diff options
Diffstat (limited to 'iptables/nft-shared.h')
-rw-r--r-- | iptables/nft-shared.h | 195 |
1 files changed, 53 insertions, 142 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index da4ba9d2..51d1e460 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -11,9 +11,9 @@ #include <linux/netfilter/nf_tables.h> #include "xshared.h" +#include "nft-ruleparse.h" #ifdef DEBUG -#define NLDEBUG #define DEBUG_DEL #endif @@ -35,98 +35,73 @@ | FMT_NUMERIC | FMT_NOTABLE) #define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) +struct nft_rule_ctx; struct xtables_args; struct nft_handle; struct xt_xlate; -enum { - NFT_XT_CTX_PAYLOAD = (1 << 0), - NFT_XT_CTX_META = (1 << 1), - NFT_XT_CTX_BITWISE = (1 << 2), - NFT_XT_CTX_IMMEDIATE = (1 << 3), - NFT_XT_CTX_PREV_PAYLOAD = (1 << 4), -}; - -struct nft_xt_ctx { - struct iptables_command_state *cs; - struct nftnl_expr_iter *iter; - struct nft_handle *h; - uint32_t flags; - const char *table; - - uint32_t reg; - struct { - uint32_t base; - uint32_t offset; - uint32_t len; - } payload, prev_payload; - struct { - uint32_t key; - } meta; - struct { - uint32_t data[4]; - uint32_t len, reg; - } immediate; - struct { - uint32_t mask[4]; - uint32_t xor[4]; - } bitwise; -}; - struct nft_family_ops { - int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data); - bool (*is_same)(const void *data_a, - const void *data_b); + int (*add)(struct nft_handle *h, struct nft_rule_ctx *ctx, + struct nftnl_rule *r, struct iptables_command_state *cs); + bool (*is_same)(const struct iptables_command_state *cs_a, + const struct iptables_command_state *cs_b); void (*print_payload)(struct nftnl_expr *e, struct nftnl_expr_iter *iter); - void (*parse_meta)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_payload)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_bitwise)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data); + void (*set_goto_flag)(struct iptables_command_state *cs); void (*print_table_header)(const char *tablename); void (*print_header)(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); + const struct xt_counters *counters, + int refs, uint32_t entries); void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format); - void (*save_rule)(const void *data, unsigned int format); + void (*save_rule)(const struct iptables_command_state *cs, + unsigned int format); void (*save_chain)(const struct nftnl_chain *c, const char *policy); - void (*proto_parse)(struct iptables_command_state *cs, - struct xtables_args *args); - void (*post_parse)(int command, struct iptables_command_state *cs, - struct xtables_args *args); - void (*parse_match)(struct xtables_match *m, void *data); - void (*parse_target)(struct xtables_target *t, void *data); - void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, + struct nft_ruleparse_ops *rule_parse; + struct xt_cmd_parse_ops cmd_parse; + void (*init_cs)(struct iptables_command_state *cs); + bool (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); void (*clear_cs)(struct iptables_command_state *cs); - int (*xlate)(const void *data, struct xt_xlate *xl); + int (*xlate)(const struct iptables_command_state *cs, + struct xt_xlate *xl); + int (*add_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum); + int (*delete_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*check_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*replace_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum); }; -void add_meta(struct nftnl_rule *r, uint32_t key); -void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base); -void add_bitwise(struct nftnl_rule *r, uint8_t *mask, size_t len); -void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor); -void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len); -void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op); -void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op); -void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op); -void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op); -void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op); -void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, +void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key, uint8_t *dreg); +void add_payload(struct nft_handle *h, struct nftnl_rule *r, int offset, int len, uint32_t base, uint8_t *dreg); +void add_bitwise(struct nft_handle *h, struct nftnl_rule *r, uint8_t *mask, size_t len, uint8_t sreg, uint8_t *dreg); +void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r, uint16_t mask, uint16_t xor, uint8_t sreg, uint8_t *dreg); +void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, uint8_t sreg); +void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg); +void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg); +void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg); +void add_iface(struct nft_handle *h, struct nftnl_rule *r, + char *iface, uint32_t key, uint32_t op); +void add_addr(struct nft_handle *h, struct nftnl_rule *r, enum nft_payload_bases base, int offset, void *data, void *mask, size_t len, uint32_t op); -void add_proto(struct nftnl_rule *r, int offset, size_t len, +void add_proto(struct nft_handle *h, struct nftnl_rule *r, int offset, size_t len, uint8_t proto, uint32_t op); -void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op); +void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint32_t op); void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv); bool is_same_interfaces(const char *a_iniface, const char *a_outiface, @@ -136,30 +111,10 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface, unsigned const char *b_iniface_mask, unsigned const char *b_outiface_mask); -int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, - unsigned char *iniface_mask, char *outiface, - unsigned char *outiface_mask, uint8_t *invflags); -void print_proto(uint16_t proto, int invert); +void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op); void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv); -void nft_rule_to_iptables_command_state(struct nft_handle *h, - const struct nftnl_rule *r, - struct iptables_command_state *cs); -void nft_clear_iptables_command_state(struct iptables_command_state *cs); -void print_header(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); -void print_rule_details(const struct iptables_command_state *cs, - const char *targname, uint8_t flags, - uint8_t invflags, uint8_t proto, - unsigned int num, unsigned int format); void print_matches_and_target(struct iptables_command_state *cs, unsigned int format); -void save_rule_details(const struct iptables_command_state *cs, - uint8_t invflags, uint16_t proto, - const char *iniface, - unsigned const char *iniface_mask, - const char *outiface, - unsigned const char *outiface_mask); void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy); void save_matches_and_target(const struct iptables_command_state *cs, bool goto_flag, const void *fw, @@ -167,55 +122,9 @@ void save_matches_and_target(const struct iptables_command_state *cs, struct nft_family_ops *nft_family_ops_lookup(int family); -void nft_ipv46_parse_target(struct xtables_target *t, void *data); - bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2); bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2); -struct addr_mask { - union { - struct in_addr *v4; - struct in6_addr *v6; - } addr; - - unsigned int naddrs; - - union { - struct in_addr *v4; - struct in6_addr *v6; - } mask; -}; - -struct xtables_args { - int family; - uint16_t proto; - uint8_t flags; - uint8_t invflags; - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; - bool goto_set; - const char *shostnetworkmask, *dhostnetworkmask; - const char *pcnt, *bcnt; - struct addr_mask s, d; - unsigned long long pcnt_cnt, bcnt_cnt; -}; - -struct nft_xt_cmd_parse { - unsigned int command; - unsigned int rulenum; - char *table; - const char *chain; - const char *newname; - const char *policy; - bool restore; - int verbose; - bool xlate; -}; - -void do_parse(struct nft_handle *h, int argc, char *argv[], - struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, - struct xtables_args *args); - struct nftnl_chain_list; struct nft_xt_restore_cb { @@ -249,7 +158,9 @@ void xtables_restore_parse(struct nft_handle *h, void nft_check_xt_legacy(int family, bool is_ipt_save); -#define min(x, y) ((x) < (y) ? (x) : (y)) -#define max(x, y) ((x) > (y) ? (x) : (y)) +/* simplified nftables:include/netlink.h, netlink_padded_len() */ +#define NETLINK_ALIGN 4 + +enum nft_registers nft_get_next_reg(enum nft_registers reg, size_t size); #endif |