Merge tag 'nf-24-01-24' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

 *	@nla: netlink attributes

 *	@portid: netlink portID of the original message

 *	@seq: netlink sequence number

 *	@flags: modifiers to new request

 *	@family: protocol family

 *	@level: depth of the chains

 *	@report: notify via unicast netlink message

 *

 *	@key: element key

 *	@key_end: closing element key

 *	@data: element data

 *	@priv: element private data and extensions

 */

struct nft_set_elem {

 *	@dtype: data type

 *	@dlen: data length

 *	@objtype: object type

 *	@flags: flags

 *	@size: number of set elements

 *	@policy: set policy

 *	@gc_int: garbage collector interval

 *	@timeout: element timeout

 *	@field_len: length of each field in concatenation, bytes

 *	@field_count: number of concatenated fields in element

 *	@expr: set must support for expressions

/**

 *	enum nft_set_class - performance class

 *

 *	@NFT_LOOKUP_O_1: constant, O(1)

 *	@NFT_LOOKUP_O_LOG_N: logarithmic, O(log N)

 *	@NFT_LOOKUP_O_N: linear, O(N)

 *	@NFT_SET_CLASS_O_1: constant, O(1)

 *	@NFT_SET_CLASS_O_LOG_N: logarithmic, O(log N)

 *	@NFT_SET_CLASS_O_N: linear, O(N)

 */

enum nft_set_class {

	NFT_SET_CLASS_O_1,

 *	@remove: remove element from set

 *	@walk: iterate over all set elements

 *	@get: get set elements

 *	@commit: commit set elements

 *	@abort: abort set elements

 *	@privsize: function to return size of set private data

 *	@estimate: estimate the required memory size and the lookup complexity class

 *	@init: initialize private data of new set instance

 *	@destroy: destroy private data of set instance

 *	@gc_init: initialize garbage collection

 *	@elemsize: element private size

 *

 *	Operations lookup, update and delete have simpler interfaces, are faster

 *	@policy: set parameterization (see enum nft_set_policies)

 *	@udlen: user data length

 *	@udata: user data

 *	@expr: stateful expression

 *	@pending_update: list of pending update set element

 * 	@ops: set ops

 * 	@flags: set flags

 *	@dead: set will be freed, never cleared

 *	@genmask: generation mask

 * 	@klen: key length

 * 	@dlen: data length

 *	@num_exprs: numbers of exprs

 *	@exprs: stateful expression

 *	@catchall_list: list of catch-all set element

 * 	@data: private set data

 */

struct nft_set {

 *

 *	@len: length of extension area

 *	@offset: offsets of individual extension types

 *	@ext_len: length of the expected extension(used to sanity check)

 */

struct nft_set_ext_tmpl {

	u16	len;

 *	@select_ops: function to select nft_expr_ops

 *	@release_ops: release nft_expr_ops

 *	@ops: default ops, used when no select_ops functions is present

 *	@inner_ops: inner ops, used for inner packet operation

 *	@list: used internally

 *	@name: Identifier

 *	@owner: module reference

 *	struct nft_expr_ops - nf_tables expression operations

 *

 *	@eval: Expression evaluation function

 *	@clone: Expression clone function

 *	@size: full expression size, including private data size

 *	@init: initialization function

 *	@activate: activate expression in the next generation

 *	@deactivate: deactivate expression in next generation

 *	@destroy: destruction function, called after synchronize_rcu

 *	@destroy_clone: destruction clone function

 *	@dump: function to dump parameters

 *	@type: expression type

 *	@validate: validate expression, called during loop detection

 *	@reduce: reduce expression

 *	@gc: garbage collection expression

 *	@offload: hardware offload expression

 *	@offload_action: function to report true/false to allocate one slot or not in the flow

 *			 offload array

 *	@offload_stats: function to synchronize hardware stats via updating the counter expression

 *	@type: expression type

 *	@data: extra data to attach to this expression operation

 */

struct nft_expr_ops {

/**

 *	struct nft_chain - nf_tables chain

 *

 *	@blob_gen_0: rule blob pointer to the current generation

 *	@blob_gen_1: rule blob pointer to the future generation

 *	@rules: list of rules in the chain

 *	@list: used internally

 *	@rhlhead: used internally

 *	@table: table that this chain belongs to

 *	@handle: chain handle

 *	@use: number of jump references to this chain

 *	@flags: bitmask of enum nft_chain_flags

 *	@flags: bitmask of enum NFTA_CHAIN_FLAGS

 *	@bound: bind or not

 *	@genmask: generation mask

 *	@name: name of the chain

 *	@udlen: user data length

 *	@udata: user data in the chain

 *	@blob_next: rule blob pointer to the next in the chain

 */

struct nft_chain {

	struct nft_rule_blob		__rcu *blob_gen_0;

 *	@hook_list: list of netfilter hooks (for NFPROTO_NETDEV family)

 *	@type: chain type

 *	@policy: default policy

 *	@flags: indicate the base chain disabled or not

 *	@stats: per-cpu chain stats

 *	@chain: the chain

 *	@flow_block: flow block (for hardware offload)

 *	struct nft_object - nf_tables stateful object

 *

 *	@list: table stateful object list node

 *	@key:  keys that identify this object

 *	@rhlhead: nft_objname_ht node

 *	@key: keys that identify this object

 *	@genmask: generation mask

 *	@use: number of references to this stateful object

 *	@handle: unique object handle

 *	@udlen: length of user data

 *	@udata: user data

 *	@ops: object operations

 *	@data: object data, layout depends on type

 */

 *	@destroy: release existing stateful object

 *	@dump: netlink dump stateful object

 *	@update: update stateful object

 *	@type: pointer to object type

 */

struct nft_object_ops {

	void				(*eval)(struct nft_object *obj,

 *	@genmask: generation mask

 *	@use: number of references to this flow table

 * 	@handle: unique object handle

 *	@dev_name: array of device names

 *	@hook_list: hook list for hooks per net_device in flowtables

 *	@data: rhashtable and garbage collector

 * 	@ops: array of hooks

 */

struct nft_flowtable {

	struct list_head		list;

#include <net/sock.h>

#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))

#define NFT_SET_MAX_ANONLEN 16

unsigned int nf_tables_net_id __read_mostly;

		if (p[1] != 'd' || strchr(p + 2, '%'))

			return -EINVAL;

		if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)

			return -EINVAL;

		inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);

		if (inuse == NULL)

			return -ENOMEM;

	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));

	switch (data->verdict.code) {

	default:

		switch (data->verdict.code & NF_VERDICT_MASK) {

	case NF_ACCEPT:

	case NF_DROP:

	case NF_QUEUE:

		break;

		default:

			return -EINVAL;

		}

		fallthrough;

	case NFT_CONTINUE:

	case NFT_BREAK:

	case NFT_RETURN:

		data->verdict.chain = chain;

		break;

	default:

		return -EINVAL;

	}

	desc->len = sizeof(data->verdict);

				  unsigned long event, void *ptr)

{

	struct net_device *dev = netdev_notifier_info_to_dev(ptr);

	struct nft_base_chain *basechain;

	struct nftables_pernet *nft_net;

	struct nft_table *table;

	struct nft_chain *chain, *nr;

	struct nft_table *table;

	struct nft_ctx ctx = {

		.net	= dev_net(dev),

	};

	nft_net = nft_pernet(ctx.net);

	mutex_lock(&nft_net->commit_mutex);

	list_for_each_entry(table, &nft_net->tables, list) {

		if (table->family != NFPROTO_NETDEV)

		if (table->family != NFPROTO_NETDEV &&

		    table->family != NFPROTO_INET)

			continue;

		ctx.family = table->family;

			if (!nft_is_base_chain(chain))

				continue;

			basechain = nft_base_chain(chain);

			if (table->family == NFPROTO_INET &&

			    basechain->ops.hooknum != NF_INET_INGRESS)

				continue;

			ctx.chain = chain;

			nft_netdev_event(event, dev, &ctx);

		}

	unsigned int hook_mask = 0;

	int ret;

	if (ctx->family != NFPROTO_IPV4 &&

	    ctx->family != NFPROTO_IPV6 &&

	    ctx->family != NFPROTO_BRIDGE &&

	    ctx->family != NFPROTO_ARP)

		return -EOPNOTSUPP;

	if (nft_is_base_chain(ctx->chain)) {

		const struct nft_base_chain *basechain =

						nft_base_chain(ctx->chain);

	unsigned int hook_mask = 0;

	int ret;

	if (ctx->family != NFPROTO_IPV4 &&

	    ctx->family != NFPROTO_IPV6 &&

	    ctx->family != NFPROTO_BRIDGE &&

	    ctx->family != NFPROTO_ARP)

		return -EOPNOTSUPP;

	if (nft_is_base_chain(ctx->chain)) {

		const struct nft_base_chain *basechain =

						nft_base_chain(ctx->chain);

{

	unsigned int hook_mask = (1 << NF_INET_FORWARD);

	if (ctx->family != NFPROTO_IPV4 &&

	    ctx->family != NFPROTO_IPV6 &&

	    ctx->family != NFPROTO_INET)

		return -EOPNOTSUPP;

	return nft_chain_validate_hooks(ctx->chain, hook_mask);

}