netfilter: add nftables

This patch adds nftables which is the intended successor of iptables. This packet filtering framework reuses the existing netfilter hooks, the connection tracking system, the NAT subsystem, the transparent proxying engine, the logging infrastructure and the userspace packet queueing facilities. In a nutshell, nftables provides a pseudo-state machine with 4 general purpose registers of 128 bits and 1 specific purpose register to store verdicts. This pseudo-machine comes with an extensible instruction set, a.k.a. "expressions" in the nftables jargon. The expressions included in this patch provide the basic functionality, they are: * bitwise: to perform bitwise operations. * byteorder: to change from host/network endianess. * cmp: to compare data with the content of the registers. * counter: to enable counters on rules. * ct: to store conntrack keys into register. * exthdr: to match IPv6 extension headers. * immediate: to load data into registers. * limit: to limit matching based on packet rate. * log: to log packets. * meta: to match metainformation that usually comes with the skbuff. * nat: to perform Network Address Translation. * payload: to fetch data from the packet payload and store it into registers. * reject (IPv4 only): to explicitly close connection, eg. TCP RST. Using this instruction-set, the userspace utility 'nft' can transform the rules expressed in human-readable text representation (using a new syntax, inspired by tcpdump) to nftables bytecode. nftables also inherits the table, chain and rule objects from iptables, but in a more configurable way, and it also includes the original datatype-agnostic set infrastructure with mapping support. This set infrastructure is enhanced in the follow up patch (netfilter: nf_tables: add netlink set API). This patch includes the following components: * the netlink API: net/netfilter/nf_tables_api.c and include/uapi/netfilter/nf_tables.h * the packet filter core: net/netfilter/nf_tables_core.c * the expressions (described above): net/netfilter/nft_*.c * the filter tables: arp, IPv4, IPv6 and bridge: net/ipv4/netfilter/nf_tables_ipv4.c net/ipv6/netfilter/nf_tables_ipv6.c net/ipv4/netfilter/nf_tables_arp.c net/bridge/netfilter/nf_tables_bridge.c * the NAT table (IPv4 only): net/ipv4/netfilter/nf_table_nat_ipv4.c * the route table (similar to mangle): net/ipv4/netfilter/nf_table_route_ipv4.c net/ipv6/netfilter/nf_table_route_ipv6.c * internal definitions under: include/net/netfilter/nf_tables.h include/net/netfilter/nf_tables_core.h * It also includes an skeleton expression: net/netfilter/nft_expr_template.c and the preliminary implementation of the meta target net/netfilter/nft_meta_target.c It also includes a change in struct nf_hook_ops to add a new pointer to store private data to the hook, that is used to store the rule list per chain. This patch is based on the patch from Patrick McHardy, plus merged accumulated cleanups, fixes and small enhancements to the nftables code that has been done since 2009, which are: From Patrick McHardy: * nf_tables: adjust netlink handler function signatures * nf_tables: only retry table lookup after successful table module load * nf_tables: fix event notification echo and avoid unnecessary messages * nft_ct: add l3proto support * nf_tables: pass expression context to nft_validate_data_load() * nf_tables: remove redundant definition * nft_ct: fix maxattr initialization * nf_tables: fix invalid event type in nf_tables_getrule() * nf_tables: simplify nft_data_init() usage * nf_tables: build in more core modules * nf_tables: fix double lookup expression unregistation * nf_tables: move expression initialization to nf_tables_core.c * nf_tables: build in payload module * nf_tables: use NFPROTO constants * nf_tables: rename pid variables to portid * nf_tables: save 48 bits per rule * nf_tables: introduce chain rename * nf_tables: check for duplicate names on chain rename * nf_tables: remove ability to specify handles for new rules * nf_tables: return error for rule change request * nf_tables: return error for NLM_F_REPLACE without rule handle * nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification * nf_tables: fix NLM_F_MULTI usage in netlink notifications * nf_tables: include NLM_F_APPEND in rule dumps From Pablo Neira Ayuso: * nf_tables: fix stack overflow in nf_tables_newrule * nf_tables: nft_ct: fix compilation warning * nf_tables: nft_ct: fix crash with invalid packets * nft_log: group and qthreshold are 2^16 * nf_tables: nft_meta: fix socket uid,gid handling * nft_counter: allow to restore counters * nf_tables: fix module autoload * nf_tables: allow to remove all rules placed in one chain * nf_tables: use 64-bits rule handle instead of 16-bits * nf_tables: fix chain after rule deletion * nf_tables: improve deletion performance * nf_tables: add missing code in route chain type * nf_tables: rise maximum number of expressions from 12 to 128 * nf_tables: don't delete table if in use * nf_tables: fix basechain release From Tomasz Bursztyka: * nf_tables: Add support for changing users chain's name * nf_tables: Change chain's name to be fixed sized * nf_tables: Add support for replacing a rule by another one * nf_tables: Update uapi nftables netlink header documentation From Florian Westphal: * nft_log: group is u16, snaplen u32 From Phil Oester: * nf_tables: operational limit match Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2013-10-14 05:00:02 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-14 11:15:48 -0400
commit: 96518518cc417bb0a8c80b9fb736202e28acdf96 (patch)
tree: 2ac4f939a88f0a8047403d0e07b5167369236f82 /include/uapi/linux
parent: f59cb0453cd885736daa11ae2445982c5ab2fc83 (diff)
4 files changed, 591 insertions, 1 deletions
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 174915420d3f..6ce0b7f566a7 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -5,6 +5,7 @@ header-y += nf_conntrack_ftp.h
 header-y += nf_conntrack_sctp.h
 header-y += nf_conntrack_tcp.h
 header-y += nf_conntrack_tuple_common.h
+header-y += nf_tables.h
 header-y += nf_nat.h
 header-y += nfnetlink.h
 header-y += nfnetlink_acct.h
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 8dd803818ebe..319f47128db8 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -25,6 +25,10 @@ enum ip_conntrack_info {
        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
 };
+#define NF_CT_STATE_INVALID_BIT                 (1 << 0)
+#define NF_CT_STATE_BIT(ctinfo)                 (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
+#define NF_CT_STATE_UNTRACKED_BIT               (1 << (IP_CT_NUMBER + 1))
 /* Bitset representing status of connection. */
 enum ip_conntrack_status {
        /* It's an expected connection: bit 0 set.  This bit never changed */
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
new file mode 100644
index 000000000000..ec6d84a8ed1e
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -0,0 +1,582 @@
+#ifndef _LINUX_NF_TABLES_H
+#define _LINUX_NF_TABLES_H
+#define NFT_CHAIN_MAXNAMELEN 32
+enum nft_registers {
+        NFT_REG_VERDICT,
+        NFT_REG_1,
+        NFT_REG_2,
+        NFT_REG_3,
+        NFT_REG_4,
+        __NFT_REG_MAX
+};
+#define NFT_REG_MAX     (__NFT_REG_MAX - 1)
+/**
+ * enum nft_verdicts - nf_tables internal verdicts
+ *
+ * @NFT_CONTINUE: continue evaluation of the current rule
+ * @NFT_BREAK: terminate evaluation of the current rule
+ * @NFT_JUMP: push the current chain on the jump stack and jump to a chain
+ * @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
+ * @NFT_RETURN: return to the topmost chain on the jump stack
+ *
+ * The nf_tables verdicts share their numeric space with the netfilter verdicts.
+ */
+enum nft_verdicts {
+        NFT_CONTINUE    = -1,
+        NFT_BREAK       = -2,
+        NFT_JUMP        = -3,
+        NFT_GOTO        = -4,
+        NFT_RETURN      = -5,
+};
+/**
+ * enum nf_tables_msg_types - nf_tables netlink message types
+ *
+ * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
+ * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
+ * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
+ * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
+ * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
+ * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
+ * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
+ * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
+ * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
+ */
+enum nf_tables_msg_types {
+        NFT_MSG_NEWTABLE,
+        NFT_MSG_GETTABLE,
+        NFT_MSG_DELTABLE,
+        NFT_MSG_NEWCHAIN,
+        NFT_MSG_GETCHAIN,
+        NFT_MSG_DELCHAIN,
+        NFT_MSG_NEWRULE,
+        NFT_MSG_GETRULE,
+        NFT_MSG_DELRULE,
+        NFT_MSG_MAX,
+};
+enum nft_list_attributes {
+        NFTA_LIST_UNPEC,
+        NFTA_LIST_ELEM,
+        __NFTA_LIST_MAX
+};
+#define NFTA_LIST_MAX           (__NFTA_LIST_MAX - 1)
+/**
+ * enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
+ *
+ * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
+ * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
+ */
+enum nft_hook_attributes {
+        NFTA_HOOK_UNSPEC,
+        NFTA_HOOK_HOOKNUM,
+        NFTA_HOOK_PRIORITY,
+        __NFTA_HOOK_MAX
+};
+#define NFTA_HOOK_MAX           (__NFTA_HOOK_MAX - 1)
+/**
+ * enum nft_table_attributes - nf_tables table netlink attributes
+ *
+ * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
+ */
+enum nft_table_attributes {
+        NFTA_TABLE_UNSPEC,
+        NFTA_TABLE_NAME,
+        __NFTA_TABLE_MAX
+};
+#define NFTA_TABLE_MAX          (__NFTA_TABLE_MAX - 1)
+/**
+ * enum nft_chain_attributes - nf_tables chain netlink attributes
+ *
+ * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
+ * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
+ * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
+ * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
+ */
+enum nft_chain_attributes {
+        NFTA_CHAIN_UNSPEC,
+        NFTA_CHAIN_TABLE,
+        NFTA_CHAIN_HANDLE,
+        NFTA_CHAIN_NAME,
+        NFTA_CHAIN_HOOK,
+        __NFTA_CHAIN_MAX
+};
+#define NFTA_CHAIN_MAX          (__NFTA_CHAIN_MAX - 1)
+/**
+ * enum nft_rule_attributes - nf_tables rule netlink attributes
+ *
+ * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
+ * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
+ * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
+ * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
+ */
+enum nft_rule_attributes {
+        NFTA_RULE_UNSPEC,
+        NFTA_RULE_TABLE,
+        NFTA_RULE_CHAIN,
+        NFTA_RULE_HANDLE,
+        NFTA_RULE_EXPRESSIONS,
+        __NFTA_RULE_MAX
+};
+#define NFTA_RULE_MAX           (__NFTA_RULE_MAX - 1)
+enum nft_data_attributes {
+        NFTA_DATA_UNSPEC,
+        NFTA_DATA_VALUE,
+        NFTA_DATA_VERDICT,
+        __NFTA_DATA_MAX
+};
+#define NFTA_DATA_MAX           (__NFTA_DATA_MAX - 1)
+/**
+ * enum nft_verdict_attributes - nf_tables verdict netlink attributes
+ *
+ * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
+ * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
+ */
+enum nft_verdict_attributes {
+        NFTA_VERDICT_UNSPEC,
+        NFTA_VERDICT_CODE,
+        NFTA_VERDICT_CHAIN,
+        __NFTA_VERDICT_MAX
+};
+#define NFTA_VERDICT_MAX        (__NFTA_VERDICT_MAX - 1)
+/**
+ * enum nft_expr_attributes - nf_tables expression netlink attributes
+ *
+ * @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
+ * @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
+ */
+enum nft_expr_attributes {
+        NFTA_EXPR_UNSPEC,
+        NFTA_EXPR_NAME,
+        NFTA_EXPR_DATA,
+        __NFTA_EXPR_MAX
+};
+#define NFTA_EXPR_MAX           (__NFTA_EXPR_MAX - 1)
+/**
+ * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
+ *
+ * @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32)
+ * @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
+ */
+enum nft_immediate_attributes {
+        NFTA_IMMEDIATE_UNSPEC,
+        NFTA_IMMEDIATE_DREG,
+        NFTA_IMMEDIATE_DATA,
+        __NFTA_IMMEDIATE_MAX
+};
+#define NFTA_IMMEDIATE_MAX      (__NFTA_IMMEDIATE_MAX - 1)
+/**
+ * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
+ *
+ * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
+ * @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
+ * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
+ * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
+ *
+ * The bitwise expression performs the following operation:
+ *
+ * dreg = (sreg & mask) ^ xor
+ *
+ * which allow to express all bitwise operations:
+ *
+ *              mask    xor
+ * NOT:         1       1
+ * OR:          0       x
+ * XOR:         1       x
+ * AND:         x       0
+ */
+enum nft_bitwise_attributes {
+        NFTA_BITWISE_UNSPEC,
+        NFTA_BITWISE_SREG,
+        NFTA_BITWISE_DREG,
+        NFTA_BITWISE_LEN,
+        NFTA_BITWISE_MASK,
+        NFTA_BITWISE_XOR,
+        __NFTA_BITWISE_MAX
+};
+#define NFTA_BITWISE_MAX        (__NFTA_BITWISE_MAX - 1)
+/**
+ * enum nft_byteorder_ops - nf_tables byteorder operators
+ *
+ * @NFT_BYTEORDER_NTOH: network to host operator
+ * @NFT_BYTEORDER_HTON: host to network opertaor
+ */
+enum nft_byteorder_ops {
+        NFT_BYTEORDER_NTOH,
+        NFT_BYTEORDER_HTON,
+};
+/**
+ * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
+ *
+ * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
+ * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
+ * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
+ * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
+ * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
+ */
+enum nft_byteorder_attributes {
+        NFTA_BYTEORDER_UNSPEC,
+        NFTA_BYTEORDER_SREG,
+        NFTA_BYTEORDER_DREG,
+        NFTA_BYTEORDER_OP,
+        NFTA_BYTEORDER_LEN,
+        NFTA_BYTEORDER_SIZE,
+        __NFTA_BYTEORDER_MAX
+};
+#define NFTA_BYTEORDER_MAX      (__NFTA_BYTEORDER_MAX - 1)
+/**
+ * enum nft_cmp_ops - nf_tables relational operator
+ *
+ * @NFT_CMP_EQ: equal
+ * @NFT_CMP_NEQ: not equal
+ * @NFT_CMP_LT: less than
+ * @NFT_CMP_LTE: less than or equal to
+ * @NFT_CMP_GT: greater than
+ * @NFT_CMP_GTE: greater than or equal to
+ */
+enum nft_cmp_ops {
+        NFT_CMP_EQ,
+        NFT_CMP_NEQ,
+        NFT_CMP_LT,
+        NFT_CMP_LTE,
+        NFT_CMP_GT,
+        NFT_CMP_GTE,
+};
+/**
+ * enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
+ *
+ * @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
+ * @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
+ * @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
+ */
+enum nft_cmp_attributes {
+        NFTA_CMP_UNSPEC,
+        NFTA_CMP_SREG,
+        NFTA_CMP_OP,
+        NFTA_CMP_DATA,
+        __NFTA_CMP_MAX
+};
+#define NFTA_CMP_MAX            (__NFTA_CMP_MAX - 1)
+enum nft_set_elem_flags {
+        NFT_SE_INTERVAL_END     = 0x1,
+};
+enum nft_set_elem_attributes {
+        NFTA_SE_UNSPEC,
+        NFTA_SE_KEY,
+        NFTA_SE_DATA,
+        NFTA_SE_FLAGS,
+        __NFTA_SE_MAX
+};
+#define NFTA_SE_MAX             (__NFTA_SE_MAX - 1)
+enum nft_set_flags {
+        NFT_SET_INTERVAL        = 0x1,
+        NFT_SET_MAP             = 0x2,
+};
+enum nft_set_attributes {
+        NFTA_SET_UNSPEC,
+        NFTA_SET_FLAGS,
+        NFTA_SET_SREG,
+        NFTA_SET_DREG,
+        NFTA_SET_KLEN,
+        NFTA_SET_DLEN,
+        NFTA_SET_ELEMENTS,
+        __NFTA_SET_MAX
+};
+#define NFTA_SET_MAX            (__NFTA_SET_MAX - 1)
+enum nft_hash_flags {
+        NFT_HASH_MAP            = 0x1,
+};
+enum nft_hash_elem_attributes {
+        NFTA_HE_UNSPEC,
+        NFTA_HE_KEY,
+        NFTA_HE_DATA,
+        __NFTA_HE_MAX
+};
+#define NFTA_HE_MAX             (__NFTA_HE_MAX - 1)
+enum nft_hash_attributes {
+        NFTA_HASH_UNSPEC,
+        NFTA_HASH_FLAGS,
+        NFTA_HASH_SREG,
+        NFTA_HASH_DREG,
+        NFTA_HASH_KLEN,
+        NFTA_HASH_ELEMENTS,
+        __NFTA_HASH_MAX
+};
+#define NFTA_HASH_MAX           (__NFTA_HASH_MAX - 1)
+/**
+ * enum nft_payload_bases - nf_tables payload expression offset bases
+ *
+ * @NFT_PAYLOAD_LL_HEADER: link layer header
+ * @NFT_PAYLOAD_NETWORK_HEADER: network header
+ * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
+ */
+enum nft_payload_bases {
+        NFT_PAYLOAD_LL_HEADER,
+        NFT_PAYLOAD_NETWORK_HEADER,
+        NFT_PAYLOAD_TRANSPORT_HEADER,
+};
+/**
+ * enum nft_payload_attributes - nf_tables payload expression netlink attributes
+ *
+ * @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
+ * @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
+ * @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
+ * @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
+ */
+enum nft_payload_attributes {
+        NFTA_PAYLOAD_UNSPEC,
+        NFTA_PAYLOAD_DREG,
+        NFTA_PAYLOAD_BASE,
+        NFTA_PAYLOAD_OFFSET,
+        NFTA_PAYLOAD_LEN,
+        __NFTA_PAYLOAD_MAX
+};
+#define NFTA_PAYLOAD_MAX        (__NFTA_PAYLOAD_MAX - 1)
+/**
+ * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes
+ *
+ * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
+ * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
+ * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
+ * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
+ */
+enum nft_exthdr_attributes {
+        NFTA_EXTHDR_UNSPEC,
+        NFTA_EXTHDR_DREG,
+        NFTA_EXTHDR_TYPE,
+        NFTA_EXTHDR_OFFSET,
+        NFTA_EXTHDR_LEN,
+        __NFTA_EXTHDR_MAX
+};
+#define NFTA_EXTHDR_MAX         (__NFTA_EXTHDR_MAX - 1)
+/**
+ * enum nft_meta_keys - nf_tables meta expression keys
+ *
+ * @NFT_META_LEN: packet length (skb->len)
+ * @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
+ * @NFT_META_PRIORITY: packet priority (skb->priority)
+ * @NFT_META_MARK: packet mark (skb->mark)
+ * @NFT_META_IIF: packet input interface index (dev->ifindex)
+ * @NFT_META_OIF: packet output interface index (dev->ifindex)
+ * @NFT_META_IIFNAME: packet input interface name (dev->name)
+ * @NFT_META_OIFNAME: packet output interface name (dev->name)
+ * @NFT_META_IIFTYPE: packet input interface type (dev->type)
+ * @NFT_META_OIFTYPE: packet output interface type (dev->type)
+ * @NFT_META_SKUID: originating socket UID (fsuid)
+ * @NFT_META_SKGID: originating socket GID (fsgid)
+ * @NFT_META_NFTRACE: packet nftrace bit
+ * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
+ * @NFT_META_SECMARK: packet secmark (skb->secmark)
+ */
+enum nft_meta_keys {
+        NFT_META_LEN,
+        NFT_META_PROTOCOL,
+        NFT_META_PRIORITY,
+        NFT_META_MARK,
+        NFT_META_IIF,
+        NFT_META_OIF,
+        NFT_META_IIFNAME,
+        NFT_META_OIFNAME,
+        NFT_META_IIFTYPE,
+        NFT_META_OIFTYPE,
+        NFT_META_SKUID,
+        NFT_META_SKGID,
+        NFT_META_NFTRACE,
+        NFT_META_RTCLASSID,
+        NFT_META_SECMARK,
+};
+/**
+ * enum nft_meta_attributes - nf_tables meta expression netlink attributes
+ *
+ * @NFTA_META_DREG: destination register (NLA_U32)
+ * @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys)
+ */
+enum nft_meta_attributes {
+        NFTA_META_UNSPEC,
+        NFTA_META_DREG,
+        NFTA_META_KEY,
+        __NFTA_META_MAX
+};
+#define NFTA_META_MAX           (__NFTA_META_MAX - 1)
+/**
+ * enum nft_ct_keys - nf_tables ct expression keys
+ *
+ * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
+ * @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir)
+ * @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status)
+ * @NFT_CT_MARK: conntrack mark value
+ * @NFT_CT_SECMARK: conntrack secmark value
+ * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
+ * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
+ * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
+ * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
+ * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
+ * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
+ */
+enum nft_ct_keys {
+        NFT_CT_STATE,
+        NFT_CT_DIRECTION,
+        NFT_CT_STATUS,
+        NFT_CT_MARK,
+        NFT_CT_SECMARK,
+        NFT_CT_EXPIRATION,
+        NFT_CT_HELPER,
+        NFT_CT_L3PROTOCOL,
+        NFT_CT_SRC,
+        NFT_CT_DST,
+        NFT_CT_PROTOCOL,
+        NFT_CT_PROTO_SRC,
+        NFT_CT_PROTO_DST,
+};
+/**
+ * enum nft_ct_attributes - nf_tables ct expression netlink attributes
+ *
+ * @NFTA_CT_DREG: destination register (NLA_U32)
+ * @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys)
+ * @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8)
+ */
+enum nft_ct_attributes {
+        NFTA_CT_UNSPEC,
+        NFTA_CT_DREG,
+        NFTA_CT_KEY,
+        NFTA_CT_DIRECTION,
+        __NFTA_CT_MAX
+};
+#define NFTA_CT_MAX             (__NFTA_CT_MAX - 1)
+/**
+ * enum nft_limit_attributes - nf_tables limit expression netlink attributes
+ *
+ * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
+ * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
+ */
+enum nft_limit_attributes {
+        NFTA_LIMIT_UNSPEC,
+        NFTA_LIMIT_RATE,
+        NFTA_LIMIT_UNIT,
+        __NFTA_LIMIT_MAX
+};
+#define NFTA_LIMIT_MAX          (__NFTA_LIMIT_MAX - 1)
+/**
+ * enum nft_counter_attributes - nf_tables counter expression netlink attributes
+ *
+ * @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
+ * @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
+ */
+enum nft_counter_attributes {
+        NFTA_COUNTER_UNSPEC,
+        NFTA_COUNTER_BYTES,
+        NFTA_COUNTER_PACKETS,
+        __NFTA_COUNTER_MAX
+};
+#define NFTA_COUNTER_MAX        (__NFTA_COUNTER_MAX - 1)
+/**
+ * enum nft_log_attributes - nf_tables log expression netlink attributes
+ *
+ * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
+ * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
+ * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
+ * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
+ */
+enum nft_log_attributes {
+        NFTA_LOG_UNSPEC,
+        NFTA_LOG_GROUP,
+        NFTA_LOG_PREFIX,
+        NFTA_LOG_SNAPLEN,
+        NFTA_LOG_QTHRESHOLD,
+        __NFTA_LOG_MAX
+};
+#define NFTA_LOG_MAX            (__NFTA_LOG_MAX - 1)
+/**
+ * enum nft_reject_types - nf_tables reject expression reject types
+ *
+ * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
+ * @NFT_REJECT_TCP_RST: reject using TCP RST
+ */
+enum nft_reject_types {
+        NFT_REJECT_ICMP_UNREACH,
+        NFT_REJECT_TCP_RST,
+};
+/**
+ * enum nft_reject_attributes - nf_tables reject expression netlink attributes
+ *
+ * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
+ * @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8)
+ */
+enum nft_reject_attributes {
+        NFTA_REJECT_UNSPEC,
+        NFTA_REJECT_TYPE,
+        NFTA_REJECT_ICMP_CODE,
+        __NFTA_REJECT_MAX
+};
+#define NFTA_REJECT_MAX         (__NFTA_REJECT_MAX - 1)
+/**
+ * enum nft_nat_types - nf_tables nat expression NAT types
+ *
+ * @NFT_NAT_SNAT: source NAT
+ * @NFT_NAT_DNAT: destination NAT
+ */
+enum nft_nat_types {
+        NFT_NAT_SNAT,
+        NFT_NAT_DNAT,
+};
+/**
+ * enum nft_nat_attributes - nf_tables nat expression netlink attributes
+ *
+ * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types)
+ * @NFTA_NAT_ADDR_MIN: source register of address range start (NLA_U32: nft_registers)
+ * @NFTA_NAT_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
+ * @NFTA_NAT_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
+ * @NFTA_NAT_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ */
+enum nft_nat_attributes {
+        NFTA_NAT_UNSPEC,
+        NFTA_NAT_TYPE,
+        NFTA_NAT_ADDR_MIN,
+        NFTA_NAT_ADDR_MAX,
+        NFTA_NAT_PROTO_MIN,
+        NFTA_NAT_PROTO_MAX,
+        __NFTA_NAT_MAX
+};
+#define NFTA_NAT_MAX            (__NFTA_NAT_MAX - 1)
+#endif /* _LINUX_NF_TABLES_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
index 4a4efafad5f4..d276c3bd55b8 100644
--- a/include/uapi/linux/netfilter/nfnetlink.h
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -18,6 +18,8 @@ enum nfnetlink_groups {
 #define NFNLGRP_CONNTRACK_EXP_UPDATE    NFNLGRP_CONNTRACK_EXP_UPDATE
        NFNLGRP_CONNTRACK_EXP_DESTROY,
 #define NFNLGRP_CONNTRACK_EXP_DESTROY   NFNLGRP_CONNTRACK_EXP_DESTROY
+        NFNLGRP_NFTABLES,
+#define NFNLGRP_NFTABLES                NFNLGRP_NFTABLES
        __NFNLGRP_MAX,
 };
 #define NFNLGRP_MAX     (__NFNLGRP_MAX - 1)
@@ -51,6 +53,7 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_ACCT                7
 #define NFNL_SUBSYS_CTNETLINK_TIMEOUT   8
 #define NFNL_SUBSYS_CTHELPER            9
-#define NFNL_SUBSYS_COUNT               10
+#define NFNL_SUBSYS_NFTABLES            10
+#define NFNL_SUBSYS_COUNT               11
 #endif /* _UAPI_NFNETLINK_H */
author	Patrick McHardy <kaber@trash.net>	2013-10-14 05:00:02 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-14 11:15:48 -0400
commit	96518518cc417bb0a8c80b9fb736202e28acdf96 (patch)
tree	2ac4f939a88f0a8047403d0e07b5167369236f82 /include/uapi/linux
parent	f59cb0453cd885736daa11ae2445982c5ab2fc83 (diff)

diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 174915420d3f..6ce0b7f566a7 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild
@@ -5,6 +5,7 @@ header-y += nf_conntrack_ftp.h
5	header-y += nf_conntrack_sctp.h	5	header-y += nf_conntrack_sctp.h
6	header-y += nf_conntrack_tcp.h	6	header-y += nf_conntrack_tcp.h
7	header-y += nf_conntrack_tuple_common.h	7	header-y += nf_conntrack_tuple_common.h
		8	header-y += nf_tables.h
8	header-y += nf_nat.h	9	header-y += nf_nat.h
9	header-y += nfnetlink.h	10	header-y += nfnetlink.h
10	header-y += nfnetlink_acct.h	11	header-y += nfnetlink_acct.h


diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h index 8dd803818ebe..319f47128db8 100644 --- a/include/uapi/linux/netfilter/nf_conntrack_common.h +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -25,6 +25,10 @@ enum ip_conntrack_info {
25	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1	25	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
26	};	26	};
27		27
		28	#define NF_CT_STATE_INVALID_BIT (1 << 0)
		29	#define NF_CT_STATE_BIT(ctinfo) (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
		30	#define NF_CT_STATE_UNTRACKED_BIT (1 << (IP_CT_NUMBER + 1))
		31
28	/* Bitset representing status of connection. */	32	/* Bitset representing status of connection. */
29	enum ip_conntrack_status {	33	enum ip_conntrack_status {
30	/* It's an expected connection: bit 0 set. This bit never changed */	34	/* It's an expected connection: bit 0 set. This bit never changed */


diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h new file mode 100644 index 000000000000..ec6d84a8ed1e --- /dev/null +++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -0,0 +1,582 @@
		1	#ifndef _LINUX_NF_TABLES_H
		2	#define _LINUX_NF_TABLES_H
		3
		4	#define NFT_CHAIN_MAXNAMELEN 32
		5
		6	enum nft_registers {
		7	NFT_REG_VERDICT,
		8	NFT_REG_1,
		9	NFT_REG_2,
		10	NFT_REG_3,
		11	NFT_REG_4,
		12	__NFT_REG_MAX
		13	};
		14	#define NFT_REG_MAX (__NFT_REG_MAX - 1)
		15
		16	/**
		17	* enum nft_verdicts - nf_tables internal verdicts
		18	*
		19	* @NFT_CONTINUE: continue evaluation of the current rule
		20	* @NFT_BREAK: terminate evaluation of the current rule
		21	* @NFT_JUMP: push the current chain on the jump stack and jump to a chain
		22	* @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
		23	* @NFT_RETURN: return to the topmost chain on the jump stack
		24	*
		25	* The nf_tables verdicts share their numeric space with the netfilter verdicts.
		26	*/
		27	enum nft_verdicts {
		28	NFT_CONTINUE = -1,
		29	NFT_BREAK = -2,
		30	NFT_JUMP = -3,
		31	NFT_GOTO = -4,
		32	NFT_RETURN = -5,
		33	};
		34
		35	/**
		36	* enum nf_tables_msg_types - nf_tables netlink message types
		37	*
		38	* @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
		39	* @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
		40	* @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
		41	* @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
		42	* @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
		43	* @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
		44	* @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
		45	* @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
		46	* @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
		47	*/
		48	enum nf_tables_msg_types {
		49	NFT_MSG_NEWTABLE,
		50	NFT_MSG_GETTABLE,
		51	NFT_MSG_DELTABLE,
		52	NFT_MSG_NEWCHAIN,
		53	NFT_MSG_GETCHAIN,
		54	NFT_MSG_DELCHAIN,
		55	NFT_MSG_NEWRULE,
		56	NFT_MSG_GETRULE,
		57	NFT_MSG_DELRULE,
		58	NFT_MSG_MAX,
		59	};
		60
		61	enum nft_list_attributes {
		62	NFTA_LIST_UNPEC,
		63	NFTA_LIST_ELEM,
		64	__NFTA_LIST_MAX
		65	};
		66	#define NFTA_LIST_MAX (__NFTA_LIST_MAX - 1)
		67
		68	/**
		69	* enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
		70	*
		71	* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
		72	* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
		73	*/
		74	enum nft_hook_attributes {
		75	NFTA_HOOK_UNSPEC,
		76	NFTA_HOOK_HOOKNUM,
		77	NFTA_HOOK_PRIORITY,
		78	__NFTA_HOOK_MAX
		79	};
		80	#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
		81
		82	/**
		83	* enum nft_table_attributes - nf_tables table netlink attributes
		84	*
		85	* @NFTA_TABLE_NAME: name of the table (NLA_STRING)
		86	*/
		87	enum nft_table_attributes {
		88	NFTA_TABLE_UNSPEC,
		89	NFTA_TABLE_NAME,
		90	__NFTA_TABLE_MAX
		91	};
		92	#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
		93
		94	/**
		95	* enum nft_chain_attributes - nf_tables chain netlink attributes
		96	*
		97	* @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
		98	* @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
		99	* @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
		100	* @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
		101	*/
		102	enum nft_chain_attributes {
		103	NFTA_CHAIN_UNSPEC,
		104	NFTA_CHAIN_TABLE,
		105	NFTA_CHAIN_HANDLE,
		106	NFTA_CHAIN_NAME,
		107	NFTA_CHAIN_HOOK,
		108	__NFTA_CHAIN_MAX
		109	};
		110	#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
		111
		112	/**
		113	* enum nft_rule_attributes - nf_tables rule netlink attributes
		114	*
		115	* @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
		116	* @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
		117	* @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
		118	* @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
		119	*/
		120	enum nft_rule_attributes {
		121	NFTA_RULE_UNSPEC,
		122	NFTA_RULE_TABLE,
		123	NFTA_RULE_CHAIN,
		124	NFTA_RULE_HANDLE,
		125	NFTA_RULE_EXPRESSIONS,
		126	__NFTA_RULE_MAX
		127	};
		128	#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
		129
		130	enum nft_data_attributes {
		131	NFTA_DATA_UNSPEC,
		132	NFTA_DATA_VALUE,
		133	NFTA_DATA_VERDICT,
		134	__NFTA_DATA_MAX
		135	};
		136	#define NFTA_DATA_MAX (__NFTA_DATA_MAX - 1)
		137
		138	/**
		139	* enum nft_verdict_attributes - nf_tables verdict netlink attributes
		140	*
		141	* @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
		142	* @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
		143	*/
		144	enum nft_verdict_attributes {
		145	NFTA_VERDICT_UNSPEC,
		146	NFTA_VERDICT_CODE,
		147	NFTA_VERDICT_CHAIN,
		148	__NFTA_VERDICT_MAX
		149	};
		150	#define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1)
		151
		152	/**
		153	* enum nft_expr_attributes - nf_tables expression netlink attributes
		154	*
		155	* @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
		156	* @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
		157	*/
		158	enum nft_expr_attributes {
		159	NFTA_EXPR_UNSPEC,
		160	NFTA_EXPR_NAME,
		161	NFTA_EXPR_DATA,
		162	__NFTA_EXPR_MAX
		163	};
		164	#define NFTA_EXPR_MAX (__NFTA_EXPR_MAX - 1)
		165
		166	/**
		167	* enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
		168	*
		169	* @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32)
		170	* @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
		171	*/
		172	enum nft_immediate_attributes {
		173	NFTA_IMMEDIATE_UNSPEC,
		174	NFTA_IMMEDIATE_DREG,
		175	NFTA_IMMEDIATE_DATA,
		176	__NFTA_IMMEDIATE_MAX
		177	};
		178	#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1)
		179
		180	/**
		181	* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
		182	*
		183	* @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
		184	* @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
		185	* @NFTA_BITWISE_LEN: length of operands (NLA_U32)
		186	* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
		187	* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
		188	*
		189	* The bitwise expression performs the following operation:
		190	*
		191	* dreg = (sreg & mask) ^ xor
		192	*
		193	* which allow to express all bitwise operations:
		194	*
		195	* mask xor
		196	* NOT: 1 1
		197	* OR: 0 x
		198	* XOR: 1 x
		199	* AND: x 0
		200	*/
		201	enum nft_bitwise_attributes {
		202	NFTA_BITWISE_UNSPEC,
		203	NFTA_BITWISE_SREG,
		204	NFTA_BITWISE_DREG,
		205	NFTA_BITWISE_LEN,
		206	NFTA_BITWISE_MASK,
		207	NFTA_BITWISE_XOR,
		208	__NFTA_BITWISE_MAX
		209	};
		210	#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
		211
		212	/**
		213	* enum nft_byteorder_ops - nf_tables byteorder operators
		214	*
		215	* @NFT_BYTEORDER_NTOH: network to host operator
		216	* @NFT_BYTEORDER_HTON: host to network opertaor
		217	*/
		218	enum nft_byteorder_ops {
		219	NFT_BYTEORDER_NTOH,
		220	NFT_BYTEORDER_HTON,
		221	};
		222
		223	/**
		224	* enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
		225	*
		226	* @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
		227	* @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
		228	* @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
		229	* @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
		230	* @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
		231	*/
		232	enum nft_byteorder_attributes {
		233	NFTA_BYTEORDER_UNSPEC,
		234	NFTA_BYTEORDER_SREG,
		235	NFTA_BYTEORDER_DREG,
		236	NFTA_BYTEORDER_OP,
		237	NFTA_BYTEORDER_LEN,
		238	NFTA_BYTEORDER_SIZE,
		239	__NFTA_BYTEORDER_MAX
		240	};
		241	#define NFTA_BYTEORDER_MAX (__NFTA_BYTEORDER_MAX - 1)
		242
		243	/**
		244	* enum nft_cmp_ops - nf_tables relational operator
		245	*
		246	* @NFT_CMP_EQ: equal
		247	* @NFT_CMP_NEQ: not equal
		248	* @NFT_CMP_LT: less than
		249	* @NFT_CMP_LTE: less than or equal to
		250	* @NFT_CMP_GT: greater than
		251	* @NFT_CMP_GTE: greater than or equal to
		252	*/
		253	enum nft_cmp_ops {
		254	NFT_CMP_EQ,
		255	NFT_CMP_NEQ,
		256	NFT_CMP_LT,
		257	NFT_CMP_LTE,
		258	NFT_CMP_GT,
		259	NFT_CMP_GTE,
		260	};
		261
		262	/**
		263	* enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
		264	*
		265	* @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
		266	* @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
		267	* @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
		268	*/
		269	enum nft_cmp_attributes {
		270	NFTA_CMP_UNSPEC,
		271	NFTA_CMP_SREG,
		272	NFTA_CMP_OP,
		273	NFTA_CMP_DATA,
		274	__NFTA_CMP_MAX
		275	};
		276	#define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
		277
		278	enum nft_set_elem_flags {
		279	NFT_SE_INTERVAL_END = 0x1,
		280	};
		281
		282	enum nft_set_elem_attributes {
		283	NFTA_SE_UNSPEC,
		284	NFTA_SE_KEY,
		285	NFTA_SE_DATA,
		286	NFTA_SE_FLAGS,
		287	__NFTA_SE_MAX
		288	};
		289	#define NFTA_SE_MAX (__NFTA_SE_MAX - 1)
		290
		291	enum nft_set_flags {
		292	NFT_SET_INTERVAL = 0x1,
		293	NFT_SET_MAP = 0x2,
		294	};
		295
		296	enum nft_set_attributes {
		297	NFTA_SET_UNSPEC,
		298	NFTA_SET_FLAGS,
		299	NFTA_SET_SREG,
		300	NFTA_SET_DREG,
		301	NFTA_SET_KLEN,
		302	NFTA_SET_DLEN,
		303	NFTA_SET_ELEMENTS,
		304	__NFTA_SET_MAX
		305	};
		306	#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
		307
		308	enum nft_hash_flags {
		309	NFT_HASH_MAP = 0x1,
		310	};
		311
		312	enum nft_hash_elem_attributes {
		313	NFTA_HE_UNSPEC,
		314	NFTA_HE_KEY,
		315	NFTA_HE_DATA,
		316	__NFTA_HE_MAX
		317	};
		318	#define NFTA_HE_MAX (__NFTA_HE_MAX - 1)
		319
		320	enum nft_hash_attributes {
		321	NFTA_HASH_UNSPEC,
		322	NFTA_HASH_FLAGS,
		323	NFTA_HASH_SREG,
		324	NFTA_HASH_DREG,
		325	NFTA_HASH_KLEN,
		326	NFTA_HASH_ELEMENTS,
		327	__NFTA_HASH_MAX
		328	};
		329	#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1)
		330
		331	/**
		332	* enum nft_payload_bases - nf_tables payload expression offset bases
		333	*
		334	* @NFT_PAYLOAD_LL_HEADER: link layer header
		335	* @NFT_PAYLOAD_NETWORK_HEADER: network header
		336	* @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
		337	*/
		338	enum nft_payload_bases {
		339	NFT_PAYLOAD_LL_HEADER,
		340	NFT_PAYLOAD_NETWORK_HEADER,
		341	NFT_PAYLOAD_TRANSPORT_HEADER,
		342	};
		343
		344	/**
		345	* enum nft_payload_attributes - nf_tables payload expression netlink attributes
		346	*
		347	* @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
		348	* @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
		349	* @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
		350	* @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
		351	*/
		352	enum nft_payload_attributes {
		353	NFTA_PAYLOAD_UNSPEC,
		354	NFTA_PAYLOAD_DREG,
		355	NFTA_PAYLOAD_BASE,
		356	NFTA_PAYLOAD_OFFSET,
		357	NFTA_PAYLOAD_LEN,
		358	__NFTA_PAYLOAD_MAX
		359	};
		360	#define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1)
		361
		362	/**
		363	* enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes
		364	*
		365	* @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
		366	* @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
		367	* @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
		368	* @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
		369	*/
		370	enum nft_exthdr_attributes {
		371	NFTA_EXTHDR_UNSPEC,
		372	NFTA_EXTHDR_DREG,
		373	NFTA_EXTHDR_TYPE,
		374	NFTA_EXTHDR_OFFSET,
		375	NFTA_EXTHDR_LEN,
		376	__NFTA_EXTHDR_MAX
		377	};
		378	#define NFTA_EXTHDR_MAX (__NFTA_EXTHDR_MAX - 1)
		379
		380	/**
		381	* enum nft_meta_keys - nf_tables meta expression keys
		382	*
		383	* @NFT_META_LEN: packet length (skb->len)
		384	* @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
		385	* @NFT_META_PRIORITY: packet priority (skb->priority)
		386	* @NFT_META_MARK: packet mark (skb->mark)
		387	* @NFT_META_IIF: packet input interface index (dev->ifindex)
		388	* @NFT_META_OIF: packet output interface index (dev->ifindex)
		389	* @NFT_META_IIFNAME: packet input interface name (dev->name)
		390	* @NFT_META_OIFNAME: packet output interface name (dev->name)
		391	* @NFT_META_IIFTYPE: packet input interface type (dev->type)
		392	* @NFT_META_OIFTYPE: packet output interface type (dev->type)
		393	* @NFT_META_SKUID: originating socket UID (fsuid)
		394	* @NFT_META_SKGID: originating socket GID (fsgid)
		395	* @NFT_META_NFTRACE: packet nftrace bit
		396	* @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
		397	* @NFT_META_SECMARK: packet secmark (skb->secmark)
		398	*/
		399	enum nft_meta_keys {
		400	NFT_META_LEN,
		401	NFT_META_PROTOCOL,
		402	NFT_META_PRIORITY,
		403	NFT_META_MARK,
		404	NFT_META_IIF,
		405	NFT_META_OIF,
		406	NFT_META_IIFNAME,
		407	NFT_META_OIFNAME,
		408	NFT_META_IIFTYPE,
		409	NFT_META_OIFTYPE,
		410	NFT_META_SKUID,
		411	NFT_META_SKGID,
		412	NFT_META_NFTRACE,
		413	NFT_META_RTCLASSID,
		414	NFT_META_SECMARK,
		415	};
		416
		417	/**
		418	* enum nft_meta_attributes - nf_tables meta expression netlink attributes
		419	*
		420	* @NFTA_META_DREG: destination register (NLA_U32)
		421	* @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys)
		422	*/
		423	enum nft_meta_attributes {
		424	NFTA_META_UNSPEC,
		425	NFTA_META_DREG,
		426	NFTA_META_KEY,
		427	__NFTA_META_MAX
		428	};
		429	#define NFTA_META_MAX (__NFTA_META_MAX - 1)
		430
		431	/**
		432	* enum nft_ct_keys - nf_tables ct expression keys
		433	*
		434	* @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
		435	* @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir)
		436	* @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status)
		437	* @NFT_CT_MARK: conntrack mark value
		438	* @NFT_CT_SECMARK: conntrack secmark value
		439	* @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
		440	* @NFT_CT_HELPER: connection tracking helper assigned to conntrack
		441	* @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
		442	* @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
		443	* @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
		444	* @NFT_CT_PROTOCOL: conntrack layer 4 protocol
		445	* @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
		446	* @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
		447	*/
		448	enum nft_ct_keys {
		449	NFT_CT_STATE,
		450	NFT_CT_DIRECTION,
		451	NFT_CT_STATUS,
		452	NFT_CT_MARK,
		453	NFT_CT_SECMARK,
		454	NFT_CT_EXPIRATION,
		455	NFT_CT_HELPER,
		456	NFT_CT_L3PROTOCOL,
		457	NFT_CT_SRC,
		458	NFT_CT_DST,
		459	NFT_CT_PROTOCOL,
		460	NFT_CT_PROTO_SRC,
		461	NFT_CT_PROTO_DST,
		462	};
		463
		464	/**
		465	* enum nft_ct_attributes - nf_tables ct expression netlink attributes
		466	*
		467	* @NFTA_CT_DREG: destination register (NLA_U32)
		468	* @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys)
		469	* @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8)
		470	*/
		471	enum nft_ct_attributes {
		472	NFTA_CT_UNSPEC,
		473	NFTA_CT_DREG,
		474	NFTA_CT_KEY,
		475	NFTA_CT_DIRECTION,
		476	__NFTA_CT_MAX
		477	};
		478	#define NFTA_CT_MAX (__NFTA_CT_MAX - 1)
		479
		480	/**
		481	* enum nft_limit_attributes - nf_tables limit expression netlink attributes
		482	*
		483	* @NFTA_LIMIT_RATE: refill rate (NLA_U64)
		484	* @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
		485	*/
		486	enum nft_limit_attributes {
		487	NFTA_LIMIT_UNSPEC,
		488	NFTA_LIMIT_RATE,
		489	NFTA_LIMIT_UNIT,
		490	__NFTA_LIMIT_MAX
		491	};
		492	#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
		493
		494	/**
		495	* enum nft_counter_attributes - nf_tables counter expression netlink attributes
		496	*
		497	* @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
		498	* @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
		499	*/
		500	enum nft_counter_attributes {
		501	NFTA_COUNTER_UNSPEC,
		502	NFTA_COUNTER_BYTES,
		503	NFTA_COUNTER_PACKETS,
		504	__NFTA_COUNTER_MAX
		505	};
		506	#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1)
		507
		508	/**
		509	* enum nft_log_attributes - nf_tables log expression netlink attributes
		510	*
		511	* @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
		512	* @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
		513	* @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
		514	* @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
		515	*/
		516	enum nft_log_attributes {
		517	NFTA_LOG_UNSPEC,
		518	NFTA_LOG_GROUP,
		519	NFTA_LOG_PREFIX,
		520	NFTA_LOG_SNAPLEN,
		521	NFTA_LOG_QTHRESHOLD,
		522	__NFTA_LOG_MAX
		523	};
		524	#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
		525
		526	/**
		527	* enum nft_reject_types - nf_tables reject expression reject types
		528	*
		529	* @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
		530	* @NFT_REJECT_TCP_RST: reject using TCP RST
		531	*/
		532	enum nft_reject_types {
		533	NFT_REJECT_ICMP_UNREACH,
		534	NFT_REJECT_TCP_RST,
		535	};
		536
		537	/**
		538	* enum nft_reject_attributes - nf_tables reject expression netlink attributes
		539	*
		540	* @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
		541	* @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8)
		542	*/
		543	enum nft_reject_attributes {
		544	NFTA_REJECT_UNSPEC,
		545	NFTA_REJECT_TYPE,
		546	NFTA_REJECT_ICMP_CODE,
		547	__NFTA_REJECT_MAX
		548	};
		549	#define NFTA_REJECT_MAX (__NFTA_REJECT_MAX - 1)
		550
		551	/**
		552	* enum nft_nat_types - nf_tables nat expression NAT types
		553	*
		554	* @NFT_NAT_SNAT: source NAT
		555	* @NFT_NAT_DNAT: destination NAT
		556	*/
		557	enum nft_nat_types {
		558	NFT_NAT_SNAT,
		559	NFT_NAT_DNAT,
		560	};
		561
		562	/**
		563	* enum nft_nat_attributes - nf_tables nat expression netlink attributes
		564	*
		565	* @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types)
		566	* @NFTA_NAT_ADDR_MIN: source register of address range start (NLA_U32: nft_registers)
		567	* @NFTA_NAT_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
		568	* @NFTA_NAT_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
		569	* @NFTA_NAT_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
		570	*/
		571	enum nft_nat_attributes {
		572	NFTA_NAT_UNSPEC,
		573	NFTA_NAT_TYPE,
		574	NFTA_NAT_ADDR_MIN,
		575	NFTA_NAT_ADDR_MAX,
		576	NFTA_NAT_PROTO_MIN,
		577	NFTA_NAT_PROTO_MAX,
		578	__NFTA_NAT_MAX
		579	};
		580	#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
		581
		582	#endif /* _LINUX_NF_TABLES_H */


diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h index 4a4efafad5f4..d276c3bd55b8 100644 --- a/include/uapi/linux/netfilter/nfnetlink.h +++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -18,6 +18,8 @@ enum nfnetlink_groups {
18	#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE	18	#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
19	NFNLGRP_CONNTRACK_EXP_DESTROY,	19	NFNLGRP_CONNTRACK_EXP_DESTROY,
20	#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY	20	#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
		21	NFNLGRP_NFTABLES,
		22	#define NFNLGRP_NFTABLES NFNLGRP_NFTABLES
21	__NFNLGRP_MAX,	23	__NFNLGRP_MAX,
22	};	24	};
23	#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)	25	#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
@@ -51,6 +53,7 @@ struct nfgenmsg {
51	#define NFNL_SUBSYS_ACCT 7	53	#define NFNL_SUBSYS_ACCT 7
52	#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8	54	#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
53	#define NFNL_SUBSYS_CTHELPER 9	55	#define NFNL_SUBSYS_CTHELPER 9
54	#define NFNL_SUBSYS_COUNT 10	56	#define NFNL_SUBSYS_NFTABLES 10
		57	#define NFNL_SUBSYS_COUNT 11
55		58
56	#endif /* _UAPI_NFNETLINK_H */	59	#endif /* _UAPI_NFNETLINK_H */