
 312 *
 313 *      @lookup: look up an element within the set
 314 *      @update: update an element if exists, add it if doesn't exist
 315 *      @delete: delete an element
 316 *      @insert: insert new element into set
 317 *      @activate: activate new element in the next generation
 318 *      @deactivate: lookup for element and deactivate it in the next generation
 319 *      @flush: deactivate element in the next generation
 320 *      @remove: remove element from set
 321 *      @walk: iterate over all set elements
 322 *      @get: get set elements
 323 *      @privsize: function to return size of set private data
 324 *      @init: initialize private data of new set instance
 325 *      @destroy: destroy private data of set instance
 326 *      @elemsize: element private size
 327 *
 328 *      Operations lookup, update and delete have simpler interfaces, are faster
 329 *      and currently only used in the packet path. All the rest are slower,
 330 *      control plane functions.
 331 */
 332struct nft_set_ops {
 333        bool                            (*lookup)(const struct net *net,
 334                                                  const struct nft_set *set,
 335                                                  const u32 *key,
 336                                                  const struct nft_set_ext **ext);
 337        bool                            (*update)(struct nft_set *set,
 338                                                  const u32 *key,
 339                                                  void *(*new)(struct nft_set *,
 340                                                               const struct nft_expr *,
 341                                                               struct nft_regs *),
 342                                                  const struct nft_expr *expr,
 343                                                  struct nft_regs *regs,
 344                                                  const struct nft_set_ext **ext);
 345        bool                            (*delete)(const struct nft_set *set,
 346                                                  const u32 *key);
 347
 348        int                             (*insert)(const struct net *net,
 349                                                  const struct nft_set *set,
 350                                                  const struct nft_set_elem *elem,
 351                                                  struct nft_set_ext **ext);
 352        void                            (*activate)(const struct net *net,
 353                                                    const struct nft_set *set,
 354                                                    const struct nft_set_elem *elem);
 355        void *                          (*deactivate)(const struct net *net,
 356                                                      const struct nft_set *set,
 357                                                      const struct nft_set_elem *elem);
 358        bool                            (*flush)(const struct net *net,
 359                                                 const struct nft_set *set,
 360                                                 void *priv);
 361        void                            (*remove)(const struct net *net,
 362                                                  const struct nft_set *set,
 363                                                  const struct nft_set_elem *elem);
 364        void                            (*walk)(const struct nft_ctx *ctx,
 365                                                struct nft_set *set,
 366                                                struct nft_set_iter *iter);
 367        void *                          (*get)(const struct net *net,
 368                                               const struct nft_set *set,
 369                                               const struct nft_set_elem *elem,
 370                                               unsigned int flags);
 371
 372        u64                             (*privsize)(const struct nlattr * const nla[],
 373                                                    const struct nft_set_desc *desc);
 374        bool                            (*estimate)(const struct nft_set_desc *desc,
 375                                                    u32 features,
 376                                                    struct nft_set_estimate *est);
 377        int                             (*init)(const struct nft_set *set,
 378                                                const struct nft_set_desc *desc,
 379                                                const struct nlattr * const nla[]);
 380        void                            (*destroy)(const struct nft_set *set);
 381        void                            (*gc_init)(const struct nft_set *set);
 382
 383        unsigned int                    elemsize;
 384};
 385
 386/**
 387 *      struct nft_set_type - nf_tables set type
 388 *
 389 *      @ops: set ops for this type
 390 *      @features: features supported by the implementation
 391 */
 392struct nft_set_type {
 393        const struct nft_set_ops        ops;
 394        u32                             features;
 395};
 396#define to_set_type(o) container_of(o, struct nft_set_type, ops)
 397
 398/**
 399 *      struct nft_set - nf_tables set instance
 400 *
 401 *      @list: table set list node
 402 *      @bindings: list of set bindings
 403 *      @table: table this set belongs to
 404 *      @net: netnamespace this set belongs to
 405 *      @name: name of the set
 406 *      @handle: unique handle of the set
 407 *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
 408 *      @dtype: data type (verdict or numeric type defined by userspace)
 409 *      @objtype: object type (see NFT_OBJECT_* definitions)
 410 *      @size: maximum set size
 411 *      @field_len: length of each field in concatenation, bytes
 412 *      @field_count: number of concatenated fields in element
 413 *      @use: number of rules references to this set
 414 *      @nelems: number of elements
 415 *      @ndeact: number of deactivated elements queued for removal
 416 *      @timeout: default timeout value in jiffies
 417 *      @gc_int: garbage collection interval in msecs
 418 *      @policy: set parameterization (see enum nft_set_policies)
 419 *      @udlen: user data length
 420 *      @udata: user data
 421 *      @expr: stateful expression
 422 *      @ops: set ops
 423 *      @flags: set flags
 424 *      @genmask: generation mask
 425 *      @klen: key length
 426 *      @dlen: data length
 427 *      @data: private set data
 428 */
 429struct nft_set {
 430        struct list_head                list;
 431        struct list_head                bindings;
 432        struct nft_table                *table;
 433        possible_net_t                  net;
 434        char                            *name;
 435        u64                             handle;
 436        u32                             ktype;
 437        u32                             dtype;
 438        u32                             objtype;
 439        u32                             size;
 440        u8                              field_len[NFT_REG32_COUNT];
 441        u8                              field_count;
 442        u32                             use;
 443        atomic_t                        nelems;
 444        u32                             ndeact;
 445        u64                             timeout;
 446        u32                             gc_int;
 447        u16                             policy;
 448        u16                             udlen;
 449        unsigned char                   *udata;
 450        struct nft_expr                 *expr;
 451        /* runtime data below here */
 452        const struct nft_set_ops        *ops ____cacheline_aligned;
 453        u16                             flags:14,
 454                                        genmask:2;
 455        u8                              klen;
 456        u8                              dlen;
 457        unsigned char                   data[]
 458                __attribute__((aligned(__alignof__(u64))));
 459};
 460
 461static inline bool nft_set_is_anonymous(const struct nft_set *set)
 462{
 463        return set->flags & NFT_SET_ANONYMOUS;
 464}
 465
 466static inline void *nft_set_priv(const struct nft_set *set)
 467{
 468        return (void *)set->data;
 469}
 470
 471static inline struct nft_set *nft_set_container_of(const void *priv)
 472{
 473        return (void *)priv - offsetof(struct nft_set, data);
 474}
 475
 476struct nft_set *nft_set_lookup_global(const struct net *net,
 477                                      const struct nft_table *table,
 478                                      const struct nlattr *nla_set_name,
 479                                      const struct nlattr *nla_set_id,
 480                                      u8 genmask);
 481
 482static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
 483{
 484        return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
 485}
 486
 487/**
 488 *      struct nft_set_binding - nf_tables set binding
 489 *
 490 *      @list: set bindings list node
 491 *      @chain: chain containing the rule bound to the set
 492 *      @flags: set action flags
 493 *
 494 *      A set binding contains all information necessary for validation
 495 *      of new elements added to a bound set.
 496 */
 497struct nft_set_binding {
 498        struct list_head                list;
 499        const struct nft_chain          *chain;
 500        u32                             flags;
 501};
 502
 503enum nft_trans_phase;
 504void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 505                              struct nft_set_binding *binding,
 506                              enum nft_trans_phase phase);
 507int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 508                       struct nft_set_binding *binding);
 509void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
 510
 511/**
 512 *      enum nft_set_extensions - set extension type IDs
 513 *
 514 *      @NFT_SET_EXT_KEY: element key
 515 *      @NFT_SET_EXT_KEY_END: upper bound element key, for ranges
 516 *      @NFT_SET_EXT_DATA: mapping data
 517 *      @NFT_SET_EXT_FLAGS: element flags
 518 *      @NFT_SET_EXT_TIMEOUT: element timeout
 519 *      @NFT_SET_EXT_EXPIRATION: element expiration time
 520 *      @NFT_SET_EXT_USERDATA: user data associated with the element
 521 *      @NFT_SET_EXT_EXPR: expression assiociated with the element
 522 *      @NFT_SET_EXT_OBJREF: stateful object reference associated with element
 523 *      @NFT_SET_EXT_NUM: number of extension types
 524 */
 525enum nft_set_extensions {
 526        NFT_SET_EXT_KEY,
 527        NFT_SET_EXT_KEY_END,
 528        NFT_SET_EXT_DATA,
 529        NFT_SET_EXT_FLAGS,
 530        NFT_SET_EXT_TIMEOUT,
 531        NFT_SET_EXT_EXPIRATION,
 532        NFT_SET_EXT_USERDATA,
 533        NFT_SET_EXT_EXPR,
 534        NFT_SET_EXT_OBJREF,
 535        NFT_SET_EXT_NUM
 536};
 537
 538/**
 539 *      struct nft_set_ext_type - set extension type
 540 *
 541 *      @len: fixed part length of the extension
 542 *      @align: alignment requirements of the extension
 543 */
 544struct nft_set_ext_type {
 545        u8      len;
 546        u8      align;
 547};
 548
 549extern const struct nft_set_ext_type nft_set_ext_types[];
 550
 551/**
 552 *      struct nft_set_ext_tmpl - set extension template
 553 *
 554 *      @len: length of extension area
 555 *      @offset: offsets of individual extension types
 556 */
 557struct nft_set_ext_tmpl {
 558        u16     len;
 559        u8      offset[NFT_SET_EXT_NUM];
 560};
 561
 562/**
 563 *      struct nft_set_ext - set extensions
 564 *
 565 *      @genmask: generation mask
 566 *      @offset: offsets of individual extension types
 567 *      @data: beginning of extension data
 568 */
 569struct nft_set_ext {
 570        u8      genmask;
 571        u8      offset[NFT_SET_EXT_NUM];
 572        char    data[];
 573};
 574
 575static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
 576{
 577        memset(tmpl, 0, sizeof(*tmpl));
 578        tmpl->len = sizeof(struct nft_set_ext);
 579}
 580
 581static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
 582                                          unsigned int len)
 583{
 584        tmpl->len        = ALIGN(tmpl->len, nft_set_ext_types[id].align);
 585        BUG_ON(tmpl->len > U8_MAX);
 586        tmpl->offset[id] = tmpl->len;
 587        tmpl->len       += nft_set_ext_types[id].len + len;
 588}
 589
 590static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
 591{
 592        nft_set_ext_add_length(tmpl, id, 0);
 593}
 594
 595static inline void nft_set_ext_init(struct nft_set_ext *ext,
 596                                    const struct nft_set_ext_tmpl *tmpl)
 597{
 598        memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
 599}
 600
 601static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 602{
 603        return !!ext->offset[id];
 604}
 605
 606static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
 607{
 608        return ext && __nft_set_ext_exists(ext, id);
 609}
 610
 611static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
 612{
 613        return (void *)ext + ext->offset[id];
 614}
 615
 616static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
 617{
 618        return nft_set_ext(ext, NFT_SET_EXT_KEY);
 619}
 620
 621static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext)
 622{
 623        return nft_set_ext(ext, NFT_SET_EXT_KEY_END);
 624}
 625
 626static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
 627{
 628        return nft_set_ext(ext, NFT_SET_EXT_DATA);
 629}
 630
 631static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
 632{
 633        return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
 634}
 635
 636static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
 637{
 638        return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
 639}
 640
 641static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
 642{
 643        return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
 644}
 645
 646static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
 647{
 648        return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
 649}
 650
 651static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
 652{
 653        return nft_set_ext(ext, NFT_SET_EXT_EXPR);
 654}
 655
 656static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
 657{
 658        return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
 659               time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
 660}
 661
 662static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
 663                                                   void *elem)
 664{
 665        return elem + set->ops->elemsize;
 666}
 667
 668static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
 669{
 670        return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
 671}
 672
 673struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
 674                                         const struct nft_set *set,
 675                                         const struct nlattr *attr);
 676
 677void *nft_set_elem_init(const struct nft_set *set,
 678                        const struct nft_set_ext_tmpl *tmpl,
 679                        const u32 *key, const u32 *key_end, const u32 *data,
 680                        u64 timeout, u64 expiration, gfp_t gfp);
 681void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 682                          bool destroy_expr);
 683
 684/**
 685 *      struct nft_set_gc_batch_head - nf_tables set garbage collection batch
 686 *
 687 *      @rcu: rcu head
 688 *      @set: set the elements belong to
 689 *      @cnt: count of elements
 690 */
 691struct nft_set_gc_batch_head {
 692        struct rcu_head                 rcu;
 693        const struct nft_set            *set;
 694        unsigned int                    cnt;
 695};
 696
 697#define NFT_SET_GC_BATCH_SIZE   ((PAGE_SIZE -                             \
 698                                  sizeof(struct nft_set_gc_batch_head)) / \
 699                                 sizeof(void *))
 700
 701/**
 702 *      struct nft_set_gc_batch - nf_tables set garbage collection batch
 703 *
 704 *      @head: GC batch head
 705 *      @elems: garbage collection elements
 706 */
 707struct nft_set_gc_batch {
 708        struct nft_set_gc_batch_head    head;
 709        void                            *elems[NFT_SET_GC_BATCH_SIZE];
 710};
 711
 712struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
 713                                                gfp_t gfp);
 714void nft_set_gc_batch_release(struct rcu_head *rcu);
 715
 716static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
 717{
 718        if (gcb != NULL)
 719                call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
 720}
 721
 722static inline struct nft_set_gc_batch *
 723nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
 724                       gfp_t gfp)
 725{
 726        if (gcb != NULL) {
 727                if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
 728                        return gcb;
 729                nft_set_gc_batch_complete(gcb);
 730        }
 731        return nft_set_gc_batch_alloc(set, gfp);
 732}
 733
 734static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
 735                                        void *elem)
 736{
 737        gcb->elems[gcb->head.cnt++] = elem;
 738}
 739
 740struct nft_expr_ops;
 741/**
 742 *      struct nft_expr_type - nf_tables expression type
 743 *
 744 *      @select_ops: function to select nft_expr_ops
 745 *      @release_ops: release nft_expr_ops
 746 *      @ops: default ops, used when no select_ops functions is present
 747 *      @list: used internally
 748 *      @name: Identifier
 749 *      @owner: module reference
 750 *      @policy: netlink attribute policy
 751 *      @maxattr: highest netlink attribute number
 752 *      @family: address family for AF-specific types
 753 *      @flags: expression type flags
 754 */
 755struct nft_expr_type {
 756        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
 757                                                       const struct nlattr * const tb[]);
 758        void                            (*release_ops)(const struct nft_expr_ops *ops);
 759        const struct nft_expr_ops       *ops;
 760        struct list_head                list;
 761        const char                      *name;
 762        struct module                   *owner;
 763        const struct nla_policy         *policy;
 764        unsigned int                    maxattr;
 765        u8                              family;
 766        u8                              flags;
 767};
 768
 769#define NFT_EXPR_STATEFUL               0x1
 770#define NFT_EXPR_GC                     0x2
 771
 772enum nft_trans_phase {
 773        NFT_TRANS_PREPARE,
 774        NFT_TRANS_ABORT,
 775        NFT_TRANS_COMMIT,
 776        NFT_TRANS_RELEASE
 777};
 778
 779struct nft_flow_rule;
 780struct nft_offload_ctx;
 781
 782/**
 783 *      struct nft_expr_ops - nf_tables expression operations
 784 *
 785 *      @eval: Expression evaluation function
 786 *      @size: full expression size, including private data size
 787 *      @init: initialization function
 788 *      @activate: activate expression in the next generation
 789 *      @deactivate: deactivate expression in next generation
 790 *      @destroy: destruction function, called after synchronize_rcu
 791 *      @dump: function to dump parameters
 792 *      @type: expression type
 793 *      @validate: validate expression, called during loop detection
 794 *      @data: extra data to attach to this expression operation
 795 */
 796struct nft_expr;
 797struct nft_expr_ops {
 798        void                            (*eval)(const struct nft_expr *expr,
 799                                                struct nft_regs *regs,
 800                                                const struct nft_pktinfo *pkt);
 801        int                             (*clone)(struct nft_expr *dst,
 802                                                 const struct nft_expr *src);
 803        unsigned int                    size;
 804
 805        int                             (*init)(const struct nft_ctx *ctx,
 806                                                const struct nft_expr *expr,
 807                                                const struct nlattr * const tb[]);
 808        void                            (*activate)(const struct nft_ctx *ctx,
 809                                                    const struct nft_expr *expr);
 810        void                            (*deactivate)(const struct nft_ctx *ctx,
 811                                                      const struct nft_expr *expr,
 812                                                      enum nft_trans_phase phase);
 813        void                            (*destroy)(const struct nft_ctx *ctx,
 814                                                   const struct nft_expr *expr);
 815        void                            (*destroy_clone)(const struct nft_ctx *ctx,
 816                                                         const struct nft_expr *expr);
 817        int                             (*dump)(struct sk_buff *skb,
 818                                                const struct nft_expr *expr);
 819        int                             (*validate)(const struct nft_ctx *ctx,
 820                                                    const struct nft_expr *expr,
 821                                                    const struct nft_data **data);
 822        bool                            (*gc)(struct net *net,
 823                                              const struct nft_expr *expr);
 824        int                             (*offload)(struct nft_offload_ctx *ctx,
 825                                                   struct nft_flow_rule *flow,
 826                                                   const struct nft_expr *expr);
 827        u32                             offload_flags;
 828        const struct nft_expr_type      *type;
 829        void                            *data;
 830};
 831
 832#define NFT_EXPR_MAXATTR                16
 833#define NFT_EXPR_SIZE(size)             (sizeof(struct nft_expr) + \
 834                                         ALIGN(size, __alignof__(struct nft_expr)))
 835
 836/**
 837 *      struct nft_expr - nf_tables expression
 838 *
 839 *      @ops: expression ops
 840 *      @data: expression private data
 841 */
 842struct nft_expr {
 843        const struct nft_expr_ops       *ops;
 844        unsigned char                   data[]
 845                __attribute__((aligned(__alignof__(u64))));
 846};
 847
 848static inline void *nft_expr_priv(const struct nft_expr *expr)
 849{
 850        return (void *)expr->data;
 851}
 852
 853int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
 854void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 855int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 856                  const struct nft_expr *expr);
 857
 858/**
 859 *      struct nft_rule - nf_tables rule
 860 *
 861 *      @list: used internally
 862 *      @handle: rule handle
 863 *      @genmask: generation mask
 864 *      @dlen: length of expression data
 865 *      @udata: user data is appended to the rule
 866 *      @data: expression data
 867 */
 868struct nft_rule {
 869        struct list_head                list;
 870        u64                             handle:42,
 871                                        genmask:2,
 872                                        dlen:12,
 873                                        udata:1;
 874        unsigned char                   data[]
 875                __attribute__((aligned(__alignof__(struct nft_expr))));
 876};
 877
 878static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
 879{
 880        return (struct nft_expr *)&rule->data[0];
 881}
 882
 883static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
 884{
 885        return ((void *)expr) + expr->ops->size;
 886}
 887
 888static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 889{
 890        return (struct nft_expr *)&rule->data[rule->dlen];
 891}
 892
 893static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 894{
 895        return (void *)&rule->data[rule->dlen];
 896}
 897
 898static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
 899                                            struct nft_regs *regs,
 900                                            const struct nft_pktinfo *pkt)
 901{
 902        struct nft_expr *expr;
 903
 904        if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
 905                expr = nft_set_ext_expr(ext);
 906                expr->ops->eval(expr, regs, pkt);
 907        }
 908}
 909
 910/*
 911 * The last pointer isn't really necessary, but the compiler isn't able to
 912 * determine that the result of nft_expr_last() is always the same since it
 913 * can't assume that the dlen value wasn't changed within calls in the loop.
 914 */
 915#define nft_rule_for_each_expr(expr, last, rule) \
 916        for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
 917             (expr) != (last); \
 918             (expr) = nft_expr_next(expr))
 919
 920enum nft_chain_flags {
 921        NFT_BASE_CHAIN                  = 0x1,
 922        NFT_CHAIN_HW_OFFLOAD            = 0x2,
 923};
 924
 925#define NFT_CHAIN_POLICY_UNSET          U8_MAX
 926
 927/**
 928 *      struct nft_chain - nf_tables chain
 929 *
 930 *      @rules: list of rules in the chain
 931 *      @list: used internally
 932 *      @rhlhead: used internally
 933 *      @table: table that this chain belongs to
 934 *      @handle: chain handle
 935 *      @use: number of jump references to this chain
 936 *      @flags: bitmask of enum nft_chain_flags
 937 *      @name: name of the chain
 938 */
 939struct nft_chain {
 940        struct nft_rule                 *__rcu *rules_gen_0;
 941        struct nft_rule                 *__rcu *rules_gen_1;
 942        struct list_head                rules;
 943        struct list_head                list;
 944        struct rhlist_head              rhlhead;
 945        struct nft_table                *table;
 946        u64                             handle;
 947        u32                             use;
 948        u8                              flags:6,
 949                                        genmask:2;
 950        char                            *name;
 951
 952        /* Only used during control plane commit phase: */
 953        struct nft_rule                 **rules_next;
 954};
 955
 956int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
 957
 958enum nft_chain_types {
 959        NFT_CHAIN_T_DEFAULT = 0,
 960        NFT_CHAIN_T_ROUTE,
 961        NFT_CHAIN_T_NAT,
 962        NFT_CHAIN_T_MAX
 963};
 964
 965/**
 966 *      struct nft_chain_type - nf_tables chain type info
 967 *
 968 *      @name: name of the type
 969 *      @type: numeric identifier
 970 *      @family: address family
 971 *      @owner: module owner
 972 *      @hook_mask: mask of valid hooks
 973 *      @hooks: array of hook functions
 974 *      @ops_register: base chain register function
 975 *      @ops_unregister: base chain unregister function
 976 */
 977struct nft_chain_type {
 978        const char                      *name;
 979        enum nft_chain_types            type;
 980        int                             family;
 981        struct module                   *owner;
 982        unsigned int                    hook_mask;
 983        nf_hookfn                       *hooks[NF_MAX_HOOKS];
 984        int                             (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
 985        void                            (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
 986};
 987
 988int nft_chain_validate_dependency(const struct nft_chain *chain,
 989                                  enum nft_chain_types type);
 990int nft_chain_validate_hooks(const struct nft_chain *chain,
 991                             unsigned int hook_flags);
 992
 993struct nft_stats {
 994        u64                     bytes;
 995        u64                     pkts;
 996        struct u64_stats_sync   syncp;
 997};
 998
 999struct nft_hook {
1000        struct list_head        list;

1001        struct nf_hook_ops      ops;
1002        struct rcu_head         rcu;
1003};
1004
1005/**
1006 *      struct nft_base_chain - nf_tables base chain
1007 *
1008 *      @ops: netfilter hook ops
1009 *      @hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)
1010 *      @type: chain type
1011 *      @policy: default policy
1012 *      @stats: per-cpu chain stats
1013 *      @chain: the chain
1014 *      @flow_block: flow block (for hardware offload)
1015 */
1016struct nft_base_chain {
1017        struct nf_hook_ops              ops;
1018        struct list_head                hook_list;
1019        const struct nft_chain_type     *type;
1020        u8                              policy;
1021        u8                              flags;
1022        struct nft_stats __percpu       *stats;
1023        struct nft_chain                chain;
1024        struct flow_block               flow_block;
1025};
1026
1027static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
1028{
1029        return container_of(chain, struct nft_base_chain, chain);
1030}
1031
1032static inline bool nft_is_base_chain(const struct nft_chain *chain)
1033{
1034        return chain->flags & NFT_BASE_CHAIN;
1035}
1036
1037int __nft_release_basechain(struct nft_ctx *ctx);
1038
1039unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1040
1041/**
1042 *      struct nft_table - nf_tables table
1043 *
1044 *      @list: used internally
1045 *      @chains_ht: chains in the table
1046 *      @chains: same, for stable walks
1047 *      @sets: sets in the table
1048 *      @objects: stateful objects in the table
1049 *      @flowtables: flow tables in the table
1050 *      @hgenerator: handle generator state
1051 *      @handle: table handle
1052 *      @use: number of chain references to this table
1053 *      @flags: table flag (see enum nft_table_flags)
1054 *      @genmask: generation mask
1055 *      @afinfo: address family info
1056 *      @name: name of the table
1057 */
1058struct nft_table {
1059        struct list_head                list;
1060        struct rhltable                 chains_ht;
1061        struct list_head                chains;
1062        struct list_head                sets;
1063        struct list_head                objects;
1064        struct list_head                flowtables;
1065        u64                             hgenerator;
1066        u64                             handle;
1067        u32                             use;
1068        u16                             family:6,
1069                                        flags:8,
1070                                        genmask:2;
1071        char                            *name;
1072};
1073
1074void nft_register_chain_type(const struct nft_chain_type *);
1075void nft_unregister_chain_type(const struct nft_chain_type *);
1076
1077int nft_register_expr(struct nft_expr_type *);
1078void nft_unregister_expr(struct nft_expr_type *);
1079
1080int nft_verdict_dump(struct sk_buff *skb, int type,
1081                     const struct nft_verdict *v);
1082
1083/**
1084 *      struct nft_object_hash_key - key to lookup nft_object
1085 *
1086 *      @name: name of the stateful object to look up
1087 *      @table: table the object belongs to
1088 */
1089struct nft_object_hash_key {
1090        const char                      *name;
1091        const struct nft_table          *table;
1092};
1093
1094/**
1095 *      struct nft_object - nf_tables stateful object
1096 *
1097 *      @list: table stateful object list node
1098 *      @key:  keys that identify this object
1099 *      @rhlhead: nft_objname_ht node
1100 *      @genmask: generation mask
1101 *      @use: number of references to this stateful object
1102 *      @handle: unique object handle
1103 *      @ops: object operations
1104 *      @data: object data, layout depends on type
1105 */
1106struct nft_object {
1107        struct list_head                list;
1108        struct rhlist_head              rhlhead;
1109        struct nft_object_hash_key      key;
1110        u32                             genmask:2,
1111                                        use:30;
1112        u64                             handle;
1113        /* runtime data below here */
1114        const struct nft_object_ops     *ops ____cacheline_aligned;
1115        unsigned char                   data[]
1116                __attribute__((aligned(__alignof__(u64))));
1117};
1118
1119static inline void *nft_obj_data(const struct nft_object *obj)
1120{
1121        return (void *)obj->data;
1122}
1123
1124#define nft_expr_obj(expr)      *((struct nft_object **)nft_expr_priv(expr))
1125
1126struct nft_object *nft_obj_lookup(const struct net *net,
1127                                  const struct nft_table *table,
1128                                  const struct nlattr *nla, u32 objtype,
1129                                  u8 genmask);
1130
1131void nft_obj_notify(struct net *net, const struct nft_table *table,
1132                    struct nft_object *obj, u32 portid, u32 seq,
1133                    int event, int family, int report, gfp_t gfp);
1134
1135/**
1136 *      struct nft_object_type - stateful object type
1137 *
1138 *      @select_ops: function to select nft_object_ops
1139 *      @ops: default ops, used when no select_ops functions is present
1140 *      @list: list node in list of object types
1141 *      @type: stateful object numeric type
1142 *      @owner: module owner
1143 *      @maxattr: maximum netlink attribute
1144 *      @policy: netlink attribute policy
1145 */
1146struct nft_object_type {
1147        const struct nft_object_ops     *(*select_ops)(const struct nft_ctx *,
1148                                                       const struct nlattr * const tb[]);
1149        const struct nft_object_ops     *ops;
1150        struct list_head                list;
1151        u32                             type;
1152        unsigned int                    maxattr;
1153        struct module                   *owner;
1154        const struct nla_policy         *policy;
1155};
1156
1157/**
1158 *      struct nft_object_ops - stateful object operations
1159 *
1160 *      @eval: stateful object evaluation function
1161 *      @size: stateful object size
1162 *      @init: initialize object from netlink attributes
1163 *      @destroy: release existing stateful object
1164 *      @dump: netlink dump stateful object
1165 *      @update: update stateful object
1166 */
1167struct nft_object_ops {
1168        void                            (*eval)(struct nft_object *obj,
1169                                                struct nft_regs *regs,
1170                                                const struct nft_pktinfo *pkt);
1171        unsigned int                    size;
1172        int                             (*init)(const struct nft_ctx *ctx,
1173                                                const struct nlattr *const tb[],
1174                                                struct nft_object *obj);
1175        void                            (*destroy)(const struct nft_ctx *ctx,
1176                                                   struct nft_object *obj);
1177        int                             (*dump)(struct sk_buff *skb,
1178                                                struct nft_object *obj,
1179                                                bool reset);
1180        void                            (*update)(struct nft_object *obj,
1181                                                  struct nft_object *newobj);
1182        const struct nft_object_type    *type;
1183};
1184
1185int nft_register_obj(struct nft_object_type *obj_type);
1186void nft_unregister_obj(struct nft_object_type *obj_type);
1187
1188#define NFT_NETDEVICE_MAX       256
1189
1190/**
1191 *      struct nft_flowtable - nf_tables flow table
1192 *
1193 *      @list: flow table list node in table list
1194 *      @table: the table the flow table is contained in
1195 *      @name: name of this flow table
1196 *      @hooknum: hook number
1197 *      @ops_len: number of hooks in array
1198 *      @genmask: generation mask
1199 *      @use: number of references to this flow table
1200 *      @handle: unique object handle
1201 *      @dev_name: array of device names
1202 *      @data: rhashtable and garbage collector
1203 *      @ops: array of hooks
1204 */
1205struct nft_flowtable {
1206        struct list_head                list;
1207        struct nft_table                *table;
1208        char                            *name;
1209        int                             hooknum;
1210        int                             ops_len;
1211        u32                             genmask:2,
1212                                        use:30;
1213        u64                             handle;
1214        /* runtime data below here */
1215        struct list_head                hook_list ____cacheline_aligned;
1216        struct nf_flowtable             data;
1217};
1218
1219struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1220                                           const struct nlattr *nla,
1221                                           u8 genmask);
1222
1223void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1224                                    struct nft_flowtable *flowtable,
1225                                    enum nft_trans_phase phase);
1226
1227void nft_register_flowtable_type(struct nf_flowtable_type *type);
1228void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1229
1230/**
1231 *      struct nft_traceinfo - nft tracing information and state
1232 *
1233 *      @pkt: pktinfo currently processed
1234 *      @basechain: base chain currently processed
1235 *      @chain: chain currently processed
1236 *      @rule:  rule that was evaluated
1237 *      @verdict: verdict given by rule
1238 *      @type: event type (enum nft_trace_types)
1239 *      @packet_dumped: packet headers sent in a previous traceinfo message
1240 *      @trace: other struct members are initialised
1241 */
1242struct nft_traceinfo {
1243        const struct nft_pktinfo        *pkt;
1244        const struct nft_base_chain     *basechain;
1245        const struct nft_chain          *chain;
1246        const struct nft_rule           *rule;
1247        const struct nft_verdict        *verdict;
1248        enum nft_trace_types            type;
1249        bool                            packet_dumped;
1250        bool                            trace;
1251};
1252
1253void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1254                    const struct nft_verdict *verdict,
1255                    const struct nft_chain *basechain);
1256
1257void nft_trace_notify(struct nft_traceinfo *info);
1258
1259#define MODULE_ALIAS_NFT_CHAIN(family, name) \
1260        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1261
1262#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1263        MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1264
1265#define MODULE_ALIAS_NFT_EXPR(name) \
1266        MODULE_ALIAS("nft-expr-" name)
1267
1268#define MODULE_ALIAS_NFT_OBJ(type) \
1269        MODULE_ALIAS("nft-obj-" __stringify(type))
1270
1271#if IS_ENABLED(CONFIG_NF_TABLES)
1272
1273/*
1274 * The gencursor defines two generations, the currently active and the
1275 * next one. Objects contain a bitmask of 2 bits specifying the generations
1276 * they're active in. A set bit means they're inactive in the generation
1277 * represented by that bit.
1278 *
1279 * New objects start out as inactive in the current and active in the
1280 * next generation. When committing the ruleset the bitmask is cleared,
1281 * meaning they're active in all generations. When removing an object,
1282 * it is set inactive in the next generation. After committing the ruleset,
1283 * the objects are removed.
1284 */
1285static inline unsigned int nft_gencursor_next(const struct net *net)
1286{
1287        return net->nft.gencursor + 1 == 1 ? 1 : 0;
1288}
1289
1290static inline u8 nft_genmask_next(const struct net *net)
1291{
1292        return 1 << nft_gencursor_next(net);
1293}
1294
1295static inline u8 nft_genmask_cur(const struct net *net)
1296{
1297        /* Use READ_ONCE() to prevent refetching the value for atomicity */
1298        return 1 << READ_ONCE(net->nft.gencursor);
1299}
1300
1301#define NFT_GENMASK_ANY         ((1 << 0) | (1 << 1))
1302
1303/*
1304 * Generic transaction helpers
1305 */
1306
1307/* Check if this object is currently active. */
1308#define nft_is_active(__net, __obj)                             \
1309        (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1310
1311/* Check if this object is active in the next generation. */
1312#define nft_is_active_next(__net, __obj)                        \
1313        (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1314
1315/* This object becomes active in the next generation. */
1316#define nft_activate_next(__net, __obj)                         \
1317        (__obj)->genmask = nft_genmask_cur(__net)
1318
1319/* This object becomes inactive in the next generation. */
1320#define nft_deactivate_next(__net, __obj)                       \
1321        (__obj)->genmask = nft_genmask_next(__net)
1322
1323/* After committing the ruleset, clear the stale generation bit. */
1324#define nft_clear(__net, __obj)                                 \
1325        (__obj)->genmask &= ~nft_genmask_next(__net)
1326#define nft_active_genmask(__obj, __genmask)                    \
1327        !((__obj)->genmask & __genmask)
1328
1329/*
1330 * Set element transaction helpers
1331 */
1332
1333static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1334                                       u8 genmask)
1335{
1336        return !(ext->genmask & genmask);
1337}
1338
1339static inline void nft_set_elem_change_active(const struct net *net,
1340                                              const struct nft_set *set,
1341                                              struct nft_set_ext *ext)
1342{
1343        ext->genmask ^= nft_genmask_next(net);
1344}
1345
1346#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1347
1348/*
1349 * We use a free bit in the genmask field to indicate the element
1350 * is busy, meaning it is currently being processed either by
1351 * the netlink API or GC.
1352 *
1353 * Even though the genmask is only a single byte wide, this works
1354 * because the extension structure if fully constant once initialized,
1355 * so there are no non-atomic write accesses unless it is already
1356 * marked busy.
1357 */
1358#define NFT_SET_ELEM_BUSY_MASK  (1 << 2)
1359
1360#if defined(__LITTLE_ENDIAN_BITFIELD)
1361#define NFT_SET_ELEM_BUSY_BIT   2
1362#elif defined(__BIG_ENDIAN_BITFIELD)
1363#define NFT_SET_ELEM_BUSY_BIT   (BITS_PER_LONG - BITS_PER_BYTE + 2)
1364#else
1365#error
1366#endif
1367
1368static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1369{
1370        unsigned long *word = (unsigned long *)ext;
1371
1372        BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1373        return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1374}
1375
1376static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1377{
1378        unsigned long *word = (unsigned long *)ext;
1379
1380        clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1381}
1382
1383/**
1384 *      struct nft_trans - nf_tables object update in transaction
1385 *
1386 *      @list: used internally
1387 *      @msg_type: message type
1388 *      @put_net: ctx->net needs to be put
1389 *      @ctx: transaction context
1390 *      @data: internal information related to the transaction
1391 */
1392struct nft_trans {
1393        struct list_head                list;
1394        int                             msg_type;
1395        bool                            put_net;
1396        struct nft_ctx                  ctx;
1397        char                            data[];
1398};
1399
1400struct nft_trans_rule {
1401        struct nft_rule                 *rule;
1402        struct nft_flow_rule            *flow;
1403        u32                             rule_id;
1404};
1405
1406#define nft_trans_rule(trans)   \
1407        (((struct nft_trans_rule *)trans->data)->rule)
1408#define nft_trans_flow_rule(trans)      \
1409        (((struct nft_trans_rule *)trans->data)->flow)
1410#define nft_trans_rule_id(trans)        \
1411        (((struct nft_trans_rule *)trans->data)->rule_id)
1412
1413struct nft_trans_set {
1414        struct nft_set                  *set;
1415        u32                             set_id;
1416        bool                            bound;
1417};
1418
1419#define nft_trans_set(trans)    \
1420        (((struct nft_trans_set *)trans->data)->set)
1421#define nft_trans_set_id(trans) \
1422        (((struct nft_trans_set *)trans->data)->set_id)
1423#define nft_trans_set_bound(trans)      \
1424        (((struct nft_trans_set *)trans->data)->bound)
1425
1426struct nft_trans_chain {
1427        bool                            update;
1428        char                            *name;
1429        struct nft_stats __percpu       *stats;
1430        u8                              policy;
1431};
1432
1433#define nft_trans_chain_update(trans)   \
1434        (((struct nft_trans_chain *)trans->data)->update)
1435#define nft_trans_chain_name(trans)     \
1436        (((struct nft_trans_chain *)trans->data)->name)
1437#define nft_trans_chain_stats(trans)    \
1438        (((struct nft_trans_chain *)trans->data)->stats)
1439#define nft_trans_chain_policy(trans)   \
1440        (((struct nft_trans_chain *)trans->data)->policy)
1441
1442struct nft_trans_table {
1443        bool                            update;
1444        bool                            enable;
1445};
1446
1447#define nft_trans_table_update(trans)   \
1448        (((struct nft_trans_table *)trans->data)->update)
1449#define nft_trans_table_enable(trans)   \
1450        (((struct nft_trans_table *)trans->data)->enable)
1451
1452struct nft_trans_elem {
1453        struct nft_set                  *set;
1454        struct nft_set_elem             elem;
1455        bool                            bound;
1456};
1457
1458#define nft_trans_elem_set(trans)       \
1459        (((struct nft_trans_elem *)trans->data)->set)
1460#define nft_trans_elem(trans)   \
1461        (((struct nft_trans_elem *)trans->data)->elem)
1462#define nft_trans_elem_set_bound(trans) \
1463        (((struct nft_trans_elem *)trans->data)->bound)
1464
1465struct nft_trans_obj {
1466        struct nft_object               *obj;
1467        struct nft_object               *newobj;
1468        bool                            update;
1469};
1470
1471#define nft_trans_obj(trans)    \
1472        (((struct nft_trans_obj *)trans->data)->obj)
1473#define nft_trans_obj_newobj(trans) \
1474        (((struct nft_trans_obj *)trans->data)->newobj)
1475#define nft_trans_obj_update(trans)     \
1476        (((struct nft_trans_obj *)trans->data)->update)
1477
1478struct nft_trans_flowtable {
1479        struct nft_flowtable            *flowtable;
1480};
1481
1482#define nft_trans_flowtable(trans)      \
1483        (((struct nft_trans_flowtable *)trans->data)->flowtable)
1484
1485int __init nft_chain_filter_init(void);
1486void nft_chain_filter_fini(void);
1487
1488void __init nft_chain_route_init(void);
1489void nft_chain_route_fini(void);
1490#endif /* _NET_NF_TABLES_H */
1491