diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/Makefile.am | 1 | ||||
| -rw-r--r-- | include/buffer.h | 109 | ||||
| -rw-r--r-- | include/data_reg.h | 10 | ||||
| -rw-r--r-- | include/expr_ops.h | 10 | ||||
| -rw-r--r-- | include/internal.h | 1 | ||||
| -rw-r--r-- | include/libnftnl/chain.h | 9 | ||||
| -rw-r--r-- | include/libnftnl/expr.h | 65 | ||||
| -rw-r--r-- | include/libnftnl/flowtable.h | 7 | ||||
| -rw-r--r-- | include/libnftnl/object.h | 40 | ||||
| -rw-r--r-- | include/libnftnl/rule.h | 1 | ||||
| -rw-r--r-- | include/libnftnl/set.h | 21 | ||||
| -rw-r--r-- | include/libnftnl/table.h | 2 | ||||
| -rw-r--r-- | include/libnftnl/udata.h | 35 | ||||
| -rw-r--r-- | include/linux/netfilter/nf_log.h | 3 | ||||
| -rw-r--r-- | include/linux/netfilter/nf_tables.h | 173 | ||||
| -rw-r--r-- | include/obj.h | 10 | ||||
| -rw-r--r-- | include/set.h | 3 | ||||
| -rw-r--r-- | include/set_elem.h | 6 | ||||
| -rw-r--r-- | include/utils.h | 27 |
19 files changed, 364 insertions, 169 deletions
diff --git a/include/Makefile.am b/include/Makefile.am index b31aa10..738f807 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -2,7 +2,6 @@ SUBDIRS = libnftnl linux noinst_HEADERS = internal.h \ linux_list.h \ - buffer.h \ data_reg.h \ expr_ops.h \ obj.h \ diff --git a/include/buffer.h b/include/buffer.h deleted file mode 100644 index f6626a6..0000000 --- a/include/buffer.h +++ /dev/null @@ -1,109 +0,0 @@ -#ifndef _NFTNL_BUFFER_H_ -#define _NFTNL_BUFFER_H_ - -#include <stdint.h> -#include <stdbool.h> - -struct nftnl_expr; - -struct nftnl_buf { - char *buf; - size_t size; - size_t len; - uint32_t off; - bool fail; -}; - -#define NFTNL_BUF_INIT(__b, __buf, __len) \ - struct nftnl_buf __b = { \ - .buf = __buf, \ - .len = __len, \ - }; - -int nftnl_buf_update(struct nftnl_buf *b, int ret); -int nftnl_buf_done(struct nftnl_buf *b); - -union nftnl_data_reg; - -int nftnl_buf_open(struct nftnl_buf *b, int type, const char *tag); -int nftnl_buf_close(struct nftnl_buf *b, int type, const char *tag); - -int nftnl_buf_open_array(struct nftnl_buf *b, int type, const char *tag); -int nftnl_buf_close_array(struct nftnl_buf *b, int type, const char *tag); - -int nftnl_buf_u32(struct nftnl_buf *b, int type, uint32_t value, const char *tag); -int nftnl_buf_s32(struct nftnl_buf *b, int type, uint32_t value, const char *tag); -int nftnl_buf_u64(struct nftnl_buf *b, int type, uint64_t value, const char *tag); -int nftnl_buf_str(struct nftnl_buf *b, int type, const char *str, const char *tag); -int nftnl_buf_reg(struct nftnl_buf *b, int type, union nftnl_data_reg *reg, - int reg_type, const char *tag); -int nftnl_buf_expr_open(struct nftnl_buf *b, int type); -int nftnl_buf_expr_close(struct nftnl_buf *b, int type); -int nftnl_buf_expr(struct nftnl_buf *b, int type, uint32_t flags, - struct nftnl_expr *expr); - -#define BASE "base" -#define BYTES "bytes" -#define BURST "burst" -#define CHAIN "chain" -#define CODE "code" -#define COMPAT_FLAGS "compat_flags" -#define COMPAT_PROTO "compat_proto" -#define CONSUMED "consumed" -#define COUNT "count" -#define DATA "data" -#define DEVICE "device" -#define DIR "dir" -#define DREG "dreg" -#define EXTHDR_TYPE "exthdr_type" -#define FAMILY "family" -#define FLAGS "flags" -#define GROUP "group" -#define HANDLE "handle" -#define HOOKNUM "hooknum" -#define KEY "key" -#define LEN "len" -#define LEVEL "level" -#define MASK "mask" -#define NAT_TYPE "nat_type" -#define NAME "name" -#define NUM "num" -#define OFFSET "offset" -#define OP "op" -#define PACKETS "packets" -#define PKTS "pkts" -#define POLICY "policy" -#define POSITION "position" -#define PREFIX "prefix" -#define PRIO "prio" -#define QTHRESH "qthreshold" -#define RATE "rate" -#define RULE "rule" -#define SET "set" -#define SET_NAME "set_name" -#define SIZE "size" -#define SNAPLEN "snaplen" -#define SREG_ADDR_MAX "sreg_addr_max" -#define SREG_ADDR_MIN "sreg_addr_min" -#define SREG_PROTO_MAX "sreg_proto_max" -#define SREG_PROTO_MIN "sreg_proto_min" -#define SREG_KEY "sreg_key" -#define SREG_DATA "sreg_data" -#define SREG_QNUM "sreg_qnum" -#define SREG "sreg" -#define TABLE "table" -#define TOTAL "total" -#define TYPE "type" -#define UNIT "unit" -#define USE "use" -#define XOR "xor" -#define ADD "add" -#define INSERT "insert" -#define DELETE "delete" -#define REPLACE "replace" -#define FLUSH "flush" -#define MODULUS "modulus" -#define SEED "seed" -#define ID "id" - -#endif diff --git a/include/data_reg.h b/include/data_reg.h index 10517ba..946354d 100644 --- a/include/data_reg.h +++ b/include/data_reg.h @@ -13,6 +13,10 @@ enum { DATA_CHAIN, }; +enum { + DATA_F_NOPFX = 1 << 0, +}; + union nftnl_data_reg { struct { uint32_t val[NFT_DATA_VALUE_MAXLEN / sizeof(uint32_t)]; @@ -21,16 +25,16 @@ union nftnl_data_reg { struct { uint32_t verdict; const char *chain; + uint32_t chain_id; }; }; int nftnl_data_reg_snprintf(char *buf, size_t size, const union nftnl_data_reg *reg, - uint32_t output_format, uint32_t flags, - int reg_type); + uint32_t flags, int reg_type); struct nlattr; int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type); -void nftnl_free_verdict(const union nftnl_data_reg *data); +int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len); #endif diff --git a/include/expr_ops.h b/include/expr_ops.h index a7f1b9a..6cfb3b5 100644 --- a/include/expr_ops.h +++ b/include/expr_ops.h @@ -8,16 +8,22 @@ struct nlattr; struct nlmsghdr; struct nftnl_expr; +struct attr_policy { + uint32_t maxlen; +}; + struct expr_ops { const char *name; uint32_t alloc_len; - int max_attr; + int nftnl_max_attr; + struct attr_policy *attr_policy; + void (*init)(const struct nftnl_expr *e); void (*free)(const struct nftnl_expr *e); int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len); const void *(*get)(const struct nftnl_expr *e, uint16_t type, uint32_t *data_len); int (*parse)(struct nftnl_expr *e, struct nlattr *attr); void (*build)(struct nlmsghdr *nlh, const struct nftnl_expr *e); - int (*snprintf)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_expr *e); + int (*output)(char *buf, size_t len, uint32_t flags, const struct nftnl_expr *e); }; struct expr_ops *nftnl_expr_ops_lookup(const char *name); diff --git a/include/internal.h b/include/internal.h index a61b725..1f96731 100644 --- a/include/internal.h +++ b/include/internal.h @@ -11,7 +11,6 @@ #include "set_elem.h" #include "expr.h" #include "expr_ops.h" -#include "buffer.h" #include "rule.h" #endif /* _LIBNFTNL_INTERNAL_H_ */ diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h index 33d04e1..bac1f5f 100644 --- a/include/libnftnl/chain.h +++ b/include/libnftnl/chain.h @@ -32,6 +32,9 @@ enum nftnl_chain_attr { NFTNL_CHAIN_TYPE, NFTNL_CHAIN_DEV, NFTNL_CHAIN_DEVICES, + NFTNL_CHAIN_FLAGS, + NFTNL_CHAIN_ID, + NFTNL_CHAIN_USERDATA, __NFTNL_CHAIN_MAX }; #define NFTNL_CHAIN_MAX (__NFTNL_CHAIN_MAX - 1) @@ -46,6 +49,7 @@ void nftnl_chain_set_u32(struct nftnl_chain *t, uint16_t attr, uint32_t data); void nftnl_chain_set_s32(struct nftnl_chain *t, uint16_t attr, int32_t data); void nftnl_chain_set_u64(struct nftnl_chain *t, uint16_t attr, uint64_t data); int nftnl_chain_set_str(struct nftnl_chain *t, uint16_t attr, const char *str); +int nftnl_chain_set_array(struct nftnl_chain *t, uint16_t attr, const char **data); const void *nftnl_chain_get(const struct nftnl_chain *c, uint16_t attr); const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, @@ -55,6 +59,7 @@ uint8_t nftnl_chain_get_u8(const struct nftnl_chain *c, uint16_t attr); uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr); int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr); uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr); +const char *const *nftnl_chain_get_array(const struct nftnl_chain *c, uint16_t attr); void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c); void nftnl_chain_rule_del(struct nftnl_rule *rule); @@ -66,10 +71,6 @@ struct nlmsghdr; void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t); -int nftnl_chain_parse(struct nftnl_chain *c, enum nftnl_parse_type type, - const char *data, struct nftnl_parse_err *err); -int nftnl_chain_parse_file(struct nftnl_chain *c, enum nftnl_parse_type type, - FILE *fp, struct nftnl_parse_err *err); int nftnl_chain_snprintf(char *buf, size_t size, const struct nftnl_chain *t, uint32_t type, uint32_t flags); int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, uint32_t flags); diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h index 3e0f5b0..fba1210 100644 --- a/include/libnftnl/expr.h +++ b/include/libnftnl/expr.h @@ -36,6 +36,14 @@ uint32_t nftnl_expr_get_u32(const struct nftnl_expr *expr, uint16_t type); uint64_t nftnl_expr_get_u64(const struct nftnl_expr *expr, uint16_t type); const char *nftnl_expr_get_str(const struct nftnl_expr *expr, uint16_t type); +void nftnl_expr_build_payload(struct nlmsghdr *nlh, struct nftnl_expr *expr); + +/* For dynset expressions. */ +void nftnl_expr_add_expr(struct nftnl_expr *expr, uint32_t type, struct nftnl_expr *e); +int nftnl_expr_expr_foreach(const struct nftnl_expr *e, + int (*cb)(struct nftnl_expr *e, void *data), + void *data); + int nftnl_expr_snprintf(char *buf, size_t buflen, const struct nftnl_expr *expr, uint32_t type, uint32_t flags); int nftnl_expr_fprintf(FILE *fp, const struct nftnl_expr *expr, uint32_t type, uint32_t flags); @@ -48,6 +56,7 @@ enum { NFTNL_EXPR_PAYLOAD_CSUM_TYPE, NFTNL_EXPR_PAYLOAD_CSUM_OFFSET, NFTNL_EXPR_PAYLOAD_FLAGS, + __NFTNL_EXPR_PAYLOAD_MAX }; enum { @@ -57,33 +66,40 @@ enum { NFTNL_EXPR_NG_OFFSET, NFTNL_EXPR_NG_SET_NAME, /* deprecated */ NFTNL_EXPR_NG_SET_ID, /* deprecated */ + __NFTNL_EXPR_NG_MAX }; enum { NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE, NFTNL_EXPR_META_DREG, NFTNL_EXPR_META_SREG, + __NFTNL_EXPR_META_MAX }; enum { NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE, NFTNL_EXPR_RT_DREG, + __NFTNL_EXPR_RT_MAX }; enum { NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE, NFTNL_EXPR_SOCKET_DREG, + NFTNL_EXPR_SOCKET_LEVEL, + __NFTNL_EXPR_SOCKET_MAX }; enum { NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE, NFTNL_EXPR_TUNNEL_DREG, + __NFTNL_EXPR_TUNNEL_MAX }; enum { NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE, NFTNL_EXPR_CMP_OP, NFTNL_EXPR_CMP_DATA, + __NFTNL_EXPR_CMP_MAX }; enum { @@ -91,6 +107,7 @@ enum { NFTNL_EXPR_RANGE_OP, NFTNL_EXPR_RANGE_FROM_DATA, NFTNL_EXPR_RANGE_TO_DATA, + __NFTNL_EXPR_RANGE_MAX }; enum { @@ -98,16 +115,20 @@ enum { NFTNL_EXPR_IMM_DATA, NFTNL_EXPR_IMM_VERDICT, NFTNL_EXPR_IMM_CHAIN, + NFTNL_EXPR_IMM_CHAIN_ID, + __NFTNL_EXPR_IMM_MAX }; enum { NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE, NFTNL_EXPR_CTR_BYTES, + __NFTNL_EXPR_CTR_MAX }; enum { NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE, NFTNL_EXPR_CONNLIMIT_FLAGS, + __NFTNL_EXPR_CONNLIMIT_MAX }; enum { @@ -116,18 +137,23 @@ enum { NFTNL_EXPR_BITWISE_LEN, NFTNL_EXPR_BITWISE_MASK, NFTNL_EXPR_BITWISE_XOR, + NFTNL_EXPR_BITWISE_OP, + NFTNL_EXPR_BITWISE_DATA, + __NFTNL_EXPR_BITWISE_MAX }; enum { NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE, NFTNL_EXPR_TG_REV, NFTNL_EXPR_TG_INFO, + __NFTNL_EXPR_TG_MAX }; enum { NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE, NFTNL_EXPR_MT_REV, NFTNL_EXPR_MT_INFO, + __NFTNL_EXPR_MT_MAX }; enum { @@ -138,12 +164,14 @@ enum { NFTNL_EXPR_NAT_REG_PROTO_MIN, NFTNL_EXPR_NAT_REG_PROTO_MAX, NFTNL_EXPR_NAT_FLAGS, + __NFTNL_EXPR_NAT_MAX }; enum { NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE, NFTNL_EXPR_TPROXY_REG_ADDR, NFTNL_EXPR_TPROXY_REG_PORT, + __NFTNL_EXPR_TPROXY_MAX }; enum { @@ -152,6 +180,7 @@ enum { NFTNL_EXPR_LOOKUP_SET, NFTNL_EXPR_LOOKUP_SET_ID, NFTNL_EXPR_LOOKUP_FLAGS, + __NFTNL_EXPR_LOOKUP_MAX }; enum { @@ -162,6 +191,9 @@ enum { NFTNL_EXPR_DYNSET_SET_NAME, NFTNL_EXPR_DYNSET_SET_ID, NFTNL_EXPR_DYNSET_EXPR, + NFTNL_EXPR_DYNSET_EXPRESSIONS, + NFTNL_EXPR_DYNSET_FLAGS, + __NFTNL_EXPR_DYNSET_MAX }; enum { @@ -171,6 +203,7 @@ enum { NFTNL_EXPR_LOG_QTHRESHOLD, NFTNL_EXPR_LOG_LEVEL, NFTNL_EXPR_LOG_FLAGS, + __NFTNL_EXPR_LOG_MAX }; enum { @@ -181,6 +214,7 @@ enum { NFTNL_EXPR_EXTHDR_FLAGS, NFTNL_EXPR_EXTHDR_OP, NFTNL_EXPR_EXTHDR_SREG, + __NFTNL_EXPR_EXTHDR_MAX }; enum { @@ -188,6 +222,7 @@ enum { NFTNL_EXPR_CT_KEY, NFTNL_EXPR_CT_DIR, NFTNL_EXPR_CT_SREG, + __NFTNL_EXPR_CT_MAX }; enum { @@ -196,6 +231,7 @@ enum { NFTNL_EXPR_BYTEORDER_OP, NFTNL_EXPR_BYTEORDER_LEN, NFTNL_EXPR_BYTEORDER_SIZE, + __NFTNL_EXPR_BYTEORDER_MAX }; enum { @@ -204,11 +240,13 @@ enum { NFTNL_EXPR_LIMIT_BURST, NFTNL_EXPR_LIMIT_TYPE, NFTNL_EXPR_LIMIT_FLAGS, + __NFTNL_EXPR_LIMIT_MAX }; enum { NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE, NFTNL_EXPR_REJECT_CODE, + __NFTNL_EXPR_REJECT_MAX }; enum { @@ -216,39 +254,46 @@ enum { NFTNL_EXPR_QUEUE_TOTAL, NFTNL_EXPR_QUEUE_FLAGS, NFTNL_EXPR_QUEUE_SREG_QNUM, + __NFTNL_EXPR_QUEUE_MAX }; enum { NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE, NFTNL_EXPR_QUOTA_FLAGS, NFTNL_EXPR_QUOTA_CONSUMED, + __NFTNL_EXPR_QUOTA_MAX }; enum { NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE, NFTNL_EXPR_MASQ_REG_PROTO_MIN, NFTNL_EXPR_MASQ_REG_PROTO_MAX, + __NFTNL_EXPR_MASQ_MAX }; enum { NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE, NFTNL_EXPR_REDIR_REG_PROTO_MAX, NFTNL_EXPR_REDIR_FLAGS, + __NFTNL_EXPR_REDIR_MAX }; enum { NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE, NFTNL_EXPR_DUP_SREG_DEV, + __NFTNL_EXPR_DUP_MAX }; enum { NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE, + __NFTNL_EXPR_FLOW_MAX }; enum { NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE, NFTNL_EXPR_FWD_SREG_ADDR, NFTNL_EXPR_FWD_NFPROTO, + __NFTNL_EXPR_FWD_MAX }; enum { @@ -261,12 +306,14 @@ enum { NFTNL_EXPR_HASH_TYPE, NFTNL_EXPR_HASH_SET_NAME, /* deprecated */ NFTNL_EXPR_HASH_SET_ID, /* deprecated */ + __NFTNL_EXPR_HASH_MAX }; enum { NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE, NFTNL_EXPR_FIB_RESULT, NFTNL_EXPR_FIB_FLAGS, + __NFTNL_EXPR_FIB_MAX }; enum { @@ -275,12 +322,14 @@ enum { NFTNL_EXPR_OBJREF_SET_SREG, NFTNL_EXPR_OBJREF_SET_NAME, NFTNL_EXPR_OBJREF_SET_ID, + __NFTNL_EXPR_OBJREF_MAX }; enum { NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE, NFTNL_EXPR_OSF_TTL, NFTNL_EXPR_OSF_FLAGS, + __NFTNL_EXPR_OSF_MAX }; enum { @@ -289,12 +338,28 @@ enum { NFTNL_EXPR_XFRM_KEY, NFTNL_EXPR_XFRM_DIR, NFTNL_EXPR_XFRM_SPNUM, + __NFTNL_EXPR_XFRM_MAX }; enum { NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE, NFTNL_EXPR_SYNPROXY_WSCALE, NFTNL_EXPR_SYNPROXY_FLAGS, + __NFTNL_EXPR_SYNPROXY_MAX +}; + +enum { + NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE, + NFTNL_EXPR_LAST_SET, + __NFTNL_EXPR_LAST_MAX +}; + +enum { + NFTNL_EXPR_INNER_TYPE = NFTNL_EXPR_BASE, + NFTNL_EXPR_INNER_FLAGS, + NFTNL_EXPR_INNER_HDRSIZE, + NFTNL_EXPR_INNER_EXPR, + __NFTNL_EXPR_INNER_MAX }; #ifdef __cplusplus diff --git a/include/libnftnl/flowtable.h b/include/libnftnl/flowtable.h index 028095e..168f833 100644 --- a/include/libnftnl/flowtable.h +++ b/include/libnftnl/flowtable.h @@ -27,6 +27,7 @@ enum nftnl_flowtable_attr { NFTNL_FLOWTABLE_DEVICES, NFTNL_FLOWTABLE_SIZE, NFTNL_FLOWTABLE_FLAGS, + NFTNL_FLOWTABLE_HANDLE, __NFTNL_FLOWTABLE_MAX }; #define NFTNL_FLOWTABLE_MAX (__NFTNL_FLOWTABLE_MAX - 1) @@ -38,8 +39,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *t, uint16_t attr, const void *data, uint32_t data_len); void nftnl_flowtable_set_u32(struct nftnl_flowtable *t, uint16_t attr, uint32_t data); void nftnl_flowtable_set_s32(struct nftnl_flowtable *t, uint16_t attr, int32_t data); +void nftnl_flowtable_set_u64(struct nftnl_flowtable *t, uint16_t attr, uint64_t data); int nftnl_flowtable_set_str(struct nftnl_flowtable *t, uint16_t attr, const char *str); -void nftnl_flowtable_set_array(struct nftnl_flowtable *t, uint16_t attr, const char **data); +int nftnl_flowtable_set_array(struct nftnl_flowtable *t, uint16_t attr, const char **data); const void *nftnl_flowtable_get(const struct nftnl_flowtable *c, uint16_t attr); const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c, uint16_t attr, @@ -47,7 +49,8 @@ const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c, uint16_t a const char *nftnl_flowtable_get_str(const struct nftnl_flowtable *c, uint16_t attr); uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr); int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr); -const char **nftnl_flowtable_get_array(const struct nftnl_flowtable *t, uint16_t attr); +uint64_t nftnl_flowtable_get_u64(const struct nftnl_flowtable *c, uint16_t attr); +const char *const *nftnl_flowtable_get_array(const struct nftnl_flowtable *t, uint16_t attr); struct nlmsghdr; diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h index 221b15c..9930355 100644 --- a/include/libnftnl/object.h +++ b/include/libnftnl/object.h @@ -19,6 +19,7 @@ enum { NFTNL_OBJ_FAMILY, NFTNL_OBJ_USE, NFTNL_OBJ_HANDLE, + NFTNL_OBJ_USERDATA, NFTNL_OBJ_BASE = 16, __NFTNL_OBJ_MAX }; @@ -27,18 +28,21 @@ enum { enum { NFTNL_OBJ_CTR_PKTS = NFTNL_OBJ_BASE, NFTNL_OBJ_CTR_BYTES, + __NFTNL_OBJ_CTR_MAX, }; enum { NFTNL_OBJ_QUOTA_BYTES = NFTNL_OBJ_BASE, NFTNL_OBJ_QUOTA_CONSUMED, NFTNL_OBJ_QUOTA_FLAGS, + __NFTNL_OBJ_QUOTA_MAX, }; enum { NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE, NFTNL_OBJ_CT_HELPER_L3PROTO, NFTNL_OBJ_CT_HELPER_L4PROTO, + __NFTNL_OBJ_CT_HELPER_MAX, }; enum nftnl_cttimeout_array_tcp { @@ -68,6 +72,7 @@ enum { NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE, NFTNL_OBJ_CT_TIMEOUT_L4PROTO, NFTNL_OBJ_CT_TIMEOUT_ARRAY, + __NFTNL_OBJ_CT_TIMEOUT_MAX, }; enum { @@ -76,6 +81,7 @@ enum { NFTNL_OBJ_CT_EXPECT_DPORT, NFTNL_OBJ_CT_EXPECT_TIMEOUT, NFTNL_OBJ_CT_EXPECT_SIZE, + __NFTNL_OBJ_CT_EXPECT_MAX, }; enum { @@ -84,12 +90,14 @@ enum { NFTNL_OBJ_LIMIT_BURST, NFTNL_OBJ_LIMIT_TYPE, NFTNL_OBJ_LIMIT_FLAGS, + __NFTNL_OBJ_LIMIT_MAX, }; enum { NFTNL_OBJ_SYNPROXY_MSS = NFTNL_OBJ_BASE, NFTNL_OBJ_SYNPROXY_WSCALE, NFTNL_OBJ_SYNPROXY_FLAGS, + __NFTNL_OBJ_SYNPROXY_MAX, }; enum { @@ -109,10 +117,12 @@ enum { NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX, NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR, + __NFTNL_OBJ_TUNNEL_MAX, }; enum { NFTNL_OBJ_SECMARK_CTX = NFTNL_OBJ_BASE, + __NFTNL_OBJ_SECMARK_MAX, }; struct nftnl_obj; @@ -122,22 +132,22 @@ void nftnl_obj_free(const struct nftnl_obj *ne); bool nftnl_obj_is_set(const struct nftnl_obj *ne, uint16_t attr); void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr); -void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data, - uint32_t data_len); +int nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data, + uint32_t data_len); void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data) __attribute__((deprecated)); -void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val); -void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val); -void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val); -void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val); -void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str); -const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr, +int nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val); +int nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val); +int nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val); +int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val); +int nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str); +const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr, uint32_t *data_len); -const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr); -uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr); -uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr); -uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr); -uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr); -const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr); +const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr); +uint8_t nftnl_obj_get_u8(const struct nftnl_obj *ne, uint16_t attr); +uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr); +uint32_t nftnl_obj_get_u32(const struct nftnl_obj *ne, uint16_t attr); +uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr); +const char *nftnl_obj_get_str(const struct nftnl_obj *ne, uint16_t attr); void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_obj *ne); @@ -167,7 +177,7 @@ struct nftnl_obj_list_iter *nftnl_obj_list_iter_create(struct nftnl_obj_list *l) struct nftnl_obj *nftnl_obj_list_iter_next(struct nftnl_obj_list_iter *iter); void nftnl_obj_list_iter_destroy(struct nftnl_obj_list_iter *iter); -#ifdef __cplusplusg +#ifdef __cplusplus } /* extern "C" */ #endif diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h index e5d1ca0..b6b93c6 100644 --- a/include/libnftnl/rule.h +++ b/include/libnftnl/rule.h @@ -51,6 +51,7 @@ uint32_t nftnl_rule_get_u32(const struct nftnl_rule *r, uint16_t attr); uint64_t nftnl_rule_get_u64(const struct nftnl_rule *r, uint16_t attr); void nftnl_rule_add_expr(struct nftnl_rule *r, struct nftnl_expr *expr); +void nftnl_rule_del_expr(struct nftnl_expr *expr); struct nlmsghdr; diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h index db3fa68..e2e5795 100644 --- a/include/libnftnl/set.h +++ b/include/libnftnl/set.h @@ -29,6 +29,9 @@ enum nftnl_set_attr { NFTNL_SET_USERDATA, NFTNL_SET_OBJ_TYPE, NFTNL_SET_HANDLE, + NFTNL_SET_DESC_CONCAT, + NFTNL_SET_EXPR, + NFTNL_SET_EXPRESSIONS, __NFTNL_SET_MAX }; #define NFTNL_SET_MAX (__NFTNL_SET_MAX - 1) @@ -78,6 +81,12 @@ int nftnl_set_list_foreach(struct nftnl_set_list *set_list, int (*cb)(struct nft struct nftnl_set *nftnl_set_list_lookup_byname(struct nftnl_set_list *set_list, const char *set); +struct nftnl_expr; +void nftnl_set_add_expr(struct nftnl_set *s, struct nftnl_expr *expr); +int nftnl_set_expr_foreach(const struct nftnl_set *s, + int (*cb)(struct nftnl_expr *e, void *data), + void *data); + struct nftnl_set_list_iter; struct nftnl_set_list_iter *nftnl_set_list_iter_create(const struct nftnl_set_list *l); struct nftnl_set *nftnl_set_list_iter_cur(const struct nftnl_set_list_iter *iter); @@ -104,6 +113,8 @@ enum { NFTNL_SET_ELEM_USERDATA, NFTNL_SET_ELEM_EXPR, NFTNL_SET_ELEM_OBJREF, + NFTNL_SET_ELEM_KEY_END, + NFTNL_SET_ELEM_EXPRESSIONS, __NFTNL_SET_ELEM_MAX }; #define NFTNL_SET_ELEM_MAX (__NFTNL_SET_ELEM_MAX - 1) @@ -133,13 +144,21 @@ bool nftnl_set_elem_is_set(const struct nftnl_set_elem *s, uint16_t attr); #define nftnl_set_elem_nlmsg_build_hdr nftnl_nlmsg_build_hdr void nftnl_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s); void nftnl_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set_elem *e); +struct nlattr *nftnl_set_elem_nlmsg_build(struct nlmsghdr *nlh, + struct nftnl_set_elem *elem, int i); int nftnl_set_elem_parse(struct nftnl_set_elem *e, enum nftnl_parse_type type, const char *data, struct nftnl_parse_err *err); int nftnl_set_elem_parse_file(struct nftnl_set_elem *e, enum nftnl_parse_type type, FILE *fp, struct nftnl_parse_err *err); int nftnl_set_elem_snprintf(char *buf, size_t size, const struct nftnl_set_elem *s, uint32_t type, uint32_t flags); -int nftnl_set_elem_fprintf(FILE *fp, struct nftnl_set_elem *se, uint32_t type, uint32_t flags); +int nftnl_set_elem_fprintf(FILE *fp, const struct nftnl_set_elem *se, uint32_t type, uint32_t flags); + +struct nftnl_expr; +void nftnl_set_elem_add_expr(struct nftnl_set_elem *e, struct nftnl_expr *expr); +int nftnl_set_elem_expr_foreach(struct nftnl_set_elem *e, + int (*cb)(struct nftnl_expr *e, void *data), + void *data); int nftnl_set_elem_foreach(struct nftnl_set *s, int (*cb)(struct nftnl_set_elem *e, void *data), void *data); diff --git a/include/libnftnl/table.h b/include/libnftnl/table.h index 5faec81..d28c375 100644 --- a/include/libnftnl/table.h +++ b/include/libnftnl/table.h @@ -23,6 +23,8 @@ enum nftnl_table_attr { NFTNL_TABLE_FLAGS, NFTNL_TABLE_USE, NFTNL_TABLE_HANDLE, + NFTNL_TABLE_USERDATA, + NFTNL_TABLE_OWNER, __NFTNL_TABLE_MAX }; #define NFTNL_TABLE_MAX (__NFTNL_TABLE_MAX - 1) diff --git a/include/libnftnl/udata.h b/include/libnftnl/udata.h index dd2f3df..dbf3a60 100644 --- a/include/libnftnl/udata.h +++ b/include/libnftnl/udata.h @@ -9,6 +9,18 @@ extern "C" { #endif +enum nftnl_udata_table_types { + NFTNL_UDATA_TABLE_COMMENT, + __NFTNL_UDATA_TABLE_MAX +}; +#define NFTNL_UDATA_TABLE_MAX (__NFTNL_UDATA_TABLE_MAX - 1) + +enum nftnl_udata_chain_types { + NFTNL_UDATA_CHAIN_COMMENT, + __NFTNL_UDATA_CHAIN_MAX +}; +#define NFTNL_UDATA_CHAIN_MAX (__NFTNL_UDATA_CHAIN_MAX - 1) + enum nftnl_udata_rule_types { NFTNL_UDATA_RULE_COMMENT, NFTNL_UDATA_RULE_EBTABLES_POLICY, @@ -16,16 +28,34 @@ enum nftnl_udata_rule_types { }; #define NFTNL_UDATA_RULE_MAX (__NFTNL_UDATA_RULE_MAX - 1) +enum nftnl_udata_obj_types { + NFTNL_UDATA_OBJ_COMMENT, + __NFTNL_UDATA_OBJ_MAX +}; +#define NFTNL_UDATA_OBJ_MAX (__NFTNL_UDATA_OBJ_MAX - 1) + #define NFTNL_UDATA_COMMENT_MAXLEN 128 enum nftnl_udata_set_types { NFTNL_UDATA_SET_KEYBYTEORDER, NFTNL_UDATA_SET_DATABYTEORDER, NFTNL_UDATA_SET_MERGE_ELEMENTS, + NFTNL_UDATA_SET_KEY_TYPEOF, + NFTNL_UDATA_SET_DATA_TYPEOF, + NFTNL_UDATA_SET_EXPR, + NFTNL_UDATA_SET_DATA_INTERVAL, + NFTNL_UDATA_SET_COMMENT, __NFTNL_UDATA_SET_MAX }; #define NFTNL_UDATA_SET_MAX (__NFTNL_UDATA_SET_MAX - 1) +enum { + NFTNL_UDATA_SET_TYPEOF_EXPR, + NFTNL_UDATA_SET_TYPEOF_DATA, + __NFTNL_UDATA_SET_TYPEOF_MAX, +}; +#define NFTNL_UDATA_SET_TYPEOF_MAX (__NFTNL_UDATA_SET_TYPEOF_MAX - 1) + enum nftnl_udata_set_elem_types { NFTNL_UDATA_SET_ELEM_COMMENT, NFTNL_UDATA_SET_ELEM_FLAGS, @@ -66,6 +96,11 @@ bool nftnl_udata_put_u32(struct nftnl_udata_buf *buf, uint8_t type, bool nftnl_udata_put_strz(struct nftnl_udata_buf *buf, uint8_t type, const char *strz); +/* nest */ +struct nftnl_udata *nftnl_udata_nest_start(struct nftnl_udata_buf *buf, + uint8_t type); +void nftnl_udata_nest_end(struct nftnl_udata_buf *buf, struct nftnl_udata *ud); + /* nftnl_udata_attr */ uint8_t nftnl_udata_type(const struct nftnl_udata *attr); uint8_t nftnl_udata_len(const struct nftnl_udata *attr); diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h index 8be21e0..2ae0093 100644 --- a/include/linux/netfilter/nf_log.h +++ b/include/linux/netfilter/nf_log.h @@ -1,3 +1,4 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _NETFILTER_NF_LOG_H #define _NETFILTER_NF_LOG_H @@ -9,4 +10,6 @@ #define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ #define NF_LOG_MASK 0x2f +#define NF_LOG_PREFIXLEN 128 + #endif /* _NETFILTER_NF_LOG_H */ diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 81c27d3..c48b193 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -48,6 +48,7 @@ enum nft_registers { #define NFT_REG_SIZE 16 #define NFT_REG32_SIZE 4 +#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) /** * enum nft_verdicts - nf_tables internal verdicts @@ -132,7 +133,7 @@ enum nf_tables_msg_types { * @NFTA_LIST_ELEM: list element (NLA_NESTED) */ enum nft_list_attributes { - NFTA_LIST_UNPEC, + NFTA_LIST_UNSPEC, NFTA_LIST_ELEM, __NFTA_LIST_MAX }; @@ -163,7 +164,10 @@ enum nft_hook_attributes { */ enum nft_table_flags { NFT_TABLE_F_DORMANT = 0x1, + NFT_TABLE_F_OWNER = 0x2, }; +#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \ + NFT_TABLE_F_OWNER) /** * enum nft_table_attributes - nf_tables table netlink attributes @@ -171,6 +175,8 @@ enum nft_table_flags { * @NFTA_TABLE_NAME: name of the table (NLA_STRING) * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) * @NFTA_TABLE_USE: number of chains in this table (NLA_U32) + * @NFTA_TABLE_USERDATA: user data (NLA_BINARY) + * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32) */ enum nft_table_attributes { NFTA_TABLE_UNSPEC, @@ -179,10 +185,21 @@ enum nft_table_attributes { NFTA_TABLE_USE, NFTA_TABLE_HANDLE, NFTA_TABLE_PAD, + NFTA_TABLE_USERDATA, + NFTA_TABLE_OWNER, __NFTA_TABLE_MAX }; #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1) +enum nft_chain_flags { + NFT_CHAIN_BASE = (1 << 0), + NFT_CHAIN_HW_OFFLOAD = (1 << 1), + NFT_CHAIN_BINDING = (1 << 2), +}; +#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \ + NFT_CHAIN_HW_OFFLOAD | \ + NFT_CHAIN_BINDING) + /** * enum nft_chain_attributes - nf_tables chain netlink attributes * @@ -195,6 +212,8 @@ enum nft_table_attributes { * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) * @NFTA_CHAIN_FLAGS: chain flags + * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32) + * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY) */ enum nft_chain_attributes { NFTA_CHAIN_UNSPEC, @@ -208,6 +227,8 @@ enum nft_chain_attributes { NFTA_CHAIN_COUNTERS, NFTA_CHAIN_PAD, NFTA_CHAIN_FLAGS, + NFTA_CHAIN_ID, + NFTA_CHAIN_USERDATA, __NFTA_CHAIN_MAX }; #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) @@ -237,6 +258,7 @@ enum nft_rule_attributes { NFTA_RULE_PAD, NFTA_RULE_ID, NFTA_RULE_POSITION_ID, + NFTA_RULE_CHAIN_ID, __NFTA_RULE_MAX }; #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) @@ -275,6 +297,8 @@ enum nft_rule_compat_attributes { * @NFT_SET_TIMEOUT: set uses timeouts * @NFT_SET_EVAL: set can be updated from the evaluation path * @NFT_SET_OBJECT: set contains stateful objects + * @NFT_SET_CONCAT: set contains a concatenation + * @NFT_SET_EXPR: set contains expressions */ enum nft_set_flags { NFT_SET_ANONYMOUS = 0x1, @@ -284,6 +308,8 @@ enum nft_set_flags { NFT_SET_TIMEOUT = 0x10, NFT_SET_EVAL = 0x20, NFT_SET_OBJECT = 0x40, + NFT_SET_CONCAT = 0x80, + NFT_SET_EXPR = 0x100, }; /** @@ -301,15 +327,29 @@ enum nft_set_policies { * enum nft_set_desc_attributes - set element description * * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) + * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED) */ enum nft_set_desc_attributes { NFTA_SET_DESC_UNSPEC, NFTA_SET_DESC_SIZE, + NFTA_SET_DESC_CONCAT, __NFTA_SET_DESC_MAX }; #define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) /** + * enum nft_set_field_attributes - attributes of concatenated fields + * + * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) + */ +enum nft_set_field_attributes { + NFTA_SET_FIELD_UNSPEC, + NFTA_SET_FIELD_LEN, + __NFTA_SET_FIELD_MAX +}; +#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) + +/** * enum nft_set_attributes - nf_tables set netlink attributes * * @NFTA_SET_TABLE: table name (NLA_STRING) @@ -327,6 +367,8 @@ enum nft_set_desc_attributes { * @NFTA_SET_USERDATA: user data (NLA_BINARY) * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*) * @NFTA_SET_HANDLE: set handle (NLA_U64) + * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes) + * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_set_attributes { NFTA_SET_UNSPEC, @@ -346,6 +388,8 @@ enum nft_set_attributes { NFTA_SET_PAD, NFTA_SET_OBJ_TYPE, NFTA_SET_HANDLE, + NFTA_SET_EXPR, + NFTA_SET_EXPRESSIONS, __NFTA_SET_MAX }; #define NFTA_SET_MAX (__NFTA_SET_MAX - 1) @@ -354,9 +398,11 @@ enum nft_set_attributes { * enum nft_set_elem_flags - nf_tables set element flags * * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval + * @NFT_SET_ELEM_CATCHALL: special catch-all element */ enum nft_set_elem_flags { NFT_SET_ELEM_INTERVAL_END = 0x1, + NFT_SET_ELEM_CATCHALL = 0x2, }; /** @@ -370,6 +416,8 @@ enum nft_set_elem_flags { * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING) + * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data) + * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_set_elem_attributes { NFTA_SET_ELEM_UNSPEC, @@ -382,6 +430,8 @@ enum nft_set_elem_attributes { NFTA_SET_ELEM_EXPR, NFTA_SET_ELEM_PAD, NFTA_SET_ELEM_OBJREF, + NFTA_SET_ELEM_KEY_END, + NFTA_SET_ELEM_EXPRESSIONS, __NFTA_SET_ELEM_MAX }; #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) @@ -447,11 +497,13 @@ enum nft_data_attributes { * * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts) * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING) + * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32) */ enum nft_verdict_attributes { NFTA_VERDICT_UNSPEC, NFTA_VERDICT_CODE, NFTA_VERDICT_CHAIN, + NFTA_VERDICT_CHAIN_ID, __NFTA_VERDICT_MAX }; #define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1) @@ -485,6 +537,20 @@ enum nft_immediate_attributes { #define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1) /** + * enum nft_bitwise_ops - nf_tables bitwise operations + * + * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and + * XOR boolean operations + * @NFT_BITWISE_LSHIFT: left-shift operation + * @NFT_BITWISE_RSHIFT: right-shift operation + */ +enum nft_bitwise_ops { + NFT_BITWISE_BOOL, + NFT_BITWISE_LSHIFT, + NFT_BITWISE_RSHIFT, +}; + +/** * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes * * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers) @@ -492,16 +558,20 @@ enum nft_immediate_attributes { * @NFTA_BITWISE_LEN: length of operands (NLA_U32) * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes) * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes) + * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops) + * @NFTA_BITWISE_DATA: argument for non-boolean operations + * (NLA_NESTED: nft_data_attributes) * - * The bitwise expression performs the following operation: + * The bitwise expression supports boolean and shift operations. It implements + * the boolean operations by performing the following operation: * * dreg = (sreg & mask) ^ xor * - * which allow to express all bitwise operations: + * with these mask and xor values: * * mask xor * NOT: 1 1 - * OR: 0 x + * OR: ~x x * XOR: 1 x * AND: x 0 */ @@ -512,6 +582,8 @@ enum nft_bitwise_attributes { NFTA_BITWISE_LEN, NFTA_BITWISE_MASK, NFTA_BITWISE_XOR, + NFTA_BITWISE_OP, + NFTA_BITWISE_DATA, __NFTA_BITWISE_MAX }; #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) @@ -643,6 +715,7 @@ enum nft_dynset_ops { enum nft_dynset_flags { NFT_DYNSET_F_INV = (1 << 0), + NFT_DYNSET_F_EXPR = (1 << 1), }; /** @@ -656,6 +729,7 @@ enum nft_dynset_flags { * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) * @NFTA_DYNSET_FLAGS: flags (NLA_U32) + * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_dynset_attributes { NFTA_DYNSET_UNSPEC, @@ -668,6 +742,7 @@ enum nft_dynset_attributes { NFTA_DYNSET_EXPR, NFTA_DYNSET_PAD, NFTA_DYNSET_FLAGS, + NFTA_DYNSET_EXPRESSIONS, __NFTA_DYNSET_MAX, }; #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) @@ -678,11 +753,14 @@ enum nft_dynset_attributes { * @NFT_PAYLOAD_LL_HEADER: link layer header * @NFT_PAYLOAD_NETWORK_HEADER: network header * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header + * @NFT_PAYLOAD_INNER_HEADER: inner header / payload */ enum nft_payload_bases { NFT_PAYLOAD_LL_HEADER, NFT_PAYLOAD_NETWORK_HEADER, NFT_PAYLOAD_TRANSPORT_HEADER, + NFT_PAYLOAD_INNER_HEADER, + NFT_PAYLOAD_TUN_HEADER, }; /** @@ -690,16 +768,43 @@ enum nft_payload_bases { * * @NFT_PAYLOAD_CSUM_NONE: no checksumming * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791) + * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309) */ enum nft_payload_csum_types { NFT_PAYLOAD_CSUM_NONE, NFT_PAYLOAD_CSUM_INET, + NFT_PAYLOAD_CSUM_SCTP, }; enum nft_payload_csum_flags { NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0), }; +enum nft_inner_type { + NFT_INNER_UNSPEC = 0, + NFT_INNER_VXLAN, +}; + +enum nft_inner_flags { + NFT_INNER_HDRSIZE = (1 << 0), + NFT_INNER_LL = (1 << 1), + NFT_INNER_NH = (1 << 2), + NFT_INNER_TH = (1 << 3), +}; +#define NFT_INNER_MASK (NFT_INNER_HDRSIZE | NFT_INNER_LL | \ + NFT_INNER_NH | NFT_INNER_TH) + +enum nft_inner_attributes { + NFTA_INNER_UNSPEC, + NFTA_INNER_NUM, + NFTA_INNER_TYPE, + NFTA_INNER_FLAGS, + NFTA_INNER_HDRSIZE, + NFTA_INNER_EXPR, + __NFTA_INNER_MAX +}; +#define NFTA_INNER_MAX (__NFTA_INNER_MAX - 1) + /** * enum nft_payload_attributes - nf_tables payload expression netlink attributes * @@ -736,11 +841,13 @@ enum nft_exthdr_flags { * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers * @NFT_EXTHDR_OP_TCP: match against tcp options * @NFT_EXTHDR_OP_IPV4: match against ipv4 options + * @NFT_EXTHDR_OP_SCTP: match against sctp chunks */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, NFT_EXTHDR_OP_IPV4, + NFT_EXTHDR_OP_SCTP, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) @@ -805,6 +912,9 @@ enum nft_exthdr_attributes { * @NFT_META_TIME_NS: time since epoch (in nanoseconds) * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday) * @NFT_META_TIME_HOUR: hour of day (in seconds) + * @NFT_META_SDIF: slave device interface index + * @NFT_META_SDIFNAME: slave device interface name + * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit */ enum nft_meta_keys { NFT_META_LEN, @@ -815,7 +925,8 @@ enum nft_meta_keys { NFT_META_OIF, NFT_META_IIFNAME, NFT_META_OIFNAME, - NFT_META_IIFTYPE, + NFT_META_IFTYPE, +#define NFT_META_IIFTYPE NFT_META_IFTYPE NFT_META_OIFTYPE, NFT_META_SKUID, NFT_META_SKGID, @@ -840,6 +951,10 @@ enum nft_meta_keys { NFT_META_TIME_NS, NFT_META_TIME_DAY, NFT_META_TIME_HOUR, + NFT_META_SDIF, + NFT_META_SDIFNAME, + NFT_META_BRI_BROUTE, + __NFT_META_IIFTYPE, }; /** @@ -935,11 +1050,13 @@ enum nft_rt_attributes { * * @NFTA_SOCKET_KEY: socket key to match * @NFTA_SOCKET_DREG: destination register + * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2) */ enum nft_socket_attributes { NFTA_SOCKET_UNSPEC, NFTA_SOCKET_KEY, NFTA_SOCKET_DREG, + NFTA_SOCKET_LEVEL, __NFTA_SOCKET_MAX }; #define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) @@ -949,10 +1066,14 @@ enum nft_socket_attributes { * * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option * @NFT_SOCKET_MARK: Value of the socket mark + * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0) + * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2 */ enum nft_socket_keys { NFT_SOCKET_TRANSPARENT, NFT_SOCKET_MARK, + NFT_SOCKET_WILDCARD, + NFT_SOCKET_CGROUPV2, __NFT_SOCKET_MAX }; #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) @@ -1107,6 +1228,21 @@ enum nft_counter_attributes { #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) /** + * enum nft_last_attributes - nf_tables last expression netlink attributes + * + * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32) + * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64) + */ +enum nft_last_attributes { + NFTA_LAST_UNSPEC, + NFTA_LAST_SET, + NFTA_LAST_MSECS, + NFTA_LAST_PAD, + __NFTA_LAST_MAX +}; +#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1) + +/** * enum nft_log_attributes - nf_tables log expression netlink attributes * * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32) @@ -1496,6 +1632,7 @@ enum nft_ct_expectation_attributes { * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED) * @NFTA_OBJ_USE: number of references to this expression (NLA_U32) * @NFTA_OBJ_HANDLE: object handle (NLA_U64) + * @NFTA_OBJ_USERDATA: user data (NLA_BINARY) */ enum nft_object_attributes { NFTA_OBJ_UNSPEC, @@ -1506,11 +1643,25 @@ enum nft_object_attributes { NFTA_OBJ_USE, NFTA_OBJ_HANDLE, NFTA_OBJ_PAD, + NFTA_OBJ_USERDATA, __NFTA_OBJ_MAX }; #define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1) /** + * enum nft_flowtable_flags - nf_tables flowtable flags + * + * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled + * @NFT_FLOWTABLE_COUNTER: enable flow counters + */ +enum nft_flowtable_flags { + NFT_FLOWTABLE_HW_OFFLOAD = 0x1, + NFT_FLOWTABLE_COUNTER = 0x2, + NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD | + NFT_FLOWTABLE_COUNTER) +}; + +/** * enum nft_flowtable_attributes - nf_tables flow table netlink attributes * * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) @@ -1518,7 +1669,6 @@ enum nft_object_attributes { * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) - * @NFTA_FLOWTABLE_SIZE: maximum size (NLA_U32) * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) */ enum nft_flowtable_attributes { @@ -1529,7 +1679,6 @@ enum nft_flowtable_attributes { NFTA_FLOWTABLE_USE, NFTA_FLOWTABLE_HANDLE, NFTA_FLOWTABLE_PAD, - NFTA_FLOWTABLE_SIZE, NFTA_FLOWTABLE_FLAGS, __NFTA_FLOWTABLE_MAX }; @@ -1731,6 +1880,7 @@ enum nft_tunnel_opts_attributes { NFTA_TUNNEL_KEY_OPTS_UNSPEC, NFTA_TUNNEL_KEY_OPTS_VXLAN, NFTA_TUNNEL_KEY_OPTS_ERSPAN, + NFTA_TUNNEL_KEY_OPTS_GENEVE, __NFTA_TUNNEL_KEY_OPTS_MAX }; #define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1) @@ -1752,6 +1902,15 @@ enum nft_tunnel_opts_erspan_attributes { }; #define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1) +enum nft_tunnel_opts_geneve_attributes { + NFTA_TUNNEL_KEY_GENEVE_UNSPEC, + NFTA_TUNNEL_KEY_GENEVE_CLASS, + NFTA_TUNNEL_KEY_GENEVE_TYPE, + NFTA_TUNNEL_KEY_GENEVE_DATA, + __NFTA_TUNNEL_KEY_GENEVE_MAX +}; +#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1) + enum nft_tunnel_flags { NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0), NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1), diff --git a/include/obj.h b/include/obj.h index 10f806c..d217737 100644 --- a/include/obj.h +++ b/include/obj.h @@ -22,6 +22,11 @@ struct nftnl_obj { uint32_t flags; uint64_t handle; + struct { + void *data; + uint32_t len; + } user; + union { struct nftnl_obj_counter { uint64_t pkts; @@ -99,12 +104,13 @@ struct obj_ops { const char *name; uint32_t type; size_t alloc_len; - int max_attr; + int nftnl_max_attr; + struct attr_policy *attr_policy; int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len); const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len); int (*parse)(struct nftnl_obj *e, struct nlattr *attr); void (*build)(struct nlmsghdr *nlh, const struct nftnl_obj *e); - int (*snprintf)(char *buf, size_t len, uint32_t type, uint32_t flags, const struct nftnl_obj *e); + int (*output)(char *buf, size_t len, uint32_t flags, const struct nftnl_obj *e); }; extern struct obj_ops obj_ops_counter; diff --git a/include/set.h b/include/set.h index 446acd2..55018b6 100644 --- a/include/set.h +++ b/include/set.h @@ -25,12 +25,15 @@ struct nftnl_set { enum nft_set_policies policy; struct { uint32_t size; + uint8_t field_len[NFT_REG32_COUNT]; + uint8_t field_count; } desc; struct list_head element_list; uint32_t flags; uint32_t gc_interval; uint64_t timeout; + struct list_head expr_list; }; struct nftnl_set_list; diff --git a/include/set_elem.h b/include/set_elem.h index cc4d529..7628005 100644 --- a/include/set_elem.h +++ b/include/set_elem.h @@ -8,8 +8,9 @@ struct nftnl_set_elem { uint32_t set_elem_flags; uint32_t flags; union nftnl_data_reg key; + union nftnl_data_reg key_end; union nftnl_data_reg data; - struct nftnl_expr *expr; + struct list_head expr_list; uint64_t timeout; uint64_t expiration; const char *objref; @@ -19,4 +20,7 @@ struct nftnl_set_elem { } user; }; +int nftnl_set_elem_snprintf_default(char *buf, size_t size, + const struct nftnl_set_elem *e); + #endif diff --git a/include/utils.h b/include/utils.h index 91fbebb..eed6127 100644 --- a/include/utils.h +++ b/include/utils.h @@ -12,6 +12,7 @@ # define __visible __attribute__((visibility("default"))) # define EXPORT_SYMBOL(x) typeof(x) (x) __visible; #else +# define __visible # define EXPORT_SYMBOL #endif @@ -36,9 +37,9 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line); #define nftnl_assert_validate(data, _validate_array, _attr, _data_len) \ ({ \ if (!data) \ - __nftnl_assert_fail(attr, __FILE__, __LINE__); \ + __nftnl_assert_fail(_attr, __FILE__, __LINE__); \ if (_validate_array[_attr]) \ - nftnl_assert(data, attr, _validate_array[_attr] == _data_len); \ + nftnl_assert(data, _attr, _validate_array[_attr] == _data_len); \ }) void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max, @@ -67,27 +68,8 @@ void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max, #define array_size(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) const char *nftnl_family2str(uint32_t family); -int nftnl_str2family(const char *family); - -enum nftnl_type { - NFTNL_TYPE_U8, - NFTNL_TYPE_U16, - NFTNL_TYPE_U32, - NFTNL_TYPE_U64, - NFTNL_TYPE_S8, - NFTNL_TYPE_S16, - NFTNL_TYPE_S32, - NFTNL_TYPE_S64, -}; - -int nftnl_strtoi(const char *string, int base, void *number, enum nftnl_type type); -int nftnl_get_value(enum nftnl_type type, void *val, void *out); const char *nftnl_verdict2str(uint32_t verdict); -int nftnl_str2verdict(const char *verdict, int *verdict_num); - -const char *nftnl_cmd2tag(enum nftnl_cmd_type cmd); -uint32_t nftnl_str2cmd(const char *cmd); enum nftnl_cmd_type nftnl_flag2cmd(uint32_t flags); @@ -97,4 +79,7 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type, uint32_t cmd, uint32_t type, uint32_t flags)); +int nftnl_set_str_attr(const char **dptr, uint32_t *flags, + uint16_t attr, const void *data, uint32_t data_len); + #endif |