/*
 * nf_tables netlink interface: message types, attribute identifiers and
 * the enumerations carried as attribute payloads.
 *
 * Every numeric value in this header travels over netlink, so it is a
 * wire/ABI contract: enumerators are only ever appended (before the
 * __*_MAX sentinel where one exists), never renumbered, reordered or
 * removed.  The *_MAX macros give the highest valid attribute id and are
 * the natural bound when validating an attribute array received from the
 * peer.  Kernel-doc "(NLA_xxx)" annotations name the expected netlink
 * attribute type.
 */
#ifndef _LINUX_NF_TABLES_H
#define _LINUX_NF_TABLES_H

/* Maximum length of a chain name (NFTA_CHAIN_NAME). Whether the limit
 * includes the terminating NUL is not stated here — confirm against the
 * code that validates the attribute. */
#define NFT_CHAIN_MAXNAMELEN	32
/* Maximum length of the opaque NFTA_RULE_USERDATA blob. */
#define NFT_USERDATA_MAXLEN	256

/**
 * enum nft_registers - nf_tables registers
 *
 * @NFT_REG_VERDICT: verdict register
 * @NFT_REG_1: general purpose data register 1
 * @NFT_REG_2: general purpose data register 2
 * @NFT_REG_3: general purpose data register 3
 * @NFT_REG_4: general purpose data register 4
 *
 * Expressions name their operands through these indices: *_SREG attributes
 * select a source register, *_DREG attributes a destination register.
 * NFT_REG_MAX is the highest valid index.
 */
enum nft_registers {
	NFT_REG_VERDICT,
	NFT_REG_1,
	NFT_REG_2,
	NFT_REG_3,
	NFT_REG_4,
	__NFT_REG_MAX
};
#define NFT_REG_MAX	(__NFT_REG_MAX - 1)

/**
 * enum nft_verdicts - nf_tables internal verdicts
 *
 * @NFT_CONTINUE: continue evaluation of the current rule
 * @NFT_BREAK: terminate evaluation of the current rule
 * @NFT_JUMP: push the current chain on the jump stack and jump to a chain
 * @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
 * @NFT_RETURN: return to the topmost chain on the jump stack
 *
 * The nf_tables verdicts share their numeric space with the netfilter verdicts;
 * they are negative, presumably to stay clear of the netfilter NF_* values.
 * A verdict is transported in NFTA_VERDICT_CODE; NFT_JUMP and NFT_GOTO
 * additionally need a target chain name in NFTA_VERDICT_CHAIN.
 */
enum nft_verdicts {
	NFT_CONTINUE	= -1,
	NFT_BREAK	= -2,
	NFT_JUMP	= -3,
	NFT_GOTO	= -4,
	NFT_RETURN	= -5,
};

/**
 * enum nf_tables_msg_types - nf_tables netlink message types
 *
 * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
 * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
 * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
 * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
 * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
 * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
 * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
 * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
 * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
 * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
 * @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
 * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
 * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
 * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_NEWGEN: announce a new generation, only for events (enum nft_gen_attributes)
 * @NFT_MSG_GETGEN: get the rule-set generation (enum nft_gen_attributes)
 * @NFT_MSG_MAX: sentinel, one past the last valid message type
 *
 * The parenthesised enum names the attribute set carried by that message.
 */
enum nf_tables_msg_types {
	NFT_MSG_NEWTABLE,
	NFT_MSG_GETTABLE,
	NFT_MSG_DELTABLE,
	NFT_MSG_NEWCHAIN,
	NFT_MSG_GETCHAIN,
	NFT_MSG_DELCHAIN,
	NFT_MSG_NEWRULE,
	NFT_MSG_GETRULE,
	NFT_MSG_DELRULE,
	NFT_MSG_NEWSET,
	NFT_MSG_GETSET,
	NFT_MSG_DELSET,
	NFT_MSG_NEWSETELEM,
	NFT_MSG_GETSETELEM,
	NFT_MSG_DELSETELEM,
	NFT_MSG_NEWGEN,
	NFT_MSG_GETGEN,
	NFT_MSG_MAX,
};

/**
 * enum nft_list_attributes - nf_tables generic list netlink attributes
 *
 * @NFTA_LIST_UNPEC: unspecified (sic: the misspelling is part of the
 *                   exported interface and must not be "corrected")
 * @NFTA_LIST_ELEM: list element (NLA_NESTED)
 */
enum nft_list_attributes {
	NFTA_LIST_UNPEC,
	NFTA_LIST_ELEM,
	__NFTA_LIST_MAX
};
#define NFTA_LIST_MAX		(__NFTA_LIST_MAX - 1)

/**
 * enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
 *
 * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
 * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
 *
 * Carried nested inside NFTA_CHAIN_HOOK for base chains.
 */
enum nft_hook_attributes {
	NFTA_HOOK_UNSPEC,
	NFTA_HOOK_HOOKNUM,
	NFTA_HOOK_PRIORITY,
	__NFTA_HOOK_MAX
};
#define NFTA_HOOK_MAX		(__NFTA_HOOK_MAX - 1)

/**
 * enum nft_table_flags - nf_tables table flags
 *
 * @NFT_TABLE_F_DORMANT: this table is not active
 */
enum nft_table_flags {
	NFT_TABLE_F_DORMANT	= 0x1,
};

/**
 * enum nft_table_attributes - nf_tables table netlink attributes
 *
 * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
 * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
 * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
 */
enum nft_table_attributes {
	NFTA_TABLE_UNSPEC,
	NFTA_TABLE_NAME,
	NFTA_TABLE_FLAGS,
	NFTA_TABLE_USE,
	__NFTA_TABLE_MAX
};
#define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)

/**
 * enum nft_chain_attributes - nf_tables chain netlink attributes
 *
 * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
 * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
 * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING, at most NFT_CHAIN_MAXNAMELEN)
 * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
 * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
 * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
 * @NFTA_CHAIN_TYPE: type name of the chain (NLA_NUL_STRING)
 * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
 */
enum nft_chain_attributes {
	NFTA_CHAIN_UNSPEC,
	NFTA_CHAIN_TABLE,
	NFTA_CHAIN_HANDLE,
	NFTA_CHAIN_NAME,
	NFTA_CHAIN_HOOK,
	NFTA_CHAIN_POLICY,
	NFTA_CHAIN_USE,
	NFTA_CHAIN_TYPE,
	NFTA_CHAIN_COUNTERS,
	__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)

/**
 * enum nft_rule_attributes - nf_tables rule netlink attributes
 *
 * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
 * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
 * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
 * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
 * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
 * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
 *
 * NFTA_RULE_USERDATA is opaque to nf_tables; its only constraint visible
 * here is the NFT_USERDATA_MAXLEN length bound.
 */
enum nft_rule_attributes {
	NFTA_RULE_UNSPEC,
	NFTA_RULE_TABLE,
	NFTA_RULE_CHAIN,
	NFTA_RULE_HANDLE,
	NFTA_RULE_EXPRESSIONS,
	NFTA_RULE_COMPAT,
	NFTA_RULE_POSITION,
	NFTA_RULE_USERDATA,
	__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)

/**
 * enum nft_rule_compat_flags - nf_tables rule compat flags
 *
 * @NFT_RULE_COMPAT_F_INV: invert the check result
 * @NFT_RULE_COMPAT_F_MASK: union of all defined compat flags
 *
 * NFT_RULE_COMPAT_F_INV is bit 1 (value 2), not bit 0; the value is part of
 * the interface and must be kept as is.  NFT_RULE_COMPAT_F_MASK is the
 * natural check for undefined flag bits in NFTA_RULE_COMPAT_FLAGS.
 */
enum nft_rule_compat_flags {
	NFT_RULE_COMPAT_F_INV	= (1 << 1),
	NFT_RULE_COMPAT_F_MASK	= NFT_RULE_COMPAT_F_INV,
};

/**
 * enum nft_rule_compat_attributes - nf_tables rule compat attributes
 *
 * @NFTA_RULE_COMPAT_PROTO: numeric value of handled protocol (NLA_U32)
 * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
 */
enum nft_rule_compat_attributes {
	NFTA_RULE_COMPAT_UNSPEC,
	NFTA_RULE_COMPAT_PROTO,
	NFTA_RULE_COMPAT_FLAGS,
	__NFTA_RULE_COMPAT_MAX
};
#define NFTA_RULE_COMPAT_MAX	(__NFTA_RULE_COMPAT_MAX - 1)

/**
 * enum nft_set_flags - nf_tables set flags
 *
 * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
 * @NFT_SET_CONSTANT: set contents may not change while bound
 * @NFT_SET_INTERVAL: set contains intervals
 * @NFT_SET_MAP: set is used as a dictionary
 */
enum nft_set_flags {
	NFT_SET_ANONYMOUS		= 0x1,
	NFT_SET_CONSTANT		= 0x2,
	NFT_SET_INTERVAL		= 0x4,
	NFT_SET_MAP			= 0x8,
};

/**
 * enum nft_set_policies - set selection policy
 *
 * @NFT_SET_POL_PERFORMANCE: prefer high performance over low memory use
 * @NFT_SET_POL_MEMORY: prefer low memory use over high performance
 */
enum nft_set_policies {
	NFT_SET_POL_PERFORMANCE,
	NFT_SET_POL_MEMORY,
};

/**
 * enum nft_set_desc_attributes - set element description
 *
 * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
 *
 * Carried nested inside NFTA_SET_DESC.
 */
enum nft_set_desc_attributes {
	NFTA_SET_DESC_UNSPEC,
	NFTA_SET_DESC_SIZE,
	__NFTA_SET_DESC_MAX
};
#define NFTA_SET_DESC_MAX	(__NFTA_SET_DESC_MAX - 1)

/**
 * enum nft_set_attributes - nf_tables set netlink attributes
 *
 * @NFTA_SET_TABLE: table name (NLA_STRING)
 * @NFTA_SET_NAME: set name (NLA_STRING)
 * @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
 * @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
 * @NFTA_SET_KEY_LEN: key data length (NLA_U32)
 * @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
 * @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
 * @NFTA_SET_POLICY: selection policy (NLA_U32: nft_set_policies)
 * @NFTA_SET_DESC: set description (NLA_NESTED: nft_set_desc_attributes)
 * @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 *
 * The NFTA_SET_ID value is what NFTA_SET_ELEM_LIST_SET_ID and
 * NFTA_LOOKUP_SET_ID refer back to within the same transaction.
 */
enum nft_set_attributes {
	NFTA_SET_UNSPEC,
	NFTA_SET_TABLE,
	NFTA_SET_NAME,
	NFTA_SET_FLAGS,
	NFTA_SET_KEY_TYPE,
	NFTA_SET_KEY_LEN,
	NFTA_SET_DATA_TYPE,
	NFTA_SET_DATA_LEN,
	NFTA_SET_POLICY,
	NFTA_SET_DESC,
	NFTA_SET_ID,
	__NFTA_SET_MAX
};
#define NFTA_SET_MAX		(__NFTA_SET_MAX - 1)

/**
 * enum nft_set_elem_flags - nf_tables set element flags
 *
 * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
 */
enum nft_set_elem_flags {
	NFT_SET_ELEM_INTERVAL_END	= 0x1,
};

/**
 * enum nft_set_elem_attributes - nf_tables set element netlink attributes
 *
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
 */
enum nft_set_elem_attributes {
	NFTA_SET_ELEM_UNSPEC,
	NFTA_SET_ELEM_KEY,
	NFTA_SET_ELEM_DATA,
	NFTA_SET_ELEM_FLAGS,
	__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX	(__NFTA_SET_ELEM_MAX - 1)

/**
 * enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
 *
 * @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
 * @NFTA_SET_ELEM_LIST_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 */
enum nft_set_elem_list_attributes {
	NFTA_SET_ELEM_LIST_UNSPEC,
	NFTA_SET_ELEM_LIST_TABLE,
	NFTA_SET_ELEM_LIST_SET,
	NFTA_SET_ELEM_LIST_ELEMENTS,
	NFTA_SET_ELEM_LIST_SET_ID,
	__NFTA_SET_ELEM_LIST_MAX
};
#define NFTA_SET_ELEM_LIST_MAX	(__NFTA_SET_ELEM_LIST_MAX - 1)

/**
 * enum nft_data_types - nf_tables data types
 *
 * @NFT_DATA_VALUE: generic data
 * @NFT_DATA_VERDICT: netfilter verdict
 *
 * The type of data is usually determined by the kernel directly and is not
 * explicitly specified by userspace. The only difference are sets, where
 * userspace specifies the key and mapping data types.
 *
 * The values 0xffffff00-0xffffffff are reserved for internally used types.
 * The remaining range can be freely used by userspace to encode types, all
 * values are equivalent to NFT_DATA_VALUE.  A type t lies in the reserved
 * range exactly when (t & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK.
 */
enum nft_data_types {
	NFT_DATA_VALUE,
	NFT_DATA_VERDICT	= 0xffffff00U,
};

/* Top 24 bits; see the reserved-range note on enum nft_data_types. */
#define NFT_DATA_RESERVED_MASK	0xffffff00U

/**
 * enum nft_data_attributes - nf_tables data netlink attributes
 *
 * @NFTA_DATA_VALUE: generic data (NLA_BINARY)
 * @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
 */
enum nft_data_attributes {
	NFTA_DATA_UNSPEC,
	NFTA_DATA_VALUE,
	NFTA_DATA_VERDICT,
	__NFTA_DATA_MAX
};
#define NFTA_DATA_MAX		(__NFTA_DATA_MAX - 1)

/**
 * enum nft_verdict_attributes - nf_tables verdict netlink attributes
 *
 * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
 * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
 *
 * NFTA_VERDICT_CHAIN only makes sense for the NFT_JUMP and NFT_GOTO codes.
 */
enum nft_verdict_attributes {
	NFTA_VERDICT_UNSPEC,
	NFTA_VERDICT_CODE,
	NFTA_VERDICT_CHAIN,
	__NFTA_VERDICT_MAX
};
#define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)

/**
 * enum nft_expr_attributes - nf_tables expression netlink attributes
 *
 * @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
 * @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
 *
 * The layout of NFTA_EXPR_DATA is selected by NFTA_EXPR_NAME; the
 * per-expression attribute enums follow below.
 */
enum nft_expr_attributes {
	NFTA_EXPR_UNSPEC,
	NFTA_EXPR_NAME,
	NFTA_EXPR_DATA,
	__NFTA_EXPR_MAX
};
#define NFTA_EXPR_MAX		(__NFTA_EXPR_MAX - 1)

/**
 * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
 *
 * @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32: nft_registers)
 * @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
 */
enum nft_immediate_attributes {
	NFTA_IMMEDIATE_UNSPEC,
	NFTA_IMMEDIATE_DREG,
	NFTA_IMMEDIATE_DATA,
	__NFTA_IMMEDIATE_MAX
};
#define NFTA_IMMEDIATE_MAX	(__NFTA_IMMEDIATE_MAX - 1)

/**
 * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
 *
 * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
 * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
 * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
 *
 * The bitwise expression performs the following operation:
 *
 *	dreg = (sreg & mask) ^ xor
 *
 * which allows all bitwise operations to be expressed:
 *
 *		mask	xor
 *	NOT:	1	1
 *	OR:	0	x
 *	XOR:	1	x
 *	AND:	x	0
 *
 * NFTA_BITWISE_LEN is the operand length that mask and xor must cover.
 */
enum nft_bitwise_attributes {
	NFTA_BITWISE_UNSPEC,
	NFTA_BITWISE_SREG,
	NFTA_BITWISE_DREG,
	NFTA_BITWISE_LEN,
	NFTA_BITWISE_MASK,
	NFTA_BITWISE_XOR,
	__NFTA_BITWISE_MAX
};
#define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)

/**
 * enum nft_byteorder_ops - nf_tables byteorder operators
 *
 * @NFT_BYTEORDER_NTOH: network to host operator
 * @NFT_BYTEORDER_HTON: host to network operator
 */
enum nft_byteorder_ops {
	NFT_BYTEORDER_NTOH,
	NFT_BYTEORDER_HTON,
};

/**
 * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
 *
 * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
 * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
 * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
 *
 * NFTA_BYTEORDER_SIZE is the width of each swapped unit, NFTA_BYTEORDER_LEN
 * the total amount of data.
 */
enum nft_byteorder_attributes {
	NFTA_BYTEORDER_UNSPEC,
	NFTA_BYTEORDER_SREG,
	NFTA_BYTEORDER_DREG,
	NFTA_BYTEORDER_OP,
	NFTA_BYTEORDER_LEN,
	NFTA_BYTEORDER_SIZE,
	__NFTA_BYTEORDER_MAX
};
#define NFTA_BYTEORDER_MAX	(__NFTA_BYTEORDER_MAX - 1)

/**
 * enum nft_cmp_ops - nf_tables relational operator
 *
 * @NFT_CMP_EQ: equal
 * @NFT_CMP_NEQ: not equal
 * @NFT_CMP_LT: less than
 * @NFT_CMP_LTE: less than or equal to
 * @NFT_CMP_GT: greater than
 * @NFT_CMP_GTE: greater than or equal to
 */
enum nft_cmp_ops {
	NFT_CMP_EQ,
	NFT_CMP_NEQ,
	NFT_CMP_LT,
	NFT_CMP_LTE,
	NFT_CMP_GT,
	NFT_CMP_GTE,
};

/**
 * enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
 *
 * @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
 * @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
 * @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
 */
enum nft_cmp_attributes {
	NFTA_CMP_UNSPEC,
	NFTA_CMP_SREG,
	NFTA_CMP_OP,
	NFTA_CMP_DATA,
	__NFTA_CMP_MAX
};
#define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)

/**
 * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
 *
 * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
 * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 *
 * NFTA_LOOKUP_SET_ID refers to a set created with NFTA_SET_ID in the same
 * transaction; NFTA_LOOKUP_SET refers to one by name.
 */
enum nft_lookup_attributes {
	NFTA_LOOKUP_UNSPEC,
	NFTA_LOOKUP_SET,
	NFTA_LOOKUP_SREG,
	NFTA_LOOKUP_DREG,
	NFTA_LOOKUP_SET_ID,
	__NFTA_LOOKUP_MAX
};
#define NFTA_LOOKUP_MAX		(__NFTA_LOOKUP_MAX - 1)

/**
 * enum nft_payload_bases - nf_tables payload expression offset bases
 *
 * @NFT_PAYLOAD_LL_HEADER: link layer header
 * @NFT_PAYLOAD_NETWORK_HEADER: network header
 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
 */
enum nft_payload_bases {
	NFT_PAYLOAD_LL_HEADER,
	NFT_PAYLOAD_NETWORK_HEADER,
	NFT_PAYLOAD_TRANSPORT_HEADER,
};

/**
 * enum nft_payload_attributes - nf_tables payload expression netlink attributes
 *
 * @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
 * @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
 * @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
 * @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
 *
 * OFFSET and LEN together select the byte range [base + OFFSET,
 * base + OFFSET + LEN) that is loaded into DREG.
 */
enum nft_payload_attributes {
	NFTA_PAYLOAD_UNSPEC,
	NFTA_PAYLOAD_DREG,
	NFTA_PAYLOAD_BASE,
	NFTA_PAYLOAD_OFFSET,
	NFTA_PAYLOAD_LEN,
	__NFTA_PAYLOAD_MAX
};
#define NFTA_PAYLOAD_MAX	(__NFTA_PAYLOAD_MAX - 1)

/**
 * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes
 *
 * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
 * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
 * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
 */
enum nft_exthdr_attributes {
	NFTA_EXTHDR_UNSPEC,
	NFTA_EXTHDR_DREG,
	NFTA_EXTHDR_TYPE,
	NFTA_EXTHDR_OFFSET,
	NFTA_EXTHDR_LEN,
	__NFTA_EXTHDR_MAX
};
#define NFTA_EXTHDR_MAX		(__NFTA_EXTHDR_MAX - 1)

/**
 * enum nft_meta_keys - nf_tables meta expression keys
 *
 * @NFT_META_LEN: packet length (skb->len)
 * @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
 * @NFT_META_PRIORITY: packet priority (skb->priority)
 * @NFT_META_MARK: packet mark (skb->mark)
 * @NFT_META_IIF: packet input interface index (dev->ifindex)
 * @NFT_META_OIF: packet output interface index (dev->ifindex)
 * @NFT_META_IIFNAME: packet input interface name (dev->name)
 * @NFT_META_OIFNAME: packet output interface name (dev->name)
 * @NFT_META_IIFTYPE: packet input interface type (dev->type)
 * @NFT_META_OIFTYPE: packet output interface type (dev->type)
 * @NFT_META_SKUID: originating socket UID (fsuid)
 * @NFT_META_SKGID: originating socket GID (fsgid)
 * @NFT_META_NFTRACE: packet nftrace bit
 * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_META_SECMARK: packet secmark (skb->secmark)
 * @NFT_META_NFPROTO: netfilter protocol
 * @NFT_META_L4PROTO: layer 4 protocol number
 * @NFT_META_BRI_IIFNAME: packet input bridge interface name
 * @NFT_META_BRI_OIFNAME: packet output bridge interface name
 * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
 * @NFT_META_CPU: cpu id through smp_processor_id()
 * @NFT_META_IIFGROUP: packet input interface group
 * @NFT_META_OIFGROUP: packet output interface group
 *
 * Selected through NFTA_META_KEY.
 */
enum nft_meta_keys {
	NFT_META_LEN,
	NFT_META_PROTOCOL,
	NFT_META_PRIORITY,
	NFT_META_MARK,
	NFT_META_IIF,
	NFT_META_OIF,
	NFT_META_IIFNAME,
	NFT_META_OIFNAME,
	NFT_META_IIFTYPE,
	NFT_META_OIFTYPE,
	NFT_META_SKUID,
	NFT_META_SKGID,
	NFT_META_NFTRACE,
	NFT_META_RTCLASSID,
	NFT_META_SECMARK,
	NFT_META_NFPROTO,
	NFT_META_L4PROTO,
	NFT_META_BRI_IIFNAME,
	NFT_META_BRI_OIFNAME,
	NFT_META_PKTTYPE,
	NFT_META_CPU,
	NFT_META_IIFGROUP,
	NFT_META_OIFGROUP,
};

/**
 * enum nft_meta_attributes - nf_tables meta expression netlink attributes
 *
 * @NFTA_META_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys)
 * @NFTA_META_SREG: source register (NLA_U32: nft_registers)
 *
 * DREG is used when reading a meta key into a register, SREG when writing
 * a register's value into packet meta data.
 */
enum nft_meta_attributes {
	NFTA_META_UNSPEC,
	NFTA_META_DREG,
	NFTA_META_KEY,
	NFTA_META_SREG,
	__NFTA_META_MAX
};
#define NFTA_META_MAX		(__NFTA_META_MAX - 1)

/**
 * enum nft_ct_keys - nf_tables ct expression keys
 *
 * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
 * @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir)
 * @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status)
 * @NFT_CT_MARK: conntrack mark value
 * @NFT_CT_SECMARK: conntrack secmark value
 * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
 * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
 * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
 * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
 * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
 * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
 * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
 * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
 * @NFT_CT_LABELS: conntrack labels
 *
 * Selected through NFTA_CT_KEY; directional keys take NFTA_CT_DIRECTION.
 */
enum nft_ct_keys {
	NFT_CT_STATE,
	NFT_CT_DIRECTION,
	NFT_CT_STATUS,
	NFT_CT_MARK,
	NFT_CT_SECMARK,
	NFT_CT_EXPIRATION,
	NFT_CT_HELPER,
	NFT_CT_L3PROTOCOL,
	NFT_CT_SRC,
	NFT_CT_DST,
	NFT_CT_PROTOCOL,
	NFT_CT_PROTO_SRC,
	NFT_CT_PROTO_DST,
	NFT_CT_LABELS,
};

/**
 * enum nft_ct_attributes - nf_tables ct expression netlink attributes
 *
 * @NFTA_CT_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys)
 * @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8)
 * @NFTA_CT_SREG: source register (NLA_U32: nft_registers)
 */
enum nft_ct_attributes {
	NFTA_CT_UNSPEC,
	NFTA_CT_DREG,
	NFTA_CT_KEY,
	NFTA_CT_DIRECTION,
	NFTA_CT_SREG,
	__NFTA_CT_MAX
};
#define NFTA_CT_MAX		(__NFTA_CT_MAX - 1)

/**
 * enum nft_limit_attributes - nf_tables limit expression netlink attributes
 *
 * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
 * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
 */
enum nft_limit_attributes {
	NFTA_LIMIT_UNSPEC,
	NFTA_LIMIT_RATE,
	NFTA_LIMIT_UNIT,
	__NFTA_LIMIT_MAX
};
#define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)

/**
 * enum nft_counter_attributes - nf_tables counter expression netlink attributes
 *
 * @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
 * @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
 *
 * Also used nested inside NFTA_CHAIN_COUNTERS.
 */
enum nft_counter_attributes {
	NFTA_COUNTER_UNSPEC,
	NFTA_COUNTER_BYTES,
	NFTA_COUNTER_PACKETS,
	__NFTA_COUNTER_MAX
};
#define NFTA_COUNTER_MAX	(__NFTA_COUNTER_MAX - 1)

/**
 * enum nft_log_attributes - nf_tables log expression netlink attributes
 *
 * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
 * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
 * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
 * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
 * @NFTA_LOG_LEVEL: log level (NLA_U32)
 * @NFTA_LOG_FLAGS: logging flags (NLA_U32)
 */
enum nft_log_attributes {
	NFTA_LOG_UNSPEC,
	NFTA_LOG_GROUP,
	NFTA_LOG_PREFIX,
	NFTA_LOG_SNAPLEN,
	NFTA_LOG_QTHRESHOLD,
	NFTA_LOG_LEVEL,
	NFTA_LOG_FLAGS,
	__NFTA_LOG_MAX
};
#define NFTA_LOG_MAX		(__NFTA_LOG_MAX - 1)

/**
 * enum nft_queue_attributes - nf_tables queue expression netlink attributes
 *
 * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16)
 * @NFTA_QUEUE_TOTAL: number of queues to load balance packets on (NLA_U16)
 * @NFTA_QUEUE_FLAGS: various flags (NLA_U16: NFT_QUEUE_FLAG_*)
 */
enum nft_queue_attributes {
	NFTA_QUEUE_UNSPEC,
	NFTA_QUEUE_NUM,
	NFTA_QUEUE_TOTAL,
	NFTA_QUEUE_FLAGS,
	__NFTA_QUEUE_MAX
};
#define NFTA_QUEUE_MAX		(__NFTA_QUEUE_MAX - 1)

/* Flag bits for NFTA_QUEUE_FLAGS. NFT_QUEUE_FLAG_MASK is the union of the
 * defined bits and the natural check for undefined flags. */
#define NFT_QUEUE_FLAG_BYPASS		0x01 /* for compatibility with v2 */
#define NFT_QUEUE_FLAG_CPU_FANOUT	0x02 /* use current CPU (no hashing) */
#define NFT_QUEUE_FLAG_MASK		0x03

/**
 * enum nft_reject_types - nf_tables reject expression reject types
 *
 * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
 * @NFT_REJECT_TCP_RST: reject using TCP RST
 * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
 */
enum nft_reject_types {
	NFT_REJECT_ICMP_UNREACH,
	NFT_REJECT_TCP_RST,
	NFT_REJECT_ICMPX_UNREACH,
};

/**
 * enum nft_reject_inet_code - Generic reject codes for IPv4/IPv6
 *
 * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host / network unreachable
 * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
 * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
 * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
 *
 * These codes are mapped to real ICMP and ICMPv6 codes.  Used in
 * NFTA_REJECT_ICMP_CODE together with NFT_REJECT_ICMPX_UNREACH;
 * NFT_REJECT_ICMPX_MAX is the highest valid code.
 */
enum nft_reject_inet_code {
	NFT_REJECT_ICMPX_NO_ROUTE	= 0,
	NFT_REJECT_ICMPX_PORT_UNREACH,
	NFT_REJECT_ICMPX_HOST_UNREACH,
	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
	__NFT_REJECT_ICMPX_MAX
};
#define NFT_REJECT_ICMPX_MAX	(__NFT_REJECT_ICMPX_MAX - 1)

/**
 * enum nft_reject_attributes - nf_tables reject expression netlink attributes
 *
 * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
 * @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8)
 */
enum nft_reject_attributes {
	NFTA_REJECT_UNSPEC,
	NFTA_REJECT_TYPE,
	NFTA_REJECT_ICMP_CODE,
	__NFTA_REJECT_MAX
};
#define NFTA_REJECT_MAX		(__NFTA_REJECT_MAX - 1)

/**
 * enum nft_nat_types - nf_tables nat expression NAT types
 *
 * @NFT_NAT_SNAT: source NAT
 * @NFT_NAT_DNAT: destination NAT
 */
enum nft_nat_types {
	NFT_NAT_SNAT,
	NFT_NAT_DNAT,
};

/**
 * enum nft_nat_attributes - nf_tables nat expression netlink attributes
 *
 * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types)
 * @NFTA_NAT_FAMILY: NAT family (NLA_U32)
 * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
 * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
 *
 * The *_MIN/*_MAX pairs name registers holding range bounds, not the
 * bounds themselves.
 */
enum nft_nat_attributes {
	NFTA_NAT_UNSPEC,
	NFTA_NAT_TYPE,
	NFTA_NAT_FAMILY,
	NFTA_NAT_REG_ADDR_MIN,
	NFTA_NAT_REG_ADDR_MAX,
	NFTA_NAT_REG_PROTO_MIN,
	NFTA_NAT_REG_PROTO_MAX,
	NFTA_NAT_FLAGS,
	__NFTA_NAT_MAX
};
#define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)

/**
 * enum nft_masq_attributes - nf_tables masquerade expression attributes
 *
 * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
 */
enum nft_masq_attributes {
	NFTA_MASQ_UNSPEC,
	NFTA_MASQ_FLAGS,
	__NFTA_MASQ_MAX
};
#define NFTA_MASQ_MAX		(__NFTA_MASQ_MAX - 1)

/**
 * enum nft_gen_attributes - nf_tables ruleset generation attributes
 *
 * @NFTA_GEN_ID: Ruleset generation ID (NLA_U32)
 *
 * Carried by NFT_MSG_NEWGEN events and NFT_MSG_GETGEN replies.
 */
enum nft_gen_attributes {
	NFTA_GEN_UNSPEC,
	NFTA_GEN_ID,
	__NFTA_GEN_MAX
};
#define NFTA_GEN_MAX		(__NFTA_GEN_MAX - 1)

#endif /* _LINUX_NF_TABLES_H */