authorLorenzo Colitti <lorenzo@google.com>2017-03-24 06:32:41 +0000
committerandroid-build-merger <android-build-merger@google.com>2017-03-24 06:32:41 +0000
commite20d6bf62b07e455e15b3d8982fb83dc99b9e564 (patch)
tree4400fe0ba9baae676633293796954b4061726d5d /iptables/nft-shared.h
parenta1ffd5ecfa5d72c6dc4cfaf11653d61e3e9083bc (diff)
parentff45753ae3c3108c6c93ec132f7cf62190f9c628 (diff)
Merge changes from topic 'iptables-1.6.1' am: c784fc47e6
am: ff45753ae3 Change-Id: Ic463667ae6ac346f8eae4b6ca18888dcd24b9d6d
Diffstat (limited to 'iptables/nft-shared.h')
-rw-r--r--iptables/nft-shared.h272
1 files changed, 272 insertions, 0 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
new file mode 100644
index 00000000..c0948fd4
--- /dev/null
+++ b/iptables/nft-shared.h
@@ -0,0 +1,272 @@
+#ifndef _NFT_SHARED_H_
+#define _NFT_SHARED_H_
+
+#include <stdbool.h>
+
+#include <libnftnl/rule.h>
+#include <libnftnl/expr.h>
+
+#include <linux/netfilter_arp/arp_tables.h>
+
+#include "xshared.h"
+
+#if 0
+#define DEBUGP(x, args...) fprintf(stdout, x, ## args)
+#define NLDEBUG
+#define DEBUG_DEL
+#else
+#define DEBUGP(x, args...)
+#endif
+
+/*
+ * iptables print output emulation
+ */
+
+#define FMT_NUMERIC 0x0001
+#define FMT_NOCOUNTS 0x0002
+#define FMT_KILOMEGAGIGA 0x0004
+#define FMT_OPTIONS 0x0008
+#define FMT_NOTABLE 0x0010
+#define FMT_NOTARGET 0x0020
+#define FMT_VIA 0x0040
+#define FMT_NONEWLINE 0x0080
+#define FMT_LINENUMBERS 0x0100
+
+#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
+ | FMT_NUMERIC | FMT_NOTABLE)
+#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
+
+struct xtables_args;
+struct xt_xlate;
+
+enum {
+ NFT_XT_CTX_PAYLOAD = (1 << 0),
+ NFT_XT_CTX_META = (1 << 1),
+ NFT_XT_CTX_BITWISE = (1 << 2),
+};
+
+struct nft_xt_ctx {
+ union {
+ struct iptables_command_state *cs;
+ struct arptables_command_state *cs_arp;
+ struct ebtables_command_state *cs_eb;
+ } state;
+ struct nftnl_expr_iter *iter;
+ int family;
+ uint32_t flags;
+
+ uint32_t reg;
+ struct {
+ uint32_t offset;
+ uint32_t len;
+ } payload;
+ struct {
+ uint32_t key;
+ } meta;
+ struct {
+ uint32_t mask[4];
+ uint32_t xor[4];
+ } bitwise;
+};
+
+struct nft_family_ops {
+ int (*add)(struct nftnl_rule *r, void *data);
+ bool (*is_same)(const void *data_a,
+ const void *data_b);
+ void (*print_payload)(struct nftnl_expr *e,
+ struct nftnl_expr_iter *iter);
+ void (*parse_meta)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data);
+ void (*parse_payload)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data);
+ void (*parse_bitwise)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data);
+ void (*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data);
+ void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
+
+ void (*print_table_header)(const char *tablename);
+ void (*print_header)(unsigned int format, const char *chain,
+ const char *pol,
+ const struct xt_counters *counters, bool basechain,
+ uint32_t refs);
+ void (*print_firewall)(struct nftnl_rule *r, unsigned int num,
+ unsigned int format);
+ void (*save_firewall)(const void *data, unsigned int format);
+ void (*save_counters)(const void *data);
+ void (*proto_parse)(struct iptables_command_state *cs,
+ struct xtables_args *args);
+ void (*post_parse)(int command, struct iptables_command_state *cs,
+ struct xtables_args *args);
+ void (*parse_match)(struct xtables_match *m, void *data);
+ void (*parse_target)(struct xtables_target *t, void *data);
+ bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
+ void *data);
+ int (*xlate)(const void *data, struct xt_xlate *xl);
+};
+
+void add_meta(struct nftnl_rule *r, uint32_t key);
+void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base);
+void add_bitwise_u16(struct nftnl_rule *r, int mask, int xor);
+void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len);
+void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op);
+void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
+void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op);
+void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op);
+void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op);
+void add_addr(struct nftnl_rule *r, int offset,
+ void *data, void *mask, size_t len, uint32_t op);
+void add_proto(struct nftnl_rule *r, int offset, size_t len,
+ uint8_t proto, uint32_t op);
+void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
+
+bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+ unsigned const char *a_iniface_mask,
+ unsigned const char *a_outiface_mask,
+ const char *b_iniface, const char *b_outiface,
+ unsigned const char *b_iniface_mask,
+ unsigned const char *b_outiface_mask);
+
+int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
+ unsigned char *iniface_mask, char *outiface,
+ unsigned char *outiface_mask, uint8_t *invflags);
+void print_proto(uint16_t proto, int invert);
+void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
+void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
+void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
+void nft_rule_to_iptables_command_state(struct nftnl_rule *r,
+ struct iptables_command_state *cs);
+void print_header(unsigned int format, const char *chain, const char *pol,
+ const struct xt_counters *counters, bool basechain,
+ uint32_t refs);
+void print_firewall_details(const struct iptables_command_state *cs,
+ const char *targname, uint8_t flags,
+ uint8_t invflags, uint8_t proto,
+ unsigned int num, unsigned int format);
+void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
+ unsigned int format);
+void print_matches_and_target(struct iptables_command_state *cs,
+ unsigned int format);
+void save_firewall_details(const struct iptables_command_state *cs,
+ uint8_t invflags, uint16_t proto,
+ const char *iniface,
+ unsigned const char *iniface_mask,
+ const char *outiface,
+ unsigned const char *outiface_mask);
+void save_counters(uint64_t pcnt, uint64_t bcnt);
+void save_matches_and_target(struct xtables_rule_match *m,
+ struct xtables_target *target,
+ const char *jumpto,
+ uint8_t flags, const void *fw);
+
+struct nft_family_ops *nft_family_ops_lookup(int family);
+
+struct nft_handle;
+bool nft_ipv46_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+ struct iptables_command_state *cs);
+
+bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
+bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
+
+struct addr_mask {
+ union {
+ struct in_addr *v4;
+ struct in6_addr *v6;
+ } addr;
+
+ unsigned int naddrs;
+
+ union {
+ struct in_addr *v4;
+ struct in6_addr *v6;
+ } mask;
+};
+
+struct xtables_args {
+ int family;
+ uint16_t proto;
+ uint8_t flags;
+ uint8_t invflags;
+ char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+ unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+ bool goto_set;
+ const char *shostnetworkmask, *dhostnetworkmask;
+ const char *pcnt, *bcnt;
+ struct addr_mask s, d;
+ unsigned long long pcnt_cnt, bcnt_cnt;
+};
+
+#define CMD_NONE 0x0000U
+#define CMD_INSERT 0x0001U
+#define CMD_DELETE 0x0002U
+#define CMD_DELETE_NUM 0x0004U
+#define CMD_REPLACE 0x0008U
+#define CMD_APPEND 0x0010U
+#define CMD_LIST 0x0020U
+#define CMD_FLUSH 0x0040U
+#define CMD_ZERO 0x0080U
+#define CMD_NEW_CHAIN 0x0100U
+#define CMD_DELETE_CHAIN 0x0200U
+#define CMD_SET_POLICY 0x0400U
+#define CMD_RENAME_CHAIN 0x0800U
+#define CMD_LIST_RULES 0x1000U
+#define CMD_ZERO_NUM 0x2000U
+#define CMD_CHECK 0x4000U
+
+struct nft_xt_cmd_parse {
+ unsigned int command;
+ unsigned int rulenum;
+ char *table;
+ char *chain;
+ char *newname;
+ char *policy;
+ bool restore;
+ int verbose;
+};
+
+void do_parse(struct nft_handle *h, int argc, char *argv[],
+ struct nft_xt_cmd_parse *p, struct iptables_command_state *cs,
+ struct xtables_args *args);
+
+struct nft_xt_restore_parse {
+ FILE *in;
+ int testing;
+ const char *tablename;
+};
+
+struct nftnl_chain_list;
+
+struct nft_xt_restore_cb {
+ void (*table_new)(struct nft_handle *h, const char *table);
+ struct nftnl_chain_list *(*chain_list)(struct nft_handle *h);
+ int (*chains_purge)(struct nft_handle *h, const char *table,
+ struct nftnl_chain_list *clist);
+ void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable,
+ const char *chain);
+ int (*chain_set)(struct nft_handle *h, const char *table,
+ const char *chain, const char *policy,
+ const struct xt_counters *counters);
+ int (*chain_user_add)(struct nft_handle *h, const char *chain,
+ const char *table);
+
+ int (*rule_flush)(struct nft_handle *h, const char *chain, const char *table);
+
+ int (*do_command)(struct nft_handle *h, int argc, char *argv[],
+ char **table, bool restore);
+
+ int (*commit)(struct nft_handle *h);
+ int (*abort)(struct nft_handle *h);
+};
+
+void xtables_restore_parse(struct nft_handle *h,
+ struct nft_xt_restore_parse *p,
+ struct nft_xt_restore_cb *cb,
+ int argc, char *argv[]);
+
+#endif
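Review bot: The new header is not self-contained: it uses `FILE` (in `struct nft_xt_restore_parse`), `uint32_t`/`uint8_t`/`size_t`, `IFNAMSIZ` and `struct in_addr`/`struct in6_addr`, yet only `<stdbool.h>`, the two libnftnl headers, `arp_tables.h` and `xshared.h` are included, so a translation unit that includes nft-shared.h first compiles only if one of those happens to pull the rest in transitively. Add `#include <stdint.h>`, `#include <stdio.h>` and `#include <netinet/in.h>` (plus `<net/if.h>` for IFNAMSIZ) next to `<stdbool.h>` so the header declares its own dependencies. Separately, the `FMT(tab,notab)` macro reads a variable named `format` that is not among its arguments, which deserves a comment such as `/* requires an 'unsigned int format' in scope at the use site */`. The `parse_meta()` prototype also takes `iniface`/`iniface_mask`/`outiface`/`outiface_mask` with no length parameter; if the implementation assumes IFNAMSIZ-sized buffers as `struct xtables_args` suggests, a comment on the prototype, e.g. `/* iface buffers and masks must be at least IFNAMSIZ bytes */`, pins that contract for callers.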