diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-19 11:27:06 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-27 10:56:00 -0500 |
| commit | 0768b3b3d228c5acf2075f40f3d25cda30011d4f (patch) | |
| tree | 692c78e345c357dbc036c093abb3a1062e928291 /include/uapi | |
| parent | 39111fd261f544acb0333d59fca27abc2f767ad7 (diff) | |
netfilter: nf_tables: add optional user data area to rules
This allows us to store user comment strings, but it could be also
used to store any kind of information that the user application needs
to link to the rule.
Scratch 8 bits for the new ulen field that indicates the length the
user data area. 4 bits from the handle (so it's 42 bits long, according
to Patrick, it would last 139 years with 1000 new rules per second)
and 4 bits from dlen (so the expression data area is 4K, which seems
sufficient by now even considering the compatibility layer).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/uapi')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index c84c452c62a7..c88ccbfda5f1 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -1,7 +1,8 @@ | |||
| 1 | #ifndef _LINUX_NF_TABLES_H | 1 | #ifndef _LINUX_NF_TABLES_H |
| 2 | #define _LINUX_NF_TABLES_H | 2 | #define _LINUX_NF_TABLES_H |
| 3 | 3 | ||
| 4 | #define NFT_CHAIN_MAXNAMELEN 32 | 4 | #define NFT_CHAIN_MAXNAMELEN 32 |
| 5 | #define NFT_USERDATA_MAXLEN 256 | ||
| 5 | 6 | ||
| 6 | enum nft_registers { | 7 | enum nft_registers { |
| 7 | NFT_REG_VERDICT, | 8 | NFT_REG_VERDICT, |
| @@ -156,6 +157,7 @@ enum nft_chain_attributes { | |||
| 156 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) | 157 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) |
| 157 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) | 158 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) |
| 158 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) | 159 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) |
| 160 | * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) | ||
| 159 | */ | 161 | */ |
| 160 | enum nft_rule_attributes { | 162 | enum nft_rule_attributes { |
| 161 | NFTA_RULE_UNSPEC, | 163 | NFTA_RULE_UNSPEC, |
| @@ -165,6 +167,7 @@ enum nft_rule_attributes { | |||
| 165 | NFTA_RULE_EXPRESSIONS, | 167 | NFTA_RULE_EXPRESSIONS, |
| 166 | NFTA_RULE_COMPAT, | 168 | NFTA_RULE_COMPAT, |
| 167 | NFTA_RULE_POSITION, | 169 | NFTA_RULE_POSITION, |
| 170 | NFTA_RULE_USERDATA, | ||
| 168 | __NFTA_RULE_MAX | 171 | __NFTA_RULE_MAX |
| 169 | }; | 172 | }; |
| 170 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) | 173 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) |