authorTomasz Bursztyka <>2013-02-23 17:50:31 +0100
committerPablo Neira Ayuso <>2013-12-30 23:50:25 +0100
commit077785df023ad8947d44d19769bc6d91e3917633 (patch)
tree81edff765ee5eeb74997f2f1c4784058798776f0 /iptables/nft-shared.h
parent1ff21a68502d67e056100da7e0da074467bc08ed (diff)
nft: Split nft core to become family independant
This makes nft core code independent from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft-shared.h')
1 files changed, 110 insertions, 0 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
new file mode 100644
index 00000000..4b2594fa
--- /dev/null
+++ b/iptables/nft-shared.h
@@ -0,0 +1,110 @@
+ * Authors:
+ * (C) 2013 by Tomasz Bursztyka <>
+ * (C) 2012 by Pablo Neira Ayuso <>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+#ifndef _NFT_SHARED_H_
+#define _NFT_SHARED_H_
+#include <stdbool.h>
+#include <libnftables/rule.h>
+#include <libnftables/expr.h>
+#include "xshared.h"
+#if 0
+#define DEBUGP(x, args...) fprintf(stdout, x, ## args)
+#define NLDEBUG
+#define DEBUG_DEL
+#define DEBUGP(x, args...)
+ * iptables print output emulation
+ */
+#define FMT_NUMERIC 0x0001
+#define FMT_NOCOUNTS 0x0002
+#define FMT_KILOMEGAGIGA 0x0004
+#define FMT_OPTIONS 0x0008
+#define FMT_NOTABLE 0x0010
+#define FMT_NOTARGET 0x0020
+#define FMT_VIA 0x0040
+#define FMT_NONEWLINE 0x0080
+#define FMT_LINENUMBERS 0x0100
+#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
+struct nft_family_ops {
+ int (*add)(struct nft_rule *r, struct iptables_command_state *cs);
+ bool (*is_same)(const struct iptables_command_state *a,
+ const struct iptables_command_state *b);
+ void (*print_payload)(struct nft_rule_expr *e,
+ struct nft_rule_expr_iter *iter);
+ void (*parse_meta)(struct nft_rule_expr *e, uint8_t key,
+ struct iptables_command_state *cs);
+ void (*parse_payload)(struct nft_rule_expr_iter *iter,
+ struct iptables_command_state *cs,
+ uint32_t offset);
+ void (*parse_immediate)(struct iptables_command_state *cs);
+ uint8_t (*print_firewall)(const struct iptables_command_state *cs,
+ const char *targname, unsigned int num,
+ unsigned int format);
+void add_meta(struct nft_rule *r, uint32_t key);
+void add_payload(struct nft_rule *r, int offset, int len);
+void add_bitwise_u16(struct nft_rule *r, int mask, int xor);
+void add_cmp_ptr(struct nft_rule *r, uint32_t op, void *data, size_t len);
+void add_cmp_u16(struct nft_rule *r, uint16_t val, uint32_t op);
+void add_cmp_u32(struct nft_rule *r, uint32_t val, uint32_t op);
+void add_iniface(struct nft_rule *r, char *iface, int invflags);
+void add_outiface(struct nft_rule *r, char *iface, int invflags);
+void add_addr(struct nft_rule *r, int offset,
+ void *data, size_t len, int invflags);
+void add_proto(struct nft_rule *r, int offset, size_t len,
+ uint32_t proto, int invflags);
+bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+ unsigned const char *a_iniface_mask,
+ unsigned const char *a_outiface_mask,
+ const char *b_iniface, const char *b_outiface,
+ unsigned const char *b_iniface_mask,
+ unsigned const char *b_outiface_mask);
+void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
+ unsigned char *iniface_mask, char *outiface,
+ unsigned char *outiface_mask, uint8_t *invflags);
+void print_proto(uint16_t proto, int invert);
+void get_cmp_data(struct nft_rule_expr_iter *iter,
+ void *data, size_t dlen, bool *inv);
+void print_num(uint64_t number, unsigned int format);
+void print_firewall_details(const struct iptables_command_state *cs,
+ const char *targname, uint8_t flags,
+ uint8_t invflags, uint8_t proto,
+ const char *iniface, const char *outiface,
+ unsigned int num, unsigned int format);
+struct nft_family_ops *nft_family_ops_lookup(int family);