1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _NET_NF_TABLES_H
3 #define _NET_NF_TABLES_H
4
5 #include <asm/unaligned.h>
6 #include <linux/list.h>
7 #include <linux/netfilter.h>
8 #include <linux/netfilter/nfnetlink.h>
9 #include <linux/netfilter/x_tables.h>
10 #include <linux/netfilter/nf_tables.h>
11 #include <linux/u64_stats_sync.h>
12 #include <linux/rhashtable.h>
13 #include <net/netfilter/nf_flow_table.h>
14 #include <net/netlink.h>
15 #include <net/flow_offload.h>
16 #include <net/netns/generic.h>
17
18 #define NFT_MAX_HOOKS (NF_INET_INGRESS + 1)
19
20 struct module;
21
22 #define NFT_JUMP_STACK_SIZE 16
23
24 enum {
25 NFT_PKTINFO_L4PROTO = (1 << 0),
26 NFT_PKTINFO_INNER = (1 << 1),
27 };
28
29 struct nft_pktinfo {
30 struct sk_buff *skb;
31 const struct nf_hook_state *state;
32 u8 flags;
33 u8 tprot;
34 u16 fragoff;
35 unsigned int thoff;
36 unsigned int inneroff;
37 };
38
nft_sk(const struct nft_pktinfo * pkt)39 static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)
40 {
41 return pkt->state->sk;
42 }
43
nft_thoff(const struct nft_pktinfo * pkt)44 static inline unsigned int nft_thoff(const struct nft_pktinfo *pkt)
45 {
46 return pkt->thoff;
47 }
48
nft_net(const struct nft_pktinfo * pkt)49 static inline struct net *nft_net(const struct nft_pktinfo *pkt)
50 {
51 return pkt->state->net;
52 }
53
nft_hook(const struct nft_pktinfo * pkt)54 static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
55 {
56 return pkt->state->hook;
57 }
58
nft_pf(const struct nft_pktinfo * pkt)59 static inline u8 nft_pf(const struct nft_pktinfo *pkt)
60 {
61 return pkt->state->pf;
62 }
63
nft_in(const struct nft_pktinfo * pkt)64 static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
65 {
66 return pkt->state->in;
67 }
68
nft_out(const struct nft_pktinfo * pkt)69 static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
70 {
71 return pkt->state->out;
72 }
73
nft_set_pktinfo(struct nft_pktinfo * pkt,struct sk_buff * skb,const struct nf_hook_state * state)74 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
75 struct sk_buff *skb,
76 const struct nf_hook_state *state)
77 {
78 pkt->skb = skb;
79 pkt->state = state;
80 }
81
nft_set_pktinfo_unspec(struct nft_pktinfo * pkt)82 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt)
83 {
84 pkt->flags = 0;
85 pkt->tprot = 0;
86 pkt->thoff = 0;
87 pkt->fragoff = 0;
88 }
89
90 /**
91 * struct nft_verdict - nf_tables verdict
92 *
93 * @code: nf_tables/netfilter verdict code
94 * @chain: destination chain for NFT_JUMP/NFT_GOTO
95 */
96 struct nft_verdict {
97 u32 code;
98 struct nft_chain *chain;
99 };
100
101 struct nft_data {
102 union {
103 u32 data[4];
104 struct nft_verdict verdict;
105 };
106 } __attribute__((aligned(__alignof__(u64))));
107
108 #define NFT_REG32_NUM 20
109
110 /**
111 * struct nft_regs - nf_tables register set
112 *
113 * @data: data registers
114 * @verdict: verdict register
115 *
116 * The first four data registers alias to the verdict register.
117 */
118 struct nft_regs {
119 union {
120 u32 data[NFT_REG32_NUM];
121 struct nft_verdict verdict;
122 };
123 };
124
125 struct nft_regs_track {
126 struct {
127 const struct nft_expr *selector;
128 const struct nft_expr *bitwise;
129 u8 num_reg;
130 } regs[NFT_REG32_NUM];
131
132 const struct nft_expr *cur;
133 const struct nft_expr *last;
134 };
135
136 /* Store/load an u8, u16 or u64 integer to/from the u32 data register.
137 *
138 * Note, when using concatenations, register allocation happens at 32-bit
139 * level. So for store instruction, pad the rest part with zero to avoid
140 * garbage values.
141 */
142
nft_reg_store8(u32 * dreg,u8 val)143 static inline void nft_reg_store8(u32 *dreg, u8 val)
144 {
145 *dreg = 0;
146 *(u8 *)dreg = val;
147 }
148
nft_reg_load8(const u32 * sreg)149 static inline u8 nft_reg_load8(const u32 *sreg)
150 {
151 return *(u8 *)sreg;
152 }
153
nft_reg_store16(u32 * dreg,u16 val)154 static inline void nft_reg_store16(u32 *dreg, u16 val)
155 {
156 *dreg = 0;
157 *(u16 *)dreg = val;
158 }
159
nft_reg_load16(const u32 * sreg)160 static inline u16 nft_reg_load16(const u32 *sreg)
161 {
162 return *(u16 *)sreg;
163 }
164
nft_reg_store64(u32 * dreg,u64 val)165 static inline void nft_reg_store64(u32 *dreg, u64 val)
166 {
167 put_unaligned(val, (u64 *)dreg);
168 }
169
nft_reg_load64(const u32 * sreg)170 static inline u64 nft_reg_load64(const u32 *sreg)
171 {
172 return get_unaligned((u64 *)sreg);
173 }
174
nft_data_copy(u32 * dst,const struct nft_data * src,unsigned int len)175 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
176 unsigned int len)
177 {
178 if (len % NFT_REG32_SIZE)
179 dst[len / NFT_REG32_SIZE] = 0;
180 memcpy(dst, src, len);
181 }
182
183 /**
184 * struct nft_ctx - nf_tables rule/set context
185 *
186 * @net: net namespace
187 * @table: the table the chain is contained in
188 * @chain: the chain the rule is contained in
189 * @nla: netlink attributes
190 * @portid: netlink portID of the original message
191 * @seq: netlink sequence number
192 * @family: protocol family
193 * @level: depth of the chains
194 * @report: notify via unicast netlink message
195 */
196 struct nft_ctx {
197 struct net *net;
198 struct nft_table *table;
199 struct nft_chain *chain;
200 const struct nlattr * const *nla;
201 u32 portid;
202 u32 seq;
203 u16 flags;
204 u8 family;
205 u8 level;
206 bool report;
207 };
208
209 enum nft_data_desc_flags {
210 NFT_DATA_DESC_SETELEM = (1 << 0),
211 };
212
213 struct nft_data_desc {
214 enum nft_data_types type;
215 unsigned int size;
216 unsigned int len;
217 unsigned int flags;
218 };
219
220 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
221 struct nft_data_desc *desc, const struct nlattr *nla);
222 void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
223 void nft_data_release(const struct nft_data *data, enum nft_data_types type);
224 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
225 enum nft_data_types type, unsigned int len);
226
nft_dreg_to_type(enum nft_registers reg)227 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
228 {
229 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
230 }
231
nft_type_to_reg(enum nft_data_types type)232 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
233 {
234 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
235 }
236
237 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
238 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
239
240 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
241 int nft_parse_register_store(const struct nft_ctx *ctx,
242 const struct nlattr *attr, u8 *dreg,
243 const struct nft_data *data,
244 enum nft_data_types type, unsigned int len);
245
246 /**
247 * struct nft_userdata - user defined data associated with an object
248 *
249 * @len: length of the data
250 * @data: content
251 *
252 * The presence of user data is indicated in an object specific fashion,
253 * so a length of zero can't occur and the value "len" indicates data
254 * of length len + 1.
255 */
256 struct nft_userdata {
257 u8 len;
258 unsigned char data[];
259 };
260
261 /**
262 * struct nft_set_elem - generic representation of set elements
263 *
264 * @key: element key
265 * @key_end: closing element key
266 * @priv: element private data and extensions
267 */
268 struct nft_set_elem {
269 union {
270 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
271 struct nft_data val;
272 } key;
273 union {
274 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
275 struct nft_data val;
276 } key_end;
277 union {
278 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
279 struct nft_data val;
280 } data;
281 void *priv;
282 };
283
284 struct nft_set;
285 struct nft_set_iter {
286 u8 genmask;
287 unsigned int count;
288 unsigned int skip;
289 int err;
290 int (*fn)(const struct nft_ctx *ctx,
291 struct nft_set *set,
292 const struct nft_set_iter *iter,
293 struct nft_set_elem *elem);
294 };
295
296 /**
297 * struct nft_set_desc - description of set elements
298 *
299 * @klen: key length
300 * @dlen: data length
301 * @size: number of set elements
302 * @field_len: length of each field in concatenation, bytes
303 * @field_count: number of concatenated fields in element
304 * @expr: set must support for expressions
305 */
306 struct nft_set_desc {
307 unsigned int klen;
308 unsigned int dlen;
309 unsigned int size;
310 u8 field_len[NFT_REG32_COUNT];
311 u8 field_count;
312 bool expr;
313 };
314
315 /**
316 * enum nft_set_class - performance class
317 *
318 * @NFT_LOOKUP_O_1: constant, O(1)
319 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
320 * @NFT_LOOKUP_O_N: linear, O(N)
321 */
322 enum nft_set_class {
323 NFT_SET_CLASS_O_1,
324 NFT_SET_CLASS_O_LOG_N,
325 NFT_SET_CLASS_O_N,
326 };
327
328 /**
329 * struct nft_set_estimate - estimation of memory and performance
330 * characteristics
331 *
332 * @size: required memory
333 * @lookup: lookup performance class
334 * @space: memory class
335 */
336 struct nft_set_estimate {
337 u64 size;
338 enum nft_set_class lookup;
339 enum nft_set_class space;
340 };
341
342 #define NFT_EXPR_MAXATTR 16
343 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
344 ALIGN(size, __alignof__(struct nft_expr)))
345
346 /**
347 * struct nft_expr - nf_tables expression
348 *
349 * @ops: expression ops
350 * @data: expression private data
351 */
352 struct nft_expr {
353 const struct nft_expr_ops *ops;
354 unsigned char data[]
355 __attribute__((aligned(__alignof__(u64))));
356 };
357
nft_expr_priv(const struct nft_expr * expr)358 static inline void *nft_expr_priv(const struct nft_expr *expr)
359 {
360 return (void *)expr->data;
361 }
362
363 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
364 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
365 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
366 const struct nft_expr *expr);
367 bool nft_expr_reduce_bitwise(struct nft_regs_track *track,
368 const struct nft_expr *expr);
369
370 struct nft_set_ext;
371
372 /**
373 * struct nft_set_ops - nf_tables set operations
374 *
375 * @lookup: look up an element within the set
376 * @update: update an element if exists, add it if doesn't exist
377 * @delete: delete an element
378 * @insert: insert new element into set
379 * @activate: activate new element in the next generation
380 * @deactivate: lookup for element and deactivate it in the next generation
381 * @flush: deactivate element in the next generation
382 * @remove: remove element from set
383 * @walk: iterate over all set elements
384 * @get: get set elements
385 * @privsize: function to return size of set private data
386 * @init: initialize private data of new set instance
387 * @destroy: destroy private data of set instance
388 * @elemsize: element private size
389 *
390 * Operations lookup, update and delete have simpler interfaces, are faster
391 * and currently only used in the packet path. All the rest are slower,
392 * control plane functions.
393 */
394 struct nft_set_ops {
395 bool (*lookup)(const struct net *net,
396 const struct nft_set *set,
397 const u32 *key,
398 const struct nft_set_ext **ext);
399 bool (*update)(struct nft_set *set,
400 const u32 *key,
401 void *(*new)(struct nft_set *,
402 const struct nft_expr *,
403 struct nft_regs *),
404 const struct nft_expr *expr,
405 struct nft_regs *regs,
406 const struct nft_set_ext **ext);
407 bool (*delete)(const struct nft_set *set,
408 const u32 *key);
409
410 int (*insert)(const struct net *net,
411 const struct nft_set *set,
412 const struct nft_set_elem *elem,
413 struct nft_set_ext **ext);
414 void (*activate)(const struct net *net,
415 const struct nft_set *set,
416 const struct nft_set_elem *elem);
417 void * (*deactivate)(const struct net *net,
418 const struct nft_set *set,
419 const struct nft_set_elem *elem);
420 bool (*flush)(const struct net *net,
421 const struct nft_set *set,
422 void *priv);
423 void (*remove)(const struct net *net,
424 const struct nft_set *set,
425 const struct nft_set_elem *elem);
426 void (*walk)(const struct nft_ctx *ctx,
427 struct nft_set *set,
428 struct nft_set_iter *iter);
429 void * (*get)(const struct net *net,
430 const struct nft_set *set,
431 const struct nft_set_elem *elem,
432 unsigned int flags);
433
434 u64 (*privsize)(const struct nlattr * const nla[],
435 const struct nft_set_desc *desc);
436 bool (*estimate)(const struct nft_set_desc *desc,
437 u32 features,
438 struct nft_set_estimate *est);
439 int (*init)(const struct nft_set *set,
440 const struct nft_set_desc *desc,
441 const struct nlattr * const nla[]);
442 void (*destroy)(const struct nft_set *set);
443 void (*gc_init)(const struct nft_set *set);
444
445 unsigned int elemsize;
446 };
447
448 /**
449 * struct nft_set_type - nf_tables set type
450 *
451 * @ops: set ops for this type
452 * @features: features supported by the implementation
453 */
454 struct nft_set_type {
455 const struct nft_set_ops ops;
456 u32 features;
457 };
458 #define to_set_type(o) container_of(o, struct nft_set_type, ops)
459
460 struct nft_set_elem_expr {
461 u8 size;
462 unsigned char data[]
463 __attribute__((aligned(__alignof__(struct nft_expr))));
464 };
465
466 #define nft_setelem_expr_at(__elem_expr, __offset) \
467 ((struct nft_expr *)&__elem_expr->data[__offset])
468
469 #define nft_setelem_expr_foreach(__expr, __elem_expr, __size) \
470 for (__expr = nft_setelem_expr_at(__elem_expr, 0), __size = 0; \
471 __size < (__elem_expr)->size; \
472 __size += (__expr)->ops->size, __expr = ((void *)(__expr)) + (__expr)->ops->size)
473
474 #define NFT_SET_EXPR_MAX 2
475
476 /**
477 * struct nft_set - nf_tables set instance
478 *
479 * @list: table set list node
480 * @bindings: list of set bindings
481 * @table: table this set belongs to
482 * @net: netnamespace this set belongs to
483 * @name: name of the set
484 * @handle: unique handle of the set
485 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
486 * @dtype: data type (verdict or numeric type defined by userspace)
487 * @objtype: object type (see NFT_OBJECT_* definitions)
488 * @size: maximum set size
489 * @field_len: length of each field in concatenation, bytes
490 * @field_count: number of concatenated fields in element
491 * @use: number of rules references to this set
492 * @nelems: number of elements
493 * @ndeact: number of deactivated elements queued for removal
494 * @timeout: default timeout value in jiffies
495 * @gc_int: garbage collection interval in msecs
496 * @policy: set parameterization (see enum nft_set_policies)
497 * @udlen: user data length
498 * @udata: user data
499 * @expr: stateful expression
500 * @ops: set ops
501 * @flags: set flags
502 * @genmask: generation mask
503 * @klen: key length
504 * @dlen: data length
505 * @data: private set data
506 */
507 struct nft_set {
508 struct list_head list;
509 struct list_head bindings;
510 struct nft_table *table;
511 possible_net_t net;
512 char *name;
513 u64 handle;
514 u32 ktype;
515 u32 dtype;
516 u32 objtype;
517 u32 size;
518 u8 field_len[NFT_REG32_COUNT];
519 u8 field_count;
520 u32 use;
521 atomic_t nelems;
522 u32 ndeact;
523 u64 timeout;
524 u32 gc_int;
525 u16 policy;
526 u16 udlen;
527 unsigned char *udata;
528 /* runtime data below here */
529 const struct nft_set_ops *ops ____cacheline_aligned;
530 u16 flags:14,
531 genmask:2;
532 u8 klen;
533 u8 dlen;
534 u8 num_exprs;
535 struct nft_expr *exprs[NFT_SET_EXPR_MAX];
536 struct list_head catchall_list;
537 unsigned char data[]
538 __attribute__((aligned(__alignof__(u64))));
539 };
540
nft_set_is_anonymous(const struct nft_set * set)541 static inline bool nft_set_is_anonymous(const struct nft_set *set)
542 {
543 return set->flags & NFT_SET_ANONYMOUS;
544 }
545
nft_set_priv(const struct nft_set * set)546 static inline void *nft_set_priv(const struct nft_set *set)
547 {
548 return (void *)set->data;
549 }
550
nft_set_container_of(const void * priv)551 static inline struct nft_set *nft_set_container_of(const void *priv)
552 {
553 return (void *)priv - offsetof(struct nft_set, data);
554 }
555
556 struct nft_set *nft_set_lookup_global(const struct net *net,
557 const struct nft_table *table,
558 const struct nlattr *nla_set_name,
559 const struct nlattr *nla_set_id,
560 u8 genmask);
561
562 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
563 const struct nft_set *set);
564 void *nft_set_catchall_gc(const struct nft_set *set);
565
nft_set_gc_interval(const struct nft_set * set)566 static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
567 {
568 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
569 }
570
571 /**
572 * struct nft_set_binding - nf_tables set binding
573 *
574 * @list: set bindings list node
575 * @chain: chain containing the rule bound to the set
576 * @flags: set action flags
577 *
578 * A set binding contains all information necessary for validation
579 * of new elements added to a bound set.
580 */
581 struct nft_set_binding {
582 struct list_head list;
583 const struct nft_chain *chain;
584 u32 flags;
585 };
586
587 enum nft_trans_phase;
588 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
589 struct nft_set_binding *binding,
590 enum nft_trans_phase phase);
591 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
592 struct nft_set_binding *binding);
593 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
594
595 /**
596 * enum nft_set_extensions - set extension type IDs
597 *
598 * @NFT_SET_EXT_KEY: element key
599 * @NFT_SET_EXT_KEY_END: upper bound element key, for ranges
600 * @NFT_SET_EXT_DATA: mapping data
601 * @NFT_SET_EXT_FLAGS: element flags
602 * @NFT_SET_EXT_TIMEOUT: element timeout
603 * @NFT_SET_EXT_EXPIRATION: element expiration time
604 * @NFT_SET_EXT_USERDATA: user data associated with the element
605 * @NFT_SET_EXT_EXPRESSIONS: expressions assiciated with the element
606 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element
607 * @NFT_SET_EXT_NUM: number of extension types
608 */
609 enum nft_set_extensions {
610 NFT_SET_EXT_KEY,
611 NFT_SET_EXT_KEY_END,
612 NFT_SET_EXT_DATA,
613 NFT_SET_EXT_FLAGS,
614 NFT_SET_EXT_TIMEOUT,
615 NFT_SET_EXT_EXPIRATION,
616 NFT_SET_EXT_USERDATA,
617 NFT_SET_EXT_EXPRESSIONS,
618 NFT_SET_EXT_OBJREF,
619 NFT_SET_EXT_NUM
620 };
621
622 /**
623 * struct nft_set_ext_type - set extension type
624 *
625 * @len: fixed part length of the extension
626 * @align: alignment requirements of the extension
627 */
628 struct nft_set_ext_type {
629 u8 len;
630 u8 align;
631 };
632
633 extern const struct nft_set_ext_type nft_set_ext_types[];
634
635 /**
636 * struct nft_set_ext_tmpl - set extension template
637 *
638 * @len: length of extension area
639 * @offset: offsets of individual extension types
640 */
641 struct nft_set_ext_tmpl {
642 u16 len;
643 u8 offset[NFT_SET_EXT_NUM];
644 };
645
646 /**
647 * struct nft_set_ext - set extensions
648 *
649 * @genmask: generation mask
650 * @offset: offsets of individual extension types
651 * @data: beginning of extension data
652 */
653 struct nft_set_ext {
654 u8 genmask;
655 u8 offset[NFT_SET_EXT_NUM];
656 char data[];
657 };
658
nft_set_ext_prepare(struct nft_set_ext_tmpl * tmpl)659 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
660 {
661 memset(tmpl, 0, sizeof(*tmpl));
662 tmpl->len = sizeof(struct nft_set_ext);
663 }
664
nft_set_ext_add_length(struct nft_set_ext_tmpl * tmpl,u8 id,unsigned int len)665 static inline int nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
666 unsigned int len)
667 {
668 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align);
669 if (tmpl->len > U8_MAX)
670 return -EINVAL;
671
672 tmpl->offset[id] = tmpl->len;
673 tmpl->len += nft_set_ext_types[id].len + len;
674
675 return 0;
676 }
677
nft_set_ext_add(struct nft_set_ext_tmpl * tmpl,u8 id)678 static inline int nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
679 {
680 return nft_set_ext_add_length(tmpl, id, 0);
681 }
682
nft_set_ext_init(struct nft_set_ext * ext,const struct nft_set_ext_tmpl * tmpl)683 static inline void nft_set_ext_init(struct nft_set_ext *ext,
684 const struct nft_set_ext_tmpl *tmpl)
685 {
686 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
687 }
688
__nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)689 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
690 {
691 return !!ext->offset[id];
692 }
693
nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)694 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
695 {
696 return ext && __nft_set_ext_exists(ext, id);
697 }
698
nft_set_ext(const struct nft_set_ext * ext,u8 id)699 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
700 {
701 return (void *)ext + ext->offset[id];
702 }
703
nft_set_ext_key(const struct nft_set_ext * ext)704 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
705 {
706 return nft_set_ext(ext, NFT_SET_EXT_KEY);
707 }
708
nft_set_ext_key_end(const struct nft_set_ext * ext)709 static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext)
710 {
711 return nft_set_ext(ext, NFT_SET_EXT_KEY_END);
712 }
713
nft_set_ext_data(const struct nft_set_ext * ext)714 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
715 {
716 return nft_set_ext(ext, NFT_SET_EXT_DATA);
717 }
718
nft_set_ext_flags(const struct nft_set_ext * ext)719 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
720 {
721 return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
722 }
723
nft_set_ext_timeout(const struct nft_set_ext * ext)724 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
725 {
726 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
727 }
728
nft_set_ext_expiration(const struct nft_set_ext * ext)729 static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
730 {
731 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
732 }
733
nft_set_ext_userdata(const struct nft_set_ext * ext)734 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
735 {
736 return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
737 }
738
nft_set_ext_expr(const struct nft_set_ext * ext)739 static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
740 {
741 return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS);
742 }
743
nft_set_elem_expired(const struct nft_set_ext * ext)744 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
745 {
746 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
747 time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
748 }
749
nft_set_elem_ext(const struct nft_set * set,void * elem)750 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
751 void *elem)
752 {
753 return elem + set->ops->elemsize;
754 }
755
nft_set_ext_obj(const struct nft_set_ext * ext)756 static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
757 {
758 return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
759 }
760
761 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
762 const struct nft_set *set,
763 const struct nlattr *attr);
764
765 void *nft_set_elem_init(const struct nft_set *set,
766 const struct nft_set_ext_tmpl *tmpl,
767 const u32 *key, const u32 *key_end, const u32 *data,
768 u64 timeout, u64 expiration, gfp_t gfp);
769 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
770 struct nft_expr *expr_array[]);
771 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
772 bool destroy_expr);
773
774 /**
775 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
776 *
777 * @rcu: rcu head
778 * @set: set the elements belong to
779 * @cnt: count of elements
780 */
781 struct nft_set_gc_batch_head {
782 struct rcu_head rcu;
783 const struct nft_set *set;
784 unsigned int cnt;
785 };
786
787 #define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \
788 sizeof(struct nft_set_gc_batch_head)) / \
789 sizeof(void *))
790
791 /**
792 * struct nft_set_gc_batch - nf_tables set garbage collection batch
793 *
794 * @head: GC batch head
795 * @elems: garbage collection elements
796 */
797 struct nft_set_gc_batch {
798 struct nft_set_gc_batch_head head;
799 void *elems[NFT_SET_GC_BATCH_SIZE];
800 };
801
802 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
803 gfp_t gfp);
804 void nft_set_gc_batch_release(struct rcu_head *rcu);
805
nft_set_gc_batch_complete(struct nft_set_gc_batch * gcb)806 static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
807 {
808 if (gcb != NULL)
809 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
810 }
811
812 static inline struct nft_set_gc_batch *
nft_set_gc_batch_check(const struct nft_set * set,struct nft_set_gc_batch * gcb,gfp_t gfp)813 nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
814 gfp_t gfp)
815 {
816 if (gcb != NULL) {
817 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
818 return gcb;
819 nft_set_gc_batch_complete(gcb);
820 }
821 return nft_set_gc_batch_alloc(set, gfp);
822 }
823
nft_set_gc_batch_add(struct nft_set_gc_batch * gcb,void * elem)824 static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
825 void *elem)
826 {
827 gcb->elems[gcb->head.cnt++] = elem;
828 }
829
830 struct nft_expr_ops;
831 /**
832 * struct nft_expr_type - nf_tables expression type
833 *
834 * @select_ops: function to select nft_expr_ops
835 * @release_ops: release nft_expr_ops
836 * @ops: default ops, used when no select_ops functions is present
837 * @list: used internally
838 * @name: Identifier
839 * @owner: module reference
840 * @policy: netlink attribute policy
841 * @maxattr: highest netlink attribute number
842 * @family: address family for AF-specific types
843 * @flags: expression type flags
844 */
845 struct nft_expr_type {
846 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
847 const struct nlattr * const tb[]);
848 void (*release_ops)(const struct nft_expr_ops *ops);
849 const struct nft_expr_ops *ops;
850 struct list_head list;
851 const char *name;
852 struct module *owner;
853 const struct nla_policy *policy;
854 unsigned int maxattr;
855 u8 family;
856 u8 flags;
857 };
858
859 #define NFT_EXPR_STATEFUL 0x1
860 #define NFT_EXPR_GC 0x2
861
862 enum nft_trans_phase {
863 NFT_TRANS_PREPARE,
864 NFT_TRANS_ABORT,
865 NFT_TRANS_COMMIT,
866 NFT_TRANS_RELEASE
867 };
868
869 struct nft_flow_rule;
870 struct nft_offload_ctx;
871
872 /**
873 * struct nft_expr_ops - nf_tables expression operations
874 *
875 * @eval: Expression evaluation function
876 * @size: full expression size, including private data size
877 * @init: initialization function
878 * @activate: activate expression in the next generation
879 * @deactivate: deactivate expression in next generation
880 * @destroy: destruction function, called after synchronize_rcu
881 * @dump: function to dump parameters
882 * @type: expression type
883 * @validate: validate expression, called during loop detection
884 * @data: extra data to attach to this expression operation
885 */
886 struct nft_expr_ops {
887 void (*eval)(const struct nft_expr *expr,
888 struct nft_regs *regs,
889 const struct nft_pktinfo *pkt);
890 int (*clone)(struct nft_expr *dst,
891 const struct nft_expr *src);
892 unsigned int size;
893
894 int (*init)(const struct nft_ctx *ctx,
895 const struct nft_expr *expr,
896 const struct nlattr * const tb[]);
897 void (*activate)(const struct nft_ctx *ctx,
898 const struct nft_expr *expr);
899 void (*deactivate)(const struct nft_ctx *ctx,
900 const struct nft_expr *expr,
901 enum nft_trans_phase phase);
902 void (*destroy)(const struct nft_ctx *ctx,
903 const struct nft_expr *expr);
904 void (*destroy_clone)(const struct nft_ctx *ctx,
905 const struct nft_expr *expr);
906 int (*dump)(struct sk_buff *skb,
907 const struct nft_expr *expr);
908 int (*validate)(const struct nft_ctx *ctx,
909 const struct nft_expr *expr,
910 const struct nft_data **data);
911 bool (*reduce)(struct nft_regs_track *track,
912 const struct nft_expr *expr);
913 bool (*gc)(struct net *net,
914 const struct nft_expr *expr);
915 int (*offload)(struct nft_offload_ctx *ctx,
916 struct nft_flow_rule *flow,
917 const struct nft_expr *expr);
918 bool (*offload_action)(const struct nft_expr *expr);
919 void (*offload_stats)(struct nft_expr *expr,
920 const struct flow_stats *stats);
921 const struct nft_expr_type *type;
922 void *data;
923 };
924
925 /**
926 * struct nft_rule - nf_tables rule
927 *
928 * @list: used internally
929 * @handle: rule handle
930 * @genmask: generation mask
931 * @dlen: length of expression data
932 * @udata: user data is appended to the rule
933 * @data: expression data
934 */
935 struct nft_rule {
936 struct list_head list;
937 u64 handle:42,
938 genmask:2,
939 dlen:12,
940 udata:1;
941 unsigned char data[]
942 __attribute__((aligned(__alignof__(struct nft_expr))));
943 };
944
nft_expr_first(const struct nft_rule * rule)945 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
946 {
947 return (struct nft_expr *)&rule->data[0];
948 }
949
nft_expr_next(const struct nft_expr * expr)950 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
951 {
952 return ((void *)expr) + expr->ops->size;
953 }
954
nft_expr_last(const struct nft_rule * rule)955 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
956 {
957 return (struct nft_expr *)&rule->data[rule->dlen];
958 }
959
nft_expr_more(const struct nft_rule * rule,const struct nft_expr * expr)960 static inline bool nft_expr_more(const struct nft_rule *rule,
961 const struct nft_expr *expr)
962 {
963 return expr != nft_expr_last(rule) && expr->ops;
964 }
965
nft_userdata(const struct nft_rule * rule)966 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
967 {
968 return (void *)&rule->data[rule->dlen];
969 }
970
971 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule);
972
nft_set_elem_update_expr(const struct nft_set_ext * ext,struct nft_regs * regs,const struct nft_pktinfo * pkt)973 static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
974 struct nft_regs *regs,
975 const struct nft_pktinfo *pkt)
976 {
977 struct nft_set_elem_expr *elem_expr;
978 struct nft_expr *expr;
979 u32 size;
980
981 if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) {
982 elem_expr = nft_set_ext_expr(ext);
983 nft_setelem_expr_foreach(expr, elem_expr, size) {
984 expr->ops->eval(expr, regs, pkt);
985 if (regs->verdict.code == NFT_BREAK)
986 return;
987 }
988 }
989 }
990
991 /*
992 * The last pointer isn't really necessary, but the compiler isn't able to
993 * determine that the result of nft_expr_last() is always the same since it
994 * can't assume that the dlen value wasn't changed within calls in the loop.
995 */
996 #define nft_rule_for_each_expr(expr, last, rule) \
997 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
998 (expr) != (last); \
999 (expr) = nft_expr_next(expr))
1000
1001 #define NFT_CHAIN_POLICY_UNSET U8_MAX
1002
1003 struct nft_rule_dp {
1004 u64 is_last:1,
1005 dlen:12,
1006 handle:42; /* for tracing */
1007 unsigned char data[]
1008 __attribute__((aligned(__alignof__(struct nft_expr))));
1009 };
1010
1011 struct nft_rule_blob {
1012 unsigned long size;
1013 unsigned char data[]
1014 __attribute__((aligned(__alignof__(struct nft_rule_dp))));
1015 };
1016
1017 /**
1018 * struct nft_chain - nf_tables chain
1019 *
1020 * @rules: list of rules in the chain
1021 * @list: used internally
1022 * @rhlhead: used internally
1023 * @table: table that this chain belongs to
1024 * @handle: chain handle
1025 * @use: number of jump references to this chain
1026 * @flags: bitmask of enum nft_chain_flags
1027 * @name: name of the chain
1028 */
1029 struct nft_chain {
1030 struct nft_rule_blob __rcu *blob_gen_0;
1031 struct nft_rule_blob __rcu *blob_gen_1;
1032 struct list_head rules;
1033 struct list_head list;
1034 struct rhlist_head rhlhead;
1035 struct nft_table *table;
1036 u64 handle;
1037 u32 use;
1038 u8 flags:5,
1039 bound:1,
1040 genmask:2;
1041 char *name;
1042 u16 udlen;
1043 u8 *udata;
1044
1045 /* Only used during control plane commit phase: */
1046 struct nft_rule_blob *blob_next;
1047 };
1048
1049 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
1050
1051 enum nft_chain_types {
1052 NFT_CHAIN_T_DEFAULT = 0,
1053 NFT_CHAIN_T_ROUTE,
1054 NFT_CHAIN_T_NAT,
1055 NFT_CHAIN_T_MAX
1056 };
1057
1058 /**
1059 * struct nft_chain_type - nf_tables chain type info
1060 *
1061 * @name: name of the type
1062 * @type: numeric identifier
1063 * @family: address family
1064 * @owner: module owner
1065 * @hook_mask: mask of valid hooks
1066 * @hooks: array of hook functions
1067 * @ops_register: base chain register function
1068 * @ops_unregister: base chain unregister function
1069 */
1070 struct nft_chain_type {
1071 const char *name;
1072 enum nft_chain_types type;
1073 int family;
1074 struct module *owner;
1075 unsigned int hook_mask;
1076 nf_hookfn *hooks[NFT_MAX_HOOKS];
1077 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
1078 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
1079 };
1080
1081 int nft_chain_validate_dependency(const struct nft_chain *chain,
1082 enum nft_chain_types type);
1083 int nft_chain_validate_hooks(const struct nft_chain *chain,
1084 unsigned int hook_flags);
1085
nft_chain_is_bound(struct nft_chain * chain)1086 static inline bool nft_chain_is_bound(struct nft_chain *chain)
1087 {
1088 return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
1089 }
1090
1091 void nft_chain_del(struct nft_chain *chain);
1092 void nf_tables_chain_destroy(struct nft_ctx *ctx);
1093
1094 struct nft_stats {
1095 u64 bytes;
1096 u64 pkts;
1097 struct u64_stats_sync syncp;
1098 };
1099
1100 struct nft_hook {
1101 struct list_head list;
1102 struct nf_hook_ops ops;
1103 struct rcu_head rcu;
1104 };
1105
1106 /**
1107 * struct nft_base_chain - nf_tables base chain
1108 *
1109 * @ops: netfilter hook ops
1110 * @hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)
1111 * @type: chain type
1112 * @policy: default policy
1113 * @stats: per-cpu chain stats
1114 * @chain: the chain
1115 * @flow_block: flow block (for hardware offload)
1116 */
1117 struct nft_base_chain {
1118 struct nf_hook_ops ops;
1119 struct list_head hook_list;
1120 const struct nft_chain_type *type;
1121 u8 policy;
1122 u8 flags;
1123 struct nft_stats __percpu *stats;
1124 struct nft_chain chain;
1125 struct flow_block flow_block;
1126 };
1127
nft_base_chain(const struct nft_chain * chain)1128 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
1129 {
1130 return container_of(chain, struct nft_base_chain, chain);
1131 }
1132
nft_is_base_chain(const struct nft_chain * chain)1133 static inline bool nft_is_base_chain(const struct nft_chain *chain)
1134 {
1135 return chain->flags & NFT_CHAIN_BASE;
1136 }
1137
1138 int __nft_release_basechain(struct nft_ctx *ctx);
1139
1140 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1141
1142 /**
1143 * struct nft_table - nf_tables table
1144 *
1145 * @list: used internally
1146 * @chains_ht: chains in the table
1147 * @chains: same, for stable walks
1148 * @sets: sets in the table
1149 * @objects: stateful objects in the table
1150 * @flowtables: flow tables in the table
1151 * @hgenerator: handle generator state
1152 * @handle: table handle
1153 * @use: number of chain references to this table
1154 * @flags: table flag (see enum nft_table_flags)
1155 * @genmask: generation mask
1156 * @afinfo: address family info
1157 * @name: name of the table
1158 */
1159 struct nft_table {
1160 struct list_head list;
1161 struct rhltable chains_ht;
1162 struct list_head chains;
1163 struct list_head sets;
1164 struct list_head objects;
1165 struct list_head flowtables;
1166 u64 hgenerator;
1167 u64 handle;
1168 u32 use;
1169 u16 family:6,
1170 flags:8,
1171 genmask:2;
1172 u32 nlpid;
1173 char *name;
1174 u16 udlen;
1175 u8 *udata;
1176 };
1177
nft_table_has_owner(const struct nft_table * table)1178 static inline bool nft_table_has_owner(const struct nft_table *table)
1179 {
1180 return table->flags & NFT_TABLE_F_OWNER;
1181 }
1182
nft_base_chain_netdev(int family,u32 hooknum)1183 static inline bool nft_base_chain_netdev(int family, u32 hooknum)
1184 {
1185 return family == NFPROTO_NETDEV ||
1186 (family == NFPROTO_INET && hooknum == NF_INET_INGRESS);
1187 }
1188
1189 void nft_register_chain_type(const struct nft_chain_type *);
1190 void nft_unregister_chain_type(const struct nft_chain_type *);
1191
1192 int nft_register_expr(struct nft_expr_type *);
1193 void nft_unregister_expr(struct nft_expr_type *);
1194
1195 int nft_verdict_dump(struct sk_buff *skb, int type,
1196 const struct nft_verdict *v);
1197
1198 /**
1199 * struct nft_object_hash_key - key to lookup nft_object
1200 *
1201 * @name: name of the stateful object to look up
1202 * @table: table the object belongs to
1203 */
1204 struct nft_object_hash_key {
1205 const char *name;
1206 const struct nft_table *table;
1207 };
1208
1209 /**
1210 * struct nft_object - nf_tables stateful object
1211 *
1212 * @list: table stateful object list node
1213 * @key: keys that identify this object
1214 * @rhlhead: nft_objname_ht node
1215 * @genmask: generation mask
1216 * @use: number of references to this stateful object
1217 * @handle: unique object handle
1218 * @ops: object operations
1219 * @data: object data, layout depends on type
1220 */
1221 struct nft_object {
1222 struct list_head list;
1223 struct rhlist_head rhlhead;
1224 struct nft_object_hash_key key;
1225 u32 genmask:2,
1226 use:30;
1227 u64 handle;
1228 u16 udlen;
1229 u8 *udata;
1230 /* runtime data below here */
1231 const struct nft_object_ops *ops ____cacheline_aligned;
1232 unsigned char data[]
1233 __attribute__((aligned(__alignof__(u64))));
1234 };
1235
nft_obj_data(const struct nft_object * obj)1236 static inline void *nft_obj_data(const struct nft_object *obj)
1237 {
1238 return (void *)obj->data;
1239 }
1240
1241 #define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr))
1242
1243 struct nft_object *nft_obj_lookup(const struct net *net,
1244 const struct nft_table *table,
1245 const struct nlattr *nla, u32 objtype,
1246 u8 genmask);
1247
1248 void nft_obj_notify(struct net *net, const struct nft_table *table,
1249 struct nft_object *obj, u32 portid, u32 seq,
1250 int event, u16 flags, int family, int report, gfp_t gfp);
1251
1252 /**
1253 * struct nft_object_type - stateful object type
1254 *
1255 * @select_ops: function to select nft_object_ops
1256 * @ops: default ops, used when no select_ops functions is present
1257 * @list: list node in list of object types
1258 * @type: stateful object numeric type
1259 * @owner: module owner
1260 * @maxattr: maximum netlink attribute
1261 * @policy: netlink attribute policy
1262 */
1263 struct nft_object_type {
1264 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *,
1265 const struct nlattr * const tb[]);
1266 const struct nft_object_ops *ops;
1267 struct list_head list;
1268 u32 type;
1269 unsigned int maxattr;
1270 struct module *owner;
1271 const struct nla_policy *policy;
1272 };
1273
1274 /**
1275 * struct nft_object_ops - stateful object operations
1276 *
1277 * @eval: stateful object evaluation function
1278 * @size: stateful object size
1279 * @init: initialize object from netlink attributes
1280 * @destroy: release existing stateful object
1281 * @dump: netlink dump stateful object
1282 * @update: update stateful object
1283 */
1284 struct nft_object_ops {
1285 void (*eval)(struct nft_object *obj,
1286 struct nft_regs *regs,
1287 const struct nft_pktinfo *pkt);
1288 unsigned int size;
1289 int (*init)(const struct nft_ctx *ctx,
1290 const struct nlattr *const tb[],
1291 struct nft_object *obj);
1292 void (*destroy)(const struct nft_ctx *ctx,
1293 struct nft_object *obj);
1294 int (*dump)(struct sk_buff *skb,
1295 struct nft_object *obj,
1296 bool reset);
1297 void (*update)(struct nft_object *obj,
1298 struct nft_object *newobj);
1299 const struct nft_object_type *type;
1300 };
1301
1302 int nft_register_obj(struct nft_object_type *obj_type);
1303 void nft_unregister_obj(struct nft_object_type *obj_type);
1304
1305 #define NFT_NETDEVICE_MAX 256
1306
1307 /**
1308 * struct nft_flowtable - nf_tables flow table
1309 *
1310 * @list: flow table list node in table list
1311 * @table: the table the flow table is contained in
1312 * @name: name of this flow table
1313 * @hooknum: hook number
1314 * @ops_len: number of hooks in array
1315 * @genmask: generation mask
1316 * @use: number of references to this flow table
1317 * @handle: unique object handle
1318 * @dev_name: array of device names
1319 * @data: rhashtable and garbage collector
1320 * @ops: array of hooks
1321 */
1322 struct nft_flowtable {
1323 struct list_head list;
1324 struct nft_table *table;
1325 char *name;
1326 int hooknum;
1327 int ops_len;
1328 u32 genmask:2,
1329 use:30;
1330 u64 handle;
1331 /* runtime data below here */
1332 struct list_head hook_list ____cacheline_aligned;
1333 struct nf_flowtable data;
1334 };
1335
1336 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1337 const struct nlattr *nla,
1338 u8 genmask);
1339
1340 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1341 struct nft_flowtable *flowtable,
1342 enum nft_trans_phase phase);
1343
1344 void nft_register_flowtable_type(struct nf_flowtable_type *type);
1345 void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1346
1347 /**
1348 * struct nft_traceinfo - nft tracing information and state
1349 *
1350 * @trace: other struct members are initialised
1351 * @nf_trace: copy of skb->nf_trace before rule evaluation
1352 * @type: event type (enum nft_trace_types)
1353 * @skbid: hash of skb to be used as trace id
1354 * @packet_dumped: packet headers sent in a previous traceinfo message
1355 * @pkt: pktinfo currently processed
1356 * @basechain: base chain currently processed
1357 * @chain: chain currently processed
1358 * @rule: rule that was evaluated
1359 * @verdict: verdict given by rule
1360 */
1361 struct nft_traceinfo {
1362 bool trace;
1363 bool nf_trace;
1364 bool packet_dumped;
1365 enum nft_trace_types type:8;
1366 u32 skbid;
1367 const struct nft_pktinfo *pkt;
1368 const struct nft_base_chain *basechain;
1369 const struct nft_chain *chain;
1370 const struct nft_rule_dp *rule;
1371 const struct nft_verdict *verdict;
1372 };
1373
1374 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1375 const struct nft_verdict *verdict,
1376 const struct nft_chain *basechain);
1377
1378 void nft_trace_notify(struct nft_traceinfo *info);
1379
1380 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
1381 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1382
1383 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1384 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1385
1386 #define MODULE_ALIAS_NFT_EXPR(name) \
1387 MODULE_ALIAS("nft-expr-" name)
1388
1389 #define MODULE_ALIAS_NFT_OBJ(type) \
1390 MODULE_ALIAS("nft-obj-" __stringify(type))
1391
1392 #if IS_ENABLED(CONFIG_NF_TABLES)
1393
1394 /*
1395 * The gencursor defines two generations, the currently active and the
1396 * next one. Objects contain a bitmask of 2 bits specifying the generations
1397 * they're active in. A set bit means they're inactive in the generation
1398 * represented by that bit.
1399 *
1400 * New objects start out as inactive in the current and active in the
1401 * next generation. When committing the ruleset the bitmask is cleared,
1402 * meaning they're active in all generations. When removing an object,
1403 * it is set inactive in the next generation. After committing the ruleset,
1404 * the objects are removed.
1405 */
nft_gencursor_next(const struct net * net)1406 static inline unsigned int nft_gencursor_next(const struct net *net)
1407 {
1408 return net->nft.gencursor + 1 == 1 ? 1 : 0;
1409 }
1410
nft_genmask_next(const struct net * net)1411 static inline u8 nft_genmask_next(const struct net *net)
1412 {
1413 return 1 << nft_gencursor_next(net);
1414 }
1415
nft_genmask_cur(const struct net * net)1416 static inline u8 nft_genmask_cur(const struct net *net)
1417 {
1418 /* Use READ_ONCE() to prevent refetching the value for atomicity */
1419 return 1 << READ_ONCE(net->nft.gencursor);
1420 }
1421
1422 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
1423
1424 /*
1425 * Generic transaction helpers
1426 */
1427
1428 /* Check if this object is currently active. */
1429 #define nft_is_active(__net, __obj) \
1430 (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1431
1432 /* Check if this object is active in the next generation. */
1433 #define nft_is_active_next(__net, __obj) \
1434 (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1435
1436 /* This object becomes active in the next generation. */
1437 #define nft_activate_next(__net, __obj) \
1438 (__obj)->genmask = nft_genmask_cur(__net)
1439
1440 /* This object becomes inactive in the next generation. */
1441 #define nft_deactivate_next(__net, __obj) \
1442 (__obj)->genmask = nft_genmask_next(__net)
1443
1444 /* After committing the ruleset, clear the stale generation bit. */
1445 #define nft_clear(__net, __obj) \
1446 (__obj)->genmask &= ~nft_genmask_next(__net)
1447 #define nft_active_genmask(__obj, __genmask) \
1448 !((__obj)->genmask & __genmask)
1449
1450 /*
1451 * Set element transaction helpers
1452 */
1453
nft_set_elem_active(const struct nft_set_ext * ext,u8 genmask)1454 static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1455 u8 genmask)
1456 {
1457 return !(ext->genmask & genmask);
1458 }
1459
nft_set_elem_change_active(const struct net * net,const struct nft_set * set,struct nft_set_ext * ext)1460 static inline void nft_set_elem_change_active(const struct net *net,
1461 const struct nft_set *set,
1462 struct nft_set_ext *ext)
1463 {
1464 ext->genmask ^= nft_genmask_next(net);
1465 }
1466
1467 #endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1468
1469 /*
1470 * We use a free bit in the genmask field to indicate the element
1471 * is busy, meaning it is currently being processed either by
1472 * the netlink API or GC.
1473 *
1474 * Even though the genmask is only a single byte wide, this works
1475 * because the extension structure if fully constant once initialized,
1476 * so there are no non-atomic write accesses unless it is already
1477 * marked busy.
1478 */
1479 #define NFT_SET_ELEM_BUSY_MASK (1 << 2)
1480
1481 #if defined(__LITTLE_ENDIAN_BITFIELD)
1482 #define NFT_SET_ELEM_BUSY_BIT 2
1483 #elif defined(__BIG_ENDIAN_BITFIELD)
1484 #define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
1485 #else
1486 #error
1487 #endif
1488
nft_set_elem_mark_busy(struct nft_set_ext * ext)1489 static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1490 {
1491 unsigned long *word = (unsigned long *)ext;
1492
1493 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1494 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1495 }
1496
nft_set_elem_clear_busy(struct nft_set_ext * ext)1497 static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1498 {
1499 unsigned long *word = (unsigned long *)ext;
1500
1501 clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1502 }
1503
1504 /**
1505 * struct nft_trans - nf_tables object update in transaction
1506 *
1507 * @list: used internally
1508 * @msg_type: message type
1509 * @put_net: ctx->net needs to be put
1510 * @ctx: transaction context
1511 * @data: internal information related to the transaction
1512 */
1513 struct nft_trans {
1514 struct list_head list;
1515 int msg_type;
1516 bool put_net;
1517 struct nft_ctx ctx;
1518 char data[];
1519 };
1520
1521 struct nft_trans_rule {
1522 struct nft_rule *rule;
1523 struct nft_flow_rule *flow;
1524 u32 rule_id;
1525 };
1526
1527 #define nft_trans_rule(trans) \
1528 (((struct nft_trans_rule *)trans->data)->rule)
1529 #define nft_trans_flow_rule(trans) \
1530 (((struct nft_trans_rule *)trans->data)->flow)
1531 #define nft_trans_rule_id(trans) \
1532 (((struct nft_trans_rule *)trans->data)->rule_id)
1533
1534 struct nft_trans_set {
1535 struct nft_set *set;
1536 u32 set_id;
1537 bool bound;
1538 };
1539
1540 #define nft_trans_set(trans) \
1541 (((struct nft_trans_set *)trans->data)->set)
1542 #define nft_trans_set_id(trans) \
1543 (((struct nft_trans_set *)trans->data)->set_id)
1544 #define nft_trans_set_bound(trans) \
1545 (((struct nft_trans_set *)trans->data)->bound)
1546
1547 struct nft_trans_chain {
1548 bool update;
1549 char *name;
1550 struct nft_stats __percpu *stats;
1551 u8 policy;
1552 u32 chain_id;
1553 };
1554
1555 #define nft_trans_chain_update(trans) \
1556 (((struct nft_trans_chain *)trans->data)->update)
1557 #define nft_trans_chain_name(trans) \
1558 (((struct nft_trans_chain *)trans->data)->name)
1559 #define nft_trans_chain_stats(trans) \
1560 (((struct nft_trans_chain *)trans->data)->stats)
1561 #define nft_trans_chain_policy(trans) \
1562 (((struct nft_trans_chain *)trans->data)->policy)
1563 #define nft_trans_chain_id(trans) \
1564 (((struct nft_trans_chain *)trans->data)->chain_id)
1565
1566 struct nft_trans_table {
1567 bool update;
1568 };
1569
1570 #define nft_trans_table_update(trans) \
1571 (((struct nft_trans_table *)trans->data)->update)
1572
1573 struct nft_trans_elem {
1574 struct nft_set *set;
1575 struct nft_set_elem elem;
1576 bool bound;
1577 };
1578
1579 #define nft_trans_elem_set(trans) \
1580 (((struct nft_trans_elem *)trans->data)->set)
1581 #define nft_trans_elem(trans) \
1582 (((struct nft_trans_elem *)trans->data)->elem)
1583 #define nft_trans_elem_set_bound(trans) \
1584 (((struct nft_trans_elem *)trans->data)->bound)
1585
1586 struct nft_trans_obj {
1587 struct nft_object *obj;
1588 struct nft_object *newobj;
1589 bool update;
1590 };
1591
1592 #define nft_trans_obj(trans) \
1593 (((struct nft_trans_obj *)trans->data)->obj)
1594 #define nft_trans_obj_newobj(trans) \
1595 (((struct nft_trans_obj *)trans->data)->newobj)
1596 #define nft_trans_obj_update(trans) \
1597 (((struct nft_trans_obj *)trans->data)->update)
1598
1599 struct nft_trans_flowtable {
1600 struct nft_flowtable *flowtable;
1601 bool update;
1602 struct list_head hook_list;
1603 u32 flags;
1604 };
1605
1606 #define nft_trans_flowtable(trans) \
1607 (((struct nft_trans_flowtable *)trans->data)->flowtable)
1608 #define nft_trans_flowtable_update(trans) \
1609 (((struct nft_trans_flowtable *)trans->data)->update)
1610 #define nft_trans_flowtable_hooks(trans) \
1611 (((struct nft_trans_flowtable *)trans->data)->hook_list)
1612 #define nft_trans_flowtable_flags(trans) \
1613 (((struct nft_trans_flowtable *)trans->data)->flags)
1614
1615 int __init nft_chain_filter_init(void);
1616 void nft_chain_filter_fini(void);
1617
1618 void __init nft_chain_route_init(void);
1619 void nft_chain_route_fini(void);
1620
1621 void nf_tables_trans_destroy_flush_work(void);
1622
1623 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
1624 __be64 nf_jiffies64_to_msecs(u64 input);
1625
1626 #ifdef CONFIG_MODULES
1627 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...);
1628 #else
nft_request_module(struct net * net,const char * fmt,...)1629 static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; }
1630 #endif
1631
1632 struct nftables_pernet {
1633 struct list_head tables;
1634 struct list_head commit_list;
1635 struct list_head module_list;
1636 struct list_head notify_list;
1637 struct mutex commit_mutex;
1638 u64 table_handle;
1639 unsigned int base_seq;
1640 u8 validate_state;
1641 };
1642
1643 extern unsigned int nf_tables_net_id;
1644
nft_pernet(const struct net * net)1645 static inline struct nftables_pernet *nft_pernet(const struct net *net)
1646 {
1647 return net_generic(net, nf_tables_net_id);
1648 }
1649
1650 #define __NFT_REDUCE_READONLY 1UL
1651 #define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY
1652
nft_reduce_is_readonly(const struct nft_expr * expr)1653 static inline bool nft_reduce_is_readonly(const struct nft_expr *expr)
1654 {
1655 return expr->ops->reduce == NFT_REDUCE_READONLY;
1656 }
1657
1658 void nft_reg_track_update(struct nft_regs_track *track,
1659 const struct nft_expr *expr, u8 dreg, u8 len);
1660 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len);
1661 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg);
1662
nft_reg_track_cmp(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg)1663 static inline bool nft_reg_track_cmp(struct nft_regs_track *track,
1664 const struct nft_expr *expr, u8 dreg)
1665 {
1666 return track->regs[dreg].selector &&
1667 track->regs[dreg].selector->ops == expr->ops &&
1668 track->regs[dreg].num_reg == 0;
1669 }
1670
1671 #endif /* _NET_NF_TABLES_H */
1672