[thirdparty/systemd.git] / src / shared / firewall-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <stdbool.h>
#include <stdint.h>

#include "conf-parser.h"
#include "in-addr-util.h"

typedef struct FirewallContext FirewallContext;

int fw_ctx_new(FirewallContext **ret);
int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
FirewallContext *fw_ctx_free(FirewallContext *ctx);

DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);

size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);

int fw_add_masquerade(
                FirewallContext **ctx,
                bool add,
                int af,
                const union in_addr_union *source,
                unsigned source_prefixlen);

int fw_add_local_dnat(
                FirewallContext **ctx,
                bool add,
                int af,
                int protocol,
                uint16_t local_port,
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote);

typedef enum NFTSetSource {
        NFT_SET_SOURCE_ADDRESS,
        NFT_SET_SOURCE_PREFIX,
        NFT_SET_SOURCE_IFINDEX,
        NFT_SET_SOURCE_CGROUP,
        NFT_SET_SOURCE_USER,
        NFT_SET_SOURCE_GROUP,
        _NFT_SET_SOURCE_MAX,
        _NFT_SET_SOURCE_INVALID = -EINVAL,
} NFTSetSource;

typedef struct NFTSet {
        NFTSetSource source;
        int nfproto;
        char *table;
        char *set;
} NFTSet;

typedef struct NFTSetContext {
        NFTSet *sets;
        size_t n_sets;
} NFTSetContext;

void nft_set_context_clear(NFTSetContext *s);
int nft_set_context_dup(const NFTSetContext *src, NFTSetContext *dst);

const char *nfproto_to_string(int i) _const_;
int nfproto_from_string(const char *s) _pure_;

const char *nft_set_source_to_string(int i) _const_;
int nft_set_source_from_string(const char *s) _pure_;

int nft_set_element_modify_iprange(
                FirewallContext *ctx,
                bool add,
                int nfproto,
                int af,
                const char *table,
                const char *set,
                const union in_addr_union *source,
                unsigned int source_prefixlen);

int nft_set_element_modify_ip(
                FirewallContext *ctx,
                bool add,
                int nfproto,
                int af,
                const char *table,
                const char *set,
                const union in_addr_union *source);

int nft_set_element_modify_any(
                FirewallContext *ctx,
                bool add,
                int nfproto,
                const char *table,
                const char *set,
                const void *element,
                size_t element_size);

int nft_set_add(NFTSetContext *s, NFTSetSource source, int nfproto, const char *table, const char *set);

typedef enum NFTSetParseFlags {
        NFT_SET_PARSE_NETWORK,
        NFT_SET_PARSE_CGROUP,
} NFTSetParseFlags;

CONFIG_PARSER_PROTOTYPE(config_parse_nft_set);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
76917807 LP	2	#pragma once
76917807 LP	3
a8fbdf54 TA	4	#include <stdbool.h>
	5	#include <stdint.h>
	6
fc289dd0	7	#include "conf-parser.h"
76917807 LP	8	#include "in-addr-util.h"
76917807 LP	9
761cf19d FW	10	typedef struct FirewallContext FirewallContext;
	11
	12	int fw_ctx_new(FirewallContext **ret);
274ffe1a	13	int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
da00b840	14	FirewallContext fw_ctx_free(FirewallContext ctx);
761cf19d FW	15
	16	DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
	17
b3a4f4f0 YW	18	size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
b3a4f4f0 YW	19
76917807	20	int fw_add_masquerade(
da00b840	21	FirewallContext **ctx,
76917807 LP	22	bool add,
76917807 LP	23	int af,
76917807	24	const union in_addr_union *source,
7509c7fd	25	unsigned source_prefixlen);
76917807 LP	26
76917807 LP	27	int fw_add_local_dnat(
da00b840	28	FirewallContext **ctx,
76917807 LP	29	bool add,
	30	int af,
	31	int protocol,
76917807 LP	32	uint16_t local_port,
	33	const union in_addr_union *remote,
	34	uint16_t remote_port,
	35	const union in_addr_union *previous_remote);
94096580	36
fc289dd0 TM	37	typedef enum NFTSetSource {
	38	NFT_SET_SOURCE_ADDRESS,
	39	NFT_SET_SOURCE_PREFIX,
	40	NFT_SET_SOURCE_IFINDEX,
dc7d69b3	41	NFT_SET_SOURCE_CGROUP,
3bb48b19 TM	42	NFT_SET_SOURCE_USER,
3bb48b19 TM	43	NFT_SET_SOURCE_GROUP,
fc289dd0 TM	44	_NFT_SET_SOURCE_MAX,
fc289dd0 TM	45	_NFT_SET_SOURCE_INVALID = -EINVAL,
07e8c305	46	} NFTSetSource;
fc289dd0 TM	47
	48	typedef struct NFTSet {
	49	NFTSetSource source;
	50	int nfproto;
	51	char *table;
	52	char *set;
	53	} NFTSet;
	54
	55	typedef struct NFTSetContext {
	56	NFTSet *sets;
	57	size_t n_sets;
	58	} NFTSetContext;
	59
	60	void nft_set_context_clear(NFTSetContext *s);
	61	int nft_set_context_dup(const NFTSetContext src, NFTSetContext dst);
	62
	63	const char *nfproto_to_string(int i) _const_;
	64	int nfproto_from_string(const char *s) _pure_;
	65
	66	const char *nft_set_source_to_string(int i) _const_;
	67	int nft_set_source_from_string(const char *s) _pure_;
	68
94096580 TM	69	int nft_set_element_modify_iprange(
	70	FirewallContext *ctx,
	71	bool add,
	72	int nfproto,
	73	int af,
	74	const char *table,
	75	const char *set,
	76	const union in_addr_union *source,
	77	unsigned int source_prefixlen);
fc289dd0 TM	78
	79	int nft_set_element_modify_ip(
	80	FirewallContext *ctx,
	81	bool add,
	82	int nfproto,
	83	int af,
	84	const char *table,
	85	const char *set,
	86	const union in_addr_union *source);
	87
	88	int nft_set_element_modify_any(
	89	FirewallContext *ctx,
	90	bool add,
	91	int nfproto,
	92	const char *table,
	93	const char *set,
	94	const void *element,
	95	size_t element_size);
	96
dc7d69b3 TM	97	int nft_set_add(NFTSetContext s, NFTSetSource source, int nfproto, const char table, const char *set);
	98
	99	typedef enum NFTSetParseFlags {
	100	NFT_SET_PARSE_NETWORK,
	101	NFT_SET_PARSE_CGROUP,
	102	} NFTSetParseFlags;
	103
fc289dd0	104	CONFIG_PARSER_PROTOTYPE(config_parse_nft_set);