1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 #pragma once
3
4 #include <stdbool.h>
5 #include <stdint.h>
6
7 #include "conf-parser.h"
8 #include "in-addr-util.h"
9
/* Opaque handle for the firewall backend. Only the typedef is public; the struct is defined
 * in the implementation file, so callers can hold and pass pointers but never inspect it. */
typedef struct FirewallContext FirewallContext;

/* Lifecycle of a FirewallContext. The return conventions are not stated in this header;
 * they presumably follow the usual systemd rule (>= 0 on success, negative errno on
 * failure) — confirm against the implementation before relying on specific codes. */
int fw_ctx_new(FirewallContext **ret);
/* Same as fw_ctx_new(), but lets the caller decide via init_tables whether backend tables are
 * set up during allocation. What table initialisation entails is not visible here. */
int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
/* Releases ctx. NOTE(review): the pointer return type is what DEFINE_TRIVIAL_CLEANUP_FUNC below
 * expects of a *_free() function, which by systemd convention returns NULL — verify. */
FirewallContext *fw_ctx_free(FirewallContext *ctx);

/* Generates fw_ctx_freep(), the helper used with _cleanup_(fw_ctx_freep) so a context is
 * released automatically when the owning variable goes out of scope. */
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);

/* Presumably the number of reply callbacks still registered on ctx (e.g. for in-flight
 * netlink requests); the header does not define what a "reply callback" is — confirm. */
size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
19
/* Adds (add == true) or removes (add == false) a masquerading rule for the source range
 * source/source_prefixlen of address family af.
 *
 * ctx is passed by address; presumably a NULL *ctx is allocated on demand and handed back to
 * the caller — TODO confirm in firewall-util.c, as it affects who owns the context.
 *
 * NOTE(review): nothing in this declaration bounds source_prefixlen to the family
 * (<= 32 for AF_INET, <= 128 for AF_INET6); callers feeding configuration-derived values
 * should validate before calling unless the implementation is confirmed to do so. */
int fw_add_masquerade(
        FirewallContext **ctx,
        bool add,
        int af,
        const union in_addr_union *source,
        unsigned source_prefixlen);
26
/* Adds or removes a local DNAT rule: traffic arriving on local_port for the given af/protocol
 * is redirected to remote:remote_port.
 *
 * previous_remote is presumably the remote address of an earlier rule for the same local port,
 * so that a changed target can be swapped atomically rather than leaving two rules behind —
 * confirm whether NULL is accepted here and what it means.
 *
 * ctx follows the same double-pointer ownership pattern as fw_add_masquerade(). Ports are
 * taken as host-order uint16_t; any byte-order conversion happens inside the implementation. */
int fw_add_local_dnat(
        FirewallContext **ctx,
        bool add,
        int af,
        int protocol,
        uint16_t local_port,
        const union in_addr_union *remote,
        uint16_t remote_port,
        const union in_addr_union *previous_remote);
36
/* What kind of value an nftables set managed through this API is keyed by. Each enumerator
 * names the property of a unit/network that will be inserted as a set element. */
typedef enum NFTSetSource {
        NFT_SET_SOURCE_ADDRESS,
        NFT_SET_SOURCE_PREFIX,
        NFT_SET_SOURCE_IFINDEX,
        NFT_SET_SOURCE_CGROUP,
        NFT_SET_SOURCE_USER,
        NFT_SET_SOURCE_GROUP,
        /* Sentinel: one past the last valid value; use it for array sizing and range checks. */
        _NFT_SET_SOURCE_MAX,
        /* Negative sentinel returned for unrecognised input; presumably what
         * nft_set_source_from_string() yields on failure. The ordering of the enumerators
         * above must stay in sync with the string table in the implementation. */
        _NFT_SET_SOURCE_INVALID = -EINVAL,
} NFTSetSource;
47
/* One configured nftables set reference: which property feeds it (source), the nftables
 * protocol family it lives in (nfproto), and the table/set names addressing it. */
typedef struct NFTSet {
        NFTSetSource source;
        int nfproto;
        /* table and set are non-const char*, so they are presumably heap-allocated and owned by
         * the struct (released by nft_set_context_clear()) — confirm before sharing pointers. */
        char *table;
        char *set;
} NFTSet;
54
/* Growable array of NFTSet entries; sets has n_sets valid elements. A zero-initialised
 * NFTSetContext (sets == NULL, n_sets == 0) is the empty state. */
typedef struct NFTSetContext {
        NFTSet *sets;
        size_t n_sets;
} NFTSetContext;
59
/* Releases everything owned by s and returns it to the empty state; s itself is not freed. */
void nft_set_context_clear(NFTSetContext *s);
/* Deep-copies src into dst. Returns an int, presumably 0 on success and a negative errno on
 * allocation failure — confirm, and check whether dst is expected to be empty on entry. */
int nft_set_context_dup(const NFTSetContext *src, NFTSetContext *dst);
62
/* String table lookups for the nftables protocol family and for NFTSetSource.
 *
 * _const_ / _pure_ are the systemd attribute macros: the *_to_string() functions depend only on
 * their argument (so the compiler may fold or CSE calls), the *_from_string() functions may
 * also read the string they are given. The *_to_string() variants take a plain int so that an
 * out-of-range value can be passed; presumably NULL comes back in that case — confirm. */
const char *nfproto_to_string(int i) _const_;
int nfproto_from_string(const char *s) _pure_;

const char *nft_set_source_to_string(int i) _const_;
int nft_set_source_from_string(const char *s) _pure_;
68
/* Adds or removes the address range source/source_prefixlen as an element of set `set` in
 * table `table` of the nftables family nfproto.
 *
 * Note the two family arguments: nfproto selects the nftables table family, af is the address
 * family of *source. They need not be equal (e.g. an "inet" table can hold both), which is
 * presumably why both are passed — confirm which combinations the implementation accepts.
 *
 * NOTE(review): as with fw_add_masquerade(), source_prefixlen is not bounded here; callers
 * should validate it against af. */
int nft_set_element_modify_iprange(
        FirewallContext *ctx,
        bool add,
        int nfproto,
        int af,
        const char *table,
        const char *set,
        const union in_addr_union *source,
        unsigned int source_prefixlen);
78
/* Single-address variant of nft_set_element_modify_iprange(): adds or removes exactly *source
 * (family af) as an element of table/set in nftables family nfproto. */
int nft_set_element_modify_ip(
        FirewallContext *ctx,
        bool add,
        int nfproto,
        int af,
        const char *table,
        const char *set,
        const union in_addr_union *source);
87
/* Untyped variant: adds or removes element_size raw bytes at element as a set element.
 *
 * The bytes are handed through as the set's key, so element_size must match the key length
 * the set was created with (e.g. sizeof(uint32_t) for an ifindex or uid set); nothing in this
 * API can check that for the caller. Prefer the typed *_ip/*_iprange variants for addresses. */
int nft_set_element_modify_any(
        FirewallContext *ctx,
        bool add,
        int nfproto,
        const char *table,
        const char *set,
        const void *element,
        size_t element_size);
96
/* Appends an NFTSet entry (source, nfproto, table, set) to s. The table/set strings are taken
 * as const char*, so they are presumably copied rather than retained — confirm. Returns an
 * int, presumably negative errno on failure. */
int nft_set_add(NFTSetContext *s, NFTSetSource source, int nfproto, const char *table, const char *set);
98
/* Selects which flavour of NFTSet= setting config_parse_nft_set() is parsing; presumably this
 * controls which NFTSetSource values are accepted for a network vs. a cgroup/unit context.
 * It is expected to be passed through the parser's ltype argument — confirm at the call sites. */
typedef enum NFTSetParseFlags {
        NFT_SET_PARSE_NETWORK,
        NFT_SET_PARSE_CGROUP,
} NFTSetParseFlags;
103
/* Declares config_parse_nft_set() with the standard conf-parser signature (unit, filename,
 * line, section, section_line, lvalue, ltype, rvalue, data, userdata). data is expected to
 * point at an NFTSetContext; input is untrusted configuration text, so the parser is where
 * table/set names and the source keyword must be validated before they reach the kernel. */
CONFIG_PARSER_PROTOTYPE(config_parse_nft_set);