      1 #ifndef _NFT_SHARED_H_
      2 #define _NFT_SHARED_H_
      3 
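      4 #include <stdbool.h>
        #include <stddef.h>	/* size_t: add_cmp_ptr(), add_addr(), add_proto(), get_cmp_data() */
        #include <stdint.h>	/* uint8_t .. uint64_t: used throughout this header */
        #include <stdio.h>	/* FILE: struct nft_xt_restore_parse; fprintf() when DEBUGP is enabled */
      5 
      6 #include <libnftnl/rule.h>
      7 #include <libnftnl/expr.h>
      8 
      9 #include <linux/netfilter_arp/arp_tables.h>
     10 
        /*
         * This header also uses struct xtables_match/xtables_target,
         * struct xtables_rule_match, struct xt_counters, struct in_addr/in6_addr
         * and IFNAMSIZ without including their headers directly; they are
         * presumably reached through xshared.h (<net/if.h>, <netinet/in.h>,
         * the xtables headers) — confirm before using this header standalone.
         */
     11 #include "xshared.h"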
     12 
        /*
         * Compile-time debug switch.  Flip the "#if 0" to 1 to get DEBUGP()
         * output on stdout plus the NLDEBUG / DEBUG_DEL knobs.  DEBUGP relies on
         * the GNU "args..." / "## args" named-variadic extension, so it is not
         * portable to strict ISO C preprocessors, and when enabled it needs
         * <stdio.h> for fprintf(), which this header does not include directly.
         */
     13 #if 0
     14 #define DEBUGP(x, args...) fprintf(stdout, x, ## args)
     15 #define NLDEBUG
     16 #define DEBUG_DEL
     17 #else
        /* Debug output compiled out: DEBUGP(...) expands to nothing. */
     18 #define DEBUGP(x, args...)
     19 #endif
     20 
     21 /*
     22  * iptables print output emulation
     23  */
     24 
        /*
         * FMT_* are the bits of the "format" argument taken by print_header(),
         * print_firewall(), save_firewall() and the other listing helpers below.
         */
     25 #define FMT_NUMERIC	0x0001
     26 #define FMT_NOCOUNTS	0x0002
     27 #define FMT_KILOMEGAGIGA 0x0004
     28 #define FMT_OPTIONS	0x0008
     29 #define FMT_NOTABLE	0x0010
     30 #define FMT_NOTARGET	0x0020
     31 #define FMT_VIA		0x0040
     32 #define FMT_NONEWLINE	0x0080
     33 #define FMT_LINENUMBERS 0x0100
     34 
        /* Flag set used when a rule is printed on its own (save-style output, presumably). */
     35 #define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
     36 			| FMT_NUMERIC | FMT_NOTABLE)
        /*
         * Pick "notab" when FMT_NOTABLE is set, "tab" otherwise.  NOTE: "format"
         * is not a macro parameter — the macro silently captures whatever
         * variable of that name is in scope at the expansion site.
         */
     37 #define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
     38 
        /*
         * Incomplete types for the prototypes below: struct xtables_args is
         * defined further down in this header, struct xt_xlate is only ever
         * passed through by pointer here.
         */
     39 struct xtables_args;
     40 struct xt_xlate;
     41 
        /*
         * Bit flags noting which kinds of expression have been seen while walking
         * a rule.  Presumably accumulated in nft_xt_ctx.flags (TODO confirm in
         * the parser) so that a later cmp expression knows which of the
         * payload / meta / bitwise sub-structs of the context is live.
         */
     42 enum {
     43 	NFT_XT_CTX_PAYLOAD	= (1 << 0),
     44 	NFT_XT_CTX_META		= (1 << 1),
     45 	NFT_XT_CTX_BITWISE	= (1 << 2),
     46 };
     47 
        /*
         * Scratch state carried across the nftnl expressions of one rule while
         * it is translated back into an iptables / arptables / ebtables command
         * state.  The parse_* hooks of struct nft_family_ops and the
         * nft_parse_*() functions below all take a pointer to it.
         */
     48 struct nft_xt_ctx {
     49 	union {
     50 		struct iptables_command_state *cs;
     51 		struct arptables_command_state *cs_arp;
     52 		struct ebtables_command_state *cs_eb;
     53 	} state;	/* which member is live presumably follows ->family — confirm in callers */
     54 	struct nftnl_expr_iter *iter;	/* iterator over the rule's expressions */
     55 	int family;	/* netfilter protocol family (NFPROTO_*, presumably) */
     56 	uint32_t flags;	/* NFT_XT_CTX_* bits — presumably which sub-structs below are valid */
     57 
     58 	uint32_t reg;	/* register the last payload/meta load targeted — TODO confirm */
     59 	struct {
     60 		uint32_t offset;	/* byte offset of the field within the payload base */
     61 		uint32_t len;	/* length of that field in bytes */
     62 	} payload;
     63 	struct {
     64 		uint32_t key;	/* meta key of the last meta expression (NFT_META_*, presumably) */
     65 	} meta;
     66 	struct {
     67 		uint32_t mask[4];	/* 16-byte mask / xor: wide enough for an IPv6 address */
     68 		uint32_t xor[4];
     69 	} bitwise;
     70 };
     71 
        /*
         * Per-backend (iptables, ip6tables, arptables, ebtables) hooks, obtained
         * from nft_family_ops_lookup().  The untyped "data" arguments are the
         * backend's command-state struct — presumably the same object the
         * nft_xt_ctx.state union points at; confirm against each backend.
         */
     72 struct nft_family_ops {
        	/* Emit the nftnl expressions for the rule described by data into r. */
     73 	int (*add)(struct nftnl_rule *r, void *data);
        	/* Compare two command states for equality. */
     74 	bool (*is_same)(const void *data_a,
     75 			const void *data_b);
     76 	void (*print_payload)(struct nftnl_expr *e,
     77 			      struct nftnl_expr_iter *iter);
        	/* Expression-by-expression translation of a rule back into data. */
     78 	void (*parse_meta)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
     79 			   void *data);
     80 	void (*parse_payload)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
     81 			      void *data);
     82 	void (*parse_bitwise)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
     83 			      void *data);
     84 	void (*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
     85 			  void *data);
        	/* Verdict: jump to jumpto, or goto when nft_goto is set (presumably maps to -j / -g). */
     86 	void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
     87 
        	/* Listing: format is a bitmask of the FMT_* flags. */
     88 	void (*print_table_header)(const char *tablename);
     89 	void (*print_header)(unsigned int format, const char *chain,
     90 			     const char *pol,
     91 			     const struct xt_counters *counters, bool basechain,
     92 			     uint32_t refs);
     93 	void (*print_firewall)(struct nftnl_rule *r, unsigned int num,
     94 			       unsigned int format);
     95 	void (*save_firewall)(const void *data, unsigned int format);
     96 	void (*save_counters)(const void *data);
        	/* Command-line post-processing hooks; cs is typed as the iptables state even for other backends — confirm how arp/eb use them. */
     97 	void (*proto_parse)(struct iptables_command_state *cs,
     98 			    struct xtables_args *args);
     99 	void (*post_parse)(int command, struct iptables_command_state *cs,
    100 			   struct xtables_args *args);
    101 	void (*parse_match)(struct xtables_match *m, void *data);
    102 	void (*parse_target)(struct xtables_target *t, void *data);
        	/* Receives ops explicitly, presumably so a shared implementation such as nft_ipv46_rule_find() can call back into it. */
    103 	bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
    104 			  void *data);
        	/* Translate data into nft syntax through xl. */
    105 	int (*xlate)(const void *data, struct xt_xlate *xl);
    106 };
    107 
        /*
         * Rule builders: each appends one or more nftnl expressions to r.
         * "op" is presumably an NFT_CMP_* operator.  Watch the argument order —
         * add_cmp_ptr() takes (op, data, len) while add_cmp_u8/u16/u32() take
         * (val, op); in add_cmp_u32() both are uint32_t, so a swapped call
         * compiles without a warning.
         */
    108 void add_meta(struct nftnl_rule *r, uint32_t key);
    109 void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base);
    110 void add_bitwise_u16(struct nftnl_rule *r, int mask, int xor);
    111 void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len);
    112 void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op);
    113 void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
    114 void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op);
        /* iface is not const-qualified; confirm the callee does not modify it before passing shared buffers. */
    115 void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op);
    116 void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op);
        /* len is presumably the size in bytes of both data and mask. */
    117 void add_addr(struct nftnl_rule *r, int offset,
    118 	      void *data, void *mask, size_t len, uint32_t op);
    119 void add_proto(struct nftnl_rule *r, int offset, size_t len,
    120 	       uint8_t proto, uint32_t op);
    121 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
    122 
        /*
         * Compare the (iniface, outiface) pair and their per-byte masks of rule
         * "a" with those of rule "b".  "unsigned const char *" is the same type
         * as "const unsigned char *".  Whether a NULL mask is accepted is not
         * visible here — check the definition.
         */
    123 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
    124 			unsigned const char *a_iniface_mask,
    125 			unsigned const char *a_outiface_mask,
    126 			const char *b_iniface, const char *b_outiface,
    127 			unsigned const char *b_iniface_mask,
    128 			unsigned const char *b_outiface_mask);
    129 
        /*
         * Fill the iface / mask / invflags outputs from meta expression e for
         * the given key.  The meaning of the int return is not visible here —
         * check the definition before treating it as an error code.
         */
    130 int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
    131 		unsigned char *iniface_mask, char *outiface,
    132 		unsigned char *outiface_mask, uint8_t *invflags);
    133 void print_proto(uint16_t proto, int invert);
        /*
         * Copy the cmp expression's data into the caller's buffer; dlen is the
         * size of data and is expected to bound the copy (confirm in the
         * definition).  *inv presumably reports a negated comparison.
         */
    134 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
        /* Per-expression parsers; each updates ctx and/or the state it points at. */
    135 void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    136 void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    137 void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    138 void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    139 void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    140 void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
    141 void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
    142 void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
        /* Walk every expression of r and rebuild the iptables view of it in cs. */
    143 void nft_rule_to_iptables_command_state(struct nftnl_rule *r,
    144 					struct iptables_command_state *cs);
        /* Listing helpers: format is a bitmask of the FMT_* flags. */
    145 void print_header(unsigned int format, const char *chain, const char *pol,
    146 		  const struct xt_counters *counters, bool basechain,
    147 		  uint32_t refs);
    148 void print_firewall_details(const struct iptables_command_state *cs,
    149 			    const char *targname, uint8_t flags,
    150 			    uint8_t invflags, uint8_t proto,
    151 			    unsigned int num, unsigned int format);
    152 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
    153 		  unsigned int format);
    154 void print_matches_and_target(struct iptables_command_state *cs,
    155 			      unsigned int format);
        /* Save-format helpers; pcnt / bcnt are presumably packet and byte counts. */
    156 void save_firewall_details(const struct iptables_command_state *cs,
    157 			   uint8_t invflags, uint16_t proto,
    158 			   const char *iniface,
    159 			   unsigned const char *iniface_mask,
    160 			   const char *outiface,
    161 			   unsigned const char *outiface_mask);
    162 void save_counters(uint64_t pcnt, uint64_t bcnt);
        /* fw is untyped; presumably the backend's rule struct passed to the target's save hook — confirm. */
    163 void save_matches_and_target(struct xtables_rule_match *m,
    164 			     struct xtables_target *target,
    165 			     const char *jumpto,
    166 			     uint8_t flags, const void *fw);
    167 
        /*
         * Return the hook table for a protocol family.  Whether an unknown
         * family yields NULL is not visible here; callers should check the
         * result until that is confirmed.
         */
    168 struct nft_family_ops *nft_family_ops_lookup(int family);
    169 
    170 struct nft_handle;	/* opaque here; only ever passed through by pointer */
        /* Shared ipv4/ipv6 implementation of nft_family_ops.rule_find, with the data argument typed. */
    171 bool nft_ipv46_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
    172 			 struct iptables_command_state *cs);
    173 
        /* Equality helpers for the match list and the target of two rules. */
    174 bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
    175 bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
    176 
        /*
         * Address list with matching netmasks (the parsed -s / -d arguments,
         * presumably).  addr and mask are expected to hold naddrs entries each.
         * Nothing here records whether v4 or v6 is live; that presumably follows
         * xtables_args.family — confirm before dereferencing.
         */
    177 struct addr_mask {
    178 	union {
    179 		struct in_addr	*v4;
    180 		struct in6_addr *v6;
    181 	} addr;
    182 
    183 	unsigned int naddrs;	/* number of entries in addr and in mask */
    184 
    185 	union {
    186 		struct in_addr	*v4;
    187 		struct in6_addr *v6;
    188 	} mask;
    189 };
    190 
        /*
         * Generic command-line arguments collected by do_parse() and handed to the
         * backend's proto_parse / post_parse hooks.
         */
    191 struct xtables_args {
    192 	int		family;
    193 	uint16_t	proto;
    194 	uint8_t		flags;
    195 	uint8_t		invflags;
        	/*
        	 * Fixed IFNAMSIZ buffers: anything copied in must be bounded and
        	 * NUL-terminated by the writer.  The *_mask arrays are the per-byte
        	 * interface wildcard masks that accompany the names (xtables
        	 * convention, presumably).
        	 */
    196 	char		iniface[IFNAMSIZ], outiface[IFNAMSIZ];
    197 	unsigned char	iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
    198 	bool		goto_set;	/* a goto (-g) target was given rather than a jump, presumably */
    199 	const char	*shostnetworkmask, *dhostnetworkmask;	/* raw -s / -d text, not yet resolved */
    200 	const char	*pcnt, *bcnt;	/* raw counter text, if given */
    201 	struct addr_mask s, d;	/* resolved source / destination addresses */
    202 	unsigned long long pcnt_cnt, bcnt_cnt;	/* parsed values of pcnt / bcnt */
    203 };
    204 
        /*
         * Command bits stored in nft_xt_cmd_parse.command.  They are distinct
         * bits rather than an enumeration, so presumably some commands may be
         * combined on one invocation; CMD_NONE is the empty set.
         */
    205 #define CMD_NONE		0x0000U
    206 #define CMD_INSERT		0x0001U
    207 #define CMD_DELETE		0x0002U
    208 #define CMD_DELETE_NUM		0x0004U
    209 #define CMD_REPLACE		0x0008U
    210 #define CMD_APPEND		0x0010U
    211 #define CMD_LIST		0x0020U
    212 #define CMD_FLUSH		0x0040U
    213 #define CMD_ZERO		0x0080U
    214 #define CMD_NEW_CHAIN		0x0100U
    215 #define CMD_DELETE_CHAIN	0x0200U
    216 #define CMD_SET_POLICY		0x0400U
    217 #define CMD_RENAME_CHAIN	0x0800U
    218 #define CMD_LIST_RULES		0x1000U
    219 #define CMD_ZERO_NUM		0x2000U
    220 #define CMD_CHECK		0x4000U
    221 
        /* Result of parsing one command line; filled in by do_parse(). */
    222 struct nft_xt_cmd_parse {
    223 	unsigned int			command;	/* CMD_* bits */
    224 	unsigned int			rulenum;	/* rule number for the *_NUM / insert / replace forms, presumably */
    225 	char				*table;
    226 	char				*chain;
    227 	char				*newname;	/* new chain name for CMD_RENAME_CHAIN, presumably */
    228 	char				*policy;	/* policy for CMD_SET_POLICY, presumably */
    229 	bool				restore;	/* parsing on behalf of *-restore rather than the CLI */
    230 	int				verbose;
    231 };
    232 
        /*
         * Parse argv into p (the command), cs (the rule) and args (generic
         * options).  argv comes straight from the user or from a restore file,
         * so every option value is untrusted input at this point.
         */
    233 void do_parse(struct nft_handle *h, int argc, char *argv[],
    234 	      struct nft_xt_cmd_parse *p, struct iptables_command_state *cs,
    235 	      struct xtables_args *args);
    236 
        /* Input description for xtables_restore_parse(). */
    237 struct nft_xt_restore_parse {
    238 	FILE		*in;	/* stream to read the restore dump from */
    239 	int		testing;	/* non-zero for a dry run, presumably (--test) — confirm */
    240 	const char	*tablename;	/* restrict to this table, or NULL for all, presumably */
    241 };
    242 
        /* Opaque here; only passed through by pointer in struct nft_xt_restore_cb. */
    243 struct nftnl_chain_list;
    244 
        /*
         * Callbacks invoked by xtables_restore_parse() as it reads a dump.  The
         * int-returning hooks presumably report failure with a non-zero value
         * (confirm in the restore loop); the void ones cannot.
         */
    245 struct nft_xt_restore_cb {
    246 	void (*table_new)(struct nft_handle *h, const char *table);
    247 	struct nftnl_chain_list *(*chain_list)(struct nft_handle *h);
    248 	int (*chains_purge)(struct nft_handle *h, const char *table,
    249 			    struct nftnl_chain_list *clist);
    250 	void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable,
    251 			  const char *chain);
        	/* Create or reset a base chain with the given policy and counters. */
    252 	int (*chain_set)(struct nft_handle *h, const char *table,
    253 			 const char *chain, const char *policy,
    254 			 const struct xt_counters *counters);
    255 	int (*chain_user_add)(struct nft_handle *h, const char *chain,
    256 			      const char *table);
    257 
    258 	int (*rule_flush)(struct nft_handle *h, const char *chain, const char *table);
    259 
        	/* Run one rule line; table is passed by address, so the callee may presumably update it — confirm. */
    260 	int (*do_command)(struct nft_handle *h, int argc, char *argv[],
    261 			  char **table, bool restore);
    262 
        	/* End of a COMMIT block / error path respectively. */
    263 	int (*commit)(struct nft_handle *h);
    264 	int (*abort)(struct nft_handle *h);
    265 };
    266 
        /*
         * Read the dump described by p and drive the cb hooks for each table,
         * chain and rule it contains.  argc / argv are the restore program's own
         * arguments; the dump contents are untrusted input.
         */
    267 void xtables_restore_parse(struct nft_handle *h,
    268 			   struct nft_xt_restore_parse *p,
    269 			   struct nft_xt_restore_cb *cb,
    270 			   int argc, char *argv[]);
    271 
    272 #endif