|
 |
fe0499 |
From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001
|
|
|
fe0499 |
From: Florian Westphal <fw@strlen.de>
|
|
|
fe0499 |
Date: Thu, 22 Sep 2022 13:33:50 +0200
|
|
|
fe0499 |
Subject: [PATCH] nft: un-break among match with concatenation
|
|
|
fe0499 |
|
|
|
fe0499 |
The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
|
|
|
fe0499 |
breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but
|
|
|
fe0499 |
doesn't set the CONCAT flag.
|
|
|
fe0499 |
|
|
|
fe0499 |
Update uapi header and also set CONCAT.
|
|
|
fe0499 |
|
|
|
fe0499 |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
fe0499 |
(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f)
|
|
|
fe0499 |
---
|
|
|
fe0499 |
include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++-
|
|
|
fe0499 |
iptables/nft.c | 2 +-
|
|
|
fe0499 |
2 files changed, 476 insertions(+), 9 deletions(-)
|
|
|
fe0499 |
|
|
|
fe0499 |
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
|
|
|
fe0499 |
index 66dceee0ae307..e94d1fa554cb2 100644
|
|
|
fe0499 |
--- a/include/linux/netfilter/nf_tables.h
|
|
|
fe0499 |
+++ b/include/linux/netfilter/nf_tables.h
|
|
|
fe0499 |
@@ -8,6 +8,7 @@
|
|
|
fe0499 |
#define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN
|
|
|
fe0499 |
#define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN
|
|
|
fe0499 |
#define NFT_USERDATA_MAXLEN 256
|
|
|
fe0499 |
+#define NFT_OSF_MAXGENRELEN 16
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_registers - nf_tables registers
|
|
|
fe0499 |
@@ -47,6 +48,7 @@ enum nft_registers {
|
|
|
fe0499 |
|
|
|
fe0499 |
#define NFT_REG_SIZE 16
|
|
|
fe0499 |
#define NFT_REG32_SIZE 4
|
|
|
fe0499 |
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_verdicts - nf_tables internal verdicts
|
|
|
fe0499 |
@@ -131,7 +133,7 @@ enum nf_tables_msg_types {
|
|
|
fe0499 |
* @NFTA_LIST_ELEM: list element (NLA_NESTED)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_list_attributes {
|
|
|
fe0499 |
- NFTA_LIST_UNPEC,
|
|
|
fe0499 |
+ NFTA_LIST_UNSPEC,
|
|
|
fe0499 |
NFTA_LIST_ELEM,
|
|
|
fe0499 |
__NFTA_LIST_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
@@ -143,12 +145,14 @@ enum nft_list_attributes {
|
|
|
fe0499 |
* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
|
|
|
fe0499 |
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
|
|
|
fe0499 |
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
|
|
|
fe0499 |
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_hook_attributes {
|
|
|
fe0499 |
NFTA_HOOK_UNSPEC,
|
|
|
fe0499 |
NFTA_HOOK_HOOKNUM,
|
|
|
fe0499 |
NFTA_HOOK_PRIORITY,
|
|
|
fe0499 |
NFTA_HOOK_DEV,
|
|
|
fe0499 |
+ NFTA_HOOK_DEVS,
|
|
|
fe0499 |
__NFTA_HOOK_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
|
|
|
fe0499 |
@@ -160,7 +164,10 @@ enum nft_hook_attributes {
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_table_flags {
|
|
|
fe0499 |
NFT_TABLE_F_DORMANT = 0x1,
|
|
|
fe0499 |
+ NFT_TABLE_F_OWNER = 0x2,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
|
|
|
fe0499 |
+ NFT_TABLE_F_OWNER)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_table_attributes - nf_tables table netlink attributes
|
|
|
fe0499 |
@@ -168,6 +175,8 @@ enum nft_table_flags {
|
|
|
fe0499 |
* @NFTA_TABLE_NAME: name of the table (NLA_STRING)
|
|
|
fe0499 |
* @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
|
|
|
fe0499 |
* @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
|
|
|
fe0499 |
+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_table_attributes {
|
|
|
fe0499 |
NFTA_TABLE_UNSPEC,
|
|
|
fe0499 |
@@ -176,10 +185,21 @@ enum nft_table_attributes {
|
|
|
fe0499 |
NFTA_TABLE_USE,
|
|
|
fe0499 |
NFTA_TABLE_HANDLE,
|
|
|
fe0499 |
NFTA_TABLE_PAD,
|
|
|
fe0499 |
+ NFTA_TABLE_USERDATA,
|
|
|
fe0499 |
+ NFTA_TABLE_OWNER,
|
|
|
fe0499 |
__NFTA_TABLE_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+enum nft_chain_flags {
|
|
|
fe0499 |
+ NFT_CHAIN_BASE = (1 << 0),
|
|
|
fe0499 |
+ NFT_CHAIN_HW_OFFLOAD = (1 << 1),
|
|
|
fe0499 |
+ NFT_CHAIN_BINDING = (1 << 2),
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \
|
|
|
fe0499 |
+ NFT_CHAIN_HW_OFFLOAD | \
|
|
|
fe0499 |
+ NFT_CHAIN_BINDING)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_chain_attributes - nf_tables chain netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -191,6 +211,9 @@ enum nft_table_attributes {
|
|
|
fe0499 |
* @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
|
|
|
fe0499 |
* @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
|
|
|
fe0499 |
* @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
|
|
|
fe0499 |
+ * @NFTA_CHAIN_FLAGS: chain flags
|
|
|
fe0499 |
+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_chain_attributes {
|
|
|
fe0499 |
NFTA_CHAIN_UNSPEC,
|
|
|
fe0499 |
@@ -203,6 +226,9 @@ enum nft_chain_attributes {
|
|
|
fe0499 |
NFTA_CHAIN_TYPE,
|
|
|
fe0499 |
NFTA_CHAIN_COUNTERS,
|
|
|
fe0499 |
NFTA_CHAIN_PAD,
|
|
|
fe0499 |
+ NFTA_CHAIN_FLAGS,
|
|
|
fe0499 |
+ NFTA_CHAIN_ID,
|
|
|
fe0499 |
+ NFTA_CHAIN_USERDATA,
|
|
|
fe0499 |
__NFTA_CHAIN_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
|
|
|
fe0499 |
@@ -218,6 +244,7 @@ enum nft_chain_attributes {
|
|
|
fe0499 |
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
|
|
|
fe0499 |
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
|
|
|
fe0499 |
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_rule_attributes {
|
|
|
fe0499 |
NFTA_RULE_UNSPEC,
|
|
|
fe0499 |
@@ -230,6 +257,8 @@ enum nft_rule_attributes {
|
|
|
fe0499 |
NFTA_RULE_USERDATA,
|
|
|
fe0499 |
NFTA_RULE_PAD,
|
|
|
fe0499 |
NFTA_RULE_ID,
|
|
|
fe0499 |
+ NFTA_RULE_POSITION_ID,
|
|
|
fe0499 |
+ NFTA_RULE_CHAIN_ID,
|
|
|
fe0499 |
__NFTA_RULE_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
|
|
|
fe0499 |
@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes {
|
|
|
fe0499 |
* @NFT_SET_INTERVAL: set contains intervals
|
|
|
fe0499 |
* @NFT_SET_MAP: set is used as a dictionary
|
|
|
fe0499 |
* @NFT_SET_TIMEOUT: set uses timeouts
|
|
|
fe0499 |
- * @NFT_SET_EVAL: set contains expressions for evaluation
|
|
|
fe0499 |
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
|
|
|
fe0499 |
* @NFT_SET_OBJECT: set contains stateful objects
|
|
|
fe0499 |
+ * @NFT_SET_CONCAT: set contains a concatenation
|
|
|
fe0499 |
+ * @NFT_SET_EXPR: set contains expressions
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_set_flags {
|
|
|
fe0499 |
NFT_SET_ANONYMOUS = 0x1,
|
|
|
fe0499 |
@@ -277,6 +308,8 @@ enum nft_set_flags {
|
|
|
fe0499 |
NFT_SET_TIMEOUT = 0x10,
|
|
|
fe0499 |
NFT_SET_EVAL = 0x20,
|
|
|
fe0499 |
NFT_SET_OBJECT = 0x40,
|
|
|
fe0499 |
+ NFT_SET_CONCAT = 0x80,
|
|
|
fe0499 |
+ NFT_SET_EXPR = 0x100,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
@@ -294,14 +327,28 @@ enum nft_set_policies {
|
|
|
fe0499 |
* enum nft_set_desc_attributes - set element description
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_set_desc_attributes {
|
|
|
fe0499 |
NFTA_SET_DESC_UNSPEC,
|
|
|
fe0499 |
NFTA_SET_DESC_SIZE,
|
|
|
fe0499 |
+ NFTA_SET_DESC_CONCAT,
|
|
|
fe0499 |
__NFTA_SET_DESC_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_set_field_attributes - attributes of concatenated fields
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_set_field_attributes {
|
|
|
fe0499 |
+ NFTA_SET_FIELD_UNSPEC,
|
|
|
fe0499 |
+ NFTA_SET_FIELD_LEN,
|
|
|
fe0499 |
+ __NFTA_SET_FIELD_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_set_attributes - nf_tables set netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -320,6 +367,8 @@ enum nft_set_desc_attributes {
|
|
|
fe0499 |
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
|
|
|
fe0499 |
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
|
|
|
fe0499 |
* @NFTA_SET_HANDLE: set handle (NLA_U64)
|
|
|
fe0499 |
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
|
|
|
fe0499 |
+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_set_attributes {
|
|
|
fe0499 |
NFTA_SET_UNSPEC,
|
|
|
fe0499 |
@@ -339,6 +388,8 @@ enum nft_set_attributes {
|
|
|
fe0499 |
NFTA_SET_PAD,
|
|
|
fe0499 |
NFTA_SET_OBJ_TYPE,
|
|
|
fe0499 |
NFTA_SET_HANDLE,
|
|
|
fe0499 |
+ NFTA_SET_EXPR,
|
|
|
fe0499 |
+ NFTA_SET_EXPRESSIONS,
|
|
|
fe0499 |
__NFTA_SET_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
|
|
|
fe0499 |
@@ -347,9 +398,11 @@ enum nft_set_attributes {
|
|
|
fe0499 |
* enum nft_set_elem_flags - nf_tables set element flags
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
|
|
|
fe0499 |
+ * @NFT_SET_ELEM_CATCHALL: special catch-all element
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_set_elem_flags {
|
|
|
fe0499 |
NFT_SET_ELEM_INTERVAL_END = 0x1,
|
|
|
fe0499 |
+ NFT_SET_ELEM_CATCHALL = 0x2,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
@@ -363,6 +416,8 @@ enum nft_set_elem_flags {
|
|
|
fe0499 |
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
|
|
fe0499 |
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
|
|
fe0499 |
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
|
|
|
fe0499 |
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
|
|
|
fe0499 |
+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_set_elem_attributes {
|
|
|
fe0499 |
NFTA_SET_ELEM_UNSPEC,
|
|
|
fe0499 |
@@ -375,6 +430,8 @@ enum nft_set_elem_attributes {
|
|
|
fe0499 |
NFTA_SET_ELEM_EXPR,
|
|
|
fe0499 |
NFTA_SET_ELEM_PAD,
|
|
|
fe0499 |
NFTA_SET_ELEM_OBJREF,
|
|
|
fe0499 |
+ NFTA_SET_ELEM_KEY_END,
|
|
|
fe0499 |
+ NFTA_SET_ELEM_EXPRESSIONS,
|
|
|
fe0499 |
__NFTA_SET_ELEM_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
|
|
|
fe0499 |
@@ -440,11 +497,13 @@ enum nft_data_attributes {
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
|
|
|
fe0499 |
* @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
|
|
|
fe0499 |
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_verdict_attributes {
|
|
|
fe0499 |
NFTA_VERDICT_UNSPEC,
|
|
|
fe0499 |
NFTA_VERDICT_CODE,
|
|
|
fe0499 |
NFTA_VERDICT_CHAIN,
|
|
|
fe0499 |
+ NFTA_VERDICT_CHAIN_ID,
|
|
|
fe0499 |
__NFTA_VERDICT_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1)
|
|
|
fe0499 |
@@ -477,6 +536,20 @@ enum nft_immediate_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_bitwise_ops - nf_tables bitwise operations
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
|
|
|
fe0499 |
+ * XOR boolean operations
|
|
|
fe0499 |
+ * @NFT_BITWISE_LSHIFT: left-shift operation
|
|
|
fe0499 |
+ * @NFT_BITWISE_RSHIFT: right-shift operation
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_bitwise_ops {
|
|
|
fe0499 |
+ NFT_BITWISE_BOOL,
|
|
|
fe0499 |
+ NFT_BITWISE_LSHIFT,
|
|
|
fe0499 |
+ NFT_BITWISE_RSHIFT,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -485,16 +558,20 @@ enum nft_immediate_attributes {
|
|
|
fe0499 |
* @NFTA_BITWISE_LEN: length of operands (NLA_U32)
|
|
|
fe0499 |
* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
|
|
|
fe0499 |
* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
|
|
|
fe0499 |
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
|
|
|
fe0499 |
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations
|
|
|
fe0499 |
+ * (NLA_NESTED: nft_data_attributes)
|
|
|
fe0499 |
*
|
|
|
fe0499 |
- * The bitwise expression performs the following operation:
|
|
|
fe0499 |
+ * The bitwise expression supports boolean and shift operations. It implements
|
|
|
fe0499 |
+ * the boolean operations by performing the following operation:
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* dreg = (sreg & mask) ^ xor
|
|
|
fe0499 |
*
|
|
|
fe0499 |
- * which allow to express all bitwise operations:
|
|
|
fe0499 |
+ * with these mask and xor values:
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* mask xor
|
|
|
fe0499 |
* NOT: 1 1
|
|
|
fe0499 |
- * OR: 0 x
|
|
|
fe0499 |
+ * OR: ~x x
|
|
|
fe0499 |
* XOR: 1 x
|
|
|
fe0499 |
* AND: x 0
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
@@ -505,6 +582,8 @@ enum nft_bitwise_attributes {
|
|
|
fe0499 |
NFTA_BITWISE_LEN,
|
|
|
fe0499 |
NFTA_BITWISE_MASK,
|
|
|
fe0499 |
NFTA_BITWISE_XOR,
|
|
|
fe0499 |
+ NFTA_BITWISE_OP,
|
|
|
fe0499 |
+ NFTA_BITWISE_DATA,
|
|
|
fe0499 |
__NFTA_BITWISE_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
|
|
|
fe0499 |
@@ -631,10 +710,12 @@ enum nft_lookup_attributes {
|
|
|
fe0499 |
enum nft_dynset_ops {
|
|
|
fe0499 |
NFT_DYNSET_OP_ADD,
|
|
|
fe0499 |
NFT_DYNSET_OP_UPDATE,
|
|
|
fe0499 |
+ NFT_DYNSET_OP_DELETE,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
enum nft_dynset_flags {
|
|
|
fe0499 |
NFT_DYNSET_F_INV = (1 << 0),
|
|
|
fe0499 |
+ NFT_DYNSET_F_EXPR = (1 << 1),
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
@@ -648,6 +729,7 @@ enum nft_dynset_flags {
|
|
|
fe0499 |
* @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
|
|
|
fe0499 |
* @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
|
|
fe0499 |
* @NFTA_DYNSET_FLAGS: flags (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_dynset_attributes {
|
|
|
fe0499 |
NFTA_DYNSET_UNSPEC,
|
|
|
fe0499 |
@@ -660,6 +742,7 @@ enum nft_dynset_attributes {
|
|
|
fe0499 |
NFTA_DYNSET_EXPR,
|
|
|
fe0499 |
NFTA_DYNSET_PAD,
|
|
|
fe0499 |
NFTA_DYNSET_FLAGS,
|
|
|
fe0499 |
+ NFTA_DYNSET_EXPRESSIONS,
|
|
|
fe0499 |
__NFTA_DYNSET_MAX,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1)
|
|
|
fe0499 |
@@ -682,10 +765,12 @@ enum nft_payload_bases {
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFT_PAYLOAD_CSUM_NONE: no checksumming
|
|
|
fe0499 |
* @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
|
|
|
fe0499 |
+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_payload_csum_types {
|
|
|
fe0499 |
NFT_PAYLOAD_CSUM_NONE,
|
|
|
fe0499 |
NFT_PAYLOAD_CSUM_INET,
|
|
|
fe0499 |
+ NFT_PAYLOAD_CSUM_SCTP,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
enum nft_payload_csum_flags {
|
|
|
fe0499 |
@@ -727,10 +812,14 @@ enum nft_exthdr_flags {
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
|
|
|
fe0499 |
* @NFT_EXTHDR_OP_TCP: match against tcp options
|
|
|
fe0499 |
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
|
|
|
fe0499 |
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_exthdr_op {
|
|
|
fe0499 |
NFT_EXTHDR_OP_IPV6,
|
|
|
fe0499 |
NFT_EXTHDR_OP_TCPOPT,
|
|
|
fe0499 |
+ NFT_EXTHDR_OP_IPV4,
|
|
|
fe0499 |
+ NFT_EXTHDR_OP_SCTP,
|
|
|
fe0499 |
__NFT_EXTHDR_OP_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
|
|
|
fe0499 |
@@ -788,6 +877,15 @@ enum nft_exthdr_attributes {
|
|
|
fe0499 |
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
|
|
|
fe0499 |
* @NFT_META_PRANDOM: a 32bit pseudo-random number
|
|
|
fe0499 |
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
|
|
|
fe0499 |
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
|
|
|
fe0499 |
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
|
|
|
fe0499 |
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
|
|
|
fe0499 |
+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
|
|
|
fe0499 |
+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
|
|
|
fe0499 |
+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
|
|
|
fe0499 |
+ * @NFT_META_TIME_HOUR: hour of day (in seconds)
|
|
|
fe0499 |
+ * @NFT_META_SDIF: slave device interface index
|
|
|
fe0499 |
+ * @NFT_META_SDIFNAME: slave device interface name
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_meta_keys {
|
|
|
fe0499 |
NFT_META_LEN,
|
|
|
fe0499 |
@@ -816,6 +914,15 @@ enum nft_meta_keys {
|
|
|
fe0499 |
NFT_META_CGROUP,
|
|
|
fe0499 |
NFT_META_PRANDOM,
|
|
|
fe0499 |
NFT_META_SECPATH,
|
|
|
fe0499 |
+ NFT_META_IIFKIND,
|
|
|
fe0499 |
+ NFT_META_OIFKIND,
|
|
|
fe0499 |
+ NFT_META_BRI_IIFPVID,
|
|
|
fe0499 |
+ NFT_META_BRI_IIFVPROTO,
|
|
|
fe0499 |
+ NFT_META_TIME_NS,
|
|
|
fe0499 |
+ NFT_META_TIME_DAY,
|
|
|
fe0499 |
+ NFT_META_TIME_HOUR,
|
|
|
fe0499 |
+ NFT_META_SDIF,
|
|
|
fe0499 |
+ NFT_META_SDIFNAME,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
@@ -825,13 +932,17 @@ enum nft_meta_keys {
|
|
|
fe0499 |
* @NFT_RT_NEXTHOP4: routing nexthop for IPv4
|
|
|
fe0499 |
* @NFT_RT_NEXTHOP6: routing nexthop for IPv6
|
|
|
fe0499 |
* @NFT_RT_TCPMSS: fetch current path tcp mss
|
|
|
fe0499 |
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_rt_keys {
|
|
|
fe0499 |
NFT_RT_CLASSID,
|
|
|
fe0499 |
NFT_RT_NEXTHOP4,
|
|
|
fe0499 |
NFT_RT_NEXTHOP6,
|
|
|
fe0499 |
NFT_RT_TCPMSS,
|
|
|
fe0499 |
+ NFT_RT_XFRM,
|
|
|
fe0499 |
+ __NFT_RT_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
+#define NFT_RT_MAX (__NFT_RT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_hash_types - nf_tables hash expression types
|
|
|
fe0499 |
@@ -854,6 +965,8 @@ enum nft_hash_types {
|
|
|
fe0499 |
* @NFTA_HASH_SEED: seed value (NLA_U32)
|
|
|
fe0499 |
* @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
|
|
|
fe0499 |
* @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
|
|
|
fe0499 |
+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING)
|
|
|
fe0499 |
+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_hash_attributes {
|
|
|
fe0499 |
NFTA_HASH_UNSPEC,
|
|
|
fe0499 |
@@ -864,6 +977,8 @@ enum nft_hash_attributes {
|
|
|
fe0499 |
NFTA_HASH_SEED,
|
|
|
fe0499 |
NFTA_HASH_OFFSET,
|
|
|
fe0499 |
NFTA_HASH_TYPE,
|
|
|
fe0499 |
+ NFTA_HASH_SET_NAME, /* deprecated */
|
|
|
fe0499 |
+ NFTA_HASH_SET_ID, /* deprecated */
|
|
|
fe0499 |
__NFTA_HASH_MAX,
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1)
|
|
|
fe0499 |
@@ -898,6 +1013,39 @@ enum nft_rt_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_SOCKET_KEY: socket key to match
|
|
|
fe0499 |
+ * @NFTA_SOCKET_DREG: destination register
|
|
|
fe0499 |
+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_socket_attributes {
|
|
|
fe0499 |
+ NFTA_SOCKET_UNSPEC,
|
|
|
fe0499 |
+ NFTA_SOCKET_KEY,
|
|
|
fe0499 |
+ NFTA_SOCKET_DREG,
|
|
|
fe0499 |
+ NFTA_SOCKET_LEVEL,
|
|
|
fe0499 |
+ __NFTA_SOCKET_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+/*
|
|
|
fe0499 |
+ * enum nft_socket_keys - nf_tables socket expression keys
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
|
|
|
fe0499 |
+ * @NFT_SOCKET_MARK: Value of the socket mark
|
|
|
fe0499 |
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
|
|
|
fe0499 |
+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_socket_keys {
|
|
|
fe0499 |
+ NFT_SOCKET_TRANSPARENT,
|
|
|
fe0499 |
+ NFT_SOCKET_MARK,
|
|
|
fe0499 |
+ NFT_SOCKET_WILDCARD,
|
|
|
fe0499 |
+ NFT_SOCKET_CGROUPV2,
|
|
|
fe0499 |
+ __NFT_SOCKET_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_ct_keys - nf_tables ct expression keys
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -909,8 +1057,8 @@ enum nft_rt_attributes {
|
|
|
fe0499 |
* @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
|
|
|
fe0499 |
* @NFT_CT_HELPER: connection tracking helper assigned to conntrack
|
|
|
fe0499 |
* @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
|
|
|
fe0499 |
- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
|
|
|
fe0499 |
- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
|
|
|
fe0499 |
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
|
|
|
fe0499 |
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
|
|
|
fe0499 |
* @NFT_CT_PROTOCOL: conntrack layer 4 protocol
|
|
|
fe0499 |
* @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
|
|
|
fe0499 |
* @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
|
|
|
fe0499 |
@@ -920,6 +1068,11 @@ enum nft_rt_attributes {
|
|
|
fe0499 |
* @NFT_CT_AVGPKT: conntrack average bytes per packet
|
|
|
fe0499 |
* @NFT_CT_ZONE: conntrack zone
|
|
|
fe0499 |
* @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
|
|
|
fe0499 |
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
|
|
|
fe0499 |
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
|
|
|
fe0499 |
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
|
|
|
fe0499 |
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
|
|
|
fe0499 |
+ * @NFT_CT_ID: conntrack id
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_ct_keys {
|
|
|
fe0499 |
NFT_CT_STATE,
|
|
|
fe0499 |
@@ -941,7 +1094,14 @@ enum nft_ct_keys {
|
|
|
fe0499 |
NFT_CT_AVGPKT,
|
|
|
fe0499 |
NFT_CT_ZONE,
|
|
|
fe0499 |
NFT_CT_EVENTMASK,
|
|
|
fe0499 |
+ NFT_CT_SRC_IP,
|
|
|
fe0499 |
+ NFT_CT_DST_IP,
|
|
|
fe0499 |
+ NFT_CT_SRC_IP6,
|
|
|
fe0499 |
+ NFT_CT_DST_IP6,
|
|
|
fe0499 |
+ NFT_CT_ID,
|
|
|
fe0499 |
+ __NFT_CT_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
+#define NFT_CT_MAX (__NFT_CT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_ct_attributes - nf_tables ct expression netlink attributes
|
|
|
fe0499 |
@@ -1002,6 +1162,24 @@ enum nft_limit_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+enum nft_connlimit_flags {
|
|
|
fe0499 |
+ NFT_CONNLIMIT_F_INV = (1 << 0),
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_connlimit_attributes {
|
|
|
fe0499 |
+ NFTA_CONNLIMIT_UNSPEC,
|
|
|
fe0499 |
+ NFTA_CONNLIMIT_COUNT,
|
|
|
fe0499 |
+ NFTA_CONNLIMIT_FLAGS,
|
|
|
fe0499 |
+ __NFTA_CONNLIMIT_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_counter_attributes - nf_tables counter expression netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1017,6 +1195,21 @@ enum nft_counter_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_last_attributes - nf_tables last expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_last_attributes {
|
|
|
fe0499 |
+ NFTA_LAST_UNSPEC,
|
|
|
fe0499 |
+ NFTA_LAST_SET,
|
|
|
fe0499 |
+ NFTA_LAST_MSECS,
|
|
|
fe0499 |
+ NFTA_LAST_PAD,
|
|
|
fe0499 |
+ __NFTA_LAST_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_log_attributes - nf_tables log expression netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1039,6 +1232,33 @@ enum nft_log_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_log_level - nf_tables log levels
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_EMERG: system is unusable
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_CRIT: critical conditions
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_ERR: error conditions
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_WARNING: warning conditions
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_INFO: informational
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_DEBUG: debug-level messages
|
|
|
fe0499 |
+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_log_level {
|
|
|
fe0499 |
+ NFT_LOGLEVEL_EMERG,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_ALERT,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_CRIT,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_ERR,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_WARNING,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_NOTICE,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_INFO,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_DEBUG,
|
|
|
fe0499 |
+ NFT_LOGLEVEL_AUDIT,
|
|
|
fe0499 |
+ __NFT_LOGLEVEL_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1083,6 +1303,21 @@ enum nft_quota_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_secmark_attributes {
|
|
|
fe0499 |
+ NFTA_SECMARK_UNSPEC,
|
|
|
fe0499 |
+ NFTA_SECMARK_CTX,
|
|
|
fe0499 |
+ __NFTA_SECMARK_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+/* Max security context length */
|
|
|
fe0499 |
+#define NFT_SECMARK_CTX_MAXLEN 256
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_reject_types - nf_tables reject expression reject types
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1164,6 +1399,22 @@ enum nft_nat_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
|
|
|
fe0499 |
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
|
|
|
fe0499 |
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_tproxy_attributes {
|
|
|
fe0499 |
+ NFTA_TPROXY_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TPROXY_FAMILY,
|
|
|
fe0499 |
+ NFTA_TPROXY_REG_ADDR,
|
|
|
fe0499 |
+ NFTA_TPROXY_REG_PORT,
|
|
|
fe0499 |
+ __NFTA_TPROXY_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_masq_attributes - nf_tables masquerade expression attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1214,10 +1465,14 @@ enum nft_dup_attributes {
|
|
|
fe0499 |
* enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
* @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register)
|
|
|
fe0499 |
+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register)
|
|
|
fe0499 |
+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_fwd_attributes {
|
|
|
fe0499 |
NFTA_FWD_UNSPEC,
|
|
|
fe0499 |
NFTA_FWD_SREG_DEV,
|
|
|
fe0499 |
+ NFTA_FWD_SREG_ADDR,
|
|
|
fe0499 |
+ NFTA_FWD_NFPROTO,
|
|
|
fe0499 |
__NFTA_FWD_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1)
|
|
|
fe0499 |
@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+enum nft_ct_timeout_timeout_attributes {
|
|
|
fe0499 |
+ NFTA_CT_TIMEOUT_UNSPEC,
|
|
|
fe0499 |
+ NFTA_CT_TIMEOUT_L3PROTO,
|
|
|
fe0499 |
+ NFTA_CT_TIMEOUT_L4PROTO,
|
|
|
fe0499 |
+ NFTA_CT_TIMEOUT_DATA,
|
|
|
fe0499 |
+ __NFTA_CT_TIMEOUT_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_ct_expectation_attributes {
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_UNSPEC,
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_L3PROTO,
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_L4PROTO,
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_DPORT,
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_TIMEOUT,
|
|
|
fe0499 |
+ NFTA_CT_EXPECT_SIZE,
|
|
|
fe0499 |
+ __NFTA_CT_EXPECT_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
#define NFT_OBJECT_UNSPEC 0
|
|
|
fe0499 |
#define NFT_OBJECT_COUNTER 1
|
|
|
fe0499 |
#define NFT_OBJECT_QUOTA 2
|
|
|
fe0499 |
#define NFT_OBJECT_CT_HELPER 3
|
|
|
fe0499 |
#define NFT_OBJECT_LIMIT 4
|
|
|
fe0499 |
-#define __NFT_OBJECT_MAX 5
|
|
|
fe0499 |
+#define NFT_OBJECT_CONNLIMIT 5
|
|
|
fe0499 |
+#define NFT_OBJECT_TUNNEL 6
|
|
|
fe0499 |
+#define NFT_OBJECT_CT_TIMEOUT 7
|
|
|
fe0499 |
+#define NFT_OBJECT_SECMARK 8
|
|
|
fe0499 |
+#define NFT_OBJECT_CT_EXPECT 9
|
|
|
fe0499 |
+#define NFT_OBJECT_SYNPROXY 10
|
|
|
fe0499 |
+#define __NFT_OBJECT_MAX 11
|
|
|
fe0499 |
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes {
|
|
|
fe0499 |
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
|
|
|
fe0499 |
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
|
|
|
fe0499 |
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
|
|
|
fe0499 |
+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_object_attributes {
|
|
|
fe0499 |
NFTA_OBJ_UNSPEC,
|
|
|
fe0499 |
@@ -1329,10 +1611,24 @@ enum nft_object_attributes {
|
|
|
fe0499 |
NFTA_OBJ_USE,
|
|
|
fe0499 |
NFTA_OBJ_HANDLE,
|
|
|
fe0499 |
NFTA_OBJ_PAD,
|
|
|
fe0499 |
+ NFTA_OBJ_USERDATA,
|
|
|
fe0499 |
__NFTA_OBJ_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_flowtable_flags - nf_tables flowtable flags
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
|
|
|
fe0499 |
+ * @NFT_FLOWTABLE_COUNTER: enable flow counters
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_flowtable_flags {
|
|
|
fe0499 |
+ NFT_FLOWTABLE_HW_OFFLOAD = 0x1,
|
|
|
fe0499 |
+ NFT_FLOWTABLE_COUNTER = 0x2,
|
|
|
fe0499 |
+ NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD |
|
|
|
fe0499 |
+ NFT_FLOWTABLE_COUNTER)
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_flowtable_attributes - nf_tables flow table netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1341,6 +1637,7 @@ enum nft_object_attributes {
|
|
|
fe0499 |
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
|
|
|
fe0499 |
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
|
|
fe0499 |
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
|
|
fe0499 |
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_flowtable_attributes {
|
|
|
fe0499 |
NFTA_FLOWTABLE_UNSPEC,
|
|
|
fe0499 |
@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes {
|
|
|
fe0499 |
NFTA_FLOWTABLE_USE,
|
|
|
fe0499 |
NFTA_FLOWTABLE_HANDLE,
|
|
|
fe0499 |
NFTA_FLOWTABLE_PAD,
|
|
|
fe0499 |
+ NFTA_FLOWTABLE_FLAGS,
|
|
|
fe0499 |
__NFTA_FLOWTABLE_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
|
|
|
fe0499 |
@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_osf_attributes - nftables osf expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
|
|
|
fe0499 |
+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
|
|
|
fe0499 |
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_osf_attributes {
|
|
|
fe0499 |
+ NFTA_OSF_UNSPEC,
|
|
|
fe0499 |
+ NFTA_OSF_DREG,
|
|
|
fe0499 |
+ NFTA_OSF_TTL,
|
|
|
fe0499 |
+ NFTA_OSF_FLAGS,
|
|
|
fe0499 |
+ __NFTA_OSF_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_osf_flags {
|
|
|
fe0499 |
+ NFT_OSF_F_VERSION = (1 << 0),
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+/**
|
|
|
fe0499 |
+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
|
|
|
fe0499 |
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
|
|
|
fe0499 |
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_synproxy_attributes {
|
|
|
fe0499 |
+ NFTA_SYNPROXY_UNSPEC,
|
|
|
fe0499 |
+ NFTA_SYNPROXY_MSS,
|
|
|
fe0499 |
+ NFTA_SYNPROXY_WSCALE,
|
|
|
fe0499 |
+ NFTA_SYNPROXY_FLAGS,
|
|
|
fe0499 |
+ __NFTA_SYNPROXY_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_device_attributes - nf_tables device netlink attributes
|
|
|
fe0499 |
*
|
|
|
fe0499 |
@@ -1382,6 +1716,35 @@ enum nft_devices_attributes {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+/*
|
|
|
fe0499 |
+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
|
|
|
fe0499 |
+ *
|
|
|
fe0499 |
+ * @NFTA_XFRM_DREG: destination register (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_XFRM_DIR: direction (NLA_U8)
|
|
|
fe0499 |
+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
|
|
|
fe0499 |
+ */
|
|
|
fe0499 |
+enum nft_xfrm_attributes {
|
|
|
fe0499 |
+ NFTA_XFRM_UNSPEC,
|
|
|
fe0499 |
+ NFTA_XFRM_DREG,
|
|
|
fe0499 |
+ NFTA_XFRM_KEY,
|
|
|
fe0499 |
+ NFTA_XFRM_DIR,
|
|
|
fe0499 |
+ NFTA_XFRM_SPNUM,
|
|
|
fe0499 |
+ __NFTA_XFRM_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_xfrm_keys {
|
|
|
fe0499 |
+ NFT_XFRM_KEY_UNSPEC,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_DADDR_IP4,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_DADDR_IP6,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_SADDR_IP4,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_SADDR_IP6,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_REQID,
|
|
|
fe0499 |
+ NFT_XFRM_KEY_SPI,
|
|
|
fe0499 |
+ __NFT_XFRM_KEY_MAX,
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
/**
|
|
|
fe0499 |
* enum nft_trace_attributes - nf_tables trace netlink attributes
|
|
|
fe0499 |
@@ -1442,6 +1805,8 @@ enum nft_trace_types {
|
|
|
fe0499 |
* @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
|
|
|
fe0499 |
* @NFTA_NG_TYPE: operation type (NLA_U32)
|
|
|
fe0499 |
* @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
|
|
|
fe0499 |
+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING)
|
|
|
fe0499 |
+ * @NFTA_NG_SET_ID: id of the map (NLA_U32)
|
|
|
fe0499 |
*/
|
|
|
fe0499 |
enum nft_ng_attributes {
|
|
|
fe0499 |
NFTA_NG_UNSPEC,
|
|
|
fe0499 |
@@ -1449,6 +1814,8 @@ enum nft_ng_attributes {
|
|
|
fe0499 |
NFTA_NG_MODULUS,
|
|
|
fe0499 |
NFTA_NG_TYPE,
|
|
|
fe0499 |
NFTA_NG_OFFSET,
|
|
|
fe0499 |
+ NFTA_NG_SET_NAME, /* deprecated */
|
|
|
fe0499 |
+ NFTA_NG_SET_ID, /* deprecated */
|
|
|
fe0499 |
__NFTA_NG_MAX
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFTA_NG_MAX (__NFTA_NG_MAX - 1)
|
|
|
fe0499 |
@@ -1460,4 +1827,104 @@ enum nft_ng_types {
|
|
|
fe0499 |
};
|
|
|
fe0499 |
#define NFT_NG_MAX (__NFT_NG_MAX - 1)
|
|
|
fe0499 |
|
|
|
fe0499 |
+enum nft_tunnel_key_ip_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP_SRC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP_DST,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_IP_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_ip6_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP6_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP6_SRC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP6_DST,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_IP6_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_opts_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_OPTS_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_OPTS_VXLAN,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_OPTS_ERSPAN,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_OPTS_GENEVE,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_OPTS_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_opts_vxlan_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_VXLAN_GBP,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_VXLAN_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_opts_erspan_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ERSPAN_VERSION,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_ERSPAN_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_opts_geneve_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_GENEVE_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_GENEVE_CLASS,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_GENEVE_TYPE,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_GENEVE_DATA,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_GENEVE_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_flags {
|
|
|
fe0499 |
+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0),
|
|
|
fe0499 |
+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1),
|
|
|
fe0499 |
+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2),
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \
|
|
|
fe0499 |
+ NFT_TUNNEL_F_DONT_FRAGMENT | \
|
|
|
fe0499 |
+ NFT_TUNNEL_F_SEQ_NUMBER)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_key_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_ID,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_IP6,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_FLAGS,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_TOS,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_TTL,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_SPORT,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_DPORT,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY_OPTS,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_KEY_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_keys {
|
|
|
fe0499 |
+ NFT_TUNNEL_PATH,
|
|
|
fe0499 |
+ NFT_TUNNEL_ID,
|
|
|
fe0499 |
+ __NFT_TUNNEL_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_mode {
|
|
|
fe0499 |
+ NFT_TUNNEL_MODE_NONE,
|
|
|
fe0499 |
+ NFT_TUNNEL_MODE_RX,
|
|
|
fe0499 |
+ NFT_TUNNEL_MODE_TX,
|
|
|
fe0499 |
+ __NFT_TUNNEL_MODE_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
+enum nft_tunnel_attributes {
|
|
|
fe0499 |
+ NFTA_TUNNEL_UNSPEC,
|
|
|
fe0499 |
+ NFTA_TUNNEL_KEY,
|
|
|
fe0499 |
+ NFTA_TUNNEL_DREG,
|
|
|
fe0499 |
+ NFTA_TUNNEL_MODE,
|
|
|
fe0499 |
+ __NFTA_TUNNEL_MAX
|
|
|
fe0499 |
+};
|
|
|
fe0499 |
+#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1)
|
|
|
fe0499 |
+
|
|
|
fe0499 |
#endif /* _LINUX_NF_TABLES_H */
|
|
|
fe0499 |
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
|
fe0499 |
index ee003511ab7f3..4807090cc4306 100644
|
|
|
fe0499 |
--- a/iptables/nft.c
|
|
|
fe0499 |
+++ b/iptables/nft.c
|
|
|
fe0499 |
@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
|
|
|
fe0499 |
type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
|
|
|
fe0499 |
len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
|
|
|
fe0499 |
len &= ~(NETLINK_ALIGN - 1);
|
|
|
fe0499 |
- flags = NFT_SET_INTERVAL;
|
|
|
fe0499 |
+ flags = NFT_SET_INTERVAL | NFT_SET_CONCAT;
|
|
|
fe0499 |
}
|
|
|
fe0499 |
|
|
|
fe0499 |
s = add_anon_set(h, table, flags, type, len, cnt);
|
|
|
fe0499 |
--
|
|
|
fe0499 |
2.38.0
|
|
|
fe0499 |
|