1 #ifndef _NFT_RULEPARSE_H_
2 #define _NFT_RULEPARSE_H_
3 
4 #include <linux/netfilter/nf_tables.h>
5 
6 #include <libnftnl/expr.h>
7 
8 #include "xshared.h"
9 
/*
 * What a parser register slot (struct nft_xt_ctx_reg) currently holds.
 * Presumably the union member of the same name is the one that is valid for
 * each value; note that meta_sreg has no tag of its own here.
 */
enum nft_ctx_reg_type {
	NFT_XT_REG_UNDEF,	/* value 0: slot cleared / never written */
	NFT_XT_REG_PAYLOAD,
	NFT_XT_REG_IMMEDIATE,
	NFT_XT_REG_META_DREG,
};
16 
/*
 * One register slot of the rule parser: remembers which nf_tables expression
 * last wrote the register so a later expression reading it (cmp, lookup, ...)
 * can be translated back into an iptables match.
 */
struct nft_xt_ctx_reg {
	enum nft_ctx_reg_type type:8;	/* tag for the union below; 0 == NFT_XT_REG_UNDEF */

	union {
		struct {
			uint32_t base;		/* payload base (NFT_PAYLOAD_*_HEADER) — TODO confirm */
			uint32_t offset;	/* byte offset within that base */
			uint32_t len;		/* number of bytes loaded */
		} payload;
		struct {
			uint32_t data[4];	/* up to 16 bytes of immediate data */
			uint8_t len;		/* how many of those bytes are valid */
		} immediate;
		struct {
			uint32_t key;		/* meta key written into this register */
		} meta_dreg;
		struct {
			uint32_t key;		/* meta key read from this register */
		} meta_sreg;
	};

	/*
	 * A pending bitwise (mask/xor) operation applied to the register value
	 * after it was loaded; only meaningful while @set is true.  Cleared by
	 * nft_xt_reg_clear().
	 */
	struct {
		uint32_t mask[4];
		uint32_t xor[4];
		bool set;
	} bitwise;
};
44 
/*
 * State carried while walking the expressions of one nftnl_rule and
 * translating them into an iptables_command_state.
 */
struct nft_xt_ctx {
	struct iptables_command_state *cs;	/* rule being built */
	struct nftnl_expr_iter *iter;		/* position in the rule's expression list */
	struct nft_handle *h;
	uint32_t flags;
	const char *table;

	/*
	 * Register scratch area: regs[0] is the verdict register, regs[1..16]
	 * are the sixteen 32-bit registers (the 128-bit NFT_REG_1..4 occupy
	 * four consecutive slots each) — see nft_xt_ctx_get_sreg().
	 */
	struct nft_xt_ctx_reg regs[1 + 16];

	/* Static error string set by the helpers below when a lookup fails;
	 * NULL while no error has been recorded. */
	const char *errmsg;
};
56 
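/*
 * Translate an nf_tables register number into the matching slot of
 * ctx->regs.  Slot 0 is the verdict register; slots 1..16 are the sixteen
 * 32-bit registers, so the 128-bit registers NFT_REG_1..NFT_REG_4 start at
 * slots 1, 5, 9 and 13 and NFT_REG32_00..NFT_REG32_15 are slots 1..16.
 *
 * @ctx: parser context whose regs[] array is indexed
 * @reg: register number as carried in the nftnl expression
 *
 * Returns a pointer to the slot, or NULL with ctx->errmsg set when @reg is
 * not a register number this parser knows about.
 */
static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_sreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
{
	switch (reg) {
	case NFT_REG_VERDICT:
		return &ctx->regs[0];
	case NFT_REG_1:
		return &ctx->regs[1];
	case NFT_REG_2:
		return &ctx->regs[5];
	case NFT_REG_3:
		return &ctx->regs[9];
	case NFT_REG_4:
		return &ctx->regs[13];
	case NFT_REG32_00...NFT_REG32_15:
		/*
		 * NFT_REG32_00 is the first 32-bit word of NFT_REG_1, which lives
		 * at regs[1]; the +1 keeps the 32-bit view consistent with the
		 * 128-bit cases above (without it NFT_REG32_00 would alias the
		 * verdict slot and regs[16] would be unreachable).
		 */
		return &ctx->regs[1 + (reg - NFT_REG32_00)];
	default:
		ctx->errmsg = "Unknown register requested";
		break;
	}

	return NULL;
}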
79 
/*
 * Return a register slot to its untouched state: no pending bitwise
 * operation and type 0 (NFT_XT_REG_UNDEF).  The union payload is left as
 * is; the type tag alone marks it invalid.
 */
static inline void nft_xt_reg_clear(struct nft_xt_ctx_reg *r)
{
	r->bitwise.set = false;
	r->type = 0;
}
85 
/*
 * Look up the slot for a register that is about to be written (a
 * destination register) and wipe whatever a previous expression left in it.
 *
 * Returns the cleared slot, or NULL (ctx->errmsg set by
 * nft_xt_ctx_get_sreg()) for an unknown register number.
 */
static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_dreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
{
	struct nft_xt_ctx_reg *slot = nft_xt_ctx_get_sreg(ctx, reg);

	if (!slot)
		return NULL;

	nft_xt_reg_clear(slot);
	return slot;
}
95 
/*
 * Per-family hooks used while parsing an nft rule back into iptables form.
 * One instance exists for each family (see the extern declarations below);
 * callers are expected to check for NULL hooks — TODO confirm against the
 * parsers.
 */
struct nft_ruleparse_ops {
	/* meta expression whose source register @sreg is being consumed */
	void (*meta)(struct nft_xt_ctx *ctx,
		     const struct nft_xt_ctx_reg *sreg,
		     struct nftnl_expr *e,
		     struct iptables_command_state *cs);
	/* payload expression whose source register @sreg is being consumed */
	void (*payload)(struct nft_xt_ctx *ctx,
			const struct nft_xt_ctx_reg *sreg,
			struct nftnl_expr *e,
			struct iptables_command_state *cs);
	/* set lookup expression */
	void (*lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
	/* family-specific fixups after a match / target has been attached */
	void (*match)(struct xtables_match *m,
		      struct iptables_command_state *cs);
	void (*target)(struct xtables_target *t,
		       struct iptables_command_state *cs);
};
111 
/* Parser hook tables, one per supported family (defined in the family .c files). */
extern struct nft_ruleparse_ops nft_ruleparse_ops_arp;
extern struct nft_ruleparse_ops nft_ruleparse_ops_bridge;
extern struct nft_ruleparse_ops nft_ruleparse_ops_ipv4;
extern struct nft_ruleparse_ops nft_ruleparse_ops_ipv6;
116 
/*
 * Attach an xtables match named @name to @cs and return its private data
 * area; with @reuse set an already attached match of that name is presumably
 * returned instead of adding a second one — TODO confirm in nft-ruleparse.c.
 * Returns NULL on failure (ctx->errmsg may describe why).
 */
void *nft_create_match(struct nft_xt_ctx *ctx,
		       struct iptables_command_state *cs,
		       const char *name, bool reuse);
/* Same for the rule's target; returns the target's private data or NULL. */
void *nft_create_target(struct nft_xt_ctx *ctx, const char *name);


/*
 * Entry point: translate one nftnl rule into an iptables_command_state.
 * Returns false when the rule contains something the parser cannot express
 * in iptables terms.
 */
bool nft_rule_to_iptables_command_state(struct nft_handle *h,
					const struct nftnl_rule *r,
					struct iptables_command_state *cs);
126 
/*
 * Plain comparison macros.  Both arguments are evaluated twice, so never pass
 * expressions with side effects (e.g. i++).  The names are unprefixed and
 * not guarded by #ifndef, so they clash with any other min/max definition
 * pulled into the same translation unit.
 */
#define min(x, y) ((x) < (y) ? (x) : (y))
#define max(x, y) ((x) > (y) ? (x) : (y))
129 
/*
 * Decode a meta expression with key @key (NFT_META_*) into the interface
 * name / mask buffers and the invert flags of a rule.  @iniface and
 * @outiface are presumably IFNAMSIZ-sized buffers supplied by the caller —
 * TODO confirm.  Returns 0 on success, non-zero for an unsupported key.
 */
int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
	       char *iniface, unsigned char *iniface_mask, char *outiface,
	       unsigned char *outiface_mask, uint8_t *invflags);

/* Parse a hop-limit / TTL comparison into @cs; returns 0 on success. */
int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
		 struct iptables_command_state *cs);
136 
137 #endif /* _NFT_RULEPARSE_H_ */