iptables/nft-ruleparse.h - platform/external/iptables - Git at Google

 #ifndef _NFT_RULEPARSE_H_
 #define _NFT_RULEPARSE_H_

 #include <linux/netfilter/nf_tables.h>

 #include <libnftnl/expr.h>

 #include "xshared.h"

 enum nft_ctx_reg_type {
 	NFT_XT_REG_UNDEF,
 	NFT_XT_REG_PAYLOAD,
 	NFT_XT_REG_IMMEDIATE,
 	NFT_XT_REG_META_DREG,
 };

 struct nft_xt_ctx_reg {
 	enum nft_ctx_reg_type type:8;

 	union {
 		struct {
 			uint32_t base;
 			uint32_t offset;
 			uint32_t len;
 		} payload;
 		struct {
 			uint32_t data[4];
 			uint8_t len;
 		} immediate;
 		struct {
 			uint32_t key;
 		} meta_dreg;
 		struct {
 			uint32_t key;
 		} meta_sreg;
 	};

 	struct {
 		uint32_t mask[4];
 		uint32_t xor[4];
 		bool set;
 	} bitwise;
 };

 struct nft_xt_ctx {
 	struct iptables_command_state *cs;
 	struct nftnl_expr_iter *iter;
 	struct nft_handle *h;
 	uint32_t flags;
 	const char *table;

 	struct nft_xt_ctx_reg regs[1 + 16];

 	const char *errmsg;
 };

 static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_sreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
 {
 	switch (reg) {
 	case NFT_REG_VERDICT:
 		return &ctx->regs[0];
 	case NFT_REG_1:
 		return &ctx->regs[1];
 	case NFT_REG_2:
 		return &ctx->regs[5];
 	case NFT_REG_3:
 		return &ctx->regs[9];
 	case NFT_REG_4:
 		return &ctx->regs[13];
 	case NFT_REG32_00...NFT_REG32_15:
 		return &ctx->regs[reg - NFT_REG32_00];
 	default:
 		ctx->errmsg = "Unknown register requested";
 		break;
 	}

 	return NULL;
 }

 static inline void nft_xt_reg_clear(struct nft_xt_ctx_reg *r)
 {
 	r->type = 0;
 	r->bitwise.set = false;
 }

 static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_dreg(struct nft_xt_ctx *ctx, enum nft_registers reg)
 {
 	struct nft_xt_ctx_reg *r = nft_xt_ctx_get_sreg(ctx, reg);

 	if (r)
 		nft_xt_reg_clear(r);

 	return r;
 }

 struct nft_ruleparse_ops {
 	void (*meta)(struct nft_xt_ctx *ctx,
 		     const struct nft_xt_ctx_reg *sreg,
 		     struct nftnl_expr *e,
 		     struct iptables_command_state *cs);
 	void (*payload)(struct nft_xt_ctx *ctx,
 			const struct nft_xt_ctx_reg *sreg,
 			struct nftnl_expr *e,
 			struct iptables_command_state *cs);
 	void (*lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
 	void (*match)(struct xtables_match *m,
 		      struct iptables_command_state *cs);
 	void (*target)(struct xtables_target *t,
 		       struct iptables_command_state *cs);
 };

 void *nft_create_match(struct nft_xt_ctx *ctx,
 		       struct iptables_command_state *cs,
 		       const char *name, bool reuse);

 bool nft_rule_to_iptables_command_state(struct nft_handle *h,
 					const struct nftnl_rule *r,
 					struct iptables_command_state *cs);

 #define min(x, y) ((x) < (y) ? (x) : (y))
 #define max(x, y) ((x) > (y) ? (x) : (y))

 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 	       char *iniface, unsigned char *iniface_mask, char *outiface,
 	       unsigned char *outiface_mask, uint8_t *invflags);

 void nft_ipv46_parse_target(struct xtables_target *t,
 			    struct iptables_command_state *cs);

 int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 		 struct iptables_command_state *cs);

 #endif /* _NFT_RULEPARSE_H_ */
	#ifndef _NFT_RULEPARSE_H_
	#define _NFT_RULEPARSE_H_

	#include <linux/netfilter/nf_tables.h>

	#include <libnftnl/expr.h>

	#include "xshared.h"

	enum nft_ctx_reg_type {
	NFT_XT_REG_UNDEF,
	NFT_XT_REG_PAYLOAD,
	NFT_XT_REG_IMMEDIATE,
	NFT_XT_REG_META_DREG,
	};

	struct nft_xt_ctx_reg {
	enum nft_ctx_reg_type type:8;

	union {
	struct {
	uint32_t base;
	uint32_t offset;
	uint32_t len;
	} payload;
	struct {
	uint32_t data[4];
	uint8_t len;
	} immediate;
	struct {
	uint32_t key;
	} meta_dreg;
	struct {
	uint32_t key;
	} meta_sreg;
	};

	struct {
	uint32_t mask[4];
	uint32_t xor[4];
	bool set;
	} bitwise;
	};

	struct nft_xt_ctx {
	struct iptables_command_state *cs;
	struct nftnl_expr_iter *iter;
	struct nft_handle *h;
	uint32_t flags;
	const char *table;

	struct nft_xt_ctx_reg regs[1 + 16];

	const char *errmsg;
	};

	static inline struct nft_xt_ctx_reg nft_xt_ctx_get_sreg(struct nft_xt_ctx ctx, enum nft_registers reg)
	{
	switch (reg) {
	case NFT_REG_VERDICT:
	return &ctx->regs[0];
	case NFT_REG_1:
	return &ctx->regs[1];
	case NFT_REG_2:
	return &ctx->regs[5];
	case NFT_REG_3:
	return &ctx->regs[9];
	case NFT_REG_4:
	return &ctx->regs[13];
	case NFT_REG32_00...NFT_REG32_15:
	return &ctx->regs[reg - NFT_REG32_00];
	default:
	ctx->errmsg = "Unknown register requested";
	break;
	}

	return NULL;
	}

	static inline void nft_xt_reg_clear(struct nft_xt_ctx_reg *r)
	{
	r->type = 0;
	r->bitwise.set = false;
	}

	static inline struct nft_xt_ctx_reg nft_xt_ctx_get_dreg(struct nft_xt_ctx ctx, enum nft_registers reg)
	{
	struct nft_xt_ctx_reg *r = nft_xt_ctx_get_sreg(ctx, reg);

	if (r)
	nft_xt_reg_clear(r);

	return r;
	}

	struct nft_ruleparse_ops {
	void (meta)(struct nft_xt_ctx ctx,
	const struct nft_xt_ctx_reg *sreg,
	struct nftnl_expr *e,
	struct iptables_command_state *cs);
	void (payload)(struct nft_xt_ctx ctx,
	const struct nft_xt_ctx_reg *sreg,
	struct nftnl_expr *e,
	struct iptables_command_state *cs);
	void (lookup)(struct nft_xt_ctx ctx, struct nftnl_expr *e);
	void (match)(struct xtables_match m,
	struct iptables_command_state *cs);
	void (target)(struct xtables_target t,
	struct iptables_command_state *cs);
	};

	void nft_create_match(struct nft_xt_ctx ctx,
	struct iptables_command_state *cs,
	const char *name, bool reuse);

	bool nft_rule_to_iptables_command_state(struct nft_handle *h,
	const struct nftnl_rule *r,
	struct iptables_command_state *cs);

	#define min(x, y) ((x) < (y) ? (x) : (y))
	#define max(x, y) ((x) > (y) ? (x) : (y))

	int parse_meta(struct nft_xt_ctx ctx, struct nftnl_expr e, uint8_t key,
	char iniface, unsigned char iniface_mask, char *outiface,
	unsigned char outiface_mask, uint8_t invflags);

	void nft_ipv46_parse_target(struct xtables_target *t,
	struct iptables_command_state *cs);

	int nft_parse_hl(struct nft_xt_ctx ctx, struct nftnl_expr e,
	struct iptables_command_state *cs);

	#endif /* _NFT_RULEPARSE_H_ */