      1 #ifndef _NFT_H_
      2 #define _NFT_H_
      3 
      4 #include "xshared.h"
      5 #include "nft-shared.h"
      6 #include <libiptc/linux_list.h>
      7 
/*
 * Table slots of the per-family builtin_table arrays declared below
 * (xtables_ipv4, xtables_arp, xtables_bridge), which are sized TABLES_MAX.
 * FILTER..NAT appear to be the array indices (values 0..4); keep TABLES_MAX
 * equal to the number of indices when adding a table.
 */
#define FILTER         0
#define MANGLE         1
#define RAW            2
#define SECURITY       3
#define NAT            4
#define TABLES_MAX     5
     14 
/*
 * Static description of one builtin (base) chain of a builtin table.
 */
struct builtin_chain {
	const char *name;	/* chain name */
	const char *type;	/* chain type string */
	uint32_t prio;		/* priority; NOTE(review): semantics of the value not visible here */
	uint32_t hook;		/* netfilter hook number; NOTE(review): presumably an NF_INET_* value — confirm in nft.c */
};
     21 
/*
 * Static description of one builtin table together with its builtin chains,
 * one chains[] slot per netfilter hook.
 */
struct builtin_table {
	const char *name;	/* table name */
	struct builtin_chain chains[NF_INET_NUMHOOKS];	/* NOTE(review): presumably indexed by hook, unused slots with name == NULL — confirm */
	bool initialized;	/* NOTE(review): presumably set once the table exists in the kernel — confirm in nft.c */
};
     27 
/*
 * State of the nft backend for one tool invocation: the netlink connection,
 * the family-specific builtin tables and callbacks, and the pending batch.
 * Set up with nft_init() and released with nft_fini().
 */
struct nft_handle {
	int			family;		/* protocol family; NOTE(review): presumably an NFPROTO_* value — confirm */
	struct mnl_socket	*nl;		/* libmnl netlink socket */
	uint32_t		portid;		/* netlink port id */
	uint32_t		seq;		/* netlink sequence number; NOTE(review): presumably advanced per message — confirm */
	struct list_head	obj_list;	/* queued objects; NOTE(review): element type not visible in this header */
	int			obj_list_num;	/* number of entries on obj_list */
	struct mnl_nlmsg_batch	*batch;		/* libmnl message batch; NOTE(review): presumably what nft_commit() sends — confirm */
	struct nft_family_ops	*ops;		/* family-specific callbacks */
	struct builtin_table	*tables;	/* builtin table array for this family (xtables_ipv4 etc.) */
	struct nftnl_rule_list	*rule_cache;	/* cached rule listing; NOTE(review): invalidation rules not visible here */
	bool			restore;	/* NOTE(review): presumably true for *-restore callers (see do_commandx()) — confirm */
	bool			batch_support;	/* NOTE(review): presumably whether the kernel accepts batched transactions — confirm */
};
     42 
/* Builtin table definitions per protocol family, one slot per table index above. */
extern struct builtin_table xtables_ipv4[TABLES_MAX];
extern struct builtin_table xtables_arp[TABLES_MAX];
extern struct builtin_table xtables_bridge[TABLES_MAX];

/*
 * Send nlh over the handle's netlink socket; cb presumably receives the
 * reply messages with data passed through unchanged.
 * NOTE(review): the return convention (0 on success vs. negative errno) is
 * not visible in this header — confirm in nft.c before relying on it.
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/* Initialise h for the builtin table array t; pair every call with nft_fini(). */
int nft_init(struct nft_handle *h, struct builtin_table *t);
/* Release the resources held by h. */
void nft_fini(struct nft_handle *h);
     52 
/*
 * Operations with tables.
 */
struct nftnl_table;
struct nftnl_chain_list;	/* forward-declared again near xtables_config_parse() below; harmless */

/* Queue creation of table t. flags: NOTE(review): presumably netlink message flags — confirm. */
int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags);
/*
 * Call func(h, tablename, counters) once per table.
 * NOTE(review): whether iteration stops on a non-zero func return is not visible here.
 */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
/* Return true if a table named tablename is known to h. */
bool nft_table_find(struct nft_handle *h, const char *tablename);
/*
 * Purge the chains of table, working from the chain listing list.
 * NOTE(review): whether this only edits list or also deletes in the kernel is
 * inferred from the name — confirm in nft.c.
 */
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
     63 
/*
 * Operations with chains.
 */
struct nftnl_chain;

/* Queue creation of chain c. flags: NOTE(review): presumably netlink message flags — confirm. */
int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags);
/*
 * Set the policy (and counters) of the builtin chain table/chain.
 * NOTE(review): whether counters may be NULL is not visible here — confirm.
 */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/*
 * Fetch the chain listing from the kernel.
 * NOTE(review): ownership of the returned list (who frees it, and whether a
 * NULL return signals an error) is not visible here — confirm in nft.c.
 */
struct nftnl_chain_list *nft_chain_dump(struct nft_handle *h);
/* Look up table/chain in list; NOTE(review): a NULL return for "not found" is inferred — confirm. */
struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);
/* Print the chain definitions of table from list in save format. */
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list, const char *table);
/* Create a user-defined chain named chain in table. */
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
/* Delete the user-defined chain named chain from table. */
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
/* Rename the user-defined chain chain in table to newname. */
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
/* Reset the counters of chain in table. */
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table);
     78 
/*
 * Operations with rule-set.
 *
 * The untyped data argument is the family-specific rule description.
 * NOTE(review): its actual type depends on the family (compare
 * nft_arp_rule_append() below, which takes struct arpt_entry) — confirm the
 * expected type per caller; this header does not enforce it.
 * rulenum follows the iptables position convention (NOTE(review): presumably
 * 1-based — confirm).
 */
struct nftnl_rule;

/* Append data to chain in table. handle: nft rule handle (NOTE(review): meaning of 0 not visible here). */
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, uint64_t handle, bool verbose);
/* Insert data into chain in table at position rulenum. */
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/* Check whether a rule matching data exists in chain of table. */
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
/* Delete the rule matching data from chain in table. */
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
/* Delete the rule at position rulenum from chain in table. */
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
/* Replace the rule at position rulenum in chain of table with data. */
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/* List rules of chain in table (or the rule at rulenum). format: output flags (NOTE(review): values not visible here). */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
/* Print rules of chain in table in save format; counters selects counter output. */
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
/* Print all rules of table in save format; counters selects counter output. */
int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
/* Remove all rules from chain in table. */
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
/* Reset the counters of the rule at rulenum in chain of table. NOTE(review): whether rulenum 0 means "all rules" is not visible here. */
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
     95 
/*
 * Operations used in userspace tools.
 * These presumably append expressions to the rule r under construction;
 * NOTE(review): the return convention is not visible here — confirm in nft.c.
 */
/* Attach a counter expression with the given packets/bytes start values to r. */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
/* Attach an immediate verdict (verdict code) to r. */
int add_verdict(struct nftnl_rule *r, int verdict);
/* Attach the iptables match m to r. */
int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
/* Attach the iptables target t to r. */
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
/* Attach a jump to chain name; NOTE(review): verdict presumably selects jump vs. goto — confirm. */
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
/* Attach the action described by cs to r; goto_set: NOTE(review): presumably request goto instead of jump — confirm. */
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
/* Attach comment to r. */
int add_comment(struct nftnl_rule *r, const char *comment);
/*
 * Extract the comment stored in the data_len bytes at data.
 * NOTE(review): whether the returned string is newly allocated (caller must
 * free) or points into data (must not outlive it) is not visible here —
 * confirm in nft.c before using the result; getting this wrong is a leak or a
 * use-after-free.
 */
char *get_comment(const void *data, uint32_t data_len);
    107 
/* Selects the command nft_rule_print_save() emits for a rule. */
enum nft_rule_print {
	NFT_RULE_APPEND,	/* print as an append; NOTE(review): presumably -A syntax — confirm */
	NFT_RULE_DEL,		/* print as a delete; NOTE(review): presumably -D syntax — confirm */
};
    112 
/*
 * Print rule r in save syntax, as an append or a delete depending on type.
 * data: family-specific rule description passed through to the printer
 * (NOTE(review): same untyped convention as nft_rule_append()).
 * format: output format flags (NOTE(review): values not visible here).
 */
void nft_rule_print_save(const void *data,
			 struct nftnl_rule *r, enum nft_rule_print type,
			 unsigned int format);

/*
 * Map the inversion bit flag of invflags to an nft comparison operator code.
 * NOTE(review): inferred from the name and the uint32_t return — confirm in nft.c.
 */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
    118 
/*
 * global commit and abort
 * NOTE(review): presumably send, respectively drop, the batch queued on h — confirm.
 */
int nft_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);

/*
 * revision compatibility.
 * Check whether the kernel supports revision rev of the extension name.
 * opt: NOTE(review): presumably selects match vs. target lookup — confirm.
 */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);

/*
 * Error reporting.
 * Translate err into a message string.
 * NOTE(review): whether err is an errno value or a backend-specific code, and
 * whether the returned pointer is static, is not visible here — confirm.
 */
const char *nft_strerror(int err);
    134 
/*
 * For xtables.c
 * Parse and run the iptables command line argv[0..argc-1] on h.
 * table: NOTE(review): in/out table name inferred from the char ** type — confirm.
 * restore: NOTE(review): presumably set by restore-style callers — confirm.
 */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c: arptables counterpart of do_commandx(). */
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table);
/* For xtables-eb.c: ebtables counterpart of do_commandx(). */
int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table);
    141 
/*
 * Parsing of the config file for tables and chains, plus helper functions.
 */
#define XTABLES_CONFIG_DEFAULT  "/etc/xtables.conf"	/* default location of the xtables config file */

struct nftnl_table_list;
struct nftnl_chain_list;	/* NOTE(review): duplicate of the forward declaration above; harmless */

/*
 * Parse filename; the tables and chains found are presumably appended to
 * table_list and chain_list.
 * NOTE(review): "extern" is redundant on a function prototype and
 * inconsistent with the rest of this header.
 */
extern int xtables_config_parse(const char *filename, struct nftnl_table_list *table_list, struct nftnl_chain_list *chain_list);
    151 
/* Flag bits; NOTE(review): presumably for the flags argument of nft_xtables_config_load() — confirm. */
enum {
	NFT_LOAD_VERBOSE = (1 << 0),	/* NOTE(review): presumably report what is loaded — confirm */
};
    155 
/* Load the tables and chains described by the config file filename via h. flags: NFT_LOAD_* bits. */
int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags);
    157 
/*
 * Translation from iptables to nft
 */
struct xt_buf;	/* NOTE(review): forward-declared but not referenced in this header */

/* Return true if cs carries a match extension named p_name — NOTE(review): inferred from the name. */
bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
/* Emit the nft translation of the matches of cs into xl. */
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
/* Emit the nft translation of the action of cs into xl; goto_set: NOTE(review): presumably goto instead of jump — confirm. */
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/* Emit an interface match into xl: nftmeta names the nft meta key, ifname the interface, invert negates it. */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);
    169 
/*
 * ARP
 */

struct arpt_entry;

/* arptables variant of nft_rule_append(): append the entry fw to chain in table. */
int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
/* arptables variant of nft_rule_insert(): insert the entry fw into chain in table at rulenum. */
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/*
 * Convert rule r back into the arptables entry *fw.
 * NOTE(review): the amount of storage fw must provide (the entry plus any
 * trailing match/target data) is not visible here — confirm in nft-arp.c.
 */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/*
 * Check whether the ruleset currently in the kernel can be handled by this
 * tool. NOTE(review): return convention not visible here — confirm.
 */
int nft_is_ruleset_compatible(struct nft_handle *h);
    186 
    187 #endif
    188