/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _LINUX_NF_TABLES_H
#define _LINUX_NF_TABLES_H

/*
 * Userspace ABI for the nf_tables netlink interface: message types, netlink
 * attribute numbers, flag bits and the constants used by the individual
 * expressions. Because these values are shared between the kernel and
 * userspace, existing entries are never renumbered; new entries are appended
 * in front of the *_MAX sentinels.
 */

/*
 * Upper bounds on the string and blob attributes defined in this file.
 * Every object name (table, chain, set, stateful object) shares
 * NFT_NAME_MAXLEN. NFT_USERDATA_MAXLEN bounds the NFTA_*_USERDATA blobs (see
 * NFTA_RULE_USERDATA below). NFT_OSF_MAXGENRELEN presumably bounds the osf
 * genre string — confirm against the osf expression.
 */
#define NFT_NAME_MAXLEN		256
#define NFT_TABLE_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_CHAIN_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_SET_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_OBJ_MAXNAMELEN	NFT_NAME_MAXLEN
#define NFT_USERDATA_MAXLEN	256
#define NFT_OSF_MAXGENRELEN	16

/**
 * enum nft_registers - nf_tables registers
 *
 * nf_tables used to have five registers: a verdict register and four data
 * registers of size 16. The data registers have been changed to 16 registers
 * of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
 * map to areas of size 16, the 4 byte registers are addressed using
 * NFT_REG32_00 - NFT_REG32_15.
 *
 * __NFT_REG_MAX is a sentinel: NFT_REG_MAX (== NFT_REG_4) is the last legacy
 * register number. The 32-bit register numbers start at 8, so 5..7 are unused
 * in this numbering. NOTE(review): a register number received over netlink
 * is untrusted input and must be validated against these two ranges before it
 * is used as an index; that check lives in the kernel, not in this header.
 */
enum nft_registers {
	NFT_REG_VERDICT,
	NFT_REG_1,
	NFT_REG_2,
	NFT_REG_3,
	NFT_REG_4,
	__NFT_REG_MAX,

	NFT_REG32_00	= 8,
	NFT_REG32_01,
	NFT_REG32_02,
	NFT_REG32_03,
	NFT_REG32_04,
	NFT_REG32_05,
	NFT_REG32_06,
	NFT_REG32_07,
	NFT_REG32_08,
	NFT_REG32_09,
	NFT_REG32_10,
	NFT_REG32_11,
	NFT_REG32_12,
	NFT_REG32_13,
	NFT_REG32_14,
	NFT_REG32_15,
};
#define NFT_REG_MAX	(__NFT_REG_MAX - 1)

#define NFT_REG_SIZE	16	/* bytes covered by one legacy NFT_REG_[1-4] register */
#define NFT_REG32_SIZE	4	/* bytes in one NFT_REG32_xx register */
#define NFT_REG32_COUNT	(NFT_REG32_15 - NFT_REG32_00 + 1)	/* 16 registers */

/**
 * enum nft_verdicts - nf_tables internal verdicts
 *
 * @NFT_CONTINUE: continue evaluation of the current rule
 * @NFT_BREAK: terminate evaluation of the current rule
 * @NFT_JUMP: push the current chain on the jump stack and jump to a chain
 * @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
 * @NFT_RETURN: return to the topmost chain on the jump stack
 *
 * The nf_tables verdicts share their numeric space with the netfilter verdicts.
 * They are all negative so that they cannot collide with the non-negative
 * netfilter verdicts (NF_ACCEPT, NF_DROP, ...).
 */
enum nft_verdicts {
	NFT_CONTINUE	= -1,
	NFT_BREAK	= -2,
	NFT_JUMP	= -3,
	NFT_GOTO	= -4,
	NFT_RETURN	= -5,
};

/**
 * enum nf_tables_msg_types - nf_tables netlink message types
 *
 * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
 * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
 * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
 * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
 * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
 * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
 * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
 * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
 * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
 * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
 * @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
 * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
 * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
 * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
 * @NFT_MSG_NEWGEN: announce a new generation, only for events (enum nft_gen_attributes)
 * @NFT_MSG_GETGEN: get the rule-set generation (enum nft_gen_attributes)
 * @NFT_MSG_TRACE: trace event (enum nft_trace_attributes)
 * @NFT_MSG_NEWOBJ: create a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_GETOBJ: get a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_DELOBJ: delete a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_GETOBJ_RESET: get and reset a stateful object (enum nft_obj_attributes)
 * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
 * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
 * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
 * @NFT_MSG_MAX: number of defined message types; not itself a valid type
 */
enum nf_tables_msg_types {
	NFT_MSG_NEWTABLE,
	NFT_MSG_GETTABLE,
	NFT_MSG_DELTABLE,
	NFT_MSG_NEWCHAIN,
	NFT_MSG_GETCHAIN,
	NFT_MSG_DELCHAIN,
	NFT_MSG_NEWRULE,
	NFT_MSG_GETRULE,
	NFT_MSG_DELRULE,
	NFT_MSG_NEWSET,
	NFT_MSG_GETSET,
	NFT_MSG_DELSET,
	NFT_MSG_NEWSETELEM,
	NFT_MSG_GETSETELEM,
	NFT_MSG_DELSETELEM,
	NFT_MSG_NEWGEN,
	NFT_MSG_GETGEN,
	NFT_MSG_TRACE,
	NFT_MSG_NEWOBJ,
	NFT_MSG_GETOBJ,
	NFT_MSG_DELOBJ,
	NFT_MSG_GETOBJ_RESET,
	NFT_MSG_NEWFLOWTABLE,
	NFT_MSG_GETFLOWTABLE,
	NFT_MSG_DELFLOWTABLE,
	NFT_MSG_MAX,
};

/**
 * enum nft_list_attributes - nf_tables generic list netlink attributes
 *
 * @NFTA_LIST_ELEM: list element (NLA_NESTED)
 *
 * Every nft_*_attributes enum in this file follows the same netlink layout:
 * value 0 (NFTA_*_UNSPEC) is reserved and never a real attribute, the
 * double-underscore __NFTA_*_MAX entry is a sentinel, and the NFTA_*_MAX macro
 * derived from it is the highest valid attribute number (the size of the
 * corresponding attribute policy).
 */
enum nft_list_attributes {
	NFTA_LIST_UNSPEC,
	NFTA_LIST_ELEM,
	__NFTA_LIST_MAX
};
#define NFTA_LIST_MAX		(__NFTA_LIST_MAX - 1)

/**
 * enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
 *
 * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
 * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
 * @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
 * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED; presumably one
 *		    NFTA_LIST_ELEM per device name — confirm)
 */
enum nft_hook_attributes {
	NFTA_HOOK_UNSPEC,
	NFTA_HOOK_HOOKNUM,
	NFTA_HOOK_PRIORITY,
	NFTA_HOOK_DEV,
	NFTA_HOOK_DEVS,
	__NFTA_HOOK_MAX
};
#define NFTA_HOOK_MAX		(__NFTA_HOOK_MAX - 1)

/**
 * enum nft_table_flags - nf_tables table flags
 *
 * @NFT_TABLE_F_DORMANT: this table is not active
 */
enum nft_table_flags {
	NFT_TABLE_F_DORMANT	= 0x1,
};
/* Every defined table flag bit; the kernel is expected to reject an
 * NFTA_TABLE_FLAGS value with bits outside this mask — confirm. */
#define NFT_TABLE_F_MASK	(NFT_TABLE_F_DORMANT)

/**
 * enum nft_table_attributes - nf_tables table netlink attributes
 *
 * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
 * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
 * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
 * @NFTA_TABLE_HANDLE: numeric handle of the table (NLA_U64, by analogy with
 *		       NFTA_CHAIN_HANDLE — confirm)
 * @NFTA_TABLE_PAD: padding attribute that accompanies the 64-bit handle so it
 *		    is 8-byte aligned (netlink convention); carries no data
 * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
 */
enum nft_table_attributes {
	NFTA_TABLE_UNSPEC,
	NFTA_TABLE_NAME,
	NFTA_TABLE_FLAGS,
	NFTA_TABLE_USE,
	NFTA_TABLE_HANDLE,
	NFTA_TABLE_PAD,
	NFTA_TABLE_USERDATA,
	__NFTA_TABLE_MAX
};
#define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)

/**
 * enum nft_chain_flags - nf_tables chain flags
 *
 * @NFT_CHAIN_BASE: chain is a base chain, i.e. attached to a netfilter hook
 *		    through NFTA_CHAIN_HOOK
 * @NFT_CHAIN_HW_OFFLOAD: chain is flagged for hardware offload (name-derived;
 *			  exact semantics are defined by the implementation)
 * @NFT_CHAIN_BINDING: chain binding (name-derived; exact semantics are
 *		       defined by the implementation)
 */
enum nft_chain_flags {
	NFT_CHAIN_BASE		= (1 << 0),
	NFT_CHAIN_HW_OFFLOAD	= (1 << 1),
	NFT_CHAIN_BINDING	= (1 << 2),
};
/* Every defined chain flag bit (validation mask for NFTA_CHAIN_FLAGS). */
#define NFT_CHAIN_FLAGS		(NFT_CHAIN_BASE		| \
				 NFT_CHAIN_HW_OFFLOAD	| \
				 NFT_CHAIN_BINDING)

/**
 * enum nft_chain_attributes - nf_tables chain netlink attributes
 *
 * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
 * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
 * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
 * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
 * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
 * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
 * @NFTA_CHAIN_TYPE: type name of the chain (NLA_NUL_STRING)
 * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
 * @NFTA_CHAIN_PAD: padding attribute accompanying the 64-bit handle (netlink
 *		    convention); carries no data
 * @NFTA_CHAIN_FLAGS: bitmask of enum nft_chain_flags (NLA_U32 — confirm)
 * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
 * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
 */
enum nft_chain_attributes {
	NFTA_CHAIN_UNSPEC,
	NFTA_CHAIN_TABLE,
	NFTA_CHAIN_HANDLE,
	NFTA_CHAIN_NAME,
	NFTA_CHAIN_HOOK,
	NFTA_CHAIN_POLICY,
	NFTA_CHAIN_USE,
	NFTA_CHAIN_TYPE,
	NFTA_CHAIN_COUNTERS,
	NFTA_CHAIN_PAD,
	NFTA_CHAIN_FLAGS,
	NFTA_CHAIN_ID,
	NFTA_CHAIN_USERDATA,
	__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)

/**
 * enum nft_rule_attributes - nf_tables rule netlink attributes
 *
 * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
 * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
 * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
 * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
 * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
 * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
 * @NFTA_RULE_PAD: padding attribute accompanying the 64-bit handles (netlink
 *		   convention); carries no data
 * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
 * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
 * @NFTA_RULE_CHAIN_ID: transaction unique identifier of the chain containing
 *		        the rule (NLA_U32, see NFTA_CHAIN_ID — confirm)
 */
enum nft_rule_attributes {
	NFTA_RULE_UNSPEC,
	NFTA_RULE_TABLE,
	NFTA_RULE_CHAIN,
	NFTA_RULE_HANDLE,
	NFTA_RULE_EXPRESSIONS,
	NFTA_RULE_COMPAT,
	NFTA_RULE_POSITION,
	NFTA_RULE_USERDATA,
	NFTA_RULE_PAD,
	NFTA_RULE_ID,
	NFTA_RULE_POSITION_ID,
	NFTA_RULE_CHAIN_ID,
	__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)

/**
 * enum nft_rule_compat_flags - nf_tables rule compat flags
 *
 * @NFT_RULE_COMPAT_F_UNUSED: unused
 * @NFT_RULE_COMPAT_F_INV: invert the check result
 * @NFT_RULE_COMPAT_F_MASK: every accepted flag bit (currently only
 *			    NFT_RULE_COMPAT_F_INV; the unused bit is excluded)
 */
enum nft_rule_compat_flags {
	NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
	NFT_RULE_COMPAT_F_INV	= (1 << 1),
	NFT_RULE_COMPAT_F_MASK	= NFT_RULE_COMPAT_F_INV,
};

/**
 * enum nft_rule_compat_attributes - nf_tables rule compat attributes
 *
 * @NFTA_RULE_COMPAT_PROTO: numeric value of handled protocol (NLA_U32)
 * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
 */
enum nft_rule_compat_attributes {
	NFTA_RULE_COMPAT_UNSPEC,
	NFTA_RULE_COMPAT_PROTO,
	NFTA_RULE_COMPAT_FLAGS,
	__NFTA_RULE_COMPAT_MAX
};
#define NFTA_RULE_COMPAT_MAX	(__NFTA_RULE_COMPAT_MAX - 1)

/**
 * enum nft_set_flags - nf_tables set flags
 *
 * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
 * @NFT_SET_CONSTANT: set contents may not change while bound
 * @NFT_SET_INTERVAL: set contains intervals
 * @NFT_SET_MAP: set is used as a dictionary
 * @NFT_SET_TIMEOUT: set uses timeouts
 * @NFT_SET_EVAL: set can be updated from the evaluation path
 * @NFT_SET_OBJECT: set contains stateful objects
 * @NFT_SET_CONCAT: set contains a concatenation
 */
enum nft_set_flags {
	NFT_SET_ANONYMOUS		= 0x1,
	NFT_SET_CONSTANT		= 0x2,
	NFT_SET_INTERVAL		= 0x4,
	NFT_SET_MAP			= 0x8,
	NFT_SET_TIMEOUT			= 0x10,
	NFT_SET_EVAL			= 0x20,
	NFT_SET_OBJECT			= 0x40,
	NFT_SET_CONCAT			= 0x80,
};

/**
 * enum nft_set_policies - set selection policy
 *
 * @NFT_SET_POL_PERFORMANCE: prefer high performance over low memory use
 * @NFT_SET_POL_MEMORY: prefer low memory use over high performance
 */
enum nft_set_policies {
	NFT_SET_POL_PERFORMANCE,
	NFT_SET_POL_MEMORY,
};

/**
 * enum nft_set_desc_attributes - set element description
 *
 * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
 * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
 */
enum nft_set_desc_attributes {
	NFTA_SET_DESC_UNSPEC,
	NFTA_SET_DESC_SIZE,
	NFTA_SET_DESC_CONCAT,
	__NFTA_SET_DESC_MAX
};
#define NFTA_SET_DESC_MAX	(__NFTA_SET_DESC_MAX - 1)

/**
 * enum nft_set_field_attributes - attributes of concatenated fields
 *
 * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
 */
enum nft_set_field_attributes {
	NFTA_SET_FIELD_UNSPEC,
	NFTA_SET_FIELD_LEN,
	__NFTA_SET_FIELD_MAX
};
#define NFTA_SET_FIELD_MAX	(__NFTA_SET_FIELD_MAX - 1)

/**
 * enum nft_set_attributes - nf_tables set netlink attributes
 *
 * @NFTA_SET_TABLE: table name (NLA_STRING)
 * @NFTA_SET_NAME: set name (NLA_STRING)
 * @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
 * @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
 * @NFTA_SET_KEY_LEN: key data length (NLA_U32)
 * @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
 * @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
 * @NFTA_SET_POLICY: selection policy (NLA_U32)
 * @NFTA_SET_DESC: set description (NLA_NESTED)
 * @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 * @NFTA_SET_TIMEOUT: default timeout value (NLA_U64)
 * @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
 * @NFTA_SET_USERDATA: user data (NLA_BINARY)
 * @NFTA_SET_PAD: padding attribute accompanying the 64-bit attributes
 *		  (netlink convention); carries no data
 * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
 * @NFTA_SET_HANDLE: set handle (NLA_U64)
 * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
 */
enum nft_set_attributes {
	NFTA_SET_UNSPEC,
	NFTA_SET_TABLE,
	NFTA_SET_NAME,
	NFTA_SET_FLAGS,
	NFTA_SET_KEY_TYPE,
	NFTA_SET_KEY_LEN,
	NFTA_SET_DATA_TYPE,
	NFTA_SET_DATA_LEN,
	NFTA_SET_POLICY,
	NFTA_SET_DESC,
	NFTA_SET_ID,
	NFTA_SET_TIMEOUT,
	NFTA_SET_GC_INTERVAL,
	NFTA_SET_USERDATA,
	NFTA_SET_PAD,
	NFTA_SET_OBJ_TYPE,
	NFTA_SET_HANDLE,
	NFTA_SET_EXPR,
	__NFTA_SET_MAX
};
#define NFTA_SET_MAX		(__NFTA_SET_MAX - 1)

/**
 * enum nft_set_elem_flags - nf_tables set element flags
 *
 * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
 */
enum nft_set_elem_flags {
	NFT_SET_ELEM_INTERVAL_END	= 0x1,
};

/**
 * enum nft_set_elem_attributes - nf_tables set element netlink attributes
 *
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
 * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
 * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
 * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
 * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
 * @NFTA_SET_ELEM_PAD: padding attribute accompanying the 64-bit attributes
 *		       (netlink convention); carries no data
 * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
 * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data);
 *			   presumably only meaningful for interval sets — confirm
 */
enum nft_set_elem_attributes {
	NFTA_SET_ELEM_UNSPEC,
	NFTA_SET_ELEM_KEY,
	NFTA_SET_ELEM_DATA,
	NFTA_SET_ELEM_FLAGS,
	NFTA_SET_ELEM_TIMEOUT,
	NFTA_SET_ELEM_EXPIRATION,
	NFTA_SET_ELEM_USERDATA,
	NFTA_SET_ELEM_EXPR,
	NFTA_SET_ELEM_PAD,
	NFTA_SET_ELEM_OBJREF,
	NFTA_SET_ELEM_KEY_END,
	__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX	(__NFTA_SET_ELEM_MAX - 1)

/**
 * enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
 *
 * @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
 * @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
 * @NFTA_SET_ELEM_LIST_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 */
enum nft_set_elem_list_attributes {
	NFTA_SET_ELEM_LIST_UNSPEC,
	NFTA_SET_ELEM_LIST_TABLE,
	NFTA_SET_ELEM_LIST_SET,
	NFTA_SET_ELEM_LIST_ELEMENTS,
	NFTA_SET_ELEM_LIST_SET_ID,
	__NFTA_SET_ELEM_LIST_MAX
};
#define NFTA_SET_ELEM_LIST_MAX	(__NFTA_SET_ELEM_LIST_MAX - 1)

/**
 * enum nft_data_types - nf_tables data types
 *
 * @NFT_DATA_VALUE: generic data
 * @NFT_DATA_VERDICT: netfilter verdict
 *
 * The type of data is usually determined by the kernel directly and is not
 * explicitly specified by userspace. The only difference are sets, where
 * userspace specifies the key and mapping data types.
 *
 * The values 0xffffff00-0xffffffff are reserved for internally used types.
 * The remaining range can be freely used by userspace to encode types, all
 * values are equivalent to NFT_DATA_VALUE.
 */
enum nft_data_types {
	NFT_DATA_VALUE,
	NFT_DATA_VERDICT	= 0xffffff00U,
};

/* Bits that place a data type in the reserved, kernel-internal range above.
 * A type supplied by userspace with these bits set names an internal type and
 * is expected to be rejected unless it is exactly NFT_DATA_VERDICT — confirm. */
#define NFT_DATA_RESERVED_MASK	0xffffff00U

/**
 * enum nft_data_attributes - nf_tables data netlink attributes
 *
 * @NFTA_DATA_VALUE: generic data (NLA_BINARY)
 * @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
 */
enum nft_data_attributes {
	NFTA_DATA_UNSPEC,
	NFTA_DATA_VALUE,
	NFTA_DATA_VERDICT,
	__NFTA_DATA_MAX
};
#define NFTA_DATA_MAX		(__NFTA_DATA_MAX - 1)

/* Maximum length of a value; numerically NFT_REG32_COUNT * NFT_REG32_SIZE,
 * i.e. the whole 32-bit register file. */
#define NFT_DATA_VALUE_MAXLEN	64

/**
 * enum nft_verdict_attributes - nf_tables verdict netlink attributes
 *
 * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
 * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
 * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
 */
enum nft_verdict_attributes {
	NFTA_VERDICT_UNSPEC,
	NFTA_VERDICT_CODE,
	NFTA_VERDICT_CHAIN,
	NFTA_VERDICT_CHAIN_ID,
	__NFTA_VERDICT_MAX
};
#define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)

/**
 * enum nft_expr_attributes - nf_tables expression netlink attributes
 *
 * @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
 * @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
 */
enum nft_expr_attributes {
	NFTA_EXPR_UNSPEC,
	NFTA_EXPR_NAME,
	NFTA_EXPR_DATA,
	__NFTA_EXPR_MAX
};
#define NFTA_EXPR_MAX		(__NFTA_EXPR_MAX - 1)

/**
 * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
 *
 * @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32)
 * @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
 */
enum nft_immediate_attributes {
	NFTA_IMMEDIATE_UNSPEC,
	NFTA_IMMEDIATE_DREG,
	NFTA_IMMEDIATE_DATA,
	__NFTA_IMMEDIATE_MAX
};
#define NFTA_IMMEDIATE_MAX	(__NFTA_IMMEDIATE_MAX - 1)

/**
 * enum nft_bitwise_ops - nf_tables bitwise operations
 *
 * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
 *                    XOR boolean operations
 * @NFT_BITWISE_LSHIFT: left-shift operation
 * @NFT_BITWISE_RSHIFT: right-shift operation
 */
enum nft_bitwise_ops {
	NFT_BITWISE_BOOL,
	NFT_BITWISE_LSHIFT,
	NFT_BITWISE_RSHIFT,
};

/**
 * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
 *
 * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
 * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
 * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
 * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
 * @NFTA_BITWISE_DATA: argument for non-boolean operations
 *                     (NLA_NESTED: nft_data_attributes)
 *
 * The bitwise expression supports boolean and shift operations.  It implements
 * the boolean operations by performing the following operation:
 *
 * dreg = (sreg & mask) ^ xor
 *
 * with these mask and xor values:
 *
 * 		mask	xor
 * NOT:		1	1
 * OR:		~x	x
 * XOR:		1	x
 * AND:		x	0
 */
enum nft_bitwise_attributes {
	NFTA_BITWISE_UNSPEC,
	NFTA_BITWISE_SREG,
	NFTA_BITWISE_DREG,
	NFTA_BITWISE_LEN,
	NFTA_BITWISE_MASK,
	NFTA_BITWISE_XOR,
	NFTA_BITWISE_OP,
	NFTA_BITWISE_DATA,
	__NFTA_BITWISE_MAX
};
#define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)

/**
 * enum nft_byteorder_ops - nf_tables byteorder operators
 *
 * @NFT_BYTEORDER_NTOH: network to host operator
 * @NFT_BYTEORDER_HTON: host to network operator
 */
enum nft_byteorder_ops {
	NFT_BYTEORDER_NTOH,
	NFT_BYTEORDER_HTON,
};

/**
 * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
 *
 * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
 * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
 * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
 */
enum nft_byteorder_attributes {
	NFTA_BYTEORDER_UNSPEC,
	NFTA_BYTEORDER_SREG,
	NFTA_BYTEORDER_DREG,
	NFTA_BYTEORDER_OP,
	NFTA_BYTEORDER_LEN,
	NFTA_BYTEORDER_SIZE,
	__NFTA_BYTEORDER_MAX
};
#define NFTA_BYTEORDER_MAX	(__NFTA_BYTEORDER_MAX - 1)

/**
 * enum nft_cmp_ops - nf_tables relational operator
 *
 * @NFT_CMP_EQ: equal
 * @NFT_CMP_NEQ: not equal
 * @NFT_CMP_LT: less than
 * @NFT_CMP_LTE: less than or equal to
 * @NFT_CMP_GT: greater than
 * @NFT_CMP_GTE: greater than or equal to
 */
enum nft_cmp_ops {
	NFT_CMP_EQ,
	NFT_CMP_NEQ,
	NFT_CMP_LT,
	NFT_CMP_LTE,
	NFT_CMP_GT,
	NFT_CMP_GTE,
};

/**
 * enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
 *
 * @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
 * @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
 * @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
 */
enum nft_cmp_attributes {
	NFTA_CMP_UNSPEC,
	NFTA_CMP_SREG,
	NFTA_CMP_OP,
	NFTA_CMP_DATA,
	__NFTA_CMP_MAX
};
#define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)

/**
 * enum nft_range_ops - nf_tables range operator
 *
 * @NFT_RANGE_EQ: equal
 * @NFT_RANGE_NEQ: not equal
 */
enum nft_range_ops {
	NFT_RANGE_EQ,
	NFT_RANGE_NEQ,
};

/**
 * enum nft_range_attributes - nf_tables range expression netlink attributes
 *
 * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
 * @NFTA_RANGE_OP: range operation (NLA_U32: nft_range_ops)
 * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
 * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
 */
enum nft_range_attributes {
	NFTA_RANGE_UNSPEC,
	NFTA_RANGE_SREG,
	NFTA_RANGE_OP,
	NFTA_RANGE_FROM_DATA,
	NFTA_RANGE_TO_DATA,
	__NFTA_RANGE_MAX
};
#define NFTA_RANGE_MAX		(__NFTA_RANGE_MAX - 1)

/**
 * enum nft_lookup_flags - nf_tables set lookup expression flags
 *
 * @NFT_LOOKUP_F_INV: invert the lookup result (name-derived, cf.
 *		      NFT_RULE_COMPAT_F_INV — confirm)
 */
enum nft_lookup_flags {
	NFT_LOOKUP_F_INV = (1 << 0),
};

/**
 * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
 *
 * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
 * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
 * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
 */
enum nft_lookup_attributes {
	NFTA_LOOKUP_UNSPEC,
	NFTA_LOOKUP_SET,
	NFTA_LOOKUP_SREG,
	NFTA_LOOKUP_DREG,
	NFTA_LOOKUP_SET_ID,
	NFTA_LOOKUP_FLAGS,
	__NFTA_LOOKUP_MAX
};
#define NFTA_LOOKUP_MAX		(__NFTA_LOOKUP_MAX - 1)

/**
 * enum nft_dynset_ops - dynset expression operations
 *
 * @NFT_DYNSET_OP_ADD: add an element to the set
 * @NFT_DYNSET_OP_UPDATE: update an existing element of the set
 * @NFT_DYNSET_OP_DELETE: delete an element from the set
 */
enum nft_dynset_ops {
	NFT_DYNSET_OP_ADD,
	NFT_DYNSET_OP_UPDATE,
	NFT_DYNSET_OP_DELETE,
};

/**
 * enum nft_dynset_flags - dynset expression flags
 *
 * @NFT_DYNSET_F_INV: invert the result (name-derived, cf. NFT_LOOKUP_F_INV —
 *		      confirm)
 */
enum nft_dynset_flags {
	NFT_DYNSET_F_INV	= (1 << 0),
};

/**
 * enum nft_dynset_attributes - dynset expression attributes
 *
 * @NFTA_DYNSET_SET_NAME: name of the set to add data to (NLA_STRING)
 * @NFTA_DYNSET_SET_ID: unique identifier of the set in the transaction (NLA_U32)
 * @NFTA_DYNSET_OP: operation (NLA_U32: nft_dynset_ops)
 * @NFTA_DYNSET_SREG_KEY: source register of the key (NLA_U32: nft_registers)
 * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32: nft_registers)
 * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
 * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
 * @NFTA_DYNSET_PAD: padding attribute accompanying the 64-bit timeout (netlink
 *		     convention); carries no data
 * @NFTA_DYNSET_FLAGS: flags (NLA_U32: enum nft_dynset_flags)
 */
enum nft_dynset_attributes {
	NFTA_DYNSET_UNSPEC,
	NFTA_DYNSET_SET_NAME,
	NFTA_DYNSET_SET_ID,
	NFTA_DYNSET_OP,
	NFTA_DYNSET_SREG_KEY,
	NFTA_DYNSET_SREG_DATA,
	NFTA_DYNSET_TIMEOUT,
	NFTA_DYNSET_EXPR,
	NFTA_DYNSET_PAD,
	NFTA_DYNSET_FLAGS,
	__NFTA_DYNSET_MAX,
};
#define NFTA_DYNSET_MAX		(__NFTA_DYNSET_MAX - 1)

/**
 * enum nft_payload_bases - nf_tables payload expression offset bases
 *
 * @NFT_PAYLOAD_LL_HEADER: link layer header
 * @NFT_PAYLOAD_NETWORK_HEADER: network header
 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
 */
enum nft_payload_bases {
	NFT_PAYLOAD_LL_HEADER,
	NFT_PAYLOAD_NETWORK_HEADER,
	NFT_PAYLOAD_TRANSPORT_HEADER,
};

/**
 * enum nft_payload_csum_types - nf_tables payload expression checksum types
 *
 * @NFT_PAYLOAD_CSUM_NONE: no checksumming
 * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
 * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
 */
enum nft_payload_csum_types {
	NFT_PAYLOAD_CSUM_NONE,
	NFT_PAYLOAD_CSUM_INET,
	NFT_PAYLOAD_CSUM_SCTP,
};

/**
 * enum nft_payload_csum_flags - nf_tables payload expression checksum flags
 *
 * @NFT_PAYLOAD_L4CSUM_PSEUDOHDR: the layer 4 checksum covers a pseudo-header,
 *				  so it must also be updated when the
 *				  network-layer fields change (name-derived —
 *				  confirm)
 */
enum nft_payload_csum_flags {
	NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
};

/**
 * enum nft_payload_attributes - nf_tables payload expression netlink attributes
 *
 * @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
 * @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
 * @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
 * @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
 * @NFTA_PAYLOAD_SREG: source register to load data from (NLA_U32: nft_registers)
 * @NFTA_PAYLOAD_CSUM_TYPE: checksum type (NLA_U32: nft_payload_csum_types)
 * @NFTA_PAYLOAD_CSUM_OFFSET: checksum offset relative to base (NLA_U32)
 * @NFTA_PAYLOAD_CSUM_FLAGS: checksum flags (NLA_U32: nft_payload_csum_flags)
 */
enum nft_payload_attributes {
	NFTA_PAYLOAD_UNSPEC,
	NFTA_PAYLOAD_DREG,
	NFTA_PAYLOAD_BASE,
	NFTA_PAYLOAD_OFFSET,
	NFTA_PAYLOAD_LEN,
	NFTA_PAYLOAD_SREG,
	NFTA_PAYLOAD_CSUM_TYPE,
	NFTA_PAYLOAD_CSUM_OFFSET,
	NFTA_PAYLOAD_CSUM_FLAGS,
	__NFTA_PAYLOAD_MAX
};
#define NFTA_PAYLOAD_MAX	(__NFTA_PAYLOAD_MAX - 1)

/**
 * enum nft_exthdr_flags - nf_tables extension header expression flags
 *
 * @NFT_EXTHDR_F_PRESENT: match on the presence of the header/option instead
 *			  of loading its contents (name-derived — confirm)
 */
enum nft_exthdr_flags {
	NFT_EXTHDR_F_PRESENT = (1 << 0),
};

/**
 * enum nft_exthdr_op - nf_tables match options
 *
 * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
 * @NFT_EXTHDR_OP_TCPOPT: match against tcp options
 * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
 * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
 */
enum nft_exthdr_op {
	NFT_EXTHDR_OP_IPV6,
	NFT_EXTHDR_OP_TCPOPT,
	NFT_EXTHDR_OP_IPV4,
	NFT_EXTHDR_OP_SCTP,
	__NFT_EXTHDR_OP_MAX
};
#define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)

/**
 * enum nft_exthdr_attributes - nf_tables extension header expression netlink attributes
 *
 * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
 * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
 * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
 * @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32: nft_exthdr_flags)
 * @NFTA_EXTHDR_OP: option match type (NLA_U32: nft_exthdr_op)
 * @NFTA_EXTHDR_SREG: source register (NLA_U32: nft_registers)
 */
enum nft_exthdr_attributes {
	NFTA_EXTHDR_UNSPEC,
	NFTA_EXTHDR_DREG,
	NFTA_EXTHDR_TYPE,
	NFTA_EXTHDR_OFFSET,
	NFTA_EXTHDR_LEN,
	NFTA_EXTHDR_FLAGS,
	NFTA_EXTHDR_OP,
	NFTA_EXTHDR_SREG,
	__NFTA_EXTHDR_MAX
};
#define NFTA_EXTHDR_MAX		(__NFTA_EXTHDR_MAX - 1)

/**
 * enum nft_meta_keys - nf_tables meta expression keys
 *
 * @NFT_META_LEN: packet length (skb->len)
 * @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
 * @NFT_META_PRIORITY: packet priority (skb->priority)
 * @NFT_META_MARK: packet mark (skb->mark)
 * @NFT_META_IIF: packet input interface index (dev->ifindex)
 * @NFT_META_OIF: packet output interface index (dev->ifindex)
 * @NFT_META_IIFNAME: packet input interface name (dev->name)
 * @NFT_META_OIFNAME: packet output interface name (dev->name)
 * @NFT_META_IIFTYPE: packet input interface type (dev->type)
 * @NFT_META_OIFTYPE: packet output interface type (dev->type)
 * @NFT_META_SKUID: originating socket UID (fsuid)
 * @NFT_META_SKGID: originating socket GID (fsgid)
 * @NFT_META_NFTRACE: packet nftrace bit
 * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_META_SECMARK: packet secmark (skb->secmark)
 * @NFT_META_NFPROTO: netfilter protocol
 * @NFT_META_L4PROTO: layer 4 protocol number
 * @NFT_META_BRI_IIFNAME: packet input bridge interface name
 * @NFT_META_BRI_OIFNAME: packet output bridge interface name
 * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
 * @NFT_META_CPU: cpu id through smp_processor_id()
 * @NFT_META_IIFGROUP: packet input interface group
 * @NFT_META_OIFGROUP: packet output interface group
 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
 * @NFT_META_PRANDOM: a 32bit pseudo-random number
 * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
 * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
 * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
 * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
 * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
 * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
 * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
 * @NFT_META_TIME_HOUR: hour of day (in seconds)
 * @NFT_META_SDIF: slave device interface index
 * @NFT_META_SDIFNAME: slave device interface name
 */
enum nft_meta_keys {
	NFT_META_LEN,
	NFT_META_PROTOCOL,
	NFT_META_PRIORITY,
	NFT_META_MARK,
	NFT_META_IIF,
	NFT_META_OIF,
	NFT_META_IIFNAME,
	NFT_META_OIFNAME,
	NFT_META_IIFTYPE,
	NFT_META_OIFTYPE,
	NFT_META_SKUID,
	NFT_META_SKGID,
	NFT_META_NFTRACE,
	NFT_META_RTCLASSID,
	NFT_META_SECMARK,
	NFT_META_NFPROTO,
	NFT_META_L4PROTO,
	NFT_META_BRI_IIFNAME,
	NFT_META_BRI_OIFNAME,
	NFT_META_PKTTYPE,
	NFT_META_CPU,
	NFT_META_IIFGROUP,
	NFT_META_OIFGROUP,
	NFT_META_CGROUP,
	NFT_META_PRANDOM,
	NFT_META_SECPATH,
	NFT_META_IIFKIND,
	NFT_META_OIFKIND,
	NFT_META_BRI_IIFPVID,
	NFT_META_BRI_IIFVPROTO,
	NFT_META_TIME_NS,
	NFT_META_TIME_DAY,
	NFT_META_TIME_HOUR,
	NFT_META_SDIF,
	NFT_META_SDIFNAME,
};

/**
 * enum nft_rt_keys - nf_tables routing expression keys
 *
 * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
 * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
 * @NFT_RT_TCPMSS: fetch current path tcp mss
 * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
 */
enum nft_rt_keys
{ 925 NFT_RT_CLASSID, 926 NFT_RT_NEXTHOP4, 927 NFT_RT_NEXTHOP6, 928 NFT_RT_TCPMSS, 929 NFT_RT_XFRM, 930 __NFT_RT_MAX 931 }; 932 #define NFT_RT_MAX (__NFT_RT_MAX - 1) 933 934 /** 935 * enum nft_hash_types - nf_tables hash expression types 936 * 937 * @NFT_HASH_JENKINS: Jenkins Hash 938 * @NFT_HASH_SYM: Symmetric Hash 939 */ 940 enum nft_hash_types { 941 NFT_HASH_JENKINS, 942 NFT_HASH_SYM, 943 }; 944 945 /** 946 * enum nft_hash_attributes - nf_tables hash expression netlink attributes 947 * 948 * @NFTA_HASH_SREG: source register (NLA_U32) 949 * @NFTA_HASH_DREG: destination register (NLA_U32) 950 * @NFTA_HASH_LEN: source data length (NLA_U32) 951 * @NFTA_HASH_MODULUS: modulus value (NLA_U32) 952 * @NFTA_HASH_SEED: seed value (NLA_U32) 953 * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32) 954 * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types) 955 * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING) 956 * @NFTA_HASH_SET_ID: id of the map (NLA_U32) 957 */ 958 enum nft_hash_attributes { 959 NFTA_HASH_UNSPEC, 960 NFTA_HASH_SREG, 961 NFTA_HASH_DREG, 962 NFTA_HASH_LEN, 963 NFTA_HASH_MODULUS, 964 NFTA_HASH_SEED, 965 NFTA_HASH_OFFSET, 966 NFTA_HASH_TYPE, 967 NFTA_HASH_SET_NAME, /* deprecated */ 968 NFTA_HASH_SET_ID, /* deprecated */ 969 __NFTA_HASH_MAX, 970 }; 971 #define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) 972 973 /** 974 * enum nft_meta_attributes - nf_tables meta expression netlink attributes 975 * 976 * @NFTA_META_DREG: destination register (NLA_U32) 977 * @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys) 978 * @NFTA_META_SREG: source register (NLA_U32) 979 */ 980 enum nft_meta_attributes { 981 NFTA_META_UNSPEC, 982 NFTA_META_DREG, 983 NFTA_META_KEY, 984 NFTA_META_SREG, 985 __NFTA_META_MAX 986 }; 987 #define NFTA_META_MAX (__NFTA_META_MAX - 1) 988 989 /** 990 * enum nft_rt_attributes - nf_tables routing expression netlink attributes 991 * 992 * @NFTA_RT_DREG: destination register (NLA_U32) 993 * @NFTA_RT_KEY: routing data 
item to load (NLA_U32: nft_rt_keys) 994 */ 995 enum nft_rt_attributes { 996 NFTA_RT_UNSPEC, 997 NFTA_RT_DREG, 998 NFTA_RT_KEY, 999 __NFTA_RT_MAX 1000 }; 1001 #define NFTA_RT_MAX (__NFTA_RT_MAX - 1) 1002 1003 /** 1004 * enum nft_socket_attributes - nf_tables socket expression netlink attributes 1005 * 1006 * @NFTA_SOCKET_KEY: socket key to match 1007 * @NFTA_SOCKET_DREG: destination register 1008 */ 1009 enum nft_socket_attributes { 1010 NFTA_SOCKET_UNSPEC, 1011 NFTA_SOCKET_KEY, 1012 NFTA_SOCKET_DREG, 1013 __NFTA_SOCKET_MAX 1014 }; 1015 #define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) 1016 1017 /* 1018 * enum nft_socket_keys - nf_tables socket expression keys 1019 * 1020 * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option 1021 * @NFT_SOCKET_MARK: Value of the socket mark 1022 * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0) 1023 */ 1024 enum nft_socket_keys { 1025 NFT_SOCKET_TRANSPARENT, 1026 NFT_SOCKET_MARK, 1027 NFT_SOCKET_WILDCARD, 1028 __NFT_SOCKET_MAX 1029 }; 1030 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) 1031 1032 /** 1033 * enum nft_ct_keys - nf_tables ct expression keys 1034 * 1035 * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info) 1036 * @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir) 1037 * @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status) 1038 * @NFT_CT_MARK: conntrack mark value 1039 * @NFT_CT_SECMARK: conntrack secmark value 1040 * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms 1041 * @NFT_CT_HELPER: connection tracking helper assigned to conntrack 1042 * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol 1043 * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated) 1044 * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated) 1045 * @NFT_CT_PROTOCOL: conntrack layer 4 protocol 1046 * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source 1047 * @NFT_CT_PROTO_DST: conntrack layer 4 
protocol destination 1048 * @NFT_CT_LABELS: conntrack labels 1049 * @NFT_CT_PKTS: conntrack packets 1050 * @NFT_CT_BYTES: conntrack bytes 1051 * @NFT_CT_AVGPKT: conntrack average bytes per packet 1052 * @NFT_CT_ZONE: conntrack zone 1053 * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack 1054 * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address) 1055 * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) 1056 * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) 1057 * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) 1058 * @NFT_CT_ID: conntrack id 1059 */ 1060 enum nft_ct_keys { 1061 NFT_CT_STATE, 1062 NFT_CT_DIRECTION, 1063 NFT_CT_STATUS, 1064 NFT_CT_MARK, 1065 NFT_CT_SECMARK, 1066 NFT_CT_EXPIRATION, 1067 NFT_CT_HELPER, 1068 NFT_CT_L3PROTOCOL, 1069 NFT_CT_SRC, 1070 NFT_CT_DST, 1071 NFT_CT_PROTOCOL, 1072 NFT_CT_PROTO_SRC, 1073 NFT_CT_PROTO_DST, 1074 NFT_CT_LABELS, 1075 NFT_CT_PKTS, 1076 NFT_CT_BYTES, 1077 NFT_CT_AVGPKT, 1078 NFT_CT_ZONE, 1079 NFT_CT_EVENTMASK, 1080 NFT_CT_SRC_IP, 1081 NFT_CT_DST_IP, 1082 NFT_CT_SRC_IP6, 1083 NFT_CT_DST_IP6, 1084 NFT_CT_ID, 1085 __NFT_CT_MAX 1086 }; 1087 #define NFT_CT_MAX (__NFT_CT_MAX - 1) 1088 1089 /** 1090 * enum nft_ct_attributes - nf_tables ct expression netlink attributes 1091 * 1092 * @NFTA_CT_DREG: destination register (NLA_U32) 1093 * @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys) 1094 * @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8) 1095 * @NFTA_CT_SREG: source register (NLA_U32) 1096 */ 1097 enum nft_ct_attributes { 1098 NFTA_CT_UNSPEC, 1099 NFTA_CT_DREG, 1100 NFTA_CT_KEY, 1101 NFTA_CT_DIRECTION, 1102 NFTA_CT_SREG, 1103 __NFTA_CT_MAX 1104 }; 1105 #define NFTA_CT_MAX (__NFTA_CT_MAX - 1) 1106 1107 /** 1108 * enum nft_flow_attributes - ct offload expression attributes 1109 * @NFTA_FLOW_TABLE_NAME: flow table name (NLA_STRING) 1110 */ 1111 enum nft_offload_attributes { 1112 NFTA_FLOW_UNSPEC, 1113 
NFTA_FLOW_TABLE_NAME, 1114 __NFTA_FLOW_MAX, 1115 }; 1116 #define NFTA_FLOW_MAX (__NFTA_FLOW_MAX - 1) 1117 1118 enum nft_limit_type { 1119 NFT_LIMIT_PKTS, 1120 NFT_LIMIT_PKT_BYTES 1121 }; 1122 1123 enum nft_limit_flags { 1124 NFT_LIMIT_F_INV = (1 << 0), 1125 }; 1126 1127 /** 1128 * enum nft_limit_attributes - nf_tables limit expression netlink attributes 1129 * 1130 * @NFTA_LIMIT_RATE: refill rate (NLA_U64) 1131 * @NFTA_LIMIT_UNIT: refill unit (NLA_U64) 1132 * @NFTA_LIMIT_BURST: burst (NLA_U32) 1133 * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type) 1134 * @NFTA_LIMIT_FLAGS: flags (NLA_U32: enum nft_limit_flags) 1135 */ 1136 enum nft_limit_attributes { 1137 NFTA_LIMIT_UNSPEC, 1138 NFTA_LIMIT_RATE, 1139 NFTA_LIMIT_UNIT, 1140 NFTA_LIMIT_BURST, 1141 NFTA_LIMIT_TYPE, 1142 NFTA_LIMIT_FLAGS, 1143 NFTA_LIMIT_PAD, 1144 __NFTA_LIMIT_MAX 1145 }; 1146 #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) 1147 1148 enum nft_connlimit_flags { 1149 NFT_CONNLIMIT_F_INV = (1 << 0), 1150 }; 1151 1152 /** 1153 * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes 1154 * 1155 * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32) 1156 * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags) 1157 */ 1158 enum nft_connlimit_attributes { 1159 NFTA_CONNLIMIT_UNSPEC, 1160 NFTA_CONNLIMIT_COUNT, 1161 NFTA_CONNLIMIT_FLAGS, 1162 __NFTA_CONNLIMIT_MAX 1163 }; 1164 #define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1) 1165 1166 /** 1167 * enum nft_counter_attributes - nf_tables counter expression netlink attributes 1168 * 1169 * @NFTA_COUNTER_BYTES: number of bytes (NLA_U64) 1170 * @NFTA_COUNTER_PACKETS: number of packets (NLA_U64) 1171 */ 1172 enum nft_counter_attributes { 1173 NFTA_COUNTER_UNSPEC, 1174 NFTA_COUNTER_BYTES, 1175 NFTA_COUNTER_PACKETS, 1176 NFTA_COUNTER_PAD, 1177 __NFTA_COUNTER_MAX 1178 }; 1179 #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) 1180 1181 /** 1182 * enum nft_log_attributes - nf_tables log expression netlink attributes 
1183 * 1184 * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32) 1185 * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING) 1186 * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32) 1187 * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32) 1188 * @NFTA_LOG_LEVEL: log level (NLA_U32) 1189 * @NFTA_LOG_FLAGS: logging flags (NLA_U32) 1190 */ 1191 enum nft_log_attributes { 1192 NFTA_LOG_UNSPEC, 1193 NFTA_LOG_GROUP, 1194 NFTA_LOG_PREFIX, 1195 NFTA_LOG_SNAPLEN, 1196 NFTA_LOG_QTHRESHOLD, 1197 NFTA_LOG_LEVEL, 1198 NFTA_LOG_FLAGS, 1199 __NFTA_LOG_MAX 1200 }; 1201 #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) 1202 1203 /** 1204 * enum nft_log_level - nf_tables log levels 1205 * 1206 * @NFT_LOGLEVEL_EMERG: system is unusable 1207 * @NFT_LOGLEVEL_ALERT: action must be taken immediately 1208 * @NFT_LOGLEVEL_CRIT: critical conditions 1209 * @NFT_LOGLEVEL_ERR: error conditions 1210 * @NFT_LOGLEVEL_WARNING: warning conditions 1211 * @NFT_LOGLEVEL_NOTICE: normal but significant condition 1212 * @NFT_LOGLEVEL_INFO: informational 1213 * @NFT_LOGLEVEL_DEBUG: debug-level messages 1214 * @NFT_LOGLEVEL_AUDIT: enabling audit logging 1215 */ 1216 enum nft_log_level { 1217 NFT_LOGLEVEL_EMERG, 1218 NFT_LOGLEVEL_ALERT, 1219 NFT_LOGLEVEL_CRIT, 1220 NFT_LOGLEVEL_ERR, 1221 NFT_LOGLEVEL_WARNING, 1222 NFT_LOGLEVEL_NOTICE, 1223 NFT_LOGLEVEL_INFO, 1224 NFT_LOGLEVEL_DEBUG, 1225 NFT_LOGLEVEL_AUDIT, 1226 __NFT_LOGLEVEL_MAX 1227 }; 1228 #define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1) 1229 1230 /** 1231 * enum nft_queue_attributes - nf_tables queue expression netlink attributes 1232 * 1233 * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16) 1234 * @NFTA_QUEUE_TOTAL: number of queues to load balance packets on (NLA_U16) 1235 * @NFTA_QUEUE_FLAGS: various flags (NLA_U16) 1236 * @NFTA_QUEUE_SREG_QNUM: source register of queue number (NLA_U32: nft_registers) 1237 */ 1238 enum nft_queue_attributes { 1239 NFTA_QUEUE_UNSPEC, 1240 NFTA_QUEUE_NUM, 1241 
NFTA_QUEUE_TOTAL, 1242 NFTA_QUEUE_FLAGS, 1243 NFTA_QUEUE_SREG_QNUM, 1244 __NFTA_QUEUE_MAX 1245 }; 1246 #define NFTA_QUEUE_MAX (__NFTA_QUEUE_MAX - 1) 1247 1248 #define NFT_QUEUE_FLAG_BYPASS 0x01 /* for compatibility with v2 */ 1249 #define NFT_QUEUE_FLAG_CPU_FANOUT 0x02 /* use current CPU (no hashing) */ 1250 #define NFT_QUEUE_FLAG_MASK 0x03 1251 1252 enum nft_quota_flags { 1253 NFT_QUOTA_F_INV = (1 << 0), 1254 NFT_QUOTA_F_DEPLETED = (1 << 1), 1255 }; 1256 1257 /** 1258 * enum nft_quota_attributes - nf_tables quota expression netlink attributes 1259 * 1260 * @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16) 1261 * @NFTA_QUOTA_FLAGS: flags (NLA_U32) 1262 * @NFTA_QUOTA_CONSUMED: quota already consumed in bytes (NLA_U64) 1263 */ 1264 enum nft_quota_attributes { 1265 NFTA_QUOTA_UNSPEC, 1266 NFTA_QUOTA_BYTES, 1267 NFTA_QUOTA_FLAGS, 1268 NFTA_QUOTA_PAD, 1269 NFTA_QUOTA_CONSUMED, 1270 __NFTA_QUOTA_MAX 1271 }; 1272 #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) 1273 1274 /** 1275 * enum nft_secmark_attributes - nf_tables secmark object netlink attributes 1276 * 1277 * @NFTA_SECMARK_CTX: security context (NLA_STRING) 1278 */ 1279 enum nft_secmark_attributes { 1280 NFTA_SECMARK_UNSPEC, 1281 NFTA_SECMARK_CTX, 1282 __NFTA_SECMARK_MAX, 1283 }; 1284 #define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) 1285 1286 /* Max security context length */ 1287 #define NFT_SECMARK_CTX_MAXLEN 256 1288 1289 /** 1290 * enum nft_reject_types - nf_tables reject expression reject types 1291 * 1292 * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable 1293 * @NFT_REJECT_TCP_RST: reject using TCP RST 1294 * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet 1295 */ 1296 enum nft_reject_types { 1297 NFT_REJECT_ICMP_UNREACH, 1298 NFT_REJECT_TCP_RST, 1299 NFT_REJECT_ICMPX_UNREACH, 1300 }; 1301 1302 /** 1303 * enum nft_reject_code - Generic reject codes for IPv4/IPv6 1304 * 1305 * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host / network unreachable 1306 * @NFT_REJECT_ICMPX_PORT_UNREACH: 
port unreachable 1307 * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable 1308 * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited 1309 * 1310 * These codes are mapped to real ICMP and ICMPv6 codes. 1311 */ 1312 enum nft_reject_inet_code { 1313 NFT_REJECT_ICMPX_NO_ROUTE = 0, 1314 NFT_REJECT_ICMPX_PORT_UNREACH, 1315 NFT_REJECT_ICMPX_HOST_UNREACH, 1316 NFT_REJECT_ICMPX_ADMIN_PROHIBITED, 1317 __NFT_REJECT_ICMPX_MAX 1318 }; 1319 #define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX - 1) 1320 1321 /** 1322 * enum nft_reject_attributes - nf_tables reject expression netlink attributes 1323 * 1324 * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types) 1325 * @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8) 1326 */ 1327 enum nft_reject_attributes { 1328 NFTA_REJECT_UNSPEC, 1329 NFTA_REJECT_TYPE, 1330 NFTA_REJECT_ICMP_CODE, 1331 __NFTA_REJECT_MAX 1332 }; 1333 #define NFTA_REJECT_MAX (__NFTA_REJECT_MAX - 1) 1334 1335 /** 1336 * enum nft_nat_types - nf_tables nat expression NAT types 1337 * 1338 * @NFT_NAT_SNAT: source NAT 1339 * @NFT_NAT_DNAT: destination NAT 1340 */ 1341 enum nft_nat_types { 1342 NFT_NAT_SNAT, 1343 NFT_NAT_DNAT, 1344 }; 1345 1346 /** 1347 * enum nft_nat_attributes - nf_tables nat expression netlink attributes 1348 * 1349 * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types) 1350 * @NFTA_NAT_FAMILY: NAT family (NLA_U32) 1351 * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) 1352 * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) 1353 * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) 1354 * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) 1355 * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) 1356 */ 1357 enum nft_nat_attributes { 1358 NFTA_NAT_UNSPEC, 1359 NFTA_NAT_TYPE, 1360 NFTA_NAT_FAMILY, 1361 NFTA_NAT_REG_ADDR_MIN, 1362 NFTA_NAT_REG_ADDR_MAX, 
1363 NFTA_NAT_REG_PROTO_MIN, 1364 NFTA_NAT_REG_PROTO_MAX, 1365 NFTA_NAT_FLAGS, 1366 __NFTA_NAT_MAX 1367 }; 1368 #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) 1369 1370 /** 1371 * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes 1372 * 1373 * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers) 1374 * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers) 1375 * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers) 1376 */ 1377 enum nft_tproxy_attributes { 1378 NFTA_TPROXY_UNSPEC, 1379 NFTA_TPROXY_FAMILY, 1380 NFTA_TPROXY_REG_ADDR, 1381 NFTA_TPROXY_REG_PORT, 1382 __NFTA_TPROXY_MAX 1383 }; 1384 #define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1) 1385 1386 /** 1387 * enum nft_masq_attributes - nf_tables masquerade expression attributes 1388 * 1389 * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) 1390 * @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) 1391 * @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) 1392 */ 1393 enum nft_masq_attributes { 1394 NFTA_MASQ_UNSPEC, 1395 NFTA_MASQ_FLAGS, 1396 NFTA_MASQ_REG_PROTO_MIN, 1397 NFTA_MASQ_REG_PROTO_MAX, 1398 __NFTA_MASQ_MAX 1399 }; 1400 #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1) 1401 1402 /** 1403 * enum nft_redir_attributes - nf_tables redirect expression netlink attributes 1404 * 1405 * @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) 1406 * @NFTA_REDIR_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) 1407 * @NFTA_REDIR_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) 1408 */ 1409 enum nft_redir_attributes { 1410 NFTA_REDIR_UNSPEC, 1411 NFTA_REDIR_REG_PROTO_MIN, 1412 NFTA_REDIR_REG_PROTO_MAX, 1413 NFTA_REDIR_FLAGS, 1414 __NFTA_REDIR_MAX 1415 }; 1416 #define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1) 1417 1418 /** 1419 * enum nft_dup_attributes - nf_tables dup 
expression netlink attributes 1420 * 1421 * @NFTA_DUP_SREG_ADDR: source register of address (NLA_U32: nft_registers) 1422 * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_register) 1423 */ 1424 enum nft_dup_attributes { 1425 NFTA_DUP_UNSPEC, 1426 NFTA_DUP_SREG_ADDR, 1427 NFTA_DUP_SREG_DEV, 1428 __NFTA_DUP_MAX 1429 }; 1430 #define NFTA_DUP_MAX (__NFTA_DUP_MAX - 1) 1431 1432 /** 1433 * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes 1434 * 1435 * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register) 1436 * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register) 1437 * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto) 1438 */ 1439 enum nft_fwd_attributes { 1440 NFTA_FWD_UNSPEC, 1441 NFTA_FWD_SREG_DEV, 1442 NFTA_FWD_SREG_ADDR, 1443 NFTA_FWD_NFPROTO, 1444 __NFTA_FWD_MAX 1445 }; 1446 #define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1) 1447 1448 /** 1449 * enum nft_objref_attributes - nf_tables stateful object expression netlink attributes 1450 * 1451 * @NFTA_OBJREF_IMM_TYPE: object type for immediate reference (NLA_U32: nft_register) 1452 * @NFTA_OBJREF_IMM_NAME: object name for immediate reference (NLA_STRING) 1453 * @NFTA_OBJREF_SET_SREG: source register of the data to look for (NLA_U32: nft_registers) 1454 * @NFTA_OBJREF_SET_NAME: name of the set where to look for (NLA_STRING) 1455 * @NFTA_OBJREF_SET_ID: id of the set where to look for in this transaction (NLA_U32) 1456 */ 1457 enum nft_objref_attributes { 1458 NFTA_OBJREF_UNSPEC, 1459 NFTA_OBJREF_IMM_TYPE, 1460 NFTA_OBJREF_IMM_NAME, 1461 NFTA_OBJREF_SET_SREG, 1462 NFTA_OBJREF_SET_NAME, 1463 NFTA_OBJREF_SET_ID, 1464 __NFTA_OBJREF_MAX 1465 }; 1466 #define NFTA_OBJREF_MAX (__NFTA_OBJREF_MAX - 1) 1467 1468 /** 1469 * enum nft_gen_attributes - nf_tables ruleset generation attributes 1470 * 1471 * @NFTA_GEN_ID: Ruleset generation ID (NLA_U32) 1472 */ 1473 enum nft_gen_attributes { 1474 
NFTA_GEN_UNSPEC, 1475 NFTA_GEN_ID, 1476 NFTA_GEN_PROC_PID, 1477 NFTA_GEN_PROC_NAME, 1478 __NFTA_GEN_MAX 1479 }; 1480 #define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1) 1481 1482 /* 1483 * enum nft_fib_attributes - nf_tables fib expression netlink attributes 1484 * 1485 * @NFTA_FIB_DREG: destination register (NLA_U32) 1486 * @NFTA_FIB_RESULT: desired result (NLA_U32) 1487 * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32) 1488 * 1489 * The FIB expression performs a route lookup according 1490 * to the packet data. 1491 */ 1492 enum nft_fib_attributes { 1493 NFTA_FIB_UNSPEC, 1494 NFTA_FIB_DREG, 1495 NFTA_FIB_RESULT, 1496 NFTA_FIB_FLAGS, 1497 __NFTA_FIB_MAX 1498 }; 1499 #define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1) 1500 1501 enum nft_fib_result { 1502 NFT_FIB_RESULT_UNSPEC, 1503 NFT_FIB_RESULT_OIF, 1504 NFT_FIB_RESULT_OIFNAME, 1505 NFT_FIB_RESULT_ADDRTYPE, 1506 __NFT_FIB_RESULT_MAX 1507 }; 1508 #define NFT_FIB_RESULT_MAX (__NFT_FIB_RESULT_MAX - 1) 1509 1510 enum nft_fib_flags { 1511 NFTA_FIB_F_SADDR = 1 << 0, /* look up src */ 1512 NFTA_FIB_F_DADDR = 1 << 1, /* look up dst */ 1513 NFTA_FIB_F_MARK = 1 << 2, /* use skb->mark */ 1514 NFTA_FIB_F_IIF = 1 << 3, /* restrict to iif */ 1515 NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */ 1516 NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */ 1517 }; 1518 1519 enum nft_ct_helper_attributes { 1520 NFTA_CT_HELPER_UNSPEC, 1521 NFTA_CT_HELPER_NAME, 1522 NFTA_CT_HELPER_L3PROTO, 1523 NFTA_CT_HELPER_L4PROTO, 1524 __NFTA_CT_HELPER_MAX, 1525 }; 1526 #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) 1527 1528 enum nft_ct_timeout_timeout_attributes { 1529 NFTA_CT_TIMEOUT_UNSPEC, 1530 NFTA_CT_TIMEOUT_L3PROTO, 1531 NFTA_CT_TIMEOUT_L4PROTO, 1532 NFTA_CT_TIMEOUT_DATA, 1533 __NFTA_CT_TIMEOUT_MAX, 1534 }; 1535 #define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) 1536 1537 enum nft_ct_expectation_attributes { 1538 NFTA_CT_EXPECT_UNSPEC, 1539 NFTA_CT_EXPECT_L3PROTO, 1540 NFTA_CT_EXPECT_L4PROTO, 1541 NFTA_CT_EXPECT_DPORT, 
1542 NFTA_CT_EXPECT_TIMEOUT, 1543 NFTA_CT_EXPECT_SIZE, 1544 __NFTA_CT_EXPECT_MAX, 1545 }; 1546 #define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1) 1547 1548 #define NFT_OBJECT_UNSPEC 0 1549 #define NFT_OBJECT_COUNTER 1 1550 #define NFT_OBJECT_QUOTA 2 1551 #define NFT_OBJECT_CT_HELPER 3 1552 #define NFT_OBJECT_LIMIT 4 1553 #define NFT_OBJECT_CONNLIMIT 5 1554 #define NFT_OBJECT_TUNNEL 6 1555 #define NFT_OBJECT_CT_TIMEOUT 7 1556 #define NFT_OBJECT_SECMARK 8 1557 #define NFT_OBJECT_CT_EXPECT 9 1558 #define NFT_OBJECT_SYNPROXY 10 1559 #define __NFT_OBJECT_MAX 11 1560 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) 1561 1562 /** 1563 * enum nft_object_attributes - nf_tables stateful object netlink attributes 1564 * 1565 * @NFTA_OBJ_TABLE: name of the table containing the expression (NLA_STRING) 1566 * @NFTA_OBJ_NAME: name of this expression type (NLA_STRING) 1567 * @NFTA_OBJ_TYPE: stateful object type (NLA_U32) 1568 * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED) 1569 * @NFTA_OBJ_USE: number of references to this expression (NLA_U32) 1570 * @NFTA_OBJ_HANDLE: object handle (NLA_U64) 1571 * @NFTA_OBJ_USERDATA: user data (NLA_BINARY) 1572 */ 1573 enum nft_object_attributes { 1574 NFTA_OBJ_UNSPEC, 1575 NFTA_OBJ_TABLE, 1576 NFTA_OBJ_NAME, 1577 NFTA_OBJ_TYPE, 1578 NFTA_OBJ_DATA, 1579 NFTA_OBJ_USE, 1580 NFTA_OBJ_HANDLE, 1581 NFTA_OBJ_PAD, 1582 NFTA_OBJ_USERDATA, 1583 __NFTA_OBJ_MAX 1584 }; 1585 #define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1) 1586 1587 /** 1588 * enum nft_flowtable_flags - nf_tables flowtable flags 1589 * 1590 * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled 1591 * @NFT_FLOWTABLE_COUNTER: enable flow counters 1592 */ 1593 enum nft_flowtable_flags { 1594 NFT_FLOWTABLE_HW_OFFLOAD = 0x1, 1595 NFT_FLOWTABLE_COUNTER = 0x2, 1596 NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD | 1597 NFT_FLOWTABLE_COUNTER) 1598 }; 1599 1600 /** 1601 * enum nft_flowtable_attributes - nf_tables flow table netlink attributes 1602 * 1603 * @NFTA_FLOWTABLE_TABLE: name of the 
table containing the expression (NLA_STRING) 1604 * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) 1605 * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) 1606 * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) 1607 * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) 1608 * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) 1609 */ 1610 enum nft_flowtable_attributes { 1611 NFTA_FLOWTABLE_UNSPEC, 1612 NFTA_FLOWTABLE_TABLE, 1613 NFTA_FLOWTABLE_NAME, 1614 NFTA_FLOWTABLE_HOOK, 1615 NFTA_FLOWTABLE_USE, 1616 NFTA_FLOWTABLE_HANDLE, 1617 NFTA_FLOWTABLE_PAD, 1618 NFTA_FLOWTABLE_FLAGS, 1619 __NFTA_FLOWTABLE_MAX 1620 }; 1621 #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1) 1622 1623 /** 1624 * enum nft_flowtable_hook_attributes - nf_tables flow table hook netlink attributes 1625 * 1626 * @NFTA_FLOWTABLE_HOOK_NUM: netfilter hook number (NLA_U32) 1627 * @NFTA_FLOWTABLE_HOOK_PRIORITY: netfilter hook priority (NLA_U32) 1628 * @NFTA_FLOWTABLE_HOOK_DEVS: input devices this flow table is bound to (NLA_NESTED) 1629 */ 1630 enum nft_flowtable_hook_attributes { 1631 NFTA_FLOWTABLE_HOOK_UNSPEC, 1632 NFTA_FLOWTABLE_HOOK_NUM, 1633 NFTA_FLOWTABLE_HOOK_PRIORITY, 1634 NFTA_FLOWTABLE_HOOK_DEVS, 1635 __NFTA_FLOWTABLE_HOOK_MAX 1636 }; 1637 #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) 1638 1639 /** 1640 * enum nft_osf_attributes - nftables osf expression netlink attributes 1641 * 1642 * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) 1643 * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) 1644 * @NFTA_OSF_FLAGS: flags (NLA_U32) 1645 */ 1646 enum nft_osf_attributes { 1647 NFTA_OSF_UNSPEC, 1648 NFTA_OSF_DREG, 1649 NFTA_OSF_TTL, 1650 NFTA_OSF_FLAGS, 1651 __NFTA_OSF_MAX, 1652 }; 1653 #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) 1654 1655 enum nft_osf_flags { 1656 NFT_OSF_F_VERSION = (1 << 0), 1657 }; 1658 1659 /** 1660 * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes 1661 * 1662 * 
@NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) 1663 * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) 1664 * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) 1665 */ 1666 enum nft_synproxy_attributes { 1667 NFTA_SYNPROXY_UNSPEC, 1668 NFTA_SYNPROXY_MSS, 1669 NFTA_SYNPROXY_WSCALE, 1670 NFTA_SYNPROXY_FLAGS, 1671 __NFTA_SYNPROXY_MAX, 1672 }; 1673 #define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) 1674 1675 /** 1676 * enum nft_device_attributes - nf_tables device netlink attributes 1677 * 1678 * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) 1679 */ 1680 enum nft_devices_attributes { 1681 NFTA_DEVICE_UNSPEC, 1682 NFTA_DEVICE_NAME, 1683 __NFTA_DEVICE_MAX 1684 }; 1685 #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) 1686 1687 /* 1688 * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes 1689 * 1690 * @NFTA_XFRM_DREG: destination register (NLA_U32) 1691 * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32) 1692 * @NFTA_XFRM_DIR: direction (NLA_U8) 1693 * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32) 1694 */ 1695 enum nft_xfrm_attributes { 1696 NFTA_XFRM_UNSPEC, 1697 NFTA_XFRM_DREG, 1698 NFTA_XFRM_KEY, 1699 NFTA_XFRM_DIR, 1700 NFTA_XFRM_SPNUM, 1701 __NFTA_XFRM_MAX 1702 }; 1703 #define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1) 1704 1705 enum nft_xfrm_keys { 1706 NFT_XFRM_KEY_UNSPEC, 1707 NFT_XFRM_KEY_DADDR_IP4, 1708 NFT_XFRM_KEY_DADDR_IP6, 1709 NFT_XFRM_KEY_SADDR_IP4, 1710 NFT_XFRM_KEY_SADDR_IP6, 1711 NFT_XFRM_KEY_REQID, 1712 NFT_XFRM_KEY_SPI, 1713 __NFT_XFRM_KEY_MAX, 1714 }; 1715 #define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1) 1716 1717 /** 1718 * enum nft_trace_attributes - nf_tables trace netlink attributes 1719 * 1720 * @NFTA_TRACE_TABLE: name of the table (NLA_STRING) 1721 * @NFTA_TRACE_CHAIN: name of the chain (NLA_STRING) 1722 * @NFTA_TRACE_RULE_HANDLE: numeric handle of the rule (NLA_U64) 1723 * @NFTA_TRACE_TYPE: type of the event (NLA_U32: nft_trace_types) 1724 * @NFTA_TRACE_VERDICT: verdict returned by hook (NLA_NESTED: nft_verdicts) 
1725 * @NFTA_TRACE_ID: pseudo-id, same for each skb traced (NLA_U32) 1726 * @NFTA_TRACE_LL_HEADER: linklayer header (NLA_BINARY) 1727 * @NFTA_TRACE_NETWORK_HEADER: network header (NLA_BINARY) 1728 * @NFTA_TRACE_TRANSPORT_HEADER: transport header (NLA_BINARY) 1729 * @NFTA_TRACE_IIF: indev ifindex (NLA_U32) 1730 * @NFTA_TRACE_IIFTYPE: netdev->type of indev (NLA_U16) 1731 * @NFTA_TRACE_OIF: outdev ifindex (NLA_U32) 1732 * @NFTA_TRACE_OIFTYPE: netdev->type of outdev (NLA_U16) 1733 * @NFTA_TRACE_MARK: nfmark (NLA_U32) 1734 * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32) 1735 * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32) 1736 */ 1737 enum nft_trace_attributes { 1738 NFTA_TRACE_UNSPEC, 1739 NFTA_TRACE_TABLE, 1740 NFTA_TRACE_CHAIN, 1741 NFTA_TRACE_RULE_HANDLE, 1742 NFTA_TRACE_TYPE, 1743 NFTA_TRACE_VERDICT, 1744 NFTA_TRACE_ID, 1745 NFTA_TRACE_LL_HEADER, 1746 NFTA_TRACE_NETWORK_HEADER, 1747 NFTA_TRACE_TRANSPORT_HEADER, 1748 NFTA_TRACE_IIF, 1749 NFTA_TRACE_IIFTYPE, 1750 NFTA_TRACE_OIF, 1751 NFTA_TRACE_OIFTYPE, 1752 NFTA_TRACE_MARK, 1753 NFTA_TRACE_NFPROTO, 1754 NFTA_TRACE_POLICY, 1755 NFTA_TRACE_PAD, 1756 __NFTA_TRACE_MAX 1757 }; 1758 #define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1) 1759 1760 enum nft_trace_types { 1761 NFT_TRACETYPE_UNSPEC, 1762 NFT_TRACETYPE_POLICY, 1763 NFT_TRACETYPE_RETURN, 1764 NFT_TRACETYPE_RULE, 1765 __NFT_TRACETYPE_MAX 1766 }; 1767 #define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1) 1768 1769 /** 1770 * enum nft_ng_attributes - nf_tables number generator expression netlink attributes 1771 * 1772 * @NFTA_NG_DREG: destination register (NLA_U32) 1773 * @NFTA_NG_MODULUS: maximum counter value (NLA_U32) 1774 * @NFTA_NG_TYPE: operation type (NLA_U32) 1775 * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32) 1776 * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING) 1777 * @NFTA_NG_SET_ID: id of the map (NLA_U32) 1778 */ 1779 enum nft_ng_attributes { 1780 NFTA_NG_UNSPEC, 1781 NFTA_NG_DREG, 1782 NFTA_NG_MODULUS, 1783 
NFTA_NG_TYPE, 1784 NFTA_NG_OFFSET, 1785 NFTA_NG_SET_NAME, /* deprecated */ 1786 NFTA_NG_SET_ID, /* deprecated */ 1787 __NFTA_NG_MAX 1788 }; 1789 #define NFTA_NG_MAX (__NFTA_NG_MAX - 1) 1790 1791 enum nft_ng_types { 1792 NFT_NG_INCREMENTAL, 1793 NFT_NG_RANDOM, 1794 __NFT_NG_MAX 1795 }; 1796 #define NFT_NG_MAX (__NFT_NG_MAX - 1) 1797 1798 enum nft_tunnel_key_ip_attributes { 1799 NFTA_TUNNEL_KEY_IP_UNSPEC, 1800 NFTA_TUNNEL_KEY_IP_SRC, 1801 NFTA_TUNNEL_KEY_IP_DST, 1802 __NFTA_TUNNEL_KEY_IP_MAX 1803 }; 1804 #define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1) 1805 1806 enum nft_tunnel_ip6_attributes { 1807 NFTA_TUNNEL_KEY_IP6_UNSPEC, 1808 NFTA_TUNNEL_KEY_IP6_SRC, 1809 NFTA_TUNNEL_KEY_IP6_DST, 1810 NFTA_TUNNEL_KEY_IP6_FLOWLABEL, 1811 __NFTA_TUNNEL_KEY_IP6_MAX 1812 }; 1813 #define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1) 1814 1815 enum nft_tunnel_opts_attributes { 1816 NFTA_TUNNEL_KEY_OPTS_UNSPEC, 1817 NFTA_TUNNEL_KEY_OPTS_VXLAN, 1818 NFTA_TUNNEL_KEY_OPTS_ERSPAN, 1819 NFTA_TUNNEL_KEY_OPTS_GENEVE, 1820 __NFTA_TUNNEL_KEY_OPTS_MAX 1821 }; 1822 #define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1) 1823 1824 enum nft_tunnel_opts_vxlan_attributes { 1825 NFTA_TUNNEL_KEY_VXLAN_UNSPEC, 1826 NFTA_TUNNEL_KEY_VXLAN_GBP, 1827 __NFTA_TUNNEL_KEY_VXLAN_MAX 1828 }; 1829 #define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1) 1830 1831 enum nft_tunnel_opts_erspan_attributes { 1832 NFTA_TUNNEL_KEY_ERSPAN_UNSPEC, 1833 NFTA_TUNNEL_KEY_ERSPAN_VERSION, 1834 NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX, 1835 NFTA_TUNNEL_KEY_ERSPAN_V2_HWID, 1836 NFTA_TUNNEL_KEY_ERSPAN_V2_DIR, 1837 __NFTA_TUNNEL_KEY_ERSPAN_MAX 1838 }; 1839 #define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1) 1840 1841 enum nft_tunnel_opts_geneve_attributes { 1842 NFTA_TUNNEL_KEY_GENEVE_UNSPEC, 1843 NFTA_TUNNEL_KEY_GENEVE_CLASS, 1844 NFTA_TUNNEL_KEY_GENEVE_TYPE, 1845 NFTA_TUNNEL_KEY_GENEVE_DATA, 1846 __NFTA_TUNNEL_KEY_GENEVE_MAX 1847 }; 1848 #define NFTA_TUNNEL_KEY_GENEVE_MAX 
(__NFTA_TUNNEL_KEY_GENEVE_MAX - 1) 1849 1850 enum nft_tunnel_flags { 1851 NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0), 1852 NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1), 1853 NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2), 1854 }; 1855 #define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \ 1856 NFT_TUNNEL_F_DONT_FRAGMENT | \ 1857 NFT_TUNNEL_F_SEQ_NUMBER) 1858 1859 enum nft_tunnel_key_attributes { 1860 NFTA_TUNNEL_KEY_UNSPEC, 1861 NFTA_TUNNEL_KEY_ID, 1862 NFTA_TUNNEL_KEY_IP, 1863 NFTA_TUNNEL_KEY_IP6, 1864 NFTA_TUNNEL_KEY_FLAGS, 1865 NFTA_TUNNEL_KEY_TOS, 1866 NFTA_TUNNEL_KEY_TTL, 1867 NFTA_TUNNEL_KEY_SPORT, 1868 NFTA_TUNNEL_KEY_DPORT, 1869 NFTA_TUNNEL_KEY_OPTS, 1870 __NFTA_TUNNEL_KEY_MAX 1871 }; 1872 #define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1) 1873 1874 enum nft_tunnel_keys { 1875 NFT_TUNNEL_PATH, 1876 NFT_TUNNEL_ID, 1877 __NFT_TUNNEL_MAX 1878 }; 1879 #define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) 1880 1881 enum nft_tunnel_mode { 1882 NFT_TUNNEL_MODE_NONE, 1883 NFT_TUNNEL_MODE_RX, 1884 NFT_TUNNEL_MODE_TX, 1885 __NFT_TUNNEL_MODE_MAX 1886 }; 1887 #define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1) 1888 1889 enum nft_tunnel_attributes { 1890 NFTA_TUNNEL_UNSPEC, 1891 NFTA_TUNNEL_KEY, 1892 NFTA_TUNNEL_DREG, 1893 NFTA_TUNNEL_MODE, 1894 __NFTA_TUNNEL_MAX 1895 }; 1896 #define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1) 1897 1898 #endif /* _LINUX_NF_TABLES_H */ 1899