Diffstat (limited to 'include/rule.h')
-rw-r--r-- | include/rule.h | 111 |
1 files changed, 70 insertions, 41 deletions
diff --git a/include/rule.h b/include/rule.h
index 56f1951f..5b3e12b5 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -1,13 +1,11 @@
 #ifndef NFTABLES_RULE_H
 #define NFTABLES_RULE_H
-#include <stdint.h>
 #include <nftables.h>
 #include <list.h>
 #include <netinet/in.h>
 #include <libnftnl/object.h>	/* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
 #include <linux/netfilter/nf_tables.h>
-#include <string.h>
 #include <cache.h>
 /**
@@ -131,10 +129,13 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier);
 enum table_flags {
	TABLE_F_DORMANT = (1 << 0),
+	TABLE_F_OWNER = (1 << 1),
+	TABLE_F_PERSIST = (1 << 2),
 };
-#define TABLE_FLAGS_MAX 1
+#define TABLE_FLAGS_MAX 3
-extern const char *table_flags_name[TABLE_FLAGS_MAX];
+const char *table_flag_name(uint32_t flag);
+unsigned int parse_table_flag(const char *name);
 /**
  * struct table - nftables table
@@ -151,10 +152,14 @@ extern const char *table_flags_name[TABLE_FLAGS_MAX];
  */
 struct table {
	struct list_head list;
+	struct cache_item cache;
	struct handle handle;
	struct location location;
	struct scope scope;
-	struct list_head *chain_htable;
+	struct cache chain_cache;
+	struct cache set_cache;
+	struct cache obj_cache;
+	struct cache ft_cache;
	struct list_head chains;
	struct list_head sets;
	struct list_head objs;
@@ -162,15 +167,14 @@ struct table {
	struct list_head chain_bindings;
	enum table_flags flags;
	unsigned int refcnt;
+	uint32_t owner;
	const char *comment;
+	bool has_xt_stmts;
 };
 extern struct table *table_alloc(void);
 extern struct table *table_get(struct table *table);
 extern void table_free(struct table *table);
-extern void table_add_hash(struct table *table, struct nft_cache *cache);
-extern struct table *table_lookup(const struct handle *h,
-				  const struct nft_cache *cache);
 extern struct table *table_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache);
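Review bot: Dropping `#include <stdint.h>` in the first hunk leaves rule.h relying on a transitive include for the `uint32_t` and `uint16_t` members it declares and for the `UINT8_MAX + 1` array bound the last hunk of this diff introduces. If `<nftables.h>` or `<cache.h>` is now expected to provide them, that is an include-order dependency rather than a self-contained header; keeping `#include <stdint.h>` here (and `<stdbool.h>` for the `bool` members such as the new `has_xt_stmts`) costs nothing. The `<string.h>` removal looks safe, since none of the visible declarations needs it.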
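Review bot: `parse_table_flag()` and `table_flag_name()` in the second hunk say nothing about their failure value or about what `TABLE_FLAGS_MAX` now counts, which matters because the macro went from sizing `table_flags_name[]` to a bare `3` next to bit values `(1 << 0)`..`(1 << 2)`. A one-line comment per prototype would settle it, e.g. `/* Returns the TABLE_F_* bit for @name, or 0 if unknown. */` and `/* Returns the name of a single TABLE_F_* bit, or NULL. */` — adjusted to what the implementations actually return, which this diff does not show. The two prototypes also drop the `extern` that every neighbouring declaration in this header carries; matching it keeps the style uniform.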
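Review bot: The new `struct table` members `cache`, `chain_cache`, `set_cache`, `obj_cache`, `ft_cache`, `owner` and `has_xt_stmts` in the third and fourth hunks get no `@name:` entries in the kernel-doc block that precedes the struct, unlike `@existing_set` and `@errors` on `struct set` later in this diff. The same gap applies to `cache` and `comment` on `struct chain`, `cache` and `comment` on `struct obj`, and `collapse_list`, `attr`, `attr_array_len` and `num_attrs` on `struct cmd`. In particular `owner` (paired with `TABLE_F_OWNER`) should state what identifier it holds, and `has_xt_stmts` what sets it; the doc block itself sits above the hunk, so the entries go there.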
@@ -186,6 +190,14 @@ enum chain_flags {
 };
 /**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+	FLOWTABLE_F_HW_OFFLOAD = 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
+};
+
+/**
  * struct prio_spec - extendend priority specification for mixed
  * textual/numerical parsing.
  *
@@ -202,6 +214,11 @@ struct hook_spec {
	unsigned int num;
 };
+struct chain_type_spec {
+	struct location loc;
+	const char *str;
+};
+
 /**
  * struct chain - nftables chain
  *
@@ -220,17 +237,18 @@ struct hook_spec {
  */
 struct chain {
	struct list_head list;
-	struct list_head hlist;
+	struct cache_item cache;
	struct handle handle;
	struct location location;
	unsigned int refcnt;
	uint32_t flags;
+	const char *comment;
	struct {
		struct location loc;
		struct prio_spec priority;
		struct hook_spec hook;
		struct expr *policy;
-		const char *type;
+		struct chain_type_spec type;
		const char **dev_array;
		struct expr *dev_expr;
		int dev_array_len;
@@ -243,11 +261,9 @@ struct chain {
 extern int std_prio_lookup(const char *std_prio_name, int family, int hook);
 extern const char *chain_type_name_lookup(const char *name);
 extern const char *chain_hookname_lookup(const char *name);
-extern struct chain *chain_alloc(const char *name);
+extern struct chain *chain_alloc(void);
 extern struct chain *chain_get(struct chain *chain);
 extern void chain_free(struct chain *chain);
-extern struct chain *chain_lookup(const struct table *table,
-				  const struct handle *h);
 extern struct chain *chain_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache,
					const struct table **table);
@@ -255,6 +271,7 @@ extern struct chain *chain_binding_lookup(const struct table *table,
					  const char *chain_name);
 extern const char *family2str(unsigned int family);
+#define __NF_ARP_INGRESS 255
 extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
 extern const char *chain_policy2str(uint32_t policy);
 extern void chain_print_plain(const struct chain *chain,
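Review bot: `#define __NF_ARP_INGRESS 255` in the last hunk uses an identifier beginning with a double underscore, which C reserves for the implementation, and drops a bare magic number between two unrelated prototypes. The real hook numbers for this family come from the kernel uapi (`<linux/netfilter/nf_tables.h>` is included at the top of this header) and this value is nft's own addition, so a non-reserved name with a comment next to the hook helpers would make the intent clear, e.g. `/* Pseudo hook number used by nft only; not defined by the kernel uapi. */` followed by a constructed name such as `#define NFT_ARP_INGRESS_HOOK 255`. Renaming needs the users in the .c files, which this diff does not show. The new `struct chain_type_spec` in the second hunk would likewise benefit from a one-line kernel-doc block.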
@@ -295,7 +312,6 @@ void rule_stmt_append(struct rule *rule, struct stmt *stmt);
 void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
			 struct stmt *stmt);
-
 /**
  * struct set - nftables set
  *
@@ -309,17 +325,20 @@ void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
  * @key: key expression (data type, length))
  * @data: mapping data expression
  * @objtype: mapping object type
+ * @existing_set: reference to existing set in the kernel
  * @init: initializer
  * @rg_cache: cached range element (left)
  * @policy: set mechanism policy
  * @automerge: merge adjacents and overlapping elements, if possible
  * @comment: comment
+ * @errors: expr evaluation errors seen
  * @desc.size: count of set elements
  * @desc.field_len: length of single concatenated fields, bytes
  * @desc.field_count: count of concatenated fields
  */
 struct set {
	struct list_head list;
+	struct cache_item cache;
	struct handle handle;
	struct location location;
	unsigned int refcnt;
@@ -329,13 +348,15 @@ struct set {
	struct expr *key;
	struct expr *data;
	uint32_t objtype;
+	struct set *existing_set;
	struct expr *init;
	struct expr *rg_cache;
	uint32_t policy;
-	struct stmt *stmt;
+	struct list_head stmt_list;
	bool root;
	bool automerge;
	bool key_typeof_valid;
+	bool errors;
	const char *comment;
	struct {
		uint32_t size;
@@ -348,8 +369,6 @@ extern struct set *set_alloc(const struct location *loc);
 extern struct set *set_get(struct set *set);
 extern void set_free(struct set *set);
 extern struct set *set_clone(const struct set *set);
-extern void set_add_hash(struct set *set, struct table *table);
-extern struct set *set_lookup(const struct table *table, const char *name);
 extern struct set *set_lookup_global(uint32_t family, const char *table,
				     const char *name, struct nft_cache *cache);
 extern struct set *set_lookup_fuzzy(const char *set_name,
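Review bot: `@existing_set: reference to existing set in the kernel` in the second hunk does not say whether `struct set` owns that reference (taken with `set_get()` and released in `set_free()`) or merely borrows a pointer into the cache, and the same question applies to the `struct list_head stmt_list` that replaces `struct stmt *stmt` in the third hunk. Both decide whether `set_free()` and `set_clone()` (declared in the fourth hunk) must release or deep-copy them, and a dangling borrowed pointer after a cache refresh is the failure mode to rule out. A doc line such as `@existing_set: set already in the kernel that this one updates; owned reference, released by set_free()` — or "borrowed, valid only while the cache is" if that is the case — would pin the contract. The implementations are outside this header.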
@@ -394,6 +413,11 @@ static inline bool set_is_meter(uint32_t set_flags)
	return set_is_anonymous(set_flags) && (set_flags & NFT_SET_EVAL);
 }
+static inline bool set_is_meter_compat(uint32_t set_flags)
+{
+	return set_flags & NFT_SET_EVAL;
+}
+
 static inline bool set_is_interval(uint32_t set_flags)
 {
	return set_flags & NFT_SET_INTERVAL;
@@ -475,10 +499,12 @@ struct secmark {
  */
 struct obj {
	struct list_head list;
+	struct cache_item cache;
	struct location location;
	struct handle handle;
	uint32_t type;
	unsigned int refcnt;
+	const char *comment;
	union {
		struct counter counter;
		struct quota quota;
@@ -494,19 +520,17 @@ struct obj {
 struct obj *obj_alloc(const struct location *loc);
 extern struct obj *obj_get(struct obj *obj);
 void obj_free(struct obj *obj);
-void obj_add_hash(struct obj *obj, struct table *table);
-struct obj *obj_lookup(const struct table *table, const char *name,
-		       uint32_t type);
 struct obj *obj_lookup_fuzzy(const char *obj_name,
			     const struct nft_cache *cache,
			     const struct table **t);
 void obj_print(const struct obj *n, struct output_ctx *octx);
 void obj_print_plain(const struct obj *obj, struct output_ctx *octx);
 const char *obj_type_name(uint32_t type);
-uint32_t obj_type_to_cmd(uint32_t type);
+enum cmd_obj obj_type_to_cmd(uint32_t type);
 struct flowtable {
	struct list_head list;
+	struct cache_item cache;
	struct handle handle;
	struct scope scope;
	struct location location;
@@ -522,8 +546,6 @@ struct flowtable {
 extern struct flowtable *flowtable_alloc(const struct location *loc);
 extern struct flowtable *flowtable_get(struct flowtable *flowtable);
 extern void flowtable_free(struct flowtable *flowtable);
-extern void flowtable_add_hash(struct flowtable *flowtable, struct table *table);
-extern struct flowtable *flowtable_lookup(const struct table *table, const char *name);
 extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name,
						const struct nft_cache *cache,
						const struct table **table);
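Review bot: `set_is_meter_compat()` in the first hunk differs from `set_is_meter()` directly above it only by dropping the `set_is_anonymous()` test, and nothing says when a caller should pick one over the other. A short comment above it would keep the two from being used interchangeably, e.g. `/* Like set_is_meter(), but also true for named sets carrying NFT_SET_EVAL; kept for compatibility with callers that predate the anonymous-only rule. */` — trim the second clause if that is not the actual reason, which this diff does not show.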
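Review bot: `enum cmd_obj obj_type_to_cmd(uint32_t type);` in the third hunk refers to `enum cmd_obj` before its definition, which the later hunks of this diff place shortly before new line 629, while this declaration sits near new line 529 — unless an earlier declaration exists in a part of the header not shown. ISO C does not allow a forward reference to an incomplete enum type; GCC and clang accept it as an extension but diagnose it under `-Wpedantic`. Moving the prototype below the `enum cmd_obj` definition, or keeping the `uint32_t` return with a comment that the value is a `CMD_OBJ_*` constant, avoids depending on that extension.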
@@ -548,6 +570,7 @@ void flowtable_print(const struct flowtable *n, struct output_ctx *octx);
  * @CMD_EXPORT: export the ruleset in a given format
  * @CMD_MONITOR: event listener
  * @CMD_DESCRIBE: describe an expression
+ * @CMD_DESTROY: destroy object
  */
 enum cmd_ops {
	CMD_INVALID,
@@ -565,6 +588,7 @@ enum cmd_ops {
	CMD_EXPORT,
	CMD_MONITOR,
	CMD_DESCRIBE,
+	CMD_DESTROY,
 };
 /**
@@ -605,6 +629,7 @@ enum cmd_obj {
	CMD_OBJ_SETELEMS,
	CMD_OBJ_SETS,
	CMD_OBJ_RULE,
+	CMD_OBJ_RULES,
	CMD_OBJ_CHAIN,
	CMD_OBJ_CHAINS,
	CMD_OBJ_TABLE,
@@ -627,11 +652,14 @@ enum cmd_obj {
	CMD_OBJ_FLOWTABLE,
	CMD_OBJ_FLOWTABLES,
	CMD_OBJ_CT_TIMEOUT,
+	CMD_OBJ_CT_TIMEOUTS,
	CMD_OBJ_SECMARK,
	CMD_OBJ_SECMARKS,
	CMD_OBJ_CT_EXPECT,
+	CMD_OBJ_CT_EXPECTATIONS,
	CMD_OBJ_SYNPROXY,
	CMD_OBJ_SYNPROXYS,
+	CMD_OBJ_HOOKS,
 };
 struct markup {
@@ -664,7 +692,12 @@ struct monitor {
 struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event);
 void monitor_free(struct monitor *m);
-#define NFT_NLATTR_LOC_MAX 8
+#define NFT_NLATTR_LOC_MAX 32
+
+struct nlerr_loc {
+	uint16_t offset;
+	const struct location *location;
+};
 /**
  * struct cmd - command statement
@@ -685,6 +718,7 @@ struct cmd {
	enum cmd_obj obj;
	struct handle handle;
	uint32_t seqnum;
+	struct list_head collapse_list;
	union {
		void *data;
		struct expr *expr;
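Review bot: `NFT_NLATTR_LOC_MAX` is raised from 8 to 32 in the fifth hunk, yet the fixed `attr[NFT_NLATTR_LOC_MAX]` array it used to size is replaced by a `struct nlerr_loc *attr` pointer plus `attr_array_len` in the next hunk of this diff, so the macro's meaning has changed — initial allocation, growth step or hard cap is not visible here. A comment on the define stating which it is, and a kernel-doc block for the new `struct nlerr_loc` (`@offset: byte offset of the attribute within the netlink message` and `@location: source location to report when the kernel rejects it` — confirm against the users), would keep the header self-explanatory. The `const` on `location` is a good tightening over the old anonymous struct.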
@@ -701,25 +735,20 @@ struct cmd {
		struct markup *markup;
		struct obj *object;
	};
-	struct {
-		uint16_t offset;
-		struct location *location;
-	} attr[NFT_NLATTR_LOC_MAX];
-	int num_attrs;
+	struct nlerr_loc *attr;
+	uint32_t attr_array_len;
+	uint32_t num_attrs;
	const void *arg;
 };
 extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
			     const struct handle *h, const struct location *loc,
			     void *data);
-extern void nft_cmd_expand(struct cmd *cmd);
 extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
				    const struct handle *h,
				    const struct location *loc, struct obj *obj);
 extern void cmd_free(struct cmd *cmd);
-void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc);
-
 #include <payload.h>
 #include <expression.h>
@@ -733,10 +762,13 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc);
  * @rule: current rule
  * @set: current set
  * @stmt: current statement
+ * @stmt_len: current statement template length
+ * @recursion: expr evaluation recursion counter
  * @cache: cache context
  * @debug_mask: debugging bitmask
  * @ectx: expression context
- * @pctx: payload context
+ * @_pctx: payload contexts
+ * @inner_desc: inner header description
  */
 struct eval_ctx {
	struct nft_ctx *nft;
@@ -746,8 +778,11 @@ struct eval_ctx {
	struct rule *rule;
	struct set *set;
	struct stmt *stmt;
+	uint32_t stmt_len;
+	uint32_t recursion;
	struct expr_ctx ectx;
-	struct proto_ctx pctx;
+	struct proto_ctx _pctx[2];
+	const struct proto_desc *inner_desc;
 };
 extern int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd);
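Review bot: With `attr` now a heap array bounded by `attr_array_len` in the first hunk, the fixed-size bound the old `attr[NFT_NLATTR_LOC_MAX]` gave implicitly is gone, and `cmd_add_loc()` — the function that appended to it — is removed from this header in the same hunk, so the header no longer shows where `num_attrs < attr_array_len` is enforced before a write or where `attr` is released. Both presumably live in the .c side, which this diff does not show; a doc line on the members would record the contract, e.g. `@attr: netlink attribute locations, heap array owned by the cmd and freed by cmd_free()` and `@attr_array_len: allocated entries in @attr; @num_attrs: entries in use, always <= @attr_array_len`. The struct's kernel-doc block sits above this hunk.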
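Review bot: `struct proto_ctx _pctx[2]` with `@_pctx: payload contexts` in the third hunk does not say what the two slots are or how `inner_desc` relates to them; the `@pctx` it replaces was a single context, so every former `ctx->pctx` reader now has to know which index to use. The leading underscore suggests callers are meant to go through an accessor rather than index directly — if so, name it in the comment, e.g. `@_pctx: payload contexts, [0] outer and [1] inner header; use the eval accessor, do not index directly` (confirm the slot meaning and the accessor's name, which this diff does not show). `@recursion: expr evaluation recursion counter` would likewise be more useful with the limit it is checked against.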
@@ -757,19 +792,13 @@ extern struct error_record *rule_postprocess(struct rule *rule);
 struct netlink_ctx;
 extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);
-extern unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds);
-extern int cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
-			struct list_head *msgs);
-extern bool cache_needs_update(struct nft_cache *cache);
-extern void cache_release(struct nft_cache *cache);
-
 struct timeout_protocol {
	uint32_t array_size;
	const char *const *state_to_name;
	uint32_t *dflt_timeout;
 };
-extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
+extern struct timeout_protocol timeout_protocol[UINT8_MAX + 1];
 extern int timeout_str2num(uint16_t l4proto, struct timeout_state *ts);
 #endif /* NFTABLES_RULE_H */
|
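Review bot: `timeout_protocol[UINT8_MAX + 1]` in this hunk fixes the table at 256 entries and depends on `UINT8_MAX`, while the first hunk of this diff removes `#include <stdint.h>` from this header. The index source declared on the next line is `uint16_t l4proto` in `timeout_str2num()`, so any lookup into this table must reject values above 255 before indexing (or the parameter should become `uint8_t`); the implementation is not in this diff, so confirm that check exists. A one-line comment would document the bound: `/* Indexed by the 8-bit IP protocol number; callers must range-check wider values. */`.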