1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _NET_NF_TABLES_H
3 #define _NET_NF_TABLES_H
4
5 #include <asm/unaligned.h>
6 #include <linux/list.h>
7 #include <linux/netfilter.h>
8 #include <linux/netfilter/nfnetlink.h>
9 #include <linux/netfilter/x_tables.h>
10 #include <linux/netfilter/nf_tables.h>
11 #include <linux/u64_stats_sync.h>
12 #include <linux/rhashtable.h>
13 #include <net/netfilter/nf_flow_table.h>
14 #include <net/netlink.h>
15 #include <net/flow_offload.h>
16
17 #define NFT_MAX_HOOKS (NF_INET_INGRESS + 1)
18
19 struct module;
20
21 #define NFT_JUMP_STACK_SIZE 16
22
23 struct nft_pktinfo {
24 struct sk_buff *skb;
25 bool tprot_set;
26 u8 tprot;
27 /* for x_tables compatibility */
28 struct xt_action_param xt;
29 };
30
nft_sk(const struct nft_pktinfo * pkt)31 static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)
32 {
33 return pkt->xt.state->sk;
34 }
35
nft_thoff(const struct nft_pktinfo * pkt)36 static inline unsigned int nft_thoff(const struct nft_pktinfo *pkt)
37 {
38 return pkt->xt.thoff;
39 }
40
nft_net(const struct nft_pktinfo * pkt)41 static inline struct net *nft_net(const struct nft_pktinfo *pkt)
42 {
43 return pkt->xt.state->net;
44 }
45
nft_hook(const struct nft_pktinfo * pkt)46 static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
47 {
48 return pkt->xt.state->hook;
49 }
50
nft_pf(const struct nft_pktinfo * pkt)51 static inline u8 nft_pf(const struct nft_pktinfo *pkt)
52 {
53 return pkt->xt.state->pf;
54 }
55
nft_in(const struct nft_pktinfo * pkt)56 static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
57 {
58 return pkt->xt.state->in;
59 }
60
nft_out(const struct nft_pktinfo * pkt)61 static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
62 {
63 return pkt->xt.state->out;
64 }
65
nft_set_pktinfo(struct nft_pktinfo * pkt,struct sk_buff * skb,const struct nf_hook_state * state)66 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
67 struct sk_buff *skb,
68 const struct nf_hook_state *state)
69 {
70 pkt->skb = skb;
71 pkt->xt.state = state;
72 }
73
nft_set_pktinfo_unspec(struct nft_pktinfo * pkt,struct sk_buff * skb)74 static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
75 struct sk_buff *skb)
76 {
77 pkt->tprot_set = false;
78 pkt->tprot = 0;
79 pkt->xt.thoff = 0;
80 pkt->xt.fragoff = 0;
81 }
82
83 /**
84 * struct nft_verdict - nf_tables verdict
85 *
86 * @code: nf_tables/netfilter verdict code
87 * @chain: destination chain for NFT_JUMP/NFT_GOTO
88 */
89 struct nft_verdict {
90 u32 code;
91 struct nft_chain *chain;
92 };
93
94 struct nft_data {
95 union {
96 u32 data[4];
97 struct nft_verdict verdict;
98 };
99 } __attribute__((aligned(__alignof__(u64))));
100
101 /**
102 * struct nft_regs - nf_tables register set
103 *
104 * @data: data registers
105 * @verdict: verdict register
106 *
107 * The first four data registers alias to the verdict register.
108 */
109 struct nft_regs {
110 union {
111 u32 data[20];
112 struct nft_verdict verdict;
113 };
114 };
115
116 /* Store/load an u8, u16 or u64 integer to/from the u32 data register.
117 *
118 * Note, when using concatenations, register allocation happens at 32-bit
119 * level. So for store instruction, pad the rest part with zero to avoid
120 * garbage values.
121 */
122
nft_reg_store8(u32 * dreg,u8 val)123 static inline void nft_reg_store8(u32 *dreg, u8 val)
124 {
125 *dreg = 0;
126 *(u8 *)dreg = val;
127 }
128
nft_reg_load8(const u32 * sreg)129 static inline u8 nft_reg_load8(const u32 *sreg)
130 {
131 return *(u8 *)sreg;
132 }
133
nft_reg_store16(u32 * dreg,u16 val)134 static inline void nft_reg_store16(u32 *dreg, u16 val)
135 {
136 *dreg = 0;
137 *(u16 *)dreg = val;
138 }
139
nft_reg_load16(const u32 * sreg)140 static inline u16 nft_reg_load16(const u32 *sreg)
141 {
142 return *(u16 *)sreg;
143 }
144
nft_reg_store64(u64 * dreg,u64 val)145 static inline void nft_reg_store64(u64 *dreg, u64 val)
146 {
147 put_unaligned(val, dreg);
148 }
149
nft_reg_load64(const u32 * sreg)150 static inline u64 nft_reg_load64(const u32 *sreg)
151 {
152 return get_unaligned((u64 *)sreg);
153 }
154
nft_data_copy(u32 * dst,const struct nft_data * src,unsigned int len)155 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
156 unsigned int len)
157 {
158 if (len % NFT_REG32_SIZE)
159 dst[len / NFT_REG32_SIZE] = 0;
160 memcpy(dst, src, len);
161 }
162
163 /**
164 * struct nft_ctx - nf_tables rule/set context
165 *
166 * @net: net namespace
167 * @table: the table the chain is contained in
168 * @chain: the chain the rule is contained in
169 * @nla: netlink attributes
170 * @portid: netlink portID of the original message
171 * @seq: netlink sequence number
172 * @family: protocol family
173 * @level: depth of the chains
174 * @report: notify via unicast netlink message
175 */
176 struct nft_ctx {
177 struct net *net;
178 struct nft_table *table;
179 struct nft_chain *chain;
180 const struct nlattr * const *nla;
181 u32 portid;
182 u32 seq;
183 u16 flags;
184 u8 family;
185 u8 level;
186 bool report;
187 };
188
189 enum nft_data_desc_flags {
190 NFT_DATA_DESC_SETELEM = (1 << 0),
191 };
192
193 struct nft_data_desc {
194 enum nft_data_types type;
195 unsigned int size;
196 unsigned int len;
197 unsigned int flags;
198 };
199
200 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
201 struct nft_data_desc *desc, const struct nlattr *nla);
202 void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
203 void nft_data_release(const struct nft_data *data, enum nft_data_types type);
204 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
205 enum nft_data_types type, unsigned int len);
206
nft_dreg_to_type(enum nft_registers reg)207 static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
208 {
209 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
210 }
211
nft_type_to_reg(enum nft_data_types type)212 static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
213 {
214 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
215 }
216
217 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
218 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
219
220 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
221 int nft_parse_register_store(const struct nft_ctx *ctx,
222 const struct nlattr *attr, u8 *dreg,
223 const struct nft_data *data,
224 enum nft_data_types type, unsigned int len);
225
226 /**
227 * struct nft_userdata - user defined data associated with an object
228 *
229 * @len: length of the data
230 * @data: content
231 *
232 * The presence of user data is indicated in an object specific fashion,
233 * so a length of zero can't occur and the value "len" indicates data
234 * of length len + 1.
235 */
236 struct nft_userdata {
237 u8 len;
238 unsigned char data[];
239 };
240
241 /**
242 * struct nft_set_elem - generic representation of set elements
243 *
244 * @key: element key
245 * @key_end: closing element key
246 * @priv: element private data and extensions
247 */
248 struct nft_set_elem {
249 union {
250 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
251 struct nft_data val;
252 } key;
253 union {
254 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
255 struct nft_data val;
256 } key_end;
257 union {
258 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
259 struct nft_data val;
260 } data;
261 void *priv;
262 };
263
264 struct nft_set;
265 struct nft_set_iter {
266 u8 genmask;
267 unsigned int count;
268 unsigned int skip;
269 int err;
270 int (*fn)(const struct nft_ctx *ctx,
271 struct nft_set *set,
272 const struct nft_set_iter *iter,
273 struct nft_set_elem *elem);
274 };
275
276 /**
277 * struct nft_set_desc - description of set elements
278 *
279 * @klen: key length
280 * @dlen: data length
281 * @size: number of set elements
282 * @field_len: length of each field in concatenation, bytes
283 * @field_count: number of concatenated fields in element
284 * @expr: set must support for expressions
285 */
286 struct nft_set_desc {
287 unsigned int klen;
288 unsigned int dlen;
289 unsigned int size;
290 u8 field_len[NFT_REG32_COUNT];
291 u8 field_count;
292 bool expr;
293 };
294
295 /**
296 * enum nft_set_class - performance class
297 *
298 * @NFT_LOOKUP_O_1: constant, O(1)
299 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
300 * @NFT_LOOKUP_O_N: linear, O(N)
301 */
302 enum nft_set_class {
303 NFT_SET_CLASS_O_1,
304 NFT_SET_CLASS_O_LOG_N,
305 NFT_SET_CLASS_O_N,
306 };
307
308 /**
309 * struct nft_set_estimate - estimation of memory and performance
310 * characteristics
311 *
312 * @size: required memory
313 * @lookup: lookup performance class
314 * @space: memory class
315 */
316 struct nft_set_estimate {
317 u64 size;
318 enum nft_set_class lookup;
319 enum nft_set_class space;
320 };
321
322 struct nft_set_ext;
323 struct nft_expr;
324
325 /**
326 * struct nft_set_ops - nf_tables set operations
327 *
328 * @lookup: look up an element within the set
329 * @update: update an element if exists, add it if doesn't exist
330 * @delete: delete an element
331 * @insert: insert new element into set
332 * @activate: activate new element in the next generation
333 * @deactivate: lookup for element and deactivate it in the next generation
334 * @flush: deactivate element in the next generation
335 * @remove: remove element from set
336 * @walk: iterate over all set elements
337 * @get: get set elements
338 * @privsize: function to return size of set private data
339 * @init: initialize private data of new set instance
340 * @destroy: destroy private data of set instance
341 * @elemsize: element private size
342 *
343 * Operations lookup, update and delete have simpler interfaces, are faster
344 * and currently only used in the packet path. All the rest are slower,
345 * control plane functions.
346 */
347 struct nft_set_ops {
348 bool (*lookup)(const struct net *net,
349 const struct nft_set *set,
350 const u32 *key,
351 const struct nft_set_ext **ext);
352 bool (*update)(struct nft_set *set,
353 const u32 *key,
354 void *(*new)(struct nft_set *,
355 const struct nft_expr *,
356 struct nft_regs *),
357 const struct nft_expr *expr,
358 struct nft_regs *regs,
359 const struct nft_set_ext **ext);
360 bool (*delete)(const struct nft_set *set,
361 const u32 *key);
362
363 int (*insert)(const struct net *net,
364 const struct nft_set *set,
365 const struct nft_set_elem *elem,
366 struct nft_set_ext **ext);
367 void (*activate)(const struct net *net,
368 const struct nft_set *set,
369 const struct nft_set_elem *elem);
370 void * (*deactivate)(const struct net *net,
371 const struct nft_set *set,
372 const struct nft_set_elem *elem);
373 bool (*flush)(const struct net *net,
374 const struct nft_set *set,
375 void *priv);
376 void (*remove)(const struct net *net,
377 const struct nft_set *set,
378 const struct nft_set_elem *elem);
379 void (*walk)(const struct nft_ctx *ctx,
380 struct nft_set *set,
381 struct nft_set_iter *iter);
382 void * (*get)(const struct net *net,
383 const struct nft_set *set,
384 const struct nft_set_elem *elem,
385 unsigned int flags);
386 void (*commit)(const struct nft_set *set);
387 void (*abort)(const struct nft_set *set);
388 u64 (*privsize)(const struct nlattr * const nla[],
389 const struct nft_set_desc *desc);
390 bool (*estimate)(const struct nft_set_desc *desc,
391 u32 features,
392 struct nft_set_estimate *est);
393 int (*init)(const struct nft_set *set,
394 const struct nft_set_desc *desc,
395 const struct nlattr * const nla[]);
396 void (*destroy)(const struct nft_ctx *ctx,
397 const struct nft_set *set);
398 void (*gc_init)(const struct nft_set *set);
399
400 unsigned int elemsize;
401 };
402
403 /**
404 * struct nft_set_type - nf_tables set type
405 *
406 * @ops: set ops for this type
407 * @features: features supported by the implementation
408 */
409 struct nft_set_type {
410 const struct nft_set_ops ops;
411 u32 features;
412 };
413 #define to_set_type(o) container_of(o, struct nft_set_type, ops)
414
415 /**
416 * struct nft_set - nf_tables set instance
417 *
418 * @list: table set list node
419 * @bindings: list of set bindings
420 * @refs: internal refcounting for async set destruction
421 * @table: table this set belongs to
422 * @net: netnamespace this set belongs to
423 * @name: name of the set
424 * @handle: unique handle of the set
425 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
426 * @dtype: data type (verdict or numeric type defined by userspace)
427 * @objtype: object type (see NFT_OBJECT_* definitions)
428 * @size: maximum set size
429 * @field_len: length of each field in concatenation, bytes
430 * @field_count: number of concatenated fields in element
431 * @use: number of rules references to this set
432 * @nelems: number of elements
433 * @ndeact: number of deactivated elements queued for removal
434 * @timeout: default timeout value in jiffies
435 * @gc_int: garbage collection interval in msecs
436 * @policy: set parameterization (see enum nft_set_policies)
437 * @udlen: user data length
438 * @udata: user data
439 * @expr: stateful expression
440 * @ops: set ops
441 * @flags: set flags
442 * @dead: set will be freed, never cleared
443 * @genmask: generation mask
444 * @klen: key length
445 * @dlen: data length
446 * @data: private set data
447 */
448 struct nft_set {
449 struct list_head list;
450 struct list_head bindings;
451 refcount_t refs;
452 struct nft_table *table;
453 possible_net_t net;
454 char *name;
455 u64 handle;
456 u32 ktype;
457 u32 dtype;
458 u32 objtype;
459 u32 size;
460 u8 field_len[NFT_REG32_COUNT];
461 u8 field_count;
462 u32 use;
463 atomic_t nelems;
464 u32 ndeact;
465 u64 timeout;
466 u32 gc_int;
467 u16 policy;
468 u16 udlen;
469 unsigned char *udata;
470 struct nft_expr *expr;
471 struct list_head pending_update;
472 /* runtime data below here */
473 const struct nft_set_ops *ops ____cacheline_aligned;
474 u16 flags:13,
475 dead:1,
476 genmask:2;
477 u8 klen;
478 u8 dlen;
479 unsigned char data[]
480 __attribute__((aligned(__alignof__(u64))));
481 };
482
nft_set_is_anonymous(const struct nft_set * set)483 static inline bool nft_set_is_anonymous(const struct nft_set *set)
484 {
485 return set->flags & NFT_SET_ANONYMOUS;
486 }
487
nft_set_priv(const struct nft_set * set)488 static inline void *nft_set_priv(const struct nft_set *set)
489 {
490 return (void *)set->data;
491 }
492
nft_set_gc_is_pending(const struct nft_set * s)493 static inline bool nft_set_gc_is_pending(const struct nft_set *s)
494 {
495 return refcount_read(&s->refs) != 1;
496 }
497
nft_set_container_of(const void * priv)498 static inline struct nft_set *nft_set_container_of(const void *priv)
499 {
500 return (void *)priv - offsetof(struct nft_set, data);
501 }
502
503 struct nft_set *nft_set_lookup_global(const struct net *net,
504 const struct nft_table *table,
505 const struct nlattr *nla_set_name,
506 const struct nlattr *nla_set_id,
507 u8 genmask);
508
nft_set_gc_interval(const struct nft_set * set)509 static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
510 {
511 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
512 }
513
514 /**
515 * struct nft_set_binding - nf_tables set binding
516 *
517 * @list: set bindings list node
518 * @chain: chain containing the rule bound to the set
519 * @flags: set action flags
520 *
521 * A set binding contains all information necessary for validation
522 * of new elements added to a bound set.
523 */
524 struct nft_set_binding {
525 struct list_head list;
526 const struct nft_chain *chain;
527 u32 flags;
528 };
529
530 enum nft_trans_phase;
531 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);
532 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
533 struct nft_set_binding *binding,
534 enum nft_trans_phase phase);
535 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
536 struct nft_set_binding *binding);
537 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
538
539 /**
540 * enum nft_set_extensions - set extension type IDs
541 *
542 * @NFT_SET_EXT_KEY: element key
543 * @NFT_SET_EXT_KEY_END: upper bound element key, for ranges
544 * @NFT_SET_EXT_DATA: mapping data
545 * @NFT_SET_EXT_FLAGS: element flags
546 * @NFT_SET_EXT_TIMEOUT: element timeout
547 * @NFT_SET_EXT_EXPIRATION: element expiration time
548 * @NFT_SET_EXT_USERDATA: user data associated with the element
549 * @NFT_SET_EXT_EXPR: expression assiociated with the element
550 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element
551 * @NFT_SET_EXT_NUM: number of extension types
552 */
553 enum nft_set_extensions {
554 NFT_SET_EXT_KEY,
555 NFT_SET_EXT_KEY_END,
556 NFT_SET_EXT_DATA,
557 NFT_SET_EXT_FLAGS,
558 NFT_SET_EXT_TIMEOUT,
559 NFT_SET_EXT_EXPIRATION,
560 NFT_SET_EXT_USERDATA,
561 NFT_SET_EXT_EXPR,
562 NFT_SET_EXT_OBJREF,
563 NFT_SET_EXT_NUM
564 };
565
566 /**
567 * struct nft_set_ext_type - set extension type
568 *
569 * @len: fixed part length of the extension
570 * @align: alignment requirements of the extension
571 */
572 struct nft_set_ext_type {
573 u8 len;
574 u8 align;
575 };
576
577 extern const struct nft_set_ext_type nft_set_ext_types[];
578
579 /**
580 * struct nft_set_ext_tmpl - set extension template
581 *
582 * @len: length of extension area
583 * @offset: offsets of individual extension types
584 */
585 struct nft_set_ext_tmpl {
586 u16 len;
587 u8 offset[NFT_SET_EXT_NUM];
588 };
589
590 /**
591 * struct nft_set_ext - set extensions
592 *
593 * @genmask: generation mask
594 * @offset: offsets of individual extension types
595 * @data: beginning of extension data
596 */
597 struct nft_set_ext {
598 u8 genmask;
599 u8 offset[NFT_SET_EXT_NUM];
600 char data[];
601 };
602
nft_set_ext_prepare(struct nft_set_ext_tmpl * tmpl)603 static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
604 {
605 memset(tmpl, 0, sizeof(*tmpl));
606 tmpl->len = sizeof(struct nft_set_ext);
607 }
608
nft_set_ext_add_length(struct nft_set_ext_tmpl * tmpl,u8 id,unsigned int len)609 static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
610 unsigned int len)
611 {
612 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align);
613 BUG_ON(tmpl->len > U8_MAX);
614 tmpl->offset[id] = tmpl->len;
615 tmpl->len += nft_set_ext_types[id].len + len;
616 }
617
nft_set_ext_add(struct nft_set_ext_tmpl * tmpl,u8 id)618 static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
619 {
620 nft_set_ext_add_length(tmpl, id, 0);
621 }
622
nft_set_ext_init(struct nft_set_ext * ext,const struct nft_set_ext_tmpl * tmpl)623 static inline void nft_set_ext_init(struct nft_set_ext *ext,
624 const struct nft_set_ext_tmpl *tmpl)
625 {
626 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
627 }
628
__nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)629 static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
630 {
631 return !!ext->offset[id];
632 }
633
nft_set_ext_exists(const struct nft_set_ext * ext,u8 id)634 static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
635 {
636 return ext && __nft_set_ext_exists(ext, id);
637 }
638
nft_set_ext(const struct nft_set_ext * ext,u8 id)639 static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
640 {
641 return (void *)ext + ext->offset[id];
642 }
643
nft_set_ext_key(const struct nft_set_ext * ext)644 static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
645 {
646 return nft_set_ext(ext, NFT_SET_EXT_KEY);
647 }
648
nft_set_ext_key_end(const struct nft_set_ext * ext)649 static inline struct nft_data *nft_set_ext_key_end(const struct nft_set_ext *ext)
650 {
651 return nft_set_ext(ext, NFT_SET_EXT_KEY_END);
652 }
653
nft_set_ext_data(const struct nft_set_ext * ext)654 static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
655 {
656 return nft_set_ext(ext, NFT_SET_EXT_DATA);
657 }
658
nft_set_ext_flags(const struct nft_set_ext * ext)659 static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
660 {
661 return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
662 }
663
nft_set_ext_timeout(const struct nft_set_ext * ext)664 static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
665 {
666 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
667 }
668
nft_set_ext_expiration(const struct nft_set_ext * ext)669 static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
670 {
671 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
672 }
673
nft_set_ext_userdata(const struct nft_set_ext * ext)674 static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
675 {
676 return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
677 }
678
nft_set_ext_expr(const struct nft_set_ext * ext)679 static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
680 {
681 return nft_set_ext(ext, NFT_SET_EXT_EXPR);
682 }
683
nft_set_elem_expired(const struct nft_set_ext * ext)684 static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
685 {
686 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
687 time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
688 }
689
nft_set_elem_ext(const struct nft_set * set,void * elem)690 static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
691 void *elem)
692 {
693 return elem + set->ops->elemsize;
694 }
695
nft_set_ext_obj(const struct nft_set_ext * ext)696 static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
697 {
698 return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
699 }
700
701 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
702 const struct nft_set *set,
703 const struct nlattr *attr);
704
705 void *nft_set_elem_init(const struct nft_set *set,
706 const struct nft_set_ext_tmpl *tmpl,
707 const u32 *key, const u32 *key_end, const u32 *data,
708 u64 timeout, u64 expiration, gfp_t gfp);
709 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
710 bool destroy_expr);
711 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
712 const struct nft_set *set, void *elem);
713
714 struct nft_expr_ops;
715 /**
716 * struct nft_expr_type - nf_tables expression type
717 *
718 * @select_ops: function to select nft_expr_ops
719 * @release_ops: release nft_expr_ops
720 * @ops: default ops, used when no select_ops functions is present
721 * @list: used internally
722 * @name: Identifier
723 * @owner: module reference
724 * @policy: netlink attribute policy
725 * @maxattr: highest netlink attribute number
726 * @family: address family for AF-specific types
727 * @flags: expression type flags
728 */
729 struct nft_expr_type {
730 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
731 const struct nlattr * const tb[]);
732 void (*release_ops)(const struct nft_expr_ops *ops);
733 const struct nft_expr_ops *ops;
734 struct list_head list;
735 const char *name;
736 struct module *owner;
737 const struct nla_policy *policy;
738 unsigned int maxattr;
739 u8 family;
740 u8 flags;
741 };
742
743 #define NFT_EXPR_STATEFUL 0x1
744 #define NFT_EXPR_GC 0x2
745
746 enum nft_trans_phase {
747 NFT_TRANS_PREPARE,
748 NFT_TRANS_PREPARE_ERROR,
749 NFT_TRANS_ABORT,
750 NFT_TRANS_COMMIT,
751 NFT_TRANS_RELEASE
752 };
753
754 struct nft_flow_rule;
755 struct nft_offload_ctx;
756
757 /**
758 * struct nft_expr_ops - nf_tables expression operations
759 *
760 * @eval: Expression evaluation function
761 * @size: full expression size, including private data size
762 * @init: initialization function
763 * @activate: activate expression in the next generation
764 * @deactivate: deactivate expression in next generation
765 * @destroy: destruction function, called after synchronize_rcu
766 * @dump: function to dump parameters
767 * @type: expression type
768 * @validate: validate expression, called during loop detection
769 * @data: extra data to attach to this expression operation
770 */
771 struct nft_expr;
772 struct nft_expr_ops {
773 void (*eval)(const struct nft_expr *expr,
774 struct nft_regs *regs,
775 const struct nft_pktinfo *pkt);
776 int (*clone)(struct nft_expr *dst,
777 const struct nft_expr *src);
778 unsigned int size;
779
780 int (*init)(const struct nft_ctx *ctx,
781 const struct nft_expr *expr,
782 const struct nlattr * const tb[]);
783 void (*activate)(const struct nft_ctx *ctx,
784 const struct nft_expr *expr);
785 void (*deactivate)(const struct nft_ctx *ctx,
786 const struct nft_expr *expr,
787 enum nft_trans_phase phase);
788 void (*destroy)(const struct nft_ctx *ctx,
789 const struct nft_expr *expr);
790 void (*destroy_clone)(const struct nft_ctx *ctx,
791 const struct nft_expr *expr);
792 int (*dump)(struct sk_buff *skb,
793 const struct nft_expr *expr);
794 int (*validate)(const struct nft_ctx *ctx,
795 const struct nft_expr *expr,
796 const struct nft_data **data);
797 bool (*gc)(struct net *net,
798 const struct nft_expr *expr);
799 int (*offload)(struct nft_offload_ctx *ctx,
800 struct nft_flow_rule *flow,
801 const struct nft_expr *expr);
802 bool (*offload_action)(const struct nft_expr *expr);
803 const struct nft_expr_type *type;
804 void *data;
805 };
806
807 #define NFT_EXPR_MAXATTR 16
808 #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
809 ALIGN(size, __alignof__(struct nft_expr)))
810
811 /**
812 * struct nft_expr - nf_tables expression
813 *
814 * @ops: expression ops
815 * @data: expression private data
816 */
817 struct nft_expr {
818 const struct nft_expr_ops *ops;
819 unsigned char data[]
820 __attribute__((aligned(__alignof__(u64))));
821 };
822
nft_expr_priv(const struct nft_expr * expr)823 static inline void *nft_expr_priv(const struct nft_expr *expr)
824 {
825 return (void *)expr->data;
826 }
827
828 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
829 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
830 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
831 const struct nft_expr *expr);
832
833 /**
834 * struct nft_rule - nf_tables rule
835 *
836 * @list: used internally
837 * @handle: rule handle
838 * @genmask: generation mask
839 * @dlen: length of expression data
840 * @udata: user data is appended to the rule
841 * @data: expression data
842 */
843 struct nft_rule {
844 struct list_head list;
845 u64 handle:42,
846 genmask:2,
847 dlen:12,
848 udata:1;
849 unsigned char data[]
850 __attribute__((aligned(__alignof__(struct nft_expr))));
851 };
852
nft_expr_first(const struct nft_rule * rule)853 static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
854 {
855 return (struct nft_expr *)&rule->data[0];
856 }
857
nft_expr_next(const struct nft_expr * expr)858 static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
859 {
860 return ((void *)expr) + expr->ops->size;
861 }
862
nft_expr_last(const struct nft_rule * rule)863 static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
864 {
865 return (struct nft_expr *)&rule->data[rule->dlen];
866 }
867
nft_expr_more(const struct nft_rule * rule,const struct nft_expr * expr)868 static inline bool nft_expr_more(const struct nft_rule *rule,
869 const struct nft_expr *expr)
870 {
871 return expr != nft_expr_last(rule) && expr->ops;
872 }
873
nft_userdata(const struct nft_rule * rule)874 static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
875 {
876 return (void *)&rule->data[rule->dlen];
877 }
878
879 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule);
880 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
881 enum nft_trans_phase phase);
882 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule);
883
nft_set_elem_update_expr(const struct nft_set_ext * ext,struct nft_regs * regs,const struct nft_pktinfo * pkt)884 static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
885 struct nft_regs *regs,
886 const struct nft_pktinfo *pkt)
887 {
888 struct nft_expr *expr;
889
890 if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
891 expr = nft_set_ext_expr(ext);
892 expr->ops->eval(expr, regs, pkt);
893 }
894 }
895
896 /*
897 * The last pointer isn't really necessary, but the compiler isn't able to
898 * determine that the result of nft_expr_last() is always the same since it
899 * can't assume that the dlen value wasn't changed within calls in the loop.
900 */
901 #define nft_rule_for_each_expr(expr, last, rule) \
902 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
903 (expr) != (last); \
904 (expr) = nft_expr_next(expr))
905
906 #define NFT_CHAIN_POLICY_UNSET U8_MAX
907
908 /**
909 * struct nft_chain - nf_tables chain
910 *
911 * @rules: list of rules in the chain
912 * @list: used internally
913 * @rhlhead: used internally
914 * @table: table that this chain belongs to
915 * @handle: chain handle
916 * @use: number of jump references to this chain
917 * @flags: bitmask of enum nft_chain_flags
918 * @name: name of the chain
919 */
920 struct nft_chain {
921 struct nft_rule *__rcu *rules_gen_0;
922 struct nft_rule *__rcu *rules_gen_1;
923 struct list_head rules;
924 struct list_head list;
925 struct rhlist_head rhlhead;
926 struct nft_table *table;
927 u64 handle;
928 u32 use;
929 u8 flags:5,
930 bound:1,
931 genmask:2;
932 char *name;
933 u16 udlen;
934 u8 *udata;
935
936 /* Only used during control plane commit phase: */
937 struct nft_rule **rules_next;
938 };
939
940 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
941 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
942 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
943
944 enum nft_chain_types {
945 NFT_CHAIN_T_DEFAULT = 0,
946 NFT_CHAIN_T_ROUTE,
947 NFT_CHAIN_T_NAT,
948 NFT_CHAIN_T_MAX
949 };
950
951 /**
952 * struct nft_chain_type - nf_tables chain type info
953 *
954 * @name: name of the type
955 * @type: numeric identifier
956 * @family: address family
957 * @owner: module owner
958 * @hook_mask: mask of valid hooks
959 * @hooks: array of hook functions
960 * @ops_register: base chain register function
961 * @ops_unregister: base chain unregister function
962 */
963 struct nft_chain_type {
964 const char *name;
965 enum nft_chain_types type;
966 int family;
967 struct module *owner;
968 unsigned int hook_mask;
969 nf_hookfn *hooks[NFT_MAX_HOOKS];
970 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
971 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
972 };
973
974 int nft_chain_validate_dependency(const struct nft_chain *chain,
975 enum nft_chain_types type);
976 int nft_chain_validate_hooks(const struct nft_chain *chain,
977 unsigned int hook_flags);
978
nft_chain_binding(const struct nft_chain * chain)979 static inline bool nft_chain_binding(const struct nft_chain *chain)
980 {
981 return chain->flags & NFT_CHAIN_BINDING;
982 }
983
nft_chain_is_bound(struct nft_chain * chain)984 static inline bool nft_chain_is_bound(struct nft_chain *chain)
985 {
986 return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
987 }
988
989 int nft_chain_add(struct nft_table *table, struct nft_chain *chain);
990 void nft_chain_del(struct nft_chain *chain);
991 void nf_tables_chain_destroy(struct nft_ctx *ctx);
992
993 struct nft_stats {
994 u64 bytes;
995 u64 pkts;
996 struct u64_stats_sync syncp;
997 };
998
999 struct nft_hook {
1000 struct list_head list;
1001 struct nf_hook_ops ops;
1002 struct rcu_head rcu;
1003 };
1004
1005 /**
1006 * struct nft_base_chain - nf_tables base chain
1007 *
1008 * @ops: netfilter hook ops
1009 * @hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)
1010 * @type: chain type
1011 * @policy: default policy
1012 * @stats: per-cpu chain stats
1013 * @chain: the chain
1014 * @flow_block: flow block (for hardware offload)
1015 */
1016 struct nft_base_chain {
1017 struct nf_hook_ops ops;
1018 struct list_head hook_list;
1019 const struct nft_chain_type *type;
1020 u8 policy;
1021 u8 flags;
1022 struct nft_stats __percpu *stats;
1023 struct nft_chain chain;
1024 struct flow_block flow_block;
1025 };
1026
nft_base_chain(const struct nft_chain * chain)1027 static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
1028 {
1029 return container_of(chain, struct nft_base_chain, chain);
1030 }
1031
nft_is_base_chain(const struct nft_chain * chain)1032 static inline bool nft_is_base_chain(const struct nft_chain *chain)
1033 {
1034 return chain->flags & NFT_CHAIN_BASE;
1035 }
1036
1037 int __nft_release_basechain(struct nft_ctx *ctx);
1038
1039 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
1040
nft_use_inc(u32 * use)1041 static inline bool nft_use_inc(u32 *use)
1042 {
1043 if (*use == UINT_MAX)
1044 return false;
1045
1046 (*use)++;
1047
1048 return true;
1049 }
1050
nft_use_dec(u32 * use)1051 static inline void nft_use_dec(u32 *use)
1052 {
1053 WARN_ON_ONCE((*use)-- == 0);
1054 }
1055
1056 /* For error and abort path: restore use counter to previous state. */
nft_use_inc_restore(u32 * use)1057 static inline void nft_use_inc_restore(u32 *use)
1058 {
1059 WARN_ON_ONCE(!nft_use_inc(use));
1060 }
1061
1062 #define nft_use_dec_restore nft_use_dec
1063
1064 /**
1065 * struct nft_table - nf_tables table
1066 *
1067 * @list: used internally
1068 * @chains_ht: chains in the table
1069 * @chains: same, for stable walks
1070 * @sets: sets in the table
1071 * @objects: stateful objects in the table
1072 * @flowtables: flow tables in the table
1073 * @hgenerator: handle generator state
1074 * @handle: table handle
1075 * @use: number of chain references to this table
1076 * @flags: table flag (see enum nft_table_flags)
1077 * @genmask: generation mask
1078 * @afinfo: address family info
1079 * @name: name of the table
1080 */
1081 struct nft_table {
1082 struct list_head list;
1083 struct rhltable chains_ht;
1084 struct list_head chains;
1085 struct list_head sets;
1086 struct list_head objects;
1087 struct list_head flowtables;
1088 u64 hgenerator;
1089 u64 handle;
1090 u32 use;
1091 u16 family:6,
1092 flags:8,
1093 genmask:2;
1094 char *name;
1095 u16 udlen;
1096 u8 *udata;
1097 };
1098
nft_base_chain_netdev(int family,u32 hooknum)1099 static inline bool nft_base_chain_netdev(int family, u32 hooknum)
1100 {
1101 return family == NFPROTO_NETDEV ||
1102 (family == NFPROTO_INET && hooknum == NF_INET_INGRESS);
1103 }
1104
1105 void nft_register_chain_type(const struct nft_chain_type *);
1106 void nft_unregister_chain_type(const struct nft_chain_type *);
1107
1108 int nft_register_expr(struct nft_expr_type *);
1109 void nft_unregister_expr(struct nft_expr_type *);
1110
1111 int nft_verdict_dump(struct sk_buff *skb, int type,
1112 const struct nft_verdict *v);
1113
1114 /**
1115 * struct nft_object_hash_key - key to lookup nft_object
1116 *
1117 * @name: name of the stateful object to look up
1118 * @table: table the object belongs to
1119 */
1120 struct nft_object_hash_key {
1121 const char *name;
1122 const struct nft_table *table;
1123 };
1124
1125 /**
1126 * struct nft_object - nf_tables stateful object
1127 *
1128 * @list: table stateful object list node
1129 * @key: keys that identify this object
1130 * @rhlhead: nft_objname_ht node
1131 * @genmask: generation mask
1132 * @use: number of references to this stateful object
1133 * @handle: unique object handle
1134 * @ops: object operations
1135 * @data: object data, layout depends on type
1136 */
1137 struct nft_object {
1138 struct list_head list;
1139 struct rhlist_head rhlhead;
1140 struct nft_object_hash_key key;
1141 u32 genmask:2;
1142 u32 use;
1143 u64 handle;
1144 u16 udlen;
1145 u8 *udata;
1146 /* runtime data below here */
1147 const struct nft_object_ops *ops ____cacheline_aligned;
1148 unsigned char data[]
1149 __attribute__((aligned(__alignof__(u64))));
1150 };
1151
nft_obj_data(const struct nft_object * obj)1152 static inline void *nft_obj_data(const struct nft_object *obj)
1153 {
1154 return (void *)obj->data;
1155 }
1156
1157 #define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr))
1158
1159 struct nft_object *nft_obj_lookup(const struct net *net,
1160 const struct nft_table *table,
1161 const struct nlattr *nla, u32 objtype,
1162 u8 genmask);
1163
1164 void nft_obj_notify(struct net *net, const struct nft_table *table,
1165 struct nft_object *obj, u32 portid, u32 seq,
1166 int event, int family, int report, gfp_t gfp);
1167
1168 /**
1169 * struct nft_object_type - stateful object type
1170 *
1171 * @select_ops: function to select nft_object_ops
1172 * @ops: default ops, used when no select_ops functions is present
1173 * @list: list node in list of object types
1174 * @type: stateful object numeric type
1175 * @owner: module owner
1176 * @maxattr: maximum netlink attribute
1177 * @policy: netlink attribute policy
1178 */
1179 struct nft_object_type {
1180 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *,
1181 const struct nlattr * const tb[]);
1182 const struct nft_object_ops *ops;
1183 struct list_head list;
1184 u32 type;
1185 unsigned int maxattr;
1186 struct module *owner;
1187 const struct nla_policy *policy;
1188 };
1189
1190 /**
1191 * struct nft_object_ops - stateful object operations
1192 *
1193 * @eval: stateful object evaluation function
1194 * @size: stateful object size
1195 * @init: initialize object from netlink attributes
1196 * @destroy: release existing stateful object
1197 * @dump: netlink dump stateful object
1198 * @update: update stateful object
1199 */
1200 struct nft_object_ops {
1201 void (*eval)(struct nft_object *obj,
1202 struct nft_regs *regs,
1203 const struct nft_pktinfo *pkt);
1204 unsigned int size;
1205 int (*init)(const struct nft_ctx *ctx,
1206 const struct nlattr *const tb[],
1207 struct nft_object *obj);
1208 void (*destroy)(const struct nft_ctx *ctx,
1209 struct nft_object *obj);
1210 int (*dump)(struct sk_buff *skb,
1211 struct nft_object *obj,
1212 bool reset);
1213 void (*update)(struct nft_object *obj,
1214 struct nft_object *newobj);
1215 const struct nft_object_type *type;
1216 };
1217
1218 int nft_register_obj(struct nft_object_type *obj_type);
1219 void nft_unregister_obj(struct nft_object_type *obj_type);
1220
1221 #define NFT_NETDEVICE_MAX 256
1222
1223 /**
1224 * struct nft_flowtable - nf_tables flow table
1225 *
1226 * @list: flow table list node in table list
1227 * @table: the table the flow table is contained in
1228 * @name: name of this flow table
1229 * @hooknum: hook number
1230 * @ops_len: number of hooks in array
1231 * @genmask: generation mask
1232 * @use: number of references to this flow table
1233 * @handle: unique object handle
1234 * @dev_name: array of device names
1235 * @data: rhashtable and garbage collector
1236 * @ops: array of hooks
1237 */
1238 struct nft_flowtable {
1239 struct list_head list;
1240 struct nft_table *table;
1241 char *name;
1242 int hooknum;
1243 int ops_len;
1244 u32 genmask:2;
1245 u32 use;
1246 u64 handle;
1247 /* runtime data below here */
1248 struct list_head hook_list ____cacheline_aligned;
1249 struct nf_flowtable data;
1250 };
1251
1252 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1253 const struct nlattr *nla,
1254 u8 genmask);
1255
1256 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
1257 struct nft_flowtable *flowtable,
1258 enum nft_trans_phase phase);
1259
1260 void nft_register_flowtable_type(struct nf_flowtable_type *type);
1261 void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1262
1263 /**
1264 * struct nft_traceinfo - nft tracing information and state
1265 *
1266 * @pkt: pktinfo currently processed
1267 * @basechain: base chain currently processed
1268 * @chain: chain currently processed
1269 * @rule: rule that was evaluated
1270 * @verdict: verdict given by rule
1271 * @type: event type (enum nft_trace_types)
1272 * @packet_dumped: packet headers sent in a previous traceinfo message
1273 * @trace: other struct members are initialised
1274 */
1275 struct nft_traceinfo {
1276 const struct nft_pktinfo *pkt;
1277 const struct nft_base_chain *basechain;
1278 const struct nft_chain *chain;
1279 const struct nft_rule *rule;
1280 const struct nft_verdict *verdict;
1281 enum nft_trace_types type;
1282 bool packet_dumped;
1283 bool trace;
1284 };
1285
1286 void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1287 const struct nft_verdict *verdict,
1288 const struct nft_chain *basechain);
1289
1290 void nft_trace_notify(struct nft_traceinfo *info);
1291
1292 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
1293 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
1294
1295 #define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1296 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1297
1298 #define MODULE_ALIAS_NFT_EXPR(name) \
1299 MODULE_ALIAS("nft-expr-" name)
1300
1301 #define MODULE_ALIAS_NFT_OBJ(type) \
1302 MODULE_ALIAS("nft-obj-" __stringify(type))
1303
1304 #if IS_ENABLED(CONFIG_NF_TABLES)
1305
1306 /*
1307 * The gencursor defines two generations, the currently active and the
1308 * next one. Objects contain a bitmask of 2 bits specifying the generations
1309 * they're active in. A set bit means they're inactive in the generation
1310 * represented by that bit.
1311 *
1312 * New objects start out as inactive in the current and active in the
1313 * next generation. When committing the ruleset the bitmask is cleared,
1314 * meaning they're active in all generations. When removing an object,
1315 * it is set inactive in the next generation. After committing the ruleset,
1316 * the objects are removed.
1317 */
nft_gencursor_next(const struct net * net)1318 static inline unsigned int nft_gencursor_next(const struct net *net)
1319 {
1320 return net->nft.gencursor + 1 == 1 ? 1 : 0;
1321 }
1322
nft_genmask_next(const struct net * net)1323 static inline u8 nft_genmask_next(const struct net *net)
1324 {
1325 return 1 << nft_gencursor_next(net);
1326 }
1327
nft_genmask_cur(const struct net * net)1328 static inline u8 nft_genmask_cur(const struct net *net)
1329 {
1330 /* Use READ_ONCE() to prevent refetching the value for atomicity */
1331 return 1 << READ_ONCE(net->nft.gencursor);
1332 }
1333
1334 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
1335
1336 /*
1337 * Generic transaction helpers
1338 */
1339
1340 /* Check if this object is currently active. */
1341 #define nft_is_active(__net, __obj) \
1342 (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1343
1344 /* Check if this object is active in the next generation. */
1345 #define nft_is_active_next(__net, __obj) \
1346 (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1347
1348 /* This object becomes active in the next generation. */
1349 #define nft_activate_next(__net, __obj) \
1350 (__obj)->genmask = nft_genmask_cur(__net)
1351
1352 /* This object becomes inactive in the next generation. */
1353 #define nft_deactivate_next(__net, __obj) \
1354 (__obj)->genmask = nft_genmask_next(__net)
1355
1356 /* After committing the ruleset, clear the stale generation bit. */
1357 #define nft_clear(__net, __obj) \
1358 (__obj)->genmask &= ~nft_genmask_next(__net)
1359 #define nft_active_genmask(__obj, __genmask) \
1360 !((__obj)->genmask & __genmask)
1361
1362 /*
1363 * Set element transaction helpers
1364 */
1365
nft_set_elem_active(const struct nft_set_ext * ext,u8 genmask)1366 static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1367 u8 genmask)
1368 {
1369 return !(ext->genmask & genmask);
1370 }
1371
nft_set_elem_change_active(const struct net * net,const struct nft_set * set,struct nft_set_ext * ext)1372 static inline void nft_set_elem_change_active(const struct net *net,
1373 const struct nft_set *set,
1374 struct nft_set_ext *ext)
1375 {
1376 ext->genmask ^= nft_genmask_next(net);
1377 }
1378
1379 #endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1380
1381 #define NFT_SET_ELEM_DEAD_MASK (1 << 2)
1382
1383 #if defined(__LITTLE_ENDIAN_BITFIELD)
1384 #define NFT_SET_ELEM_DEAD_BIT 2
1385 #elif defined(__BIG_ENDIAN_BITFIELD)
1386 #define NFT_SET_ELEM_DEAD_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
1387 #else
1388 #error
1389 #endif
1390
nft_set_elem_dead(struct nft_set_ext * ext)1391 static inline void nft_set_elem_dead(struct nft_set_ext *ext)
1392 {
1393 unsigned long *word = (unsigned long *)ext;
1394
1395 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1396 set_bit(NFT_SET_ELEM_DEAD_BIT, word);
1397 }
1398
nft_set_elem_is_dead(const struct nft_set_ext * ext)1399 static inline int nft_set_elem_is_dead(const struct nft_set_ext *ext)
1400 {
1401 unsigned long *word = (unsigned long *)ext;
1402
1403 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1404 return test_bit(NFT_SET_ELEM_DEAD_BIT, word);
1405 }
1406
1407 /**
1408 * struct nft_trans - nf_tables object update in transaction
1409 *
1410 * @list: used internally
1411 * @binding_list: list of objects with possible bindings
1412 * @msg_type: message type
1413 * @put_net: ctx->net needs to be put
1414 * @ctx: transaction context
1415 * @data: internal information related to the transaction
1416 */
1417 struct nft_trans {
1418 struct list_head list;
1419 struct list_head binding_list;
1420 int msg_type;
1421 bool put_net;
1422 struct nft_ctx ctx;
1423 char data[];
1424 };
1425
1426 struct nft_trans_rule {
1427 struct nft_rule *rule;
1428 struct nft_flow_rule *flow;
1429 u32 rule_id;
1430 bool bound;
1431 };
1432
1433 #define nft_trans_rule(trans) \
1434 (((struct nft_trans_rule *)trans->data)->rule)
1435 #define nft_trans_flow_rule(trans) \
1436 (((struct nft_trans_rule *)trans->data)->flow)
1437 #define nft_trans_rule_id(trans) \
1438 (((struct nft_trans_rule *)trans->data)->rule_id)
1439 #define nft_trans_rule_bound(trans) \
1440 (((struct nft_trans_rule *)trans->data)->bound)
1441
1442 struct nft_trans_set {
1443 struct nft_set *set;
1444 u32 set_id;
1445 bool bound;
1446 };
1447
1448 #define nft_trans_set(trans) \
1449 (((struct nft_trans_set *)trans->data)->set)
1450 #define nft_trans_set_id(trans) \
1451 (((struct nft_trans_set *)trans->data)->set_id)
1452 #define nft_trans_set_bound(trans) \
1453 (((struct nft_trans_set *)trans->data)->bound)
1454
1455 struct nft_trans_chain {
1456 struct nft_chain *chain;
1457 bool update;
1458 char *name;
1459 struct nft_stats __percpu *stats;
1460 u8 policy;
1461 bool bound;
1462 u32 chain_id;
1463 };
1464
1465 #define nft_trans_chain(trans) \
1466 (((struct nft_trans_chain *)trans->data)->chain)
1467 #define nft_trans_chain_update(trans) \
1468 (((struct nft_trans_chain *)trans->data)->update)
1469 #define nft_trans_chain_name(trans) \
1470 (((struct nft_trans_chain *)trans->data)->name)
1471 #define nft_trans_chain_stats(trans) \
1472 (((struct nft_trans_chain *)trans->data)->stats)
1473 #define nft_trans_chain_policy(trans) \
1474 (((struct nft_trans_chain *)trans->data)->policy)
1475 #define nft_trans_chain_bound(trans) \
1476 (((struct nft_trans_chain *)trans->data)->bound)
1477 #define nft_trans_chain_id(trans) \
1478 (((struct nft_trans_chain *)trans->data)->chain_id)
1479
1480 struct nft_trans_table {
1481 bool update;
1482 };
1483
1484 #define nft_trans_table_update(trans) \
1485 (((struct nft_trans_table *)trans->data)->update)
1486
1487 struct nft_trans_elem {
1488 struct nft_set *set;
1489 struct nft_set_elem elem;
1490 bool bound;
1491 };
1492
1493 #define nft_trans_elem_set(trans) \
1494 (((struct nft_trans_elem *)trans->data)->set)
1495 #define nft_trans_elem(trans) \
1496 (((struct nft_trans_elem *)trans->data)->elem)
1497 #define nft_trans_elem_set_bound(trans) \
1498 (((struct nft_trans_elem *)trans->data)->bound)
1499
1500 struct nft_trans_obj {
1501 struct nft_object *obj;
1502 struct nft_object *newobj;
1503 bool update;
1504 };
1505
1506 #define nft_trans_obj(trans) \
1507 (((struct nft_trans_obj *)trans->data)->obj)
1508 #define nft_trans_obj_newobj(trans) \
1509 (((struct nft_trans_obj *)trans->data)->newobj)
1510 #define nft_trans_obj_update(trans) \
1511 (((struct nft_trans_obj *)trans->data)->update)
1512
1513 struct nft_trans_flowtable {
1514 struct nft_flowtable *flowtable;
1515 bool update;
1516 struct list_head hook_list;
1517 u32 flags;
1518 };
1519
1520 #define nft_trans_flowtable(trans) \
1521 (((struct nft_trans_flowtable *)trans->data)->flowtable)
1522 #define nft_trans_flowtable_update(trans) \
1523 (((struct nft_trans_flowtable *)trans->data)->update)
1524 #define nft_trans_flowtable_hooks(trans) \
1525 (((struct nft_trans_flowtable *)trans->data)->hook_list)
1526 #define nft_trans_flowtable_flags(trans) \
1527 (((struct nft_trans_flowtable *)trans->data)->flags)
1528
1529 #define NFT_TRANS_GC_BATCHCOUNT 256
1530
1531 struct nft_trans_gc {
1532 struct list_head list;
1533 struct net *net;
1534 struct nft_set *set;
1535 u32 seq;
1536 u16 count;
1537 void *priv[NFT_TRANS_GC_BATCHCOUNT];
1538 struct rcu_head rcu;
1539 };
1540
1541 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
1542 unsigned int gc_seq, gfp_t gfp);
1543 void nft_trans_gc_destroy(struct nft_trans_gc *trans);
1544
1545 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
1546 unsigned int gc_seq, gfp_t gfp);
1547 void nft_trans_gc_queue_async_done(struct nft_trans_gc *gc);
1548
1549 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp);
1550 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans);
1551
1552 void nft_trans_gc_elem_add(struct nft_trans_gc *gc, void *priv);
1553
1554 void nft_setelem_data_deactivate(const struct net *net,
1555 const struct nft_set *set,
1556 struct nft_set_elem *elem);
1557
1558 int __init nft_chain_filter_init(void);
1559 void nft_chain_filter_fini(void);
1560
1561 void __init nft_chain_route_init(void);
1562 void nft_chain_route_fini(void);
1563
1564 void nf_tables_trans_destroy_flush_work(void);
1565
1566 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
1567 __be64 nf_jiffies64_to_msecs(u64 input);
1568
1569 struct nftables_pernet {
1570 struct list_head tables;
1571 struct list_head commit_list;
1572 struct list_head binding_list;
1573 struct list_head module_list;
1574 struct list_head notify_list;
1575 struct mutex commit_mutex;
1576 unsigned int base_seq;
1577 u8 validate_state;
1578 unsigned int gc_seq;
1579 };
1580
1581 #endif /* _NET_NF_TABLES_H */
1582