Diffstat (limited to 'include')
-rw-r--r-- | include/expression.h | 8 | ||||
-rw-r--r-- | include/exthdr.h | 6 | ||||
-rw-r--r-- | include/meta.h | 2 | ||||
-rw-r--r-- | include/payload.h | 280 | ||||
-rw-r--r-- | include/proto.h | 287 | ||||
-rw-r--r-- | include/rule.h | 2 |
6 files changed, 305 insertions, 280 deletions
diff --git a/include/expression.h b/include/expression.h index d8f28682..2b7b3795 100644 --- a/include/expression.h +++ b/include/expression.h @@ -225,15 +225,15 @@ struct expr { struct { /* EXPR_PAYLOAD */ - const struct payload_desc *desc; - const struct payload_template *tmpl; - enum payload_bases base; + const struct proto_desc *desc; + const struct proto_hdr_template *tmpl; + enum proto_bases base; unsigned int offset; } payload; struct { /* EXPR_EXTHDR */ const struct exthdr_desc *desc; - const struct payload_template *tmpl; + const struct proto_hdr_template *tmpl; } exthdr; struct { /* EXPR_META */ diff --git a/include/exthdr.h b/include/exthdr.h index 62e69bd2..87c42857 100644 --- a/include/exthdr.h +++ b/include/exthdr.h @@ -1,17 +1,19 @@ #ifndef NFTABLES_EXTHDR_H #define NFTABLES_EXTHDR_H +#include <proto.h> + /** * struct exthdr_desc - extension header description * * @name: extension header name * @type: extension header protocol value - * @templates: header templates + * @templates: header field templates */ struct exthdr_desc { const char *name; uint8_t type; - struct payload_template templates[10]; + struct proto_hdr_template templates[10]; }; extern struct expr *exthdr_expr_alloc(const struct location *loc, diff --git a/include/meta.h b/include/meta.h index 459221fb..23f78cf1 100644 --- a/include/meta.h +++ b/include/meta.h @@ -25,5 +25,7 @@ struct meta_template { extern struct expr *meta_expr_alloc(const struct location *loc, enum nft_meta_keys key); +extern void meta_expr_pctx_update(struct proto_ctx *ctx, + const struct expr *expr); #endif /* NFTABLES_META_H */ diff --git a/include/payload.h b/include/payload.h index fa8d82e1..54d8d547 100644 --- a/include/payload.h +++ b/include/payload.h 
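Review bot: The new `meta_expr_pctx_update()` prototype in the meta.h hunk names `struct proto_ctx`, but nothing in the hunk brings that tag into scope, and unlike the exthdr.h hunk this file gains no `#include <proto.h>`. If the tag is not declared earlier in meta.h, C gives it prototype scope: the compiler warns that `struct proto_ctx` "will not be visible outside of this definition", and a caller that passes a real `struct proto_ctx *` gets an incompatible-pointer-type error in any translation unit that includes meta.h before proto.h. Add `struct proto_ctx;` as a forward declaration above the prototype, or include proto.h as exthdr.h now does. The top of meta.h is outside the hunk, so this may already be covered there.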
@@ -2,128 +2,16 @@ #define NFTABLES_PAYLOAD_H #include <nftables.h> - -/** - * enum payload_bases - * - * @PAYLOAD_BASE_INVALID: uninitialised, does not happen - * @PAYLOAD_BASE_LL_HDR: link layer header - * @PAYLOAD_BASE_NETWORK_HDR: network layer header - * @PAYLOAD_BASE_TRANSPORT_HDR: transport layer header - */ -enum payload_bases { - PAYLOAD_BASE_INVALID, - PAYLOAD_BASE_LL_HDR, - PAYLOAD_BASE_NETWORK_HDR, - PAYLOAD_BASE_TRANSPORT_HDR, - __PAYLOAD_BASE_MAX -}; -#define PAYLOAD_BASE_MAX (__PAYLOAD_BASE_MAX - 1) - -/** - * struct payload_template - template for a payload header expression - * - * @token: parser token describing the header field - * @dtype: data type of the expression - * @offset: offset from base - * @len: length of header field - */ -struct payload_template { - const char *token; - const struct datatype *dtype; - uint16_t offset; - uint16_t len; -}; - -#define PAYLOAD_TEMPLATE(__token, __dtype, __offset, __len) \ - { \ - .token = (__token), \ - .dtype = (__dtype), \ - .offset = (__offset), \ - .len = (__len), \ - } - -#define PAYLOAD_PROTO_MAX 16 -#define PAYLOAD_TEMPLATE_MAX 20 - -/** - * struct payload_desc - payload protocol description - * - * @name: protocol name - * @base: header base - * @protocol_key: key of template containing upper layer protocol description - * @protocols: link to upper layer protocol description indexed by protocol value - * @templates: header templates - */ -struct payload_desc { - const char *name; - enum payload_bases base; - unsigned int protocol_key; - struct { - unsigned int num; - const struct payload_desc *desc; - } protocols[PAYLOAD_PROTO_MAX]; - struct payload_template templates[PAYLOAD_TEMPLATE_MAX]; -}; - -#define PAYLOAD_PROTO(__num, __desc) { .num = (__num), .desc = (__desc), } - -/** - * struct payload_hook_desc - description of constraints imposed by hook family - * - * @base: protocol base of packets - * @desc: protocol description of packets - */ -struct payload_hook_desc { - enum payload_bases 
base; - const struct payload_desc *desc; -}; - -#define PAYLOAD_HOOK(__base, __desc) { .base = (__base), .desc = (__desc), } - -/** - * struct dev_payload_desc - description of device LL protocol - * - * @desc: protocol description - * @type: arphrd value - */ -struct dev_payload_desc { - const struct payload_desc *desc; - uint16_t type; -}; - -#define DEV_PAYLOAD_DESC(__type, __desc) { .type = (__type), .desc = (__desc), } - -/** - * struct payload_ctx - payload expression protocol context - * - * @family: hook family - * @location: location of expression defining the context - * @desc: payload description for this layer - * - * The location of the context is the location of the relational expression - * defining it, either directly through a protocol match or indirectly - * through a dependency. - */ -struct payload_ctx { - unsigned int family; - struct { - struct location location; - const struct payload_desc *desc; - } protocol[PAYLOAD_BASE_MAX + 1]; -}; +#include <proto.h> extern struct expr *payload_expr_alloc(const struct location *loc, - const struct payload_desc *desc, + const struct proto_desc *desc, unsigned int type); -extern void payload_init_raw(struct expr *expr, enum payload_bases base, +extern void payload_init_raw(struct expr *expr, enum proto_bases base, unsigned int offset, unsigned int len); -extern void payload_ctx_init(struct payload_ctx *ctx, unsigned int family); -extern void payload_ctx_update_meta(struct payload_ctx *ctx, - const struct expr *expr); -extern void payload_ctx_update(struct payload_ctx *ctx, - const struct expr *expr); +extern void payload_expr_pctx_update(struct proto_ctx *ctx, + const struct expr *expr); struct eval_ctx; extern int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, 
@@ -134,162 +22,8 @@ extern struct expr *payload_expr_join(const struct expr *e1, const struct expr *e2); extern void payload_expr_expand(struct list_head *list, struct expr *expr, - const struct payload_ctx *ctx); + const struct proto_ctx *ctx); extern void payload_expr_complete(struct expr *expr, - const struct payload_ctx *ctx); - -enum eth_hdr_fields { - ETHHDR_INVALID, - ETHHDR_DADDR, - ETHHDR_SADDR, - ETHHDR_TYPE, -}; - -enum vlan_hdr_fields { - VLANHDR_INVALID, - VLANHDR_VID, - VLANHDR_CFI, - VLANHDR_PCP, - VLANHDR_TYPE, -}; - -enum arp_hdr_fields { - ARPHDR_INVALID, - ARPHDR_HRD, - ARPHDR_PRO, - ARPHDR_HLN, - ARPHDR_PLN, - ARPHDR_OP, -}; - -enum ip_hdr_fields { - IPHDR_INVALID, - IPHDR_VERSION, - IPHDR_HDRLENGTH, - IPHDR_TOS, - IPHDR_LENGTH, - IPHDR_ID, - IPHDR_FRAG_OFF, - IPHDR_TTL, - IPHDR_PROTOCOL, - IPHDR_CHECKSUM, - IPHDR_SADDR, - IPHDR_DADDR, -}; - -enum icmp_hdr_fields { - ICMPHDR_INVALID, - ICMPHDR_TYPE, - ICMPHDR_CODE, - ICMPHDR_CHECKSUM, - ICMPHDR_ID, - ICMPHDR_SEQ, - ICMPHDR_GATEWAY, - ICMPHDR_MTU, -}; - -enum icmp6_hdr_fields { - ICMP6HDR_INVALID, - ICMP6HDR_TYPE, - ICMP6HDR_CODE, - ICMP6HDR_CHECKSUM, - ICMP6HDR_PPTR, - ICMP6HDR_MTU, - ICMP6HDR_ID, - ICMP6HDR_SEQ, - ICMP6HDR_MAXDELAY, -}; - -enum ip6_hdr_fields { - IP6HDR_INVALID, - IP6HDR_VERSION, - IP6HDR_PRIORITY, - IP6HDR_FLOWLABEL, - IP6HDR_LENGTH, - IP6HDR_NEXTHDR, - IP6HDR_HOPLIMIT, - IP6HDR_SADDR, - IP6HDR_DADDR, - IP6HDR_PROTOCOL, -}; - -enum ah_hdr_fields { - AHHDR_INVALID, - AHHDR_NEXTHDR, - AHHDR_HDRLENGTH, - AHHDR_RESERVED, - AHHDR_SPI, - AHHDR_SEQUENCE, -}; - -enum esp_hdr_fields { - ESPHDR_INVALID, - ESPHDR_SPI, - ESPHDR_SEQUENCE, -}; - -enum comp_hdr_fields { - COMPHDR_INVALID, - COMPHDR_NEXTHDR, - COMPHDR_FLAGS, - COMPHDR_CPI, -}; - -enum udp_hdr_fields { - UDPHDR_INVALID, - UDPHDR_SPORT, - UDPHDR_DPORT, - UDPHDR_LENGTH, - UDPHDR_CSUMCOV = UDPHDR_LENGTH, - UDPHDR_CHECKSUM, -}; - -enum tcp_hdr_fields { - TCPHDR_INVALID, - TCPHDR_SPORT, - TCPHDR_DPORT, - TCPHDR_SEQ, - 
TCPHDR_ACKSEQ, - TCPHDR_DOFF, - TCPHDR_RESERVED, - TCPHDR_FLAGS, - TCPHDR_WINDOW, - TCPHDR_CHECKSUM, - TCPHDR_URGPTR, -}; - -enum dccp_hdr_fields { - DCCPHDR_INVALID, - DCCPHDR_SPORT, - DCCPHDR_DPORT, - DCCPHDR_TYPE, -}; - -enum sctp_hdr_fields { - SCTPHDR_INVALID, - SCTPHDR_SPORT, - SCTPHDR_DPORT, - SCTPHDR_VTAG, - SCTPHDR_CHECKSUM, -}; - -extern const struct payload_desc payload_icmp; -extern const struct payload_desc payload_ah; -extern const struct payload_desc payload_esp; -extern const struct payload_desc payload_comp; -extern const struct payload_desc payload_udp; -extern const struct payload_desc payload_udplite; -extern const struct payload_desc payload_tcp; -extern const struct payload_desc payload_dccp; -extern const struct payload_desc payload_sctp; -extern const struct payload_desc payload_icmp6; - -extern const struct payload_desc payload_ip; -extern const struct payload_desc payload_ip6; - -extern const struct payload_desc payload_arp; - -extern const struct payload_desc payload_vlan; -extern const struct payload_desc payload_eth; + const struct proto_ctx *ctx); #endif /* NFTABLES_PAYLOAD_H */ diff --git a/include/proto.h b/include/proto.h new file mode 100644 index 00000000..037ef09e --- /dev/null +++ b/include/proto.h 
@@ -0,0 +1,287 @@
+#ifndef NFTABLES_PROTO_H
+#define NFTABLES_PROTO_H
+
+#include <nftables.h>
+
+/**
+ * enum proto_bases - protocol bases
+ *
+ * @PROTO_BASE_INVALID: uninitialised, does not happen
+ * @PROTO_BASE_LL_HDR: link layer header
+ * @PROTO_BASE_NETWORK_HDR: network layer header
+ * @PROTO_BASE_TRANSPORT_HDR: transport layer header
+ */
+enum proto_bases {
+ PROTO_BASE_INVALID,
+ PROTO_BASE_LL_HDR,
+ PROTO_BASE_NETWORK_HDR,
+ PROTO_BASE_TRANSPORT_HDR,
+ __PROTO_BASE_MAX
+};
+#define PROTO_BASE_MAX (__PROTO_BASE_MAX - 1)
+
+extern const char *proto_base_names[];
+extern const char *proto_base_tokens[];
+
+/**
+ * struct proto_hdr_template - protocol header field description
+ *
+ * @token: parser token describing the header field
+ * @dtype: data type of the header field
+ * @offset: offset of the header field from base
+ * @len: length of header field
+ */
+struct proto_hdr_template {
+ const char *token;
+ const struct datatype *dtype;
+ uint16_t offset;
+ uint16_t len;
+};
+
+#define PROTO_HDR_TEMPLATE(__token, __dtype, __offset, __len) \
+ { \
+ .token = (__token), \
+ .dtype = (__dtype), \
+ .offset = (__offset), \
+ .len = (__len), \
+ }
+
+#define PROTO_UPPER_MAX 16
+#define PROTO_HDRS_MAX 20
+
+/**
+ * struct proto_desc - protocol header description
+ *
+ * @name: protocol name
+ * @base: header base
+ * @protocol_key: key of template containing upper layer protocol description
+ * @protocols: link to upper layer protocol descriptions indexed by protocol value
+ * @templates: header templates
+ */
+struct proto_desc {
+ const char *name;
+ enum proto_bases base;
+ unsigned int protocol_key;
+ struct {
+ unsigned int num;
+ const struct proto_desc *desc;
+ } protocols[PROTO_UPPER_MAX];
+ struct proto_hdr_template templates[PROTO_HDRS_MAX];
+};
+
+#define PROTO_LINK(__num, __desc) { .num = (__num), .desc = (__desc), }
+
+/**
+ * struct hook_proto_desc - description of protocol constraints imposed by hook family
+ *
+ * @base: protocol base of packets
+ * @desc: protocol description of packets
+ */
+struct hook_proto_desc {
+ enum proto_bases base;
+ const struct proto_desc *desc;
+};
+
+#define HOOK_PROTO_DESC(__base, __desc) { .base = (__base), .desc = (__desc), }
+
+extern const struct hook_proto_desc hook_proto_desc[];
+
+/**
+ * struct dev_proto_desc - description of device LL protocol
+ *
+ * @desc: protocol description
+ * @type: arphrd value
+ */
+struct dev_proto_desc {
+ const struct proto_desc *desc;
+ uint16_t type;
+};
+
+#define DEV_PROTO_DESC(__type, __desc) { .type = (__type), .desc = (__desc), }
+
+extern int proto_dev_type(const struct proto_desc *desc, uint16_t *res);
+extern const struct proto_desc *proto_dev_desc(uint16_t type);
+
+/**
+ * struct proto_ctx - protocol context
+ *
+ * @family: hook family
+ * @location: location of the relational expression defining the context
+ * @desc: protocol description for this layer
+ *
+ * The location of the context is the location of the relational expression
+ * defining it, either directly through a protocol match or indirectly
+ * through a dependency.
+ */
+struct proto_ctx {
+ unsigned int family;
+ struct {
+ struct location location;
+ const struct proto_desc *desc;
+ } protocol[PROTO_BASE_MAX + 1];
+};
+
+extern void proto_ctx_init(struct proto_ctx *ctx, unsigned int family);
+extern const struct proto_desc *proto_find_upper(const struct proto_desc *base,
+ unsigned int num);
+extern int proto_find_num(const struct proto_desc *base,
+ const struct proto_desc *desc);
+
+enum eth_hdr_fields {
+ ETHHDR_INVALID,
+ ETHHDR_DADDR,
+ ETHHDR_SADDR,
+ ETHHDR_TYPE,
+};
+
+enum vlan_hdr_fields {
+ VLANHDR_INVALID,
+ VLANHDR_VID,
+ VLANHDR_CFI,
+ VLANHDR_PCP,
+ VLANHDR_TYPE,
+};
+
+enum arp_hdr_fields {
+ ARPHDR_INVALID,
+ ARPHDR_HRD,
+ ARPHDR_PRO,
+ ARPHDR_HLN,
+ ARPHDR_PLN,
+ ARPHDR_OP,
+};
+
+enum ip_hdr_fields {
+ IPHDR_INVALID,
+ IPHDR_VERSION,
+ IPHDR_HDRLENGTH,
+ IPHDR_TOS,
+ IPHDR_LENGTH,
+ IPHDR_ID,
+ IPHDR_FRAG_OFF,
+ IPHDR_TTL,
+ IPHDR_PROTOCOL,
+ IPHDR_CHECKSUM,
+ IPHDR_SADDR,
+ IPHDR_DADDR,
+};
+
+enum icmp_hdr_fields {
+ ICMPHDR_INVALID,
+ ICMPHDR_TYPE,
+ ICMPHDR_CODE,
+ ICMPHDR_CHECKSUM,
+ ICMPHDR_ID,
+ ICMPHDR_SEQ,
+ ICMPHDR_GATEWAY,
+ ICMPHDR_MTU,
+};
+
+enum icmp6_hdr_fields {
+ ICMP6HDR_INVALID,
+ ICMP6HDR_TYPE,
+ ICMP6HDR_CODE,
+ ICMP6HDR_CHECKSUM,
+ ICMP6HDR_PPTR,
+ ICMP6HDR_MTU,
+ ICMP6HDR_ID,
+ ICMP6HDR_SEQ,
+ ICMP6HDR_MAXDELAY,
+};
+
+enum ip6_hdr_fields {
+ IP6HDR_INVALID,
+ IP6HDR_VERSION,
+ IP6HDR_PRIORITY,
+ IP6HDR_FLOWLABEL,
+ IP6HDR_LENGTH,
+ IP6HDR_NEXTHDR,
+ IP6HDR_HOPLIMIT,
+ IP6HDR_SADDR,
+ IP6HDR_DADDR,
+ IP6HDR_PROTOCOL,
+};
+
+enum ah_hdr_fields {
+ AHHDR_INVALID,
+ AHHDR_NEXTHDR,
+ AHHDR_HDRLENGTH,
+ AHHDR_RESERVED,
+ AHHDR_SPI,
+ AHHDR_SEQUENCE,
+};
+
+enum esp_hdr_fields {
+ ESPHDR_INVALID,
+ ESPHDR_SPI,
+ ESPHDR_SEQUENCE,
+};
+
+enum comp_hdr_fields {
+ COMPHDR_INVALID,
+ COMPHDR_NEXTHDR,
+ COMPHDR_FLAGS,
+ COMPHDR_CPI,
+};
+
+enum udp_hdr_fields {
+ UDPHDR_INVALID,
+ UDPHDR_SPORT,
+ UDPHDR_DPORT,
+ UDPHDR_LENGTH,
+ UDPHDR_CSUMCOV = UDPHDR_LENGTH,
+ UDPHDR_CHECKSUM,
+};
+
+enum tcp_hdr_fields {
+ TCPHDR_INVALID,
+ TCPHDR_SPORT,
+ TCPHDR_DPORT,
+ TCPHDR_SEQ,
+ TCPHDR_ACKSEQ,
+ TCPHDR_DOFF,
+ TCPHDR_RESERVED,
+ TCPHDR_FLAGS,
+ TCPHDR_WINDOW,
+ TCPHDR_CHECKSUM,
+ TCPHDR_URGPTR,
+};
+
+enum dccp_hdr_fields {
+ DCCPHDR_INVALID,
+ DCCPHDR_SPORT,
+ DCCPHDR_DPORT,
+ DCCPHDR_TYPE,
+};
+
+enum sctp_hdr_fields {
+ SCTPHDR_INVALID,
+ SCTPHDR_SPORT,
+ SCTPHDR_DPORT,
+ SCTPHDR_VTAG,
+ SCTPHDR_CHECKSUM,
+};
+
+extern const struct proto_desc proto_icmp;
+extern const struct proto_desc proto_ah;
+extern const struct proto_desc proto_esp;
+extern const struct proto_desc proto_comp;
+extern const struct proto_desc proto_udp;
+extern const struct proto_desc proto_udplite;
+extern const struct proto_desc proto_tcp;
+extern const struct proto_desc proto_dccp;
+extern const struct proto_desc proto_sctp;
+extern const struct proto_desc proto_icmp6;
+
+extern const struct proto_desc proto_ip;
+extern const struct proto_desc proto_ip6;
+
+extern const struct proto_desc proto_arp;
+
+extern const struct proto_desc proto_vlan;
+extern const struct proto_desc proto_eth;
+
+extern const struct proto_desc proto_unknown;
+extern const struct proto_hdr_template proto_unknown_template;
+
+#endif /* NFTABLES_PROTO_H */
diff --git a/include/rule.h b/include/rule.h
index 6ad8af3b..2a7b7980 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -292,7 +292,7 @@ struct eval_ctx { struct set *set; struct stmt *stmt; struct expr_ctx ectx; - struct payload_ctx pctx; + struct proto_ctx pctx; }; extern int evaluate(struct eval_ctx *ctx, struct list_head *commands); |
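Review bot: `proto_base_names[]` and `proto_base_tokens[]` in proto.h are declared as unbounded arrays although they are indexed by `enum proto_bases`, so a definition in proto.c that drifts out of step with the enum becomes a silent out-of-bounds read instead of a compile error; declare them as `extern const char *proto_base_names[PROTO_BASE_MAX + 1];` and `extern const char *proto_base_tokens[PROTO_BASE_MAX + 1];` so the bound is part of the contract. The same concern applies to `hook_proto_desc[]`, which is presumably indexed by hook family: with no declared size, a caller cannot check the family against the table length before indexing, and the header should at least say which index range is valid. The error conventions of `proto_dev_type()` (int return plus `res` out-parameter) and `proto_dev_desc()` (likely NULL for an unknown ARPHRD value) are also undocumented; a one-line comment on each, e.g. `/* Returns NULL if no link-layer protocol is known for the ARPHRD type. */`, would spare callers a trip to proto.c and make the NULL check obviously required.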