iptables/nft-shared.h

   1 #ifndef _NFT_SHARED_H_
   2 #define _NFT_SHARED_H_
   3
   4 #include <stdbool.h>
   5
   6 #include <libnftnl/rule.h>
   7 #include <libnftnl/expr.h>
   8 #include <libnftnl/chain.h>
   9
  10 #include <linux/netfilter_arp/arp_tables.h>
  11 #include <linux/netfilter/nf_tables.h>
  12
  13 #include "xshared.h"
  14 #include "nft-ruleparse.h"
  15
  16 #ifdef DEBUG
  17 #define DEBUG_DEL
  18 #endif
  19
  20 /*
  21  * iptables print output emulation
  22  */
  23
  24 #define FMT_NUMERIC     0x0001
  25 #define FMT_NOCOUNTS    0x0002
  26 #define FMT_KILOMEGAGIGA 0x0004
  27 #define FMT_OPTIONS     0x0008
  28 #define FMT_NOTABLE     0x0010
  29 #define FMT_NOTARGET    0x0020
  30 #define FMT_VIA         0x0040
  31 #define FMT_NONEWLINE   0x0080
  32 #define FMT_LINENUMBERS 0x0100
  33
  34 #define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
  35                         | FMT_NUMERIC | FMT_NOTABLE)
  36 #define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
  37
  38 struct nft_rule_ctx;
  39 struct xtables_args;
  40 struct nft_handle;
  41 struct xt_xlate;
  42
  43 struct nft_family_ops {
  44         int (*add)(struct nft_handle *h, struct nft_rule_ctx *ctx,
  45                    struct nftnl_rule *r, struct iptables_command_state *cs);
  46         bool (*is_same)(const struct iptables_command_state *cs_a,
  47                         const struct iptables_command_state *cs_b);
  48         void (*print_payload)(struct nftnl_expr *e,
  49                               struct nftnl_expr_iter *iter);
  50         void (*set_goto_flag)(struct iptables_command_state *cs);
  51
  52         void (*print_table_header)(const char *tablename);
  53         void (*print_header)(unsigned int format, const char *chain,
  54                              const char *pol,
  55                              const struct xt_counters *counters,
  56                              int refs, uint32_t entries);
  57         void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
  58                            unsigned int num, unsigned int format);
  59         void (*save_rule)(const struct iptables_command_state *cs,
  60                           unsigned int format);
  61         void (*save_chain)(const struct nftnl_chain *c, const char *policy);
  62         struct nft_ruleparse_ops *rule_parse;
  63         struct xt_cmd_parse_ops cmd_parse;
  64         void (*init_cs)(struct iptables_command_state *cs);
  65         bool (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
  66                            struct iptables_command_state *cs);
  67         void (*clear_cs)(struct iptables_command_state *cs);
  68         int (*xlate)(const struct iptables_command_state *cs,
  69                      struct xt_xlate *xl);
  70         int (*add_entry)(struct nft_handle *h,
  71                          const char *chain, const char *table,
  72                          struct iptables_command_state *cs,
  73                          struct xtables_args *args, bool verbose,
  74                          bool append, int rulenum);
  75         int (*delete_entry)(struct nft_handle *h,
  76                             const char *chain, const char *table,
  77                             struct iptables_command_state *cs,
  78                             struct xtables_args *args, bool verbose);
  79         int (*check_entry)(struct nft_handle *h,
  80                            const char *chain, const char *table,
  81                            struct iptables_command_state *cs,
  82                            struct xtables_args *args, bool verbose);
  83         int (*replace_entry)(struct nft_handle *h,
  84                              const char *chain, const char *table,
  85                              struct iptables_command_state *cs,
  86                              struct xtables_args *args, bool verbose,
  87                              int rulenum);
  88 };
  89
  90 void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key, uint8_t *dreg);
  91 void add_payload(struct nft_handle *h, struct nftnl_rule *r, int offset, int len, uint32_t base, uint8_t *dreg);
  92 void add_bitwise(struct nft_handle *h, struct nftnl_rule *r, uint8_t *mask, size_t len, uint8_t sreg, uint8_t *dreg);
  93 void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r, uint16_t mask, uint16_t xor, uint8_t sreg, uint8_t *dreg);
  94 void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, uint8_t sreg);
  95 void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg);
  96 void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg);
  97 void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg);
  98 void add_iface(struct nft_handle *h, struct nftnl_rule *r,
  99                char *iface, uint32_t key, uint32_t op);
 100 void add_addr(struct nft_handle *h, struct nftnl_rule *r, enum nft_payload_bases base, int offset,
 101               void *data, void *mask, size_t len, uint32_t op);
 102 void add_proto(struct nft_handle *h, struct nftnl_rule *r, int offset, size_t len,
 103                uint8_t proto, uint32_t op);
 104 void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint32_t op);
 105 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
 106
 107 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
 108                         const char *b_iniface, const char *b_outiface);
 109
 110 void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
 111 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
 112 void print_matches_and_target(struct iptables_command_state *cs,
 113                               unsigned int format);
 114 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
 115 void save_matches_and_target(const struct iptables_command_state *cs,
 116                              bool goto_flag, const void *fw,
 117                              unsigned int format);
 118
 119 struct nft_family_ops *nft_family_ops_lookup(int family);
 120
 121 bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
 122 bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
 123
 124 struct nftnl_chain_list;
 125
 126 struct nft_xt_restore_cb {
 127         void (*table_new)(struct nft_handle *h, const char *table);
 128         int (*chain_set)(struct nft_handle *h, const char *table,
 129                          const char *chain, const char *policy,
 130                          const struct xt_counters *counters);
 131         int (*chain_restore)(struct nft_handle *h, const char *chain,
 132                              const char *table);
 133
 134         int (*table_flush)(struct nft_handle *h, const char *table,
 135                            bool verbose);
 136
 137         int (*do_command)(struct nft_handle *h, int argc, char *argv[],
 138                           char **table, bool restore);
 139
 140         int (*commit)(struct nft_handle *h);
 141         int (*abort)(struct nft_handle *h);
 142 };
 143
 144 struct nft_xt_restore_parse {
 145         FILE                            *in;
 146         int                             testing;
 147         const char                      *tablename;
 148         bool                            commit;
 149         const struct nft_xt_restore_cb  *cb;
 150 };
 151
 152 void xtables_restore_parse(struct nft_handle *h,
 153                            const struct nft_xt_restore_parse *p);
 154
 155 void nft_check_xt_legacy(int family, bool is_ipt_save);
 156
 157 /* simplified nftables:include/netlink.h, netlink_padded_len() */
 158 #define NETLINK_ALIGN           4
 159
 160 enum nft_registers nft_get_next_reg(enum nft_registers reg, size_t size);
 161
 162 #endif