#ifndef _NFT_H_
#define _NFT_H_

#include "xshared.h"
#include "nft-shared.h"
#include "nft-cache.h"
#include "nft-chain.h"
#include "nft-cmd.h"
#include <libiptc/linux_list.h>

/*
 * Builtin table identifiers.
 *
 * Enumerators are consecutive from zero and NFT_TABLE_MAX is defined
 * relative to NFT_TABLE_BROUTE, so that entry must remain last (or the
 * macro must be updated) to keep the table[NFT_TABLE_MAX] arrays below
 * correctly sized.
 */
enum nft_table_type {
	NFT_TABLE_MANGLE = 0,
	NFT_TABLE_SECURITY,
	NFT_TABLE_RAW,
	NFT_TABLE_FILTER,
	NFT_TABLE_NAT,
	NFT_TABLE_BROUTE,
};
#define NFT_TABLE_MAX (NFT_TABLE_BROUTE + 1)

/*
 * Static description of one builtin base chain.
 *
 * @name: chain name.
 * @type: chain type string.
 * @prio: hook priority, as stored here (unsigned).
 * @hook: hook number; presumably an index in the NF_INET_* hook space,
 *        since builtin_table sizes its chain array by NF_INET_NUMHOOKS.
 */
struct builtin_chain {
	const char *name;
	const char *type;
	uint32_t prio;
	uint32_t hook;
};

/*
 * Static description of one builtin table and its base chains.
 *
 * @chains: one slot per hook; an unused slot's contents are not defined
 *          by this header (see the builtin table definitions in the .c).
 */
struct builtin_table {
	const char *name;
	enum nft_table_type type;
	struct builtin_chain chains[NF_INET_NUMHOOKS];
};

/*
 * How much of the ruleset has been fetched into the cache.
 *
 * The values are ordered; NFT_CL_FAKE is used as a sentinel and must stay
 * the last enumerator.
 */
enum nft_cache_level {
	NFT_CL_TABLES,
	NFT_CL_CHAINS,
	NFT_CL_SETS,
	NFT_CL_RULES,
	NFT_CL_FAKE /* must be last entry */
};

/*
 * Per-table cached state, one entry per builtin table type.
 *
 * @base_chains: one slot per hook, like builtin_table::chains.
 * @chains:  cached chain list for the table.
 * @sets:    cached set list for the table.
 * @exists:  whether the table was found in the kernel (presumably; set
 *           by the cache code in nft-cache.c).
 * @sorted:  whether @chains has been sorted (presumably).
 * @tainted: see nft_is_table_tainted() below; exact meaning is defined
 *           by the cache/compat code, not by this header.
 */
struct nft_cache {
	struct {
		struct nft_chain *base_chains[NF_INET_NUMHOOKS];
		struct nft_chain_list *chains;
		struct nftnl_set_list *sets;
		bool exists;
		bool sorted;
		bool tainted;
	} table[NFT_TABLE_MAX];
};

/*
 * Kinds of batched objects queued on nft_handle::obj_list.
 *
 * The names pair with the nft_* operations declared further down; how each
 * is serialised into the netlink batch lives in nft.c.
 */
enum obj_update_type {
	NFT_COMPAT_TABLE_ADD,
	NFT_COMPAT_TABLE_FLUSH,
	NFT_COMPAT_CHAIN_ADD,
	NFT_COMPAT_CHAIN_USER_ADD,
	NFT_COMPAT_CHAIN_DEL,
	NFT_COMPAT_CHAIN_USER_FLUSH,
	NFT_COMPAT_CHAIN_UPDATE,
	NFT_COMPAT_CHAIN_RENAME,
	NFT_COMPAT_CHAIN_ZERO,
	NFT_COMPAT_RULE_APPEND,
	NFT_COMPAT_RULE_INSERT,
	NFT_COMPAT_RULE_REPLACE,
	NFT_COMPAT_RULE_DELETE,
	NFT_COMPAT_RULE_FLUSH,
	NFT_COMPAT_SET_ADD,
	NFT_COMPAT_RULE_LIST,
	NFT_COMPAT_RULE_CHECK,
	NFT_COMPAT_CHAIN_RESTORE,
	NFT_COMPAT_RULE_SAVE,
	NFT_COMPAT_RULE_ZERO,
	NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE,
	NFT_COMPAT_RULE_CHANGE_COUNTERS,
};

/*
 * List node naming a chain, linked via @head on nft_cache_req::chain_list.
 *
 * @name: heap or static ownership is not visible here — check the code
 *        that builds the request list before freeing.
 */
struct cache_chain {
	struct list_head head;
	char *name;
};

/*
 * Describes which part of the ruleset the next cache fetch must cover.
 *
 * @level:      how deep to fetch (see enum nft_cache_level).
 * @table:      restrict the fetch to this table; NULL semantics are not
 *              defined by this header.
 * @all_chains: fetch every chain rather than only those in @chain_list.
 * @chain_list: list of struct cache_chain.
 */
struct nft_cache_req {
	enum nft_cache_level level;
	char *table;
	bool all_chains;
	struct list_head chain_list;
};

/*
 * Per-invocation state of the nft backend: netlink socket, pending batch,
 * cached ruleset and command bookkeeping.
 */
struct nft_handle {
	int family;			/* nfproto family this handle operates on */
	struct mnl_socket *nl;		/* netlink socket */
	int nlsndbuffsiz;		/* socket send buffer size (presumably) */
	int nlrcvbuffsiz;		/* socket receive buffer size (presumably) */
	uint32_t portid;		/* netlink port id of @nl */
	uint32_t seq;			/* netlink message sequence counter */
	uint32_t nft_genid;		/* ruleset generation id seen last */
	uint32_t rule_id;		/* counter for batch-local rule ids (presumably) */
	struct list_head obj_list;	/* queued objects, see enum obj_update_type */
	int obj_list_num;		/* number of entries on @obj_list */
	struct nftnl_batch *batch;	/* netlink batch being built */
	struct list_head err_list;	/* errors collected during commit (presumably) */
	struct nft_family_ops *ops;	/* family-specific callbacks */
	const struct builtin_table *tables;	/* builtin table array for @family */
	unsigned int cache_index;	/* selects the active entry of @__cache */
	struct nft_cache __cache[2];	/* two cache generations; NOTE: double-underscore
					 * name is reserved by the C standard, kept for
					 * source compatibility with the .c users */
	struct nft_cache *cache;	/* active cache; presumably &__cache[cache_index] — confirm in nft.c */
	struct nft_cache_req cache_req;	/* what the next cache fetch must cover */
	bool restore;			/* running in *-restore mode */
	bool noflush;			/* restore: do not flush existing rules (presumably) */
	int8_t config_done;		/* tri-state config flag; values defined in nft.c */
	struct list_head cmd_list;	/* queued commands (struct nft_cmd, nft-cmd.h) */
	bool cache_init;		/* cache has been initialised */
	int verbose;			/* verbosity level */

	/* meta data, for error reporting */
	struct {
		unsigned int lineno;	/* input line of the command being processed */
	} error;
};

/*
 * Send @nlh on @h->nl and run @cb on each response message with @data
 * (presumably; the exact dispatch is in nft.c). Returns 0 on success,
 * negative on error.
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/* Set up @h for @family, opening the netlink socket. */
int nft_init(struct nft_handle *h, int family);
/* Release everything owned by @h. */
void nft_fini(struct nft_handle *h);
/* Re-open the netlink socket of @h (used after a failed commit, presumably). */
int nft_restart(struct nft_handle *h);

/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;

/* Call @func for every table known to @h; stops early on non-zero return (presumably). */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, void *data), void *data);
bool nft_table_find(struct nft_handle *h, const char *tablename);
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
int nft_table_flush(struct nft_handle *h, const char *table);
/* Look up the builtin description for @table; NULL if it is not builtin. */
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
int nft_xt_fake_builtin_chains(struct nft_handle *h, const char *table, const char *chain);

/*
 * Operations with chains.
 *
 * Unless noted, these queue a batched object on @h (see enum
 * obj_update_type) and return 1 on success, 0 on failure with errno set,
 * following the libiptc convention — verify against nft.c before relying
 * on it.
 */
struct nftnl_chain;

/* Set policy and/or counters of a base chain. */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/* nft_chain_foreach() callback that prints a chain in save format. */
int nft_chain_save(struct nft_chain *c, void *data);
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/* Look up @chain among the builtin chains of @t; NULL if absent. */
const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t, const char *chain);
bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
void nft_bridge_chain_postprocess(struct nft_handle *h,
				  struct nftnl_chain *c);
/* Call @cb for every chain of @table with @data. */
int nft_chain_foreach(struct nft_handle *h, const char *table,
		      int (*cb)(struct nft_chain *c, void *data),
		      void *data);


/*
 * Operations with sets.
 */
/* Find a set queued in the current batch by its batch-local id. */
struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
					    uint32_t set_id);

/*
 * Operations with rule-set.
 */
struct nft_rule_ctx {
	int command;	/* the command being processed (presumably an xtables command code) */
};

/*
 * Build a libnftnl rule from @cs for @chain/@table. Ownership of the
 * returned rule is not stated here — check nft.c for who frees it.
 */
struct nftnl_rule *nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *rule, const char *chain, const char *table, struct iptables_command_state *cs);
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
/* @format is a bitmask of FMT_* listing flags (xshared.h), presumably. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
/* True if @r is the synthetic rule carrying a base chain's policy. */
bool nft_rule_is_policy_rule(struct nftnl_rule *r);

/*
 * Operations used in userspace tools
 *
 * Helpers that append expressions to a libnftnl rule.
 */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
	      struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
/*
 * Extract a comment string from a @data_len-byte attribute payload.
 * Whether the result is allocated or points into @data is not visible
 * here — check the definition before freeing.
 */
char *get_comment(const void *data, uint32_t data_len);

enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

/* Print @r in save format as an append (-A) or delete (-D) line. */
bool nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
			 enum nft_rule_print type, unsigned int format);

/* Map an xtables inversion flag to the matching nft compare op. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */
int nft_commit(struct nft_handle *h);
int nft_bridge_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);

/*
 * revision compatibility.
 */
/* Check whether extension @name at revision @rev is usable; @opt selects match vs. target (presumably). */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */
/* Human-readable message for an error code returned by this backend. */
const char *nft_strerror(int err);

/* For xtables.c */
/* Parse and run one command line; @table is in/out, @restore selects *-restore semantics. */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int nft_init_arp(struct nft_handle *h, const char *pname);
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-eb.c */
int nft_init_eb(struct nft_handle *h, const char *pname);
void nft_fini_eb(struct nft_handle *h);
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);

/*
 * Translation from iptables to nft
 */
struct xt_buf;

bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
bool xlate_find_protomatch(const struct iptables_command_state *cs, uint16_t proto);
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/* Emit an interface match on @nftmeta for @ifname, negated when @invert is set. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);

/*
 * ARP
 */

struct arpt_entry;

int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/*
 * Compatibility checks against the kernel ruleset.
 *
 * nft_assert_table_compatible() presumably exits on incompatibility where
 * nft_is_table_compatible() only reports it; the tainted flag corresponds
 * to nft_cache::table[].tainted.
 */
bool nft_is_table_compatible(struct nft_handle *h,
			     const char *table, const char *chain);
bool nft_is_table_tainted(struct nft_handle *h, const char *table);
void nft_assert_table_compatible(struct nft_handle *h,
				 const char *table, const char *chain);

int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
			      const char *chain, const char *policy);

#endif