#ifndef NFTABLES_RULE_H
#define NFTABLES_RULE_H
#include <stdint.h>
#include <nftables.h>
#include <list.h>
#include <netinet/in.h>
#include <libnftnl/object.h>	/* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
#include <linux/netfilter/nf_tables.h>
/**
 * struct handle_spec - handle ID
 *
 * @location:	location this handle was defined at
 * @id:		64-bit handle ID value
 */
struct handle_spec {
	struct location		location;
	uint64_t		id;
};

/**
 * struct position_spec - position ID
 *
 * @location:	location this position was defined at
 * @id:		64-bit position ID value
 */
struct position_spec {
	struct location		location;
	uint64_t		id;
};

/**
 * struct table_spec - table reference by name
 *
 * @location:	location this table reference was defined at
 * @name:	table name
 */
struct table_spec {
	struct location		location;
	const char		*name;
};

/**
 * struct chain_spec - chain reference by name
 *
 * @location:	location this chain reference was defined at
 * @name:	chain name
 */
struct chain_spec {
	struct location		location;
	const char		*name;
};

/**
 * struct set_spec - set reference by name
 *
 * @location:	location this set reference was defined at
 * @name:	set name
 */
struct set_spec {
	struct location		location;
	const char		*name;
};

/**
 * struct flowtable_spec - flow table reference by name
 *
 * @location:	location this flow table reference was defined at
 * @name:	flow table name
 */
struct flowtable_spec {
	struct location		location;
	const char		*name;
};

/**
 * struct obj_spec - stateful object reference by name
 *
 * @location:	location this object reference was defined at
 * @name:	stateful object name
 */
struct obj_spec {
	struct location		location;
	const char		*name;
};

/**
 * struct handle - handle for tables, chains, rules and sets
 *
 * @family:	protocol family
 * @table:	table name
 * @chain:	chain name (chains and rules only)
 * @set:	set name (sets only)
 * @obj:	stateful object name (stateful object only)
 * @flowtable:	flow table name (flow table only)
 * @handle:	rule handle (rules only)
 * @position:	rule position (rules only)
 * @index:	rule index (rules only; cf. rule_lookup_by_index())
 * @set_id:	set ID (sets only)
 * @rule_id:	rule ID (rules only) -- NOTE(review): assignment site not
 *		visible in this header, confirm in the implementation
 * @position_id: position ID (rules only) -- NOTE(review): as above
 */
struct handle {
	uint32_t		family;
	struct table_spec	table;
	struct chain_spec	chain;
	struct set_spec		set;
	struct obj_spec		obj;
	struct flowtable_spec	flowtable;
	struct handle_spec	handle;
	struct position_spec	position;
	struct position_spec	index;
	uint32_t		set_id;
	uint32_t		rule_id;
	uint32_t		position_id;
};

/*
 * handle_merge(): writes into @dst, reads @src only (per the const
 * qualifier). handle_free(): releases whatever @h owns; the names are
 * const char pointers, so ownership of those strings is decided by the
 * implementation, not by this header.
 */
extern void handle_merge(struct handle *dst, const struct handle *src);
extern void handle_free(struct handle *h);

/**
 * struct scope - symbol scope
 *
 * @parent:	pointer to parent scope (NULL-ness of the root is decided by
 *		the implementation, see scope_init())
 * @symbols:	list of struct symbol bound in the scope, linked through
 *		symbol.list
 */
struct scope {
	const struct scope	*parent;
	struct list_head	symbols;
};

/*
 * Scope lifetime helpers. scope_init() takes the scope to initialize and
 * its (read-only) parent and returns a scope pointer; scope_release()
 * accepts a const scope and so cannot free the struct itself, whereas
 * scope_free() takes a mutable one.
 */
extern struct scope *scope_alloc(void);
extern struct scope *scope_init(struct scope *scope, const struct scope *parent);
extern void scope_release(const struct scope *scope);
extern void scope_free(struct scope *scope);

/**
 * struct symbol - named symbol bound in a scope
 *
 * @list:	scope symbol list node (linked into scope.symbols)
 * @identifier:	identifier
 * @expr:	initializer
 * @refcnt:	reference counter
 */
struct symbol {
	struct list_head	list;
	const char		*identifier;
	struct expr		*expr;
	int			refcnt;
};

/*
 * Symbol binding and lookup. symbol_bind() is the only one taking a
 * mutable scope; symbol_unbind() returns an int status. The _fuzzy and
 * symbol_get() declarations lack the `extern` keyword used by their
 * siblings; this has no semantic effect for function declarations.
 */
extern void symbol_bind(struct scope *scope, const char *identifier,
			struct expr *expr);
extern int symbol_unbind(const struct scope *scope, const char *identifier);
extern struct symbol *symbol_lookup(const struct scope *scope,
				    const char *identifier);
struct symbol *symbol_lookup_fuzzy(const struct scope *scope,
				   const char *identifier);
struct symbol *symbol_get(const struct scope *scope, const char *identifier);

/**
 * enum table_flags - table flag bits
 *
 * @TABLE_F_DORMANT:	table is dormant (bit 0)
 */
enum table_flags {
	TABLE_F_DORMANT		= (1 << 0),
};
/* Number of flag bits in enum table_flags; must be kept in sync with it. */
#define TABLE_FLAGS_MAX 1

/* Flag names, one entry per table_flags bit (indexed by bit position). */
extern const char *table_flags_name[TABLE_FLAGS_MAX];

/**
 * struct table - nftables table
 *
 * @list:	list node
 * @handle:	table handle
 * @location:	location the table was defined at
 * @scope:	symbol scope attached to the table
 * @chains:	chains contained in the table
 * @sets:	sets contained in the table
 * @objs:	stateful objects contained in the table
 * @flowtables:	flow tables contained in the table
 * @flags:	table flags
 * @refcnt:	table reference counter
 */
struct table {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	struct scope		scope;
	struct list_head	chains;
	struct list_head	sets;
	struct list_head	objs;
	struct list_head	flowtables;
	enum table_flags 	flags;
	unsigned int		refcnt;
};

/*
 * Table lifetime and lookup. table_get() returns the table it is given
 * (reference-taking by convention of the refcnt field -- confirm in the
 * implementation). table_add_hash() mutates the cache; both lookups take
 * the cache read-only and are keyed by a handle.
 */
extern struct table *table_alloc(void);
extern struct table *table_get(struct table *table);
extern void table_free(struct table *table);
extern void table_add_hash(struct table *table, struct nft_cache *cache);
extern struct table *table_lookup(const struct handle *h,
				  const struct nft_cache *cache);
extern struct table *table_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache);

/**
 * enum chain_flags - chain flags
 *
 * @CHAIN_F_BASECHAIN:	chain is a base chain (stored in chain.flags)
 */
enum chain_flags {
	CHAIN_F_BASECHAIN	= 0x1,
};

/**
 * struct prio_spec - extended priority specification for mixed
 *                    textual/numerical parsing.
 *
 * @loc:   location the priority was specified at
 * @expr:  expr of the standard priority value
 */
struct prio_spec {
	struct location loc;
	struct expr	*expr;
};

/**
 * struct chain - nftables chain
 *
 * @list:	list node in table list
 * @handle:	chain handle
 * @location:	location the chain was defined at
 * @refcnt:	reference counter
 * @flags:	chain flags (enum chain_flags bits)
 * @hookstr:	unified and human readable hook name (base chains)
 * @hooknum:	hook number (base chains)
 * @priority:	hook priority (base chains)
 * @policy:	default chain policy (base chains)
 * @type:	chain type
 * @dev_array:	array of device names (if any)
 * @dev_expr:	device expression (if any)
 * @dev_array_len: number of entries in @dev_array
 * @scope:	symbol scope attached to the chain
 * @rules:	rules contained in the chain
 */
struct chain {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	unsigned int		refcnt;
	uint32_t		flags;
	const char		*hookstr;
	unsigned int		hooknum;
	struct prio_spec	priority;
	struct expr		*policy;
	const char		*type;
	const char		**dev_array;
	struct expr		*dev_expr;
	int			dev_array_len;
	struct scope		scope;
	struct list_head	rules;
};

/* Buffer size for textual standard-priority names; callers sizing a
 * local buffer from it must bound their writes accordingly. */
#define STD_PRIO_BUFSIZE 100
extern int std_prio_lookup(const char *std_prio_name, int family, int hook);
/* Name lookups return a const string or, presumably, NULL on no match --
 * confirm in the implementation before relying on it. */
extern const char *chain_type_name_lookup(const char *name);
extern const char *chain_hookname_lookup(const char *name);
/* Chain lifetime, hashing into a table, and lookups. */
extern struct chain *chain_alloc(const char *name);
extern struct chain *chain_get(struct chain *chain);
extern void chain_free(struct chain *chain);
extern void chain_add_hash(struct chain *chain, struct table *table);
extern struct chain *chain_lookup(const struct table *table,
				  const struct handle *h);
/* chain_lookup_fuzzy() also reports the owning table through @table. */
extern struct chain *chain_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache,
					const struct table **table);

/* Human-readable names for families, hooks and policies; plain-text
 * printing of a chain into the given output context. */
extern const char *family2str(unsigned int family);
extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
extern const char *chain_policy2str(uint32_t policy);
extern void chain_print_plain(const struct chain *chain,
			      struct output_ctx *octx);

/**
 * struct rule - nftables rule
 *
 * @list:	list node in chain list
 * @handle:	rule handle
 * @location:	location the rule was defined at
 * @stmts:	list of statements
 * @num_stmts:	number of statements in stmts list
 * @comment:	comment
 * @refcnt:	rule reference counter
 */
struct rule {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	struct list_head	stmts;
	unsigned int		num_stmts;
	const char		*comment;
	unsigned int		refcnt;
};

/*
 * Rule lifetime, printing and lookup. rule_lookup() is keyed by the
 * 64-bit rule handle, rule_lookup_by_index() by position index; both
 * take the chain read-only.
 */
extern struct rule *rule_alloc(const struct location *loc,
			       const struct handle *h);
extern struct rule *rule_get(struct rule *rule);
extern void rule_free(struct rule *rule);
extern void rule_print(const struct rule *rule, struct output_ctx *octx);
extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle);
extern struct rule *rule_lookup_by_index(const struct chain *chain,
					 uint64_t index);

/**
 * struct set - nftables set
 *
 * @list:	table set list node
 * @handle:	set handle
 * @location:	location the set was defined/declared at
 * @refcnt:	reference count
 * @flags:	bitmask of set flags (NFT_SET_* bits, see set_is_*() below)
 * @gc_int:	garbage collection interval
 * @timeout:	default timeout value
 * @key:	key expression (data type, length)
 * @datatype:	mapping data type
 * @datalen:	mapping data len
 * @objtype:	mapping object type
 * @init:	initializer
 * @rg_cache:	cached range element (left)
 * @policy:	set mechanism policy
 * @automerge:	merge adjacents and overlapping elements, if possible
 * @desc:	set mechanism desc (@desc.size: set size)
 */
struct set {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	unsigned int		refcnt;
	uint32_t		flags;
	uint32_t		gc_int;
	uint64_t		timeout;
	struct expr		*key;
	const struct datatype	*datatype;
	unsigned int		datalen;
	uint32_t		objtype;
	struct expr		*init;
	struct expr		*rg_cache;
	uint32_t		policy;
	bool			automerge;
	struct {
		uint32_t	size;
	} desc;
};

/*
 * Set lifetime, cloning, hashing and lookup. set_lookup_global() differs
 * from the other lookups in taking a mutable cache; set_lookup_fuzzy()
 * reports the owning table through @table.
 */
extern struct set *set_alloc(const struct location *loc);
extern struct set *set_get(struct set *set);
extern void set_free(struct set *set);
extern struct set *set_clone(const struct set *set);
extern void set_add_hash(struct set *set, struct table *table);
extern struct set *set_lookup(const struct table *table, const char *name);
extern struct set *set_lookup_global(uint32_t family, const char *table,
				     const char *name, struct nft_cache *cache);
extern struct set *set_lookup_fuzzy(const char *set_name,
				    const struct nft_cache *cache,
				    const struct table **table);
extern const char *set_policy2str(uint32_t policy);
extern void set_print(const struct set *set, struct output_ctx *octx);
extern void set_print_plain(const struct set *s, struct output_ctx *octx);

/**
 * set_is_datamap - test whether a set's flags describe a data map
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * Return: true if NFT_SET_MAP is set in @set_flags, false otherwise.
 */
static inline bool set_is_datamap(uint32_t set_flags)
{
	return (set_flags & NFT_SET_MAP) != 0;
}

/**
 * set_is_objmap - test whether a set's flags describe an object map
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * Return: true if NFT_SET_OBJECT is set in @set_flags, false otherwise.
 */
static inline bool set_is_objmap(uint32_t set_flags)
{
	return (set_flags & NFT_SET_OBJECT) != 0;
}

/**
 * set_is_map - test whether a set's flags describe any kind of map
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * A set is a map when it carries either the data-map bit (NFT_SET_MAP)
 * or the object-map bit (NFT_SET_OBJECT).
 *
 * Return: true if at least one of the two map bits is set.
 */
static inline bool set_is_map(uint32_t set_flags)
{
	const uint32_t map_bits = NFT_SET_MAP | NFT_SET_OBJECT;

	return (set_flags & map_bits) != 0;
}

/**
 * set_is_anonymous - test whether a set's flags mark it anonymous
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * Return: true if NFT_SET_ANONYMOUS is set in @set_flags, false otherwise.
 */
static inline bool set_is_anonymous(uint32_t set_flags)
{
	return (set_flags & NFT_SET_ANONYMOUS) != 0;
}

/**
 * set_is_literal - test whether the flags describe a plain, named set
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * A literal set is one that is neither anonymous nor a map of either
 * kind, i.e. none of NFT_SET_ANONYMOUS, NFT_SET_MAP or NFT_SET_OBJECT
 * is set.
 *
 * Return: true if none of those three bits is set in @set_flags.
 */
static inline bool set_is_literal(uint32_t set_flags)
{
	const uint32_t non_literal_bits = NFT_SET_ANONYMOUS |
					  NFT_SET_MAP |
					  NFT_SET_OBJECT;

	return (set_flags & non_literal_bits) == 0;
}

/**
 * map_is_literal - test whether the flags describe a named (non-anonymous) map
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * Return: true if @set_flags has a map bit (NFT_SET_MAP or NFT_SET_OBJECT)
 * and does not have NFT_SET_ANONYMOUS; false in every other case.
 */
static inline bool map_is_literal(uint32_t set_flags)
{
	if (set_flags & NFT_SET_ANONYMOUS)
		return false;

	return (set_flags & (NFT_SET_MAP | NFT_SET_OBJECT)) != 0;
}

/**
 * set_is_meter - test whether the flags describe a meter
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * A meter is an anonymous set with the evaluation bit set, so both
 * NFT_SET_ANONYMOUS and NFT_SET_EVAL must be present.
 *
 * Return: true if both bits are set in @set_flags, false otherwise.
 */
static inline bool set_is_meter(uint32_t set_flags)
{
	const uint32_t meter_bits = NFT_SET_ANONYMOUS | NFT_SET_EVAL;

	return (set_flags & meter_bits) == meter_bits;
}

/**
 * set_is_interval - test whether a set's flags describe an interval set
 * @set_flags:	NFT_SET_* flag bitmask
 *
 * Return: true if NFT_SET_INTERVAL is set in @set_flags, false otherwise.
 */
static inline bool set_is_interval(uint32_t set_flags)
{
	return (set_flags & NFT_SET_INTERVAL) != 0;
}

#include <statement.h>
/**
 * struct counter - counter object state
 *
 * @packets:	packet counter value
 * @bytes:	byte counter value
 */
struct counter {
	uint64_t	packets;
	uint64_t	bytes;
};

/**
 * struct quota - quota object state
 *
 * @bytes:	quota value in bytes
 * @used:	bytes consumed so far -- presumably; confirm against the
 *		netlink fill/parse code
 * @flags:	quota flags
 */
struct quota {
	uint64_t	bytes;
	uint64_t	used;
	uint32_t	flags;
};

/**
 * struct ct_helper - conntrack helper object
 *
 * @name:	helper name; a fixed 16-byte buffer, so every writer must
 *		bound-copy and guarantee NUL termination
 * @l3proto:	layer 3 protocol
 * @l4proto:	layer 4 protocol
 */
struct ct_helper {
	char name[16];
	uint16_t l3proto;
	uint8_t l4proto;
};

/**
 * struct timeout_state - one per-state timeout entry of a ct timeout object
 *
 * @head:		list node (chained into ct_timeout.timeout_list)
 * @location:		location this entry was defined at
 * @timeout_index:	index into ct_timeout.timeout; resolved from
 *			@timeout_str by timeout_str2num()
 * @timeout_str:	textual state name
 * @timeout_value:	timeout value for that state
 */
struct timeout_state {
	struct list_head head;
	struct location location;
	uint8_t timeout_index;
	const char *timeout_str;
	unsigned int timeout_value;
};

/**
 * struct ct_timeout - conntrack timeout object
 *
 * @l3proto:	layer 3 protocol
 * @l4proto:	layer 4 protocol
 * @timeout:	per-state timeouts, NFTNL_CTTIMEOUT_ARRAY_MAX entries
 *		(from libnftnl/object.h); a timeout_index must stay below
 *		this bound
 * @timeout_list: list of struct timeout_state entries
 */
struct ct_timeout {
	uint16_t l3proto;
	uint8_t l4proto;
	uint32_t timeout[NFTNL_CTTIMEOUT_ARRAY_MAX];
	struct list_head timeout_list;
};

/**
 * struct ct_expect - conntrack expectation object
 *
 * @l3proto:	layer 3 protocol
 * @l4proto:	layer 4 protocol
 * @dport:	destination port
 * @timeout:	expectation timeout
 * @size:	expectation size
 */
struct ct_expect {
	uint16_t l3proto;
	uint8_t l4proto;
	uint16_t dport;
	uint32_t timeout;
	uint8_t size;
};

/**
 * struct limit - rate limit object
 *
 * @rate:	rate value
 * @unit:	unit the rate is expressed in
 * @burst:	burst value
 * @type:	limit type
 * @flags:	limit flags
 */
struct limit {
	uint64_t	rate;
	uint64_t	unit;
	uint32_t	burst;
	uint32_t	type;
	uint32_t	flags;
};

/**
 * struct synproxy - synproxy object
 *
 * @mss:	maximum segment size
 * @wscale:	window scale
 * @flags:	synproxy flags
 */
struct synproxy {
	uint16_t	mss;
	uint8_t		wscale;
	uint32_t	flags;
};

/**
 * struct secmark - secmark object
 *
 * @ctx:	security context string in a fixed NFT_SECMARK_CTX_MAXLEN
 *		buffer; writers must bound-copy and NUL-terminate
 */
struct secmark {
	char		ctx[NFT_SECMARK_CTX_MAXLEN];
};

/**
 * struct obj - nftables stateful object statement
 *
 * @list:	table set list node
 * @location:	location the stateful object was defined/declared at
 * @handle:	object handle
 * @type:	type of stateful object; selects the active member of the
 *		anonymous union below (counter, quota, ct_helper, limit,
 *		ct_timeout, secmark, ct_expect or synproxy)
 * @refcnt:	object reference counter
 */
struct obj {
	struct list_head		list;
	struct location			location;
	struct handle			handle;
	uint32_t			type;
	unsigned int			refcnt;
	union {
		struct counter		counter;
		struct quota		quota;
		struct ct_helper	ct_helper;
		struct limit		limit;
		struct ct_timeout	ct_timeout;
		struct secmark		secmark;
		struct ct_expect	ct_expect;
		struct synproxy		synproxy;
	};
};

/*
 * Stateful object lifetime, hashing, lookup and printing. obj_lookup() is
 * keyed by name and type within one table; obj_lookup_fuzzy() reports the
 * owning table through @t. obj_type_name() and obj_type_to_cmd() map a
 * type code to its name and to a command code respectively.
 */
struct obj *obj_alloc(const struct location *loc);
extern struct obj *obj_get(struct obj *obj);
void obj_free(struct obj *obj);
void obj_add_hash(struct obj *obj, struct table *table);
struct obj *obj_lookup(const struct table *table, const char *name,
		       uint32_t type);
struct obj *obj_lookup_fuzzy(const char *obj_name,
			     const struct nft_cache *cache,
			     const struct table **t);
void obj_print(const struct obj *n, struct output_ctx *octx);
void obj_print_plain(const struct obj *obj, struct output_ctx *octx);
const char *obj_type_name(uint32_t type);
uint32_t obj_type_to_cmd(uint32_t type);

/**
 * struct flowtable - nftables flow table
 *
 * @list:	list node in table flowtables list
 * @handle:	flow table handle
 * @scope:	symbol scope attached to the flow table
 * @location:	location the flow table was defined at
 * @hookstr:	human readable hook name
 * @hooknum:	hook number
 * @priority:	hook priority
 * @dev_array:	array of device names
 * @dev_expr:	device expression
 * @dev_array_len: number of entries in @dev_array
 * @refcnt:	reference counter
 */
struct flowtable {
	struct list_head	list;
	struct handle		handle;
	struct scope		scope;
	struct location		location;
	const char *		hookstr;
	unsigned int		hooknum;
	struct prio_spec	priority;
	const char		**dev_array;
	struct expr		*dev_expr;
	int			dev_array_len;
	unsigned int		refcnt;
};

/*
 * Flow table lifetime, hashing and lookup. flowtable_lookup() is keyed by
 * name within one table; flowtable_lookup_fuzzy() reports the owning
 * table through @table.
 */
extern struct flowtable *flowtable_alloc(const struct location *loc);
extern struct flowtable *flowtable_get(struct flowtable *flowtable);
extern void flowtable_free(struct flowtable *flowtable);
extern void flowtable_add_hash(struct flowtable *flowtable, struct table *table);
extern struct flowtable *flowtable_lookup(const struct table *table, const char *name);
extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name,
						const struct nft_cache *cache,
						const struct table **table);

void flowtable_print(const struct flowtable *n, struct output_ctx *octx);

/**
 * enum cmd_ops - command operations
 *
 * @CMD_INVALID:	invalid
 * @CMD_ADD:		add object (non-exclusive)
 * @CMD_REPLACE:	replace object
 * @CMD_CREATE:		create object (exclusive)
 * @CMD_INSERT:		insert object
 * @CMD_DELETE:		delete object
 * @CMD_GET:		get object
 * @CMD_LIST:		list container
 * @CMD_RESET:		reset container
 * @CMD_FLUSH:		flush container
 * @CMD_RENAME:		rename object
 * @CMD_IMPORT:		import a ruleset in a given format
 * @CMD_EXPORT:		export the ruleset in a given format
 * @CMD_MONITOR:	event listener
 * @CMD_DESCRIBE:	describe an expression
 */
enum cmd_ops {
	CMD_INVALID,
	CMD_ADD,
	CMD_REPLACE,
	CMD_CREATE,
	CMD_INSERT,
	CMD_DELETE,
	CMD_GET,
	CMD_LIST,
	CMD_RESET,
	CMD_FLUSH,
	CMD_RENAME,
	CMD_IMPORT,
	CMD_EXPORT,
	CMD_MONITOR,
	CMD_DESCRIBE,
};

/**
 * enum cmd_obj - command objects
 *
 * @CMD_OBJ_INVALID:	invalid
 * @CMD_OBJ_SETELEM:	set element(s)
 * @CMD_OBJ_SET:	set
 * @CMD_OBJ_SETS:	multiple sets
 * @CMD_OBJ_RULE:	rule
 * @CMD_OBJ_CHAIN:	chain
 * @CMD_OBJ_CHAINS:	multiple chains
 * @CMD_OBJ_TABLE:	table
 * @CMD_OBJ_RULESET:	ruleset
 * @CMD_OBJ_EXPR:	expression
 * @CMD_OBJ_MONITOR:	monitor
 * @CMD_OBJ_MARKUP:	import/export
 * @CMD_OBJ_METER:	meter
 * @CMD_OBJ_METERS:	meters
 * @CMD_OBJ_MAP:	map
 * @CMD_OBJ_MAPS:	multiple maps
 * @CMD_OBJ_COUNTER:	counter
 * @CMD_OBJ_COUNTERS:	multiple counters
 * @CMD_OBJ_QUOTA:	quota
 * @CMD_OBJ_QUOTAS:	multiple quotas
 * @CMD_OBJ_CT_HELPER:	conntrack helper
 * @CMD_OBJ_CT_HELPERS:	multiple conntrack helpers
 * @CMD_OBJ_LIMIT:	limit
 * @CMD_OBJ_LIMITS:	multiple limits
 * @CMD_OBJ_FLOWTABLE:	flowtable
 * @CMD_OBJ_FLOWTABLES:	flowtables
 * @CMD_OBJ_CT_TIMEOUT:	conntrack timeout
 * @CMD_OBJ_SECMARK:	secmark
 * @CMD_OBJ_SECMARKS:	multiple secmarks
 * @CMD_OBJ_CT_EXPECT:	conntrack expectation
 * @CMD_OBJ_SYNPROXY:	synproxy
 * @CMD_OBJ_SYNPROXYS:	multiple synproxys
 *
 * The numeric values are positional; inserting a new entry renumbers all
 * later ones, so keep the list append-only unless every user is updated.
 */
enum cmd_obj {
	CMD_OBJ_INVALID,
	CMD_OBJ_SETELEM,
	CMD_OBJ_SET,
	CMD_OBJ_SETS,
	CMD_OBJ_RULE,
	CMD_OBJ_CHAIN,
	CMD_OBJ_CHAINS,
	CMD_OBJ_TABLE,
	CMD_OBJ_RULESET,
	CMD_OBJ_EXPR,
	CMD_OBJ_MONITOR,
	CMD_OBJ_MARKUP,
	CMD_OBJ_METER,
	CMD_OBJ_METERS,
	CMD_OBJ_MAP,
	CMD_OBJ_MAPS,
	CMD_OBJ_COUNTER,
	CMD_OBJ_COUNTERS,
	CMD_OBJ_QUOTA,
	CMD_OBJ_QUOTAS,
	CMD_OBJ_CT_HELPER,
	CMD_OBJ_CT_HELPERS,
	CMD_OBJ_LIMIT,
	CMD_OBJ_LIMITS,
	CMD_OBJ_FLOWTABLE,
	CMD_OBJ_FLOWTABLES,
	CMD_OBJ_CT_TIMEOUT,
	CMD_OBJ_SECMARK,
	CMD_OBJ_SECMARKS,
	CMD_OBJ_CT_EXPECT,
	CMD_OBJ_SYNPROXY,
	CMD_OBJ_SYNPROXYS,
};

/**
 * struct markup - import/export command argument
 *
 * @format:	markup format code (see CMD_IMPORT / CMD_EXPORT)
 */
struct markup {
	uint32_t	format;
};

/* Allocate / release a struct markup carrying the given format code. */
struct markup *markup_alloc(uint32_t format);
void markup_free(struct markup *m);

/*
 * Object classes a CMD_MONITOR command can listen for; stored in
 * monitor.type. CMD_MONITOR_OBJ_MAX is a bound, not a valid type.
 */
enum {
	CMD_MONITOR_OBJ_ANY,
	CMD_MONITOR_OBJ_TABLES,
	CMD_MONITOR_OBJ_CHAINS,
	CMD_MONITOR_OBJ_RULES,
	CMD_MONITOR_OBJ_SETS,
	CMD_MONITOR_OBJ_ELEMS,
	CMD_MONITOR_OBJ_RULESET,
	CMD_MONITOR_OBJ_TRACE,
	CMD_MONITOR_OBJ_MAX
};

/**
 * struct monitor - monitor command argument
 *
 * @location:	location of the monitor statement
 * @format:	output format code
 * @flags:	monitor flags
 * @type:	object class to monitor (CMD_MONITOR_OBJ_*)
 * @event:	event name to listen for
 */
struct monitor {
	struct location	location;
	uint32_t	format;
	uint32_t	flags;
	uint32_t	type;
	const char	*event;
};

/* Allocate / release a struct monitor; @event is stored as given. */
struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event);
void monitor_free(struct monitor *m);

/**
 * struct cmd - command statement
 *
 * @list:	list node
 * @location:	location of the statement
 * @op:		operation
 * @obj:	object type to perform operation on; selects which member of
 *		the anonymous union below is meaningful
 * @handle:	handle for operations working without full objects
 * @seqnum:	sequence number to match netlink errors
 * @union:	object (@data is the untyped view handed to cmd_alloc())
 * @arg:	argument data
 */
struct cmd {
	struct list_head	list;
	struct location		location;
	enum cmd_ops		op;
	enum cmd_obj		obj;
	struct handle		handle;
	uint32_t		seqnum;
	union {
		void		*data;
		struct expr	*expr;
		struct set	*set;
		struct rule	*rule;
		struct chain	*chain;
		struct table	*table;
		struct flowtable *flowtable;
		struct monitor	*monitor;
		struct markup	*markup;
		struct obj	*object;
	};
	const void		*arg;
};

/*
 * Command lifetime. cmd_alloc() stores @data into the command's union, so
 * the caller must pass an object matching @obj. cmd_alloc_obj_ct() is the
 * stateful-object variant taking an int object type and a struct obj.
 */
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
			     const struct handle *h, const struct location *loc,
			     void *data);
extern void nft_cmd_expand(struct cmd *cmd);
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
				    const struct handle *h,
				    const struct location *loc, struct obj *obj);
extern void cmd_free(struct cmd *cmd);

#include <payload.h>
#include <expression.h>
/**
 * struct eval_ctx - evaluation context
 *
 * @nft:	nftables context
 * @msgs:	message queue
 * @cmd:	current command
 * @table:	current table
 * @rule:	current rule
 * @set:	current set
 * @stmt:	current statement
 * @ectx:	expression context
 * @pctx:	payload context
 */
struct eval_ctx {
	struct nft_ctx		*nft;
	struct list_head	*msgs;
	struct cmd		*cmd;
	struct table		*table;
	struct rule		*rule;
	struct set		*set;
	struct stmt		*stmt;
	struct expr_ctx		ectx;
	struct proto_ctx	pctx;
};

/* Evaluate one command in the given context; returns an int status. */
extern int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd);

/* Post-process a rule; a non-NULL error_record presumably reports failure. */
extern struct error_record *rule_postprocess(struct rule *rule);

/* Netlink execution of an evaluated command (struct netlink_ctx is opaque here). */
struct netlink_ctx;
extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);

/*
 * Cache maintenance: cache_evaluate() inspects a command list,
 * cache_update() refreshes for a given operation (errors queued on @msgs),
 * cache_needs_update()/cache_release() query and drop the cache.
 */
extern unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds);
extern int cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
			struct list_head *msgs);
extern bool cache_needs_update(struct nft_cache *cache);
extern void cache_release(struct nft_cache *cache);

/**
 * struct timeout_protocol - per-L4-protocol conntrack timeout description
 *
 * @array_size:		number of entries in @state_to_name and @dflt_timeout;
 *			lookups by state index must stay below this value
 * @state_to_name:	state index to state name table
 * @dflt_timeout:	default timeout per state index
 */
struct timeout_protocol {
	uint32_t array_size;
	const char *const *state_to_name;
	uint32_t *dflt_timeout;
};

/* Indexed by L4 protocol number; IPPROTO_MAX comes from <netinet/in.h>. */
extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
/* Resolve ts->timeout_str to ts->timeout_index for @l4proto; int status. */
extern int timeout_str2num(uint16_t l4proto, struct timeout_state *ts);

#endif /* NFTABLES_RULE_H */