netfilter: nf_tables: add compatibility layer for x_tables

This patch adds the x_tables compatibility layer. This allows you
to use existing x_tables matches and targets from nf_tables.

This compatibility later allows us to use existing matches/targets
for features that are still missing in nf_tables. We can progressively
replace them with native nf_tables extensions. It also provides the
userspace compatibility software that allows you to express the
rule-set using the iptables syntax but using the nf_tables kernel
components.

In order to get this compatibility layer working, I've done the
following things:

* add NFNL_SUBSYS_NFT_COMPAT: this new nfnetlink subsystem is used
to query the x_tables match/target revision, so we don't need to
use the native x_table getsockopt interface.

* emulate xt structures: this required extending the struct nft_pktinfo
to include the fragment offset, which is already obtained from
ip[6]_tables and that is used by some matches/targets.

* add support for default policy to base chains, required to emulate
  x_tables.

* add NFTA_CHAIN_USE attribute to obtain the number of references to
  chains, required by x_tables emulation.

* add chain packet/byte counters using per-cpu.

* support 32-64 bits compat.

For historical reasons, this patch includes the following patches
that were posted in the netfilter-devel mailing list.

From Pablo Neira Ayuso:
* nf_tables: add default policy to base chains
* netfilter: nf_tables: add NFTA_CHAIN_USE attribute
* nf_tables: nft_compat: private data of target and matches in contiguous area
* nf_tables: validate hooks for compat match/target
* nf_tables: nft_compat: release cached matches/targets
* nf_tables: x_tables support as a compile time option
* nf_tables: fix alias for xtables over nftables module
* nf_tables: add packet and byte counters per chain
* nf_tables: fix per-chain counter stats if no counters are passed
* nf_tables: don't bump chain stats
* nf_tables: add protocol and flags for xtables over nf_tables
* nf_tables: add ip[6]t_entry emulation
* nf_tables: move specific layer 3 compat code to nf_tables_ipv[4|6]
* nf_tables: support 32bits-64bits x_tables compat
* nf_tables: fix compilation if CONFIG_COMPAT is disabled

From Patrick McHardy:
* nf_tables: move policy to struct nft_base_chain
* nf_tables: send notifications for base chain policy changes

From Alexander Primak:
* nf_tables: remove the duplicate NF_INET_LOCAL_OUT

From Nicolas Dichtel:
* nf_tables: fix compilation when nf-netlink is a module

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

4 files changed, 73 insertions, 1 deletions

diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 6ce0b7f566a7..17c3af2c4bb9 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -6,6 +6,7 @@ header-y += nf_conntrack_sctp.h
 header-y += nf_conntrack_tcp.h
 header-y += nf_conntrack_tuple_common.h
 header-y += nf_tables.h
+header-y += nf_tables_compat.h
 header-y += nf_nat.h
 header-y += nfnetlink.h
 header-y += nfnetlink_acct.h
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 779cf951c8de..1563875e6942 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -115,7 +115,10 @@ enum nft_table_attributes {
  * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
  * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
  * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
+ * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
+ * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
  * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
+ * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
  */
 enum nft_chain_attributes {
         NFTA_CHAIN_UNSPEC,
@@ -123,7 +126,10 @@ enum nft_chain_attributes {
         NFTA_CHAIN_HANDLE,
         NFTA_CHAIN_NAME,
         NFTA_CHAIN_HOOK,
+        NFTA_CHAIN_POLICY,
+        NFTA_CHAIN_USE,
         NFTA_CHAIN_TYPE,
+        NFTA_CHAIN_COUNTERS,
         __NFTA_CHAIN_MAX
 };
 #define NFTA_CHAIN_MAX          (__NFTA_CHAIN_MAX - 1)
@@ -135,6 +141,7 @@ enum nft_chain_attributes {
  * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
  * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
  * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
+ * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
  */
 enum nft_rule_attributes {
         NFTA_RULE_UNSPEC,
@@ -142,11 +149,36 @@ enum nft_rule_attributes {
         NFTA_RULE_CHAIN,
         NFTA_RULE_HANDLE,
         NFTA_RULE_EXPRESSIONS,
+        NFTA_RULE_COMPAT,
         __NFTA_RULE_MAX
 };
 #define NFTA_RULE_MAX           (__NFTA_RULE_MAX - 1)
 
 /**
+ * enum nft_rule_compat_flags - nf_tables rule compat flags
+ *
+ * @NFT_RULE_COMPAT_F_INV: invert the check result
+ */
+enum nft_rule_compat_flags {
+        NFT_RULE_COMPAT_F_INV   = (1 << 1),
+        NFT_RULE_COMPAT_F_MASK  = NFT_RULE_COMPAT_F_INV,
+};
+
+/**
+ * enum nft_rule_compat_attributes - nf_tables rule compat attributes
+ *
+ * @NFTA_RULE_COMPAT_PROTO: numerice value of handled protocol (NLA_U32)
+ * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
+ */
+enum nft_rule_compat_attributes {
+        NFTA_RULE_COMPAT_UNSPEC,
+        NFTA_RULE_COMPAT_PROTO,
+        NFTA_RULE_COMPAT_FLAGS,
+        __NFTA_RULE_COMPAT_MAX
+};
+#define NFTA_RULE_COMPAT_MAX    (__NFTA_RULE_COMPAT_MAX - 1)
+
+/**
  * enum nft_set_flags - nf_tables set flags
  *
  * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
diff --git a/include/uapi/linux/netfilter/nf_tables_compat.h b/include/uapi/linux/netfilter/nf_tables_compat.h
new file mode 100644
index 000000000000..8310f5f76551
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_tables_compat.h
@@ -0,0 +1,38 @@
+#ifndef _NFT_COMPAT_NFNETLINK_H_
+#define _NFT_COMPAT_NFNETLINK_H_
+
+enum nft_target_attributes {
+        NFTA_TARGET_UNSPEC,
+        NFTA_TARGET_NAME,
+        NFTA_TARGET_REV,
+        NFTA_TARGET_INFO,
+        __NFTA_TARGET_MAX
+};
+#define NFTA_TARGET_MAX         (__NFTA_TARGET_MAX - 1)
+
+enum nft_match_attributes {
+        NFTA_MATCH_UNSPEC,
+        NFTA_MATCH_NAME,
+        NFTA_MATCH_REV,
+        NFTA_MATCH_INFO,
+        __NFTA_MATCH_MAX
+};
+#define NFTA_MATCH_MAX          (__NFTA_MATCH_MAX - 1)
+
+#define NFT_COMPAT_NAME_MAX     32
+
+enum {
+        NFNL_MSG_COMPAT_GET,
+        NFNL_MSG_COMPAT_MAX
+};
+
+enum {
+        NFTA_COMPAT_UNSPEC = 0,
+        NFTA_COMPAT_NAME,
+        NFTA_COMPAT_REV,
+        NFTA_COMPAT_TYPE,
+        __NFTA_COMPAT_MAX,
+};
+#define NFTA_COMPAT_MAX (__NFTA_COMPAT_MAX - 1)
+
+#endif
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
index d276c3bd55b8..288959404d54 100644
--- a/include/uapi/linux/netfilter/nfnetlink.h
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -54,6 +54,7 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_CTNETLINK_TIMEOUT   8
 #define NFNL_SUBSYS_CTHELPER            9
 #define NFNL_SUBSYS_NFTABLES            10
-#define NFNL_SUBSYS_COUNT               11
+#define NFNL_SUBSYS_NFT_COMPAT          11
+#define NFNL_SUBSYS_COUNT               12
 
 #endif /* _UAPI_NFNETLINK_H */