#ifndef NFTABLES_RULE_H
#define NFTABLES_RULE_H
#include <stdint.h>
#include <nftables.h>
#include <list.h>
#include <netinet/in.h>
#include <libnftnl/object.h> /* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
#include <linux/netfilter/nf_tables.h>
/**
 * struct handle_spec - handle ID
 *
 * @location: location this handle was defined at
 * @id: handle ID value
 */
struct handle_spec {
	struct location		location;
	uint64_t		id;
};
/**
 * struct position_spec - position ID
 *
 * @location: location this position was defined at
 * @id: position ID value
 */
struct position_spec {
	struct location		location;
	uint64_t		id;
};
/**
 * struct table_spec - table reference by name
 *
 * @location: location this reference was defined at
 * @name: table name; NOTE(review): string ownership (who frees it) is not
 *        established by this header — handle_free() is where to check
 */
struct table_spec {
	struct location		location;
	const char		*name;
};
/**
 * struct chain_spec - chain reference by name
 *
 * @location: location this reference was defined at
 * @name: chain name; NOTE(review): string ownership is not established by
 *        this header — see handle_free()
 */
struct chain_spec {
	struct location		location;
	const char		*name;
};
/**
 * struct set_spec - set reference by name
 *
 * @location: location this reference was defined at
 * @name: set name; NOTE(review): string ownership is not established by
 *        this header — see handle_free()
 */
struct set_spec {
	struct location		location;
	const char		*name;
};
/**
 * struct flowtable_spec - flow table reference by name
 *
 * @location: location this reference was defined at
 * @name: flow table name; NOTE(review): string ownership is not established
 *        by this header — see handle_free()
 */
struct flowtable_spec {
	struct location		location;
	const char		*name;
};
/**
 * struct obj_spec - stateful object reference by name
 *
 * @location: location this reference was defined at
 * @name: stateful object name; NOTE(review): string ownership is not
 *        established by this header — see handle_free()
 */
struct obj_spec {
	struct location		location;
	const char		*name;
};
/**
 * struct handle - handle for tables, chains, rules and sets
 *
 * @family: protocol family
 * @table: table name
 * @chain: chain name (chains and rules only)
 * @set: set name (sets only)
 * @obj: stateful object name (stateful object only)
 * @flowtable: flow table name (flow table only)
 * @handle: rule handle (rules only)
 * @position: rule position (rules only)
 * @index: rule index (rules only; see rule_lookup_by_index())
 * @set_id: set ID (sets only)
 * @rule_id: rule ID (rules only); NOTE(review): how this relates to @handle
 *           is not established here — confirm in the users
 * @position_id: position ID (rules only); same caveat as @rule_id
 */
struct handle {
	uint32_t		family;
	struct table_spec	table;
	struct chain_spec	chain;
	struct set_spec		set;
	struct obj_spec		obj;
	struct flowtable_spec	flowtable;
	struct handle_spec	handle;
	struct position_spec	position;
	struct position_spec	index;
	uint32_t		set_id;
	uint32_t		rule_id;
	uint32_t		position_id;
};
/**
 * handle_merge() - merge @src into @dst
 * @dst: handle to update
 * @src: handle to merge from; not modified
 *
 * NOTE(review): which fields of @dst get overwritten is decided by the
 * implementation and is not documented here.
 */
extern void handle_merge(struct handle *dst, const struct handle *src);
/**
 * handle_free() - release the resources held by @h
 * @h: handle to release
 *
 * NOTE(review): presumably frees the name strings of the *_spec members;
 * confirm before assuming @h can be reused afterwards.
 */
extern void handle_free(struct handle *h);
/**
 * struct scope - symbol scope
 *
 * @parent: pointer to parent scope (presumably NULL for the outermost
 *          scope — confirm in symbol_lookup())
 * @symbols: symbols bound in the scope (struct symbol entries, linked
 *           through symbol.list)
 */
struct scope {
	const struct scope	*parent;
	struct list_head	symbols;
};
/* scope_alloc() - allocate a new scope; NOTE(review): whether it is also
 * initialised (cf. scope_init()) is not established here. */
extern struct scope *scope_alloc(void);
/* scope_init() - initialise @scope with @parent as its parent; the return
 * value is presumably @scope itself (inferred from the type — confirm). */
extern struct scope *scope_init(struct scope *scope, const struct scope *parent);
/* scope_release() - presumably releases what @scope owns (its symbols)
 * without freeing @scope itself, which scope_free() does — confirm. */
extern void scope_release(const struct scope *scope);
extern void scope_free(struct scope *scope);
/**
 * struct symbol - symbol bound in a scope
 *
 * @list: scope symbol list node
 * @identifier: identifier
 * @expr: initializer
 * @refcnt: reference counter; NOTE(review): int here while the other
 *          refcounted objects in this header use unsigned int — a negative
 *          value can only mean a refcount bug
 */
struct symbol {
	struct list_head	list;
	const char		*identifier;
	struct expr		*expr;
	int			refcnt;
};
/* symbol_bind() - bind @identifier to @expr in @scope.
 * NOTE(review): whether ownership of @expr passes to the scope is not
 * established here — confirm before freeing @expr after binding. */
extern void symbol_bind(struct scope *scope, const char *identifier,
			struct expr *expr);
/* symbol_unbind() - remove the binding of @identifier from @scope; int
 * status (failure value not established here). */
extern int symbol_unbind(const struct scope *scope, const char *identifier);
/* symbol_lookup() - exact-name lookup of @identifier starting at @scope;
 * presumably walks scope.parent (confirm). Not-found value (NULL?) is not
 * established here. */
extern struct symbol *symbol_lookup(const struct scope *scope,
				    const char *identifier);
/* symbol_lookup_fuzzy() - approximate-name variant of symbol_lookup()
 * (inferred from the name — confirm). Note: no 'extern' on the next two,
 * unlike the rest of this group; harmless but inconsistent. */
struct symbol *symbol_lookup_fuzzy(const struct scope *scope,
				   const char *identifier);
/* symbol_get() - lookup that presumably also takes a reference
 * (symbol.refcnt) — confirm. */
struct symbol *symbol_get(const struct scope *scope, const char *identifier);
/**
 * enum table_flags - table flags (bitmask stored in struct table.flags)
 *
 * @TABLE_F_DORMANT: table is marked dormant
 */
enum table_flags {
	TABLE_F_DORMANT		= (1 << 0),
};
/* Number of table flag bits; sizes table_flags_name[] and therefore must be
 * raised whenever a flag is added to enum table_flags. */
#define TABLE_FLAGS_MAX 1

/* Human-readable name per table flag; NOTE(review): presumably indexed by
 * flag bit position (TABLE_F_DORMANT -> 0) — confirm in the user. */
extern const char *table_flags_name[TABLE_FLAGS_MAX];
/**
 * struct table - nftables table
 *
 * @list: list node
 * @handle: table handle
 * @location: location the table was defined at
 * @scope: scope for symbols defined within the table
 * @chains: chains contained in the table
 * @sets: sets contained in the table
 * @objs: stateful objects contained in the table
 * @flowtables: flow tables contained in the table
 * @flags: table flags (enum table_flags bitmask)
 * @refcnt: table reference counter
 */
struct table {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	struct scope		scope;
	struct list_head	chains;
	struct list_head	sets;
	struct list_head	objs;
	struct list_head	flowtables;
	enum table_flags 	flags;
	unsigned int		refcnt;
};
extern struct table *table_alloc(void);
/* table_get() - take a reference on @table and return it (inferred from the
 * refcnt field and the *_get naming — confirm). */
extern struct table *table_get(struct table *table);
/* table_free() - drop a reference; presumably frees once table.refcnt reaches
 * zero (confirm). */
extern void table_free(struct table *table);
/* table_add_hash() - insert @table into @cache. */
extern void table_add_hash(struct table *table, struct nft_cache *cache);
/* table_lookup() - find the table named by @h in @cache; the not-found value
 * (NULL?) is not established here. */
extern struct table *table_lookup(const struct handle *h,
				  const struct nft_cache *cache);
/* table_lookup_fuzzy() - approximate-name variant of table_lookup(). */
extern struct table *table_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache);
/**
 * enum chain_flags - chain flags
 *
 * @CHAIN_F_BASECHAIN: chain is a base chain; NOTE(review): struct chain.flags
 *                     is a plain uint32_t rather than this enum type, so the
 *                     association is by convention only
 */
enum chain_flags {
	CHAIN_F_BASECHAIN	= 0x1,
};
/**
 * struct prio_spec - extended priority specification for mixed
 * textual/numerical parsing.
 *
 * @loc: location the priority was specified at
 * @expr: expr of the standard priority value
 */
struct prio_spec {
	struct location loc;
	struct expr *expr;
};
/**
 * struct chain - nftables chain
 *
 * @list: list node in table list
 * @handle: chain handle
 * @location: location the chain was defined at
 * @refcnt: reference counter
 * @flags: chain flags (bitmask; see enum chain_flags)
 * @hookstr: unified and human readable hook name (base chains)
 * @hooknum: hook number (base chains)
 * @priority: hook priority (base chains)
 * @policy: default chain policy (base chains)
 * @type: chain type
 * @dev_array: devices, if any (array of strings)
 * @dev_expr: device expression, if any; NOTE(review): how it relates to
 *            @dev_array (alternative representation or its source?) is not
 *            established here
 * @dev_array_len: number of entries in @dev_array; signed, so code indexing
 *                 @dev_array must treat a negative value as empty/invalid
 * @scope: scope for symbols defined within the chain
 * @rules: rules contained in the chain
 */
struct chain {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	unsigned int		refcnt;
	uint32_t		flags;
	const char		*hookstr;
	unsigned int		hooknum;
	struct prio_spec	priority;
	struct expr		*policy;
	const char		*type;
	const char		**dev_array;
	struct expr		*dev_expr;
	int			dev_array_len;
	struct scope		scope;
	struct list_head	rules;
};
/* Size of the buffer callers reserve for a textual priority; any formatting
 * into such a buffer must be bounded by this value (snprintf), never assumed
 * to fit. */
#define STD_PRIO_BUFSIZE 100
/* std_prio_lookup() - resolve a standard priority name for @family/@hook to
 * its numeric value; the failure indication (negative? sentinel?) is not
 * established here — check it before treating the result as a priority. */
extern int std_prio_lookup(const char *std_prio_name, int family, int hook);
/* chain_type_name_lookup() / chain_hookname_lookup() - canonicalise a chain
 * type / hook name; presumably return NULL for unknown input (confirm). */
extern const char *chain_type_name_lookup(const char *name);
extern const char *chain_hookname_lookup(const char *name);
extern struct chain *chain_alloc(const char *name);
/* chain_get() / chain_free() - reference take / drop, cf. table_get() and
 * table_free(). */
extern struct chain *chain_get(struct chain *chain);
extern void chain_free(struct chain *chain);
/* chain_add_hash() - insert @chain into @table. */
extern void chain_add_hash(struct chain *chain, struct table *table);
/* chain_lookup() - find the chain named by @h in @table. */
extern struct chain *chain_lookup(const struct table *table,
				  const struct handle *h);
/* chain_lookup_fuzzy() - approximate-name lookup across @cache; presumably
 * stores the owning table through @table on success (confirm). */
extern struct chain *chain_lookup_fuzzy(const struct handle *h,
					const struct nft_cache *cache,
					const struct table **table);

/* Conversions of numeric identifiers to printable names. */
extern const char *family2str(unsigned int family);
extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
extern const char *chain_policy2str(uint32_t policy);
extern void chain_print_plain(const struct chain *chain,
			      struct output_ctx *octx);
/**
 * struct rule - nftables rule
 *
 * @list: list node in chain list
 * @handle: rule handle
 * @location: location the rule was defined at
 * @stmts: list of statements
 * @num_stmts: number of statements in the @stmts list
 * @comment: comment
 * @refcnt: rule reference counter
 */
struct rule {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	struct list_head	stmts;
	unsigned int		num_stmts;
	const char		*comment;
	unsigned int		refcnt;
};
/* rule_alloc() - allocate a rule at @loc with handle @h; NOTE(review): whether
 * @h's strings are copied or shared is not established here. */
extern struct rule *rule_alloc(const struct location *loc,
			       const struct handle *h);
/* rule_get() / rule_free() - reference take / drop, cf. table_get(). */
extern struct rule *rule_get(struct rule *rule);
extern void rule_free(struct rule *rule);
extern void rule_print(const struct rule *rule, struct output_ctx *octx);
/* rule_lookup() - find the rule with handle @handle in @chain. */
extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle);
/* rule_lookup_by_index() - find the rule at position @index in @chain;
 * NOTE(review): whether @index is 0- or 1-based is not established here. */
extern struct rule *rule_lookup_by_index(const struct chain *chain,
					 uint64_t index);
/**
 * struct set - nftables set
 *
 * @list: table set list node
 * @handle: set handle
 * @location: location the set was defined/declared at
 * @refcnt: reference count
 * @flags: bitmask of set flags (presumably the NFT_SET_* bits tested by the
 *         set_is_*() helpers below — confirm)
 * @gc_int: garbage collection interval
 * @timeout: default timeout value
 * @key: key expression (data type, length)
 * @datatype: mapping data type
 * @datalen: mapping data len
 * @objtype: mapping object type
 * @init: initializer
 * @rg_cache: cached range element (left)
 * @policy: set mechanism policy
 * @automerge: merge adjacent and overlapping elements, if possible
 * @desc: set mechanism desc; @desc.size is presumably the element count
 *        hint given to the kernel (confirm)
 */
struct set {
	struct list_head	list;
	struct handle		handle;
	struct location		location;
	unsigned int		refcnt;
	uint32_t		flags;
	uint32_t		gc_int;
	uint64_t		timeout;
	struct expr		*key;
	const struct datatype	*datatype;
	unsigned int		datalen;
	uint32_t		objtype;
	struct expr		*init;
	struct expr		*rg_cache;
	uint32_t		policy;
	bool			automerge;
	struct {
		uint32_t	size;
	} desc;
};
extern struct set *set_alloc(const struct location *loc);
/* set_get() / set_free() - reference take / drop, cf. table_get(). */
extern struct set *set_get(struct set *set);
extern void set_free(struct set *set);
/* set_clone() - copy of @set; NOTE(review): deep or shallow is not
 * established here — check before freeing the original while the clone
 * is still in use. */
extern struct set *set_clone(const struct set *set);
/* set_add_hash() - insert @set into @table. */
extern void set_add_hash(struct set *set, struct table *table);
/* set_lookup() - find set @name in @table (exact name). */
extern struct set *set_lookup(const struct table *table, const char *name);
/* set_lookup_global() - find set @name in table @table of @family via @cache. */
extern struct set *set_lookup_global(uint32_t family, const char *table,
				     const char *name, struct nft_cache *cache);
/* set_lookup_fuzzy() - approximate-name lookup across @cache; presumably
 * stores the owning table through @table on success (confirm). */
extern struct set *set_lookup_fuzzy(const char *set_name,
				    const struct nft_cache *cache,
				    const struct table **table);
extern const char *set_policy2str(uint32_t policy);
extern void set_print(const struct set *set, struct output_ctx *octx);
extern void set_print_plain(const struct set *s, struct output_ctx *octx);
/**
 * set_is_datamap() - test whether NFT_SET_MAP is set
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if @set_flags contains NFT_SET_MAP, false otherwise.
 */
static inline bool set_is_datamap(uint32_t set_flags)
{
	const uint32_t mask = NFT_SET_MAP;

	return (set_flags & mask) != 0;
}
/**
 * set_is_objmap() - test whether NFT_SET_OBJECT is set
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if @set_flags contains NFT_SET_OBJECT, false otherwise.
 */
static inline bool set_is_objmap(uint32_t set_flags)
{
	const uint32_t mask = NFT_SET_OBJECT;

	return (set_flags & mask) != 0;
}
/**
 * set_is_map() - test whether the set is a map of either kind
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if @set_flags marks a data map (set_is_datamap()) or an
 * object map (set_is_objmap()), false otherwise.
 */
static inline bool set_is_map(uint32_t set_flags)
{
	bool datamap = set_is_datamap(set_flags);
	bool objmap = set_is_objmap(set_flags);

	return datamap || objmap;
}
/**
 * set_is_anonymous() - test whether NFT_SET_ANONYMOUS is set
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if @set_flags contains NFT_SET_ANONYMOUS, false otherwise.
 */
static inline bool set_is_anonymous(uint32_t set_flags)
{
	const uint32_t mask = NFT_SET_ANONYMOUS;

	return (set_flags & mask) != 0;
}
/**
 * set_is_literal() - test for a named, plain (non-map) set
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if the set is neither anonymous nor a map, false otherwise.
 */
static inline bool set_is_literal(uint32_t set_flags)
{
	/* De Morgan of !(anonymous || map). */
	return !set_is_anonymous(set_flags) && !set_is_map(set_flags);
}
/**
 * map_is_literal() - test for a named map
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if the set is a map (data or object) and is not anonymous,
 * false otherwise.
 */
static inline bool map_is_literal(uint32_t set_flags)
{
	/* De Morgan of !(anonymous || !map). */
	return set_is_map(set_flags) && !set_is_anonymous(set_flags);
}
/**
 * set_is_meter() - test for an anonymous set with NFT_SET_EVAL
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true only if both NFT_SET_ANONYMOUS and NFT_SET_EVAL are set.
 */
static inline bool set_is_meter(uint32_t set_flags)
{
	if (!set_is_anonymous(set_flags))
		return false;

	return (set_flags & NFT_SET_EVAL) != 0;
}
/**
 * set_is_interval() - test whether NFT_SET_INTERVAL is set
 * @set_flags: bitmask of NFT_SET_* flags
 *
 * Return: true if @set_flags contains NFT_SET_INTERVAL, false otherwise.
 */
static inline bool set_is_interval(uint32_t set_flags)
{
	const uint32_t mask = NFT_SET_INTERVAL;

	return (set_flags & mask) != 0;
}
#include <statement.h>
/**
 * struct counter - counter object state
 *
 * @packets: packet count
 * @bytes: byte count
 */
struct counter {
	uint64_t	packets;
	uint64_t	bytes;
};
/**
 * struct quota - quota object state
 *
 * @bytes: quota limit in bytes
 * @used: bytes consumed so far
 * @flags: quota flag bits (values not established in this header)
 */
struct quota {
	uint64_t	bytes;
	uint64_t	used;
	uint32_t	flags;
};
/**
 * struct ct_helper - conntrack helper object
 *
 * @name: helper name in a fixed 16-byte buffer; NOTE(review): nothing here
 *        guarantees NUL-termination — code filling it must bound the copy and
 *        terminate explicitly, and readers must not assume a terminator
 * @l3proto: layer 3 protocol
 * @l4proto: layer 4 protocol
 */
struct ct_helper {
	char name[16];
	uint16_t l3proto;
	uint8_t l4proto;
};
/**
 * struct timeout_state - one per-state timeout entry of a ct timeout object
 *
 * @head: list node (presumably linked into ct_timeout.timeout_list)
 * @location: location the entry was defined at
 * @timeout_index: index into ct_timeout.timeout[]; NOTE(review): must be
 *                 validated against timeout_protocol.array_size before use —
 *                 confirm timeout_str2num() does so
 * @timeout_str: state name as written
 * @timeout_value: timeout value
 */
struct timeout_state {
	struct list_head head;
	struct location location;
	uint8_t timeout_index;
	const char *timeout_str;
	unsigned int timeout_value;
};
/**
 * struct ct_timeout - conntrack timeout object
 *
 * @l3proto: layer 3 protocol
 * @l4proto: layer 4 protocol
 * @timeout: per-state timeouts; the array has NFTNL_CTTIMEOUT_ARRAY_MAX slots,
 *           of which presumably only timeout_protocol[@l4proto].array_size are
 *           meaningful (confirm) — writers must bound the index either way
 * @timeout_list: list of struct timeout_state entries (presumably)
 */
struct ct_timeout {
	uint16_t l3proto;
	uint8_t l4proto;
	uint32_t timeout[NFTNL_CTTIMEOUT_ARRAY_MAX];
	struct list_head timeout_list;
};
/**
 * struct ct_expect - conntrack expectation object
 *
 * @l3proto: layer 3 protocol
 * @l4proto: layer 4 protocol
 * @dport: destination port; NOTE(review): byte order not established here
 * @timeout: expectation timeout
 * @size: expectation size
 */
struct ct_expect {
	uint16_t l3proto;
	uint8_t l4proto;
	uint16_t dport;
	uint32_t timeout;
	uint8_t size;
};
/**
 * struct limit - rate limit object
 *
 * @rate: rate value
 * @unit: unit the rate is expressed per
 * @burst: burst value
 * @type: limit type (presumably packets vs. bytes — confirm against the
 *        kernel's limit type constants)
 * @flags: limit flag bits
 */
struct limit {
	uint64_t	rate;
	uint64_t	unit;
	uint32_t	burst;
	uint32_t	type;
	uint32_t	flags;
};
/**
 * struct synproxy - synproxy object
 *
 * @mss: TCP maximum segment size value
 * @wscale: TCP window scale value
 * @flags: synproxy flag bits
 */
struct synproxy {
	uint16_t	mss;
	uint8_t		wscale;
	uint32_t	flags;
};
/**
 * struct secmark - secmark object
 *
 * @ctx: security context string in a fixed buffer of NFT_SECMARK_CTX_MAXLEN
 *       bytes; NOTE(review): the definition does not guarantee
 *       NUL-termination — producers must bound-copy and terminate, consumers
 *       must not assume a terminator
 */
struct secmark {
	char		ctx[NFT_SECMARK_CTX_MAXLEN];
};
/**
 * struct obj - nftables stateful object statement
 *
 * @list: table object list node (presumably table.objs)
 * @location: location the stateful object was defined/declared at
 * @handle: object handle
 * @type: type of stateful object; presumably selects which union member is
 *        live (confirm) — code must consult @type before reading a member,
 *        otherwise it is reading another type's bytes
 * @refcnt: object reference counter
 * @counter: counter state (valid for counter objects)
 * @quota: quota state
 * @ct_helper: conntrack helper state
 * @limit: limit state
 * @ct_timeout: conntrack timeout state
 * @secmark: secmark state
 * @ct_expect: conntrack expectation state
 * @synproxy: synproxy state
 */
struct obj {
	struct list_head		list;
	struct location			location;
	struct handle			handle;
	uint32_t			type;
	unsigned int			refcnt;
	union {
		struct counter		counter;
		struct quota		quota;
		struct ct_helper	ct_helper;
		struct limit		limit;
		struct ct_timeout	ct_timeout;
		struct secmark		secmark;
		struct ct_expect	ct_expect;
		struct synproxy		synproxy;
	};
};
/* NOTE(review): 'extern' appears on obj_get() only; it is redundant on
 * function declarations either way, but the group is inconsistent. */
struct obj *obj_alloc(const struct location *loc);
/* obj_get() / obj_free() - reference take / drop, cf. table_get(). */
extern struct obj *obj_get(struct obj *obj);
void obj_free(struct obj *obj);
/* obj_add_hash() - insert @obj into @table. */
void obj_add_hash(struct obj *obj, struct table *table);
/* obj_lookup() - find object @name of @type in @table. */
struct obj *obj_lookup(const struct table *table, const char *name,
		       uint32_t type);
/* obj_lookup_fuzzy() - approximate-name lookup across @cache; presumably
 * stores the owning table through @t on success (confirm). */
struct obj *obj_lookup_fuzzy(const char *obj_name,
			     const struct nft_cache *cache,
			     const struct table **t);
void obj_print(const struct obj *n, struct output_ctx *octx);
void obj_print_plain(const struct obj *obj, struct output_ctx *octx);
/* obj_type_name() - printable name for object @type. */
const char *obj_type_name(uint32_t type);
/* obj_type_to_cmd() - map object @type to its enum cmd_obj value (inferred
 * from the name — confirm). */
uint32_t obj_type_to_cmd(uint32_t type);
/**
 * struct flowtable - nftables flow table
 *
 * @list: table flowtable list node
 * @handle: flowtable handle
 * @scope: scope for symbols defined within the flowtable
 * @location: location the flowtable was defined at
 * @hookstr: human readable hook name
 * @hooknum: hook number
 * @priority: hook priority
 * @dev_array: devices (array of strings)
 * @dev_expr: device expression
 * @dev_array_len: number of entries in @dev_array; signed, so code indexing
 *                 @dev_array must treat a negative value as empty/invalid
 * @refcnt: reference counter
 */
struct flowtable {
	struct list_head	list;
	struct handle		handle;
	struct scope		scope;
	struct location		location;
	const char		*hookstr;
	unsigned int		hooknum;
	struct prio_spec	priority;
	const char		**dev_array;
	struct expr		*dev_expr;
	int			dev_array_len;
	unsigned int		refcnt;
};
extern struct flowtable *flowtable_alloc(const struct location *loc);
/* flowtable_get() / flowtable_free() - reference take / drop, cf. table_get(). */
extern struct flowtable *flowtable_get(struct flowtable *flowtable);
extern void flowtable_free(struct flowtable *flowtable);
/* flowtable_add_hash() - insert @flowtable into @table. */
extern void flowtable_add_hash(struct flowtable *flowtable, struct table *table);
/* flowtable_lookup() - find flowtable @name in @table (exact name). */
extern struct flowtable *flowtable_lookup(const struct table *table, const char *name);
/* flowtable_lookup_fuzzy() - approximate-name lookup across @cache; presumably
 * stores the owning table through @table on success (confirm). */
extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name,
						const struct nft_cache *cache,
						const struct table **table);

void flowtable_print(const struct flowtable *n, struct output_ctx *octx);
/**
 * enum cmd_ops - command operations
 *
 * @CMD_INVALID: invalid
 * @CMD_ADD: add object (non-exclusive)
 * @CMD_REPLACE: replace object
 * @CMD_CREATE: create object (exclusive)
 * @CMD_INSERT: insert object
 * @CMD_DELETE: delete object
 * @CMD_GET: get object
 * @CMD_LIST: list container
 * @CMD_RESET: reset container
 * @CMD_FLUSH: flush container
 * @CMD_RENAME: rename object
 * @CMD_IMPORT: import a ruleset in a given format
 * @CMD_EXPORT: export the ruleset in a given format
 * @CMD_MONITOR: event listener
 * @CMD_DESCRIBE: describe an expression
 */
enum cmd_ops {
	CMD_INVALID,
	CMD_ADD,
	CMD_REPLACE,
	CMD_CREATE,
	CMD_INSERT,
	CMD_DELETE,
	CMD_GET,
	CMD_LIST,
	CMD_RESET,
	CMD_FLUSH,
	CMD_RENAME,
	CMD_IMPORT,
	CMD_EXPORT,
	CMD_MONITOR,
	CMD_DESCRIBE,
};
/**
 * enum cmd_obj - command objects
 *
 * @CMD_OBJ_INVALID: invalid
 * @CMD_OBJ_SETELEM: set element(s)
 * @CMD_OBJ_SET: set
 * @CMD_OBJ_SETS: multiple sets
 * @CMD_OBJ_RULE: rule
 * @CMD_OBJ_CHAIN: chain
 * @CMD_OBJ_CHAINS: multiple chains
 * @CMD_OBJ_TABLE: table
 * @CMD_OBJ_RULESET: ruleset
 * @CMD_OBJ_EXPR: expression
 * @CMD_OBJ_MONITOR: monitor
 * @CMD_OBJ_MARKUP: import/export
 * @CMD_OBJ_METER: meter
 * @CMD_OBJ_METERS: meters
 * @CMD_OBJ_MAP: map
 * @CMD_OBJ_MAPS: multiple maps
 * @CMD_OBJ_COUNTER: counter
 * @CMD_OBJ_COUNTERS: multiple counters
 * @CMD_OBJ_QUOTA: quota
 * @CMD_OBJ_QUOTAS: multiple quotas
 * @CMD_OBJ_CT_HELPER: conntrack helper
 * @CMD_OBJ_CT_HELPERS: multiple conntrack helpers
 * @CMD_OBJ_LIMIT: limit
 * @CMD_OBJ_LIMITS: multiple limits
 * @CMD_OBJ_FLOWTABLE: flowtable
 * @CMD_OBJ_FLOWTABLES: flowtables
 * @CMD_OBJ_CT_TIMEOUT: conntrack timeout
 * @CMD_OBJ_SECMARK: secmark
 * @CMD_OBJ_SECMARKS: multiple secmarks
 * @CMD_OBJ_CT_EXPECT: conntrack expectation
 * @CMD_OBJ_SYNPROXY: synproxy
 * @CMD_OBJ_SYNPROXYS: multiple synproxys
 *
 * NOTE(review): CT_TIMEOUT and CT_EXPECT have no plural ("multiple") variant
 * here, unlike the other object kinds.
 */
enum cmd_obj {
	CMD_OBJ_INVALID,
	CMD_OBJ_SETELEM,
	CMD_OBJ_SET,
	CMD_OBJ_SETS,
	CMD_OBJ_RULE,
	CMD_OBJ_CHAIN,
	CMD_OBJ_CHAINS,
	CMD_OBJ_TABLE,
	CMD_OBJ_RULESET,
	CMD_OBJ_EXPR,
	CMD_OBJ_MONITOR,
	CMD_OBJ_MARKUP,
	CMD_OBJ_METER,
	CMD_OBJ_METERS,
	CMD_OBJ_MAP,
	CMD_OBJ_MAPS,
	CMD_OBJ_COUNTER,
	CMD_OBJ_COUNTERS,
	CMD_OBJ_QUOTA,
	CMD_OBJ_QUOTAS,
	CMD_OBJ_CT_HELPER,
	CMD_OBJ_CT_HELPERS,
	CMD_OBJ_LIMIT,
	CMD_OBJ_LIMITS,
	CMD_OBJ_FLOWTABLE,
	CMD_OBJ_FLOWTABLES,
	CMD_OBJ_CT_TIMEOUT,
	CMD_OBJ_SECMARK,
	CMD_OBJ_SECMARKS,
	CMD_OBJ_CT_EXPECT,
	CMD_OBJ_SYNPROXY,
	CMD_OBJ_SYNPROXYS,
};
/**
 * struct markup - import/export format selector
 *
 * @format: markup format identifier (valid values not established here)
 */
struct markup {
	uint32_t	format;
};
/* markup_alloc() - allocate a struct markup for @format; markup_free()
 * releases it. */
struct markup *markup_alloc(uint32_t format);
void markup_free(struct markup *m);
/* Object classes a monitor command can listen for (presumably stored in
 * struct monitor.type — confirm). CMD_MONITOR_OBJ_MAX bounds the valid range
 * and is not itself a class; range-check before using a value as an index. */
enum {
	CMD_MONITOR_OBJ_ANY,
	CMD_MONITOR_OBJ_TABLES,
	CMD_MONITOR_OBJ_CHAINS,
	CMD_MONITOR_OBJ_RULES,
	CMD_MONITOR_OBJ_SETS,
	CMD_MONITOR_OBJ_ELEMS,
	CMD_MONITOR_OBJ_RULESET,
	CMD_MONITOR_OBJ_TRACE,
	CMD_MONITOR_OBJ_MAX
};
/**
 * struct monitor - monitor command parameters
 *
 * @location: location the monitor command was given at
 * @format: output format
 * @flags: monitor flag bits
 * @type: object class to monitor (presumably one of the CMD_MONITOR_OBJ_*
 *        values — confirm)
 * @event: event name filter, if any
 */
struct monitor {
	struct location	location;
	uint32_t	format;
	uint32_t	flags;
	uint32_t	type;
	const char	*event;
};
/* monitor_alloc() - allocate a struct monitor for @format/@type/@event;
 * NOTE(review): whether @event is copied or referenced is not established
 * here. monitor_free() releases it. */
struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event);
void monitor_free(struct monitor *m);
/**
 * struct cmd - command statement
 *
 * @list: list node
 * @location: location of the statement
 * @op: operation
 * @obj: object type to perform operation on; presumably selects which union
 *       member below is live (confirm)
 * @handle: handle for operations working without full objects
 * @seqnum: sequence number to match netlink errors
 * @data: untyped view of the object (same storage as the typed members)
 * @expr: object as expression
 * @set: object as set
 * @rule: object as rule
 * @chain: object as chain
 * @table: object as table
 * @flowtable: object as flowtable
 * @monitor: object as monitor parameters
 * @markup: object as markup parameters
 * @object: object as stateful object
 * @arg: argument data
 *
 * NOTE(review): reading a union member that does not correspond to @obj is
 * type confusion; every consumer must switch on @obj (or @op) first.
 */
struct cmd {
	struct list_head	list;
	struct location		location;
	enum cmd_ops		op;
	enum cmd_obj		obj;
	struct handle		handle;
	uint32_t		seqnum;
	union {
		void		*data;
		struct expr	*expr;
		struct set	*set;
		struct rule	*rule;
		struct chain	*chain;
		struct table	*table;
		struct flowtable *flowtable;
		struct monitor	*monitor;
		struct markup	*markup;
		struct obj	*object;
	};
	const void		*arg;
};
/* cmd_alloc() - allocate a command; @data is stored in the object union and
 * must be of the type @obj denotes (see struct cmd). NOTE(review): whether
 * @h's strings are copied or shared is not established here. */
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
			     const struct handle *h, const struct location *loc,
			     void *data);
extern void nft_cmd_expand(struct cmd *cmd);
/* cmd_alloc_obj_ct() - allocate a command for a conntrack object of @type;
 * note @type is int here while struct obj.type is uint32_t. */
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
				    const struct handle *h,
				    const struct location *loc, struct obj *obj);
extern void cmd_free(struct cmd *cmd);
#include <payload.h>
#include <expression.h>
/**
 * struct eval_ctx - evaluation context
 *
 * @nft: nftables context
 * @msgs: message queue
 * @cmd: current command
 * @table: current table
 * @rule: current rule
 * @set: current set
 * @stmt: current statement
 * @ectx: expression context
 * @pctx: payload (protocol) context
 */
struct eval_ctx {
	struct nft_ctx		*nft;
	struct list_head	*msgs;
	struct cmd		*cmd;
	struct table		*table;
	struct rule		*rule;
	struct set		*set;
	struct stmt		*stmt;
	struct expr_ctx		ectx;
	struct proto_ctx	pctx;
};
/* cmd_evaluate() - evaluate @cmd under @ctx; int status, with details
 * presumably reported through ctx->msgs (confirm). */
extern int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd);

/* rule_postprocess() - post-process @rule; returns an error record, where
 * NULL presumably means success (confirm). */
extern struct error_record *rule_postprocess(struct rule *rule);

struct netlink_ctx;
/* do_command() - execute @cmd through the netlink context @ctx. */
extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);

/* Cache management. cache_update() refreshes the cache as required for @cmd
 * and reports through @msgs; cache_release() drops the cache contents. */
extern unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds);
extern int cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
			struct list_head *msgs);
extern bool cache_needs_update(struct nft_cache *cache);
extern void cache_release(struct nft_cache *cache);
/**
 * struct timeout_protocol - per-protocol conntrack timeout description
 *
 * @array_size: number of valid entries in the per-state arrays; any state
 *              index must be checked against this before use
 * @state_to_name: state index -> state name table
 * @dflt_timeout: default timeout per state; NOTE(review): non-const pointer —
 *                if it points at shared defaults, writes through it would
 *                change them for every user; confirm it is only ever read
 */
struct timeout_protocol {
	uint32_t array_size;
	const char *const *state_to_name;
	uint32_t *dflt_timeout;
};
/* Per-protocol timeout descriptions, presumably indexed by l4proto.
 * NOTE(review): timeout_str2num() takes a uint16_t l4proto while the array
 * has IPPROTO_MAX entries — confirm the implementation range-checks the
 * index before using it. */
extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
/* timeout_str2num() - resolve ts->timeout_str to ts->timeout_index for
 * @l4proto (inferred from the field names — confirm); int status. */
extern int timeout_str2num(uint16_t l4proto, struct timeout_state *ts);
#endif /* NFTABLES_RULE_H */