#ifndef _NFT_H_
#define _NFT_H_
/*
 * NOTE(review): `_NFT_H_` (underscore + uppercase) and the `__cache` member
 * below (double underscore) are identifiers reserved for the implementation
 * by C11 7.1.3. Renaming them is not visible to callers, but is left to a
 * separate change since the definitions live outside this header.
 */

#include "xshared.h"
#include "nft-shared.h"
#include <libiptc/linux_list.h>

/*
 * Index of each builtin table. The same value indexes nft_cache::table and
 * the xtables_ipv4/xtables_arp/xtables_bridge arrays declared below.
 */
enum nft_table_type {
	NFT_TABLE_FILTER = 0,
	NFT_TABLE_MANGLE,
	NFT_TABLE_RAW,
	NFT_TABLE_SECURITY,
	NFT_TABLE_NAT,
};
/* Number of builtin tables; NFT_TABLE_NAT must remain the last enumerator. */
#define NFT_TABLE_MAX (NFT_TABLE_NAT + 1)

/* Static description of one builtin base chain. */
struct builtin_chain {
	const char *name;	/* chain name */
	const char *type;	/* NOTE(review): presumably the nft base chain type string — confirm against the table definitions */
	uint32_t prio;		/* hook priority */
	uint32_t hook;		/* netfilter hook number */
};

/*
 * Static description of one builtin table and its base chains, indexed by
 * netfilter hook (NF_INET_NUMHOOKS is expected to come from the included
 * headers).
 */
struct builtin_table {
	const char *name;
	enum nft_table_type type;
	struct builtin_chain chains[NF_INET_NUMHOOKS];
};

/*
 * How much of the ruleset the local cache currently holds. The enumerators
 * are ordered from nothing cached to full rules, so callers can compare
 * levels numerically.
 */
enum nft_cache_level {
	NFT_CL_NONE,
	NFT_CL_TABLES,
	NFT_CL_CHAINS,
	NFT_CL_SETS,
	NFT_CL_RULES
};

/* Local copy of the kernel ruleset: table list plus per-table chains and sets. */
struct nft_cache {
	struct nftnl_table_list *tables;
	struct {
		struct nftnl_chain_list *chains;
		struct nftnl_set_list *sets;
		bool initialized;	/* per-table chain/set lists have been fetched */
	} table[NFT_TABLE_MAX];
};

/*
 * Per-invocation state of the nft backend: the netlink socket, the batch
 * being built, the ruleset cache and assorted bookkeeping. Ownership of the
 * lists and the cache is handled by nft_init()/nft_fini().
 */
struct nft_handle {
	int family;			/* address family (NFPROTO_*) this handle operates on */
	struct mnl_socket *nl;		/* netlink socket to the kernel */
	int nlsndbuffsiz;		/* NOTE(review): presumably netlink send buffer size — confirm in nft_init() */
	int nlrcvbuffsiz;		/* NOTE(review): presumably netlink receive buffer size — confirm in nft_init() */
	uint32_t portid;		/* netlink port id of this socket */
	uint32_t seq;			/* netlink sequence counter */
	uint32_t nft_genid;		/* ruleset generation id last seen from the kernel */
	uint32_t rule_id;		/* counter used to tag rules within a batch */
	struct list_head obj_list;	/* objects queued for the current batch */
	int obj_list_num;		/* number of entries in obj_list */
	struct nftnl_batch *batch;	/* netlink batch under construction */
	struct list_head err_list;	/* errors reported for the batch */
	struct nft_family_ops *ops;	/* family-specific callbacks */
	const struct builtin_table *tables;	/* builtin table set for this family */
	unsigned int cache_index;	/* NOTE(review): looks like the index into __cache that `cache` points at — confirm */
	struct nft_cache __cache[2];	/* storage for two cache generations */
	struct nft_cache *cache;	/* active cache */
	enum nft_cache_level cache_level;	/* what `cache` currently holds */
	bool restore;			/* running in *-restore mode */
	bool noflush;			/* do not flush existing ruleset (restore --noflush) */
	int8_t config_done;		/* NOTE(review): meaning of the int8_t values is not visible here — confirm */

	/* meta data, for error reporting */
	struct {
		unsigned int lineno;	/* input line currently being processed (restore) */
	} error;
};

/* Builtin table definitions, one array per supported family. */
extern const struct builtin_table xtables_ipv4[NFT_TABLE_MAX];
extern const struct builtin_table xtables_arp[NFT_TABLE_MAX];
extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];

/**
 * Send @nlh to the kernel over h->nl and run @cb for each reply message.
 * @return 0 on success, negative on failure (see the definition for errno use).
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/** Open the netlink socket and set up @h for builtin table set @t. */
int nft_init(struct nft_handle *h, const struct builtin_table *t);
/** Release everything nft_init() acquired; @h is unusable afterwards. */
void nft_fini(struct nft_handle *h);
/** Re-open the netlink socket of an already initialised @h. */
int nft_restart(struct nft_handle *h);

/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;

/** Invoke @func for every table; iteration stops on the first non-zero return. */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, void *data), void *data);
/** @return true when a table named @tablename exists. */
bool nft_table_find(struct nft_handle *h, const char *tablename);
/** Delete the user-defined chains of @table listed in @list. */
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
/** Flush all rules of @table. */
int nft_table_flush(struct nft_handle *h, const char *table);
/** Queue creation of @table in the current batch. */
void nft_table_new(struct nft_handle *h, const char *table);
/** @return the builtin description of @table, or NULL when it is not builtin. */
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);

/*
 * Operations with chains.
 */
struct nftnl_chain;

/** Set policy and/or counters of base chain @chain in @table; @policy and @counters may be NULL. */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/** Print the chains in @list in *-save format. */
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list);
/** Create user-defined chain @chain in @table (iptables -N). */
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
/** Delete user-defined chain @chain in @table (iptables -X). */
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/** Re-create @chain in @table while restoring a ruleset. */
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table);
/** Rename user-defined chain @chain of @table to @newname (iptables -E). */
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
/** Zero the counters of @chain in @table (iptables -Z). */
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/** @return the builtin chain named @chain within builtin table @t, or NULL. */
const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t, const char *chain);
/** @return true when @chain exists in @table. */
bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
/** Bridge-family fixup applied to a chain after it was fetched from the kernel. */
void nft_bridge_chain_postprocess(struct nft_handle *h,
				  struct nftnl_chain *c);


/*
 * Operations with rule-set.
 */
struct nftnl_rule;

/* @data is the family-specific rule description (e.g. iptables_command_state); @rulenum is 1-based where present. */
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, struct nftnl_rule *ref, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/** Check whether a rule matching @data exists (iptables -C). */
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/** List rules of @chain (all chains when @chain is NULL) in @format. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);

/*
 * Operations used in userspace tools
 */
/* Rule-building helpers: each appends one expression to @r and returns 0 on success. */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
/*
 * Extract the comment text from a rule's userdata blob of @data_len bytes.
 * NOTE(review): whether the returned string is owned by the caller or points
 * into @data is not visible here — check the definition before free()ing.
 */
char *get_comment(const void *data, uint32_t data_len);

/* Which *-save verb nft_rule_print_save() emits for a rule. */
enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

/** Print @r as a *-save line prefixed with "-A" or "-D" according to @type. */
void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
			 enum nft_rule_print type, unsigned int format);

/** Map an xtables inversion bit @flag in @invflags to the matching NFT_CMP_* operator. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */
/** Send the pending batch to the kernel; returns non-zero on failure. */
int nft_commit(struct nft_handle *h);
int nft_bridge_commit(struct nft_handle *h);
/** Drop the pending batch without sending it. */
int nft_abort(struct nft_handle *h);
int nft_abort_policy_rule(struct nft_handle *h, const char *table);

/*
 * revision compatibility.
 */
/** Ask the kernel whether match/target @name revision @rev is supported (@opt selects match vs. target). */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */
/** @return a static, human-readable string for error code @err. */
const char *nft_strerror(int err);

/*
 * Command-line entry points. @argv comes straight from the process command
 * line and is parsed by these functions; @table receives the table name
 * selected by the options.
 */
/* For xtables.c */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int nft_init_arp(struct nft_handle *h, const char *pname);
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-eb.c */
int nft_init_eb(struct nft_handle *h, const char *pname);
int ebt_get_current_chain(const char *chain);
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);

/*
 * Translation from iptables to nft
 */
struct xt_buf;

/** @return true when @cs carries a match named @p_name. */
bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
/** Emit the nft syntax for the matches of @cs into @xl. */
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
/** Emit the nft syntax for the verdict/target of @cs into @xl. */
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/** Emit an interface-name match on meta key @nftmeta, negated when @invert is set. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);

/*
 * ARP
 */

struct arpt_entry;

/* ARP variants take a kernel-style arpt_entry instead of the opaque @data pointer. */
int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/** Convert nft rule @r back into the arpt_entry layout @fw. */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/*
 * Compatibility check: a table created by native nft may contain constructs
 * this backend cannot express. The *_assert_* variant aborts the tool instead
 * of returning false.
 */
bool nft_is_table_compatible(struct nft_handle *h,
			     const char *table, const char *chain);
void nft_assert_table_compatible(struct nft_handle *h,
				 const char *table, const char *chain);

/** Set @policy on user-defined ebtables chain @chain in @table. */
int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
			      const char *chain, const char *policy);

#endif