#ifndef _NFT_H_
#define _NFT_H_
#include "xshared.h"
#include "nft-shared.h"
#include <libiptc/linux_list.h>
/*
 * Identifiers of the builtin tables.  The enumerators are presumably
 * used as array indices (struct nft_cache::table[] and the xtables_*
 * arrays declared below are all sized NFT_TABLE_MAX), so their order
 * and values are part of the layout: append new entries, never
 * renumber existing ones.
 */
enum nft_table_type {
	NFT_TABLE_FILTER = 0,
	NFT_TABLE_MANGLE,
	NFT_TABLE_RAW,
	NFT_TABLE_SECURITY,
	NFT_TABLE_NAT,
};
/*
 * Number of builtin tables.  Derived from the last enumerator, so a
 * table type appended after NFT_TABLE_NAT also needs this updated.
 */
#define NFT_TABLE_MAX (NFT_TABLE_NAT + 1)

/*
 * One base chain of a builtin table: the name iptables shows for it,
 * the nftables chain type, the hook priority and the netfilter hook it
 * is registered on.  Instances presumably live in the xtables_* arrays
 * declared further down.
 */
struct builtin_chain {
	const char *name;	/* chain name; a NULL name presumably marks an
				 * unused hook slot — confirm in nft.c */
	const char *type;	/* nftables chain type string (presumably
				 * "filter", "nat" or "route") */
	uint32_t prio;		/* hook priority.  NOTE(review): netfilter
				 * priorities can be negative; keeping them in an
				 * unsigned field relies on modular conversion.
				 * That matches a u32 netlink attribute, but it
				 * deserves a comment where the values are set. */
	uint32_t hook;		/* netfilter hook number (NF_INET_*, assumed) */
};

/*
 * A builtin table: its name, its enum nft_table_type slot and one
 * builtin_chain per netfilter hook.  NF_INET_NUMHOOKS is not defined in
 * this header; it presumably arrives through one of the includes above
 * (<linux/netfilter.h>).
 */
struct builtin_table {
	const char *name;				/* table name as sent to the kernel */
	enum nft_table_type type;			/* slot of this table, < NFT_TABLE_MAX */
	struct builtin_chain chains[NF_INET_NUMHOOKS];	/* presumably indexed by hook number */
};

/*
 * How much of the kernel ruleset has been fetched into struct nft_cache.
 * The enumerators are ordered from nothing to everything; callers
 * presumably treat them as monotonic levels (NFT_CL_RULES implying that
 * tables, chains and sets are present too) — confirm where the cache is
 * filled.
 */
enum nft_cache_level {
	NFT_CL_NONE,	/* nothing fetched yet */
	NFT_CL_TABLES,	/* table list only */
	NFT_CL_CHAINS,	/* ... plus chains */
	NFT_CL_SETS,	/* ... plus sets */
	NFT_CL_RULES	/* ... plus rules */
};

/*
 * Cached view of the kernel ruleset for one family.  A handle owns two
 * of these (struct nft_handle::__cache); which one is live is tracked by
 * the handle, not here.
 */
struct nft_cache {
	struct nftnl_table_list *tables;	/* all tables of the family */
	struct {
		struct nftnl_chain_list *chains;	/* chains of this builtin table */
		struct nftnl_set_list *sets;		/* sets of this builtin table */
		bool initialized;			/* chains/sets lists fetched (assumed) */
	} table[NFT_TABLE_MAX];			/* presumably indexed by enum nft_table_type */
};

/*
 * Per-invocation state of the nft backend: the netlink socket, the batch
 * being built, the ruleset cache and a few mode flags.  Set up by
 * nft_init() and torn down by nft_fini() (declared below).
 */
struct nft_handle {
	int family;			/* netfilter family of this handle (NFPROTO_*, assumed) */
	struct mnl_socket *nl;		/* libmnl netlink socket */
	int nlsndbuffsiz;		/* netlink send buffer size */
	int nlrcvbuffsiz;		/* netlink receive buffer size */
	uint32_t portid;		/* our netlink port id.  Replies carrying another
					 * portid/seq must not be accepted; presumably
					 * checked in mnl_talk() — confirm */
	uint32_t seq;			/* netlink sequence number of the next request */
	uint32_t nft_genid;		/* kernel ruleset generation id, presumably used
					 * to notice that the cache went stale — confirm */
	uint32_t rule_id;		/* counter for batch-local rule ids (assumed) */
	struct list_head obj_list;	/* objects queued for the pending batch */
	int obj_list_num;		/* number of entries on obj_list */
	struct nftnl_batch *batch;	/* libnftnl batch under construction */
	struct list_head err_list;	/* errors reported for the last batch (assumed) */
	struct nft_family_ops *ops;	/* family-specific callbacks (presumably nft-shared.h) */
	const struct builtin_table *tables;	/* builtin table array of this family;
						 * presumably the 't' given to nft_init() */
	unsigned int cache_index;	/* which __cache[] entry is live (assumed) */
	struct nft_cache __cache[2];	/* double-buffered cache storage.  NOTE: the name
					 * is a reserved identifier (leading "__"); left
					 * alone because callers reference it by name */
	struct nft_cache *cache;	/* live cache; presumably &__cache[cache_index] */
	enum nft_cache_level cache_level;	/* how much of the ruleset *cache holds */
	bool restore;			/* iptables-restore mode (by name) */
	bool noflush;			/* --noflush was given (by name) */
	int8_t config_done;		/* restore-input bookkeeping; exact values not visible here */

	/* meta data, for error reporting */
	struct {
		unsigned int lineno;	/* input line being processed (presumably restore input) */
	} error;
};

/*
 * Builtin table definitions per family, defined elsewhere (presumably
 * nft.c).  No IPv6 array is declared, so the IPv4 one is presumably
 * shared with ip6tables.  Meant to be installed as
 * struct nft_handle::tables via nft_init().
 */
extern const struct builtin_table xtables_ipv4[NFT_TABLE_MAX];
extern const struct builtin_table xtables_arp[NFT_TABLE_MAX];
extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];

/*
 * Handle lifecycle and the low-level netlink request helper.  Return
 * conventions are not visible in this header; check the definitions
 * before treating a result as an errno value or a boolean.
 */

/* Send nlh on h->nl and feed every reply to cb(nlh, data).  The
 * handle's portid/seq are presumably used to match replies; confirm
 * that messages for another portid or sequence number are dropped. */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);

/* Initialise h for family, with t as its builtin table array. */
int nft_init(struct nft_handle *h, int family,
	     const struct builtin_table *t);

/* Release everything nft_init() acquired. */
void nft_fini(struct nft_handle *h);

/* Re-establish the handle's kernel connection (by name; semantics not
 * visible here). */
int nft_restart(struct nft_handle *h);

/*
 * Operations with tables.  'table' is the iptables table name
 * ("filter", "nat", ...); whether it has to be a builtin table is
 * decided per function (not visible here).
 */
struct nftnl_table;
struct nftnl_chain_list;

/* Walk the known tables, calling func(h, tablename, data) for each.
 * What a non-zero return from func does is not visible here. */
int nft_for_each_table(struct nft_handle *h,
		       int (*func)(struct nft_handle *h,
				   const char *tablename, void *data),
		       void *data);

/* Does a table called tablename exist? */
bool nft_table_find(struct nft_handle *h, const char *tablename);

/* Remove the chains on list from table. */
int nft_table_purge_chains(struct nft_handle *h, const char *table,
			   struct nftnl_chain_list *list);

/* Flush table. */
int nft_table_flush(struct nft_handle *h, const char *table);

/* Queue creation of table.  There is no return value, so a failure can
 * only surface once the batch is committed. */
void nft_table_new(struct nft_handle *h, const char *table);

/* Find table among h->tables; presumably NULL when it is not builtin. */
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h,
						   const char *table);

/*
 * Operations with chains.  NOTE(review): the argument order is not
 * uniform — nft_chain_set() and nft_chain_exists() take (table, chain)
 * while the nft_chain_user_*() functions take (chain, table).  Both are
 * const char *, so a swapped call compiles silently; double-check call
 * sites when touching these.
 */
struct nftnl_chain;

/* Set the policy (and optionally the counters) of a base chain. */
int nft_chain_set(struct nft_handle *h, const char *table,
		  const char *chain, const char *policy,
		  const struct xt_counters *counters);

/* Print the chains on list in save format (by name). */
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list);

/* Create a user-defined chain. */
int nft_chain_user_add(struct nft_handle *h, const char *chain,
		       const char *table);

/* Delete a user-defined chain; verbose presumably echoes the action. */
int nft_chain_user_del(struct nft_handle *h, const char *chain,
		       const char *table, bool verbose);

/* Restore-mode chain creation (how it differs from nft_chain_user_add()
 * is not visible here). */
int nft_chain_restore(struct nft_handle *h, const char *chain,
		      const char *table);

/* Rename a user-defined chain to newname. */
int nft_chain_user_rename(struct nft_handle *h, const char *chain,
			  const char *table, const char *newname);

/* Zero the counters of chain in table. */
int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
			    const char *table, bool verbose);

/* Look chain up among the base chains of builtin table t. */
const struct builtin_chain *
nft_chain_builtin_find(const struct builtin_table *t, const char *chain);

/* Does chain exist in table? */
bool nft_chain_exists(struct nft_handle *h, const char *table,
		      const char *chain);

/* Bridge-family fixups applied to a chain c (semantics not visible
 * here). */
void nft_bridge_chain_postprocess(struct nft_handle *h,
				  struct nftnl_chain *c);

/*
 * Operations with rule-set.  'data' is the family-specific rule
 * description (opaque here).  rulenum is a rule position, presumably
 * 1-based as on the iptables command line; it is a plain int, so the
 * implementation — not the type — has to reject zero and negative
 * values.
 */
struct nftnl_rule;

/* Append a rule; ref, when non-NULL, is presumably an existing rule to
 * derive the new one from. */
int nft_rule_append(struct nft_handle *h, const char *chain,
		    const char *table, void *data, struct nftnl_rule *ref,
		    bool verbose);

/* Insert a rule at position rulenum. */
int nft_rule_insert(struct nft_handle *h, const char *chain,
		    const char *table, void *data, int rulenum,
		    bool verbose);

/* Check whether a rule matching data exists (iptables -C). */
int nft_rule_check(struct nft_handle *h, const char *chain,
		   const char *table, void *data, bool verbose);

/* Delete the rule matching data. */
int nft_rule_delete(struct nft_handle *h, const char *chain,
		    const char *table, void *data, bool verbose);

/* Delete the rule at position rulenum. */
int nft_rule_delete_num(struct nft_handle *h, const char *chain,
			const char *table, int rulenum, bool verbose);

/* Replace the rule at position rulenum with data. */
int nft_rule_replace(struct nft_handle *h, const char *chain,
		     const char *table, void *data, int rulenum,
		     bool verbose);

/* List rules (iptables -L); format holds the output flags (assumed). */
int nft_rule_list(struct nft_handle *h, const char *chain,
		  const char *table, int rulenum, unsigned int format);

/* List rules in save format; counters presumably selects whether
 * counter values are printed. */
int nft_rule_list_save(struct nft_handle *h, const char *chain,
		       const char *table, int rulenum, int counters);

/* Dump a whole table in save format. */
int nft_rule_save(struct nft_handle *h, const char *table,
		  unsigned int format);

/* Flush chain of table (whether NULL chain means "all" is not visible
 * here). */
int nft_rule_flush(struct nft_handle *h, const char *chain,
		   const char *table, bool verbose);

/* Zero the counters of rule rulenum in chain. */
int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
			   const char *table, int rulenum);

/*
 * Operations used in userspace tools: helpers that append expressions
 * to a libnftnl rule while an iptables command is translated.
 */

/* Add a counter expression preset to packets/bytes. */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);

/* Add an immediate verdict. */
int add_verdict(struct nftnl_rule *r, int verdict);

/* Add an xtables match expression for m. */
int add_match(struct nft_handle *h, struct nftnl_rule *r,
	      struct xt_entry_match *m);

/* Add an xtables target expression for t. */
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);

/* Add a jump/goto (verdict) to the chain called name. */
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);

/* Add whatever action cs describes; goto_set presumably selects -g
 * over -j. */
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
	       bool goto_set);

/* Extract the rule comment from data_len bytes of rule userdata.
 * data_len is an externally supplied length and must be bounds-checked
 * by the implementation; whether the returned string is newly allocated
 * or points into data is not visible here — check before freeing it. */
char *get_comment(const void *data, uint32_t data_len);

/*
 * Which command nft_rule_print_save() should print a rule as:
 * presumably "-A" for NFT_RULE_APPEND and "-D" for NFT_RULE_DEL.
 */
enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

/* Print r in save format, as an append or delete command according to
 * type; format carries the output flags (assumed). */
void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
			 enum nft_rule_print type, unsigned int format);

/* Map the invert bit flag in invflags to an nft cmp operator:
 * presumably a not-equal compare when the bit is set, equal
 * otherwise. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */

/* Send the pending batch to the kernel. */
int nft_commit(struct nft_handle *h);

/* Bridge-family commit; presumably needs extra handling beyond
 * nft_commit(), see the definition. */
int nft_bridge_commit(struct nft_handle *h);

/* Discard the pending batch without sending it. */
int nft_abort(struct nft_handle *h);

/* Undo a queued policy rule for table (by name; semantics not visible
 * here). */
int nft_abort_policy_rule(struct nft_handle *h, const char *table);

/*
 * revision compatibility.
 */

/* Ask whether revision rev of the extension called name is usable; opt
 * presumably distinguishes match from target — confirm. */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */

/* Human-readable text for an error code produced by this backend. */
const char *nft_strerror(int err);

/* For xtables.c */
/* Parse and execute one iptables/ip6tables command line.  *table is
 * passed by reference, presumably so the parser can hand back the
 * table it settled on; restore selects iptables-restore behaviour. */
int do_commandx(struct nft_handle *h, int argc, char *argv[],
		char **table, bool restore);

/* For xtables-arptables.c */
/* Family setup for arptables; pname is presumably the program name
 * used in messages. */
int nft_init_arp(struct nft_handle *h, const char *pname);
/* arptables counterpart of do_commandx(). */
int do_commandarp(struct nft_handle *h, int argc, char *argv[],
		  char **table, bool restore);

/* For xtables-eb.c */
/* Family setup for ebtables; see nft_init_arp() for pname. */
int nft_init_eb(struct nft_handle *h, const char *pname);
/* Map an ebtables chain name to a chain number (the "not found" value
 * is not visible here). */
int ebt_get_current_chain(const char *chain);
/* ebtables counterpart of do_commandx(). */
int do_commandeb(struct nft_handle *h, int argc, char *argv[],
		 char **table, bool restore);

/*
 * Translation from iptables to nft
 */
struct xt_buf;	/* forward declaration only; none of the prototypes
		 * below use it — presumably kept for other users of
		 * this header */

/* Is a match called p_name present in cs? */
bool xlate_find_match(const struct iptables_command_state *cs,
		      const char *p_name);

/* Emit nft syntax for every match in cs into xl. */
int xlate_matches(const struct iptables_command_state *cs,
		  struct xt_xlate *xl);

/* Emit the action of cs; goto_set presumably selects goto over jump. */
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);

/* Emit an interface match for ifname under the meta key nftmeta,
 * negated when invert is set. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta,
		  const char *ifname, bool invert);

/*
 * ARP
 */

struct arpt_entry;

/* arptables variants of rule append/insert, taking an arpt_entry
 * instead of the generic data pointer of nft_rule_append()/insert(). */
int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/* Decode nft rule r into *fw.  Which fields are written, and whether
 * the caller must zero fw first, is not visible here. */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/* Can table (and chain, if given — NULL handling not visible here) be
 * represented by this iptables backend?  A native nft ruleset may hold
 * objects iptables-nft cannot express. */
bool nft_is_table_compatible(struct nft_handle *h,
			     const char *table, const char *chain);

/* Like nft_is_table_compatible(), but presumably bails out with an
 * error instead of returning false. */
void nft_assert_table_compatible(struct nft_handle *h,
				 const char *table, const char *chain);

/* ebtables: set the policy of a user-defined chain (by name). */
int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
			      const char *chain, const char *policy);

#endif