summaryrefslogtreecommitdiffstats
path: root/iptables/nft-shared.h
diff options
context:
space:
mode:
Diffstat (limited to 'iptables/nft-shared.h')
-rw-r--r--iptables/nft-shared.h128
1 files changed, 8 insertions, 120 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 3d935d53..51d1e460 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -11,6 +11,7 @@
#include <linux/netfilter/nf_tables.h>
#include "xshared.h"
+#include "nft-ruleparse.h"
#ifdef DEBUG
#define DEBUG_DEL
@@ -34,113 +35,18 @@
| FMT_NUMERIC | FMT_NOTABLE)
#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
+struct nft_rule_ctx;
struct xtables_args;
struct nft_handle;
struct xt_xlate;
-enum nft_ctx_reg_type {
- NFT_XT_REG_UNDEF,
- NFT_XT_REG_PAYLOAD,
- NFT_XT_REG_IMMEDIATE,
- NFT_XT_REG_META_DREG,
-};
-
-struct nft_xt_ctx_reg {
- enum nft_ctx_reg_type type:8;
-
- union {
- struct {
- uint32_t base;
- uint32_t offset;
- uint32_t len;
- } payload;
- struct {
- uint32_t data[4];
- uint8_t len;
- } immediate;
- struct {
- uint32_t key;
- } meta_dreg;
- };
-
- struct {
- uint32_t mask[4];
- uint32_t xor[4];
- bool set;
- } bitwise;
-};
-
-struct nft_xt_ctx {
- struct iptables_command_state *cs;
- struct nftnl_expr_iter *iter;
- struct nft_handle *h;
- uint32_t flags;
- const char *table;
- union {
- struct xt_tcp *tcp;
- struct xt_udp *udp;
- } tcpudp;
-
- struct nft_xt_ctx_reg regs[1 + 16];
-
- const char *errmsg;
-};
-
-static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_sreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
-{
- switch (reg) {
- case NFT_REG_VERDICT:
- return &ctx->regs[0];
- case NFT_REG_1:
- return &ctx->regs[1];
- case NFT_REG_2:
- return &ctx->regs[5];
- case NFT_REG_3:
- return &ctx->regs[9];
- case NFT_REG_4:
- return &ctx->regs[13];
- case NFT_REG32_00...NFT_REG32_15:
- return &ctx->regs[reg - NFT_REG32_00];
- default:
- ctx->errmsg = "Unknown register requested";
- break;
- }
-
- return NULL;
-}
-
-static inline void nft_xt_reg_clear(struct nft_xt_ctx_reg *r)
-{
- r->type = 0;
- r->bitwise.set = false;
-}
-
-static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_dreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
-{
- struct nft_xt_ctx_reg *r = nft_xt_ctx_get_sreg(ctx, reg);
-
- if (r)
- nft_xt_reg_clear(r);
-
- return r;
-}
-
struct nft_family_ops {
- int (*add)(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs);
+ int (*add)(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ struct nftnl_rule *r, struct iptables_command_state *cs);
bool (*is_same)(const struct iptables_command_state *cs_a,
const struct iptables_command_state *cs_b);
void (*print_payload)(struct nftnl_expr *e,
struct nftnl_expr_iter *iter);
- void (*parse_meta)(struct nft_xt_ctx *ctx,
- const struct nft_xt_ctx_reg *sreg,
- struct nftnl_expr *e,
- struct iptables_command_state *cs);
- void (*parse_payload)(struct nft_xt_ctx *ctx,
- const struct nft_xt_ctx_reg *sreg,
- struct nftnl_expr *e,
- struct iptables_command_state *cs);
- void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
void (*set_goto_flag)(struct iptables_command_state *cs);
void (*print_table_header)(const char *tablename);
@@ -153,13 +59,10 @@ struct nft_family_ops {
void (*save_rule)(const struct iptables_command_state *cs,
unsigned int format);
void (*save_chain)(const struct nftnl_chain *c, const char *policy);
+ struct nft_ruleparse_ops *rule_parse;
struct xt_cmd_parse_ops cmd_parse;
- void (*parse_match)(struct xtables_match *m,
- struct iptables_command_state *cs);
- void (*parse_target)(struct xtables_target *t,
- struct iptables_command_state *cs);
void (*init_cs)(struct iptables_command_state *cs);
- void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
+ bool (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
struct iptables_command_state *cs);
void (*clear_cs)(struct iptables_command_state *cs);
int (*xlate)(const struct iptables_command_state *cs,
@@ -192,8 +95,8 @@ void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, uint
void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg);
void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg);
void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg);
-void add_iniface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op);
-void add_outiface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op);
+void add_iface(struct nft_handle *h, struct nftnl_rule *r,
+ char *iface, uint32_t key, uint32_t op);
void add_addr(struct nft_handle *h, struct nftnl_rule *r, enum nft_payload_bases base, int offset,
void *data, void *mask, size_t len, uint32_t op);
void add_proto(struct nft_handle *h, struct nftnl_rule *r, int offset, size_t len,
@@ -208,15 +111,8 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
unsigned const char *b_iniface_mask,
unsigned const char *b_outiface_mask);
-int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
- char *iniface, unsigned char *iniface_mask, char *outiface,
- unsigned char *outiface_mask, uint8_t *invflags);
void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
-void nft_rule_to_iptables_command_state(struct nft_handle *h,
- const struct nftnl_rule *r,
- struct iptables_command_state *cs);
-void nft_clear_iptables_command_state(struct iptables_command_state *cs);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
@@ -226,9 +122,6 @@ void save_matches_and_target(const struct iptables_command_state *cs,
struct nft_family_ops *nft_family_ops_lookup(int family);
-void nft_ipv46_parse_target(struct xtables_target *t,
- struct iptables_command_state *cs);
-
bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
@@ -265,11 +158,6 @@ void xtables_restore_parse(struct nft_handle *h,
void nft_check_xt_legacy(int family, bool is_ipt_save);
-int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e, struct iptables_command_state *cs);
-
-#define min(x, y) ((x) < (y) ? (x) : (y))
-#define max(x, y) ((x) > (y) ? (x) : (y))
-
/* simplified nftables:include/netlink.h, netlink_padded_len() */
#define NETLINK_ALIGN 4