/*
 * nft.h - declarations shared by the xtables-nft front ends
 * (see the "For xtables.c" / "For xtables-arptables.c" / "For xtables-eb.c"
 * sections below).
 *
 * Unless a comment says otherwise, int-returning functions here report a
 * status; the exact convention (0/non-zero vs. negative error) is fixed in
 * the implementing translation unit, not in this header.
 *
 * NOTE(review): the include guard _NFT_H_ and the member nft_handle::__cache
 * live in the identifier space reserved for the implementation (leading
 * underscore + uppercase, double underscore). Renaming them is a separate,
 * interface-touching change and is not done here.
 */
#ifndef _NFT_H_
#define _NFT_H_

#include "xshared.h"
#include "nft-shared.h"
#include "nft-cache.h"
#include "nft-chain.h"
#include "nft-cmd.h"
#include <libiptc/linux_list.h>

/*
 * Index of each built-in table. The values double as the index into
 * struct nft_cache::table[] (sized by NFT_TABLE_MAX below), so the
 * enumerators must stay dense and start at 0.
 */
enum nft_table_type {
	NFT_TABLE_MANGLE = 0,
	NFT_TABLE_SECURITY,
	NFT_TABLE_RAW,
	NFT_TABLE_FILTER,
	NFT_TABLE_NAT,
	NFT_TABLE_BROUTE,
};
/* Number of enumerators in enum nft_table_type; array bound for per-table state. */
#define NFT_TABLE_MAX (NFT_TABLE_BROUTE + 1)

/* Static description of one base chain of a built-in table. */
struct builtin_chain {
	const char *name;	/* chain name */
	const char *type;	/* presumably the nft chain type string — confirm in the table definitions */
	uint32_t prio;		/* hook priority */
	uint32_t hook;		/* netfilter hook number; pairs with builtin_table::chains[] indexing — confirm */
};

/* Static description of one built-in table and its base chains. */
struct builtin_table {
	const char *name;
	enum nft_table_type type;
	/* One slot per netfilter hook; presumably indexed by hook number — confirm. */
	struct builtin_chain chains[NF_INET_NUMHOOKS];
};

/*
 * How much of the ruleset a cache request wants fetched. Declared in
 * increasing order; NFT_CL_FAKE must stay the last entry (see comment),
 * which suggests it is used as a bound — confirm against the cache code.
 */
enum nft_cache_level {
	NFT_CL_TABLES,
	NFT_CL_CHAINS,
	NFT_CL_SETS,
	NFT_CL_RULES,
	NFT_CL_FAKE /* must be last entry */
};

/* Cached view of the kernel ruleset, one entry per built-in table type. */
struct nft_cache {
	struct {
		/* Base chain per netfilter hook; NULL where none is cached — assumption, confirm. */
		struct nft_chain *base_chains[NF_INET_NUMHOOKS];
		struct nft_chain_list *chains;
		struct nftnl_set_list *sets;
		bool exists;	/* table was seen in the kernel — assumption, confirm */
		bool sorted;
		bool tainted;	/* queried via nft_is_table_tainted(); meaning defined in the implementation */
	} table[NFT_TABLE_MAX];
};

/*
 * Kinds of pending batch operations. Presumably the discriminator of the
 * objects queued on nft_handle::obj_list — confirm in the batch code.
 */
enum obj_update_type {
	NFT_COMPAT_TABLE_ADD,
	NFT_COMPAT_TABLE_FLUSH,
	NFT_COMPAT_CHAIN_ADD,
	NFT_COMPAT_CHAIN_USER_ADD,
	NFT_COMPAT_CHAIN_DEL,
	NFT_COMPAT_CHAIN_USER_FLUSH,
	NFT_COMPAT_CHAIN_UPDATE,
	NFT_COMPAT_CHAIN_RENAME,
	NFT_COMPAT_CHAIN_ZERO,
	NFT_COMPAT_RULE_APPEND,
	NFT_COMPAT_RULE_INSERT,
	NFT_COMPAT_RULE_REPLACE,
	NFT_COMPAT_RULE_DELETE,
	NFT_COMPAT_RULE_FLUSH,
	NFT_COMPAT_SET_ADD,
	NFT_COMPAT_RULE_LIST,
	NFT_COMPAT_RULE_CHECK,
	NFT_COMPAT_CHAIN_RESTORE,
	NFT_COMPAT_RULE_SAVE,
	NFT_COMPAT_RULE_ZERO,
	NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE,
};

/* List node naming one chain (linked via linux_list.h list_head). */
struct cache_chain {
	struct list_head head;
	char *name;	/* ownership (who frees) is not visible here — check the cache code */
};

/* Description of what the next cache fetch should cover. */
struct nft_cache_req {
	enum nft_cache_level level;	/* how deep to fetch */
	char *table;			/* table to fetch; ownership not visible here */
	bool all_chains;
	struct list_head chain_list;	/* list of struct cache_chain — assumption, confirm */
};

/* Per-program handle: netlink state, pending batch and ruleset cache. */
struct nft_handle {
	int family;			/* netfilter protocol family passed to nft_init() */
	struct mnl_socket *nl;		/* libmnl netlink socket */
	int nlsndbuffsiz;		/* netlink send buffer size */
	int nlrcvbuffsiz;		/* netlink receive buffer size */
	uint32_t portid;		/* netlink port id */
	uint32_t seq;			/* netlink sequence counter */
	uint32_t nft_genid;		/* ruleset generation id — presumably used to detect concurrent changes; confirm */
	uint32_t rule_id;
	struct list_head obj_list;	/* queued batch objects; see enum obj_update_type */
	int obj_list_num;		/* number of entries on obj_list — assumption, confirm */
	struct nftnl_batch *batch;
	struct list_head err_list;
	struct nft_family_ops *ops;	/* family-specific operations */
	const struct builtin_table *tables;	/* built-in table descriptions for this family */
	/*
	 * Two cache slots. `cache` presumably points at __cache[cache_index]
	 * so a fresh fetch can be built while the old one stays readable —
	 * confirm in the cache code.
	 */
	unsigned int cache_index;
	struct nft_cache __cache[2];
	struct nft_cache *cache;
	struct nft_cache_req cache_req;
	bool restore;			/* running in *-restore mode */
	bool noflush;
	int8_t config_done;
	struct list_head cmd_list;
	bool cache_init;
	int verbose;

	/* meta data, for error reporting */
	struct {
		unsigned int lineno;	/* input line the current error refers to */
	} error;
};

/*
 * Send a netlink message on h->nl and deliver responses to cb(), passing
 * data through unchanged as the callback's opaque argument.
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/* Initialise h for the given netfilter family. */
int nft_init(struct nft_handle *h, int family);
/* Release everything owned by h. */
void nft_fini(struct nft_handle *h);
/* Re-initialise the handle; when this is needed is defined by the implementation. */
int nft_restart(struct nft_handle *h);

/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;

/* Call func(h, tablename, data) for each table; data is passed through opaque. */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, void *data), void *data);
/* true if a table of that name is known. */
bool nft_table_find(struct nft_handle *h, const char *tablename);
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
int nft_table_flush(struct nft_handle *h, const char *table);
/* Look up the built-in description of a table by name; NULL if not built-in — assumption, confirm. */
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
int nft_xt_fake_builtin_chains(struct nft_handle *h, const char *table, const char *chain);

/*
 * Operations with chains.
 */
struct nftnl_chain;

/* Set a chain's policy and, if counters is non-NULL, its counters — the NULL case is an assumption, confirm. */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/* nft_chain_foreach() callback that emits a chain in save format — inferred from the name, confirm. */
int nft_chain_save(struct nft_chain *c, void *data);
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/* Find the base-chain description named chain in built-in table t. */
const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t, const char *chain);
bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
void nft_bridge_chain_postprocess(struct nft_handle *h,
				  struct nftnl_chain *c);
/* Call cb(c, data) for each chain of table; data is passed through opaque. */
int nft_chain_foreach(struct nft_handle *h, const char *table,
		      int (*cb)(struct nft_chain *c, void *data),
		      void *data);


/*
 * Operations with sets.
 */
/* Find a set in the pending batch by its id; NULL if absent — assumption, confirm. */
struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
					    uint32_t set_id);

/*
 * Operations with rule-set.
 */
/* Context carried while building a rule. */
struct nft_rule_ctx {
	int command;	/* the iptables command being translated — assumption, confirm */
};

/* Build a new nftnl rule from the parsed iptables command state cs. Ownership of the result is not documented here. */
struct nftnl_rule *nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *rule, const char *chain, const char *table, struct iptables_command_state *cs);
/* Append r to chain; ref, when non-NULL, presumably positions the insert — confirm. */
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
/* List rules; format is a flags word whose bits are defined elsewhere. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);

/*
 * Operations used in userspace tools
 */
/* Helpers that attach expressions to an nftnl rule r. */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
	      struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
/*
 * Extract the rule comment from a data blob of data_len bytes. Whether the
 * returned string points into data or is freshly allocated is not visible
 * here; callers must match the implementation's ownership rule to avoid a
 * leak or dangling pointer — confirm in the implementation.
 */
char *get_comment(const void *data, uint32_t data_len);

/* Which prefix nft_rule_print_save() emits for a rule. */
enum nft_rule_print {
	NFT_RULE_APPEND,
	NFT_RULE_DEL,
};

bool nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
			 enum nft_rule_print type, unsigned int format);

/* Map an iptables inversion flag to an nft comparison operator — inferred from the name, confirm. */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);

/*
 * global commit and abort
 */
int nft_commit(struct nft_handle *h);
int nft_bridge_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);

/*
 * revision compatibility.
 */
/* Check whether extension name at revision rev is usable; opt selects match vs. target — assumption, confirm. */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 */
/* Human-readable text for an error code returned by this layer. */
const char *nft_strerror(int err);

/* For xtables.c */
/* Command-line entry points. argv is the raw command line; table is read and/or updated through the pointer — confirm which. */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int nft_init_arp(struct nft_handle *h, const char *pname);
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-eb.c */
int nft_init_eb(struct nft_handle *h, const char *pname);
void nft_fini_eb(struct nft_handle *h);
int ebt_get_current_chain(const char *chain);
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);

/*
 * Translation from iptables to nft
 */
struct xt_buf;

/* true if a match named p_name is present in cs. */
bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/* Emit an interface-name expression; nftmeta names the meta key, invert negates the match. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);

/*
 * ARP
 */

struct arpt_entry;

int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/* Fill fw from the nftnl rule r. */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/* Compatibility checks on tables not created by this tool; "tainted" refers to nft_cache::table[].tainted. */
bool nft_is_table_compatible(struct nft_handle *h,
			     const char *table, const char *chain);
bool nft_is_table_tainted(struct nft_handle *h, const char *table);
/* Like nft_is_table_compatible() but does not return on failure — inferred from the name, confirm. */
void nft_assert_table_compatible(struct nft_handle *h,
				 const char *table, const char *chain);

int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
			      const char *chain, const char *policy);

#endif