#ifndef NFTABLES_RULE_H
#define NFTABLES_RULE_H
#include <stdint.h>
#include <nftables.h>
#include <list.h>
/**
 * struct handle - handle for tables, chains and rules
 *
 * Identifies an object in the table/chain/rule hierarchy. Which members are
 * meaningful depends on the object the handle refers to.
 *
 * @family: protocol family
 * @table: table name
 * @chain: chain name (chains and rules only)
 * @handle: rule handle (rules only)
 *
 * NOTE(review): @table and @chain are plain const char pointers; whether the
 * handle owns these strings (i.e. whether handle_free() releases them) is not
 * visible from this header - confirm against the implementation before
 * sharing a string between two handles.
 */
struct handle {
	int		family;
	const char	*table;
	const char	*chain;
	uint32_t	handle;
};
/* Merge members of @src into @dst (merge policy defined in the .c file). */
extern void handle_merge(struct handle *dst, const struct handle *src);
/* Release resources held by @h; see ownership note on struct handle. */
extern void handle_free(struct handle *h);
/**
 * struct table - nftables table
 *
 * @list: list node
 * @handle: table handle
 * @chains: chains contained in the table (list of struct chain via chain::list)
 */
struct table {
	struct list_head	list;
	struct handle		handle;
	struct list_head	chains;
};
/* Allocate a new table; the caller releases it with table_free(). */
extern struct table *table_alloc(void);
/* Free a table allocated by table_alloc(). */
extern void table_free(struct table *table);
/* Register @table in the global table lookup structure. */
extern void table_add_hash(struct table *table);
/* Find the registered table matching @h; return value on miss not visible here. */
extern struct table *table_lookup(const struct handle *h);
/**
 * struct chain - nftables chain
 *
 * @list: list node in table list
 * @handle: chain handle
 * @hooknum: hook number (base chains)
 * @priority: hook priority (base chains)
 * @rules: rules contained in the chain (list of struct rule via rule::list)
 *
 * NOTE(review): nothing in this header marks a chain as base vs. regular;
 * @hooknum/@priority are only meaningful for base chains, so callers must
 * know the chain kind before relying on them.
 */
struct chain {
	struct list_head	list;
	struct handle		handle;
	unsigned int		hooknum;
	unsigned int		priority;
	struct list_head	rules;
};
/* Allocate a chain named @name; the caller releases it with chain_free(). */
extern struct chain *chain_alloc(const char *name);
/* Free a chain allocated by chain_alloc(). */
extern void chain_free(struct chain *chain);
/* Register @chain for lookup within @table. */
extern void chain_add_hash(struct chain *chain, struct table *table);
/* Find the chain of @table matching @h; return value on miss not visible here. */
extern struct chain *chain_lookup(const struct table *table,
				  const struct handle *h);
/**
 * struct rule - nftables rule
 *
 * @list: list node in chain list
 * @handle: rule handle
 * @location: location the rule was defined at
 * @stmts: list of statements
 * @num_stmts: number of statements in stmts list
 *
 * @num_stmts must be kept in step with the length of @stmts by whoever
 * modifies the list.
 */
struct rule {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	struct list_head	stmts;
	unsigned int		num_stmts;
};
/* Allocate a rule defined at @loc with handle @h; release with rule_free(). */
extern struct rule *rule_alloc(const struct location *loc,
			       const struct handle *h);
/* Free a rule allocated by rule_alloc(). */
extern void rule_free(struct rule *rule);
/* Print @rule; output destination is defined by the implementation. */
extern void rule_print(const struct rule *rule);
/**
 * enum cmd_ops - command operations
 *
 * @CMD_INVALID: invalid
 * @CMD_ADD: add object
 * @CMD_DELETE: delete object
 * @CMD_LIST: list container
 * @CMD_FLUSH: flush container
 *
 * CMD_INVALID is the first enumerator (value 0), so a zero-initialized
 * struct cmd reads as an invalid operation rather than an accidental ADD.
 */
enum cmd_ops {
	CMD_INVALID,
	CMD_ADD,
	CMD_DELETE,
	CMD_LIST,
	CMD_FLUSH,
};
/**
 * enum cmd_obj - command objects
 *
 * @CMD_OBJ_INVALID: invalid
 * @CMD_OBJ_RULE: rule
 * @CMD_OBJ_CHAIN: chain
 * @CMD_OBJ_TABLE: table
 *
 * Used as the discriminant for the object union in struct cmd;
 * CMD_OBJ_INVALID is value 0 so a zero-initialized command is invalid.
 */
enum cmd_obj {
	CMD_OBJ_INVALID,
	CMD_OBJ_RULE,
	CMD_OBJ_CHAIN,
	CMD_OBJ_TABLE,
};
/**
 * struct cmd - command statement
 *
 * @list: list node
 * @location: location of the statement
 * @op: operation
 * @obj: object type to perform operation on
 * @handle: handle for operations working without full objects
 * @data: object, untyped view
 * @rule: object when @obj is CMD_OBJ_RULE
 * @chain: object when @obj is CMD_OBJ_CHAIN
 * @table: object when @obj is CMD_OBJ_TABLE
 *
 * The union members alias the same pointer; @obj is the only tag that says
 * which typed view is valid, so it must be checked before reading any of
 * @rule/@chain/@table. For operations that carry no object, the union is
 * expected to be unused and @handle identifies the target instead.
 */
struct cmd {
	struct list_head	list;
	struct location		location;
	enum cmd_ops		op;
	enum cmd_obj		obj;
	struct handle		handle;
	union {
		void		*data;
		struct rule	*rule;
		struct chain	*chain;
		struct table	*table;
	};
};
/*
 * Allocate a command performing @op on an object of type @obj, identified by
 * @h, with @data stored in the object union (it must point to the type @obj
 * names). NOTE(review): whether cmd_free() also frees @data is not visible
 * from this header - confirm before freeing the object separately.
 */
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
			     const struct handle *h, void *data);
/* Free a command allocated by cmd_alloc(). */
extern void cmd_free(struct cmd *cmd);
#include <payload.h>
#include <expression.h>
/**
 * struct eval_ctx - evaluation context
 *
 * @msgs: message queue (list the evaluator appends diagnostics to)
 * @stmt: current statement
 * @ectx: expression context
 * @pctx: payload context
 *
 * @ectx and @pctx are embedded by value (types from expression.h and
 * payload.h, which are included just above), so the context owns them.
 */
struct eval_ctx {
	struct list_head	*msgs;
	struct stmt		*stmt;
	struct expr_ctx		ectx;
	struct payload_ctx	pctx;
};
/*
 * Evaluate the list of struct cmd in @commands using @ctx. Returns an int
 * status; the success/failure convention is defined in the implementation.
 */
extern int evaluate(struct eval_ctx *ctx, struct list_head *commands);
/* Post-process @rule; returns an error record (NULL semantics not visible here). */
extern struct error_record *rule_postprocess(struct rule *rule);
/* Opaque here; defined by the netlink layer. */
struct netlink_ctx;
/* Execute @cmd against the kernel via @ctx; returns an int status. */
extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);
#endif /* NFTABLES_RULE_H */