#ifndef _NFT_H_
#define _NFT_H_

/*
 * Internal interface of the nft compat layer: the handle shared by the
 * xtables-nft front ends, the builtin table descriptions, the ruleset cache
 * and the operations on tables, chains, sets and rules.
 *
 * NOTE(review): `_NFT_H_` and the `__cache` member below are in the identifier
 * space reserved for the implementation (C11 7.1.3); renaming is a
 * source-compatible cleanup for a later change, this header leaves them as-is.
 */

#include "xshared.h"
#include "nft-shared.h"
#include "nft-cache.h"
#include "nft-chain.h"
#include "nft-cmd.h"
#include <libiptc/linux_list.h>	/* struct list_head */

/*
 * Index of the builtin tables handled by the compat layer.  NFT_TABLE_MAX is
 * derived from the last enumerator, so NFT_TABLE_NAT must remain last; the
 * values are presumably used directly as indices into struct nft_cache::table
 * and the xtables_* arrays sized below, so they must stay dense.
 */
enum nft_table_type {
	NFT_TABLE_MANGLE = 0,
	NFT_TABLE_SECURITY,
	NFT_TABLE_RAW,
	NFT_TABLE_FILTER,
	NFT_TABLE_NAT,
};
/* Number of builtin tables; sizes every per-table array in this header. */
#define NFT_TABLE_MAX (NFT_TABLE_NAT + 1)

/* A base chain that comes with a builtin table. */
struct builtin_chain {
	const char *name;	/* chain name as seen by the iptables user */
	const char *type;	/* nft chain type string; see the xtables_* tables for the values used */
	uint32_t prio;		/* hook priority */
	uint32_t hook;		/* netfilter hook the base chain attaches to */
};

/* A builtin table together with its base chains, one slot per hook. */
struct builtin_table {
	const char *name;
	enum nft_table_type type;
	/* Indexed by netfilter hook number.  Hooks a table does not use are
	 * presumably left zero-initialised (name == NULL) — confirm against
	 * the xtables_ipv4/arp/bridge definitions. */
	struct builtin_chain chains[NF_INET_NUMHOOKS];
};

/*
 * How much of the ruleset has been fetched into struct nft_cache.
 * NOTE(review): the ordering suggests each level implies the previous ones
 * were fetched as well — confirm in nft-cache.c before relying on it.
 */
enum nft_cache_level {
	NFT_CL_TABLES,
	NFT_CL_CHAINS,
	NFT_CL_SETS,
	NFT_CL_RULES,
	NFT_CL_FAKE /* must be last entry */
};

/* Cached view of the kernel ruleset, one slot per builtin table. */
struct nft_cache {
	struct {
		/* base chains by hook number; NULL where none exists */
		struct nft_chain *base_chains[NF_INET_NUMHOOKS];
		struct nft_chain_list *chains;
		struct nftnl_set_list *sets;
		bool exists;		/* table is present in the kernel */
	} table[NFT_TABLE_MAX];
};

/*
 * Kind of a pending update.  NOTE(review): presumably the tag of the entries
 * queued on struct nft_handle::obj_list and flushed by nft_commit() — the
 * linkage is not visible in this header, confirm in nft.c.
 */
enum obj_update_type {
	NFT_COMPAT_TABLE_ADD,
	NFT_COMPAT_TABLE_FLUSH,
	NFT_COMPAT_CHAIN_ADD,
	NFT_COMPAT_CHAIN_USER_ADD,
	NFT_COMPAT_CHAIN_USER_DEL,
	NFT_COMPAT_CHAIN_USER_FLUSH,
	NFT_COMPAT_CHAIN_UPDATE,
	NFT_COMPAT_CHAIN_RENAME,
	NFT_COMPAT_CHAIN_ZERO,
	NFT_COMPAT_RULE_APPEND,
	NFT_COMPAT_RULE_INSERT,
	NFT_COMPAT_RULE_REPLACE,
	NFT_COMPAT_RULE_DELETE,
	NFT_COMPAT_RULE_FLUSH,
	NFT_COMPAT_SET_ADD,
	NFT_COMPAT_RULE_LIST,
	NFT_COMPAT_RULE_CHECK,
	NFT_COMPAT_CHAIN_RESTORE,
	NFT_COMPAT_RULE_SAVE,
	NFT_COMPAT_RULE_ZERO,
	NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE,
};

/* One chain name requested for the cache; linked on nft_cache_req::chain_list. */
struct cache_chain {
	struct list_head head;
	char *name;		/* ownership (heap string?) not visible here — confirm in nft-cache.c */
};

/* What the next cache fetch has to cover. */
struct nft_cache_req {
	enum nft_cache_level level;	/* depth to fetch */
	char *table;			/* restrict to this table, presumably NULL for all — confirm */
	bool all_chains;		/* fetch every chain rather than those on chain_list */
	struct list_head chain_list;	/* list of struct cache_chain */
};

/*
 * Per-program state of the compat layer.  One handle is created by nft_init()
 * and released by nft_fini(); the caller-facing front ends pass it to every
 * operation below.
 */
struct nft_handle {
	int family;			/* netfilter family (NFPROTO_*) this handle operates on */
	struct mnl_socket *nl;		/* netlink socket to nf_tables */
	int nlsndbuffsiz;		/* socket send buffer size — presumably SO_SNDBUF, confirm */
	int nlrcvbuffsiz;		/* socket receive buffer size — presumably SO_RCVBUF, confirm */
	uint32_t portid;		/* netlink port id of nl */
	uint32_t seq;			/* netlink sequence counter */
	uint32_t nft_genid;		/* ruleset generation the cache was taken from */
	uint32_t rule_id;		/* id counter for rules added in the current batch */
	struct list_head obj_list;	/* pending updates, see enum obj_update_type */
	int obj_list_num;		/* number of entries on obj_list */
	struct nftnl_batch *batch;	/* netlink batch under construction */
	struct list_head err_list;	/* errors reported for the batch */
	struct nft_family_ops *ops;	/* family-specific callbacks */
	const struct builtin_table *tables;	/* xtables_ipv4/arp/bridge, NFT_TABLE_MAX entries */
	unsigned int cache_index;	/* selects the active entry of __cache */
	struct nft_cache __cache[2];	/* two cache slots; `cache` points at one of them — confirm in nft-cache.c */
	struct nft_cache *cache;	/* the cache currently in use */
	struct nft_cache_req cache_req;	/* what the next fetch must cover */
	bool restore;			/* running in *-restore mode */
	bool noflush;			/* restore: keep existing rules (-n) */
	int8_t config_done;
	struct list_head cmd_list;	/* parsed commands awaiting execution */
	bool cache_init;		/* cache has been initialised */

	/* meta data, for error reporting */
	struct {
		unsigned int lineno;	/* input line being processed (restore) */
	} error;
};

/* Builtin table descriptions per family; each has NFT_TABLE_MAX entries. */
extern const struct builtin_table xtables_ipv4[NFT_TABLE_MAX];
extern const struct builtin_table xtables_arp[NFT_TABLE_MAX];
extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];

/*
 * Send nlh on h->nl and run cb on the replies.
 * NOTE(review): cb receives raw netlink messages; attribute lengths should be
 * validated inside the callback rather than assumed well-formed.
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/* Set up h for family using the builtin table array t; 0 on success. */
int nft_init(struct nft_handle *h, int family, const struct builtin_table *t);
/* Release everything owned by h. */
void nft_fini(struct nft_handle *h);
/* Re-open the netlink side of h. */
int nft_restart(struct nft_handle *h);

/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;

/* Call func for every table; a non-zero return presumably stops the walk — confirm. */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, void *data), void *data);
/* true if tablename exists. */
bool nft_table_find(struct nft_handle *h, const char *tablename);
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
int nft_table_flush(struct nft_handle *h, const char *table);
/* Builtin description for table, or NULL if it is not a builtin one. */
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
int nft_xt_fake_builtin_chains(struct nft_handle *h, const char *table, const char *chain);

/*
 * Operations with chains.
 */
struct nftnl_chain;

/* Set policy and/or counters on a base chain; counters may be NULL — confirm in nft.c. */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/* nft_chain_foreach() callback that prints a chain in save format. */
int nft_chain_save(struct nft_chain *c, void *data);
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/* Builtin chain named chain in t, or NULL. */
const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t, const char *chain);
bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
void nft_bridge_chain_postprocess(struct nft_handle *h,
				  struct nftnl_chain *c);
/* Call cb for each chain of table. */
int nft_chain_foreach(struct nft_handle *h, const char *table,
		      int (*cb)(struct nft_chain *c, void *data),
		      void *data);


/*
 * Operations with sets.
 */
/* Find a set queued in the current batch by its set id; NULL if absent. */
struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
					    uint32_t set_id);

/*
 * Operations with rule-set.
 */
struct nftnl_rule;

/* Build a rule for chain/table from the front end's command state in data. */
struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, void *data);
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
/* rulenum selects a single rule; the value meaning "all" is defined in nft.c. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);

/*
 * Operations used in userspace tools
 */
/* Rule-building helpers; each appends expressions to r and returns 0 on success. */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
/*
 * Extract the comment from rule userdata of data_len bytes.
 * NOTE(review): whether the returned string is heap-allocated (caller frees)
 * or points into data is not visible here — confirm in nft.c before freeing.
 */
char *get_comment(const void *data, uint32_t data_len);

/* Which prefix nft_rule_print_save() emits (-A or -D). */
enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
			 enum nft_rule_print type, unsigned int format);

/* Map an xtables inversion flag to the nft compare operator. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */
/* Send the pending batch to the kernel; nft_abort() discards it instead. */
int nft_commit(struct nft_handle *h);
int nft_bridge_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);

/*
 * revision compatibility.
 */
/* Ask the kernel whether revision rev of extension name is supported; opt selects match vs. target — confirm in nft.c. */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */
/* Human-readable text for an error code returned by this layer. */
const char *nft_strerror(int err);

/* For xtables.c */
/* Parse and execute one command line; *table may be updated by the parser. */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int nft_init_arp(struct nft_handle *h, const char *pname);
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-eb.c */
int nft_init_eb(struct nft_handle *h, const char *pname);
void nft_fini_eb(struct nft_handle *h);
int ebt_get_current_chain(const char *chain);
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);

/*
 * Translation from iptables to nft
 */
struct xt_buf;

/* true if a match named p_name is present in cs. */
bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);

/*
 * ARP
 */

struct arpt_entry;

int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/*
 * Check whether table/chain in the kernel can be expressed by this tool.
 * The bool variant reports; the assert variant presumably terminates the
 * program when it is not — confirm in nft.c.
 */
bool nft_is_table_compatible(struct nft_handle *h,
			     const char *table, const char *chain);
void nft_assert_table_compatible(struct nft_handle *h,
				 const char *table, const char *chain);

int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
			      const char *chain, const char *policy);

#endif