/*
 * nft.h - declarations shared by the nftables-backed xtables front ends:
 * the built-in table/chain descriptions, the netlink handle, and the
 * table, chain and rule operations the command parsers call into.
 *
 * NOTE(review): the guard name _NFT_H_ (leading underscore followed by an
 * uppercase letter) is in the identifier space reserved for the
 * implementation; a name such as NFT_H would be conforming.
 */
#ifndef _NFT_H_
#define _NFT_H_

#include "xshared.h"
#include "nft-shared.h"
#include <libiptc/linux_list.h>

/*
 * Indices into the xtables_ipv4 / xtables_arp / xtables_bridge arrays
 * declared below. TABLES_MAX is the array length and must stay one past
 * the highest index.
 * NOTE(review): these macro names carry no NFT_/XT_ prefix, so they can
 * collide with same-named macros from other headers.
 */
#define FILTER 0
#define MANGLE 1
#define RAW 2
#define SECURITY 3
#define NAT 4
#define TABLES_MAX 5

/* Description of one built-in chain belonging to a built-in table. */
struct builtin_chain {
	const char *name;	/* chain name */
	const char *type;	/* chain type string */
	uint32_t prio;		/* chain priority */
	uint32_t hook;		/* netfilter hook number, presumably (chains[] below is sized NF_INET_NUMHOOKS) */
};

/* Description of one built-in table and its per-hook chains. */
struct builtin_table {
	const char *name;	/* table name */
	struct builtin_chain chains[NF_INET_NUMHOOKS];	/* one slot per netfilter hook */
	bool initialized;	/* NOTE(review): presumably set once the table exists in the kernel -- confirm against nft_init()/nft_table_add() */
};

/*
 * Per-invocation state for talking to the kernel over netlink.
 * One handle is threaded through every nft_*() call below.
 */
struct nft_handle {
	int family;				/* protocol family this handle operates on */
	struct mnl_socket *nl;			/* libmnl netlink socket */
	uint32_t portid;			/* netlink port id of nl */
	uint32_t seq;				/* presumably the next netlink sequence number -- confirm in mnl_talk() */
	struct list_head obj_list;		/* pending objects, with obj_list_num as their count */
	int obj_list_num;
	struct mnl_nlmsg_batch *batch;		/* netlink batch under construction, if any */
	struct nft_family_ops *ops;		/* family-specific operations */
	struct builtin_table *tables;		/* points at one of the xtables_* arrays below (TABLES_MAX entries) */
	struct nftnl_rule_list *rule_cache;	/* cached rule listing */
	bool restore;				/* running in *-restore mode -- see do_commandx()'s restore argument */
	bool batch_support;			/* whether the kernel accepts batched transactions, presumably */
};

/* Built-in table descriptions for each family; indexed by FILTER..NAT. */
extern struct builtin_table xtables_ipv4[TABLES_MAX];
extern struct builtin_table xtables_arp[TABLES_MAX];
extern struct builtin_table xtables_bridge[TABLES_MAX];

/*
 * Netlink round trip on h->nl: send nlh and hand each received message to
 * cb(nlh, data). The callback sees raw kernel replies, so it is the place
 * where message length and type must be validated. Returns an int status.
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/* Initialise h for the built-in table set t; nft_fini() releases it. */
int nft_init(struct nft_handle *h, struct builtin_table *t);
void nft_fini(struct nft_handle *h);

/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;

int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags);
/* Invoke func(h, tablename, counters) for every table; the callback's `h`
 * parameter shadows the outer one by name only. */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
bool nft_table_find(struct nft_handle *h, const char *tablename);
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);

/*
 * Operations with chains.
 */
struct nftnl_chain;

int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags);
/* Set policy and counters of chain `chain` in `table`. */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/* Fetch the chain list from the kernel; the caller owns the returned list. */
struct nftnl_chain_list *nft_chain_dump(struct nft_handle *h);
/* Look up `chain` of `table` in a list obtained from nft_chain_dump(). */
struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list, const char *table);
/* User-defined chain management: create, delete, rename, zero counters. */
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table);

/*
 * Operations with rule-set.
 *
 * `data` is the family-specific rule representation (an opaque pointer
 * here); `rulenum` is a 1-based position in iptables terms -- TODO confirm
 * the base against the definitions. `verbose` selects diagnostic output.
 */
struct nftnl_rule;

int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, uint64_t handle, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/* Listing: `format` holds output-format flags; `counters` requests counter output. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);

/*
 * Operations used in userspace tools
 *
 * Rule-construction helpers: each presumably appends the named element to
 * r and returns an int status.
 */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
int add_comment(struct nftnl_rule *r, const char *comment);
/*
 * Extract a comment string from `data_len` bytes at `data`.
 * NOTE(review): whether the returned pointer is heap-allocated (caller
 * frees) or points into `data` is not stated here -- check the definition
 * before freeing or retaining it.
 */
char *get_comment(const void *data, uint32_t data_len);

/* Selects the command form printed by nft_rule_print_save(). */
enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

/* Print rule r in save format, as an append or a delete per `type`. */
void nft_rule_print_save(const void *data,
			 struct nftnl_rule *r, enum nft_rule_print type,
			 unsigned int format);

/* Map an iptables inversion flag to a comparison operator -- presumably; confirm in definition. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */
int nft_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);

/*
 * revision compatibility.
 *
 * Whether the kernel accepts revision `rev` of extension `name`; `opt`
 * presumably distinguishes match from target -- confirm in definition.
 */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */
/* Human-readable message for an error code returned by the nft_*() calls. */
const char *nft_strerror(int err);

/*
 * Command-line entry points. argv is the user-supplied command line;
 * *table may be updated by the parser (hence char **).
 */
/* For xtables.c */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table);
/* For xtables-eb.c */
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table);

/*
 * Parse config for tables and chain helper functions
 */
/* Default configuration file; callers may pass another path to the parser. */
#define XTABLES_CONFIG_DEFAULT "/etc/xtables.conf"

struct nftnl_table_list;
struct nftnl_chain_list;	/* already forward-declared above; harmless duplicate */

/* Parse `filename` into the given table and chain lists. */
extern int xtables_config_parse(const char *filename, struct nftnl_table_list *table_list, struct nftnl_chain_list *chain_list);

/* Flag bits for nft_xtables_config_load()'s `flags` argument. */
enum {
	NFT_LOAD_VERBOSE = (1 << 0),
};

int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags);

/*
 * Translation from iptables to nft
 */
struct xt_buf;	/* NOTE(review): forward-declared but not referenced by any prototype in this header */

bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/* Emit an interface-name match for `nftmeta`; `invert` negates it. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);

/*
 * ARP
 */

struct arpt_entry;

int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/* Fill `fw` from rule r. */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/* Non-zero when the kernel rule set can be represented by this tool -- presumably; confirm in definition. */
int nft_is_ruleset_compatible(struct nft_handle *h);

#endif