projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: nf_nat: skip nat clash resolution for same-origin entries
[linux-block.git] / include / net / netfilter / nf_tables.h
CommitLineData
b2441318 1/* SPDX-License-Identifier: GPL-2.0 */
96518518
PM		 2#ifndef _NET_NF_TABLES_H
3#define _NET_NF_TABLES_H
4
0b2d8a7b 5#include <linux/module.h>
96518518
PM		 6#include <linux/list.h>
7#include <linux/netfilter.h>
67a8fc27 8#include <linux/netfilter/nfnetlink.h>
0ca743a5 9#include <linux/netfilter/x_tables.h>
96518518 10#include <linux/netfilter/nf_tables.h>
ce355e20 11#include <linux/u64_stats_sync.h>
1b2470e5 12#include <linux/rhashtable.h>
3b49e2e9 13#include <net/netfilter/nf_flow_table.h>
96518518
PM		 14#include <net/netlink.h>
15
20a69341
PM		 16#define NFT_JUMP_STACK_SIZE 16
17
96518518
PM		 18struct nft_pktinfo {
19 struct sk_buff *skb;
beac5afa 20 bool tprot_set;
4566bf27 21 u8 tprot;
0ca743a5
PNA		 22 /* for x_tables compatibility */
23 struct xt_action_param xt;
96518518
PM		 24};
25
0e5a1c7e
PNA		 26static inline struct net *nft_net(const struct nft_pktinfo *pkt)
27{
28 return pkt->xt.state->net;
29}
30
31static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
32{
33 return pkt->xt.state->hook;
34}
35
36static inline u8 nft_pf(const struct nft_pktinfo *pkt)
37{
38 return pkt->xt.state->pf;
39}
40
41static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
42{
43 return pkt->xt.state->in;
44}
45
46static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
47{
48 return pkt->xt.state->out;
49}
50
0ca743a5 51static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
0ca743a5 52 struct sk_buff *skb,
073bfd56 53 const struct nf_hook_state *state)
0ca743a5
PNA		 54{
55 pkt->skb = skb;
613dbd95 56 pkt->xt.state = state;
0ca743a5
PNA		 57}
58
7a4473a3
PNA		 59static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
60 struct sk_buff *skb)
beac5afa
PNA		 61{
62 pkt->tprot_set = false;
63 pkt->tprot = 0;
64 pkt->xt.thoff = 0;
65 pkt->xt.fragoff = 0;
66}
67
a55e22e9
PM		 68/**
69 * struct nft_verdict - nf_tables verdict
70 *
71 * @code: nf_tables/netfilter verdict code
72 * @chain: destination chain for NFT_JUMP/NFT_GOTO
73 */
74struct nft_verdict {
75 u32 code;
76 struct nft_chain *chain;
77};
78
96518518
PM		 79struct nft_data {
80 union {
1ca2e170
PM		 81 u32 data[4];
82 struct nft_verdict verdict;
96518518
PM		 83 };
84} __attribute__((aligned(__alignof__(u64))));
85
a55e22e9
PM		 86/**
87 * struct nft_regs - nf_tables register set
88 *
89 * @data: data registers
90 * @verdict: verdict register
91 *
92 * The first four data registers alias to the verdict register.
93 */
94struct nft_regs {
95 union {
49499c3e 96 u32 data[20];
a55e22e9
PM		 97 struct nft_verdict verdict;
98 };
99};
100
10596608
LZ		 101/* Store/load an u16 or u8 integer to/from the u32 data register.
102 *
103 * Note, when using concatenations, register allocation happens at 32-bit
104 * level. So for store instruction, pad the rest part with zero to avoid
105 * garbage values.
106 */
107
108static inline void nft_reg_store16(u32 *dreg, u16 val)
109{
110 *dreg = 0;
111 *(u16 *)dreg = val;
112}
113
114static inline void nft_reg_store8(u32 *dreg, u8 val)
115{
116 *dreg = 0;
117 *(u8 *)dreg = val;
118}
119
120static inline u16 nft_reg_load16(u32 *sreg)
121{
122 return *(u16 *)sreg;
123}
124
125static inline u8 nft_reg_load8(u32 *sreg)
126{
127 return *(u8 *)sreg;
128}
129
49499c3e
PM		 130static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
131 unsigned int len)
96518518 132{
49499c3e 133 memcpy(dst, src, len);
96518518
PM		 134}
135
136static inline void nft_data_debug(const struct nft_data *data)
137{
138 pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",
139 data->data[0], data->data[1],
140 data->data[2], data->data[3]);
141}
142
143/**
20a69341 144 * struct nft_ctx - nf_tables rule/set context
96518518 145 *
99633ab2 146 * @net: net namespace
96518518
PM		 147 * @table: the table the chain is contained in
148 * @chain: the chain the rule is contained in
0ca743a5 149 * @nla: netlink attributes
128ad332
PNA		 150 * @portid: netlink portID of the original message
151 * @seq: netlink sequence number
36596dad 152 * @family: protocol family
26b2f552 153 * @level: depth of the chains
128ad332 154 * @report: notify via unicast netlink message
96518518
PM		 155 */
156struct nft_ctx {
99633ab2 157 struct net *net;
7c95f6d8
PNA		 158 struct nft_table *table;
159 struct nft_chain *chain;
0ca743a5 160 const struct nlattr * const *nla;
128ad332
PNA		 161 u32 portid;
162 u32 seq;
36596dad 163 u8 family;
26b2f552 164 u8 level;
128ad332 165 bool report;
96518518
PM		 166};
167
96518518
PM		 168struct nft_data_desc {
169 enum nft_data_types type;
170 unsigned int len;
171};
172
d0a11fc3
PM		 173int nft_data_init(const struct nft_ctx *ctx,
174 struct nft_data *data, unsigned int size,
5eccdfaa 175 struct nft_data_desc *desc, const struct nlattr *nla);
bb7b40ae 176void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
59105446 177void nft_data_release(const struct nft_data *data, enum nft_data_types type);
5eccdfaa
JP		 178int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
179 enum nft_data_types type, unsigned int len);
96518518
PM		 180
181static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg)
182{
183 return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
184}
185
20a69341
PM		 186static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
187{
bf798657 188 return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
20a69341
PM		 189}
190
f1d505bb 191int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
b1c96ed3
PM		 192unsigned int nft_parse_register(const struct nlattr *attr);
193int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
194
d07db988 195int nft_validate_register_load(enum nft_registers reg, unsigned int len);
1ec10212
PM		 196int nft_validate_register_store(const struct nft_ctx *ctx,
197 enum nft_registers reg,
198 const struct nft_data *data,
199 enum nft_data_types type, unsigned int len);
96518518 200
86f1ec32
PM		 201/**
202 * struct nft_userdata - user defined data associated with an object
203 *
204 * @len: length of the data
205 * @data: content
206 *
207 * The presence of user data is indicated in an object specific fashion,
208 * so a length of zero can't occur and the value "len" indicates data
209 * of length len + 1.
210 */
211struct nft_userdata {
212 u8 len;
213 unsigned char data[0];
214};
215
20a69341
PM		 216/**
217 * struct nft_set_elem - generic representation of set elements
218 *
20a69341 219 * @key: element key
fe2811eb 220 * @priv: element private data and extensions
20a69341
PM		 221 */
222struct nft_set_elem {
7d740264
PM		 223 union {
224 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
225 struct nft_data val;
226 } key;
fe2811eb 227 void *priv;
20a69341
PM		 228};
229
230struct nft_set;
231struct nft_set_iter {
8588ac09 232 u8 genmask;
20a69341
PM		 233 unsigned int count;
234 unsigned int skip;
235 int err;
236 int (*fn)(const struct nft_ctx *ctx,
de70185d 237 struct nft_set *set,
20a69341 238 const struct nft_set_iter *iter,
de70185d 239 struct nft_set_elem *elem);
20a69341
PM		 240};
241
c50b960c
PM		 242/**
243 * struct nft_set_desc - description of set elements
244 *
245 * @klen: key length
246 * @dlen: data length
247 * @size: number of set elements
248 */
249struct nft_set_desc {
250 unsigned int klen;
251 unsigned int dlen;
252 unsigned int size;
253};
254
255/**
256 * enum nft_set_class - performance class
257 *
258 * @NFT_LOOKUP_O_1: constant, O(1)
259 * @NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)
260 * @NFT_LOOKUP_O_N: linear, O(N)
261 */
262enum nft_set_class {
263 NFT_SET_CLASS_O_1,
264 NFT_SET_CLASS_O_LOG_N,
265 NFT_SET_CLASS_O_N,
266};
267
268/**
269 * struct nft_set_estimate - estimation of memory and performance
270 * characteristics
271 *
272 * @size: required memory
55af753c 273 * @lookup: lookup performance class
0b5a7874 274 * @space: memory class
c50b960c
PM		 275 */
276struct nft_set_estimate {
4ef360dd 277 u64 size;
55af753c 278 enum nft_set_class lookup;
0b5a7874 279 enum nft_set_class space;
c50b960c
PM		 280};
281
b2832dd6 282struct nft_set_ext;
22fe54d5 283struct nft_expr;
b2832dd6 284
20a69341
PM		 285/**
286 * struct nft_set_ops - nf_tables set operations
287 *
288 * @lookup: look up an element within the set
289 * @insert: insert new element into set
cc02e457 290 * @activate: activate new element in the next generation
8411b644 291 * @deactivate: lookup for element and deactivate it in the next generation
1ba1c414 292 * @flush: deactivate element in the next generation
20a69341
PM		 293 * @remove: remove element from set
294 * @walk: iterate over all set elemeennts
ba0e4d99 295 * @get: get set elements
20a69341
PM		 296 * @privsize: function to return size of set private data
297 * @init: initialize private data of new set instance
298 * @destroy: destroy private data of set instance
fe2811eb 299 * @elemsize: element private size
20a69341
PM		 300 */
301struct nft_set_ops {
42a55769
PNA		 302 bool (*lookup)(const struct net *net,
303 const struct nft_set *set,
8cd8937a 304 const u32 *key,
b2832dd6 305 const struct nft_set_ext **ext);
22fe54d5 306 bool (*update)(struct nft_set *set,
8cd8937a 307 const u32 *key,
22fe54d5
PM		 308 void *(*new)(struct nft_set *,
309 const struct nft_expr *,
a55e22e9 310 struct nft_regs *),
22fe54d5 311 const struct nft_expr *expr,
a55e22e9 312 struct nft_regs *regs,
22fe54d5
PM		 313 const struct nft_set_ext **ext);
314
42a55769
PNA		 315 int (*insert)(const struct net *net,
316 const struct nft_set *set,
c016c7e4
PNA		 317 const struct nft_set_elem *elem,
318 struct nft_set_ext **ext);
42a55769
PNA		 319 void (*activate)(const struct net *net,
320 const struct nft_set *set,
cc02e457 321 const struct nft_set_elem *elem);
42a55769
PNA		 322 void * (*deactivate)(const struct net *net,
323 const struct nft_set *set,
cc02e457 324 const struct nft_set_elem *elem);
1ba1c414
PNA		 325 bool (*flush)(const struct net *net,
326 const struct nft_set *set,
327 void *priv);
5cb82a38
PNA		 328 void (*remove)(const struct net *net,
329 const struct nft_set *set,
20a69341
PM		 330 const struct nft_set_elem *elem);
331 void (*walk)(const struct nft_ctx *ctx,
de70185d 332 struct nft_set *set,
20a69341 333 struct nft_set_iter *iter);
ba0e4d99
PNA		 334 void * (*get)(const struct net *net,
335 const struct nft_set *set,
336 const struct nft_set_elem *elem,
337 unsigned int flags);
20a69341 338
4ef360dd 339 u64 (*privsize)(const struct nlattr * const nla[],
347b408d 340 const struct nft_set_desc *desc);
c50b960c
PM		 341 bool (*estimate)(const struct nft_set_desc *desc,
342 u32 features,
343 struct nft_set_estimate *est);
20a69341 344 int (*init)(const struct nft_set *set,
c50b960c 345 const struct nft_set_desc *desc,
20a69341
PM		 346 const struct nlattr * const nla[]);
347 void (*destroy)(const struct nft_set *set);
79b174ad 348 void (*gc_init)(const struct nft_set *set);
20a69341 349
fe2811eb 350 unsigned int elemsize;
71cc0873
PS		 351};
352
353/**
354 * struct nft_set_type - nf_tables set type
355 *
356 * @ops: set ops for this type
357 * @list: used internally
358 * @owner: module reference
359 * @features: features supported by the implementation
360 */
361struct nft_set_type {
362 const struct nft_set_ops ops;
363 struct list_head list;
364 struct module *owner;
20a69341
PM		 365 u32 features;
366};
71cc0873 367#define to_set_type(o) container_of(o, struct nft_set_type, ops)
20a69341 368
2b664957
PNA		 369int nft_register_set(struct nft_set_type *type);
370void nft_unregister_set(struct nft_set_type *type);
20a69341
PM		 371
372/**
373 * struct nft_set - nf_tables set instance
374 *
375 * @list: table set list node
376 * @bindings: list of set bindings
3453c927
PNA		 377 * @table: table this set belongs to
378 * @net: netnamespace this set belongs to
20a69341 379 * @name: name of the set
3ecbfd65 380 * @handle: unique handle of the set
20a69341
PM		 381 * @ktype: key type (numeric type defined by userspace, not used in the kernel)
382 * @dtype: data type (verdict or numeric type defined by userspace)
8aeff920 383 * @objtype: object type (see NFT_OBJECT_* definitions)
c50b960c
PM		 384 * @size: maximum set size
385 * @nelems: number of elements
3dd0673a 386 * @ndeact: number of deactivated elements queued for removal
d3e2a111 387 * @timeout: default timeout value in jiffies
761da293 388 * @gc_int: garbage collection interval in msecs
9363dc4b 389 * @policy: set parameterization (see enum nft_set_policies)
e6d8ecac
CFG		 390 * @udlen: user data length
391 * @udata: user data
20a69341
PM		 392 * @ops: set ops
393 * @flags: set flags
37a9cc52 394 * @genmask: generation mask
20a69341
PM		 395 * @klen: key length
396 * @dlen: data length
397 * @data: private set data
398 */
399struct nft_set {
400 struct list_head list;
401 struct list_head bindings;
3453c927
PNA		 402 struct nft_table *table;
403 possible_net_t net;
38745490 404 char *name;
3ecbfd65 405 u64 handle;
20a69341
PM		 406 u32 ktype;
407 u32 dtype;
8aeff920 408 u32 objtype;
c50b960c 409 u32 size;
3dd0673a
PM		 410 atomic_t nelems;
411 u32 ndeact;
761da293
PM		 412 u64 timeout;
413 u32 gc_int;
9363dc4b 414 u16 policy;
e6d8ecac
CFG		 415 u16 udlen;
416 unsigned char *udata;
20a69341
PM		 417 /* runtime data below here */
418 const struct nft_set_ops *ops ____cacheline_aligned;
37a9cc52
PNA		 419 u16 flags:14,
420 genmask:2;
20a69341
PM		 421 u8 klen;
422 u8 dlen;
423 unsigned char data[]
424 __attribute__((aligned(__alignof__(u64))));
425};
426
408070d6
PNA		 427static inline bool nft_set_is_anonymous(const struct nft_set *set)
428{
429 return set->flags & NFT_SET_ANONYMOUS;
430}
431
20a69341
PM		 432static inline void *nft_set_priv(const struct nft_set *set)
433{
434 return (void *)set->data;
435}
436
9d098292
PM		 437static inline struct nft_set *nft_set_container_of(const void *priv)
438{
439 return (void *)priv - offsetof(struct nft_set, data);
440}
441
10659cba
PNA		 442struct nft_set *nft_set_lookup_global(const struct net *net,
443 const struct nft_table *table,
444 const struct nlattr *nla_set_name,
445 const struct nlattr *nla_set_id,
446 u8 genmask);
20a69341 447
761da293
PM		 448static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
449{
450 return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
451}
452
20a69341
PM		 453/**
454 * struct nft_set_binding - nf_tables set binding
455 *
456 * @list: set bindings list node
457 * @chain: chain containing the rule bound to the set
11113e19 458 * @flags: set action flags
20a69341
PM		 459 *
460 * A set binding contains all information necessary for validation
461 * of new elements added to a bound set.
462 */
463struct nft_set_binding {
464 struct list_head list;
465 const struct nft_chain *chain;
11113e19 466 u32 flags;
20a69341
PM		 467};
468
5eccdfaa
JP		 469int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
470 struct nft_set_binding *binding);
471void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
472 struct nft_set_binding *binding);
cd5125d8
FW		 473void nf_tables_rebind_set(const struct nft_ctx *ctx, struct nft_set *set,
474 struct nft_set_binding *binding);
475void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
20a69341 476
3ac4c07a
PM		 477/**
478 * enum nft_set_extensions - set extension type IDs
479 *
480 * @NFT_SET_EXT_KEY: element key
481 * @NFT_SET_EXT_DATA: mapping data
482 * @NFT_SET_EXT_FLAGS: element flags
c3e1b005
PM		 483 * @NFT_SET_EXT_TIMEOUT: element timeout
484 * @NFT_SET_EXT_EXPIRATION: element expiration time
68e942e8 485 * @NFT_SET_EXT_USERDATA: user data associated with the element
f25ad2e9 486 * @NFT_SET_EXT_EXPR: expression assiociated with the element
8aeff920 487 * @NFT_SET_EXT_OBJREF: stateful object reference associated with element
3ac4c07a
PM		 488 * @NFT_SET_EXT_NUM: number of extension types
489 */
490enum nft_set_extensions {
491 NFT_SET_EXT_KEY,
492 NFT_SET_EXT_DATA,
493 NFT_SET_EXT_FLAGS,
c3e1b005
PM		 494 NFT_SET_EXT_TIMEOUT,
495 NFT_SET_EXT_EXPIRATION,
68e942e8 496 NFT_SET_EXT_USERDATA,
f25ad2e9 497 NFT_SET_EXT_EXPR,
8aeff920 498 NFT_SET_EXT_OBJREF,
3ac4c07a
PM		 499 NFT_SET_EXT_NUM
500};
501
502/**
503 * struct nft_set_ext_type - set extension type
504 *
505 * @len: fixed part length of the extension
506 * @align: alignment requirements of the extension
507 */
508struct nft_set_ext_type {
509 u8 len;
510 u8 align;
511};
512
513extern const struct nft_set_ext_type nft_set_ext_types[];
514
515/**
516 * struct nft_set_ext_tmpl - set extension template
517 *
518 * @len: length of extension area
519 * @offset: offsets of individual extension types
520 */
521struct nft_set_ext_tmpl {
522 u16 len;
523 u8 offset[NFT_SET_EXT_NUM];
524};
525
526/**
527 * struct nft_set_ext - set extensions
528 *
cc02e457 529 * @genmask: generation mask
3ac4c07a
PM		 530 * @offset: offsets of individual extension types
531 * @data: beginning of extension data
532 */
533struct nft_set_ext {
cc02e457 534 u8 genmask;
3ac4c07a
PM		 535 u8 offset[NFT_SET_EXT_NUM];
536 char data[0];
537};
538
539static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
540{
541 memset(tmpl, 0, sizeof(*tmpl));
542 tmpl->len = sizeof(struct nft_set_ext);
543}
544
545static inline void nft_set_ext_add_length(struct nft_set_ext_tmpl *tmpl, u8 id,
546 unsigned int len)
547{
548 tmpl->len = ALIGN(tmpl->len, nft_set_ext_types[id].align);
549 BUG_ON(tmpl->len > U8_MAX);
550 tmpl->offset[id] = tmpl->len;
551 tmpl->len += nft_set_ext_types[id].len + len;
552}
553
554static inline void nft_set_ext_add(struct nft_set_ext_tmpl *tmpl, u8 id)
555{
556 nft_set_ext_add_length(tmpl, id, 0);
557}
558
559static inline void nft_set_ext_init(struct nft_set_ext *ext,
560 const struct nft_set_ext_tmpl *tmpl)
561{
562 memcpy(ext->offset, tmpl->offset, sizeof(ext->offset));
563}
564
565static inline bool __nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
566{
567 return !!ext->offset[id];
568}
569
570static inline bool nft_set_ext_exists(const struct nft_set_ext *ext, u8 id)
571{
572 return ext && __nft_set_ext_exists(ext, id);
573}
574
575static inline void *nft_set_ext(const struct nft_set_ext *ext, u8 id)
576{
577 return (void *)ext + ext->offset[id];
578}
579
580static inline struct nft_data *nft_set_ext_key(const struct nft_set_ext *ext)
581{
582 return nft_set_ext(ext, NFT_SET_EXT_KEY);
583}
584
585static inline struct nft_data *nft_set_ext_data(const struct nft_set_ext *ext)
586{
587 return nft_set_ext(ext, NFT_SET_EXT_DATA);
588}
589
590static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
591{
592 return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
593}
ef1f7df9 594
c3e1b005
PM		 595static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
596{
597 return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
598}
599
8e1102d5 600static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
c3e1b005
PM		 601{
602 return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
603}
604
68e942e8
PM		 605static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
606{
607 return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
608}
609
f25ad2e9
PM		 610static inline struct nft_expr *nft_set_ext_expr(const struct nft_set_ext *ext)
611{
612 return nft_set_ext(ext, NFT_SET_EXT_EXPR);
613}
614
c3e1b005
PM		 615static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
616{
617 return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
8e1102d5 618 time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext));
c3e1b005
PM		 619}
620
fe2811eb
PM		 621static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,
622 void *elem)
623{
624 return elem + set->ops->elemsize;
625}
626
8aeff920
PNA		 627static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
628{
629 return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
630}
631
22fe54d5
PM		 632void *nft_set_elem_init(const struct nft_set *set,
633 const struct nft_set_ext_tmpl *tmpl,
49499c3e 634 const u32 *key, const u32 *data,
22fe54d5 635 u64 timeout, gfp_t gfp);
61f9e292
LZ		 636void nft_set_elem_destroy(const struct nft_set *set, void *elem,
637 bool destroy_expr);
61edafbb 638
cfed7e1b
PM		 639/**
640 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
641 *
642 * @rcu: rcu head
643 * @set: set the elements belong to
644 * @cnt: count of elements
645 */
646struct nft_set_gc_batch_head {
647 struct rcu_head rcu;
648 const struct nft_set *set;
649 unsigned int cnt;
650};
651
652#define NFT_SET_GC_BATCH_SIZE ((PAGE_SIZE - \
653 sizeof(struct nft_set_gc_batch_head)) / \
654 sizeof(void *))
655
656/**
657 * struct nft_set_gc_batch - nf_tables set garbage collection batch
658 *
659 * @head: GC batch head
660 * @elems: garbage collection elements
661 */
662struct nft_set_gc_batch {
663 struct nft_set_gc_batch_head head;
664 void *elems[NFT_SET_GC_BATCH_SIZE];
665};
666
667struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
668 gfp_t gfp);
669void nft_set_gc_batch_release(struct rcu_head *rcu);
670
671static inline void nft_set_gc_batch_complete(struct nft_set_gc_batch *gcb)
672{
673 if (gcb != NULL)
674 call_rcu(&gcb->head.rcu, nft_set_gc_batch_release);
675}
676
677static inline struct nft_set_gc_batch *
678nft_set_gc_batch_check(const struct nft_set *set, struct nft_set_gc_batch *gcb,
679 gfp_t gfp)
680{
681 if (gcb != NULL) {
682 if (gcb->head.cnt + 1 < ARRAY_SIZE(gcb->elems))
683 return gcb;
684 nft_set_gc_batch_complete(gcb);
685 }
686 return nft_set_gc_batch_alloc(set, gfp);
687}
688
689static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
690 void *elem)
691{
692 gcb->elems[gcb->head.cnt++] = elem;
693}
694
96518518 695/**
ef1f7df9 696 * struct nft_expr_type - nf_tables expression type
96518518 697 *
ef1f7df9
PM		 698 * @select_ops: function to select nft_expr_ops
699 * @ops: default ops, used when no select_ops functions is present
96518518
PM		 700 * @list: used internally
701 * @name: Identifier
702 * @owner: module reference
703 * @policy: netlink attribute policy
704 * @maxattr: highest netlink attribute number
64d46806 705 * @family: address family for AF-specific types
151d799a 706 * @flags: expression type flags
ef1f7df9
PM		 707 */
708struct nft_expr_type {
0ca743a5
PNA		 709 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
710 const struct nlattr * const tb[]);
ef1f7df9
PM		 711 const struct nft_expr_ops *ops;
712 struct list_head list;
713 const char *name;
714 struct module *owner;
715 const struct nla_policy *policy;
716 unsigned int maxattr;
64d46806 717 u8 family;
151d799a 718 u8 flags;
ef1f7df9
PM		 719};
720
151d799a 721#define NFT_EXPR_STATEFUL 0x1
79b174ad 722#define NFT_EXPR_GC 0x2
151d799a 723
ef1f7df9
PM		 724/**
725 * struct nft_expr_ops - nf_tables expression operations
726 *
727 * @eval: Expression evaluation function
96518518 728 * @size: full expression size, including private data size
ef1f7df9 729 * @init: initialization function
cd5125d8
FW		 730 * @activate: activate expression in the next generation
731 * @deactivate: deactivate expression in next generation
732 * @destroy: destruction function, called after synchronize_rcu
ef1f7df9
PM		 733 * @dump: function to dump parameters
734 * @type: expression type
0ca743a5
PNA		 735 * @validate: validate expression, called during loop detection
736 * @data: extra data to attach to this expression operation
96518518
PM		 737 */
738struct nft_expr;
739struct nft_expr_ops {
740 void (*eval)(const struct nft_expr *expr,
a55e22e9 741 struct nft_regs *regs,
96518518 742 const struct nft_pktinfo *pkt);
086f3321
PNA		 743 int (*clone)(struct nft_expr *dst,
744 const struct nft_expr *src);
ef1f7df9
PM		 745 unsigned int size;
746
96518518
PM		 747 int (*init)(const struct nft_ctx *ctx,
748 const struct nft_expr *expr,
749 const struct nlattr * const tb[]);
bb7b40ae
PNA		 750 void (*activate)(const struct nft_ctx *ctx,
751 const struct nft_expr *expr);
752 void (*deactivate)(const struct nft_ctx *ctx,
753 const struct nft_expr *expr);
62472bce
PM		 754 void (*destroy)(const struct nft_ctx *ctx,
755 const struct nft_expr *expr);
371ebcbb
PNA		 756 void (*destroy_clone)(const struct nft_ctx *ctx,
757 const struct nft_expr *expr);
96518518
PM		 758 int (*dump)(struct sk_buff *skb,
759 const struct nft_expr *expr);
0ca743a5
PNA		 760 int (*validate)(const struct nft_ctx *ctx,
761 const struct nft_expr *expr,
762 const struct nft_data **data);
79b174ad
PNA		 763 bool (*gc)(struct net *net,
764 const struct nft_expr *expr);
ef1f7df9 765 const struct nft_expr_type *type;
0ca743a5 766 void *data;
96518518
PM		 767};
768
ef1f7df9 769#define NFT_EXPR_MAXATTR 16
96518518
PM		 770#define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \
771 ALIGN(size, __alignof__(struct nft_expr)))
772
773/**
774 * struct nft_expr - nf_tables expression
775 *
776 * @ops: expression ops
777 * @data: expression private data
778 */
779struct nft_expr {
780 const struct nft_expr_ops *ops;
781 unsigned char data[];
782};
783
784static inline void *nft_expr_priv(const struct nft_expr *expr)
785{
786 return (void *)expr->data;
787}
788
0b2d8a7b
PM		 789struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
790 const struct nlattr *nla);
791void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
792int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
793 const struct nft_expr *expr);
794
086f3321 795static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
0b2d8a7b 796{
086f3321
PNA		 797 int err;
798
086f3321
PNA		 799 if (src->ops->clone) {
800 dst->ops = src->ops;
801 err = src->ops->clone(dst, src);
802 if (err < 0)
803 return err;
804 } else {
805 memcpy(dst, src, src->ops->size);
806 }
61f9e292
LZ		 807
808 __module_get(src->ops->type->owner);
086f3321 809 return 0;
0b2d8a7b
PM		 810}
811
96518518
PM		 812/**
813 * struct nft_rule - nf_tables rule
814 *
815 * @list: used internally
96518518 816 * @handle: rule handle
0628b123 817 * @genmask: generation mask
96518518 818 * @dlen: length of expression data
86f1ec32 819 * @udata: user data is appended to the rule
96518518
PM		 820 * @data: expression data
821 */
822struct nft_rule {
823 struct list_head list;
0768b3b3 824 u64 handle:42,
0628b123 825 genmask:2,
0768b3b3 826 dlen:12,
86f1ec32 827 udata:1;
96518518
PM		 828 unsigned char data[]
829 __attribute__((aligned(__alignof__(struct nft_expr))));
830};
831
832static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
833{
834 return (struct nft_expr *)&rule->data[0];
835}
836
837static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr)
838{
839 return ((void *)expr) + expr->ops->size;
840}
841
842static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
843{
844 return (struct nft_expr *)&rule->data[rule->dlen];
845}
846
86f1ec32 847static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
0768b3b3
PNA		 848{
849 return (void *)&rule->data[rule->dlen];
850}
851
96518518
PM		 852/*
853 * The last pointer isn't really necessary, but the compiler isn't able to
854 * determine that the result of nft_expr_last() is always the same since it
855 * can't assume that the dlen value wasn't changed within calls in the loop.
856 */
857#define nft_rule_for_each_expr(expr, last, rule) \
858 for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \
859 (expr) != (last); \
860 (expr) = nft_expr_next(expr))
861
862enum nft_chain_flags {
863 NFT_BASE_CHAIN = 0x1,
96518518
PM		 864};
865
866/**
867 * struct nft_chain - nf_tables chain
868 *
869 * @rules: list of rules in the chain
870 * @list: used internally
1b2470e5 871 * @rhlhead: used internally
b5bc89bf 872 * @table: table that this chain belongs to
96518518 873 * @handle: chain handle
96518518 874 * @use: number of jump references to this chain
a0a7379e 875 * @flags: bitmask of enum nft_chain_flags
96518518
PM		 876 * @name: name of the chain
877 */
878struct nft_chain {
0cbc06b3
FW		 879 struct nft_rule *__rcu *rules_gen_0;
880 struct nft_rule *__rcu *rules_gen_1;
96518518
PM		 881 struct list_head rules;
882 struct list_head list;
1b2470e5 883 struct rhlist_head rhlhead;
b5bc89bf 884 struct nft_table *table;
96518518 885 u64 handle;
a0a7379e 886 u32 use;
664b0f8c
PNA		 887 u8 flags:6,
888 genmask:2;
b7263e07 889 char *name;
0cbc06b3
FW		 890
891 /* Only used during control plane commit phase: */
892 struct nft_rule **rules_next;
96518518
PM		 893};
894
a654de8f
PNA		 895int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
896
32537e91 897enum nft_chain_types {
9370761c
PNA		 898 NFT_CHAIN_T_DEFAULT = 0,
899 NFT_CHAIN_T_ROUTE,
900 NFT_CHAIN_T_NAT,
901 NFT_CHAIN_T_MAX
902};
903
1a1e1a12 904/**
32537e91 905 * struct nft_chain_type - nf_tables chain type info
1a1e1a12
PM		 906 *
907 * @name: name of the type
908 * @type: numeric identifier
909 * @family: address family
910 * @owner: module owner
911 * @hook_mask: mask of valid hooks
c2f9eafe 912 * @hooks: array of hook functions
4e25ceb8
FW		 913 * @ops_register: base chain register function
914 * @ops_unregister: base chain unregister function
1a1e1a12 915 */
32537e91 916struct nft_chain_type {
1a1e1a12 917 const char *name;
32537e91 918 enum nft_chain_types type;
1a1e1a12
PM		 919 int family;
920 struct module *owner;
921 unsigned int hook_mask;
922 nf_hookfn *hooks[NF_MAX_HOOKS];
4e25ceb8
FW		 923 int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
924 void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
1a1e1a12
PM		 925};
926
7210e4e3 927int nft_chain_validate_dependency(const struct nft_chain *chain,
32537e91 928 enum nft_chain_types type);
75e8d06d
PNA		 929int nft_chain_validate_hooks(const struct nft_chain *chain,
930 unsigned int hook_flags);
7210e4e3 931
0ca743a5 932struct nft_stats {
ce355e20
ED		 933 u64 bytes;
934 u64 pkts;
935 struct u64_stats_sync syncp;
0ca743a5
PNA		 936};
937
96518518
PM		 938/**
939 * struct nft_base_chain - nf_tables base chain
940 *
941 * @ops: netfilter hook ops
9370761c 942 * @type: chain type
0ca743a5
PNA		 943 * @policy: default policy
944 * @stats: per-cpu chain stats
96518518 945 * @chain: the chain
2cbce139 946 * @dev_name: device name that this base chain is attached to (if any)
96518518
PM		 947 */
948struct nft_base_chain {
c974a3a3 949 struct nf_hook_ops ops;
32537e91 950 const struct nft_chain_type *type;
0ca743a5 951 u8 policy;
835b8033 952 u8 flags;
0ca743a5 953 struct nft_stats __percpu *stats;
96518518 954 struct nft_chain chain;
2cbce139 955 char dev_name[IFNAMSIZ];
96518518
PM		 956};
957
958static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain)
959{
960 return container_of(chain, struct nft_base_chain, chain);
961}
962
f323d954
PNA		 963static inline bool nft_is_base_chain(const struct nft_chain *chain)
964{
965 return chain->flags & NFT_BASE_CHAIN;
966}
967
5ebe0b0e 968int __nft_release_basechain(struct nft_ctx *ctx);
835b8033 969
06198b34 970unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
96518518 971
96518518
PM		 972/**
973 * struct nft_table - nf_tables table
974 *
975 * @list: used internally
1b2470e5
FW		 976 * @chains_ht: chains in the table
977 * @chains: same, for stable walks
96518518 978 * @sets: sets in the table
e5009240 979 * @objects: stateful objects in the table
3b49e2e9 980 * @flowtables: flow tables in the table
96518518 981 * @hgenerator: handle generator state
3ecbfd65 982 * @handle: table handle
96518518
PM		 983 * @use: number of chain references to this table
984 * @flags: table flag (see enum nft_table_flags)
f2a6d766 985 * @genmask: generation mask
36596dad 986 * @afinfo: address family info
96518518
PM		 987 * @name: name of the table
988 */
989struct nft_table {
990 struct list_head list;
1b2470e5 991 struct rhltable chains_ht;
96518518
PM		 992 struct list_head chains;
993 struct list_head sets;
e5009240 994 struct list_head objects;
3b49e2e9 995 struct list_head flowtables;
96518518 996 u64 hgenerator;
3ecbfd65 997 u64 handle;
96518518 998 u32 use;
98319cb9
PNA		 999 u16 family:6,
1000 flags:8,
f2a6d766 1001 genmask:2;
e46abbcc 1002 char *name;
ebddf1a8
PNA		 1003};
1004
cc07eeb0 1005void nft_register_chain_type(const struct nft_chain_type *);
32537e91 1006void nft_unregister_chain_type(const struct nft_chain_type *);
96518518 1007
5eccdfaa
JP		 1008int nft_register_expr(struct nft_expr_type *);
1009void nft_unregister_expr(struct nft_expr_type *);
96518518 1010
33d5a7b1
FW		 1011int nft_verdict_dump(struct sk_buff *skb, int type,
1012 const struct nft_verdict *v);
1013
e5009240
PNA		 1014/**
1015 * struct nft_object - nf_tables stateful object
1016 *
1017 * @list: table stateful object list node
18965317 1018 * @table: table this object belongs to
e5009240
PNA		 1019 * @name: name of this stateful object
1020 * @genmask: generation mask
1021 * @use: number of references to this stateful object
3ecbfd65 1022 * @handle: unique object handle
dfc46034 1023 * @ops: object operations
3ecbfd65 1024 * @data: object data, layout depends on type
e5009240
PNA		 1025 */
1026struct nft_object {
1027 struct list_head list;
61509575 1028 char *name;
18965317 1029 struct nft_table *table;
e5009240
PNA		 1030 u32 genmask:2,
1031 use:30;
3ecbfd65 1032 u64 handle;
e5009240 1033 /* runtime data below here */
dfc46034 1034 const struct nft_object_ops *ops ____cacheline_aligned;
e5009240
PNA		 1035 unsigned char data[]
1036 __attribute__((aligned(__alignof__(u64))));
1037};
1038
1039static inline void *nft_obj_data(const struct nft_object *obj)
1040{
1041 return (void *)obj->data;
1042}
1043
1044#define nft_expr_obj(expr) *((struct nft_object **)nft_expr_priv(expr))
1045
cac20fcd
PNA		 1046struct nft_object *nft_obj_lookup(const struct nft_table *table,
1047 const struct nlattr *nla, u32 objtype,
1048 u8 genmask);
e5009240 1049
25e94a99
PNA		 1050void nft_obj_notify(struct net *net, struct nft_table *table,
1051 struct nft_object *obj, u32 portid, u32 seq,
1052 int event, int family, int report, gfp_t gfp);
2599e989 1053
e5009240
PNA		 1054/**
1055 * struct nft_object_type - stateful object type
1056 *
dfc46034
PBG		 1057 * @select_ops: function to select nft_object_ops
1058 * @ops: default ops, used when no select_ops functions is present
e5009240
PNA		 1059 * @list: list node in list of object types
1060 * @type: stateful object numeric type
e5009240
PNA		 1061 * @owner: module owner
1062 * @maxattr: maximum netlink attribute
1063 * @policy: netlink attribute policy
dfc46034
PBG		 1064 */
1065struct nft_object_type {
1066 const struct nft_object_ops *(*select_ops)(const struct nft_ctx *,
1067 const struct nlattr * const tb[]);
1068 const struct nft_object_ops *ops;
1069 struct list_head list;
1070 u32 type;
1071 unsigned int maxattr;
1072 struct module *owner;
1073 const struct nla_policy *policy;
1074};
1075
1076/**
1077 * struct nft_object_ops - stateful object operations
1078 *
1079 * @eval: stateful object evaluation function
1080 * @size: stateful object size
e5009240
PNA		 1081 * @init: initialize object from netlink attributes
1082 * @destroy: release existing stateful object
1083 * @dump: netlink dump stateful object
1084 */
dfc46034 1085struct nft_object_ops {
e5009240
PNA		 1086 void (*eval)(struct nft_object *obj,
1087 struct nft_regs *regs,
1088 const struct nft_pktinfo *pkt);
e5009240 1089 unsigned int size;
84fba055
FW		 1090 int (*init)(const struct nft_ctx *ctx,
1091 const struct nlattr *const tb[],
e5009240 1092 struct nft_object *obj);
00bfb320
PNA		 1093 void (*destroy)(const struct nft_ctx *ctx,
1094 struct nft_object *obj);
e5009240 1095 int (*dump)(struct sk_buff *skb,
43da04a5
PNA		 1096 struct nft_object *obj,
1097 bool reset);
dfc46034 1098 const struct nft_object_type *type;
e5009240
PNA		 1099};
1100
1101int nft_register_obj(struct nft_object_type *obj_type);
1102void nft_unregister_obj(struct nft_object_type *obj_type);
1103
d92191aa
PNA		 1104#define NFT_FLOWTABLE_DEVICE_MAX 8
1105
3b49e2e9
PNA		 1106/**
1107 * struct nft_flowtable - nf_tables flow table
1108 *
1109 * @list: flow table list node in table list
1110 * @table: the table the flow table is contained in
1111 * @name: name of this flow table
1112 * @hooknum: hook number
1113 * @priority: hook priority
1114 * @ops_len: number of hooks in array
1115 * @genmask: generation mask
1116 * @use: number of references to this flow table
3ecbfd65 1117 * @handle: unique object handle
d92191aa 1118 * @dev_name: array of device names
3b49e2e9
PNA		 1119 * @data: rhashtable and garbage collector
1120 * @ops: array of hooks
1121 */
1122struct nft_flowtable {
1123 struct list_head list;
1124 struct nft_table *table;
1125 char *name;
1126 int hooknum;
1127 int priority;
1128 int ops_len;
1129 u32 genmask:2,
1130 use:30;
3ecbfd65 1131 u64 handle;
3b49e2e9
PNA		 1132 /* runtime data below here */
1133 struct nf_hook_ops *ops ____cacheline_aligned;
1134 struct nf_flowtable data;
1135};
1136
cac20fcd
PNA		 1137struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
1138 const struct nlattr *nla,
1139 u8 genmask);
3b49e2e9
PNA		 1140
1141void nft_register_flowtable_type(struct nf_flowtable_type *type);
1142void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
1143
33d5a7b1
FW		 1144/**
1145 * struct nft_traceinfo - nft tracing information and state
1146 *
1147 * @pkt: pktinfo currently processed
1148 * @basechain: base chain currently processed
1149 * @chain: chain currently processed
1150 * @rule: rule that was evaluated
1151 * @verdict: verdict given by rule
1152 * @type: event type (enum nft_trace_types)
1153 * @packet_dumped: packet headers sent in a previous traceinfo message
1154 * @trace: other struct members are initialised
1155 */
1156struct nft_traceinfo {
1157 const struct nft_pktinfo *pkt;
1158 const struct nft_base_chain *basechain;
1159 const struct nft_chain *chain;
1160 const struct nft_rule *rule;
1161 const struct nft_verdict *verdict;
1162 enum nft_trace_types type;
1163 bool packet_dumped;
1164 bool trace;
1165};
1166
1167void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1168 const struct nft_verdict *verdict,
1169 const struct nft_chain *basechain);
1170
1171void nft_trace_notify(struct nft_traceinfo *info);
1172
9370761c
PNA		 1173#define MODULE_ALIAS_NFT_CHAIN(family, name) \
1174 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
96518518 1175
64d46806
PM		 1176#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
1177 MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
1178
96518518
PM		 1179#define MODULE_ALIAS_NFT_EXPR(name) \
1180 MODULE_ALIAS("nft-expr-" name)
1181
20a69341
PM		 1182#define MODULE_ALIAS_NFT_SET() \
1183 MODULE_ALIAS("nft-set")
1184
e5009240
PNA		 1185#define MODULE_ALIAS_NFT_OBJ(type) \
1186 MODULE_ALIAS("nft-obj-" __stringify(type))
1187
ea4bd995
PM		 1188/*
1189 * The gencursor defines two generations, the currently active and the
1190 * next one. Objects contain a bitmask of 2 bits specifying the generations
1191 * they're active in. A set bit means they're inactive in the generation
1192 * represented by that bit.
1193 *
1194 * New objects start out as inactive in the current and active in the
1195 * next generation. When committing the ruleset the bitmask is cleared,
1196 * meaning they're active in all generations. When removing an object,
1197 * it is set inactive in the next generation. After committing the ruleset,
1198 * the objects are removed.
1199 */
1200static inline unsigned int nft_gencursor_next(const struct net *net)
1201{
1202 return net->nft.gencursor + 1 == 1 ? 1 : 0;
1203}
1204
1205static inline u8 nft_genmask_next(const struct net *net)
1206{
1207 return 1 << nft_gencursor_next(net);
1208}
1209
1210static inline u8 nft_genmask_cur(const struct net *net)
1211{
14cd5d4a
MR		 1212 /* Use READ_ONCE() to prevent refetching the value for atomicity */
1213 return 1 << READ_ONCE(net->nft.gencursor);
ea4bd995
PM		 1214}
1215
22fe54d5
PM		 1216#define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
1217
889f7ee7
PNA		 1218/*
1219 * Generic transaction helpers
1220 */
1221
1222/* Check if this object is currently active. */
1223#define nft_is_active(__net, __obj) \
1224 (((__obj)->genmask & nft_genmask_cur(__net)) == 0)
1225
1226/* Check if this object is active in the next generation. */
1227#define nft_is_active_next(__net, __obj) \
1228 (((__obj)->genmask & nft_genmask_next(__net)) == 0)
1229
1230/* This object becomes active in the next generation. */
1231#define nft_activate_next(__net, __obj) \
1232 (__obj)->genmask = nft_genmask_cur(__net)
1233
1234/* This object becomes inactive in the next generation. */
1235#define nft_deactivate_next(__net, __obj) \
1236 (__obj)->genmask = nft_genmask_next(__net)
1237
1238/* After committing the ruleset, clear the stale generation bit. */
1239#define nft_clear(__net, __obj) \
1240 (__obj)->genmask &= ~nft_genmask_next(__net)
f2a6d766
PNA		 1241#define nft_active_genmask(__obj, __genmask) \
1242 !((__obj)->genmask & __genmask)
889f7ee7 1243
cc02e457
PM		 1244/*
1245 * Set element transaction helpers
1246 */
1247
1248static inline bool nft_set_elem_active(const struct nft_set_ext *ext,
1249 u8 genmask)
1250{
1251 return !(ext->genmask & genmask);
1252}
1253
42a55769
PNA		 1254static inline void nft_set_elem_change_active(const struct net *net,
1255 const struct nft_set *set,
cc02e457
PM		 1256 struct nft_set_ext *ext)
1257{
42a55769 1258 ext->genmask ^= nft_genmask_next(net);
cc02e457
PM		 1259}
1260
69086658
PM		 1261/*
1262 * We use a free bit in the genmask field to indicate the element
1263 * is busy, meaning it is currently being processed either by
1264 * the netlink API or GC.
1265 *
1266 * Even though the genmask is only a single byte wide, this works
1267 * because the extension structure if fully constant once initialized,
1268 * so there are no non-atomic write accesses unless it is already
1269 * marked busy.
1270 */
1271#define NFT_SET_ELEM_BUSY_MASK (1 << 2)
1272
1273#if defined(__LITTLE_ENDIAN_BITFIELD)
1274#define NFT_SET_ELEM_BUSY_BIT 2
1275#elif defined(__BIG_ENDIAN_BITFIELD)
1276#define NFT_SET_ELEM_BUSY_BIT (BITS_PER_LONG - BITS_PER_BYTE + 2)
1277#else
1278#error
1279#endif
1280
1281static inline int nft_set_elem_mark_busy(struct nft_set_ext *ext)
1282{
1283 unsigned long *word = (unsigned long *)ext;
1284
1285 BUILD_BUG_ON(offsetof(struct nft_set_ext, genmask) != 0);
1286 return test_and_set_bit(NFT_SET_ELEM_BUSY_BIT, word);
1287}
1288
1289static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
1290{
1291 unsigned long *word = (unsigned long *)ext;
1292
1293 clear_bit(NFT_SET_ELEM_BUSY_BIT, word);
1294}
1295
1a1e1a12
PM		 1296/**
1297 * struct nft_trans - nf_tables object update in transaction
1298 *
1299 * @list: used internally
1300 * @msg_type: message type
0935d558 1301 * @put_net: ctx->net needs to be put
1a1e1a12
PM		 1302 * @ctx: transaction context
1303 * @data: internal information related to the transaction
1304 */
1305struct nft_trans {
1306 struct list_head list;
1307 int msg_type;
0935d558 1308 bool put_net;
1a1e1a12
PM		 1309 struct nft_ctx ctx;
1310 char data[0];
1311};
1312
1313struct nft_trans_rule {
1314 struct nft_rule *rule;
1a94e38d 1315 u32 rule_id;
1a1e1a12
PM		 1316};
1317
1318#define nft_trans_rule(trans) \
1319 (((struct nft_trans_rule *)trans->data)->rule)
1a94e38d
PNA		 1320#define nft_trans_rule_id(trans) \
1321 (((struct nft_trans_rule *)trans->data)->rule_id)
1a1e1a12
PM		 1322
1323struct nft_trans_set {
1324 struct nft_set *set;
1325 u32 set_id;
1326};
1327
1328#define nft_trans_set(trans) \
1329 (((struct nft_trans_set *)trans->data)->set)
1330#define nft_trans_set_id(trans) \
1331 (((struct nft_trans_set *)trans->data)->set_id)
1332
1333struct nft_trans_chain {
1334 bool update;
b7263e07 1335 char *name;
1a1e1a12
PM		 1336 struct nft_stats __percpu *stats;
1337 u8 policy;
1338};
1339
1340#define nft_trans_chain_update(trans) \
1341 (((struct nft_trans_chain *)trans->data)->update)
1342#define nft_trans_chain_name(trans) \
1343 (((struct nft_trans_chain *)trans->data)->name)
1344#define nft_trans_chain_stats(trans) \
1345 (((struct nft_trans_chain *)trans->data)->stats)
1346#define nft_trans_chain_policy(trans) \
1347 (((struct nft_trans_chain *)trans->data)->policy)
1348
1349struct nft_trans_table {
1350 bool update;
1351 bool enable;
1352};
1353
1354#define nft_trans_table_update(trans) \
1355 (((struct nft_trans_table *)trans->data)->update)
1356#define nft_trans_table_enable(trans) \
1357 (((struct nft_trans_table *)trans->data)->enable)
1358
1359struct nft_trans_elem {
1360 struct nft_set *set;
1361 struct nft_set_elem elem;
1362};
1363
1364#define nft_trans_elem_set(trans) \
1365 (((struct nft_trans_elem *)trans->data)->set)
1366#define nft_trans_elem(trans) \
1367 (((struct nft_trans_elem *)trans->data)->elem)
1368
e5009240
PNA		 1369struct nft_trans_obj {
1370 struct nft_object *obj;
1371};
1372
1373#define nft_trans_obj(trans) \
1374 (((struct nft_trans_obj *)trans->data)->obj)
1375
3b49e2e9
PNA		 1376struct nft_trans_flowtable {
1377 struct nft_flowtable *flowtable;
1378};
1379
1380#define nft_trans_flowtable(trans) \
1381 (((struct nft_trans_flowtable *)trans->data)->flowtable)
1382
02c7b25e 1383int __init nft_chain_filter_init(void);
d209df3e 1384void nft_chain_filter_fini(void);
02c7b25e 1385
96518518 1386#endif /* _NET_NF_TABLES_H */
Linux 6.x block layer and io_uring tree(s)