xref: /linux/include/net/netfilter/nf_tables_offload.h (revision 4f2c0a4acffbec01079c28f839422e64ddeff004)
1 #ifndef _NET_NF_TABLES_OFFLOAD_H
2 #define _NET_NF_TABLES_OFFLOAD_H
3 
4 #include <net/flow_offload.h>
5 #include <net/netfilter/nf_tables.h>
6 
/*
 * Flag bits for the flags member of struct nft_offload_reg (going by the
 * enum name; the code that tests these bits is outside this header).
 */
enum nft_offload_reg_flags {
	/*
	 * NOTE(review): the name suggests the register value needs a
	 * network-to-host byte-order conversion before it is compared;
	 * confirm against the code that checks this bit.
	 */
	NFT_OFFLOAD_F_NETWORK2HOST	= (1 << 0),
};
10 
/*
 * Per-register offload description.
 *
 * The NFT_OFFLOAD_MATCH* macros in this header fill key, len, base_offset,
 * offset and flags; NFT_OFFLOAD_MATCH_EXACT additionally sets the first
 * len bytes of mask to 0xff.
 */
struct nft_offload_reg {
	/* Set from the macro's __key argument. */
	u32		key;
	/* Set from __len; also the byte count NFT_OFFLOAD_MATCH_EXACT writes into mask. */
	u32		len;
	/* offsetof(struct nft_flow_key, __base) as computed by the macros. */
	u32		base_offset;
	/* offsetof(struct nft_flow_key, __base.__field) as computed by the macros. */
	u32		offset;
	/* Set from __flags; NFT_OFFLOAD_MATCH passes 0. */
	u32		flags;
	/*
	 * NOTE(review): nothing in this header bounds len by
	 * sizeof(struct nft_data); every writer of len has to keep it within
	 * data/mask, otherwise the memset() in NFT_OFFLOAD_MATCH_EXACT runs
	 * past mask. Confirm at each call site.
	 */
	struct nft_data data;
	struct nft_data	mask;
};
20 
/*
 * Type tag for the dependency held in struct nft_offload_ctx (dep.type).
 *
 * UNSPEC is explicitly 0, so a zero-initialised context carries no
 * dependency type.
 * NOTE(review): NETWORK and TRANSPORT presumably pair with dep.l3num and
 * dep.protonum respectively; confirm in the implementation.
 */
enum nft_offload_dep_type {
	NFT_OFFLOAD_DEP_UNSPEC	= 0,
	NFT_OFFLOAD_DEP_NETWORK,
	NFT_OFFLOAD_DEP_TRANSPORT,
};
26 
/*
 * Working state passed to the offload helpers declared in this header.
 */
struct nft_offload_ctx {
	/* Pending protocol dependency; type selects which kind is recorded. */
	struct {
		enum nft_offload_dep_type	type;
		/* Big-endian 16-bit value (__be16). */
		__be16				l3num;
		u8				protonum;
	} dep;
	unsigned int				num_actions;
	struct net				*net;
	/*
	 * One slot per register index 0..NFT_REG32_15.
	 * NOTE(review): any register number used to index this array must be
	 * at most NFT_REG32_15; confirm the callers validate it before
	 * indexing, since the array itself offers no bounds check.
	 */
	struct nft_offload_reg			regs[NFT_REG32_15 + 1];
};
37 
/*
 * Dependency helpers operating on ctx->dep. Their definitions are not part
 * of this header.
 *
 * NOTE(review): nft_offload_update_dependency() takes an untyped buffer and
 * a caller-supplied length; confirm the implementation checks len against
 * the size of the dep field it writes (l3num is 2 bytes, protonum is 1)
 * before copying.
 */
void nft_offload_set_dependency(struct nft_offload_ctx *ctx,
				enum nft_offload_dep_type type);
void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
				   const void *data, u32 len);
42 
/*
 * Flow key layout built from flow dissector key structures.
 *
 * The NFT_OFFLOAD_MATCH* macros record offsetof() positions inside this
 * struct, so member order and naming are part of the contract with every
 * macro call site.
 */
struct nft_flow_key {
	struct flow_dissector_key_basic			basic;
	struct flow_dissector_key_control		control;
	/* IPv4 and IPv6 addresses share storage; only one is meaningful at a time. */
	union {
		struct flow_dissector_key_ipv4_addrs	ipv4;
		struct flow_dissector_key_ipv6_addrs	ipv6;
	};
	struct flow_dissector_key_ports			tp;
	struct flow_dissector_key_ip			ip;
	struct flow_dissector_key_vlan			vlan;
	struct flow_dissector_key_vlan			cvlan;
	struct flow_dissector_key_eth_addrs		eth_addrs;
	struct flow_dissector_key_meta			meta;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
57 
/*
 * A match expressed as a dissector plus a key/mask pair.
 *
 * key and mask have the same type, so an offset into struct nft_flow_key
 * addresses the same field in both.
 */
struct nft_flow_match {
	struct flow_dissector	dissector;
	struct nft_flow_key	key;
	struct nft_flow_key	mask;
};
63 
/*
 * Offload representation of one rule: the embedded match and a pointer to
 * the struct flow_rule.
 *
 * NOTE(review): ownership of *rule is not visible in this header;
 * presumably nft_flow_rule_create() allocates it and
 * nft_flow_rule_destroy() releases it. Confirm before holding the pointer
 * past destroy.
 */
struct nft_flow_rule {
	/* Big-endian 16-bit protocol value (__be16). */
	__be16			proto;
	struct nft_flow_match	match;
	struct flow_rule	*rule;
};
69 
/*
 * Sets the address type of @flow from a flow dissector key id. The
 * definition is not part of this header.
 */
void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
				 enum flow_dissector_key_id addr_type);
72 
/* Forward declaration: only pointers to struct nft_rule are used below. */
struct nft_rule;
/*
 * Lifecycle of a struct nft_flow_rule: create, query stats, destroy, commit.
 *
 * NOTE(review): the failure convention of nft_flow_rule_create() (NULL or
 * an error-encoded pointer) is not visible in this header; check the
 * definition before testing the result, because the wrong test lets an
 * invalid pointer through to nft_flow_rule_destroy() and other users.
 */
struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
int nft_flow_rule_stats(const struct nft_chain *chain, const struct nft_rule *rule);
void nft_flow_rule_destroy(struct nft_flow_rule *flow);
int nft_flow_rule_offload_commit(struct net *net);
78 
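/*
 * NFT_OFFLOAD_MATCH_FLAGS - describe in @__reg where a match lives in
 * struct nft_flow_key.
 *
 * @__key:    value stored in (__reg)->key
 * @__base:   member of struct nft_flow_key; its offset goes to base_offset
 * @__field:  member of @__base; the offset of __base.__field goes to offset
 * @__len:    value stored in (__reg)->len
 * @__reg:    pointer to the struct nft_offload_reg to fill
 * @__flags:  value stored in (__reg)->flags
 *
 * The body is wrapped in do { } while (0) so that the macro expands to a
 * single statement: used under an unbraced if/else, the bare statement list
 * would make only the first assignment conditional and leave the register
 * half-initialised. Call sites must end the invocation with a semicolon.
 * @__reg is evaluated several times, so pass an expression without side
 * effects.
 */
#define NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, __flags)	\
	do {									\
		(__reg)->base_offset	=					\
			offsetof(struct nft_flow_key, __base);			\
		(__reg)->offset		=					\
			offsetof(struct nft_flow_key, __base.__field);		\
		(__reg)->len		= (__len);				\
		(__reg)->key		= (__key);				\
		(__reg)->flags		= (__flags);				\
	} while (0)

/* Same as NFT_OFFLOAD_MATCH_FLAGS with flags set to 0. */
#define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg)		\
	NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, 0)

/*
 * NFT_OFFLOAD_MATCH_EXACT - NFT_OFFLOAD_MATCH plus an all-ones mask over the
 * first len bytes of (__reg)->mask.
 *
 * Nothing here checks @__len against sizeof((__reg)->mask): the caller must
 * keep it within the mask, otherwise the memset() writes past the member.
 */
#define NFT_OFFLOAD_MATCH_EXACT(__key, __base, __field, __len, __reg)	\
	do {								\
		NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg);	\
		memset(&(__reg)->mask, 0xff, (__reg)->len);		\
	} while (0)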
94 
/*
 * Reports whether @basechain can be offloaded. The criteria are in the
 * definition, which is not part of this header.
 */
bool nft_chain_offload_support(const struct nft_base_chain *basechain);

/*
 * Set-up and tear-down entry points for the offload code.
 * nft_offload_init() returns an int; NOTE(review): presumably 0 on success
 * and a negative errno on failure, as is usual for kernel init functions.
 * Confirm in the definition.
 */
int nft_offload_init(void);
void nft_offload_exit(void);
99 
100 #endif
101