summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/datatype.h2
-rw-r--r--include/expression.h5
-rw-r--r--include/linux/netfilter/nf_log.h3
-rw-r--r--include/linux/netfilter/nf_tables.h2
-rw-r--r--include/netlink.h4
-rw-r--r--include/parser.h2
-rw-r--r--include/rule.h11
-rw-r--r--include/statement.h13
8 files changed, 38 insertions, 4 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 04b4892b..1061a389 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -305,4 +305,6 @@ extern struct error_record *rate_parse(const struct location *loc,
extern struct error_record *data_unit_parse(const struct location *loc,
const char *str, uint64_t *rate);
+extern void expr_chain_export(const struct expr *e, char *chain);
+
#endif /* NFTABLES_DATATYPE_H */
diff --git a/include/expression.h b/include/expression.h
index 8135a516..130912a8 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -249,6 +249,7 @@ struct expr {
/* EXPR_VERDICT */
int verdict;
struct expr *chain;
+ uint32_t chain_id;
};
struct {
/* EXPR_VALUE */
@@ -381,6 +382,8 @@ extern const struct datatype *expr_basetype(const struct expr *expr);
extern void expr_set_type(struct expr *expr, const struct datatype *dtype,
enum byteorder byteorder);
+void expr_to_string(const struct expr *expr, char *string);
+
struct eval_ctx;
extern int expr_binary_error(struct list_head *msgs,
const struct expr *e1, const struct expr *e2,
@@ -476,7 +479,7 @@ extern void interval_map_decompose(struct expr *set);
extern struct expr *get_set_intervals(const struct set *set,
const struct expr *init);
struct table;
-extern int get_set_decompose(struct table *table, struct set *set);
+extern int get_set_decompose(struct set *cache_set, struct set *set);
extern struct expr *mapping_expr_alloc(const struct location *loc,
struct expr *from, struct expr *to);
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
index 8be21e02..2ae00932 100644
--- a/include/linux/netfilter/nf_log.h
+++ b/include/linux/netfilter/nf_log.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NETFILTER_NF_LOG_H
#define _NETFILTER_NF_LOG_H
@@ -9,4 +10,6 @@
#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
#define NF_LOG_MASK 0x2f
+#define NF_LOG_PREFIXLEN 128
+
#endif /* _NETFILTER_NF_LOG_H */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4565456c..1341b52f 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -209,6 +209,7 @@ enum nft_chain_attributes {
NFTA_CHAIN_COUNTERS,
NFTA_CHAIN_PAD,
NFTA_CHAIN_FLAGS,
+ NFTA_CHAIN_ID,
__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
@@ -238,6 +239,7 @@ enum nft_rule_attributes {
NFTA_RULE_PAD,
NFTA_RULE_ID,
NFTA_RULE_POSITION_ID,
+ NFTA_RULE_CHAIN_ID,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
diff --git a/include/netlink.h b/include/netlink.h
index 0a5fde3c..1077096e 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -64,6 +64,7 @@ struct netlink_ctx {
struct nft_ctx *nft;
struct list_head *msgs;
struct list_head list;
+ struct list_head list_bindings;
struct set *set;
const void *data;
uint32_t seqnum;
@@ -83,6 +84,7 @@ struct nft_data_linearize {
uint32_t len;
uint32_t value[4];
char chain[NFT_CHAIN_MAXNAMELEN];
+ uint32_t chain_id;
int verdict;
};
@@ -147,7 +149,7 @@ extern struct stmt *netlink_parse_set_expr(const struct set *set,
extern int netlink_list_setelems(struct netlink_ctx *ctx,
const struct handle *h, struct set *set);
extern int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
- const struct location *loc, struct table *table,
+ const struct location *loc, struct set *cache_set,
struct set *set, struct expr *init);
extern int netlink_delinearize_setelem(struct nftnl_set_elem *nlse,
struct set *set,
diff --git a/include/parser.h b/include/parser.h
index 636d1c88..9baa3a4d 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -11,7 +11,7 @@
#define YYLTYPE_IS_TRIVIAL 0
#define YYENABLE_NLS 0
-#define SCOPE_NEST_MAX 3
+#define SCOPE_NEST_MAX 4
struct parser_state {
struct input_descriptor *indesc;
diff --git a/include/rule.h b/include/rule.h
index cfb76b8a..60eadfa3 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -79,6 +79,7 @@ struct handle {
struct position_spec position;
struct position_spec index;
uint32_t set_id;
+ uint32_t chain_id;
uint32_t rule_id;
uint32_t position_id;
};
@@ -155,6 +156,7 @@ struct table {
struct list_head sets;
struct list_head objs;
struct list_head flowtables;
+ struct list_head chain_bindings;
enum table_flags flags;
unsigned int refcnt;
};
@@ -176,6 +178,7 @@ extern struct table *table_lookup_fuzzy(const struct handle *h,
enum chain_flags {
CHAIN_F_BASECHAIN = 0x1,
CHAIN_F_HW_OFFLOAD = 0x2,
+ CHAIN_F_BINDING = 0x4,
};
/**
@@ -244,12 +247,16 @@ extern struct chain *chain_lookup(const struct table *table,
extern struct chain *chain_lookup_fuzzy(const struct handle *h,
const struct nft_cache *cache,
const struct table **table);
+extern struct chain *chain_binding_lookup(const struct table *table,
+ const char *chain_name);
extern const char *family2str(unsigned int family);
extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
extern const char *chain_policy2str(uint32_t policy);
extern void chain_print_plain(const struct chain *chain,
struct output_ctx *octx);
+extern void chain_rules_print(const struct chain *chain,
+ struct output_ctx *octx, const char *indent);
/**
* struct rule - nftables rule
@@ -676,6 +683,10 @@ struct cmd {
void *data;
struct expr *expr;
struct set *set;
+ struct {
+ struct expr *expr; /* same offset as cmd->expr */
+ struct set *set;
+ } elem;
struct rule *rule;
struct chain *chain;
struct table *table;
diff --git a/include/statement.h b/include/statement.h
index 7d96b394..f2fc6ade 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -11,6 +11,14 @@ extern struct stmt *expr_stmt_alloc(const struct location *loc,
extern struct stmt *verdict_stmt_alloc(const struct location *loc,
struct expr *expr);
+struct chain_stmt {
+ struct chain *chain;
+ struct expr *expr;
+};
+
+struct stmt *chain_stmt_alloc(const struct location *loc, struct chain *chain,
+ enum nft_verdicts verdict);
+
struct flow_stmt {
const char *table_name;
};
@@ -75,7 +83,7 @@ enum {
};
struct log_stmt {
- const char *prefix;
+ struct expr *prefix;
unsigned int snaplen;
uint16_t group;
uint16_t qthreshold;
@@ -287,6 +295,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
* @STMT_CONNLIMIT: connection limit statement
* @STMT_MAP: map statement
* @STMT_SYNPROXY: synproxy statement
+ * @STMT_CHAIN: chain statement
*/
enum stmt_types {
STMT_INVALID,
@@ -315,6 +324,7 @@ enum stmt_types {
STMT_CONNLIMIT,
STMT_MAP,
STMT_SYNPROXY,
+ STMT_CHAIN,
};
/**
@@ -380,6 +390,7 @@ struct stmt {
struct flow_stmt flow;
struct map_stmt map;
struct synproxy_stmt synproxy;
+ struct chain_stmt chain;
};
};