/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _LINUX_NF_TABLES_H
#define _LINUX_NF_TABLES_H

/*
 * nf_tables netlink ABI definitions shared between kernel and userspace.
 *
 * Everything below is ABI: enumerator names and values, attribute numbers and
 * the *_MAX definitions must not be renamed or renumbered. The "(NLA_xxx)"
 * annotations in the kernel-doc comments name the netlink attribute type each
 * attribute is expected to carry; on the kernel side these attributes arrive
 * from userspace, and it is the receiving netlink code, not this header, that
 * has to enforce those types and the NFT_*_MAXLEN bounds.
 *
 * Conventions used by the attribute enums: the first enumerator (NFTA_*_UNSPEC)
 * is attribute number 0 and is never sent, __NFTA_*_MAX is an internal upper
 * bound and NFTA_*_MAX (= __NFTA_*_MAX - 1) is the highest valid attribute.
 */

/* Maximum length of table, chain, set and stateful object names. */
#define NFT_NAME_MAXLEN		256
#define NFT_TABLE_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_CHAIN_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_SET_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_OBJ_MAXNAMELEN	NFT_NAME_MAXLEN
/* Maximum length of the opaque user data carried by NFTA_RULE_USERDATA. */
#define NFT_USERDATA_MAXLEN	256

/**
 * enum nft_registers - nf_tables registers
 *
 * @NFT_REG_VERDICT: the verdict register
 * @NFT_REG_1: first legacy 16 byte data register
 * @NFT_REG_2: second legacy 16 byte data register
 * @NFT_REG_3: third legacy 16 byte data register
 * @NFT_REG_4: fourth legacy 16 byte data register
 * @__NFT_REG_MAX: internal upper bound of the legacy register numbers
 * @NFT_REG32_00: first 4 byte data register
 * @NFT_REG32_01: 4 byte data register
 * @NFT_REG32_02: 4 byte data register
 * @NFT_REG32_03: 4 byte data register
 * @NFT_REG32_04: 4 byte data register
 * @NFT_REG32_05: 4 byte data register
 * @NFT_REG32_06: 4 byte data register
 * @NFT_REG32_07: 4 byte data register
 * @NFT_REG32_08: 4 byte data register
 * @NFT_REG32_09: 4 byte data register
 * @NFT_REG32_10: 4 byte data register
 * @NFT_REG32_11: 4 byte data register
 * @NFT_REG32_12: 4 byte data register
 * @NFT_REG32_13: 4 byte data register
 * @NFT_REG32_14: 4 byte data register
 * @NFT_REG32_15: last 4 byte data register
 *
 * nf_tables used to have five registers: a verdict register and four data
 * registers of size 16. The data registers have been changed to 16 registers
 * of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
 * map to areas of size 16, the 4 byte registers are addressed using
 * NFT_REG32_00 - NFT_REG32_15.
 *
 * Note that the NFT_REG32_* numbers start at 8, leaving a gap after
 * __NFT_REG_MAX; the two numbering schemes are distinguished by value.
 */
enum nft_registers {
	NFT_REG_VERDICT,
	NFT_REG_1,
	NFT_REG_2,
	NFT_REG_3,
	NFT_REG_4,
	__NFT_REG_MAX,

	NFT_REG32_00	= 8,
	NFT_REG32_01,
	NFT_REG32_02,
	NFT_REG32_03,
	NFT_REG32_04,
	NFT_REG32_05,
	NFT_REG32_06,
	NFT_REG32_07,
	NFT_REG32_08,
	NFT_REG32_09,
	NFT_REG32_10,
	NFT_REG32_11,
	NFT_REG32_12,
	NFT_REG32_13,
	NFT_REG32_14,
	NFT_REG32_15,
};
/* Highest legacy register number (NFT_REG_4). */
#define NFT_REG_MAX	(__NFT_REG_MAX - 1)

/* Size in bytes of a legacy NFT_REG_[1-4] register. */
#define NFT_REG_SIZE	16
/* Size in bytes of an NFT_REG32_* register. */
#define NFT_REG32_SIZE	4

/**
 * enum nft_verdicts - nf_tables internal verdicts
 *
 * @NFT_CONTINUE: continue evaluation of the current rule
 * @NFT_BREAK: terminate evaluation of the current rule
 * @NFT_JUMP: push the current chain on the jump stack and jump to a chain
 * @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
 * @NFT_RETURN: return to the topmost chain on the jump stack
 *
 * The nf_tables verdicts share their numeric space with the netfilter verdicts.
 * The nf_tables verdicts are all negative so that they do not collide with the
 * non-negative netfilter verdicts (NF_DROP, NF_ACCEPT, ...).
 */
enum nft_verdicts {
	NFT_CONTINUE	= -1,
	NFT_BREAK	= -2,
	NFT_JUMP	= -3,
	NFT_GOTO	= -4,
	NFT_RETURN	= -5,
};

/**
 * enum nf_tables_msg_types - nf_tables netlink message types
 *
 * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
 * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
 * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
 * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
 * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
 * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
 * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
 * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
 * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
 * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
 * @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
 * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
 * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
 * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_NEWGEN: announce a new generation, only for events (enum nft_gen_attributes)
 * @NFT_MSG_GETGEN: get the rule-set generation (enum nft_gen_attributes)
 * @NFT_MSG_TRACE: trace event (enum nft_trace_attributes)
 * @NFT_MSG_NEWOBJ: create a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_GETOBJ: get a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_DELOBJ: delete a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_GETOBJ_RESET: get and reset a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_MAX: number of message types; not a valid message type itself
 */
enum nf_tables_msg_types {
	NFT_MSG_NEWTABLE,
	NFT_MSG_GETTABLE,
	NFT_MSG_DELTABLE,
	NFT_MSG_NEWCHAIN,
	NFT_MSG_GETCHAIN,
	NFT_MSG_DELCHAIN,
	NFT_MSG_NEWRULE,
	NFT_MSG_GETRULE,
	NFT_MSG_DELRULE,
	NFT_MSG_NEWSET,
	NFT_MSG_GETSET,
	NFT_MSG_DELSET,
	NFT_MSG_NEWSETELEM,
	NFT_MSG_GETSETELEM,
	NFT_MSG_DELSETELEM,
	NFT_MSG_NEWGEN,
	NFT_MSG_GETGEN,
	NFT_MSG_TRACE,
	NFT_MSG_NEWOBJ,
	NFT_MSG_GETOBJ,
	NFT_MSG_DELOBJ,
	NFT_MSG_GETOBJ_RESET,
	NFT_MSG_MAX,
};

/**
 * enum nft_list_attributes - nf_tables generic list netlink attributes
 *
 * @NFTA_LIST_UNPEC: unused attribute 0 (sic: the misspelling is part of the
 *                   ABI and must be kept)
 * @NFTA_LIST_ELEM: list element (NLA_NESTED)
 */
enum nft_list_attributes {
	NFTA_LIST_UNPEC,
	NFTA_LIST_ELEM,
	__NFTA_LIST_MAX
};
#define NFTA_LIST_MAX		(__NFTA_LIST_MAX - 1)

/**
 * enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
 *
 * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
 * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
 * @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
 */
enum nft_hook_attributes {
	NFTA_HOOK_UNSPEC,
	NFTA_HOOK_HOOKNUM,
	NFTA_HOOK_PRIORITY,
	NFTA_HOOK_DEV,
	__NFTA_HOOK_MAX
};
#define NFTA_HOOK_MAX		(__NFTA_HOOK_MAX - 1)

/**
 * enum nft_table_flags - nf_tables table flags
 *
 * @NFT_TABLE_F_DORMANT: this table is not active
 */
enum nft_table_flags {
	NFT_TABLE_F_DORMANT	= 0x1,
};

/**
 * enum nft_table_attributes - nf_tables table netlink attributes
 *
 * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
 * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
 * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
 */
enum nft_table_attributes {
	NFTA_TABLE_UNSPEC,
	NFTA_TABLE_NAME,
	NFTA_TABLE_FLAGS,
	NFTA_TABLE_USE,
	__NFTA_TABLE_MAX
};
#define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)

/**
 * enum nft_chain_attributes - nf_tables chain netlink attributes
 *
 * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
 * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
 * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
 * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
 * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
 * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
 * @NFTA_CHAIN_TYPE: type name of the chain (NLA_NUL_STRING)
 * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
 * @NFTA_CHAIN_PAD: alignment padding, carries no data
 */
enum nft_chain_attributes {
	NFTA_CHAIN_UNSPEC,
	NFTA_CHAIN_TABLE,
	NFTA_CHAIN_HANDLE,
	NFTA_CHAIN_NAME,
	NFTA_CHAIN_HOOK,
	NFTA_CHAIN_POLICY,
	NFTA_CHAIN_USE,
	NFTA_CHAIN_TYPE,
	NFTA_CHAIN_COUNTERS,
	NFTA_CHAIN_PAD,
	__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)

/**
 * enum nft_rule_attributes - nf_tables rule netlink attributes
 *
 * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
 * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
 * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
 * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
 * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
 * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
 * @NFTA_RULE_PAD: alignment padding, carries no data
 * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
 */
enum nft_rule_attributes {
	NFTA_RULE_UNSPEC,
	NFTA_RULE_TABLE,
	NFTA_RULE_CHAIN,
	NFTA_RULE_HANDLE,
	NFTA_RULE_EXPRESSIONS,
	NFTA_RULE_COMPAT,
	NFTA_RULE_POSITION,
	NFTA_RULE_USERDATA,
	NFTA_RULE_PAD,
	NFTA_RULE_ID,
	__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)

/**
 * enum nft_rule_compat_flags - nf_tables rule compat flags
 *
 * @NFT_RULE_COMPAT_F_INV: invert the check result
 * @NFT_RULE_COMPAT_F_MASK: mask of all valid compat flags
 *
 * Unlike the other *_F_INV flags in this header, NFT_RULE_COMPAT_F_INV is
 * bit 1, not bit 0. This is an ABI value and must stay as is.
 */
enum nft_rule_compat_flags {
	NFT_RULE_COMPAT_F_INV	= (1 << 1),
	NFT_RULE_COMPAT_F_MASK	= NFT_RULE_COMPAT_F_INV,
};

/**
 * enum nft_rule_compat_attributes - nf_tables rule compat attributes
 *
 * @NFTA_RULE_COMPAT_PROTO: numeric value of handled protocol (NLA_U32)
 * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
 */
enum nft_rule_compat_attributes {
	NFTA_RULE_COMPAT_UNSPEC,
	NFTA_RULE_COMPAT_PROTO,
	NFTA_RULE_COMPAT_FLAGS,
	__NFTA_RULE_COMPAT_MAX
};
#define NFTA_RULE_COMPAT_MAX	(__NFTA_RULE_COMPAT_MAX - 1)

/**
 * enum nft_set_flags - nf_tables set flags
 *
 * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
 * @NFT_SET_CONSTANT: set contents may not change while bound
 * @NFT_SET_INTERVAL: set contains intervals
 * @NFT_SET_MAP: set is used as a dictionary
 * @NFT_SET_TIMEOUT: set uses timeouts
 * @NFT_SET_EVAL: set contains expressions for evaluation
 * @NFT_SET_OBJECT: set contains stateful objects
 */
enum nft_set_flags {
	NFT_SET_ANONYMOUS		= 0x1,
	NFT_SET_CONSTANT		= 0x2,
	NFT_SET_INTERVAL		= 0x4,
	NFT_SET_MAP			= 0x8,
	NFT_SET_TIMEOUT			= 0x10,
	NFT_SET_EVAL			= 0x20,
	NFT_SET_OBJECT			= 0x40,
};

/**
 * enum nft_set_policies - set selection policy
 *
 * @NFT_SET_POL_PERFORMANCE: prefer high performance over low memory use
 * @NFT_SET_POL_MEMORY: prefer low memory use over high performance
 */
enum nft_set_policies {
	NFT_SET_POL_PERFORMANCE,
	NFT_SET_POL_MEMORY,
};

/**
 * enum nft_set_desc_attributes - set element description
 *
 * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
 */
enum nft_set_desc_attributes {
	NFTA_SET_DESC_UNSPEC,
	NFTA_SET_DESC_SIZE,
	__NFTA_SET_DESC_MAX
};
#define NFTA_SET_DESC_MAX	(__NFTA_SET_DESC_MAX - 1)

/**
 * enum nft_set_attributes - nf_tables set netlink attributes
 *
 * @NFTA_SET_TABLE: table name (NLA_STRING)
 * @NFTA_SET_NAME: set name (NLA_STRING)
 * @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
 * @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
 * @NFTA_SET_KEY_LEN: key data length (NLA_U32)
 * @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
 * @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
 * @NFTA_SET_POLICY: selection policy (NLA_U32: enum nft_set_policies)
 * @NFTA_SET_DESC: set description (NLA_NESTED: nft_set_desc_attributes)
 * @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 * @NFTA_SET_TIMEOUT: default timeout value (NLA_U64)
 * @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
 * @NFTA_SET_USERDATA: user data (NLA_BINARY)
 * @NFTA_SET_PAD: alignment padding, carries no data
 * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
 */
enum nft_set_attributes {
	NFTA_SET_UNSPEC,
	NFTA_SET_TABLE,
	NFTA_SET_NAME,
	NFTA_SET_FLAGS,
	NFTA_SET_KEY_TYPE,
	NFTA_SET_KEY_LEN,
	NFTA_SET_DATA_TYPE,
	NFTA_SET_DATA_LEN,
	NFTA_SET_POLICY,
	NFTA_SET_DESC,
	NFTA_SET_ID,
	NFTA_SET_TIMEOUT,
	NFTA_SET_GC_INTERVAL,
	NFTA_SET_USERDATA,
	NFTA_SET_PAD,
	NFTA_SET_OBJ_TYPE,
	__NFTA_SET_MAX
};
#define NFTA_SET_MAX		(__NFTA_SET_MAX - 1)

/**
 * enum nft_set_elem_flags - nf_tables set element flags
 *
 * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
 */
enum nft_set_elem_flags {
	NFT_SET_ELEM_INTERVAL_END	= 0x1,
};

/**
 * enum nft_set_elem_attributes - nf_tables set element netlink attributes
 *
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
 * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
 * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
 * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
 * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
 * @NFTA_SET_ELEM_PAD: alignment padding, carries no data
 * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
 */
enum nft_set_elem_attributes {
	NFTA_SET_ELEM_UNSPEC,
	NFTA_SET_ELEM_KEY,
	NFTA_SET_ELEM_DATA,
	NFTA_SET_ELEM_FLAGS,
	NFTA_SET_ELEM_TIMEOUT,
	NFTA_SET_ELEM_EXPIRATION,
	NFTA_SET_ELEM_USERDATA,
	NFTA_SET_ELEM_EXPR,
	NFTA_SET_ELEM_PAD,
	NFTA_SET_ELEM_OBJREF,
	__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX	(__NFTA_SET_ELEM_MAX - 1)

/**
 * enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
 *
 * @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
 * @NFTA_SET_ELEM_LIST_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 */
enum nft_set_elem_list_attributes {
	NFTA_SET_ELEM_LIST_UNSPEC,
	NFTA_SET_ELEM_LIST_TABLE,
	NFTA_SET_ELEM_LIST_SET,
	NFTA_SET_ELEM_LIST_ELEMENTS,
	NFTA_SET_ELEM_LIST_SET_ID,
	__NFTA_SET_ELEM_LIST_MAX
};
#define NFTA_SET_ELEM_LIST_MAX	(__NFTA_SET_ELEM_LIST_MAX - 1)

/**
 * enum nft_data_types - nf_tables data types
 *
 * @NFT_DATA_VALUE: generic data
 * @NFT_DATA_VERDICT: netfilter verdict
 *
 * The type of data is usually determined by the kernel directly and is not
 * explicitly specified by userspace. The only difference are sets, where
 * userspace specifies the key and mapping data types.
 *
 * The values 0xffffff00-0xffffffff are reserved for internally used types.
 * The remaining range can be freely used by userspace to encode types, all
 * values are equivalent to NFT_DATA_VALUE.
 */
enum nft_data_types {
	NFT_DATA_VALUE,
	NFT_DATA_VERDICT	= 0xffffff00U,
};

/* Bits selecting the reserved range of enum nft_data_types (0xffffff00-0xffffffff). */
#define NFT_DATA_RESERVED_MASK	0xffffff00U

/**
 * enum nft_data_attributes - nf_tables data netlink attributes
 *
 * @NFTA_DATA_VALUE: generic data (NLA_BINARY)
 * @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
 */
enum nft_data_attributes {
	NFTA_DATA_UNSPEC,
	NFTA_DATA_VALUE,
	NFTA_DATA_VERDICT,
	__NFTA_DATA_MAX
};
#define NFTA_DATA_MAX		(__NFTA_DATA_MAX - 1)

/* Maximum length of a value */
#define NFT_DATA_VALUE_MAXLEN	64

/**
 * enum nft_verdict_attributes - nf_tables verdict netlink attributes
 *
 * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
 * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
 */
enum nft_verdict_attributes {
	NFTA_VERDICT_UNSPEC,
	NFTA_VERDICT_CODE,
	NFTA_VERDICT_CHAIN,
	__NFTA_VERDICT_MAX
};
#define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)

/**
 * enum nft_expr_attributes - nf_tables expression netlink attributes
 *
 * @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
 * @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
 */
enum nft_expr_attributes {
	NFTA_EXPR_UNSPEC,
	NFTA_EXPR_NAME,
	NFTA_EXPR_DATA,
	__NFTA_EXPR_MAX
};
#define NFTA_EXPR_MAX		(__NFTA_EXPR_MAX - 1)

/**
 * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
 *
 * @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32)
 * @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
 */
enum nft_immediate_attributes {
	NFTA_IMMEDIATE_UNSPEC,
	NFTA_IMMEDIATE_DREG,
	NFTA_IMMEDIATE_DATA,
	__NFTA_IMMEDIATE_MAX
};
#define NFTA_IMMEDIATE_MAX	(__NFTA_IMMEDIATE_MAX - 1)

/**
 * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
 *
 * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
 * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
 * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
 *
 * The bitwise expression performs the following operation:
 *
 *	dreg = (sreg & mask) ^ xor
 *
 * which allows expressing all bitwise operations:
 *
 *		mask	xor
 *	NOT:	1	1
 *	OR:	0	x
 *	XOR:	1	x
 *	AND:	x	0
 */
enum nft_bitwise_attributes {
	NFTA_BITWISE_UNSPEC,
	NFTA_BITWISE_SREG,
	NFTA_BITWISE_DREG,
	NFTA_BITWISE_LEN,
	NFTA_BITWISE_MASK,
	NFTA_BITWISE_XOR,
	__NFTA_BITWISE_MAX
};
#define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)

/**
 * enum nft_byteorder_ops - nf_tables byteorder operators
 *
 * @NFT_BYTEORDER_NTOH: network to host operator
 * @NFT_BYTEORDER_HTON: host to network operator
 */
enum nft_byteorder_ops {
	NFT_BYTEORDER_NTOH,
	NFT_BYTEORDER_HTON,
};

/**
 * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
 *
 * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
 * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
 * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
 */
enum nft_byteorder_attributes {
	NFTA_BYTEORDER_UNSPEC,
	NFTA_BYTEORDER_SREG,
	NFTA_BYTEORDER_DREG,
	NFTA_BYTEORDER_OP,
	NFTA_BYTEORDER_LEN,
	NFTA_BYTEORDER_SIZE,
	__NFTA_BYTEORDER_MAX
};
#define NFTA_BYTEORDER_MAX	(__NFTA_BYTEORDER_MAX - 1)

/**
 * enum nft_cmp_ops - nf_tables relational operator
 *
 * @NFT_CMP_EQ: equal
 * @NFT_CMP_NEQ: not equal
 * @NFT_CMP_LT: less than
 * @NFT_CMP_LTE: less than or equal to
 * @NFT_CMP_GT: greater than
 * @NFT_CMP_GTE: greater than or equal to
 */
enum nft_cmp_ops {
	NFT_CMP_EQ,
	NFT_CMP_NEQ,
	NFT_CMP_LT,
	NFT_CMP_LTE,
	NFT_CMP_GT,
	NFT_CMP_GTE,
};

/**
 * enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
 *
 * @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
 * @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
 * @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
 */
enum nft_cmp_attributes {
	NFTA_CMP_UNSPEC,
	NFTA_CMP_SREG,
	NFTA_CMP_OP,
	NFTA_CMP_DATA,
	__NFTA_CMP_MAX
};
#define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)

/**
 * enum nft_range_ops - nf_tables range operator
 *
 * @NFT_RANGE_EQ: equal (value lies within the range)
 * @NFT_RANGE_NEQ: not equal (value lies outside the range)
 */
enum nft_range_ops {
	NFT_RANGE_EQ,
	NFT_RANGE_NEQ,
};

/**
 * enum nft_range_attributes - nf_tables range expression netlink attributes
 *
 * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
 * @NFTA_RANGE_OP: range operation (NLA_U32: nft_range_ops)
 * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
 * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
 */
enum nft_range_attributes {
	NFTA_RANGE_UNSPEC,
	NFTA_RANGE_SREG,
	NFTA_RANGE_OP,
	NFTA_RANGE_FROM_DATA,
	NFTA_RANGE_TO_DATA,
	__NFTA_RANGE_MAX
};
#define NFTA_RANGE_MAX		(__NFTA_RANGE_MAX - 1)

/**
 * enum nft_lookup_flags - nf_tables set lookup expression flags
 *
 * @NFT_LOOKUP_F_INV: invert the result of the set lookup
 */
enum nft_lookup_flags {
	NFT_LOOKUP_F_INV = (1 << 0),
};

/**
 * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
 *
 * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
 * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
 */
enum nft_lookup_attributes {
	NFTA_LOOKUP_UNSPEC,
	NFTA_LOOKUP_SET,
	NFTA_LOOKUP_SREG,
	NFTA_LOOKUP_DREG,
	NFTA_LOOKUP_SET_ID,
	NFTA_LOOKUP_FLAGS,
	__NFTA_LOOKUP_MAX
};
#define NFTA_LOOKUP_MAX		(__NFTA_LOOKUP_MAX - 1)

/**
 * enum nft_dynset_ops - nf_tables dynset expression operations
 *
 * @NFT_DYNSET_OP_ADD: add a new element to the set
 * @NFT_DYNSET_OP_UPDATE: update an existing element of the set
 */
enum nft_dynset_ops {
	NFT_DYNSET_OP_ADD,
	NFT_DYNSET_OP_UPDATE,
};

/**
 * enum nft_dynset_flags - nf_tables dynset expression flags
 *
 * @NFT_DYNSET_F_INV: invert the result of the operation
 */
enum nft_dynset_flags {
	NFT_DYNSET_F_INV	= (1 << 0),
};

/**
 * enum nft_dynset_attributes - dynset expression attributes
 *
 * @NFTA_DYNSET_SET_NAME: name of the set to add data to (NLA_STRING)
 * @NFTA_DYNSET_SET_ID: uniquely identifies the set in the transaction (NLA_U32)
 * @NFTA_DYNSET_OP: operation (NLA_U32: enum nft_dynset_ops)
 * @NFTA_DYNSET_SREG_KEY: source register of the key (NLA_U32)
 * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32)
 * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
 * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
 * @NFTA_DYNSET_PAD: alignment padding, carries no data
 * @NFTA_DYNSET_FLAGS: flags (NLA_U32: enum nft_dynset_flags)
 */
enum nft_dynset_attributes {
	NFTA_DYNSET_UNSPEC,
	NFTA_DYNSET_SET_NAME,
	NFTA_DYNSET_SET_ID,
	NFTA_DYNSET_OP,
	NFTA_DYNSET_SREG_KEY,
	NFTA_DYNSET_SREG_DATA,
	NFTA_DYNSET_TIMEOUT,
	NFTA_DYNSET_EXPR,
	NFTA_DYNSET_PAD,
	NFTA_DYNSET_FLAGS,
	__NFTA_DYNSET_MAX,
};
#define NFTA_DYNSET_MAX		(__NFTA_DYNSET_MAX - 1)

/**
 * enum nft_payload_bases - nf_tables payload expression offset bases
 *
 * @NFT_PAYLOAD_LL_HEADER: link layer header
 * @NFT_PAYLOAD_NETWORK_HEADER: network header
 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
 */
enum nft_payload_bases {
	NFT_PAYLOAD_LL_HEADER,
	NFT_PAYLOAD_NETWORK_HEADER,
	NFT_PAYLOAD_TRANSPORT_HEADER,
};

/**
 * enum nft_payload_csum_types - nf_tables payload expression checksum types
 *
 * @NFT_PAYLOAD_CSUM_NONE: no checksumming
 * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
 */
enum nft_payload_csum_types {
	NFT_PAYLOAD_CSUM_NONE,
	NFT_PAYLOAD_CSUM_INET,
};

/**
 * enum nft_payload_csum_flags - nf_tables payload expression checksum flags
 *
 * @NFT_PAYLOAD_L4CSUM_PSEUDOHDR: the layer 4 checksum covers a pseudo-header
 */
enum nft_payload_csum_flags {
	NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
};

/**
 * enum nft_payload_attributes - nf_tables payload expression netlink attributes
 *
 * @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
 * @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
 * @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
 * @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
 * @NFTA_PAYLOAD_SREG: source register to load data from (NLA_U32: nft_registers)
 * @NFTA_PAYLOAD_CSUM_TYPE: checksum type (NLA_U32: nft_payload_csum_types)
 * @NFTA_PAYLOAD_CSUM_OFFSET: checksum offset relative to base (NLA_U32)
 * @NFTA_PAYLOAD_CSUM_FLAGS: checksum flags (NLA_U32: nft_payload_csum_flags)
 */
enum nft_payload_attributes {
	NFTA_PAYLOAD_UNSPEC,
	NFTA_PAYLOAD_DREG,
	NFTA_PAYLOAD_BASE,
	NFTA_PAYLOAD_OFFSET,
	NFTA_PAYLOAD_LEN,
	NFTA_PAYLOAD_SREG,
	NFTA_PAYLOAD_CSUM_TYPE,
	NFTA_PAYLOAD_CSUM_OFFSET,
	NFTA_PAYLOAD_CSUM_FLAGS,
	__NFTA_PAYLOAD_MAX
};
#define NFTA_PAYLOAD_MAX	(__NFTA_PAYLOAD_MAX - 1)

/**
 * enum nft_exthdr_flags - nf_tables extension header expression flags
 *
 * @NFT_EXTHDR_F_PRESENT: match on the presence of the header/option only
 */
enum nft_exthdr_flags {
	NFT_EXTHDR_F_PRESENT = (1 << 0),
};

/**
 * enum nft_exthdr_op - nf_tables match options
 *
 * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
 * @NFT_EXTHDR_OP_TCPOPT: match against tcp options
 */
enum nft_exthdr_op {
	NFT_EXTHDR_OP_IPV6,
	NFT_EXTHDR_OP_TCPOPT,
	__NFT_EXTHDR_OP_MAX
};
#define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)

/**
 * enum nft_exthdr_attributes - nf_tables extension header expression netlink attributes
 *
 * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
 * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
 * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
 * @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32: nft_exthdr_flags)
 * @NFTA_EXTHDR_OP: option match type (NLA_U32: nft_exthdr_op)
 * @NFTA_EXTHDR_SREG: source register (NLA_U32: nft_registers)
 */
enum nft_exthdr_attributes {
	NFTA_EXTHDR_UNSPEC,
	NFTA_EXTHDR_DREG,
	NFTA_EXTHDR_TYPE,
	NFTA_EXTHDR_OFFSET,
	NFTA_EXTHDR_LEN,
	NFTA_EXTHDR_FLAGS,
	NFTA_EXTHDR_OP,
	NFTA_EXTHDR_SREG,
	__NFTA_EXTHDR_MAX
};
#define NFTA_EXTHDR_MAX		(__NFTA_EXTHDR_MAX - 1)

/**
 * enum nft_meta_keys - nf_tables meta expression keys
 *
 * @NFT_META_LEN: packet length (skb->len)
 * @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
 * @NFT_META_PRIORITY: packet priority (skb->priority)
 * @NFT_META_MARK: packet mark (skb->mark)
 * @NFT_META_IIF: packet input interface index (dev->ifindex)
 * @NFT_META_OIF: packet output interface index (dev->ifindex)
 * @NFT_META_IIFNAME: packet input interface name (dev->name)
 * @NFT_META_OIFNAME: packet output interface name (dev->name)
 * @NFT_META_IIFTYPE: packet input interface type (dev->type)
 * @NFT_META_OIFTYPE: packet output interface type (dev->type)
 * @NFT_META_SKUID: originating socket UID (fsuid)
 * @NFT_META_SKGID: originating socket GID (fsgid)
 * @NFT_META_NFTRACE: packet nftrace bit
 * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_META_SECMARK: packet secmark (skb->secmark)
 * @NFT_META_NFPROTO: netfilter protocol
 * @NFT_META_L4PROTO: layer 4 protocol number
 * @NFT_META_BRI_IIFNAME: packet input bridge interface name
 * @NFT_META_BRI_OIFNAME: packet output bridge interface name
 * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
 * @NFT_META_CPU: cpu id through smp_processor_id()
 * @NFT_META_IIFGROUP: packet input interface group
 * @NFT_META_OIFGROUP: packet output interface group
 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
 * @NFT_META_PRANDOM: a 32bit pseudo-random number
 */
enum nft_meta_keys {
	NFT_META_LEN,
	NFT_META_PROTOCOL,
	NFT_META_PRIORITY,
	NFT_META_MARK,
	NFT_META_IIF,
	NFT_META_OIF,
	NFT_META_IIFNAME,
	NFT_META_OIFNAME,
	NFT_META_IIFTYPE,
	NFT_META_OIFTYPE,
	NFT_META_SKUID,
	NFT_META_SKGID,
	NFT_META_NFTRACE,
	NFT_META_RTCLASSID,
	NFT_META_SECMARK,
	NFT_META_NFPROTO,
	NFT_META_L4PROTO,
	NFT_META_BRI_IIFNAME,
	NFT_META_BRI_OIFNAME,
	NFT_META_PKTTYPE,
	NFT_META_CPU,
	NFT_META_IIFGROUP,
	NFT_META_OIFGROUP,
	NFT_META_CGROUP,
	NFT_META_PRANDOM,
};

/**
 * enum nft_rt_keys - nf_tables routing expression keys
 *
 * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
 * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
 * @NFT_RT_TCPMSS: fetch current path tcp mss
 */
enum nft_rt_keys {
	NFT_RT_CLASSID,
	NFT_RT_NEXTHOP4,
	NFT_RT_NEXTHOP6,
	NFT_RT_TCPMSS,
};

/**
 * enum nft_hash_types - nf_tables hash expression types
 *
 * @NFT_HASH_JENKINS: Jenkins Hash
 * @NFT_HASH_SYM: Symmetric Hash
 */
enum nft_hash_types {
	NFT_HASH_JENKINS,
	NFT_HASH_SYM,
};

/**
 * enum nft_hash_attributes - nf_tables hash expression netlink attributes
 *
 * @NFTA_HASH_SREG: source register (NLA_U32)
 * @NFTA_HASH_DREG: destination register (NLA_U32)
 * @NFTA_HASH_LEN: source data length (NLA_U32)
 * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
 * @NFTA_HASH_SEED: seed value (NLA_U32)
 * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
 * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
 */
enum nft_hash_attributes {
	NFTA_HASH_UNSPEC,
	NFTA_HASH_SREG,
	NFTA_HASH_DREG,
	NFTA_HASH_LEN,
	NFTA_HASH_MODULUS,
	NFTA_HASH_SEED,
	NFTA_HASH_OFFSET,
	NFTA_HASH_TYPE,
	__NFTA_HASH_MAX,
};
#define NFTA_HASH_MAX	(__NFTA_HASH_MAX - 1)

/**
 * enum nft_meta_attributes - nf_tables meta expression netlink attributes
 *
 * @NFTA_META_DREG: destination register (NLA_U32)
 * @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys)
 * @NFTA_META_SREG: source register (NLA_U32)
 */
enum nft_meta_attributes {
	NFTA_META_UNSPEC,
	NFTA_META_DREG,
	NFTA_META_KEY,
	NFTA_META_SREG,
	__NFTA_META_MAX
};
#define NFTA_META_MAX		(__NFTA_META_MAX - 1)

/**
 * enum nft_rt_attributes - nf_tables routing expression netlink attributes
 *
 * @NFTA_RT_DREG: destination register (NLA_U32)
 * @NFTA_RT_KEY: routing data item to load (NLA_U32: nft_rt_keys)
 */
enum nft_rt_attributes {
	NFTA_RT_UNSPEC,
	NFTA_RT_DREG,
	NFTA_RT_KEY,
	__NFTA_RT_MAX
};
#define NFTA_RT_MAX		(__NFTA_RT_MAX - 1)

/**
 * enum nft_ct_keys - nf_tables ct expression keys
 *
 * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
 * @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir)
 * @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status)
 * @NFT_CT_MARK: conntrack mark value
 * @NFT_CT_SECMARK: conntrack secmark value
 * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
 * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
 * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
 * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
 * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
 * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
 * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
 * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
 * @NFT_CT_LABELS: conntrack labels
 * @NFT_CT_PKTS: conntrack packets
 * @NFT_CT_BYTES: conntrack bytes
 * @NFT_CT_AVGPKT: conntrack average bytes per packet
 * @NFT_CT_ZONE: conntrack zone
 * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
 */
enum nft_ct_keys {
	NFT_CT_STATE,
	NFT_CT_DIRECTION,
	NFT_CT_STATUS,
	NFT_CT_MARK,
	NFT_CT_SECMARK,
	NFT_CT_EXPIRATION,
	NFT_CT_HELPER,
	NFT_CT_L3PROTOCOL,
	NFT_CT_SRC,
	NFT_CT_DST,
	NFT_CT_PROTOCOL,
	NFT_CT_PROTO_SRC,
	NFT_CT_PROTO_DST,
	NFT_CT_LABELS,
	NFT_CT_PKTS,
	NFT_CT_BYTES,
	NFT_CT_AVGPKT,
	NFT_CT_ZONE,
	NFT_CT_EVENTMASK,
};

/**
 * enum nft_ct_attributes - nf_tables ct expression netlink attributes
 *
 * @NFTA_CT_DREG: destination register (NLA_U32)
 * @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys)
 * @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8)
 * @NFTA_CT_SREG: source register (NLA_U32)
 */
enum nft_ct_attributes {
	NFTA_CT_UNSPEC,
	NFTA_CT_DREG,
	NFTA_CT_KEY,
	NFTA_CT_DIRECTION,
	NFTA_CT_SREG,
	__NFTA_CT_MAX
};
#define NFTA_CT_MAX		(__NFTA_CT_MAX - 1)

/**
 * enum nft_limit_type - nf_tables limit expression types
 *
 * @NFT_LIMIT_PKTS: limit is expressed in packets
 * @NFT_LIMIT_PKT_BYTES: limit is expressed in packet bytes
 */
enum nft_limit_type {
	NFT_LIMIT_PKTS,
	NFT_LIMIT_PKT_BYTES
};

/**
 * enum nft_limit_flags - nf_tables limit expression flags
 *
 * @NFT_LIMIT_F_INV: invert the result of the limit check
 */
enum nft_limit_flags {
	NFT_LIMIT_F_INV	= (1 << 0),
};

/**
 * enum nft_limit_attributes - nf_tables limit expression netlink attributes
 *
 * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
 * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
 * @NFTA_LIMIT_BURST: burst (NLA_U32)
 * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
 * @NFTA_LIMIT_FLAGS: flags (NLA_U32: enum nft_limit_flags)
 * @NFTA_LIMIT_PAD: alignment padding, carries no data
 */
enum nft_limit_attributes {
	NFTA_LIMIT_UNSPEC,
	NFTA_LIMIT_RATE,
	NFTA_LIMIT_UNIT,
	NFTA_LIMIT_BURST,
	NFTA_LIMIT_TYPE,
	NFTA_LIMIT_FLAGS,
	NFTA_LIMIT_PAD,
	__NFTA_LIMIT_MAX
};
#define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)

/**
 * enum nft_counter_attributes - nf_tables counter expression netlink attributes
 *
 * @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
 * @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
 * @NFTA_COUNTER_PAD: alignment padding, carries no data
 */
enum nft_counter_attributes {
	NFTA_COUNTER_UNSPEC,
	NFTA_COUNTER_BYTES,
	NFTA_COUNTER_PACKETS,
	NFTA_COUNTER_PAD,
	__NFTA_COUNTER_MAX
};
#define NFTA_COUNTER_MAX	(__NFTA_COUNTER_MAX - 1)

/**
 * enum nft_log_attributes - nf_tables log expression netlink attributes
 *
 * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
 * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
 * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
 * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
 * @NFTA_LOG_LEVEL: log level (NLA_U32)
 * @NFTA_LOG_FLAGS: logging flags (NLA_U32)
 */
enum nft_log_attributes {
	NFTA_LOG_UNSPEC,
	NFTA_LOG_GROUP,
	NFTA_LOG_PREFIX,
	NFTA_LOG_SNAPLEN,
	NFTA_LOG_QTHRESHOLD,
	NFTA_LOG_LEVEL,
	NFTA_LOG_FLAGS,
	__NFTA_LOG_MAX
};
#define NFTA_LOG_MAX		(__NFTA_LOG_MAX - 1)

/**
 * enum nft_queue_attributes - nf_tables queue expression netlink attributes
 *
 * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16)
 * @NFTA_QUEUE_TOTAL: number of queues to load balance packets on (NLA_U16)
 * @NFTA_QUEUE_FLAGS: various flags (NLA_U16: NFT_QUEUE_FLAG_*)
 * @NFTA_QUEUE_SREG_QNUM: source register of queue number (NLA_U32: nft_registers)
 */
enum nft_queue_attributes {
	NFTA_QUEUE_UNSPEC,
	NFTA_QUEUE_NUM,
	NFTA_QUEUE_TOTAL,
	NFTA_QUEUE_FLAGS,
	NFTA_QUEUE_SREG_QNUM,
	__NFTA_QUEUE_MAX
};
#define NFTA_QUEUE_MAX		(__NFTA_QUEUE_MAX - 1)

/* Values for NFTA_QUEUE_FLAGS. */
#define NFT_QUEUE_FLAG_BYPASS		0x01 /* for compatibility with v2 */
#define NFT_QUEUE_FLAG_CPU_FANOUT	0x02 /* use current CPU (no hashing) */
#define NFT_QUEUE_FLAG_MASK		0x03 /* all valid queue flags */

/**
 * enum nft_quota_flags - nf_tables quota expression flags
 *
 * @NFT_QUOTA_F_INV: invert the result of the quota check
 * @NFT_QUOTA_F_DEPLETED: the quota has been used up
 */
enum nft_quota_flags {
	NFT_QUOTA_F_INV		= (1 << 0),
	NFT_QUOTA_F_DEPLETED	= (1 << 1),
};

/**
 * enum nft_quota_attributes - nf_tables quota expression netlink attributes
 *
 * @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16)
 *	NOTE(review): NLA_U16 looks stale next to the 64-bit @NFTA_QUOTA_CONSUMED
 *	it is compared against; the kernel's quota nla_policy treats this attribute
 *	as NLA_U64 - confirm before relying on the width given here.
 * @NFTA_QUOTA_FLAGS: flags (NLA_U32: enum nft_quota_flags)
 * @NFTA_QUOTA_PAD: alignment padding for the 64-bit attributes, carries no data
 * @NFTA_QUOTA_CONSUMED: quota already consumed in bytes (NLA_U64)
 */
enum nft_quota_attributes {
	NFTA_QUOTA_UNSPEC,
	NFTA_QUOTA_BYTES,
	NFTA_QUOTA_FLAGS,
	NFTA_QUOTA_PAD,
	NFTA_QUOTA_CONSUMED,
	__NFTA_QUOTA_MAX
};
#define NFTA_QUOTA_MAX		(__NFTA_QUOTA_MAX - 1)

/**
 * enum nft_reject_types - nf_tables reject expression reject types
 *
 * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
 * @NFT_REJECT_TCP_RST: reject using TCP RST
 * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
 */
enum nft_reject_types {
	NFT_REJECT_ICMP_UNREACH,
	NFT_REJECT_TCP_RST,
	NFT_REJECT_ICMPX_UNREACH,
};

/**
 * enum nft_reject_inet_code - Generic reject codes for IPv4/IPv6
 *
 * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host / network unreachable
 * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
 * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
 * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
 *
 * These codes are mapped to real ICMP and ICMPv6 codes. They are the
 * NFTA_REJECT_ICMP_CODE values used with NFT_REJECT_ICMPX_UNREACH.
 */
enum nft_reject_inet_code {
	NFT_REJECT_ICMPX_NO_ROUTE	= 0,
	NFT_REJECT_ICMPX_PORT_UNREACH,
	NFT_REJECT_ICMPX_HOST_UNREACH,
	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
	__NFT_REJECT_ICMPX_MAX
};
#define NFT_REJECT_ICMPX_MAX	(__NFT_REJECT_ICMPX_MAX - 1)

/**
 * enum nft_reject_attributes - nf_tables reject expression netlink attributes
 *
 * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
 * @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8)
 */
enum nft_reject_attributes {
	NFTA_REJECT_UNSPEC,
	NFTA_REJECT_TYPE,
	NFTA_REJECT_ICMP_CODE,
	__NFTA_REJECT_MAX
};
#define NFTA_REJECT_MAX		(__NFTA_REJECT_MAX - 1)

/**
 * enum nft_nat_types - nf_tables nat expression NAT types
 *
 * @NFT_NAT_SNAT: source NAT
 * @NFT_NAT_DNAT: destination NAT
 */
enum nft_nat_types {
	NFT_NAT_SNAT,
	NFT_NAT_DNAT,
};

/**
 * enum nft_nat_attributes - nf_tables nat expression netlink attributes
 *
 * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types)
 * @NFTA_NAT_FAMILY: NAT family (NLA_U32)
 * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
 * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
 * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
 */
enum nft_nat_attributes {
	NFTA_NAT_UNSPEC,
	NFTA_NAT_TYPE,
	NFTA_NAT_FAMILY,
	NFTA_NAT_REG_ADDR_MIN,
	NFTA_NAT_REG_ADDR_MAX,
	NFTA_NAT_REG_PROTO_MIN,
	NFTA_NAT_REG_PROTO_MAX,
	NFTA_NAT_FLAGS,
	__NFTA_NAT_MAX
};
#define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)

/**
 * enum nft_masq_attributes - nf_tables masquerade expression attributes
 *
 * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
 * @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
 * @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
 */
enum nft_masq_attributes {
	NFTA_MASQ_UNSPEC,
	NFTA_MASQ_FLAGS,
	NFTA_MASQ_REG_PROTO_MIN,
	NFTA_MASQ_REG_PROTO_MAX,
	__NFTA_MASQ_MAX
};
#define NFTA_MASQ_MAX		(__NFTA_MASQ_MAX - 1)

/**
 * enum nft_redir_attributes - nf_tables redirect expression netlink attributes
 *
 * @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
 * @NFTA_REDIR_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
 * @NFTA_REDIR_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
 */
enum nft_redir_attributes {
	NFTA_REDIR_UNSPEC,
	NFTA_REDIR_REG_PROTO_MIN,
	NFTA_REDIR_REG_PROTO_MAX,
	NFTA_REDIR_FLAGS,
	__NFTA_REDIR_MAX
};
#define NFTA_REDIR_MAX		(__NFTA_REDIR_MAX - 1)

/**
 * enum nft_dup_attributes - nf_tables dup expression netlink attributes
 *
 * @NFTA_DUP_SREG_ADDR: source register of address (NLA_U32: nft_registers)
 * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_registers)
 */
enum nft_dup_attributes {
	NFTA_DUP_UNSPEC,
	NFTA_DUP_SREG_ADDR,
	NFTA_DUP_SREG_DEV,
	__NFTA_DUP_MAX
};
#define NFTA_DUP_MAX		(__NFTA_DUP_MAX - 1)

/**
 * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
 *
 * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_registers)
 */
enum nft_fwd_attributes {
	NFTA_FWD_UNSPEC,
	NFTA_FWD_SREG_DEV,
	__NFTA_FWD_MAX
};
#define NFTA_FWD_MAX	(__NFTA_FWD_MAX - 1)

/**
 * enum nft_objref_attributes - nf_tables stateful object expression netlink attributes
 *
 * @NFTA_OBJREF_IMM_TYPE: object type for immediate reference (NLA_U32: NFT_OBJECT_*)
 *	NOTE(review): the previous "nft_register" annotation looked stale; the value
 *	is a stateful object type, not a register - confirm against the expression's
 *	init path.
 * @NFTA_OBJREF_IMM_NAME: object name for immediate reference (NLA_STRING)
 * @NFTA_OBJREF_SET_SREG: source register of the data to look for (NLA_U32: nft_registers)
 * @NFTA_OBJREF_SET_NAME: name of the set where to look for (NLA_STRING)
 * @NFTA_OBJREF_SET_ID: id of the set where to look for in this transaction (NLA_U32)
 */
enum nft_objref_attributes {
	NFTA_OBJREF_UNSPEC,
	NFTA_OBJREF_IMM_TYPE,
	NFTA_OBJREF_IMM_NAME,
	NFTA_OBJREF_SET_SREG,
	NFTA_OBJREF_SET_NAME,
	NFTA_OBJREF_SET_ID,
	__NFTA_OBJREF_MAX
};
#define NFTA_OBJREF_MAX	(__NFTA_OBJREF_MAX - 1)

/**
 * enum nft_gen_attributes - nf_tables ruleset generation attributes
 *
 * @NFTA_GEN_ID: Ruleset generation ID (NLA_U32)
 * @NFTA_GEN_PROC_PID: pid of the process that committed this generation (NLA_U32)
 * @NFTA_GEN_PROC_NAME: name of the process that committed this generation (NLA_STRING)
 */
enum nft_gen_attributes {
	NFTA_GEN_UNSPEC,
	NFTA_GEN_ID,
	NFTA_GEN_PROC_PID,
	NFTA_GEN_PROC_NAME,
	__NFTA_GEN_MAX
};
#define NFTA_GEN_MAX		(__NFTA_GEN_MAX - 1)

/**
 * enum nft_fib_attributes - nf_tables fib expression netlink attributes
 *
 * @NFTA_FIB_DREG: destination register (NLA_U32)
 * @NFTA_FIB_RESULT: desired result (NLA_U32: enum nft_fib_result)
 * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32: enum nft_fib_flags)
 *
 * The FIB expression performs a route lookup according
 * to the packet data.
 */
enum nft_fib_attributes {
	NFTA_FIB_UNSPEC,
	NFTA_FIB_DREG,
	NFTA_FIB_RESULT,
	NFTA_FIB_FLAGS,
	__NFTA_FIB_MAX
};
#define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1)

/**
 * enum nft_fib_result - nf_tables fib expression lookup results (NFTA_FIB_RESULT)
 *
 * @NFT_FIB_RESULT_UNSPEC: unspecified
 * @NFT_FIB_RESULT_OIF: output interface index
 * @NFT_FIB_RESULT_OIFNAME: output interface name
 * @NFT_FIB_RESULT_ADDRTYPE: address type
 */
enum nft_fib_result {
	NFT_FIB_RESULT_UNSPEC,
	NFT_FIB_RESULT_OIF,
	NFT_FIB_RESULT_OIFNAME,
	NFT_FIB_RESULT_ADDRTYPE,
	__NFT_FIB_RESULT_MAX
};
#define NFT_FIB_RESULT_MAX	(__NFT_FIB_RESULT_MAX - 1)

/**
 * enum nft_fib_flags - nf_tables fib expression lookup flags (NFTA_FIB_FLAGS)
 *
 * Bitmask selecting which flowi fields are initialized for the FIB query;
 * see the per-flag comments below.
 */
enum nft_fib_flags {
	NFTA_FIB_F_SADDR	= 1 << 0,	/* look up src */
	NFTA_FIB_F_DADDR	= 1 << 1,	/* look up dst */
	NFTA_FIB_F_MARK		= 1 << 2,	/* use skb->mark */
	NFTA_FIB_F_IIF		= 1 << 3,	/* restrict to iif */
	NFTA_FIB_F_OIF		= 1 << 4,	/* restrict to oif */
	NFTA_FIB_F_PRESENT	= 1 << 5,	/* check existence only */
};

/**
 * enum nft_ct_helper_attributes - nf_tables ct helper object netlink attributes
 *
 * @NFTA_CT_HELPER_NAME: helper name (NLA_STRING)
 * @NFTA_CT_HELPER_L3PROTO: layer 3 protocol (NLA_U16)
 * @NFTA_CT_HELPER_L4PROTO: layer 4 protocol (NLA_U8)
 *
 * Carried as NFTA_OBJ_DATA of an object of type NFT_OBJECT_CT_HELPER.
 */
enum nft_ct_helper_attributes {
	NFTA_CT_HELPER_UNSPEC,
	NFTA_CT_HELPER_NAME,
	NFTA_CT_HELPER_L3PROTO,
	NFTA_CT_HELPER_L4PROTO,
	__NFTA_CT_HELPER_MAX,
};
#define NFTA_CT_HELPER_MAX	(__NFTA_CT_HELPER_MAX - 1)

/* Stateful object types, carried in NFTA_OBJ_TYPE and NFTA_OBJREF_IMM_TYPE. */
#define NFT_OBJECT_UNSPEC	0
#define NFT_OBJECT_COUNTER	1
#define NFT_OBJECT_QUOTA	2
#define NFT_OBJECT_CT_HELPER	3
#define NFT_OBJECT_LIMIT	4
#define __NFT_OBJECT_MAX	5
#define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)

/**
 * enum nft_object_attributes - nf_tables stateful object netlink attributes
 *
 * @NFTA_OBJ_TABLE: name of the table containing the object (NLA_STRING)
 * @NFTA_OBJ_NAME: name of this stateful object (NLA_STRING)
 * @NFTA_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
 * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
 * @NFTA_OBJ_USE: number of references to this object (NLA_U32)
 */
enum nft_object_attributes {
	NFTA_OBJ_UNSPEC,
	NFTA_OBJ_TABLE,
	NFTA_OBJ_NAME,
	NFTA_OBJ_TYPE,
	NFTA_OBJ_DATA,
	NFTA_OBJ_USE,
	__NFTA_OBJ_MAX
};
#define NFTA_OBJ_MAX		(__NFTA_OBJ_MAX - 1)

/**
 * enum nft_trace_attributes - nf_tables trace netlink attributes
 *
 * @NFTA_TRACE_TABLE: name of the table (NLA_STRING)
 * @NFTA_TRACE_CHAIN: name of the chain (NLA_STRING)
 * @NFTA_TRACE_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_TRACE_TYPE: type of the event (NLA_U32: nft_trace_types)
 * @NFTA_TRACE_VERDICT: verdict returned by hook (NLA_NESTED: nft_verdicts)
 * @NFTA_TRACE_ID: pseudo-id, same for each skb traced (NLA_U32)
 * @NFTA_TRACE_LL_HEADER: linklayer header (NLA_BINARY)
 * @NFTA_TRACE_NETWORK_HEADER: network header (NLA_BINARY)
 * @NFTA_TRACE_TRANSPORT_HEADER: transport header (NLA_BINARY)
 * @NFTA_TRACE_IIF: indev ifindex (NLA_U32)
 * @NFTA_TRACE_IIFTYPE: netdev->type of indev (NLA_U16)
 * @NFTA_TRACE_OIF: outdev ifindex (NLA_U32)
 * @NFTA_TRACE_OIFTYPE: netdev->type of outdev (NLA_U16)
 * @NFTA_TRACE_MARK: nfmark (NLA_U32)
 * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32)
 * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32)
 * @NFTA_TRACE_PAD: alignment padding for the 64-bit attributes above, carries no data
 */
enum nft_trace_attributes {
	NFTA_TRACE_UNSPEC,
	NFTA_TRACE_TABLE,
	NFTA_TRACE_CHAIN,
	NFTA_TRACE_RULE_HANDLE,
	NFTA_TRACE_TYPE,
	NFTA_TRACE_VERDICT,
	NFTA_TRACE_ID,
	NFTA_TRACE_LL_HEADER,
	NFTA_TRACE_NETWORK_HEADER,
	NFTA_TRACE_TRANSPORT_HEADER,
	NFTA_TRACE_IIF,
	NFTA_TRACE_IIFTYPE,
	NFTA_TRACE_OIF,
	NFTA_TRACE_OIFTYPE,
	NFTA_TRACE_MARK,
	NFTA_TRACE_NFPROTO,
	NFTA_TRACE_POLICY,
	NFTA_TRACE_PAD,
	__NFTA_TRACE_MAX
};
#define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1)

/**
 * enum nft_trace_types - nf_tables trace event types (NFTA_TRACE_TYPE)
 *
 * @NFT_TRACETYPE_UNSPEC: unspecified
 * @NFT_TRACETYPE_POLICY: chain policy event
 * @NFT_TRACETYPE_RETURN: chain return event
 * @NFT_TRACETYPE_RULE: rule event
 */
enum nft_trace_types {
	NFT_TRACETYPE_UNSPEC,
	NFT_TRACETYPE_POLICY,
	NFT_TRACETYPE_RETURN,
	NFT_TRACETYPE_RULE,
	__NFT_TRACETYPE_MAX
};
#define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1)

/**
 * enum nft_ng_attributes - nf_tables number generator expression netlink attributes
 *
 * @NFTA_NG_DREG: destination register (NLA_U32)
 * @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
 * @NFTA_NG_TYPE: operation type (NLA_U32: enum nft_ng_types)
 * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
 */
enum nft_ng_attributes {
	NFTA_NG_UNSPEC,
	NFTA_NG_DREG,
	NFTA_NG_MODULUS,
	NFTA_NG_TYPE,
	NFTA_NG_OFFSET,
	__NFTA_NG_MAX
};
#define NFTA_NG_MAX	(__NFTA_NG_MAX - 1)

/**
 * enum nft_ng_types - nf_tables number generator operation types (NFTA_NG_TYPE)
 *
 * @NFT_NG_INCREMENTAL: incremental counter
 * @NFT_NG_RANDOM: random values
 */
enum nft_ng_types {
	NFT_NG_INCREMENTAL,
	NFT_NG_RANDOM,
	__NFT_NG_MAX
};
#define NFT_NG_MAX	(__NFT_NG_MAX - 1)

#endif /* _LINUX_NF_TABLES_H */