summaryrefslogtreecommitdiffstats
path: root/include/rule.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/rule.h')
-rw-r--r--include/rule.h122
1 files changed, 83 insertions, 39 deletions
diff --git a/include/rule.h b/include/rule.h
index cfb76b8a..3a833cf3 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -1,12 +1,12 @@
#ifndef NFTABLES_RULE_H
#define NFTABLES_RULE_H
-#include <stdint.h>
#include <nftables.h>
#include <list.h>
#include <netinet/in.h>
#include <libnftnl/object.h> /* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
#include <linux/netfilter/nf_tables.h>
+#include <cache.h>
/**
* struct handle_spec - handle ID
@@ -79,6 +79,7 @@ struct handle {
struct position_spec position;
struct position_spec index;
uint32_t set_id;
+ uint32_t chain_id;
uint32_t rule_id;
uint32_t position_id;
};
@@ -128,10 +129,11 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier);
enum table_flags {
TABLE_F_DORMANT = (1 << 0),
+ TABLE_F_OWNER = (1 << 1),
};
-#define TABLE_FLAGS_MAX 1
+#define TABLE_FLAGS_MAX 2
-extern const char *table_flags_name[TABLE_FLAGS_MAX];
+const char *table_flag_name(uint32_t flag);
/**
* struct table - nftables table
@@ -148,23 +150,29 @@ extern const char *table_flags_name[TABLE_FLAGS_MAX];
*/
struct table {
struct list_head list;
+ struct cache_item cache;
struct handle handle;
struct location location;
struct scope scope;
+ struct cache chain_cache;
+ struct cache set_cache;
+ struct cache obj_cache;
+ struct cache ft_cache;
struct list_head chains;
struct list_head sets;
struct list_head objs;
struct list_head flowtables;
+ struct list_head chain_bindings;
enum table_flags flags;
unsigned int refcnt;
+ uint32_t owner;
+ const char *comment;
+ bool has_xt_stmts;
};
extern struct table *table_alloc(void);
extern struct table *table_get(struct table *table);
extern void table_free(struct table *table);
-extern void table_add_hash(struct table *table, struct nft_cache *cache);
-extern struct table *table_lookup(const struct handle *h,
- const struct nft_cache *cache);
extern struct table *table_lookup_fuzzy(const struct handle *h,
const struct nft_cache *cache);
@@ -176,6 +184,15 @@ extern struct table *table_lookup_fuzzy(const struct handle *h,
enum chain_flags {
CHAIN_F_BASECHAIN = 0x1,
CHAIN_F_HW_OFFLOAD = 0x2,
+ CHAIN_F_BINDING = 0x4,
+};
+
+/**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+ FLOWTABLE_F_HW_OFFLOAD = 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
};
/**
@@ -195,6 +212,11 @@ struct hook_spec {
unsigned int num;
};
+struct chain_type_spec {
+ struct location loc;
+ const char *str;
+};
+
/**
* struct chain - nftables chain
*
@@ -213,16 +235,18 @@ struct hook_spec {
*/
struct chain {
struct list_head list;
+ struct cache_item cache;
struct handle handle;
struct location location;
unsigned int refcnt;
uint32_t flags;
+ const char *comment;
struct {
struct location loc;
struct prio_spec priority;
struct hook_spec hook;
struct expr *policy;
- const char *type;
+ struct chain_type_spec type;
const char **dev_array;
struct expr *dev_expr;
int dev_array_len;
@@ -235,21 +259,23 @@ struct chain {
extern int std_prio_lookup(const char *std_prio_name, int family, int hook);
extern const char *chain_type_name_lookup(const char *name);
extern const char *chain_hookname_lookup(const char *name);
-extern struct chain *chain_alloc(const char *name);
+extern struct chain *chain_alloc(void);
extern struct chain *chain_get(struct chain *chain);
extern void chain_free(struct chain *chain);
-extern void chain_add_hash(struct chain *chain, struct table *table);
-extern struct chain *chain_lookup(const struct table *table,
- const struct handle *h);
extern struct chain *chain_lookup_fuzzy(const struct handle *h,
const struct nft_cache *cache,
const struct table **table);
+extern struct chain *chain_binding_lookup(const struct table *table,
+ const char *chain_name);
extern const char *family2str(unsigned int family);
+#define __NF_ARP_INGRESS 255
extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
extern const char *chain_policy2str(uint32_t policy);
extern void chain_print_plain(const struct chain *chain,
struct output_ctx *octx);
+extern void chain_rules_print(const struct chain *chain,
+ struct output_ctx *octx, const char *indent);
/**
* struct rule - nftables rule
@@ -284,7 +310,6 @@ void rule_stmt_append(struct rule *rule, struct stmt *stmt);
void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
struct stmt *stmt);
-
/**
* struct set - nftables set
*
@@ -298,16 +323,20 @@ void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
* @key: key expression (data type, length))
* @data: mapping data expression
* @objtype: mapping object type
+ * @existing_set: reference to existing set in the kernel
* @init: initializer
* @rg_cache: cached range element (left)
* @policy: set mechanism policy
* @automerge: merge adjacents and overlapping elements, if possible
+ * @comment: comment
+ * @errors: expr evaluation errors seen
* @desc.size: count of set elements
* @desc.field_len: length of single concatenated fields, bytes
* @desc.field_count: count of concatenated fields
*/
struct set {
struct list_head list;
+ struct cache_item cache;
struct handle handle;
struct location location;
unsigned int refcnt;
@@ -317,13 +346,16 @@ struct set {
struct expr *key;
struct expr *data;
uint32_t objtype;
+ struct set *existing_set;
struct expr *init;
struct expr *rg_cache;
uint32_t policy;
- struct stmt *stmt;
+ struct list_head stmt_list;
bool root;
bool automerge;
bool key_typeof_valid;
+ bool errors;
+ const char *comment;
struct {
uint32_t size;
uint8_t field_len[NFT_REG32_COUNT];
@@ -335,8 +367,6 @@ extern struct set *set_alloc(const struct location *loc);
extern struct set *set_get(struct set *set);
extern void set_free(struct set *set);
extern struct set *set_clone(const struct set *set);
-extern void set_add_hash(struct set *set, struct table *table);
-extern struct set *set_lookup(const struct table *table, const char *name);
extern struct set *set_lookup_global(uint32_t family, const char *table,
const char *name, struct nft_cache *cache);
extern struct set *set_lookup_fuzzy(const char *set_name,
@@ -381,6 +411,11 @@ static inline bool set_is_meter(uint32_t set_flags)
return set_is_anonymous(set_flags) && (set_flags & NFT_SET_EVAL);
}
+static inline bool set_is_meter_compat(uint32_t set_flags)
+{
+ return set_flags & NFT_SET_EVAL;
+}
+
static inline bool set_is_interval(uint32_t set_flags)
{
return set_flags & NFT_SET_INTERVAL;
@@ -462,10 +497,12 @@ struct secmark {
*/
struct obj {
struct list_head list;
+ struct cache_item cache;
struct location location;
struct handle handle;
uint32_t type;
unsigned int refcnt;
+ const char *comment;
union {
struct counter counter;
struct quota quota;
@@ -481,19 +518,17 @@ struct obj {
struct obj *obj_alloc(const struct location *loc);
extern struct obj *obj_get(struct obj *obj);
void obj_free(struct obj *obj);
-void obj_add_hash(struct obj *obj, struct table *table);
-struct obj *obj_lookup(const struct table *table, const char *name,
- uint32_t type);
struct obj *obj_lookup_fuzzy(const char *obj_name,
const struct nft_cache *cache,
const struct table **t);
void obj_print(const struct obj *n, struct output_ctx *octx);
void obj_print_plain(const struct obj *obj, struct output_ctx *octx);
const char *obj_type_name(uint32_t type);
-uint32_t obj_type_to_cmd(uint32_t type);
+enum cmd_obj obj_type_to_cmd(uint32_t type);
struct flowtable {
struct list_head list;
+ struct cache_item cache;
struct handle handle;
struct scope scope;
struct location location;
@@ -509,8 +544,6 @@ struct flowtable {
extern struct flowtable *flowtable_alloc(const struct location *loc);
extern struct flowtable *flowtable_get(struct flowtable *flowtable);
extern void flowtable_free(struct flowtable *flowtable);
-extern void flowtable_add_hash(struct flowtable *flowtable, struct table *table);
-extern struct flowtable *flowtable_lookup(const struct table *table, const char *name);
extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name,
const struct nft_cache *cache,
const struct table **table);
@@ -535,6 +568,7 @@ void flowtable_print(const struct flowtable *n, struct output_ctx *octx);
* @CMD_EXPORT: export the ruleset in a given format
* @CMD_MONITOR: event listener
* @CMD_DESCRIBE: describe an expression
+ * @CMD_DESTROY: destroy object
*/
enum cmd_ops {
CMD_INVALID,
@@ -552,6 +586,7 @@ enum cmd_ops {
CMD_EXPORT,
CMD_MONITOR,
CMD_DESCRIBE,
+ CMD_DESTROY,
};
/**
@@ -592,6 +627,7 @@ enum cmd_obj {
CMD_OBJ_SETELEMS,
CMD_OBJ_SETS,
CMD_OBJ_RULE,
+ CMD_OBJ_RULES,
CMD_OBJ_CHAIN,
CMD_OBJ_CHAINS,
CMD_OBJ_TABLE,
@@ -614,11 +650,14 @@ enum cmd_obj {
CMD_OBJ_FLOWTABLE,
CMD_OBJ_FLOWTABLES,
CMD_OBJ_CT_TIMEOUT,
+ CMD_OBJ_CT_TIMEOUTS,
CMD_OBJ_SECMARK,
CMD_OBJ_SECMARKS,
CMD_OBJ_CT_EXPECT,
+ CMD_OBJ_CT_EXPECTATIONS,
CMD_OBJ_SYNPROXY,
CMD_OBJ_SYNPROXYS,
+ CMD_OBJ_HOOKS,
};
struct markup {
@@ -651,7 +690,12 @@ struct monitor {
struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event);
void monitor_free(struct monitor *m);
-#define NFT_NLATTR_LOC_MAX 8
+#define NFT_NLATTR_LOC_MAX 32
+
+struct nlerr_loc {
+ uint16_t offset;
+ const struct location *location;
+};
/**
* struct cmd - command statement
@@ -672,10 +716,15 @@ struct cmd {
enum cmd_obj obj;
struct handle handle;
uint32_t seqnum;
+ struct list_head collapse_list;
union {
void *data;
struct expr *expr;
struct set *set;
+ struct {
+ struct expr *expr; /* same offset as cmd->expr */
+ struct set *set;
+ } elem;
struct rule *rule;
struct chain *chain;
struct table *table;
@@ -684,25 +733,20 @@ struct cmd {
struct markup *markup;
struct obj *object;
};
- struct {
- uint16_t offset;
- struct location *location;
- } attr[NFT_NLATTR_LOC_MAX];
- int num_attrs;
+ struct nlerr_loc *attr;
+ uint32_t attr_array_len;
+ uint32_t num_attrs;
const void *arg;
};
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
const struct handle *h, const struct location *loc,
void *data);
-extern void nft_cmd_expand(struct cmd *cmd);
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
const struct handle *h,
const struct location *loc, struct obj *obj);
extern void cmd_free(struct cmd *cmd);
-void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc);
-
#include <payload.h>
#include <expression.h>
@@ -716,10 +760,13 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc);
* @rule: current rule
* @set: current set
* @stmt: current statement
+ * @stmt_len: current statement template length
+ * @recursion: expr evaluation recursion counter
* @cache: cache context
* @debug_mask: debugging bitmask
* @ectx: expression context
- * @pctx: payload context
+ * @_pctx: payload contexts
+ * @inner_desc: inner header description
*/
struct eval_ctx {
struct nft_ctx *nft;
@@ -729,8 +776,11 @@ struct eval_ctx {
struct rule *rule;
struct set *set;
struct stmt *stmt;
+ uint32_t stmt_len;
+ uint32_t recursion;
struct expr_ctx ectx;
- struct proto_ctx pctx;
+ struct proto_ctx _pctx[2];
+ const struct proto_desc *inner_desc;
};
extern int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd);
@@ -740,19 +790,13 @@ extern struct error_record *rule_postprocess(struct rule *rule);
struct netlink_ctx;
extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);
-extern unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds);
-extern int cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
- struct list_head *msgs);
-extern bool cache_needs_update(struct nft_cache *cache);
-extern void cache_release(struct nft_cache *cache);
-
struct timeout_protocol {
uint32_t array_size;
const char *const *state_to_name;
uint32_t *dflt_timeout;
};
-extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
+extern struct timeout_protocol timeout_protocol[UINT8_MAX + 1];
extern int timeout_str2num(uint16_t l4proto, struct timeout_state *ts);
#endif /* NFTABLES_RULE_H */