1384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifndef _NFT_H_
2384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define _NFT_H_
3384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
4384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include "xshared.h"
5077785df023ad8947d44d19769bc6d91e3917633Tomasz Bursztyka#include "nft-shared.h"
6d6a127cd5710f8c60e95bfd0378ca352c07140a9Pablo Neira Ayuso#include <libiptc/linux_list.h>
7384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
/*
 * Indices of the builtin tables within the per-family arrays declared
 * below (xtables_ipv4, xtables_arp, xtables_bridge).  TABLES_MAX is the
 * length of those arrays, not a table index.
 */
#define FILTER         0
#define MANGLE         1
#define RAW            2
#define SECURITY       3
#define NAT            4
#define TABLES_MAX     5
14afae1f841bc2c4b39a38fa97d271f3877d00bf3aGiuseppe Longo
/*
 * Description of one builtin (base) chain of a builtin table.  The
 * chains[] array of struct builtin_table has NF_INET_NUMHOOKS entries,
 * so 'hook' is presumably the netfilter hook number and 'prio' the
 * chain priority within that hook; 'type' is the chain type string.
 * Exact meanings are fixed by the table definitions that populate
 * the xtables_* arrays, which are not visible from this header.
 */
struct builtin_chain {
	const char *name;	/* chain name as shown to the user */
	const char *type;	/* nft chain type (string) */
	uint32_t prio;		/* priority within the hook (assumed) */
	uint32_t hook;		/* netfilter hook number (assumed) */
};
21afae1f841bc2c4b39a38fa97d271f3877d00bf3aGiuseppe Longo
/*
 * A builtin table: its name plus one builtin_chain slot per netfilter
 * hook.  'initialized' is a per-table flag maintained by the
 * implementation; what it gates (most likely whether the table has
 * already been created in the kernel) is not visible from this header.
 */
struct builtin_table {
	const char *name;
	struct builtin_chain chains[NF_INET_NUMHOOKS];	/* indexed by hook; unused hooks presumably left zeroed */
	bool initialized;
};
27afae1f841bc2c4b39a38fa97d271f3877d00bf3aGiuseppe Longo
/*
 * Per-invocation state shared by every nft_* function declared below.
 * Set up with nft_init() and released with nft_fini().  Field
 * descriptions are inferred from the types and names; confirm against
 * the implementation before relying on them.
 */
struct nft_handle {
	int			family;		/* netfilter protocol family of this handle */
	struct mnl_socket	*nl;		/* libmnl netlink socket */
	uint32_t		portid;		/* netlink port id of 'nl' (assumed) */
	uint32_t		seq;		/* netlink message sequence counter (assumed) */
	struct list_head	obj_list;	/* pending objects, counted by obj_list_num */
	int			obj_list_num;	/* number of entries on obj_list */
	struct mnl_nlmsg_batch	*batch;		/* libmnl message batch; relation to batch_support not visible here */
	struct nft_family_ops	*ops;		/* family-specific callbacks (see nft-shared.h) */
	struct builtin_table	*tables;	/* builtin table array for 'family' (one of xtables_ipv4 & co., presumably) */
	struct nftnl_rule_list	*rule_cache;	/* cached rule listing; lifetime managed by the implementation */
	bool			restore;	/* running in restore mode (cf. the 'restore' argument of do_commandx()) */
	bool			batch_support;	/* kernel supports batched netlink transactions (assumed) */
};
42384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
/*
 * Builtin table definitions, one array per protocol family, indexed by
 * the FILTER..NAT constants above.  A family's array is presumably the
 * 't' passed to nft_init() and later reachable as nft_handle.tables.
 */
extern struct builtin_table xtables_ipv4[TABLES_MAX];
extern struct builtin_table xtables_arp[TABLES_MAX];
extern struct builtin_table xtables_bridge[TABLES_MAX];
46afae1f841bc2c4b39a38fa97d271f3877d00bf3aGiuseppe Longo
/*
 * Send the netlink message 'nlh' on h->nl and run 'cb' with 'data' on
 * each reply (inferred from the signature; the return convention is
 * the implementation's and is not visible here).
 */
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
	     int (*cb)(const struct nlmsghdr *nlh, void *data),
	     void *data);
/*
 * Initialise 'h' for the builtin table array 't' and tear it down
 * again.  nft_init()'s return convention is not visible from this header.
 */
int nft_init(struct nft_handle *h, struct builtin_table *t);
void nft_fini(struct nft_handle *h);
52384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
53384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*
54384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Operations with tables.
55384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */
/* Opaque libnftnl types; this API only passes pointers to them. */
struct nftnl_table;
struct nftnl_chain_list;

/* Add table 't'; 'flags' are netlink message flags (assumed). */
int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags);
/* Call 'func' once per table, passing 'counters' through unchanged.  Whether iteration stops on a non-zero return is not visible here. */
int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
/* True if a table named 'tablename' exists (inferred from the signature). */
bool nft_table_find(struct nft_handle *h, const char *tablename);
/* Delete every chain of 'table' present in 'list'. */
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
63384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
64384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*
65384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Operations with chains.
66384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */
struct nftnl_chain;	/* opaque libnftnl type */

/* Add chain 'c'; 'flags' are netlink message flags (assumed). */
int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags);
/* Set the policy and/or counters of 'chain' in 'table'; either may be NULL to leave it untouched (assumed -- confirm). */
int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
/* Fetch the chain list from the kernel.  Who frees the returned list is not visible here -- check before calling it repeatedly. */
struct nftnl_chain_list *nft_chain_dump(struct nft_handle *h);
/* Look up 'chain' of 'table' in a list obtained from nft_chain_dump(); presumably NULL when absent. */
struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);
/* Print the chains of 'table' found in 'list' in save format. */
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list, const char *table);
/* User-defined chain management: create, delete, rename, reset counters. */
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table);
78384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
79384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*
80384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Operations with rule-set.
81384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */
struct nftnl_rule;	/* opaque libnftnl type */

/*
 * Rule operations.  'data' is the family-specific rule entry (untyped
 * here; ARP has the typed nft_arp_rule_* variants further down),
 * 'rulenum' a position within the chain (numbering convention not
 * visible from this header) and 'verbose' enables progress output.
 */
int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, uint64_t handle, bool verbose);
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
/* Listing: 'format' carries the output flags; 'counters' selects counter output in save format. */
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
/* Flush all rules of 'chain' in 'table'. */
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
/* Reset the counters of rule 'rulenum' in 'chain' (all rules if 'rulenum' is unset -- assumed, confirm). */
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
95b756cf08d6eff885d808504c674bd7eb5ebabfbbPablo Neira Ayuso
9684909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo/*
9784909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo * Operations used in userspace tools
9884909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo */
/*
 * Helpers that append expressions to an nftnl_rule under construction.
 * The match/target payloads are the iptables xt_entry_* structures.
 */
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);	/* counter expression with initial values */
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);	/* jump/goto to user chain 'name' */
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);	/* 'goto_set' selects goto over jump (assumed) */
int add_comment(struct nftnl_rule *r, const char *comment);
/*
 * Extract the comment string from 'data_len' bytes of match data.
 * 'data_len' must be the true size of 'data' -- it is the only bound
 * the function has.  Whether the result is newly allocated (caller
 * frees) or points into 'data' is not visible here; check before freeing.
 */
char *get_comment(const void *data, uint32_t data_len);
107384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
/* Which kind of save line nft_rule_print_save() emits for a rule. */
enum nft_rule_print {
	NFT_RULE_APPEND,	/* append line (presumably -A) */
	NFT_RULE_DEL,		/* delete line (presumably -D) */
};
1121ff21a68502d67e056100da7e0da074467bc08edPablo Neira Ayuso
/*
 * Print rule 'r' in save format as the line kind given by 'type'.
 * 'data' is the family-specific entry (as for nft_rule_append()) and
 * 'format' carries the output flags.
 */
void nft_rule_print_save(const void *data,
			 struct nftnl_rule *r, enum nft_rule_print type,
			 unsigned int format);
1161ff21a68502d67e056100da7e0da074467bc08edPablo Neira Ayuso
/* Map iptables invert flag 'flag' within 'invflags' to the matching nft compare operator (inferred from the name; confirm against the implementation). */
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
118c82bf9f79bbc299de428fdc2e204d571b6cbc50dArturo Borrero
/*
 * Global commit and abort.
 */
/* Commit the pending changes to the kernel, or discard them (presumably acting on h->batch). */
int nft_commit(struct nft_handle *h);
int nft_abort(struct nft_handle *h);
1249e62dc8637f210cdeaed784396fecab9b6e5f043Pablo Neira Ayuso
1259e62dc8637f210cdeaed784396fecab9b6e5f043Pablo Neira Ayuso/*
126384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * revision compatibility.
127384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */
/* Check whether revision 'rev' of the extension 'name' is supported; 'opt' presumably selects match vs. target -- confirm. */
int nft_compatible_revision(const char *name, uint8_t rev, int opt);
129384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
130384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*
131384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Error reporting.
132384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */
/* Map an error code from the functions above to a printable message. */
const char *nft_strerror(int err);
134384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso
1358ebee8c46101914b269afe94e772321e5ee09c3fPablo Neira Ayuso/* For xtables.c */
1367851975e5055381d30f0788d90671485695928e1Tomasz Bursztykaint do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
13784909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo/* For xtables-arptables.c */
13884909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longoint do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table);
139da871de2a6efb576b6378a66222c0871f4282e96Pablo Neira Ayuso/* For xtables-eb.c */
140da871de2a6efb576b6378a66222c0871f4282e96Pablo Neira Ayusoint do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table);
1418ebee8c46101914b269afe94e772321e5ee09c3fPablo Neira Ayuso
/*
 * Helpers to parse the tables and chains configuration file.
 */
/*
 * Default path of the tables/chains configuration file.  Its contents
 * end up as table and chain objects created through 'h' by
 * nft_xtables_config_load(), so the file should only be writable by
 * the administrator.  NOTE(review): no ownership or permission check
 * is visible from this header -- confirm in xtables_config_parse().
 */
#define XTABLES_CONFIG_DEFAULT  "/etc/xtables.conf"

struct nftnl_table_list;	/* opaque libnftnl types */
struct nftnl_chain_list;

/* Parse 'filename' and append the described tables and chains to the given lists. */
extern int xtables_config_parse(const char *filename, struct nftnl_table_list *table_list, struct nftnl_chain_list *chain_list);

/* Flags for nft_xtables_config_load(). */
enum {
	NFT_LOAD_VERBOSE = (1 << 0),	/* report what is being loaded */
};

/* Parse 'filename' and create the described tables and chains through 'h'. */
int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags);
1578b9ea2e3f8d685a6b940691cabf5e82c96254747Pablo Neira Ayuso
15884909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo/*
159933400b37d0966980d07d32b64403830429761edPablo Neira Ayuso * Translation from iptables to nft
160933400b37d0966980d07d32b64403830429761edPablo Neira Ayuso */
struct xt_buf;

/* True if a match named 'p_name' is present in 'cs' (inferred from the signature). */
bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
/* Emit the nft translation of the matches, respectively the action, of 'cs' into 'xl'. */
int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
/* Emit an interface-name comparison of meta key 'nftmeta' against 'ifname' into 'xl'; 'invert' selects the negated form (assumed). */
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
		  bool invert);
169933400b37d0966980d07d32b64403830429761edPablo Neira Ayuso
170933400b37d0966980d07d32b64403830429761edPablo Neira Ayuso/*
17184909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo * ARP
17284909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo */
17384909d171585d77fe769f03e2b1b96eab0aa0213Giuseppe Longo
struct arpt_entry;

/*
 * ARP-family counterparts of nft_rule_append()/nft_rule_insert(),
 * taking a typed arpt_entry instead of void *.
 */
int nft_arp_rule_append(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			bool verbose);
int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
			const char *table, struct arpt_entry *fw,
			int rulenum, bool verbose);

/* Convert nftnl rule 'r' back into the caller-provided arptables entry 'fw'. */
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);

/* Check whether the kernel's current ruleset can be handled by this tool; the return convention is not visible here. */
int nft_is_ruleset_compatible(struct nft_handle *h);
1864b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay
187384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif
188