logo

oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

nf_tables.h (58448B)

    

  1. /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
  2. #ifndef _LINUX_NF_TABLES_H
  3. #define _LINUX_NF_TABLES_H
  5. #define NFT_NAME_MAXLEN		256
  6. #define NFT_TABLE_MAXNAMELEN	NFT_NAME_MAXLEN
  7. #define NFT_CHAIN_MAXNAMELEN	NFT_NAME_MAXLEN
  8. #define NFT_SET_MAXNAMELEN	NFT_NAME_MAXLEN
  9. #define NFT_OBJ_MAXNAMELEN	NFT_NAME_MAXLEN
  10. #define NFT_USERDATA_MAXLEN	256
  11. #define NFT_OSF_MAXGENRELEN	16
  13. /**
  14.  * enum nft_registers - nf_tables registers
  15.  *
  16.  * nf_tables used to have five registers: a verdict register and four data
  17.  * registers of size 16. The data registers have been changed to 16 registers
  18.  * of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
  19.  * map to areas of size 16, the 4 byte registers are addressed using
  20.  * NFT_REG32_00 - NFT_REG32_15.
  21.  */
  22. enum nft_registers {
  23. 	NFT_REG_VERDICT,
  24. 	NFT_REG_1,
  25. 	NFT_REG_2,
  26. 	NFT_REG_3,
  27. 	NFT_REG_4,
  28. 	__NFT_REG_MAX,
  30. 	NFT_REG32_00	= 8,
  31. 	NFT_REG32_01,
  32. 	NFT_REG32_02,
  33. 	NFT_REG32_03,
  34. 	NFT_REG32_04,
  35. 	NFT_REG32_05,
  36. 	NFT_REG32_06,
  37. 	NFT_REG32_07,
  38. 	NFT_REG32_08,
  39. 	NFT_REG32_09,
  40. 	NFT_REG32_10,
  41. 	NFT_REG32_11,
  42. 	NFT_REG32_12,
  43. 	NFT_REG32_13,
  44. 	NFT_REG32_14,
  45. 	NFT_REG32_15,
  46. };
  47. #define NFT_REG_MAX	(__NFT_REG_MAX - 1)
  49. #define NFT_REG_SIZE	16
  50. #define NFT_REG32_SIZE	4
  51. #define NFT_REG32_COUNT	(NFT_REG32_15 - NFT_REG32_00 + 1)
  53. /**
  54.  * enum nft_verdicts - nf_tables internal verdicts
  55.  *
  56.  * @NFT_CONTINUE: continue evaluation of the current rule
  57.  * @NFT_BREAK: terminate evaluation of the current rule
  58.  * @NFT_JUMP: push the current chain on the jump stack and jump to a chain
  59.  * @NFT_GOTO: jump to a chain without pushing the current chain on the jump stack
  60.  * @NFT_RETURN: return to the topmost chain on the jump stack
  61.  *
  62.  * The nf_tables verdicts share their numeric space with the netfilter verdicts.
  63.  */
  64. enum nft_verdicts {
  65. 	NFT_CONTINUE	= -1,
  66. 	NFT_BREAK	= -2,
  67. 	NFT_JUMP	= -3,
  68. 	NFT_GOTO	= -4,
  69. 	NFT_RETURN	= -5,
  70. };
  72. /**
  73.  * enum nf_tables_msg_types - nf_tables netlink message types
  74.  *
  75.  * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes)
  76.  * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes)
  77.  * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes)
  78.  * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes)
  79.  * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes)
  80.  * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes)
  81.  * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes)
  82.  * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes)
  83.  * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes)
  84.  * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes)
  85.  * @NFT_MSG_GETSET: get a set (enum nft_set_attributes)
  86.  * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes)
  87.  * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
  88.  * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
  89.  * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
  90.  * @NFT_MSG_NEWGEN: announce a new generation, only for events (enum nft_gen_attributes)
  91.  * @NFT_MSG_GETGEN: get the rule-set generation (enum nft_gen_attributes)
  92.  * @NFT_MSG_TRACE: trace event (enum nft_trace_attributes)
  93.  * @NFT_MSG_NEWOBJ: create a stateful object (enum nft_obj_attributes)
  94.  * @NFT_MSG_GETOBJ: get a stateful object (enum nft_obj_attributes)
  95.  * @NFT_MSG_DELOBJ: delete a stateful object (enum nft_obj_attributes)
  96.  * @NFT_MSG_GETOBJ_RESET: get and reset a stateful object (enum nft_obj_attributes)
  97.  * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
  98.  * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
  99.  * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
  100.  * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
  101.  * @NFT_MSG_DESTROYTABLE: destroy a table (enum nft_table_attributes)
  102.  * @NFT_MSG_DESTROYCHAIN: destroy a chain (enum nft_chain_attributes)
  103.  * @NFT_MSG_DESTROYRULE: destroy a rule (enum nft_rule_attributes)
  104.  * @NFT_MSG_DESTROYSET: destroy a set (enum nft_set_attributes)
  105.  * @NFT_MSG_DESTROYSETELEM: destroy a set element (enum nft_set_elem_attributes)
  106.  * @NFT_MSG_DESTROYOBJ: destroy a stateful object (enum nft_object_attributes)
  107.  * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table (enum nft_flowtable_attributes)
  108.  * @NFT_MSG_GETSETELEM_RESET: get set elements and reset attached stateful expressions (enum nft_set_elem_attributes)
  109.  */
  110. enum nf_tables_msg_types {
  111. 	NFT_MSG_NEWTABLE,
  112. 	NFT_MSG_GETTABLE,
  113. 	NFT_MSG_DELTABLE,
  114. 	NFT_MSG_NEWCHAIN,
  115. 	NFT_MSG_GETCHAIN,
  116. 	NFT_MSG_DELCHAIN,
  117. 	NFT_MSG_NEWRULE,
  118. 	NFT_MSG_GETRULE,
  119. 	NFT_MSG_DELRULE,
  120. 	NFT_MSG_NEWSET,
  121. 	NFT_MSG_GETSET,
  122. 	NFT_MSG_DELSET,
  123. 	NFT_MSG_NEWSETELEM,
  124. 	NFT_MSG_GETSETELEM,
  125. 	NFT_MSG_DELSETELEM,
  126. 	NFT_MSG_NEWGEN,
  127. 	NFT_MSG_GETGEN,
  128. 	NFT_MSG_TRACE,
  129. 	NFT_MSG_NEWOBJ,
  130. 	NFT_MSG_GETOBJ,
  131. 	NFT_MSG_DELOBJ,
  132. 	NFT_MSG_GETOBJ_RESET,
  133. 	NFT_MSG_NEWFLOWTABLE,
  134. 	NFT_MSG_GETFLOWTABLE,
  135. 	NFT_MSG_DELFLOWTABLE,
  136. 	NFT_MSG_GETRULE_RESET,
  137. 	NFT_MSG_DESTROYTABLE,
  138. 	NFT_MSG_DESTROYCHAIN,
  139. 	NFT_MSG_DESTROYRULE,
  140. 	NFT_MSG_DESTROYSET,
  141. 	NFT_MSG_DESTROYSETELEM,
  142. 	NFT_MSG_DESTROYOBJ,
  143. 	NFT_MSG_DESTROYFLOWTABLE,
  144. 	NFT_MSG_GETSETELEM_RESET,
  145. 	NFT_MSG_MAX,
  146. };
  148. /**
  149.  * enum nft_list_attributes - nf_tables generic list netlink attributes
  150.  *
  151.  * @NFTA_LIST_ELEM: list element (NLA_NESTED)
  152.  */
  153. enum nft_list_attributes {
  154. 	NFTA_LIST_UNSPEC,
  155. 	NFTA_LIST_ELEM,
  156. 	__NFTA_LIST_MAX
  157. };
  158. #define NFTA_LIST_MAX		(__NFTA_LIST_MAX - 1)
  160. /**
  161.  * enum nft_hook_attributes - nf_tables netfilter hook netlink attributes
  162.  *
  163.  * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
  164.  * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
  165.  * @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
  166.  * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
  167.  */
  168. enum nft_hook_attributes {
  169. 	NFTA_HOOK_UNSPEC,
  170. 	NFTA_HOOK_HOOKNUM,
  171. 	NFTA_HOOK_PRIORITY,
  172. 	NFTA_HOOK_DEV,
  173. 	NFTA_HOOK_DEVS,
  174. 	__NFTA_HOOK_MAX
  175. };
  176. #define NFTA_HOOK_MAX		(__NFTA_HOOK_MAX - 1)
  178. /**
  179.  * enum nft_table_flags - nf_tables table flags
  180.  *
  181.  * @NFT_TABLE_F_DORMANT: this table is not active
  182.  * @NFT_TABLE_F_OWNER:   this table is owned by a process
  183.  * @NFT_TABLE_F_PERSIST: this table shall outlive its owner
  184.  */
  185. enum nft_table_flags {
  186. 	NFT_TABLE_F_DORMANT	= 0x1,
  187. 	NFT_TABLE_F_OWNER	= 0x2,
  188. 	NFT_TABLE_F_PERSIST	= 0x4,
  189. };
  190. #define NFT_TABLE_F_MASK	(NFT_TABLE_F_DORMANT | \
  191. 				 NFT_TABLE_F_OWNER | \
  192. 				 NFT_TABLE_F_PERSIST)
  194. /**
  195.  * enum nft_table_attributes - nf_tables table netlink attributes
  196.  *
  197.  * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
  198.  * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
  199.  * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
  200.  * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
  201.  * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
  202.  */
  203. enum nft_table_attributes {
  204. 	NFTA_TABLE_UNSPEC,
  205. 	NFTA_TABLE_NAME,
  206. 	NFTA_TABLE_FLAGS,
  207. 	NFTA_TABLE_USE,
  208. 	NFTA_TABLE_HANDLE,
  209. 	NFTA_TABLE_PAD,
  210. 	NFTA_TABLE_USERDATA,
  211. 	NFTA_TABLE_OWNER,
  212. 	__NFTA_TABLE_MAX
  213. };
  214. #define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)
  216. enum nft_chain_flags {
  217. 	NFT_CHAIN_BASE		= (1 << 0),
  218. 	NFT_CHAIN_HW_OFFLOAD	= (1 << 1),
  219. 	NFT_CHAIN_BINDING	= (1 << 2),
  220. };
  221. #define NFT_CHAIN_FLAGS		(NFT_CHAIN_BASE		| \
  222. 				 NFT_CHAIN_HW_OFFLOAD	| \
  223. 				 NFT_CHAIN_BINDING)
  225. /**
  226.  * enum nft_chain_attributes - nf_tables chain netlink attributes
  227.  *
  228.  * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
  229.  * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
  230.  * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
  231.  * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
  232.  * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
  233.  * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
  234.  * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
  235.  * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
  236.  * @NFTA_CHAIN_FLAGS: chain flags
  237.  * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
  238.  * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
  239.  */
  240. enum nft_chain_attributes {
  241. 	NFTA_CHAIN_UNSPEC,
  242. 	NFTA_CHAIN_TABLE,
  243. 	NFTA_CHAIN_HANDLE,
  244. 	NFTA_CHAIN_NAME,
  245. 	NFTA_CHAIN_HOOK,
  246. 	NFTA_CHAIN_POLICY,
  247. 	NFTA_CHAIN_USE,
  248. 	NFTA_CHAIN_TYPE,
  249. 	NFTA_CHAIN_COUNTERS,
  250. 	NFTA_CHAIN_PAD,
  251. 	NFTA_CHAIN_FLAGS,
  252. 	NFTA_CHAIN_ID,
  253. 	NFTA_CHAIN_USERDATA,
  254. 	__NFTA_CHAIN_MAX
  255. };
  256. #define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)
  258. /**
  259.  * enum nft_rule_attributes - nf_tables rule netlink attributes
  260.  *
  261.  * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
  262.  * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
  263.  * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
  264.  * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
  265.  * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
  266.  * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
  267.  * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
  268.  * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
  269.  * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
  270.  * @NFTA_RULE_CHAIN_ID: add the rule to chain by ID, alternative to @NFTA_RULE_CHAIN (NLA_U32)
  271.  */
  272. enum nft_rule_attributes {
  273. 	NFTA_RULE_UNSPEC,
  274. 	NFTA_RULE_TABLE,
  275. 	NFTA_RULE_CHAIN,
  276. 	NFTA_RULE_HANDLE,
  277. 	NFTA_RULE_EXPRESSIONS,
  278. 	NFTA_RULE_COMPAT,
  279. 	NFTA_RULE_POSITION,
  280. 	NFTA_RULE_USERDATA,
  281. 	NFTA_RULE_PAD,
  282. 	NFTA_RULE_ID,
  283. 	NFTA_RULE_POSITION_ID,
  284. 	NFTA_RULE_CHAIN_ID,
  285. 	__NFTA_RULE_MAX
  286. };
  287. #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
  289. /**
  290.  * enum nft_rule_compat_flags - nf_tables rule compat flags
  291.  *
  292.  * @NFT_RULE_COMPAT_F_UNUSED: unused
  293.  * @NFT_RULE_COMPAT_F_INV: invert the check result
  294.  */
  295. enum nft_rule_compat_flags {
  296. 	NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
  297. 	NFT_RULE_COMPAT_F_INV	= (1 << 1),
  298. 	NFT_RULE_COMPAT_F_MASK	= NFT_RULE_COMPAT_F_INV,
  299. };
  301. /**
  302.  * enum nft_rule_compat_attributes - nf_tables rule compat attributes
  303.  *
  304.  * @NFTA_RULE_COMPAT_PROTO: numeric value of handled protocol (NLA_U32)
  305.  * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
  306.  */
  307. enum nft_rule_compat_attributes {
  308. 	NFTA_RULE_COMPAT_UNSPEC,
  309. 	NFTA_RULE_COMPAT_PROTO,
  310. 	NFTA_RULE_COMPAT_FLAGS,
  311. 	__NFTA_RULE_COMPAT_MAX
  312. };
  313. #define NFTA_RULE_COMPAT_MAX	(__NFTA_RULE_COMPAT_MAX - 1)
  315. /**
  316.  * enum nft_set_flags - nf_tables set flags
  317.  *
  318.  * @NFT_SET_ANONYMOUS: name allocation, automatic cleanup on unlink
  319.  * @NFT_SET_CONSTANT: set contents may not change while bound
  320.  * @NFT_SET_INTERVAL: set contains intervals
  321.  * @NFT_SET_MAP: set is used as a dictionary
  322.  * @NFT_SET_TIMEOUT: set uses timeouts
  323.  * @NFT_SET_EVAL: set can be updated from the evaluation path
  324.  * @NFT_SET_OBJECT: set contains stateful objects
  325.  * @NFT_SET_CONCAT: set contains a concatenation
  326.  * @NFT_SET_EXPR: set contains expressions
  327.  */
  328. enum nft_set_flags {
  329. 	NFT_SET_ANONYMOUS		= 0x1,
  330. 	NFT_SET_CONSTANT		= 0x2,
  331. 	NFT_SET_INTERVAL		= 0x4,
  332. 	NFT_SET_MAP			= 0x8,
  333. 	NFT_SET_TIMEOUT			= 0x10,
  334. 	NFT_SET_EVAL			= 0x20,
  335. 	NFT_SET_OBJECT			= 0x40,
  336. 	NFT_SET_CONCAT			= 0x80,
  337. 	NFT_SET_EXPR			= 0x100,
  338. };
  340. /**
  341.  * enum nft_set_policies - set selection policy
  342.  *
  343.  * @NFT_SET_POL_PERFORMANCE: prefer high performance over low memory use
  344.  * @NFT_SET_POL_MEMORY: prefer low memory use over high performance
  345.  */
  346. enum nft_set_policies {
  347. 	NFT_SET_POL_PERFORMANCE,
  348. 	NFT_SET_POL_MEMORY,
  349. };
  351. /**
  352.  * enum nft_set_desc_attributes - set element description
  353.  *
  354.  * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
  355.  * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
  356.  */
  357. enum nft_set_desc_attributes {
  358. 	NFTA_SET_DESC_UNSPEC,
  359. 	NFTA_SET_DESC_SIZE,
  360. 	NFTA_SET_DESC_CONCAT,
  361. 	__NFTA_SET_DESC_MAX
  362. };
  363. #define NFTA_SET_DESC_MAX	(__NFTA_SET_DESC_MAX - 1)
  365. /**
  366.  * enum nft_set_field_attributes - attributes of concatenated fields
  367.  *
  368.  * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
  369.  */
  370. enum nft_set_field_attributes {
  371. 	NFTA_SET_FIELD_UNSPEC,
  372. 	NFTA_SET_FIELD_LEN,
  373. 	__NFTA_SET_FIELD_MAX
  374. };
  375. #define NFTA_SET_FIELD_MAX	(__NFTA_SET_FIELD_MAX - 1)
  377. /**
  378.  * enum nft_set_attributes - nf_tables set netlink attributes
  379.  *
  380.  * @NFTA_SET_TABLE: table name (NLA_STRING)
  381.  * @NFTA_SET_NAME: set name (NLA_STRING)
  382.  * @NFTA_SET_FLAGS: bitmask of enum nft_set_flags (NLA_U32)
  383.  * @NFTA_SET_KEY_TYPE: key data type, informational purpose only (NLA_U32)
  384.  * @NFTA_SET_KEY_LEN: key data length (NLA_U32)
  385.  * @NFTA_SET_DATA_TYPE: mapping data type (NLA_U32)
  386.  * @NFTA_SET_DATA_LEN: mapping data length (NLA_U32)
  387.  * @NFTA_SET_POLICY: selection policy (NLA_U32)
  388.  * @NFTA_SET_DESC: set description (NLA_NESTED)
  389.  * @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
  390.  * @NFTA_SET_TIMEOUT: default timeout value (NLA_U64)
  391.  * @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
  392.  * @NFTA_SET_USERDATA: user data (NLA_BINARY)
  393.  * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
  394.  * @NFTA_SET_HANDLE: set handle (NLA_U64)
  395.  * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
  396.  * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
  397.  */
  398. enum nft_set_attributes {
  399. 	NFTA_SET_UNSPEC,
  400. 	NFTA_SET_TABLE,
  401. 	NFTA_SET_NAME,
  402. 	NFTA_SET_FLAGS,
  403. 	NFTA_SET_KEY_TYPE,
  404. 	NFTA_SET_KEY_LEN,
  405. 	NFTA_SET_DATA_TYPE,
  406. 	NFTA_SET_DATA_LEN,
  407. 	NFTA_SET_POLICY,
  408. 	NFTA_SET_DESC,
  409. 	NFTA_SET_ID,
  410. 	NFTA_SET_TIMEOUT,
  411. 	NFTA_SET_GC_INTERVAL,
  412. 	NFTA_SET_USERDATA,
  413. 	NFTA_SET_PAD,
  414. 	NFTA_SET_OBJ_TYPE,
  415. 	NFTA_SET_HANDLE,
  416. 	NFTA_SET_EXPR,
  417. 	NFTA_SET_EXPRESSIONS,
  418. 	__NFTA_SET_MAX
  419. };
  420. #define NFTA_SET_MAX		(__NFTA_SET_MAX - 1)
  422. /**
  423.  * enum nft_set_elem_flags - nf_tables set element flags
  424.  *
  425.  * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
  426.  * @NFT_SET_ELEM_CATCHALL: special catch-all element
  427.  */
  428. enum nft_set_elem_flags {
  429. 	NFT_SET_ELEM_INTERVAL_END	= 0x1,
  430. 	NFT_SET_ELEM_CATCHALL		= 0x2,
  431. };
  433. /**
  434.  * enum nft_set_elem_attributes - nf_tables set element netlink attributes
  435.  *
  436.  * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
  437.  * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
  438.  * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
  439.  * @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
  440.  * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
  441.  * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
  442.  * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
  443.  * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
  444.  * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
  445.  * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
  446.  */
  447. enum nft_set_elem_attributes {
  448. 	NFTA_SET_ELEM_UNSPEC,
  449. 	NFTA_SET_ELEM_KEY,
  450. 	NFTA_SET_ELEM_DATA,
  451. 	NFTA_SET_ELEM_FLAGS,
  452. 	NFTA_SET_ELEM_TIMEOUT,
  453. 	NFTA_SET_ELEM_EXPIRATION,
  454. 	NFTA_SET_ELEM_USERDATA,
  455. 	NFTA_SET_ELEM_EXPR,
  456. 	NFTA_SET_ELEM_PAD,
  457. 	NFTA_SET_ELEM_OBJREF,
  458. 	NFTA_SET_ELEM_KEY_END,
  459. 	NFTA_SET_ELEM_EXPRESSIONS,
  460. 	__NFTA_SET_ELEM_MAX
  461. };
  462. #define NFTA_SET_ELEM_MAX	(__NFTA_SET_ELEM_MAX - 1)
  464. /**
  465.  * enum nft_set_elem_list_attributes - nf_tables set element list netlink attributes
  466.  *
  467.  * @NFTA_SET_ELEM_LIST_TABLE: table of the set to be changed (NLA_STRING)
  468.  * @NFTA_SET_ELEM_LIST_SET: name of the set to be changed (NLA_STRING)
  469.  * @NFTA_SET_ELEM_LIST_ELEMENTS: list of set elements (NLA_NESTED: nft_set_elem_attributes)
  470.  * @NFTA_SET_ELEM_LIST_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
  471.  */
  472. enum nft_set_elem_list_attributes {
  473. 	NFTA_SET_ELEM_LIST_UNSPEC,
  474. 	NFTA_SET_ELEM_LIST_TABLE,
  475. 	NFTA_SET_ELEM_LIST_SET,
  476. 	NFTA_SET_ELEM_LIST_ELEMENTS,
  477. 	NFTA_SET_ELEM_LIST_SET_ID,
  478. 	__NFTA_SET_ELEM_LIST_MAX
  479. };
  480. #define NFTA_SET_ELEM_LIST_MAX	(__NFTA_SET_ELEM_LIST_MAX - 1)
  482. /**
  483.  * enum nft_data_types - nf_tables data types
  484.  *
  485.  * @NFT_DATA_VALUE: generic data
  486.  * @NFT_DATA_VERDICT: netfilter verdict
  487.  *
  488.  * The type of data is usually determined by the kernel directly and is not
  489.  * explicitly specified by userspace. The only difference are sets, where
  490.  * userspace specifies the key and mapping data types.
  491.  *
  492.  * The values 0xffffff00-0xffffffff are reserved for internally used types.
  493.  * The remaining range can be freely used by userspace to encode types, all
  494.  * values are equivalent to NFT_DATA_VALUE.
  495.  */
  496. enum nft_data_types {
  497. 	NFT_DATA_VALUE,
  498. 	NFT_DATA_VERDICT	= 0xffffff00U,
  499. };
  501. #define NFT_DATA_RESERVED_MASK	0xffffff00U
  503. /**
  504.  * enum nft_data_attributes - nf_tables data netlink attributes
  505.  *
  506.  * @NFTA_DATA_VALUE: generic data (NLA_BINARY)
  507.  * @NFTA_DATA_VERDICT: nf_tables verdict (NLA_NESTED: nft_verdict_attributes)
  508.  */
  509. enum nft_data_attributes {
  510. 	NFTA_DATA_UNSPEC,
  511. 	NFTA_DATA_VALUE,
  512. 	NFTA_DATA_VERDICT,
  513. 	__NFTA_DATA_MAX
  514. };
  515. #define NFTA_DATA_MAX		(__NFTA_DATA_MAX - 1)
  517. /* Maximum length of a value */
  518. #define NFT_DATA_VALUE_MAXLEN	64
  520. /**
  521.  * enum nft_verdict_attributes - nf_tables verdict netlink attributes
  522.  *
  523.  * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
  524.  * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
  525.  * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
  526.  */
  527. enum nft_verdict_attributes {
  528. 	NFTA_VERDICT_UNSPEC,
  529. 	NFTA_VERDICT_CODE,
  530. 	NFTA_VERDICT_CHAIN,
  531. 	NFTA_VERDICT_CHAIN_ID,
  532. 	__NFTA_VERDICT_MAX
  533. };
  534. #define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)
  536. /**
  537.  * enum nft_expr_attributes - nf_tables expression netlink attributes
  538.  *
  539.  * @NFTA_EXPR_NAME: name of the expression type (NLA_STRING)
  540.  * @NFTA_EXPR_DATA: type specific data (NLA_NESTED)
  541.  */
  542. enum nft_expr_attributes {
  543. 	NFTA_EXPR_UNSPEC,
  544. 	NFTA_EXPR_NAME,
  545. 	NFTA_EXPR_DATA,
  546. 	__NFTA_EXPR_MAX
  547. };
  548. #define NFTA_EXPR_MAX		(__NFTA_EXPR_MAX - 1)
  550. /**
  551.  * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
  552.  *
  553.  * @NFTA_IMMEDIATE_DREG: destination register to load data into (NLA_U32)
  554.  * @NFTA_IMMEDIATE_DATA: data to load (NLA_NESTED: nft_data_attributes)
  555.  */
  556. enum nft_immediate_attributes {
  557. 	NFTA_IMMEDIATE_UNSPEC,
  558. 	NFTA_IMMEDIATE_DREG,
  559. 	NFTA_IMMEDIATE_DATA,
  560. 	__NFTA_IMMEDIATE_MAX
  561. };
  562. #define NFTA_IMMEDIATE_MAX	(__NFTA_IMMEDIATE_MAX - 1)
  564. /**
  565.  * enum nft_bitwise_ops - nf_tables bitwise operations
  566.  *
  567.  * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
  568.  *                    XOR boolean operations
  569.  * @NFT_BITWISE_LSHIFT: left-shift operation
  570.  * @NFT_BITWISE_RSHIFT: right-shift operation
  571.  */
  572. enum nft_bitwise_ops {
  573. 	NFT_BITWISE_BOOL,
  574. 	NFT_BITWISE_LSHIFT,
  575. 	NFT_BITWISE_RSHIFT,
  576. };
  578. /**
  579.  * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
  580.  *
  581.  * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
  582.  * @NFTA_BITWISE_DREG: destination register (NLA_U32: nft_registers)
  583.  * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
  584.  * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
  585.  * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
  586.  * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
  587.  * @NFTA_BITWISE_DATA: argument for non-boolean operations
  588.  *                     (NLA_NESTED: nft_data_attributes)
  589.  *
  590.  * The bitwise expression supports boolean and shift operations.  It implements
  591.  * the boolean operations by performing the following operation:
  592.  *
  593.  * dreg = (sreg & mask) ^ xor
  594.  *
  595.  * with these mask and xor values:
  596.  *
  597.  * 		mask	xor
  598.  * NOT:		1	1
  599.  * OR:		~x	x
  600.  * XOR:		1	x
  601.  * AND:		x	0
  602.  */
  603. enum nft_bitwise_attributes {
  604. 	NFTA_BITWISE_UNSPEC,
  605. 	NFTA_BITWISE_SREG,
  606. 	NFTA_BITWISE_DREG,
  607. 	NFTA_BITWISE_LEN,
  608. 	NFTA_BITWISE_MASK,
  609. 	NFTA_BITWISE_XOR,
  610. 	NFTA_BITWISE_OP,
  611. 	NFTA_BITWISE_DATA,
  612. 	__NFTA_BITWISE_MAX
  613. };
  614. #define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)
  616. /**
  617.  * enum nft_byteorder_ops - nf_tables byteorder operators
  618.  *
  619.  * @NFT_BYTEORDER_NTOH: network to host operator
  620.  * @NFT_BYTEORDER_HTON: host to network operator
  621.  */
  622. enum nft_byteorder_ops {
  623. 	NFT_BYTEORDER_NTOH,
  624. 	NFT_BYTEORDER_HTON,
  625. };
  627. /**
  628.  * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes
  629.  *
  630.  * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers)
  631.  * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers)
  632.  * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops)
  633.  * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32)
  634.  * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4)
  635.  */
  636. enum nft_byteorder_attributes {
  637. 	NFTA_BYTEORDER_UNSPEC,
  638. 	NFTA_BYTEORDER_SREG,
  639. 	NFTA_BYTEORDER_DREG,
  640. 	NFTA_BYTEORDER_OP,
  641. 	NFTA_BYTEORDER_LEN,
  642. 	NFTA_BYTEORDER_SIZE,
  643. 	__NFTA_BYTEORDER_MAX
  644. };
  645. #define NFTA_BYTEORDER_MAX	(__NFTA_BYTEORDER_MAX - 1)
  647. /**
  648.  * enum nft_cmp_ops - nf_tables relational operator
  649.  *
  650.  * @NFT_CMP_EQ: equal
  651.  * @NFT_CMP_NEQ: not equal
  652.  * @NFT_CMP_LT: less than
  653.  * @NFT_CMP_LTE: less than or equal to
  654.  * @NFT_CMP_GT: greater than
  655.  * @NFT_CMP_GTE: greater than or equal to
  656.  */
  657. enum nft_cmp_ops {
  658. 	NFT_CMP_EQ,
  659. 	NFT_CMP_NEQ,
  660. 	NFT_CMP_LT,
  661. 	NFT_CMP_LTE,
  662. 	NFT_CMP_GT,
  663. 	NFT_CMP_GTE,
  664. };
  666. /**
  667.  * enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
  668.  *
  669.  * @NFTA_CMP_SREG: source register of data to compare (NLA_U32: nft_registers)
  670.  * @NFTA_CMP_OP: cmp operation (NLA_U32: nft_cmp_ops)
  671.  * @NFTA_CMP_DATA: data to compare against (NLA_NESTED: nft_data_attributes)
  672.  */
  673. enum nft_cmp_attributes {
  674. 	NFTA_CMP_UNSPEC,
  675. 	NFTA_CMP_SREG,
  676. 	NFTA_CMP_OP,
  677. 	NFTA_CMP_DATA,
  678. 	__NFTA_CMP_MAX
  679. };
  680. #define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)
  682. /**
  683.  * enum nft_range_ops - nf_tables range operator
  684.  *
  685.  * @NFT_RANGE_EQ: equal
  686.  * @NFT_RANGE_NEQ: not equal
  687.  */
  688. enum nft_range_ops {
  689. 	NFT_RANGE_EQ,
  690. 	NFT_RANGE_NEQ,
  691. };
  693. /**
  694.  * enum nft_range_attributes - nf_tables range expression netlink attributes
  695.  *
  696.  * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
  697.  * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_range_ops)
  698.  * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
  699.  * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
  700.  */
  701. enum nft_range_attributes {
  702. 	NFTA_RANGE_UNSPEC,
  703. 	NFTA_RANGE_SREG,
  704. 	NFTA_RANGE_OP,
  705. 	NFTA_RANGE_FROM_DATA,
  706. 	NFTA_RANGE_TO_DATA,
  707. 	__NFTA_RANGE_MAX
  708. };
  709. #define NFTA_RANGE_MAX		(__NFTA_RANGE_MAX - 1)
  711. enum nft_lookup_flags {
  712. 	NFT_LOOKUP_F_INV = (1 << 0),
  713. };
  715. /**
  716.  * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
  717.  *
  718.  * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
  719.  * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
  720.  * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
  721.  * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
  722.  * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
  723.  */
  724. enum nft_lookup_attributes {
  725. 	NFTA_LOOKUP_UNSPEC,
  726. 	NFTA_LOOKUP_SET,
  727. 	NFTA_LOOKUP_SREG,
  728. 	NFTA_LOOKUP_DREG,
  729. 	NFTA_LOOKUP_SET_ID,
  730. 	NFTA_LOOKUP_FLAGS,
  731. 	__NFTA_LOOKUP_MAX
  732. };
  733. #define NFTA_LOOKUP_MAX		(__NFTA_LOOKUP_MAX - 1)
  735. enum nft_dynset_ops {
  736. 	NFT_DYNSET_OP_ADD,
  737. 	NFT_DYNSET_OP_UPDATE,
  738. 	NFT_DYNSET_OP_DELETE,
  739. };
  741. enum nft_dynset_flags {
  742. 	NFT_DYNSET_F_INV	= (1 << 0),
  743. 	NFT_DYNSET_F_EXPR	= (1 << 1),
  744. };
  746. /**
  747.  * enum nft_dynset_attributes - dynset expression attributes
  748.  *
  749.  * @NFTA_DYNSET_SET_NAME: name of set the to add data to (NLA_STRING)
  750.  * @NFTA_DYNSET_SET_ID: uniquely identifier of the set in the transaction (NLA_U32)
  751.  * @NFTA_DYNSET_OP: operation (NLA_U32)
  752.  * @NFTA_DYNSET_SREG_KEY: source register of the key (NLA_U32)
  753.  * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32)
  754.  * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
  755.  * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
  756.  * @NFTA_DYNSET_FLAGS: flags (NLA_U32)
  757.  * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
  758.  */
  759. enum nft_dynset_attributes {
  760. 	NFTA_DYNSET_UNSPEC,
  761. 	NFTA_DYNSET_SET_NAME,
  762. 	NFTA_DYNSET_SET_ID,
  763. 	NFTA_DYNSET_OP,
  764. 	NFTA_DYNSET_SREG_KEY,
  765. 	NFTA_DYNSET_SREG_DATA,
  766. 	NFTA_DYNSET_TIMEOUT,
  767. 	NFTA_DYNSET_EXPR,
  768. 	NFTA_DYNSET_PAD,
  769. 	NFTA_DYNSET_FLAGS,
  770. 	NFTA_DYNSET_EXPRESSIONS,
  771. 	__NFTA_DYNSET_MAX,
  772. };
  773. #define NFTA_DYNSET_MAX		(__NFTA_DYNSET_MAX - 1)
  775. /**
  776.  * enum nft_payload_bases - nf_tables payload expression offset bases
  777.  *
  778.  * @NFT_PAYLOAD_LL_HEADER: link layer header
  779.  * @NFT_PAYLOAD_NETWORK_HEADER: network header
  780.  * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
  781.  * @NFT_PAYLOAD_INNER_HEADER: inner header / payload
  782.  */
  783. enum nft_payload_bases {
  784. 	NFT_PAYLOAD_LL_HEADER,
  785. 	NFT_PAYLOAD_NETWORK_HEADER,
  786. 	NFT_PAYLOAD_TRANSPORT_HEADER,
  787. 	NFT_PAYLOAD_INNER_HEADER,
  788. 	NFT_PAYLOAD_TUN_HEADER,
  789. };
  791. /**
  792.  * enum nft_payload_csum_types - nf_tables payload expression checksum types
  793.  *
  794.  * @NFT_PAYLOAD_CSUM_NONE: no checksumming
  795.  * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
  796.  * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
  797.  */
  798. enum nft_payload_csum_types {
  799. 	NFT_PAYLOAD_CSUM_NONE,
  800. 	NFT_PAYLOAD_CSUM_INET,
  801. 	NFT_PAYLOAD_CSUM_SCTP,
  802. };
  804. enum nft_payload_csum_flags {
  805. 	NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
  806. };
  808. enum nft_inner_type {
  809. 	NFT_INNER_UNSPEC	= 0,
  810. 	NFT_INNER_VXLAN,
  811. 	NFT_INNER_GENEVE,
  812. };
  814. enum nft_inner_flags {
  815. 	NFT_INNER_HDRSIZE	= (1 << 0),
  816. 	NFT_INNER_LL		= (1 << 1),
  817. 	NFT_INNER_NH		= (1 << 2),
  818. 	NFT_INNER_TH		= (1 << 3),
  819. };
  820. #define NFT_INNER_MASK		(NFT_INNER_HDRSIZE | NFT_INNER_LL | \
  821. 				 NFT_INNER_NH | NFT_INNER_TH)
  823. enum nft_inner_attributes {
  824. 	NFTA_INNER_UNSPEC,
  825. 	NFTA_INNER_NUM,
  826. 	NFTA_INNER_TYPE,
  827. 	NFTA_INNER_FLAGS,
  828. 	NFTA_INNER_HDRSIZE,
  829. 	NFTA_INNER_EXPR,
  830. 	__NFTA_INNER_MAX
  831. };
  832. #define NFTA_INNER_MAX	(__NFTA_INNER_MAX - 1)
  834. /**
  835.  * enum nft_payload_attributes - nf_tables payload expression netlink attributes
  836.  *
  837.  * @NFTA_PAYLOAD_DREG: destination register to load data into (NLA_U32: nft_registers)
  838.  * @NFTA_PAYLOAD_BASE: payload base (NLA_U32: nft_payload_bases)
  839.  * @NFTA_PAYLOAD_OFFSET: payload offset relative to base (NLA_U32)
  840.  * @NFTA_PAYLOAD_LEN: payload length (NLA_U32)
  841.  * @NFTA_PAYLOAD_SREG: source register to load data from (NLA_U32: nft_registers)
  842.  * @NFTA_PAYLOAD_CSUM_TYPE: checksum type (NLA_U32)
  843.  * @NFTA_PAYLOAD_CSUM_OFFSET: checksum offset relative to base (NLA_U32)
  844.  * @NFTA_PAYLOAD_CSUM_FLAGS: checksum flags (NLA_U32)
  845.  */
  846. enum nft_payload_attributes {
  847. 	NFTA_PAYLOAD_UNSPEC,
  848. 	NFTA_PAYLOAD_DREG,
  849. 	NFTA_PAYLOAD_BASE,
  850. 	NFTA_PAYLOAD_OFFSET,
  851. 	NFTA_PAYLOAD_LEN,
  852. 	NFTA_PAYLOAD_SREG,
  853. 	NFTA_PAYLOAD_CSUM_TYPE,
  854. 	NFTA_PAYLOAD_CSUM_OFFSET,
  855. 	NFTA_PAYLOAD_CSUM_FLAGS,
  856. 	__NFTA_PAYLOAD_MAX
  857. };
  858. #define NFTA_PAYLOAD_MAX	(__NFTA_PAYLOAD_MAX - 1)
  860. enum nft_exthdr_flags {
  861. 	NFT_EXTHDR_F_PRESENT = (1 << 0),
  862. };
  864. /**
  865.  * enum nft_exthdr_op - nf_tables match options
  866.  *
  867.  * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
  868.  * @NFT_EXTHDR_OP_TCP: match against tcp options
  869.  * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
  870.  * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
  871.  * @NFT_EXTHDR_OP_DCCP: match against dccp otions
  872.  */
  873. enum nft_exthdr_op {
  874. 	NFT_EXTHDR_OP_IPV6,
  875. 	NFT_EXTHDR_OP_TCPOPT,
  876. 	NFT_EXTHDR_OP_IPV4,
  877. 	NFT_EXTHDR_OP_SCTP,
  878. 	NFT_EXTHDR_OP_DCCP,
  879. 	__NFT_EXTHDR_OP_MAX
  880. };
  881. #define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)
  883. /**
  884.  * enum nft_exthdr_attributes - nf_tables extension header expression netlink attributes
  885.  *
  886.  * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers)
  887.  * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
  888.  * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
  889.  * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
  890.  * @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32)
  891.  * @NFTA_EXTHDR_OP: option match type (NLA_U32)
  892.  * @NFTA_EXTHDR_SREG: source register (NLA_U32: nft_registers)
  893.  */
  894. enum nft_exthdr_attributes {
  895. 	NFTA_EXTHDR_UNSPEC,
  896. 	NFTA_EXTHDR_DREG,
  897. 	NFTA_EXTHDR_TYPE,
  898. 	NFTA_EXTHDR_OFFSET,
  899. 	NFTA_EXTHDR_LEN,
  900. 	NFTA_EXTHDR_FLAGS,
  901. 	NFTA_EXTHDR_OP,
  902. 	NFTA_EXTHDR_SREG,
  903. 	__NFTA_EXTHDR_MAX
  904. };
  905. #define NFTA_EXTHDR_MAX		(__NFTA_EXTHDR_MAX - 1)
  907. /**
  908.  * enum nft_meta_keys - nf_tables meta expression keys
  909.  *
  910.  * @NFT_META_LEN: packet length (skb->len)
  911.  * @NFT_META_PROTOCOL: packet ethertype protocol (skb->protocol), invalid in OUTPUT
  912.  * @NFT_META_PRIORITY: packet priority (skb->priority)
  913.  * @NFT_META_MARK: packet mark (skb->mark)
  914.  * @NFT_META_IIF: packet input interface index (dev->ifindex)
  915.  * @NFT_META_OIF: packet output interface index (dev->ifindex)
  916.  * @NFT_META_IIFNAME: packet input interface name (dev->name)
  917.  * @NFT_META_OIFNAME: packet output interface name (dev->name)
  918.  * @NFT_META_IIFTYPE: packet input interface type (dev->type)
  919.  * @NFT_META_OIFTYPE: packet output interface type (dev->type)
  920.  * @NFT_META_SKUID: originating socket UID (fsuid)
  921.  * @NFT_META_SKGID: originating socket GID (fsgid)
  922.  * @NFT_META_NFTRACE: packet nftrace bit
  923.  * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
  924.  * @NFT_META_SECMARK: packet secmark (skb->secmark)
  925.  * @NFT_META_NFPROTO: netfilter protocol
  926.  * @NFT_META_L4PROTO: layer 4 protocol number
  927.  * @NFT_META_BRI_IIFNAME: packet input bridge interface name
  928.  * @NFT_META_BRI_OIFNAME: packet output bridge interface name
  929.  * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
  930.  * @NFT_META_CPU: cpu id through smp_processor_id()
  931.  * @NFT_META_IIFGROUP: packet input interface group
  932.  * @NFT_META_OIFGROUP: packet output interface group
  933.  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  934.  * @NFT_META_PRANDOM: a 32bit pseudo-random number
  935.  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  936.  * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
  937.  * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
  938.  * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
  939.  * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
  940.  * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
  941.  * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
  942.  * @NFT_META_TIME_HOUR: hour of day (in seconds)
  943.  * @NFT_META_SDIF: slave device interface index
  944.  * @NFT_META_SDIFNAME: slave device interface name
  945.  * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
  946.  */
  947. enum nft_meta_keys {
  948. 	NFT_META_LEN,
  949. 	NFT_META_PROTOCOL,
  950. 	NFT_META_PRIORITY,
  951. 	NFT_META_MARK,
  952. 	NFT_META_IIF,
  953. 	NFT_META_OIF,
  954. 	NFT_META_IIFNAME,
  955. 	NFT_META_OIFNAME,
  956. 	NFT_META_IFTYPE,
  957. #define NFT_META_IIFTYPE	NFT_META_IFTYPE
  958. 	NFT_META_OIFTYPE,
  959. 	NFT_META_SKUID,
  960. 	NFT_META_SKGID,
  961. 	NFT_META_NFTRACE,
  962. 	NFT_META_RTCLASSID,
  963. 	NFT_META_SECMARK,
  964. 	NFT_META_NFPROTO,
  965. 	NFT_META_L4PROTO,
  966. 	NFT_META_BRI_IIFNAME,
  967. 	NFT_META_BRI_OIFNAME,
  968. 	NFT_META_PKTTYPE,
  969. 	NFT_META_CPU,
  970. 	NFT_META_IIFGROUP,
  971. 	NFT_META_OIFGROUP,
  972. 	NFT_META_CGROUP,
  973. 	NFT_META_PRANDOM,
  974. 	NFT_META_SECPATH,
  975. 	NFT_META_IIFKIND,
  976. 	NFT_META_OIFKIND,
  977. 	NFT_META_BRI_IIFPVID,
  978. 	NFT_META_BRI_IIFVPROTO,
  979. 	NFT_META_TIME_NS,
  980. 	NFT_META_TIME_DAY,
  981. 	NFT_META_TIME_HOUR,
  982. 	NFT_META_SDIF,
  983. 	NFT_META_SDIFNAME,
  984. 	NFT_META_BRI_BROUTE,
  985. 	__NFT_META_IIFTYPE,
  986. };
  988. /**
  989.  * enum nft_rt_keys - nf_tables routing expression keys
  990.  *
  991.  * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)
  992.  * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
  993.  * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
  994.  * @NFT_RT_TCPMSS: fetch current path tcp mss
  995.  * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
  996.  */
  997. enum nft_rt_keys {
  998. 	NFT_RT_CLASSID,
  999. 	NFT_RT_NEXTHOP4,
  1000. 	NFT_RT_NEXTHOP6,
  1001. 	NFT_RT_TCPMSS,
  1002. 	NFT_RT_XFRM,
  1003. 	__NFT_RT_MAX
  1004. };
  1005. #define NFT_RT_MAX		(__NFT_RT_MAX - 1)
  1007. /**
  1008.  * enum nft_hash_types - nf_tables hash expression types
  1009.  *
  1010.  * @NFT_HASH_JENKINS: Jenkins Hash
  1011.  * @NFT_HASH_SYM: Symmetric Hash
  1012.  */
  1013. enum nft_hash_types {
  1014. 	NFT_HASH_JENKINS,
  1015. 	NFT_HASH_SYM,
  1016. };
  1018. /**
  1019.  * enum nft_hash_attributes - nf_tables hash expression netlink attributes
  1020.  *
  1021.  * @NFTA_HASH_SREG: source register (NLA_U32)
  1022.  * @NFTA_HASH_DREG: destination register (NLA_U32)
  1023.  * @NFTA_HASH_LEN: source data length (NLA_U32)
  1024.  * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
  1025.  * @NFTA_HASH_SEED: seed value (NLA_U32)
  1026.  * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
  1027.  * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
  1028.  * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING)
  1029.  * @NFTA_HASH_SET_ID: id of the map (NLA_U32)
  1030.  */
  1031. enum nft_hash_attributes {
  1032. 	NFTA_HASH_UNSPEC,
  1033. 	NFTA_HASH_SREG,
  1034. 	NFTA_HASH_DREG,
  1035. 	NFTA_HASH_LEN,
  1036. 	NFTA_HASH_MODULUS,
  1037. 	NFTA_HASH_SEED,
  1038. 	NFTA_HASH_OFFSET,
  1039. 	NFTA_HASH_TYPE,
  1040. 	NFTA_HASH_SET_NAME,	/* deprecated */
  1041. 	NFTA_HASH_SET_ID,	/* deprecated */
  1042. 	__NFTA_HASH_MAX,
  1043. };
  1044. #define NFTA_HASH_MAX	(__NFTA_HASH_MAX - 1)
  1046. /**
  1047.  * enum nft_meta_attributes - nf_tables meta expression netlink attributes
  1048.  *
  1049.  * @NFTA_META_DREG: destination register (NLA_U32)
  1050.  * @NFTA_META_KEY: meta data item to load (NLA_U32: nft_meta_keys)
  1051.  * @NFTA_META_SREG: source register (NLA_U32)
  1052.  */
  1053. enum nft_meta_attributes {
  1054. 	NFTA_META_UNSPEC,
  1055. 	NFTA_META_DREG,
  1056. 	NFTA_META_KEY,
  1057. 	NFTA_META_SREG,
  1058. 	__NFTA_META_MAX
  1059. };
  1060. #define NFTA_META_MAX		(__NFTA_META_MAX - 1)
  1062. /**
  1063.  * enum nft_rt_attributes - nf_tables routing expression netlink attributes
  1064.  *
  1065.  * @NFTA_RT_DREG: destination register (NLA_U32)
  1066.  * @NFTA_RT_KEY: routing data item to load (NLA_U32: nft_rt_keys)
  1067.  */
  1068. enum nft_rt_attributes {
  1069. 	NFTA_RT_UNSPEC,
  1070. 	NFTA_RT_DREG,
  1071. 	NFTA_RT_KEY,
  1072. 	__NFTA_RT_MAX
  1073. };
  1074. #define NFTA_RT_MAX		(__NFTA_RT_MAX - 1)
  1076. /**
  1077.  * enum nft_socket_attributes - nf_tables socket expression netlink attributes
  1078.  *
  1079.  * @NFTA_SOCKET_KEY: socket key to match
  1080.  * @NFTA_SOCKET_DREG: destination register
  1081.  * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
  1082.  */
  1083. enum nft_socket_attributes {
  1084. 	NFTA_SOCKET_UNSPEC,
  1085. 	NFTA_SOCKET_KEY,
  1086. 	NFTA_SOCKET_DREG,
  1087. 	NFTA_SOCKET_LEVEL,
  1088. 	__NFTA_SOCKET_MAX
  1089. };
  1090. #define NFTA_SOCKET_MAX		(__NFTA_SOCKET_MAX - 1)
  1092. /*
  1093.  * enum nft_socket_keys - nf_tables socket expression keys
  1094.  *
  1095.  * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
  1096.  * @NFT_SOCKET_MARK: Value of the socket mark
  1097.  * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
  1098.  * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
  1099.  */
  1100. enum nft_socket_keys {
  1101. 	NFT_SOCKET_TRANSPARENT,
  1102. 	NFT_SOCKET_MARK,
  1103. 	NFT_SOCKET_WILDCARD,
  1104. 	NFT_SOCKET_CGROUPV2,
  1105. 	__NFT_SOCKET_MAX
  1106. };
  1107. #define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
  1109. /**
  1110.  * enum nft_ct_keys - nf_tables ct expression keys
  1111.  *
  1112.  * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
  1113.  * @NFT_CT_DIRECTION: conntrack direction (enum ip_conntrack_dir)
  1114.  * @NFT_CT_STATUS: conntrack status (bitmask of enum ip_conntrack_status)
  1115.  * @NFT_CT_MARK: conntrack mark value
  1116.  * @NFT_CT_SECMARK: conntrack secmark value
  1117.  * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
  1118.  * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
  1119.  * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
  1120.  * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
  1121.  * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
  1122.  * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
  1123.  * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
  1124.  * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
  1125.  * @NFT_CT_LABELS: conntrack labels
  1126.  * @NFT_CT_PKTS: conntrack packets
  1127.  * @NFT_CT_BYTES: conntrack bytes
  1128.  * @NFT_CT_AVGPKT: conntrack average bytes per packet
  1129.  * @NFT_CT_ZONE: conntrack zone
  1130.  * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
  1131.  * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
  1132.  * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
  1133.  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  1134.  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  1135.  * @NFT_CT_ID: conntrack id
  1136.  */
  1137. enum nft_ct_keys {
  1138. 	NFT_CT_STATE,
  1139. 	NFT_CT_DIRECTION,
  1140. 	NFT_CT_STATUS,
  1141. 	NFT_CT_MARK,
  1142. 	NFT_CT_SECMARK,
  1143. 	NFT_CT_EXPIRATION,
  1144. 	NFT_CT_HELPER,
  1145. 	NFT_CT_L3PROTOCOL,
  1146. 	NFT_CT_SRC,
  1147. 	NFT_CT_DST,
  1148. 	NFT_CT_PROTOCOL,
  1149. 	NFT_CT_PROTO_SRC,
  1150. 	NFT_CT_PROTO_DST,
  1151. 	NFT_CT_LABELS,
  1152. 	NFT_CT_PKTS,
  1153. 	NFT_CT_BYTES,
  1154. 	NFT_CT_AVGPKT,
  1155. 	NFT_CT_ZONE,
  1156. 	NFT_CT_EVENTMASK,
  1157. 	NFT_CT_SRC_IP,
  1158. 	NFT_CT_DST_IP,
  1159. 	NFT_CT_SRC_IP6,
  1160. 	NFT_CT_DST_IP6,
  1161. 	NFT_CT_ID,
  1162. 	__NFT_CT_MAX
  1163. };
  1164. #define NFT_CT_MAX		(__NFT_CT_MAX - 1)
  1166. /**
  1167.  * enum nft_ct_attributes - nf_tables ct expression netlink attributes
  1168.  *
  1169.  * @NFTA_CT_DREG: destination register (NLA_U32)
  1170.  * @NFTA_CT_KEY: conntrack data item to load (NLA_U32: nft_ct_keys)
  1171.  * @NFTA_CT_DIRECTION: direction in case of directional keys (NLA_U8)
  1172.  * @NFTA_CT_SREG: source register (NLA_U32)
  1173.  */
  1174. enum nft_ct_attributes {
  1175. 	NFTA_CT_UNSPEC,
  1176. 	NFTA_CT_DREG,
  1177. 	NFTA_CT_KEY,
  1178. 	NFTA_CT_DIRECTION,
  1179. 	NFTA_CT_SREG,
  1180. 	__NFTA_CT_MAX
  1181. };
  1182. #define NFTA_CT_MAX		(__NFTA_CT_MAX - 1)
  1184. /**
  1185.  * enum nft_flow_attributes - ct offload expression attributes
  1186.  * @NFTA_FLOW_TABLE_NAME: flow table name (NLA_STRING)
  1187.  */
  1188. enum nft_offload_attributes {
  1189. 	NFTA_FLOW_UNSPEC,
  1190. 	NFTA_FLOW_TABLE_NAME,
  1191. 	__NFTA_FLOW_MAX,
  1192. };
  1193. #define NFTA_FLOW_MAX		(__NFTA_FLOW_MAX - 1)
  1195. enum nft_limit_type {
  1196. 	NFT_LIMIT_PKTS,
  1197. 	NFT_LIMIT_PKT_BYTES
  1198. };
  1200. enum nft_limit_flags {
  1201. 	NFT_LIMIT_F_INV	= (1 << 0),
  1202. };
  1204. /**
  1205.  * enum nft_limit_attributes - nf_tables limit expression netlink attributes
  1206.  *
  1207.  * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
  1208.  * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
  1209.  * @NFTA_LIMIT_BURST: burst (NLA_U32)
  1210.  * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
  1211.  * @NFTA_LIMIT_FLAGS: flags (NLA_U32: enum nft_limit_flags)
  1212.  */
  1213. enum nft_limit_attributes {
  1214. 	NFTA_LIMIT_UNSPEC,
  1215. 	NFTA_LIMIT_RATE,
  1216. 	NFTA_LIMIT_UNIT,
  1217. 	NFTA_LIMIT_BURST,
  1218. 	NFTA_LIMIT_TYPE,
  1219. 	NFTA_LIMIT_FLAGS,
  1220. 	NFTA_LIMIT_PAD,
  1221. 	__NFTA_LIMIT_MAX
  1222. };
  1223. #define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)
  1225. enum nft_connlimit_flags {
  1226. 	NFT_CONNLIMIT_F_INV	= (1 << 0),
  1227. };
  1229. /**
  1230.  * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
  1231.  *
  1232.  * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
  1233.  * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
  1234.  */
  1235. enum nft_connlimit_attributes {
  1236. 	NFTA_CONNLIMIT_UNSPEC,
  1237. 	NFTA_CONNLIMIT_COUNT,
  1238. 	NFTA_CONNLIMIT_FLAGS,
  1239. 	__NFTA_CONNLIMIT_MAX
  1240. };
  1241. #define NFTA_CONNLIMIT_MAX	(__NFTA_CONNLIMIT_MAX - 1)
  1243. /**
  1244.  * enum nft_counter_attributes - nf_tables counter expression netlink attributes
  1245.  *
  1246.  * @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
  1247.  * @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
  1248.  */
  1249. enum nft_counter_attributes {
  1250. 	NFTA_COUNTER_UNSPEC,
  1251. 	NFTA_COUNTER_BYTES,
  1252. 	NFTA_COUNTER_PACKETS,
  1253. 	NFTA_COUNTER_PAD,
  1254. 	__NFTA_COUNTER_MAX
  1255. };
  1256. #define NFTA_COUNTER_MAX	(__NFTA_COUNTER_MAX - 1)
  1258. /**
  1259.  * enum nft_last_attributes - nf_tables last expression netlink attributes
  1260.  *
  1261.  * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
  1262.  * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
  1263.  */
  1264. enum nft_last_attributes {
  1265. 	NFTA_LAST_UNSPEC,
  1266. 	NFTA_LAST_SET,
  1267. 	NFTA_LAST_MSECS,
  1268. 	NFTA_LAST_PAD,
  1269. 	__NFTA_LAST_MAX
  1270. };
  1271. #define NFTA_LAST_MAX	(__NFTA_LAST_MAX - 1)
  1273. /**
  1274.  * enum nft_log_attributes - nf_tables log expression netlink attributes
  1275.  *
  1276.  * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U16)
  1277.  * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
  1278.  * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
  1279.  * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U16)
  1280.  * @NFTA_LOG_LEVEL: log level (NLA_U32)
  1281.  * @NFTA_LOG_FLAGS: logging flags (NLA_U32)
  1282.  */
  1283. enum nft_log_attributes {
  1284. 	NFTA_LOG_UNSPEC,
  1285. 	NFTA_LOG_GROUP,
  1286. 	NFTA_LOG_PREFIX,
  1287. 	NFTA_LOG_SNAPLEN,
  1288. 	NFTA_LOG_QTHRESHOLD,
  1289. 	NFTA_LOG_LEVEL,
  1290. 	NFTA_LOG_FLAGS,
  1291. 	__NFTA_LOG_MAX
  1292. };
  1293. #define NFTA_LOG_MAX		(__NFTA_LOG_MAX - 1)
  1295. /**
  1296.  * enum nft_log_level - nf_tables log levels
  1297.  *
  1298.  * @NFT_LOGLEVEL_EMERG: system is unusable
  1299.  * @NFT_LOGLEVEL_ALERT: action must be taken immediately
  1300.  * @NFT_LOGLEVEL_CRIT: critical conditions
  1301.  * @NFT_LOGLEVEL_ERR: error conditions
  1302.  * @NFT_LOGLEVEL_WARNING: warning conditions
  1303.  * @NFT_LOGLEVEL_NOTICE: normal but significant condition
  1304.  * @NFT_LOGLEVEL_INFO: informational
  1305.  * @NFT_LOGLEVEL_DEBUG: debug-level messages
  1306.  * @NFT_LOGLEVEL_AUDIT: enabling audit logging
  1307.  */
  1308. enum nft_log_level {
  1309. 	NFT_LOGLEVEL_EMERG,
  1310. 	NFT_LOGLEVEL_ALERT,
  1311. 	NFT_LOGLEVEL_CRIT,
  1312. 	NFT_LOGLEVEL_ERR,
  1313. 	NFT_LOGLEVEL_WARNING,
  1314. 	NFT_LOGLEVEL_NOTICE,
  1315. 	NFT_LOGLEVEL_INFO,
  1316. 	NFT_LOGLEVEL_DEBUG,
  1317. 	NFT_LOGLEVEL_AUDIT,
  1318. 	__NFT_LOGLEVEL_MAX
  1319. };
  1320. #define NFT_LOGLEVEL_MAX	(__NFT_LOGLEVEL_MAX - 1)
  1322. /**
  1323.  * enum nft_queue_attributes - nf_tables queue expression netlink attributes
  1324.  *
  1325.  * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16)
  1326.  * @NFTA_QUEUE_TOTAL: number of queues to load balance packets on (NLA_U16)
  1327.  * @NFTA_QUEUE_FLAGS: various flags (NLA_U16)
  1328.  * @NFTA_QUEUE_SREG_QNUM: source register of queue number (NLA_U32: nft_registers)
  1329.  */
  1330. enum nft_queue_attributes {
  1331. 	NFTA_QUEUE_UNSPEC,
  1332. 	NFTA_QUEUE_NUM,
  1333. 	NFTA_QUEUE_TOTAL,
  1334. 	NFTA_QUEUE_FLAGS,
  1335. 	NFTA_QUEUE_SREG_QNUM,
  1336. 	__NFTA_QUEUE_MAX
  1337. };
  1338. #define NFTA_QUEUE_MAX		(__NFTA_QUEUE_MAX - 1)
  1340. #define NFT_QUEUE_FLAG_BYPASS		0x01 /* for compatibility with v2 */
  1341. #define NFT_QUEUE_FLAG_CPU_FANOUT	0x02 /* use current CPU (no hashing) */
  1342. #define NFT_QUEUE_FLAG_MASK		0x03
  1344. enum nft_quota_flags {
  1345. 	NFT_QUOTA_F_INV		= (1 << 0),
  1346. 	NFT_QUOTA_F_DEPLETED	= (1 << 1),
  1347. };
  1349. /**
  1350.  * enum nft_quota_attributes - nf_tables quota expression netlink attributes
  1351.  *
  1352.  * @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16)
  1353.  * @NFTA_QUOTA_FLAGS: flags (NLA_U32)
  1354.  * @NFTA_QUOTA_CONSUMED: quota already consumed in bytes (NLA_U64)
  1355.  */
  1356. enum nft_quota_attributes {
  1357. 	NFTA_QUOTA_UNSPEC,
  1358. 	NFTA_QUOTA_BYTES,
  1359. 	NFTA_QUOTA_FLAGS,
  1360. 	NFTA_QUOTA_PAD,
  1361. 	NFTA_QUOTA_CONSUMED,
  1362. 	__NFTA_QUOTA_MAX
  1363. };
  1364. #define NFTA_QUOTA_MAX		(__NFTA_QUOTA_MAX - 1)
  1366. /**
  1367.  * enum nft_secmark_attributes - nf_tables secmark object netlink attributes
  1368.  *
  1369.  * @NFTA_SECMARK_CTX: security context (NLA_STRING)
  1370.  */
  1371. enum nft_secmark_attributes {
  1372. 	NFTA_SECMARK_UNSPEC,
  1373. 	NFTA_SECMARK_CTX,
  1374. 	__NFTA_SECMARK_MAX,
  1375. };
  1376. #define NFTA_SECMARK_MAX	(__NFTA_SECMARK_MAX - 1)
  1378. /* Max security context length */
  1379. #define NFT_SECMARK_CTX_MAXLEN		4096
  1381. /**
  1382.  * enum nft_reject_types - nf_tables reject expression reject types
  1383.  *
  1384.  * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
  1385.  * @NFT_REJECT_TCP_RST: reject using TCP RST
  1386.  * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
  1387.  */
  1388. enum nft_reject_types {
  1389. 	NFT_REJECT_ICMP_UNREACH,
  1390. 	NFT_REJECT_TCP_RST,
  1391. 	NFT_REJECT_ICMPX_UNREACH,
  1392. };
  1394. /**
  1395.  * enum nft_reject_code - Generic reject codes for IPv4/IPv6
  1396.  *
  1397.  * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host / network unreachable
  1398.  * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
  1399.  * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
  1400.  * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
  1401.  *
  1402.  * These codes are mapped to real ICMP and ICMPv6 codes.
  1403.  */
  1404. enum nft_reject_inet_code {
  1405. 	NFT_REJECT_ICMPX_NO_ROUTE	= 0,
  1406. 	NFT_REJECT_ICMPX_PORT_UNREACH,
  1407. 	NFT_REJECT_ICMPX_HOST_UNREACH,
  1408. 	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
  1409. 	__NFT_REJECT_ICMPX_MAX
  1410. };
  1411. #define NFT_REJECT_ICMPX_MAX	(__NFT_REJECT_ICMPX_MAX - 1)
  1413. /**
  1414.  * enum nft_reject_attributes - nf_tables reject expression netlink attributes
  1415.  *
  1416.  * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
  1417.  * @NFTA_REJECT_ICMP_CODE: ICMP code to use (NLA_U8)
  1418.  */
  1419. enum nft_reject_attributes {
  1420. 	NFTA_REJECT_UNSPEC,
  1421. 	NFTA_REJECT_TYPE,
  1422. 	NFTA_REJECT_ICMP_CODE,
  1423. 	__NFTA_REJECT_MAX
  1424. };
  1425. #define NFTA_REJECT_MAX		(__NFTA_REJECT_MAX - 1)
  1427. /**
  1428.  * enum nft_nat_types - nf_tables nat expression NAT types
  1429.  *
  1430.  * @NFT_NAT_SNAT: source NAT
  1431.  * @NFT_NAT_DNAT: destination NAT
  1432.  */
  1433. enum nft_nat_types {
  1434. 	NFT_NAT_SNAT,
  1435. 	NFT_NAT_DNAT,
  1436. };
  1438. /**
  1439.  * enum nft_nat_attributes - nf_tables nat expression netlink attributes
  1440.  *
  1441.  * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types)
  1442.  * @NFTA_NAT_FAMILY: NAT family (NLA_U32)
  1443.  * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers)
  1444.  * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
  1445.  * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  1446.  * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
  1447.  * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
  1448.  */
  1449. enum nft_nat_attributes {
  1450. 	NFTA_NAT_UNSPEC,
  1451. 	NFTA_NAT_TYPE,
  1452. 	NFTA_NAT_FAMILY,
  1453. 	NFTA_NAT_REG_ADDR_MIN,
  1454. 	NFTA_NAT_REG_ADDR_MAX,
  1455. 	NFTA_NAT_REG_PROTO_MIN,
  1456. 	NFTA_NAT_REG_PROTO_MAX,
  1457. 	NFTA_NAT_FLAGS,
  1458. 	__NFTA_NAT_MAX
  1459. };
  1460. #define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)
  1462. /**
  1463.  * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
  1464.  *
  1465.  * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
  1466.  * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
  1467.  * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
  1468.  */
  1469. enum nft_tproxy_attributes {
  1470. 	NFTA_TPROXY_UNSPEC,
  1471. 	NFTA_TPROXY_FAMILY,
  1472. 	NFTA_TPROXY_REG_ADDR,
  1473. 	NFTA_TPROXY_REG_PORT,
  1474. 	__NFTA_TPROXY_MAX
  1475. };
  1476. #define NFTA_TPROXY_MAX		(__NFTA_TPROXY_MAX - 1)
  1478. /**
  1479.  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  1480.  *
  1481.  * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
  1482.  * @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  1483.  * @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
  1484.  */
  1485. enum nft_masq_attributes {
  1486. 	NFTA_MASQ_UNSPEC,
  1487. 	NFTA_MASQ_FLAGS,
  1488. 	NFTA_MASQ_REG_PROTO_MIN,
  1489. 	NFTA_MASQ_REG_PROTO_MAX,
  1490. 	__NFTA_MASQ_MAX
  1491. };
  1492. #define NFTA_MASQ_MAX		(__NFTA_MASQ_MAX - 1)
  1494. /**
  1495.  * enum nft_redir_attributes - nf_tables redirect expression netlink attributes
  1496.  *
  1497.  * @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  1498.  * @NFTA_REDIR_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
  1499.  * @NFTA_REDIR_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
  1500.  */
  1501. enum nft_redir_attributes {
  1502. 	NFTA_REDIR_UNSPEC,
  1503. 	NFTA_REDIR_REG_PROTO_MIN,
  1504. 	NFTA_REDIR_REG_PROTO_MAX,
  1505. 	NFTA_REDIR_FLAGS,
  1506. 	__NFTA_REDIR_MAX
  1507. };
  1508. #define NFTA_REDIR_MAX		(__NFTA_REDIR_MAX - 1)
  1510. /**
  1511.  * enum nft_dup_attributes - nf_tables dup expression netlink attributes
  1512.  *
  1513.  * @NFTA_DUP_SREG_ADDR: source register of address (NLA_U32: nft_registers)
  1514.  * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_register)
  1515.  */
  1516. enum nft_dup_attributes {
  1517. 	NFTA_DUP_UNSPEC,
  1518. 	NFTA_DUP_SREG_ADDR,
  1519. 	NFTA_DUP_SREG_DEV,
  1520. 	__NFTA_DUP_MAX
  1521. };
  1522. #define NFTA_DUP_MAX		(__NFTA_DUP_MAX - 1)
  1524. /**
  1525.  * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
  1526.  *
  1527.  * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register)
  1528.  * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register)
  1529.  * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto)
  1530.  */
  1531. enum nft_fwd_attributes {
  1532. 	NFTA_FWD_UNSPEC,
  1533. 	NFTA_FWD_SREG_DEV,
  1534. 	NFTA_FWD_SREG_ADDR,
  1535. 	NFTA_FWD_NFPROTO,
  1536. 	__NFTA_FWD_MAX
  1537. };
  1538. #define NFTA_FWD_MAX	(__NFTA_FWD_MAX - 1)
  1540. /**
  1541.  * enum nft_objref_attributes - nf_tables stateful object expression netlink attributes
  1542.  *
  1543.  * @NFTA_OBJREF_IMM_TYPE: object type for immediate reference (NLA_U32: nft_register)
  1544.  * @NFTA_OBJREF_IMM_NAME: object name for immediate reference (NLA_STRING)
  1545.  * @NFTA_OBJREF_SET_SREG: source register of the data to look for (NLA_U32: nft_registers)
  1546.  * @NFTA_OBJREF_SET_NAME: name of the set where to look for (NLA_STRING)
  1547.  * @NFTA_OBJREF_SET_ID: id of the set where to look for in this transaction (NLA_U32)
  1548.  */
  1549. enum nft_objref_attributes {
  1550. 	NFTA_OBJREF_UNSPEC,
  1551. 	NFTA_OBJREF_IMM_TYPE,
  1552. 	NFTA_OBJREF_IMM_NAME,
  1553. 	NFTA_OBJREF_SET_SREG,
  1554. 	NFTA_OBJREF_SET_NAME,
  1555. 	NFTA_OBJREF_SET_ID,
  1556. 	__NFTA_OBJREF_MAX
  1557. };
  1558. #define NFTA_OBJREF_MAX	(__NFTA_OBJREF_MAX - 1)
  1560. /**
  1561.  * enum nft_gen_attributes - nf_tables ruleset generation attributes
  1562.  *
  1563.  * @NFTA_GEN_ID: Ruleset generation ID (NLA_U32)
  1564.  */
  1565. enum nft_gen_attributes {
  1566. 	NFTA_GEN_UNSPEC,
  1567. 	NFTA_GEN_ID,
  1568. 	NFTA_GEN_PROC_PID,
  1569. 	NFTA_GEN_PROC_NAME,
  1570. 	__NFTA_GEN_MAX
  1571. };
  1572. #define NFTA_GEN_MAX		(__NFTA_GEN_MAX - 1)
  1574. /*
  1575.  * enum nft_fib_attributes - nf_tables fib expression netlink attributes
  1576.  *
  1577.  * @NFTA_FIB_DREG: destination register (NLA_U32)
  1578.  * @NFTA_FIB_RESULT: desired result (NLA_U32)
  1579.  * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32)
  1580.  *
  1581.  * The FIB expression performs a route lookup according
  1582.  * to the packet data.
  1583.  */
  1584. enum nft_fib_attributes {
  1585. 	NFTA_FIB_UNSPEC,
  1586. 	NFTA_FIB_DREG,
  1587. 	NFTA_FIB_RESULT,
  1588. 	NFTA_FIB_FLAGS,
  1589. 	__NFTA_FIB_MAX
  1590. };
  1591. #define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1)
  1593. enum nft_fib_result {
  1594. 	NFT_FIB_RESULT_UNSPEC,
  1595. 	NFT_FIB_RESULT_OIF,
  1596. 	NFT_FIB_RESULT_OIFNAME,
  1597. 	NFT_FIB_RESULT_ADDRTYPE,
  1598. 	__NFT_FIB_RESULT_MAX
  1599. };
  1600. #define NFT_FIB_RESULT_MAX	(__NFT_FIB_RESULT_MAX - 1)
  1602. enum nft_fib_flags {
  1603. 	NFTA_FIB_F_SADDR	= 1 << 0,	/* look up src */
  1604. 	NFTA_FIB_F_DADDR	= 1 << 1,	/* look up dst */
  1605. 	NFTA_FIB_F_MARK		= 1 << 2,	/* use skb->mark */
  1606. 	NFTA_FIB_F_IIF		= 1 << 3,	/* restrict to iif */
  1607. 	NFTA_FIB_F_OIF		= 1 << 4,	/* restrict to oif */
  1608. 	NFTA_FIB_F_PRESENT	= 1 << 5,	/* check existence only */
  1609. };
  1611. enum nft_ct_helper_attributes {
  1612. 	NFTA_CT_HELPER_UNSPEC,
  1613. 	NFTA_CT_HELPER_NAME,
  1614. 	NFTA_CT_HELPER_L3PROTO,
  1615. 	NFTA_CT_HELPER_L4PROTO,
  1616. 	__NFTA_CT_HELPER_MAX,
  1617. };
  1618. #define NFTA_CT_HELPER_MAX	(__NFTA_CT_HELPER_MAX - 1)
  1620. enum nft_ct_timeout_timeout_attributes {
  1621. 	NFTA_CT_TIMEOUT_UNSPEC,
  1622. 	NFTA_CT_TIMEOUT_L3PROTO,
  1623. 	NFTA_CT_TIMEOUT_L4PROTO,
  1624. 	NFTA_CT_TIMEOUT_DATA,
  1625. 	__NFTA_CT_TIMEOUT_MAX,
  1626. };
  1627. #define NFTA_CT_TIMEOUT_MAX	(__NFTA_CT_TIMEOUT_MAX - 1)
  1629. enum nft_ct_expectation_attributes {
  1630. 	NFTA_CT_EXPECT_UNSPEC,
  1631. 	NFTA_CT_EXPECT_L3PROTO,
  1632. 	NFTA_CT_EXPECT_L4PROTO,
  1633. 	NFTA_CT_EXPECT_DPORT,
  1634. 	NFTA_CT_EXPECT_TIMEOUT,
  1635. 	NFTA_CT_EXPECT_SIZE,
  1636. 	__NFTA_CT_EXPECT_MAX,
  1637. };
  1638. #define NFTA_CT_EXPECT_MAX	(__NFTA_CT_EXPECT_MAX - 1)
  1640. #define NFT_OBJECT_UNSPEC	0
  1641. #define NFT_OBJECT_COUNTER	1
  1642. #define NFT_OBJECT_QUOTA	2
  1643. #define NFT_OBJECT_CT_HELPER	3
  1644. #define NFT_OBJECT_LIMIT	4
  1645. #define NFT_OBJECT_CONNLIMIT	5
  1646. #define NFT_OBJECT_TUNNEL	6
  1647. #define NFT_OBJECT_CT_TIMEOUT	7
  1648. #define NFT_OBJECT_SECMARK	8
  1649. #define NFT_OBJECT_CT_EXPECT	9
  1650. #define NFT_OBJECT_SYNPROXY	10
  1651. #define __NFT_OBJECT_MAX	11
  1652. #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
  1654. /**
  1655.  * enum nft_object_attributes - nf_tables stateful object netlink attributes
  1656.  *
  1657.  * @NFTA_OBJ_TABLE: name of the table containing the expression (NLA_STRING)
  1658.  * @NFTA_OBJ_NAME: name of this expression type (NLA_STRING)
  1659.  * @NFTA_OBJ_TYPE: stateful object type (NLA_U32)
  1660.  * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
  1661.  * @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
  1662.  * @NFTA_OBJ_HANDLE: object handle (NLA_U64)
  1663.  * @NFTA_OBJ_USERDATA: user data (NLA_BINARY)
  1664.  */
  1665. enum nft_object_attributes {
  1666. 	NFTA_OBJ_UNSPEC,
  1667. 	NFTA_OBJ_TABLE,
  1668. 	NFTA_OBJ_NAME,
  1669. 	NFTA_OBJ_TYPE,
  1670. 	NFTA_OBJ_DATA,
  1671. 	NFTA_OBJ_USE,
  1672. 	NFTA_OBJ_HANDLE,
  1673. 	NFTA_OBJ_PAD,
  1674. 	NFTA_OBJ_USERDATA,
  1675. 	__NFTA_OBJ_MAX
  1676. };
  1677. #define NFTA_OBJ_MAX		(__NFTA_OBJ_MAX - 1)
  1679. /**
  1680.  * enum nft_flowtable_flags - nf_tables flowtable flags
  1681.  *
  1682.  * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
  1683.  * @NFT_FLOWTABLE_COUNTER: enable flow counters
  1684.  */
  1685. enum nft_flowtable_flags {
  1686. 	NFT_FLOWTABLE_HW_OFFLOAD	= 0x1,
  1687. 	NFT_FLOWTABLE_COUNTER		= 0x2,
  1688. 	NFT_FLOWTABLE_MASK		= (NFT_FLOWTABLE_HW_OFFLOAD |
  1689. 					   NFT_FLOWTABLE_COUNTER)
  1690. };
  1692. /**
  1693.  * enum nft_flowtable_attributes - nf_tables flow table netlink attributes
  1694.  *
  1695.  * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
  1696.  * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
  1697.  * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
  1698.  * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
  1699.  * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
  1700.  * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
  1701.  */
  1702. enum nft_flowtable_attributes {
  1703. 	NFTA_FLOWTABLE_UNSPEC,
  1704. 	NFTA_FLOWTABLE_TABLE,
  1705. 	NFTA_FLOWTABLE_NAME,
  1706. 	NFTA_FLOWTABLE_HOOK,
  1707. 	NFTA_FLOWTABLE_USE,
  1708. 	NFTA_FLOWTABLE_HANDLE,
  1709. 	NFTA_FLOWTABLE_PAD,
  1710. 	NFTA_FLOWTABLE_FLAGS,
  1711. 	__NFTA_FLOWTABLE_MAX
  1712. };
  1713. #define NFTA_FLOWTABLE_MAX	(__NFTA_FLOWTABLE_MAX - 1)
  1715. /**
  1716.  * enum nft_flowtable_hook_attributes - nf_tables flow table hook netlink attributes
  1717.  *
  1718.  * @NFTA_FLOWTABLE_HOOK_NUM: netfilter hook number (NLA_U32)
  1719.  * @NFTA_FLOWTABLE_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
  1720.  * @NFTA_FLOWTABLE_HOOK_DEVS: input devices this flow table is bound to (NLA_NESTED)
  1721.  */
  1722. enum nft_flowtable_hook_attributes {
  1723. 	NFTA_FLOWTABLE_HOOK_UNSPEC,
  1724. 	NFTA_FLOWTABLE_HOOK_NUM,
  1725. 	NFTA_FLOWTABLE_HOOK_PRIORITY,
  1726. 	NFTA_FLOWTABLE_HOOK_DEVS,
  1727. 	__NFTA_FLOWTABLE_HOOK_MAX
  1728. };
  1729. #define NFTA_FLOWTABLE_HOOK_MAX	(__NFTA_FLOWTABLE_HOOK_MAX - 1)
  1731. /**
  1732.  * enum nft_osf_attributes - nftables osf expression netlink attributes
  1733.  *
  1734.  * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
  1735.  * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
  1736.  * @NFTA_OSF_FLAGS: flags (NLA_U32)
  1737.  */
  1738. enum nft_osf_attributes {
  1739. 	NFTA_OSF_UNSPEC,
  1740. 	NFTA_OSF_DREG,
  1741. 	NFTA_OSF_TTL,
  1742. 	NFTA_OSF_FLAGS,
  1743. 	__NFTA_OSF_MAX,
  1744. };
  1745. #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
  1747. enum nft_osf_flags {
  1748. 	NFT_OSF_F_VERSION = (1 << 0),
  1749. };
  1751. /**
  1752.  * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
  1753.  *
  1754.  * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
  1755.  * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
  1756.  * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
  1757.  */
  1758. enum nft_synproxy_attributes {
  1759. 	NFTA_SYNPROXY_UNSPEC,
  1760. 	NFTA_SYNPROXY_MSS,
  1761. 	NFTA_SYNPROXY_WSCALE,
  1762. 	NFTA_SYNPROXY_FLAGS,
  1763. 	__NFTA_SYNPROXY_MAX,
  1764. };
  1765. #define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
  1767. /**
  1768.  * enum nft_device_attributes - nf_tables device netlink attributes
  1769.  *
  1770.  * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
  1771.  */
  1772. enum nft_devices_attributes {
  1773. 	NFTA_DEVICE_UNSPEC,
  1774. 	NFTA_DEVICE_NAME,
  1775. 	__NFTA_DEVICE_MAX
  1776. };
  1777. #define NFTA_DEVICE_MAX		(__NFTA_DEVICE_MAX - 1)
  1779. /*
  1780.  * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
  1781.  *
  1782.  * @NFTA_XFRM_DREG: destination register (NLA_U32)
  1783.  * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
  1784.  * @NFTA_XFRM_DIR: direction (NLA_U8)
  1785.  * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
  1786.  */
  1787. enum nft_xfrm_attributes {
  1788. 	NFTA_XFRM_UNSPEC,
  1789. 	NFTA_XFRM_DREG,
  1790. 	NFTA_XFRM_KEY,
  1791. 	NFTA_XFRM_DIR,
  1792. 	NFTA_XFRM_SPNUM,
  1793. 	__NFTA_XFRM_MAX
  1794. };
  1795. #define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
  1797. enum nft_xfrm_keys {
  1798. 	NFT_XFRM_KEY_UNSPEC,
  1799. 	NFT_XFRM_KEY_DADDR_IP4,
  1800. 	NFT_XFRM_KEY_DADDR_IP6,
  1801. 	NFT_XFRM_KEY_SADDR_IP4,
  1802. 	NFT_XFRM_KEY_SADDR_IP6,
  1803. 	NFT_XFRM_KEY_REQID,
  1804. 	NFT_XFRM_KEY_SPI,
  1805. 	__NFT_XFRM_KEY_MAX,
  1806. };
  1807. #define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
  1809. /**
  1810.  * enum nft_trace_attributes - nf_tables trace netlink attributes
  1811.  *
  1812.  * @NFTA_TRACE_TABLE: name of the table (NLA_STRING)
  1813.  * @NFTA_TRACE_CHAIN: name of the chain (NLA_STRING)
  1814.  * @NFTA_TRACE_RULE_HANDLE: numeric handle of the rule (NLA_U64)
  1815.  * @NFTA_TRACE_TYPE: type of the event (NLA_U32: nft_trace_types)
  1816.  * @NFTA_TRACE_VERDICT: verdict returned by hook (NLA_NESTED: nft_verdicts)
  1817.  * @NFTA_TRACE_ID: pseudo-id, same for each skb traced (NLA_U32)
  1818.  * @NFTA_TRACE_LL_HEADER: linklayer header (NLA_BINARY)
  1819.  * @NFTA_TRACE_NETWORK_HEADER: network header (NLA_BINARY)
  1820.  * @NFTA_TRACE_TRANSPORT_HEADER: transport header (NLA_BINARY)
  1821.  * @NFTA_TRACE_IIF: indev ifindex (NLA_U32)
  1822.  * @NFTA_TRACE_IIFTYPE: netdev->type of indev (NLA_U16)
  1823.  * @NFTA_TRACE_OIF: outdev ifindex (NLA_U32)
  1824.  * @NFTA_TRACE_OIFTYPE: netdev->type of outdev (NLA_U16)
  1825.  * @NFTA_TRACE_MARK: nfmark (NLA_U32)
  1826.  * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32)
  1827.  * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32)
  1828.  */
  1829. enum nft_trace_attributes {
  1830. 	NFTA_TRACE_UNSPEC,
  1831. 	NFTA_TRACE_TABLE,
  1832. 	NFTA_TRACE_CHAIN,
  1833. 	NFTA_TRACE_RULE_HANDLE,
  1834. 	NFTA_TRACE_TYPE,
  1835. 	NFTA_TRACE_VERDICT,
  1836. 	NFTA_TRACE_ID,
  1837. 	NFTA_TRACE_LL_HEADER,
  1838. 	NFTA_TRACE_NETWORK_HEADER,
  1839. 	NFTA_TRACE_TRANSPORT_HEADER,
  1840. 	NFTA_TRACE_IIF,
  1841. 	NFTA_TRACE_IIFTYPE,
  1842. 	NFTA_TRACE_OIF,
  1843. 	NFTA_TRACE_OIFTYPE,
  1844. 	NFTA_TRACE_MARK,
  1845. 	NFTA_TRACE_NFPROTO,
  1846. 	NFTA_TRACE_POLICY,
  1847. 	NFTA_TRACE_PAD,
  1848. 	__NFTA_TRACE_MAX
  1849. };
  1850. #define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1)
  1852. enum nft_trace_types {
  1853. 	NFT_TRACETYPE_UNSPEC,
  1854. 	NFT_TRACETYPE_POLICY,
  1855. 	NFT_TRACETYPE_RETURN,
  1856. 	NFT_TRACETYPE_RULE,
  1857. 	__NFT_TRACETYPE_MAX
  1858. };
  1859. #define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1)
  1861. /**
  1862.  * enum nft_ng_attributes - nf_tables number generator expression netlink attributes
  1863.  *
  1864.  * @NFTA_NG_DREG: destination register (NLA_U32)
  1865.  * @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
  1866.  * @NFTA_NG_TYPE: operation type (NLA_U32)
  1867.  * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
  1868.  * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING)
  1869.  * @NFTA_NG_SET_ID: id of the map (NLA_U32)
  1870.  */
  1871. enum nft_ng_attributes {
  1872. 	NFTA_NG_UNSPEC,
  1873. 	NFTA_NG_DREG,
  1874. 	NFTA_NG_MODULUS,
  1875. 	NFTA_NG_TYPE,
  1876. 	NFTA_NG_OFFSET,
  1877. 	NFTA_NG_SET_NAME,	/* deprecated */
  1878. 	NFTA_NG_SET_ID,		/* deprecated */
  1879. 	__NFTA_NG_MAX
  1880. };
  1881. #define NFTA_NG_MAX	(__NFTA_NG_MAX - 1)
  1883. enum nft_ng_types {
  1884. 	NFT_NG_INCREMENTAL,
  1885. 	NFT_NG_RANDOM,
  1886. 	__NFT_NG_MAX
  1887. };
  1888. #define NFT_NG_MAX	(__NFT_NG_MAX - 1)
  1890. enum nft_tunnel_key_ip_attributes {
  1891. 	NFTA_TUNNEL_KEY_IP_UNSPEC,
  1892. 	NFTA_TUNNEL_KEY_IP_SRC,
  1893. 	NFTA_TUNNEL_KEY_IP_DST,
  1894. 	__NFTA_TUNNEL_KEY_IP_MAX
  1895. };
  1896. #define NFTA_TUNNEL_KEY_IP_MAX	(__NFTA_TUNNEL_KEY_IP_MAX - 1)
  1898. enum nft_tunnel_ip6_attributes {
  1899. 	NFTA_TUNNEL_KEY_IP6_UNSPEC,
  1900. 	NFTA_TUNNEL_KEY_IP6_SRC,
  1901. 	NFTA_TUNNEL_KEY_IP6_DST,
  1902. 	NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
  1903. 	__NFTA_TUNNEL_KEY_IP6_MAX
  1904. };
  1905. #define NFTA_TUNNEL_KEY_IP6_MAX	(__NFTA_TUNNEL_KEY_IP6_MAX - 1)
  1907. enum nft_tunnel_opts_attributes {
  1908. 	NFTA_TUNNEL_KEY_OPTS_UNSPEC,
  1909. 	NFTA_TUNNEL_KEY_OPTS_VXLAN,
  1910. 	NFTA_TUNNEL_KEY_OPTS_ERSPAN,
  1911. 	NFTA_TUNNEL_KEY_OPTS_GENEVE,
  1912. 	__NFTA_TUNNEL_KEY_OPTS_MAX
  1913. };
  1914. #define NFTA_TUNNEL_KEY_OPTS_MAX	(__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
  1916. enum nft_tunnel_opts_vxlan_attributes {
  1917. 	NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
  1918. 	NFTA_TUNNEL_KEY_VXLAN_GBP,
  1919. 	__NFTA_TUNNEL_KEY_VXLAN_MAX
  1920. };
  1921. #define NFTA_TUNNEL_KEY_VXLAN_MAX	(__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
  1923. enum nft_tunnel_opts_erspan_attributes {
  1924. 	NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
  1925. 	NFTA_TUNNEL_KEY_ERSPAN_VERSION,
  1926. 	NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
  1927. 	NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
  1928. 	NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
  1929. 	__NFTA_TUNNEL_KEY_ERSPAN_MAX
  1930. };
  1931. #define NFTA_TUNNEL_KEY_ERSPAN_MAX	(__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
  1933. enum nft_tunnel_opts_geneve_attributes {
  1934. 	NFTA_TUNNEL_KEY_GENEVE_UNSPEC,
  1935. 	NFTA_TUNNEL_KEY_GENEVE_CLASS,
  1936. 	NFTA_TUNNEL_KEY_GENEVE_TYPE,
  1937. 	NFTA_TUNNEL_KEY_GENEVE_DATA,
  1938. 	__NFTA_TUNNEL_KEY_GENEVE_MAX
  1939. };
  1940. #define NFTA_TUNNEL_KEY_GENEVE_MAX	(__NFTA_TUNNEL_KEY_GENEVE_MAX - 1)
  1942. enum nft_tunnel_flags {
  1943. 	NFT_TUNNEL_F_ZERO_CSUM_TX	= (1 << 0),
  1944. 	NFT_TUNNEL_F_DONT_FRAGMENT	= (1 << 1),
  1945. 	NFT_TUNNEL_F_SEQ_NUMBER		= (1 << 2),
  1946. };
  1947. #define NFT_TUNNEL_F_MASK	(NFT_TUNNEL_F_ZERO_CSUM_TX | \
  1948. 				 NFT_TUNNEL_F_DONT_FRAGMENT | \
  1949. 				 NFT_TUNNEL_F_SEQ_NUMBER)
  1951. enum nft_tunnel_key_attributes {
  1952. 	NFTA_TUNNEL_KEY_UNSPEC,
  1953. 	NFTA_TUNNEL_KEY_ID,
  1954. 	NFTA_TUNNEL_KEY_IP,
  1955. 	NFTA_TUNNEL_KEY_IP6,
  1956. 	NFTA_TUNNEL_KEY_FLAGS,
  1957. 	NFTA_TUNNEL_KEY_TOS,
  1958. 	NFTA_TUNNEL_KEY_TTL,
  1959. 	NFTA_TUNNEL_KEY_SPORT,
  1960. 	NFTA_TUNNEL_KEY_DPORT,
  1961. 	NFTA_TUNNEL_KEY_OPTS,
  1962. 	__NFTA_TUNNEL_KEY_MAX
  1963. };
  1964. #define NFTA_TUNNEL_KEY_MAX	(__NFTA_TUNNEL_KEY_MAX - 1)
  1966. enum nft_tunnel_keys {
  1967. 	NFT_TUNNEL_PATH,
  1968. 	NFT_TUNNEL_ID,
  1969. 	__NFT_TUNNEL_MAX
  1970. };
  1971. #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
  1973. enum nft_tunnel_mode {
  1974. 	NFT_TUNNEL_MODE_NONE,
  1975. 	NFT_TUNNEL_MODE_RX,
  1976. 	NFT_TUNNEL_MODE_TX,
  1977. 	__NFT_TUNNEL_MODE_MAX
  1978. };
  1979. #define NFT_TUNNEL_MODE_MAX	(__NFT_TUNNEL_MODE_MAX - 1)
  1981. enum nft_tunnel_attributes {
  1982. 	NFTA_TUNNEL_UNSPEC,
  1983. 	NFTA_TUNNEL_KEY,
  1984. 	NFTA_TUNNEL_DREG,
  1985. 	NFTA_TUNNEL_MODE,
  1986. 	__NFTA_TUNNEL_MAX
  1987. };
  1988. #define NFTA_TUNNEL_MAX	(__NFTA_TUNNEL_MAX - 1)
  1990. #endif /* _LINUX_NF_TABLES_H */