1 files changed, 139 insertions, 52 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index ec6d84a8ed1e..9e924014efe3 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -44,6 +44,12 @@ enum nft_verdicts {
 * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
 * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
 * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
+ * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
+ * @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
+ * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
+ * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
+ * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
+ * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
 */
 enum nf_tables_msg_types {
        NFT_MSG_NEWTABLE,
@@ -55,9 +61,20 @@ enum nf_tables_msg_types {
        NFT_MSG_NEWRULE,
        NFT_MSG_GETRULE,
        NFT_MSG_DELRULE,
+        NFT_MSG_NEWSET,
+        NFT_MSG_GETSET,
+        NFT_MSG_DELSET,
+        NFT_MSG_NEWSETELEM,
+        NFT_MSG_GETSETELEM,
+        NFT_MSG_DELSETELEM,
        NFT_MSG_MAX,
 };
+/**
+ * enum nft_list_attributes - nf_tables generic list netlink attributes
+ *
+ * @NFTA_LIST_ELEM: list element (NLA_NESTED)
+ */
 enum nft_list_attributes {
        NFTA_LIST_UNPEC,
        NFTA_LIST_ELEM,
@@ -127,6 +144,113 @@ enum nft_rule_attributes {
 };
 #define NFTA_RULE_MAX           (__NFTA_RULE_MAX - 1)
+/**
+ * enum nft_set_flags - nf_tables set flags
+ *
+ * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
+ * @NFT_SET_CONSTANT: set contents may not change while bound
+ * @NFT_SET_INTERVAL: set contains intervals
+ * @NFT_SET_MAP: set is used as a dictionary
+ */
+enum nft_set_flags {
+        NFT_SET_ANONYMOUS               = 0x1,
+        NFT_SET_CONSTANT                = 0x2,
+        NFT_SET_INTERVAL                = 0x4,
+        NFT_SET_MAP                     = 0x8,
+};
+/**
+ * enum nft_set_attributes - nf_tables set netlink attributes
+ *
+ * @NFTA_SET_TABLE: table name (NLA_STRING)
+ * @NFTA_SET_NAME: set name (NLA_STRING)
+ * @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
+ * @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
+ * @NFTA_SET_KEY_LEN: key data length (NLA_U32)
+ * @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
+ * @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
+ */
+enum nft_set_attributes {
+        NFTA_SET_UNSPEC,
+        NFTA_SET_TABLE,
+        NFTA_SET_NAME,
+        NFTA_SET_FLAGS,
+        NFTA_SET_KEY_TYPE,
+        NFTA_SET_KEY_LEN,
+        NFTA_SET_DATA_TYPE,
+        NFTA_SET_DATA_LEN,
+        __NFTA_SET_MAX
+};
+#define NFTA_SET_MAX            (__NFTA_SET_MAX - 1)
+/**
+ * enum nft_set_elem_flags - nf_tables set element flags
+ *
+ * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
+ */
+enum nft_set_elem_flags {
+        NFT_SET_ELEM_INTERVAL_END       = 0x1,
+};
+/**
+ * enum nft_set_elem_attributes - nf_tables set element netlink attributes
+ *
+ * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
+ * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
+ * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
+ */
+enum nft_set_elem_attributes {
+        NFTA_SET_ELEM_UNSPEC,
+        NFTA_SET_ELEM_KEY,
+        NFTA_SET_ELEM_DATA,
+        NFTA_SET_ELEM_FLAGS,
+        __NFTA_SET_ELEM_MAX
+};
+#define NFTA_SET_ELEM_MAX       (__NFTA_SET_ELEM_MAX - 1)
+/**
+ * enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
+ *
+ * @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
+ * @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
+ * @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
+ */
+enum nft_set_elem_list_attributes {
+        NFTA_SET_ELEM_LIST_UNSPEC,
+        NFTA_SET_ELEM_LIST_TABLE,
+        NFTA_SET_ELEM_LIST_SET,
+        NFTA_SET_ELEM_LIST_ELEMENTS,
+        __NFTA_SET_ELEM_LIST_MAX
+};
+#define NFTA_SET_ELEM_LIST_MAX  (__NFTA_SET_ELEM_LIST_MAX - 1)
+/**
+ * enum nft_data_types - nf_tables data types
+ *
+ * @NFT_DATA_VALUE: generic data
+ * @NFT_DATA_VERDICT: netfilter verdict
+ *
+ * The type of data is usually determined by the kernel directly and is not
+ * explicitly specified by userspace. The only difference are sets, where
+ * userspace specifies the key and mapping data types.
+ *
+ * The values 0xffffff00-0xffffffff are reserved for internally used types.
+ * The remaining range can be freely used by userspace to encode types, all
+ * values are equivalent to NFT_DATA_VALUE.
+ */
+enum nft_data_types {
+        NFT_DATA_VALUE,
+        NFT_DATA_VERDICT        = 0xffffff00U,
+};
+#define NFT_DATA_RESERVED_MASK  0xffffff00U
+/**
+ * enum nft_data_attributes - nf_tables data netlink attributes
+ *
+ * @NFTA_DATA_VALUE: generic data (NLA_BINARY)
+ * @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
+ */
 enum nft_data_attributes {
        NFTA_DATA_UNSPEC,
        NFTA_DATA_VALUE,
@@ -275,58 +399,21 @@ enum nft_cmp_attributes {
 };
 #define NFTA_CMP_MAX            (__NFTA_CMP_MAX - 1)
-enum nft_set_elem_flags {
+/**
-        NFT_SE_INTERVAL_END     = 0x1,
+ * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
-};
+ *
+ * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
-enum nft_set_elem_attributes {
+ * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
-        NFTA_SE_UNSPEC,
+ * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
-        NFTA_SE_KEY,
+ */
-        NFTA_SE_DATA,
+enum nft_lookup_attributes {
-        NFTA_SE_FLAGS,
+        NFTA_LOOKUP_UNSPEC,
-        __NFTA_SE_MAX
+        NFTA_LOOKUP_SET,
-};
+        NFTA_LOOKUP_SREG,
-#define NFTA_SE_MAX             (__NFTA_SE_MAX - 1)
+        NFTA_LOOKUP_DREG,
+        __NFTA_LOOKUP_MAX
-enum nft_set_flags {
+};
-        NFT_SET_INTERVAL        = 0x1,
+#define NFTA_LOOKUP_MAX         (__NFTA_LOOKUP_MAX - 1)
-        NFT_SET_MAP             = 0x2,
-};
-enum nft_set_attributes {
-        NFTA_SET_UNSPEC,
-        NFTA_SET_FLAGS,
-        NFTA_SET_SREG,
-        NFTA_SET_DREG,
-        NFTA_SET_KLEN,
-        NFTA_SET_DLEN,
-        NFTA_SET_ELEMENTS,
-        __NFTA_SET_MAX
-};
-#define NFTA_SET_MAX            (__NFTA_SET_MAX - 1)
-enum nft_hash_flags {
-        NFT_HASH_MAP            = 0x1,
-};
-enum nft_hash_elem_attributes {
-        NFTA_HE_UNSPEC,
-        NFTA_HE_KEY,
-        NFTA_HE_DATA,
-        __NFTA_HE_MAX
-};
-#define NFTA_HE_MAX             (__NFTA_HE_MAX - 1)
-enum nft_hash_attributes {
-        NFTA_HASH_UNSPEC,
-        NFTA_HASH_FLAGS,
-        NFTA_HASH_SREG,
-        NFTA_HASH_DREG,
-        NFTA_HASH_KLEN,
-        NFTA_HASH_ELEMENTS,
-        __NFTA_HASH_MAX
-};
-#define NFTA_HASH_MAX           (__NFTA_HASH_MAX - 1)
 /**
 * enum nft_payload_bases - nf_tables payload expression offset bases

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index ec6d84a8ed1e..9e924014efe3 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -44,6 +44,12 @@ enum nft_verdicts {
44	* @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)	44	* @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
45	* @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)	45	* @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
46	* @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)	46	* @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
		47	* @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
		48	* @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
		49	* @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
		50	* @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
		51	* @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
		52	* @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
47	*/	53	*/
48	enum nf_tables_msg_types {	54	enum nf_tables_msg_types {
49	NFT_MSG_NEWTABLE,	55	NFT_MSG_NEWTABLE,
@@ -55,9 +61,20 @@ enum nf_tables_msg_types {
55	NFT_MSG_NEWRULE,	61	NFT_MSG_NEWRULE,
56	NFT_MSG_GETRULE,	62	NFT_MSG_GETRULE,
57	NFT_MSG_DELRULE,	63	NFT_MSG_DELRULE,
		64	NFT_MSG_NEWSET,
		65	NFT_MSG_GETSET,
		66	NFT_MSG_DELSET,
		67	NFT_MSG_NEWSETELEM,
		68	NFT_MSG_GETSETELEM,
		69	NFT_MSG_DELSETELEM,
58	NFT_MSG_MAX,	70	NFT_MSG_MAX,
59	};	71	};
60		72
		73	/**
		74	* enum nft_list_attributes - nf_tables generic list netlink attributes
		75	*
		76	* @NFTA_LIST_ELEM: list element (NLA_NESTED)
		77	*/
61	enum nft_list_attributes {	78	enum nft_list_attributes {
62	NFTA_LIST_UNPEC,	79	NFTA_LIST_UNPEC,
63	NFTA_LIST_ELEM,	80	NFTA_LIST_ELEM,
@@ -127,6 +144,113 @@ enum nft_rule_attributes {
127	};	144	};
128	#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)	145	#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
129		146
		147	/**
		148	* enum nft_set_flags - nf_tables set flags
		149	*
		150	* @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
		151	* @NFT_SET_CONSTANT: set contents may not change while bound
		152	* @NFT_SET_INTERVAL: set contains intervals
		153	* @NFT_SET_MAP: set is used as a dictionary
		154	*/
		155	enum nft_set_flags {
		156	NFT_SET_ANONYMOUS = 0x1,
		157	NFT_SET_CONSTANT = 0x2,
		158	NFT_SET_INTERVAL = 0x4,
		159	NFT_SET_MAP = 0x8,
		160	};
		161
		162	/**
		163	* enum nft_set_attributes - nf_tables set netlink attributes
		164	*
		165	* @NFTA_SET_TABLE: table name (NLA_STRING)
		166	* @NFTA_SET_NAME: set name (NLA_STRING)
		167	* @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
		168	* @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
		169	* @NFTA_SET_KEY_LEN: key data length (NLA_U32)
		170	* @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
		171	* @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
		172	*/
		173	enum nft_set_attributes {
		174	NFTA_SET_UNSPEC,
		175	NFTA_SET_TABLE,
		176	NFTA_SET_NAME,
		177	NFTA_SET_FLAGS,
		178	NFTA_SET_KEY_TYPE,
		179	NFTA_SET_KEY_LEN,
		180	NFTA_SET_DATA_TYPE,
		181	NFTA_SET_DATA_LEN,
		182	__NFTA_SET_MAX
		183	};
		184	#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
		185
		186	/**
		187	* enum nft_set_elem_flags - nf_tables set element flags
		188	*
		189	* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
		190	*/
		191	enum nft_set_elem_flags {
		192	NFT_SET_ELEM_INTERVAL_END = 0x1,
		193	};
		194
		195	/**
		196	* enum nft_set_elem_attributes - nf_tables set element netlink attributes
		197	*
		198	* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
		199	* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
		200	* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
		201	*/
		202	enum nft_set_elem_attributes {
		203	NFTA_SET_ELEM_UNSPEC,
		204	NFTA_SET_ELEM_KEY,
		205	NFTA_SET_ELEM_DATA,
		206	NFTA_SET_ELEM_FLAGS,
		207	__NFTA_SET_ELEM_MAX
		208	};
		209	#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
		210
		211	/**
		212	* enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
		213	*
		214	* @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
		215	* @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
		216	* @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
		217	*/
		218	enum nft_set_elem_list_attributes {
		219	NFTA_SET_ELEM_LIST_UNSPEC,
		220	NFTA_SET_ELEM_LIST_TABLE,
		221	NFTA_SET_ELEM_LIST_SET,
		222	NFTA_SET_ELEM_LIST_ELEMENTS,
		223	__NFTA_SET_ELEM_LIST_MAX
		224	};
		225	#define NFTA_SET_ELEM_LIST_MAX (__NFTA_SET_ELEM_LIST_MAX - 1)
		226
		227	/**
		228	* enum nft_data_types - nf_tables data types
		229	*
		230	* @NFT_DATA_VALUE: generic data
		231	* @NFT_DATA_VERDICT: netfilter verdict
		232	*
		233	* The type of data is usually determined by the kernel directly and is not
		234	* explicitly specified by userspace. The only difference are sets, where
		235	* userspace specifies the key and mapping data types.
		236	*
		237	* The values 0xffffff00-0xffffffff are reserved for internally used types.
		238	* The remaining range can be freely used by userspace to encode types, all
		239	* values are equivalent to NFT_DATA_VALUE.
		240	*/
		241	enum nft_data_types {
		242	NFT_DATA_VALUE,
		243	NFT_DATA_VERDICT = 0xffffff00U,
		244	};
		245
		246	#define NFT_DATA_RESERVED_MASK 0xffffff00U
		247
		248	/**
		249	* enum nft_data_attributes - nf_tables data netlink attributes
		250	*
		251	* @NFTA_DATA_VALUE: generic data (NLA_BINARY)
		252	* @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
		253	*/
130	enum nft_data_attributes {	254	enum nft_data_attributes {
131	NFTA_DATA_UNSPEC,	255	NFTA_DATA_UNSPEC,
132	NFTA_DATA_VALUE,	256	NFTA_DATA_VALUE,
@@ -275,58 +399,21 @@ enum nft_cmp_attributes {
275	};	399	};
276	#define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)	400	#define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
277		401
278	enum nft_set_elem_flags {	402	/**
279	NFT_SE_INTERVAL_END = 0x1,	403	* enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
280	};	404	*
281		405	* @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
282	enum nft_set_elem_attributes {	406	* @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
283	NFTA_SE_UNSPEC,	407	* @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
284	NFTA_SE_KEY,	408	*/
285	NFTA_SE_DATA,	409	enum nft_lookup_attributes {
286	NFTA_SE_FLAGS,	410	NFTA_LOOKUP_UNSPEC,
287	__NFTA_SE_MAX	411	NFTA_LOOKUP_SET,
288	};	412	NFTA_LOOKUP_SREG,
289	#define NFTA_SE_MAX (__NFTA_SE_MAX - 1)	413	NFTA_LOOKUP_DREG,
290		414	__NFTA_LOOKUP_MAX
291	enum nft_set_flags {	415	};
292	NFT_SET_INTERVAL = 0x1,	416	#define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1)
293	NFT_SET_MAP = 0x2,
294	};
295
296	enum nft_set_attributes {
297	NFTA_SET_UNSPEC,
298	NFTA_SET_FLAGS,
299	NFTA_SET_SREG,
300	NFTA_SET_DREG,
301	NFTA_SET_KLEN,
302	NFTA_SET_DLEN,
303	NFTA_SET_ELEMENTS,
304	__NFTA_SET_MAX
305	};
306	#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
307
308	enum nft_hash_flags {
309	NFT_HASH_MAP = 0x1,
310	};
311
312	enum nft_hash_elem_attributes {
313	NFTA_HE_UNSPEC,
314	NFTA_HE_KEY,
315	NFTA_HE_DATA,
316	__NFTA_HE_MAX
317	};
318	#define NFTA_HE_MAX (__NFTA_HE_MAX - 1)
319
320	enum nft_hash_attributes {
321	NFTA_HASH_UNSPEC,
322	NFTA_HASH_FLAGS,
323	NFTA_HASH_SREG,
324	NFTA_HASH_DREG,
325	NFTA_HASH_KLEN,
326	NFTA_HASH_ELEMENTS,
327	__NFTA_HASH_MAX
328	};
329	#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1)
330		417
331	/**	418	/**
332	* enum nft_payload_bases - nf_tables payload expression offset bases	419	* enum nft_payload_bases - nf_tables payload expression offset bases