nf_tables.h (45351B)
1/* SPDX-License-Identifier: GPL-2.0 */ 2#ifndef _NET_NF_TABLES_H 3#define _NET_NF_TABLES_H 4 5#include <asm/unaligned.h> 6#include <linux/list.h> 7#include <linux/netfilter.h> 8#include <linux/netfilter/nfnetlink.h> 9#include <linux/netfilter/x_tables.h> 10#include <linux/netfilter/nf_tables.h> 11#include <linux/u64_stats_sync.h> 12#include <linux/rhashtable.h> 13#include <net/netfilter/nf_flow_table.h> 14#include <net/netlink.h> 15#include <net/flow_offload.h> 16#include <net/netns/generic.h> 17 18#define NFT_MAX_HOOKS (NF_INET_INGRESS + 1) 19 20struct module; 21 22#define NFT_JUMP_STACK_SIZE 16 23 24enum { 25 NFT_PKTINFO_L4PROTO = (1 << 0), 26 NFT_PKTINFO_INNER = (1 << 1), 27}; 28 29struct nft_pktinfo { 30 struct sk_buff *skb; 31 const struct nf_hook_state *state; 32 u8 flags; 33 u8 tprot; 34 u16 fragoff; 35 unsigned int thoff; 36 unsigned int inneroff; 37}; 38 39static inline struct sock *nft_sk(const struct nft_pktinfo *pkt) 40{ 41 return pkt->state->sk; 42} 43 44static inline unsigned int nft_thoff(const struct nft_pktinfo *pkt) 45{ 46 return pkt->thoff; 47} 48 49static inline struct net *nft_net(const struct nft_pktinfo *pkt) 50{ 51 return pkt->state->net; 52} 53 54static inline unsigned int nft_hook(const struct nft_pktinfo *pkt) 55{ 56 return pkt->state->hook; 57} 58 59static inline u8 nft_pf(const struct nft_pktinfo *pkt) 60{ 61 return pkt->state->pf; 62} 63 64static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt) 65{ 66 return pkt->state->in; 67} 68 69static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt) 70{ 71 return pkt->state->out; 72} 73 74static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 75 struct sk_buff *skb, 76 const struct nf_hook_state *state) 77{ 78 pkt->skb = skb; 79 pkt->state = state; 80} 81 82static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt) 83{ 84 pkt->flags = 0; 85 pkt->tprot = 0; 86 pkt->thoff = 0; 87 pkt->fragoff = 0; 88} 89 90/** 91 * struct nft_verdict - nf_tables verdict 92 * 93 * @code: nf_tables/netfilter verdict code 94 * @chain: destination chain for NFT_JUMP/NFT_GOTO 95 */ 96struct nft_verdict { 97 u32 code; 98 struct nft_chain *chain; 99}; 100 101struct nft_data { 102 union { 103 u32 data[4]; 104 struct nft_verdict verdict; 105 }; 106} __attribute__((aligned(__alignof__(u64)))); 107 108#define NFT_REG32_NUM 20 109 110/** 111 * struct nft_regs - nf_tables register set 112 * 113 * @data: data registers 114 * @verdict: verdict register 115 * 116 * The first four data registers alias to the verdict register. 117 */ 118struct nft_regs { 119 union { 120 u32 data[NFT_REG32_NUM]; 121 struct nft_verdict verdict; 122 }; 123}; 124 125struct nft_regs_track { 126 struct { 127 const struct nft_expr *selector; 128 const struct nft_expr *bitwise; 129 u8 num_reg; 130 } regs[NFT_REG32_NUM]; 131 132 const struct nft_expr *cur; 133 const struct nft_expr *last; 134}; 135 136/* Store/load an u8, u16 or u64 integer to/from the u32 data register. 137 * 138 * Note, when using concatenations, register allocation happens at 32-bit 139 * level. So for store instruction, pad the rest part with zero to avoid 140 * garbage values. 141 */ 142 143static inline void nft_reg_store8(u32 *dreg, u8 val) 144{ 145 *dreg = 0; 146 *(u8 *)dreg = val; 147} 148 149static inline u8 nft_reg_load8(const u32 *sreg) 150{ 151 return *(u8 *)sreg; 152} 153 154static inline void nft_reg_store16(u32 *dreg, u16 val) 155{ 156 *dreg = 0; 157 *(u16 *)dreg = val; 158} 159 160static inline u16 nft_reg_load16(const u32 *sreg) 161{ 162 return *(u16 *)sreg; 163} 164 165static inline void nft_reg_store64(u32 *dreg, u64 val) 166{ 167 put_unaligned(val, (u64 *)dreg); 168} 169 170static inline u64 nft_reg_load64(const u32 *sreg) 171{ 172 return get_unaligned((u64 *)sreg); 173} 174 175static inline void nft_data_copy(u32 *dst, const struct nft_data *src, 176 unsigned int len) 177{ 178 if (len % NFT_REG32_SIZE) 179 dst[len / NFT_REG32_SIZE] = 0; 180 memcpy(dst, src, len); 181} 182 183/** 184 * struct nft_ctx - nf_tables rule/set context 185 * 186 * @net: net namespace 187 * @table: the table the chain is contained in 188 * @chain: the chain the rule is contained in 189 * @nla: netlink attributes 190 * @portid: netlink portID of the original message 191 * @seq: netlink sequence number 192 * @family: protocol family 193 * @level: depth of the chains 194 * @report: notify via unicast netlink message 195 */ 196struct nft_ctx { 197 struct net *net; 198 struct nft_table *table; 199 struct nft_chain *chain; 200 const struct nlattr * const *nla; 201 u32 portid; 202 u32 seq; 203 u16 flags; 204 u8 family; 205 u8 level; 206 bool report; 207}; 208 209struct nft_data_desc { 210 enum nft_data_types type; 211 unsigned int len; 212}; 213 214int nft_data_init(const struct nft_ctx *ctx, 215 struct nft_data *data, unsigned int size, 216 struct nft_data_desc *desc, const struct nlattr *nla); 217void nft_data_hold(const struct nft_data *data, enum nft_data_types type); 218void nft_data_release(const struct nft_data *data, enum nft_data_types type); 219int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 220 enum nft_data_types type, unsigned int len); 221 222static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) 223{ 224 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; 225} 226 227static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) 228{ 229 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE; 230} 231 232int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest); 233int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg); 234 235int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len); 236int nft_parse_register_store(const struct nft_ctx *ctx, 237 const struct nlattr *attr, u8 *dreg, 238 const struct nft_data *data, 239 enum nft_data_types type, unsigned int len); 240 241/** 242 * struct nft_userdata - user defined data associated with an object 243 * 244 * @len: length of the data 245 * @data: content 246 * 247 * The presence of user data is indicated in an object specific fashion, 248 * so a length of zero can't occur and the value "len" indicates data 249 * of length len + 1. 250 */ 251struct nft_userdata { 252 u8 len; 253 unsigned char data[]; 254}; 255 256/** 257 * struct nft_set_elem - generic representation of set elements 258 * 259 * @key: element key 260 * @key_end: closing element key 261 * @priv: element private data and extensions 262 */ 263struct nft_set_elem { 264 union { 265 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 266 struct nft_data val; 267 } key; 268 union { 269 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 270 struct nft_data val; 271 } key_end; 272 union { 273 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 274 struct nft_data val; 275 } data; 276 void *priv; 277}; 278 279struct nft_set; 280struct nft_set_iter { 281 u8 genmask; 282 unsigned int count; 283 unsigned int skip; 284 int err; 285 int (*fn)(const struct nft_ctx *ctx, 286 struct nft_set *set, 287 const struct nft_set_iter *iter, 288 struct nft_set_elem *elem); 289}; 290 291/** 292 * struct nft_set_desc - description of set elements 293 * 294 * @klen: key length 295 * @dlen: data length 296 * @size: number of set elements 297 * @field_len: length of each field in concatenation, bytes 298 * @field_count: number of concatenated fields in element 299 * @expr: set must support for expressions 300 */ 301struct nft_set_desc { 302 unsigned int klen; 303 unsigned int dlen; 304 unsigned int size; 305 u8 field_len[NFT_REG32_COUNT]; 306 u8 field_count; 307 bool expr; 308}; 309 310/** 311 * enum nft_set_class - performance class 312 * 313 * @NFT_LOOKUP_O_1: constant, O(1) 314 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N) 315 * @NFT_LOOKUP_O_N: linear, O(N) 316 */ 317enum nft_set_class { 318 NFT_SET_CLASS_O_1, 319 NFT_SET_CLASS_O_LOG_N, 320 NFT_SET_CLASS_O_N, 321}; 322 323/** 324 * struct nft_set_estimate - estimation of memory and performance 325 * characteristics 326 * 327 * @size: required memory 328 * @lookup: lookup performance class 329 * @space: memory class 330 */ 331struct nft_set_estimate { 332 u64 size; 333 enum nft_set_class lookup; 334 enum nft_set_class space; 335}; 336 337#define NFT_EXPR_MAXATTR 16 338#define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ 339 ALIGN(size, __alignof__(struct nft_expr))) 340 341/** 342 * struct nft_expr - nf_tables expression 343 * 344 * @ops: expression ops 345 * @data: expression private data 346 */ 347struct nft_expr { 348 const struct nft_expr_ops *ops; 349 unsigned char data[] 350 __attribute__((aligned(__alignof__(u64)))); 351}; 352 353static inline void *nft_expr_priv(const struct nft_expr *expr) 354{ 355 return (void *)expr->data; 356} 357 358int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src); 359void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 360int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 361 const struct nft_expr *expr); 362bool nft_expr_reduce_bitwise(struct nft_regs_track *track, 363 const struct nft_expr *expr); 364 365struct nft_set_ext; 366 367/** 368 * struct nft_set_ops - nf_tables set operations 369 * 370 * @lookup: look up an element within the set 371 * @update: update an element if exists, add it if doesn't exist 372 * @delete: delete an element 373 * @insert: insert new element into set 374 * @activate: activate new element in the next generation 375 * @deactivate: lookup for element and deactivate it in the next generation 376 * @flush: deactivate element in the next generation 377 * @remove: remove element from set 378 * @walk: iterate over all set elements 379 * @get: get set elements 380 * @privsize: function to return size of set private data 381 * @init: initialize private data of new set instance 382 * @destroy: destroy private data of set instance 383 * @elemsize: element private size 384 * 385 * Operations lookup, update and delete have simpler interfaces, are faster 386 * and currently only used in the packet path. All the rest are slower, 387 * control plane functions. 388 */ 389struct nft_set_ops { 390 bool (*lookup)(const struct net *net, 391 const struct nft_set *set, 392 const u32 *key, 393 const struct nft_set_ext **ext); 394 bool (*update)(struct nft_set *set, 395 const u32 *key, 396 void *(*new)(struct nft_set *, 397 const struct nft_expr *, 398 struct nft_regs *), 399 const struct nft_expr *expr, 400 struct nft_regs *regs, 401 const struct nft_set_ext **ext); 402 bool (*delete)(const struct nft_set *set, 403 const u32 *key); 404 405 int (*insert)(const struct net *net, 406 const struct nft_set *set, 407 const struct nft_set_elem *elem, 408 struct nft_set_ext **ext); 409 void (*activate)(const struct net *net, 410 const struct nft_set *set, 411 const struct nft_set_elem *elem); 412 void * (*deactivate)(const struct net *net, 413 const struct nft_set *set, 414 const struct nft_set_elem *elem); 415 bool (*flush)(const struct net *net, 416 const struct nft_set *set, 417 void *priv); 418 void (*remove)(const struct net *net, 419 const struct nft_set *set, 420 const struct nft_set_elem *elem); 421 void (*walk)(const struct nft_ctx *ctx, 422 struct nft_set *set, 423 struct nft_set_iter *iter); 424 void * (*get)(const struct net *net, 425 const struct nft_set *set, 426 const struct nft_set_elem *elem, 427 unsigned int flags); 428 429 u64 (*privsize)(const struct nlattr * const nla[], 430 const struct nft_set_desc *desc); 431 bool (*estimate)(const struct nft_set_desc *desc, 432 u32 features, 433 struct nft_set_estimate *est); 434 int (*init)(const struct nft_set *set, 435 const struct nft_set_desc *desc, 436 const struct nlattr * const nla[]); 437 void (*destroy)(const struct nft_set *set); 438 void (*gc_init)(const struct nft_set *set); 439 440 unsigned int elemsize; 441}; 442 443/** 444 * struct nft_set_type - nf_tables set type 445 * 446 * @ops: set ops for this type 447 * @features: features supported by the implementation 448 */ 449struct nft_set_type { 450 const struct nft_set_ops ops; 451 u32 features; 452}; 453#define to_set_type(o) container_of(o, struct nft_set_type, ops) 454 455struct nft_set_elem_expr { 456 u8 size; 457 unsigned char data[] 458 __attribute__((aligned(__alignof__(struct nft_expr)))); 459}; 460 461#define nft_setelem_expr_at(__elem_expr, __offset) \ 462 ((struct nft_expr *)&__elem_expr->data[__offset]) 463 464#define nft_setelem_expr_foreach(__expr, __elem_expr, __size) \ 465 for (__expr = nft_setelem_expr_at(__elem_expr, 0), __size = 0; \ 466 __size < (__elem_expr)->size; \ 467 __size += (__expr)->ops->size, __expr = ((void *)(__expr)) + (__expr)->ops->size) 468 469#define NFT_SET_EXPR_MAX 2 470 471/** 472 * struct nft_set - nf_tables set instance 473 * 474 * @list: table set list node 475 * @bindings: list of set bindings 476 * @table: table this set belongs to 477 * @net: netnamespace this set belongs to 478 * @name: name of the set 479 * @handle: unique handle of the set 480 * @ktype: key type (numeric type defined by userspace, not used in the kernel) 481 * @dtype: data type (verdict or numeric type defined by userspace) 482 * @objtype: object type (see NFT_OBJECT_* definitions) 483 * @size: maximum set size 484 * @field_len: length of each field in concatenation, bytes 485 * @field_count: number of concatenated fields in element 486 * @use: number of rules references to this set 487 * @nelems: number of elements 488 * @ndeact: number of deactivated elements queued for removal 489 * @timeout: default timeout value in jiffies 490 * @gc_int: garbage collection interval in msecs 491 * @policy: set parameterization (see enum nft_set_policies) 492 * @udlen: user data length 493 * @udata: user data 494 * @expr: stateful expression 495 * @ops: set ops 496 * @flags: set flags 497 * @genmask: generation mask 498 * @klen: key length 499 * @dlen: data length 500 * @data: private set data 501 */ 502struct nft_set { 503 struct list_head list; 504 struct list_head bindings; 505 struct nft_table *table; 506 possible_net_t net; 507 char *name; 508 u64 handle; 509 u32 ktype; 510 u32 dtype; 511 u32 objtype; 512 u32 size; 513 u8 field_len[NFT_REG32_COUNT]; 514 u8 field_count; 515 u32 use; 516 atomic_t nelems; 517 u32 ndeact; 518 u64 timeout; 519 u32 gc_int; 520 u16 policy; 521 u16 udlen; 522 unsigned char *udata; 523 /* runtime data below here */ 524 const struct nft_set_ops *ops ____cacheline_aligned; 525 u16 flags:14, 526 genmask:2; 527 u8 klen; 528 u8 dlen; 529 u8 num_exprs; 530 struct nft_expr *exprs[NFT_SET_EXPR_MAX]; 531 struct list_head catchall_list; 532 unsigned char data[] 533 __attribute__((aligned(__alignof__(u64)))); 534}; 535 536static inline bool nft_set_is_anonymous(const struct nft_set *set) 537{ 538 return set->flags & NFT_SET_ANONYMOUS; 539} 540 541static inline void *nft_set_priv(const struct nft_set *set) 542{ 543 return (void *)set->data; 544} 545 546static inline struct nft_set *nft_set_container_of(const void *priv) 547{ 548 return (void *)priv - offsetof(struct nft_set, data); 549} 550 551struct nft_set *nft_set_lookup_global(const struct net *net, 552 const struct nft_table *table, 553 const struct nlattr *nla_set_name, 554 const struct nlattr *nla_set_id, 555 u8 genmask); 556 557struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 558 const struct nft_set *set); 559void *nft_set_catchall_gc(const struct nft_set *set); 560 561static inline unsigned long nft_set_gc_interval(const struct nft_set *set) 562{ 563 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ; 564} 565 566/** 567 * struct nft_set_binding - nf_tables set binding 568 * 569 * @list: set bindings list node 570 * @chain: chain containing the rule bound to the set 571 * @flags: set action flags 572 * 573 * A set binding contains all information necessary for validation 574 * of new elements added to a bound set. 575 */ 576struct nft_set_binding { 577 struct list_head list; 578 const struct nft_chain *chain; 579 u32 flags; 580}; 581 582enum nft_trans_phase; 583void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 584 struct nft_set_binding *binding, 585 enum nft_trans_phase phase); 586int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 587 struct nft_set_binding *binding); 588void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set); 589 590/** 591 * enum nft_set_extensions - set extension type IDs 592 * 593 * @NFT_SET_EXT_KEY: element key 594 * @NFT_SET_EXT_KEY_END: upper bound element key, for ranges 595 * @NFT_SET_EXT_DATA: mapping data 596 * @NFT_SET_EXT_FLAGS: element flags 597 * @NFT_SET_EXT_TIMEOUT: element timeout 598 * @NFT_SET_EXT_EXPIRATION: element expiration time 599 * @NFT_SET_EXT_USERDATA: user data associated with the element 600 * @NFT_SET_EXT_EXPRESSIONS: expressions assiciated with the element 601 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element 602 * @NFT_SET_EXT_NUM: number of extension types 603 */ 604enum nft_set_extensions { 605 NFT_SET_EXT_KEY, 606 NFT_SET_EXT_KEY_END, 607 NFT_SET_EXT_DATA, 608 NFT_SET_EXT_FLAGS, 609 NFT_SET_EXT_TIMEOUT, 610 NFT_SET_EXT_EXPIRATION, 611 NFT_SET_EXT_USERDATA, 612 NFT_SET_EXT_EXPRESSIONS, 613 NFT_SET_EXT_OBJREF, 614 NFT_SET_EXT_NUM 615}; 616 617/** 618 * struct nft_set_ext_type - set extension type 619 * 620 * @len: fixed part length of the extension 621 * @align: alignment requirements of the extension 622 */ 623struct nft_set_ext_type { 624 u8 len; 625 u8 align; 626}; 627 628extern const struct nft_set_ext_type nft_set_ext_types[]; 629 630/** 631 * struct nft_set_ext_tmpl - set extension template 632 * 633 * @len: length of extension area 634 * @offset: offsets of individual extension types 635 */ 636struct nft_set_ext_tmpl { 637 u16 len; 638 u8 offset[NFT_SET_EXT_NUM]; 639}; 640 641/** 642 * struct nft_set_ext - set extensions 643 * 644 * @genmask: generation mask 645 * @offset: offsets of individual extension types 646 * @data: beginning of extension data 647 */ 648struct nft_set_ext { 649 u8 genmask; 650 u8 offset[NFT_SET_EXT_NUM]; 651 char data[]; 652}; 653 654static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) 655{ 656 memset(tmpl, 0, sizeof(*tmpl)); 657 tmpl->len = sizeof(struct nft_set_ext); 658} 659 660static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id, 661 unsigned int len) 662{ 663 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align); 664 BUG_ON(tmpl->len > U8_MAX); 665 tmpl->offset[id] = tmpl->len; 666 tmpl->len += nft_set_ext_types[id].len + len; 667} 668 669static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id) 670{ 671 nft_set_ext_add_length(tmpl, id, 0); 672} 673 674static inline void nft_set_ext_init(struct nft_set_ext *ext, 675 const struct nft_set_ext_tmpl *tmpl) 676{ 677 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset)); 678} 679 680static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 681{ 682 return !!ext->offset[id]; 683} 684 685static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id) 686{ 687 return ext && __nft_set_ext_exists(ext, id); 688} 689 690static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id) 691{ 692 return (void *)ext + ext->offset[id]; 693} 694 695static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext) 696{ 697 return nft_set_ext(ext, NFT_SET_EXT_KEY); 698} 699 700static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext) 701{ 702 return nft_set_ext(ext, NFT_SET_EXT_KEY_END); 703} 704 705static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext) 706{ 707 return nft_set_ext(ext, NFT_SET_EXT_DATA); 708} 709 710static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext) 711{ 712 return nft_set_ext(ext, NFT_SET_EXT_FLAGS); 713} 714 715static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext) 716{ 717 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT); 718} 719 720static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext) 721{ 722 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION); 723} 724 725static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext) 726{ 727 return nft_set_ext(ext, NFT_SET_EXT_USERDATA); 728} 729 730static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ext *ext) 731{ 732 return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS); 733} 734 735static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) 736{ 737 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && 738 time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext)); 739} 740 741static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, 742 void *elem) 743{ 744 return elem + set->ops->elemsize; 745} 746 747static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext) 748{ 749 return nft_set_ext(ext, NFT_SET_EXT_OBJREF); 750} 751 752struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 753 const struct nft_set *set, 754 const struct nlattr *attr); 755 756void *nft_set_elem_init(const struct nft_set *set, 757 const struct nft_set_ext_tmpl *tmpl, 758 const u32 *key, const u32 *key_end, const u32 *data, 759 u64 timeout, u64 expiration, gfp_t gfp); 760int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 761 struct nft_expr *expr_array[]); 762void nft_set_elem_destroy(const struct nft_set *set, void *elem, 763 bool destroy_expr); 764 765/** 766 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch 767 * 768 * @rcu: rcu head 769 * @set: set the elements belong to 770 * @cnt: count of elements 771 */ 772struct nft_set_gc_batch_head { 773 struct rcu_head rcu; 774 const struct nft_set *set; 775 unsigned int cnt; 776}; 777 778#define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \ 779 sizeof(struct nft_set_gc_batch_head)) / \ 780 sizeof(void *)) 781 782/** 783 * struct nft_set_gc_batch - nf_tables set garbage collection batch 784 * 785 * @head: GC batch head 786 * @elems: garbage collection elements 787 */ 788struct nft_set_gc_batch { 789 struct nft_set_gc_batch_head head; 790 void *elems[NFT_SET_GC_BATCH_SIZE]; 791}; 792 793struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 794 gfp_t gfp); 795void nft_set_gc_batch_release(struct rcu_head *rcu); 796 797static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb) 798{ 799 if (gcb != NULL) 800 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release); 801} 802 803static inline struct nft_set_gc_batch * 804nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb, 805 gfp_t gfp) 806{ 807 if (gcb != NULL) { 808 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems)) 809 return gcb; 810 nft_set_gc_batch_complete(gcb); 811 } 812 return nft_set_gc_batch_alloc(set, gfp); 813} 814 815static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, 816 void *elem) 817{ 818 gcb->elems[gcb->head.cnt++] = elem; 819} 820 821struct nft_expr_ops; 822/** 823 * struct nft_expr_type - nf_tables expression type 824 * 825 * @select_ops: function to select nft_expr_ops 826 * @release_ops: release nft_expr_ops 827 * @ops: default ops, used when no select_ops functions is present 828 * @list: used internally 829 * @name: Identifier 830 * @owner: module reference 831 * @policy: netlink attribute policy 832 * @maxattr: highest netlink attribute number 833 * @family: address family for AF-specific types 834 * @flags: expression type flags 835 */ 836struct nft_expr_type { 837 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, 838 const struct nlattr * const tb[]); 839 void (*release_ops)(const struct nft_expr_ops *ops); 840 const struct nft_expr_ops *ops; 841 struct list_head list; 842 const char *name; 843 struct module *owner; 844 const struct nla_policy *policy; 845 unsigned int maxattr; 846 u8 family; 847 u8 flags; 848}; 849 850#define NFT_EXPR_STATEFUL 0x1 851#define NFT_EXPR_GC 0x2 852 853enum nft_trans_phase { 854 NFT_TRANS_PREPARE, 855 NFT_TRANS_ABORT, 856 NFT_TRANS_COMMIT, 857 NFT_TRANS_RELEASE 858}; 859 860struct nft_flow_rule; 861struct nft_offload_ctx; 862 863/** 864 * struct nft_expr_ops - nf_tables expression operations 865 * 866 * @eval: Expression evaluation function 867 * @size: full expression size, including private data size 868 * @init: initialization function 869 * @activate: activate expression in the next generation 870 * @deactivate: deactivate expression in next generation 871 * @destroy: destruction function, called after synchronize_rcu 872 * @dump: function to dump parameters 873 * @type: expression type 874 * @validate: validate expression, called during loop detection 875 * @data: extra data to attach to this expression operation 876 */ 877struct nft_expr_ops { 878 void (*eval)(const struct nft_expr *expr, 879 struct nft_regs *regs, 880 const struct nft_pktinfo *pkt); 881 int (*clone)(struct nft_expr *dst, 882 const struct nft_expr *src); 883 unsigned int size; 884 885 int (*init)(const struct nft_ctx *ctx, 886 const struct nft_expr *expr, 887 const struct nlattr * const tb[]); 888 void (*activate)(const struct nft_ctx *ctx, 889 const struct nft_expr *expr); 890 void (*deactivate)(const struct nft_ctx *ctx, 891 const struct nft_expr *expr, 892 enum nft_trans_phase phase); 893 void (*destroy)(const struct nft_ctx *ctx, 894 const struct nft_expr *expr); 895 void (*destroy_clone)(const struct nft_ctx *ctx, 896 const struct nft_expr *expr); 897 int (*dump)(struct sk_buff *skb, 898 const struct nft_expr *expr); 899 int (*validate)(const struct nft_ctx *ctx, 900 const struct nft_expr *expr, 901 const struct nft_data **data); 902 bool (*reduce)(struct nft_regs_track *track, 903 const struct nft_expr *expr); 904 bool (*gc)(struct net *net, 905 const struct nft_expr *expr); 906 int (*offload)(struct nft_offload_ctx *ctx, 907 struct nft_flow_rule *flow, 908 const struct nft_expr *expr); 909 bool (*offload_action)(const struct nft_expr *expr); 910 void (*offload_stats)(struct nft_expr *expr, 911 const struct flow_stats *stats); 912 const struct nft_expr_type *type; 913 void *data; 914}; 915 916/** 917 * struct nft_rule - nf_tables rule 918 * 919 * @list: used internally 920 * @handle: rule handle 921 * @genmask: generation mask 922 * @dlen: length of expression data 923 * @udata: user data is appended to the rule 924 * @data: expression data 925 */ 926struct nft_rule { 927 struct list_head list; 928 u64 handle:42, 929 genmask:2, 930 dlen:12, 931 udata:1; 932 unsigned char data[] 933 __attribute__((aligned(__alignof__(struct nft_expr)))); 934}; 935 936static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) 937{ 938 return (struct nft_expr *)&rule->data[0]; 939} 940 941static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) 942{ 943 return ((void *)expr) + expr->ops->size; 944} 945 946static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) 947{ 948 return (struct nft_expr *)&rule->data[rule->dlen]; 949} 950 951static inline bool nft_expr_more(const struct nft_rule *rule, 952 const struct nft_expr *expr) 953{ 954 return expr != nft_expr_last(rule) && expr->ops; 955} 956 957static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule) 958{ 959 return (void *)&rule->data[rule->dlen]; 960} 961 962void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule); 963 964static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, 965 struct nft_regs *regs, 966 const struct nft_pktinfo *pkt) 967{ 968 struct nft_set_elem_expr *elem_expr; 969 struct nft_expr *expr; 970 u32 size; 971 972 if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) { 973 elem_expr = nft_set_ext_expr(ext); 974 nft_setelem_expr_foreach(expr, elem_expr, size) { 975 expr->ops->eval(expr, regs, pkt); 976 if (regs->verdict.code == NFT_BREAK) 977 return; 978 } 979 } 980} 981 982/* 983 * The last pointer isn't really necessary, but the compiler isn't able to 984 * determine that the result of nft_expr_last() is always the same since it 985 * can't assume that the dlen value wasn't changed within calls in the loop. 986 */ 987#define nft_rule_for_each_expr(expr, last, rule) \ 988 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ 989 (expr) != (last); \ 990 (expr) = nft_expr_next(expr)) 991 992#define NFT_CHAIN_POLICY_UNSET U8_MAX 993 994struct nft_rule_dp { 995 u64 is_last:1, 996 dlen:12, 997 handle:42; /* for tracing */ 998 unsigned char data[] 999 __attribute__((aligned(__alignof__(struct nft_expr)))); 1000}; 1001 1002struct nft_rule_blob { 1003 unsigned long size; 1004 unsigned char data[] 1005 __attribute__((aligned(__alignof__(struct nft_rule_dp)))); 1006}; 1007 1008/** 1009 * struct nft_chain - nf_tables chain 1010 * 1011 * @rules: list of rules in the chain 1012 * @list: used internally 1013 * @rhlhead: used internally 1014 * @table: table that this chain belongs to 1015 * @handle: chain handle 1016 * @use: number of jump references to this chain 1017 * @flags: bitmask of enum nft_chain_flags 1018 * @name: name of the chain 1019 */ 1020struct nft_chain { 1021 struct nft_rule_blob __rcu *blob_gen_0; 1022 struct nft_rule_blob __rcu *blob_gen_1; 1023 struct list_head rules; 1024 struct list_head list; 1025 struct rhlist_head rhlhead; 1026 struct nft_table *table; 1027 u64 handle; 1028 u32 use; 1029 u8 flags:5, 1030 bound:1, 1031 genmask:2; 1032 char *name; 1033 u16 udlen; 1034 u8 *udata; 1035 1036 /* Only used during control plane commit phase: */ 1037 struct nft_rule_blob *blob_next; 1038}; 1039 1040int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain); 1041 1042enum nft_chain_types { 1043 NFT_CHAIN_T_DEFAULT = 0, 1044 NFT_CHAIN_T_ROUTE, 1045 NFT_CHAIN_T_NAT, 1046 NFT_CHAIN_T_MAX 1047}; 1048 1049/** 1050 * struct nft_chain_type - nf_tables chain type info 1051 * 1052 * @name: name of the type 1053 * @type: numeric identifier 1054 * @family: address family 1055 * @owner: module owner 1056 * @hook_mask: mask of valid hooks 1057 * @hooks: array of hook functions 1058 * @ops_register: base chain register function 1059 * @ops_unregister: base chain unregister function 1060 */ 1061struct nft_chain_type { 1062 const char *name; 1063 enum nft_chain_types type; 1064 int family; 1065 struct module *owner; 1066 unsigned int hook_mask; 1067 nf_hookfn *hooks[NFT_MAX_HOOKS]; 1068 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops); 1069 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops); 1070}; 1071 1072int nft_chain_validate_dependency(const struct nft_chain *chain, 1073 enum nft_chain_types type); 1074int nft_chain_validate_hooks(const struct nft_chain *chain, 1075 unsigned int hook_flags); 1076 1077static inline bool nft_chain_is_bound(struct nft_chain *chain) 1078{ 1079 return (chain->flags & NFT_CHAIN_BINDING) && chain->bound; 1080} 1081 1082void nft_chain_del(struct nft_chain *chain); 1083void nf_tables_chain_destroy(struct nft_ctx *ctx); 1084 1085struct nft_stats { 1086 u64 bytes; 1087 u64 pkts; 1088 struct u64_stats_sync syncp; 1089}; 1090 1091struct nft_hook { 1092 struct list_head list; 1093 struct nf_hook_ops ops; 1094 struct rcu_head rcu; 1095}; 1096 1097/** 1098 * struct nft_base_chain - nf_tables base chain 1099 * 1100 * @ops: netfilter hook ops 1101 * @hook_list: list of netfilter hooks (for NFPROTO_NETDEV family) 1102 * @type: chain type 1103 * @policy: default policy 1104 * @stats: per-cpu chain stats 1105 * @chain: the chain 1106 * @flow_block: flow block (for hardware offload) 1107 */ 1108struct nft_base_chain { 1109 struct nf_hook_ops ops; 1110 struct list_head hook_list; 1111 const struct nft_chain_type *type; 1112 u8 policy; 1113 u8 flags; 1114 struct nft_stats __percpu *stats; 1115 struct nft_chain chain; 1116 struct flow_block flow_block; 1117}; 1118 1119static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) 1120{ 1121 return container_of(chain, struct nft_base_chain, chain); 1122} 1123 1124static inline bool nft_is_base_chain(const struct nft_chain *chain) 1125{ 1126 return chain->flags & NFT_CHAIN_BASE; 1127} 1128 1129int __nft_release_basechain(struct nft_ctx *ctx); 1130 1131unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); 1132 1133/** 1134 * struct nft_table - nf_tables table 1135 * 1136 * @list: used internally 1137 * @chains_ht: chains in the table 1138 * @chains: same, for stable walks 1139 * @sets: sets in the table 1140 * @objects: stateful objects in the table 1141 * @flowtables: flow tables in the table 1142 * @hgenerator: handle generator state 1143 * @handle: table handle 1144 * @use: number of chain references to this table 1145 * @flags: table flag (see enum nft_table_flags) 1146 * @genmask: generation mask 1147 * @afinfo: address family info 1148 * @name: name of the table 1149 */ 1150struct nft_table { 1151 struct list_head list; 1152 struct rhltable chains_ht; 1153 struct list_head chains; 1154 struct list_head sets; 1155 struct list_head objects; 1156 struct list_head flowtables; 1157 u64 hgenerator; 1158 u64 handle; 1159 u32 use; 1160 u16 family:6, 1161 flags:8, 1162 genmask:2; 1163 u32 nlpid; 1164 char *name; 1165 u16 udlen; 1166 u8 *udata; 1167}; 1168 1169static inline bool nft_table_has_owner(const struct nft_table *table) 1170{ 1171 return table->flags & NFT_TABLE_F_OWNER; 1172} 1173 1174static inline bool nft_base_chain_netdev(int family, u32 hooknum) 1175{ 1176 return family == NFPROTO_NETDEV || 1177 (family == NFPROTO_INET && hooknum == NF_INET_INGRESS); 1178} 1179 1180void nft_register_chain_type(const struct nft_chain_type *); 1181void nft_unregister_chain_type(const struct nft_chain_type *); 1182 1183int nft_register_expr(struct nft_expr_type *); 1184void nft_unregister_expr(struct nft_expr_type *); 1185 1186int nft_verdict_dump(struct sk_buff *skb, int type, 1187 const struct nft_verdict *v); 1188 1189/** 1190 * struct nft_object_hash_key - key to lookup nft_object 1191 * 1192 * @name: name of the stateful object to look up 1193 * @table: table the object belongs to 1194 */ 1195struct nft_object_hash_key { 1196 const char *name; 1197 const struct nft_table *table; 1198}; 1199 1200/** 1201 * struct nft_object - nf_tables stateful object 1202 * 1203 * @list: table stateful object list node 1204 * @key: keys that identify this object 1205 * @rhlhead: nft_objname_ht node 1206 * @genmask: generation mask 1207 * @use: number of references to this stateful object 1208 * @handle: unique object handle 1209 * @ops: object operations 1210 * @data: object data, layout depends on type 1211 */ 1212struct nft_object { 1213 struct list_head list; 1214 struct rhlist_head rhlhead; 1215 struct nft_object_hash_key key; 1216 u32 genmask:2, 1217 use:30; 1218 u64 handle; 1219 u16 udlen; 1220 u8 *udata; 1221 /* runtime data below here */ 1222 const struct nft_object_ops *ops ____cacheline_aligned; 1223 unsigned char data[] 1224 __attribute__((aligned(__alignof__(u64)))); 1225}; 1226 1227static inline void *nft_obj_data(const struct nft_object *obj) 1228{ 1229 return (void *)obj->data; 1230} 1231 1232#define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr)) 1233 1234struct nft_object *nft_obj_lookup(const struct net *net, 1235 const struct nft_table *table, 1236 const struct nlattr *nla, u32 objtype, 1237 u8 genmask); 1238 1239void nft_obj_notify(struct net *net, const struct nft_table *table, 1240 struct nft_object *obj, u32 portid, u32 seq, 1241 int event, u16 flags, int family, int report, gfp_t gfp); 1242 1243/** 1244 * struct nft_object_type - stateful object type 1245 * 1246 * @select_ops: function to select nft_object_ops 1247 * @ops: default ops, used when no select_ops functions is present 1248 * @list: list node in list of object types 1249 * @type: stateful object numeric type 1250 * @owner: module owner 1251 * @maxattr: maximum netlink attribute 1252 * @policy: netlink attribute policy 1253 */ 1254struct nft_object_type { 1255 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *, 1256 const struct nlattr * const tb[]); 1257 const struct nft_object_ops *ops; 1258 struct list_head list; 1259 u32 type; 1260 unsigned int maxattr; 1261 struct module *owner; 1262 const struct nla_policy *policy; 1263}; 1264 1265/** 1266 * struct nft_object_ops - stateful object operations 1267 * 1268 * @eval: stateful object evaluation function 1269 * @size: stateful object size 1270 * @init: initialize object from netlink attributes 1271 * @destroy: release existing stateful object 1272 * @dump: netlink dump stateful object 1273 * @update: update stateful object 1274 */ 1275struct nft_object_ops { 1276 void (*eval)(struct nft_object *obj, 1277 struct nft_regs *regs, 1278 const struct nft_pktinfo *pkt); 1279 unsigned int size; 1280 int (*init)(const struct nft_ctx *ctx, 1281 const struct nlattr *const tb[], 1282 struct nft_object *obj); 1283 void (*destroy)(const struct nft_ctx *ctx, 1284 struct nft_object *obj); 1285 int (*dump)(struct sk_buff *skb, 1286 struct nft_object *obj, 1287 bool reset); 1288 void (*update)(struct nft_object *obj, 1289 struct nft_object *newobj); 1290 const struct nft_object_type *type; 1291}; 1292 1293int nft_register_obj(struct nft_object_type *obj_type); 1294void nft_unregister_obj(struct nft_object_type *obj_type); 1295 1296#define NFT_NETDEVICE_MAX 256 1297 1298/** 1299 * struct nft_flowtable - nf_tables flow table 1300 * 1301 * @list: flow table list node in table list 1302 * @table: the table the flow table is contained in 1303 * @name: name of this flow table 1304 * @hooknum: hook number 1305 * @ops_len: number of hooks in array 1306 * @genmask: generation mask 1307 * @use: number of references to this flow table 1308 * @handle: unique object handle 1309 * @dev_name: array of device names 1310 * @data: rhashtable and garbage collector 1311 * @ops: array of hooks 1312 */ 1313struct nft_flowtable { 1314 struct list_head list; 1315 struct nft_table *table; 1316 char *name; 1317 int hooknum; 1318 int ops_len; 1319 u32 genmask:2, 1320 use:30; 1321 u64 handle; 1322 /* runtime data below here */ 1323 struct list_head hook_list ____cacheline_aligned; 1324 struct nf_flowtable data; 1325}; 1326 1327struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 1328 const struct nlattr *nla, 1329 u8 genmask); 1330 1331void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 1332 struct nft_flowtable *flowtable, 1333 enum nft_trans_phase phase); 1334 1335void nft_register_flowtable_type(struct nf_flowtable_type *type); 1336void nft_unregister_flowtable_type(struct nf_flowtable_type *type); 1337 1338/** 1339 * struct nft_traceinfo - nft tracing information and state 1340 * 1341 * @trace: other struct members are initialised 1342 * @nf_trace: copy of skb->nf_trace before rule evaluation 1343 * @type: event type (enum nft_trace_types) 1344 * @skbid: hash of skb to be used as trace id 1345 * @packet_dumped: packet headers sent in a previous traceinfo message 1346 * @pkt: pktinfo currently processed 1347 * @basechain: base chain currently processed 1348 * @chain: chain currently processed 1349 * @rule: rule that was evaluated 1350 * @verdict: verdict given by rule 1351 */ 1352struct nft_traceinfo { 1353 bool trace; 1354 bool nf_trace; 1355 bool packet_dumped; 1356 enum nft_trace_types type:8; 1357 u32 skbid; 1358 const struct nft_pktinfo *pkt; 1359 const struct nft_base_chain *basechain; 1360 const struct nft_chain *chain; 1361 const struct nft_rule_dp *rule; 1362 const struct nft_verdict *verdict; 1363}; 1364 1365void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt, 1366 const struct nft_verdict *verdict, 1367 const struct nft_chain *basechain); 1368 1369void nft_trace_notify(struct nft_traceinfo *info); 1370 1371#define MODULE_ALIAS_NFT_CHAIN(family, name) \ 1372 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) 1373 1374#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \ 1375 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name) 1376 1377#define MODULE_ALIAS_NFT_EXPR(name) \ 1378 MODULE_ALIAS("nft-expr-" name) 1379 1380#define MODULE_ALIAS_NFT_OBJ(type) \ 1381 MODULE_ALIAS("nft-obj-" __stringify(type)) 1382 1383#if IS_ENABLED(CONFIG_NF_TABLES) 1384 1385/* 1386 * The gencursor defines two generations, the currently active and the 1387 * next one. Objects contain a bitmask of 2 bits specifying the generations 1388 * they're active in. A set bit means they're inactive in the generation 1389 * represented by that bit. 1390 * 1391 * New objects start out as inactive in the current and active in the 1392 * next generation. When committing the ruleset the bitmask is cleared, 1393 * meaning they're active in all generations. When removing an object, 1394 * it is set inactive in the next generation. After committing the ruleset, 1395 * the objects are removed. 1396 */ 1397static inline unsigned int nft_gencursor_next(const struct net *net) 1398{ 1399 return net->nft.gencursor + 1 == 1 ? 1 : 0; 1400} 1401 1402static inline u8 nft_genmask_next(const struct net *net) 1403{ 1404 return 1 << nft_gencursor_next(net); 1405} 1406 1407static inline u8 nft_genmask_cur(const struct net *net) 1408{ 1409 /* Use READ_ONCE() to prevent refetching the value for atomicity */ 1410 return 1 << READ_ONCE(net->nft.gencursor); 1411} 1412 1413#define NFT_GENMASK_ANY ((1 << 0) | (1 << 1)) 1414 1415/* 1416 * Generic transaction helpers 1417 */ 1418 1419/* Check if this object is currently active. */ 1420#define nft_is_active(__net, __obj) \ 1421 (((__obj)->genmask & nft_genmask_cur(__net)) == 0) 1422 1423/* Check if this object is active in the next generation. */ 1424#define nft_is_active_next(__net, __obj) \ 1425 (((__obj)->genmask & nft_genmask_next(__net)) == 0) 1426 1427/* This object becomes active in the next generation. */ 1428#define nft_activate_next(__net, __obj) \ 1429 (__obj)->genmask = nft_genmask_cur(__net) 1430 1431/* This object becomes inactive in the next generation. */ 1432#define nft_deactivate_next(__net, __obj) \ 1433 (__obj)->genmask = nft_genmask_next(__net) 1434 1435/* After committing the ruleset, clear the stale generation bit. */ 1436#define nft_clear(__net, __obj) \ 1437 (__obj)->genmask &= ~nft_genmask_next(__net) 1438#define nft_active_genmask(__obj, __genmask) \ 1439 !((__obj)->genmask & __genmask) 1440 1441/* 1442 * Set element transaction helpers 1443 */ 1444 1445static inline bool nft_set_elem_active(const struct nft_set_ext *ext, 1446 u8 genmask) 1447{ 1448 return !(ext->genmask & genmask); 1449} 1450 1451static inline void nft_set_elem_change_active(const struct net *net, 1452 const struct nft_set *set, 1453 struct nft_set_ext *ext) 1454{ 1455 ext->genmask ^= nft_genmask_next(net); 1456} 1457 1458#endif /* IS_ENABLED(CONFIG_NF_TABLES) */ 1459 1460/* 1461 * We use a free bit in the genmask field to indicate the element 1462 * is busy, meaning it is currently being processed either by 1463 * the netlink API or GC. 1464 * 1465 * Even though the genmask is only a single byte wide, this works 1466 * because the extension structure if fully constant once initialized, 1467 * so there are no non-atomic write accesses unless it is already 1468 * marked busy. 1469 */ 1470#define NFT_SET_ELEM_BUSY_MASK (1 << 2) 1471 1472#if defined(__LITTLE_ENDIAN_BITFIELD) 1473#define NFT_SET_ELEM_BUSY_BIT 2 1474#elif defined(__BIG_ENDIAN_BITFIELD) 1475#define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2) 1476#else 1477#error 1478#endif 1479 1480static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext) 1481{ 1482 unsigned long *word = (unsigned long *)ext; 1483 1484 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0); 1485 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word); 1486} 1487 1488static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext) 1489{ 1490 unsigned long *word = (unsigned long *)ext; 1491 1492 clear_bit(NFT_SET_ELEM_BUSY_BIT, word); 1493} 1494 1495/** 1496 * struct nft_trans - nf_tables object update in transaction 1497 * 1498 * @list: used internally 1499 * @msg_type: message type 1500 * @put_net: ctx->net needs to be put 1501 * @ctx: transaction context 1502 * @data: internal information related to the transaction 1503 */ 1504struct nft_trans { 1505 struct list_head list; 1506 int msg_type; 1507 bool put_net; 1508 struct nft_ctx ctx; 1509 char data[]; 1510}; 1511 1512struct nft_trans_rule { 1513 struct nft_rule *rule; 1514 struct nft_flow_rule *flow; 1515 u32 rule_id; 1516}; 1517 1518#define nft_trans_rule(trans) \ 1519 (((struct nft_trans_rule *)trans->data)->rule) 1520#define nft_trans_flow_rule(trans) \ 1521 (((struct nft_trans_rule *)trans->data)->flow) 1522#define nft_trans_rule_id(trans) \ 1523 (((struct nft_trans_rule *)trans->data)->rule_id) 1524 1525struct nft_trans_set { 1526 struct nft_set *set; 1527 u32 set_id; 1528 bool bound; 1529}; 1530 1531#define nft_trans_set(trans) \ 1532 (((struct nft_trans_set *)trans->data)->set) 1533#define nft_trans_set_id(trans) \ 1534 (((struct nft_trans_set *)trans->data)->set_id) 1535#define nft_trans_set_bound(trans) \ 1536 (((struct nft_trans_set *)trans->data)->bound) 1537 1538struct nft_trans_chain { 1539 bool update; 1540 char *name; 1541 struct nft_stats __percpu *stats; 1542 u8 policy; 1543 u32 chain_id; 1544}; 1545 1546#define nft_trans_chain_update(trans) \ 1547 (((struct nft_trans_chain *)trans->data)->update) 1548#define nft_trans_chain_name(trans) \ 1549 (((struct nft_trans_chain *)trans->data)->name) 1550#define nft_trans_chain_stats(trans) \ 1551 (((struct nft_trans_chain *)trans->data)->stats) 1552#define nft_trans_chain_policy(trans) \ 1553 (((struct nft_trans_chain *)trans->data)->policy) 1554#define nft_trans_chain_id(trans) \ 1555 (((struct nft_trans_chain *)trans->data)->chain_id) 1556 1557struct nft_trans_table { 1558 bool update; 1559}; 1560 1561#define nft_trans_table_update(trans) \ 1562 (((struct nft_trans_table *)trans->data)->update) 1563 1564struct nft_trans_elem { 1565 struct nft_set *set; 1566 struct nft_set_elem elem; 1567 bool bound; 1568}; 1569 1570#define nft_trans_elem_set(trans) \ 1571 (((struct nft_trans_elem *)trans->data)->set) 1572#define nft_trans_elem(trans) \ 1573 (((struct nft_trans_elem *)trans->data)->elem) 1574#define nft_trans_elem_set_bound(trans) \ 1575 (((struct nft_trans_elem *)trans->data)->bound) 1576 1577struct nft_trans_obj { 1578 struct nft_object *obj; 1579 struct nft_object *newobj; 1580 bool update; 1581}; 1582 1583#define nft_trans_obj(trans) \ 1584 (((struct nft_trans_obj *)trans->data)->obj) 1585#define nft_trans_obj_newobj(trans) \ 1586 (((struct nft_trans_obj *)trans->data)->newobj) 1587#define nft_trans_obj_update(trans) \ 1588 (((struct nft_trans_obj *)trans->data)->update) 1589 1590struct nft_trans_flowtable { 1591 struct nft_flowtable *flowtable; 1592 bool update; 1593 struct list_head hook_list; 1594 u32 flags; 1595}; 1596 1597#define nft_trans_flowtable(trans) \ 1598 (((struct nft_trans_flowtable *)trans->data)->flowtable) 1599#define nft_trans_flowtable_update(trans) \ 1600 (((struct nft_trans_flowtable *)trans->data)->update) 1601#define nft_trans_flowtable_hooks(trans) \ 1602 (((struct nft_trans_flowtable *)trans->data)->hook_list) 1603#define nft_trans_flowtable_flags(trans) \ 1604 (((struct nft_trans_flowtable *)trans->data)->flags) 1605 1606int __init nft_chain_filter_init(void); 1607void nft_chain_filter_fini(void); 1608 1609void __init nft_chain_route_init(void); 1610void nft_chain_route_fini(void); 1611 1612void nf_tables_trans_destroy_flush_work(void); 1613 1614int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result); 1615__be64 nf_jiffies64_to_msecs(u64 input); 1616 1617#ifdef CONFIG_MODULES 1618__printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...); 1619#else 1620static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; } 1621#endif 1622 1623struct nftables_pernet { 1624 struct list_head tables; 1625 struct list_head commit_list; 1626 struct list_head module_list; 1627 struct list_head notify_list; 1628 struct mutex commit_mutex; 1629 unsigned int base_seq; 1630 u8 validate_state; 1631}; 1632 1633extern unsigned int nf_tables_net_id; 1634 1635static inline struct nftables_pernet *nft_pernet(const struct net *net) 1636{ 1637 return net_generic(net, nf_tables_net_id); 1638} 1639 1640#define __NFT_REDUCE_READONLY 1UL 1641#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY 1642 1643static inline bool nft_reduce_is_readonly(const struct nft_expr *expr) 1644{ 1645 return expr->ops->reduce == NFT_REDUCE_READONLY; 1646} 1647 1648void nft_reg_track_update(struct nft_regs_track *track, 1649 const struct nft_expr *expr, u8 dreg, u8 len); 1650void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len); 1651void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg); 1652 1653static inline bool nft_reg_track_cmp(struct nft_regs_track *track, 1654 const struct nft_expr *expr, u8 dreg) 1655{ 1656 return track->regs[dreg].selector && 1657 track->regs[dreg].selector->ops == expr->ops && 1658 track->regs[dreg].num_reg == 0; 1659} 1660 1661#endif /* _NET_NF_TABLES_H */