2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
75 case NFT_VALIDATE_NEED:
78 if (new_validate_state == NFT_VALIDATE_NEED)
82 net->nft.validate_state = new_validate_state;
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
87 static void nft_ctx_init(struct nft_ctx *ctx,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 trans->msg_type = msg_type;
122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
139 if (!nft_set_is_anonymous(set))
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 if (trans->msg_type == NFT_MSG_NEWSET &&
144 nft_trans_set(trans) == set) {
151 static int nf_tables_register_hook(struct net *net,
152 const struct nft_table *table,
153 struct nft_chain *chain)
155 const struct nft_base_chain *basechain;
156 const struct nf_hook_ops *ops;
158 if (table->flags & NFT_TABLE_F_DORMANT ||
159 !nft_is_base_chain(chain))
162 basechain = nft_base_chain(chain);
163 ops = &basechain->ops;
165 if (basechain->type->ops_register)
166 return basechain->type->ops_register(net, ops);
168 return nf_register_net_hook(net, ops);
171 static void nf_tables_unregister_hook(struct net *net,
172 const struct nft_table *table,
173 struct nft_chain *chain)
175 const struct nft_base_chain *basechain;
176 const struct nf_hook_ops *ops;
178 if (table->flags & NFT_TABLE_F_DORMANT ||
179 !nft_is_base_chain(chain))
181 basechain = nft_base_chain(chain);
182 ops = &basechain->ops;
184 if (basechain->type->ops_unregister)
185 return basechain->type->ops_unregister(net, ops);
187 nf_unregister_net_hook(net, ops);
190 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
192 struct nft_trans *trans;
194 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
198 if (msg_type == NFT_MSG_NEWTABLE)
199 nft_activate_next(ctx->net, ctx->table);
201 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
205 static int nft_deltable(struct nft_ctx *ctx)
209 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
213 nft_deactivate_next(ctx->net, ctx->table);
217 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
219 struct nft_trans *trans;
221 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
225 if (msg_type == NFT_MSG_NEWCHAIN)
226 nft_activate_next(ctx->net, ctx->chain);
228 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
232 static int nft_delchain(struct nft_ctx *ctx)
236 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
241 nft_deactivate_next(ctx->net, ctx->chain);
246 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
247 struct nft_rule *rule)
249 struct nft_expr *expr;
251 expr = nft_expr_first(rule);
252 while (expr != nft_expr_last(rule) && expr->ops) {
253 if (expr->ops->activate)
254 expr->ops->activate(ctx, expr);
256 expr = nft_expr_next(expr);
260 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
261 struct nft_rule *rule,
262 enum nft_trans_phase phase)
264 struct nft_expr *expr;
266 expr = nft_expr_first(rule);
267 while (expr != nft_expr_last(rule) && expr->ops) {
268 if (expr->ops->deactivate)
269 expr->ops->deactivate(ctx, expr, phase);
271 expr = nft_expr_next(expr);
276 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
278 /* You cannot delete the same rule twice */
279 if (nft_is_active_next(ctx->net, rule)) {
280 nft_deactivate_next(ctx->net, rule);
287 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
288 struct nft_rule *rule)
290 struct nft_trans *trans;
292 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
296 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
297 nft_trans_rule_id(trans) =
298 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
300 nft_trans_rule(trans) = rule;
301 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
306 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
308 struct nft_trans *trans;
311 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
315 err = nf_tables_delrule_deactivate(ctx, rule);
317 nft_trans_destroy(trans);
320 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
325 static int nft_delrule_by_chain(struct nft_ctx *ctx)
327 struct nft_rule *rule;
330 list_for_each_entry(rule, &ctx->chain->rules, list) {
331 if (!nft_is_active_next(ctx->net, rule))
334 err = nft_delrule(ctx, rule);
341 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
344 struct nft_trans *trans;
346 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
350 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
351 nft_trans_set_id(trans) =
352 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
353 nft_activate_next(ctx->net, set);
355 nft_trans_set(trans) = set;
356 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
361 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
365 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
369 nft_deactivate_next(ctx->net, set);
375 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
376 struct nft_object *obj)
378 struct nft_trans *trans;
380 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
384 if (msg_type == NFT_MSG_NEWOBJ)
385 nft_activate_next(ctx->net, obj);
387 nft_trans_obj(trans) = obj;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
397 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
401 nft_deactivate_next(ctx->net, obj);
407 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
408 struct nft_flowtable *flowtable)
410 struct nft_trans *trans;
412 trans = nft_trans_alloc(ctx, msg_type,
413 sizeof(struct nft_trans_flowtable));
417 if (msg_type == NFT_MSG_NEWFLOWTABLE)
418 nft_activate_next(ctx->net, flowtable);
420 nft_trans_flowtable(trans) = flowtable;
421 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
426 static int nft_delflowtable(struct nft_ctx *ctx,
427 struct nft_flowtable *flowtable)
431 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
435 nft_deactivate_next(ctx->net, flowtable);
445 static struct nft_table *nft_table_lookup(const struct net *net,
446 const struct nlattr *nla,
447 u8 family, u8 genmask)
449 struct nft_table *table;
452 return ERR_PTR(-EINVAL);
454 list_for_each_entry_rcu(table, &net->nft.tables, list) {
455 if (!nla_strcmp(nla, table->name) &&
456 table->family == family &&
457 nft_active_genmask(table, genmask))
461 return ERR_PTR(-ENOENT);
464 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
465 const struct nlattr *nla,
468 struct nft_table *table;
470 list_for_each_entry(table, &net->nft.tables, list) {
471 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
472 nft_active_genmask(table, genmask))
476 return ERR_PTR(-ENOENT);
479 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
481 return ++table->hgenerator;
484 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
486 static const struct nft_chain_type *
487 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
491 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
492 if (chain_type[family][i] != NULL &&
493 !nla_strcmp(nla, chain_type[family][i]->name))
494 return chain_type[family][i];
500 * Loading a module requires dropping mutex that guards the
502 * We first need to abort any pending transactions as once
503 * mutex is unlocked a different client could start a new
504 * transaction. It must not see any 'future generation'
505 * changes * as these changes will never happen.
507 #ifdef CONFIG_MODULES
508 static int __nf_tables_abort(struct net *net);
510 static void nft_request_module(struct net *net, const char *fmt, ...)
512 char module_name[MODULE_NAME_LEN];
516 __nf_tables_abort(net);
519 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
521 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
524 mutex_unlock(&net->nft.commit_mutex);
525 request_module("%s", module_name);
526 mutex_lock(&net->nft.commit_mutex);
530 static void lockdep_nfnl_nft_mutex_not_held(void)
532 #ifdef CONFIG_PROVE_LOCKING
533 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
537 static const struct nft_chain_type *
538 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
539 u8 family, bool autoload)
541 const struct nft_chain_type *type;
543 type = __nf_tables_chain_type_lookup(nla, family);
547 lockdep_nfnl_nft_mutex_not_held();
548 #ifdef CONFIG_MODULES
550 nft_request_module(net, "nft-chain-%u-%.*s", family,
551 nla_len(nla), (const char *)nla_data(nla));
552 type = __nf_tables_chain_type_lookup(nla, family);
554 return ERR_PTR(-EAGAIN);
557 return ERR_PTR(-ENOENT);
560 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
561 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
562 .len = NFT_TABLE_MAXNAMELEN - 1 },
563 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
564 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
567 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
568 u32 portid, u32 seq, int event, u32 flags,
569 int family, const struct nft_table *table)
571 struct nlmsghdr *nlh;
572 struct nfgenmsg *nfmsg;
574 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
575 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
577 goto nla_put_failure;
579 nfmsg = nlmsg_data(nlh);
580 nfmsg->nfgen_family = family;
581 nfmsg->version = NFNETLINK_V0;
582 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
584 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
585 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
586 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
587 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
589 goto nla_put_failure;
595 nlmsg_trim(skb, nlh);
599 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
605 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
608 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
612 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
613 event, 0, ctx->family, ctx->table);
619 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
620 ctx->report, GFP_KERNEL);
623 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
626 static int nf_tables_dump_tables(struct sk_buff *skb,
627 struct netlink_callback *cb)
629 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
630 const struct nft_table *table;
631 unsigned int idx = 0, s_idx = cb->args[0];
632 struct net *net = sock_net(skb->sk);
633 int family = nfmsg->nfgen_family;
636 cb->seq = net->nft.base_seq;
638 list_for_each_entry_rcu(table, &net->nft.tables, list) {
639 if (family != NFPROTO_UNSPEC && family != table->family)
645 memset(&cb->args[1], 0,
646 sizeof(cb->args) - sizeof(cb->args[0]));
647 if (!nft_is_active(net, table))
649 if (nf_tables_fill_table_info(skb, net,
650 NETLINK_CB(cb->skb).portid,
652 NFT_MSG_NEWTABLE, NLM_F_MULTI,
653 table->family, table) < 0)
656 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
666 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
667 const struct nlmsghdr *nlh,
668 struct netlink_dump_control *c)
672 if (!try_module_get(THIS_MODULE))
676 err = netlink_dump_start(nlsk, skb, nlh, c);
678 module_put(THIS_MODULE);
683 /* called with rcu_read_lock held */
684 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
685 struct sk_buff *skb, const struct nlmsghdr *nlh,
686 const struct nlattr * const nla[],
687 struct netlink_ext_ack *extack)
689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
690 u8 genmask = nft_genmask_cur(net);
691 const struct nft_table *table;
692 struct sk_buff *skb2;
693 int family = nfmsg->nfgen_family;
696 if (nlh->nlmsg_flags & NLM_F_DUMP) {
697 struct netlink_dump_control c = {
698 .dump = nf_tables_dump_tables,
699 .module = THIS_MODULE,
702 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
705 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
707 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
708 return PTR_ERR(table);
711 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
715 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
716 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
721 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
728 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
730 struct nft_chain *chain;
733 list_for_each_entry(chain, &table->chains, list) {
734 if (!nft_is_active_next(net, chain))
736 if (!nft_is_base_chain(chain))
739 if (cnt && i++ == cnt)
742 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
746 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
748 struct nft_chain *chain;
751 list_for_each_entry(chain, &table->chains, list) {
752 if (!nft_is_active_next(net, chain))
754 if (!nft_is_base_chain(chain))
757 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
766 nft_table_disable(net, table, i);
770 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
772 nft_table_disable(net, table, 0);
775 static int nf_tables_updtable(struct nft_ctx *ctx)
777 struct nft_trans *trans;
781 if (!ctx->nla[NFTA_TABLE_FLAGS])
784 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
785 if (flags & ~NFT_TABLE_F_DORMANT)
788 if (flags == ctx->table->flags)
791 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
792 sizeof(struct nft_trans_table));
796 if ((flags & NFT_TABLE_F_DORMANT) &&
797 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
798 nft_trans_table_enable(trans) = false;
799 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
800 ctx->table->flags & NFT_TABLE_F_DORMANT) {
801 ret = nf_tables_table_enable(ctx->net, ctx->table);
803 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
804 nft_trans_table_enable(trans) = true;
810 nft_trans_table_update(trans) = true;
811 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
814 nft_trans_destroy(trans);
818 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
820 const char *name = data;
822 return jhash(name, strlen(name), seed);
825 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
827 const struct nft_chain *chain = data;
829 return nft_chain_hash(chain->name, 0, seed);
832 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
835 const struct nft_chain *chain = ptr;
836 const char *name = arg->key;
838 return strcmp(chain->name, name);
841 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
843 const struct nft_object_hash_key *k = data;
845 seed ^= hash_ptr(k->table, 32);
847 return jhash(k->name, strlen(k->name), seed);
850 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
852 const struct nft_object *obj = data;
854 return nft_objname_hash(&obj->key, 0, seed);
857 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
860 const struct nft_object_hash_key *k = arg->key;
861 const struct nft_object *obj = ptr;
863 if (obj->key.table != k->table)
866 return strcmp(obj->key.name, k->name);
869 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
870 struct sk_buff *skb, const struct nlmsghdr *nlh,
871 const struct nlattr * const nla[],
872 struct netlink_ext_ack *extack)
874 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
875 u8 genmask = nft_genmask_next(net);
876 int family = nfmsg->nfgen_family;
877 const struct nlattr *attr;
878 struct nft_table *table;
883 lockdep_assert_held(&net->nft.commit_mutex);
884 attr = nla[NFTA_TABLE_NAME];
885 table = nft_table_lookup(net, attr, family, genmask);
887 if (PTR_ERR(table) != -ENOENT)
888 return PTR_ERR(table);
890 if (nlh->nlmsg_flags & NLM_F_EXCL) {
891 NL_SET_BAD_ATTR(extack, attr);
894 if (nlh->nlmsg_flags & NLM_F_REPLACE)
897 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
898 return nf_tables_updtable(&ctx);
901 if (nla[NFTA_TABLE_FLAGS]) {
902 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
903 if (flags & ~NFT_TABLE_F_DORMANT)
908 table = kzalloc(sizeof(*table), GFP_KERNEL);
912 table->name = nla_strdup(attr, GFP_KERNEL);
913 if (table->name == NULL)
916 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
920 INIT_LIST_HEAD(&table->chains);
921 INIT_LIST_HEAD(&table->sets);
922 INIT_LIST_HEAD(&table->objects);
923 INIT_LIST_HEAD(&table->flowtables);
924 table->family = family;
925 table->flags = flags;
926 table->handle = ++table_handle;
928 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
929 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
933 list_add_tail_rcu(&table->list, &net->nft.tables);
936 rhltable_destroy(&table->chains_ht);
945 static int nft_flush_table(struct nft_ctx *ctx)
947 struct nft_flowtable *flowtable, *nft;
948 struct nft_chain *chain, *nc;
949 struct nft_object *obj, *ne;
950 struct nft_set *set, *ns;
953 list_for_each_entry(chain, &ctx->table->chains, list) {
954 if (!nft_is_active_next(ctx->net, chain))
959 err = nft_delrule_by_chain(ctx);
964 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
965 if (!nft_is_active_next(ctx->net, set))
968 if (nft_set_is_anonymous(set) &&
969 !list_empty(&set->bindings))
972 err = nft_delset(ctx, set);
977 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
978 err = nft_delflowtable(ctx, flowtable);
983 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
984 err = nft_delobj(ctx, obj);
989 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
990 if (!nft_is_active_next(ctx->net, chain))
995 err = nft_delchain(ctx);
1000 err = nft_deltable(ctx);
1005 static int nft_flush(struct nft_ctx *ctx, int family)
1007 struct nft_table *table, *nt;
1008 const struct nlattr * const *nla = ctx->nla;
1011 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1012 if (family != AF_UNSPEC && table->family != family)
1015 ctx->family = table->family;
1017 if (!nft_is_active_next(ctx->net, table))
1020 if (nla[NFTA_TABLE_NAME] &&
1021 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1026 err = nft_flush_table(ctx);
1034 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1035 struct sk_buff *skb, const struct nlmsghdr *nlh,
1036 const struct nlattr * const nla[],
1037 struct netlink_ext_ack *extack)
1039 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1040 u8 genmask = nft_genmask_next(net);
1041 int family = nfmsg->nfgen_family;
1042 const struct nlattr *attr;
1043 struct nft_table *table;
1046 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1047 if (family == AF_UNSPEC ||
1048 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1049 return nft_flush(&ctx, family);
1051 if (nla[NFTA_TABLE_HANDLE]) {
1052 attr = nla[NFTA_TABLE_HANDLE];
1053 table = nft_table_lookup_byhandle(net, attr, genmask);
1055 attr = nla[NFTA_TABLE_NAME];
1056 table = nft_table_lookup(net, attr, family, genmask);
1059 if (IS_ERR(table)) {
1060 NL_SET_BAD_ATTR(extack, attr);
1061 return PTR_ERR(table);
1064 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1068 ctx.family = family;
1071 return nft_flush_table(&ctx);
1074 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1076 if (WARN_ON(ctx->table->use > 0))
1079 rhltable_destroy(&ctx->table->chains_ht);
1080 kfree(ctx->table->name);
1084 void nft_register_chain_type(const struct nft_chain_type *ctype)
1086 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1089 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1090 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1091 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1094 chain_type[ctype->family][ctype->type] = ctype;
1095 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1097 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1099 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1101 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1102 chain_type[ctype->family][ctype->type] = NULL;
1103 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1105 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1111 static struct nft_chain *
1112 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1114 struct nft_chain *chain;
1116 list_for_each_entry(chain, &table->chains, list) {
1117 if (chain->handle == handle &&
1118 nft_active_genmask(chain, genmask))
1122 return ERR_PTR(-ENOENT);
1125 static bool lockdep_commit_lock_is_held(const struct net *net)
1127 #ifdef CONFIG_PROVE_LOCKING
1128 return lockdep_is_held(&net->nft.commit_mutex);
1134 static struct nft_chain *nft_chain_lookup(struct net *net,
1135 struct nft_table *table,
1136 const struct nlattr *nla, u8 genmask)
1138 char search[NFT_CHAIN_MAXNAMELEN + 1];
1139 struct rhlist_head *tmp, *list;
1140 struct nft_chain *chain;
1143 return ERR_PTR(-EINVAL);
1145 nla_strlcpy(search, nla, sizeof(search));
1147 WARN_ON(!rcu_read_lock_held() &&
1148 !lockdep_commit_lock_is_held(net));
1150 chain = ERR_PTR(-ENOENT);
1152 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1156 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1157 if (nft_active_genmask(chain, genmask))
1160 chain = ERR_PTR(-ENOENT);
1166 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1167 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1168 .len = NFT_TABLE_MAXNAMELEN - 1 },
1169 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1170 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1171 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1172 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1173 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1174 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1175 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1178 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1179 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1180 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1181 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1182 .len = IFNAMSIZ - 1 },
1185 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1187 struct nft_stats *cpu_stats, total;
1188 struct nlattr *nest;
1193 memset(&total, 0, sizeof(total));
1194 for_each_possible_cpu(cpu) {
1195 cpu_stats = per_cpu_ptr(stats, cpu);
1197 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1198 pkts = cpu_stats->pkts;
1199 bytes = cpu_stats->bytes;
1200 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1202 total.bytes += bytes;
1204 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1206 goto nla_put_failure;
1208 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1209 NFTA_COUNTER_PAD) ||
1210 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1212 goto nla_put_failure;
1214 nla_nest_end(skb, nest);
1221 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1222 u32 portid, u32 seq, int event, u32 flags,
1223 int family, const struct nft_table *table,
1224 const struct nft_chain *chain)
1226 struct nlmsghdr *nlh;
1227 struct nfgenmsg *nfmsg;
1229 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1230 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1232 goto nla_put_failure;
1234 nfmsg = nlmsg_data(nlh);
1235 nfmsg->nfgen_family = family;
1236 nfmsg->version = NFNETLINK_V0;
1237 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1239 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1240 goto nla_put_failure;
1241 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1243 goto nla_put_failure;
1244 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1245 goto nla_put_failure;
1247 if (nft_is_base_chain(chain)) {
1248 const struct nft_base_chain *basechain = nft_base_chain(chain);
1249 const struct nf_hook_ops *ops = &basechain->ops;
1250 struct nlattr *nest;
1252 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1254 goto nla_put_failure;
1255 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1256 goto nla_put_failure;
1257 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1258 goto nla_put_failure;
1259 if (basechain->dev_name[0] &&
1260 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1261 goto nla_put_failure;
1262 nla_nest_end(skb, nest);
1264 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1265 htonl(basechain->policy)))
1266 goto nla_put_failure;
1268 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1269 goto nla_put_failure;
1271 if (rcu_access_pointer(basechain->stats) &&
1272 nft_dump_stats(skb, rcu_dereference(basechain->stats)))
1273 goto nla_put_failure;
1276 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1277 goto nla_put_failure;
1279 nlmsg_end(skb, nlh);
1283 nlmsg_trim(skb, nlh);
1287 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1289 struct sk_buff *skb;
1293 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1296 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1300 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1301 event, 0, ctx->family, ctx->table,
1308 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1309 ctx->report, GFP_KERNEL);
1312 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1315 static int nf_tables_dump_chains(struct sk_buff *skb,
1316 struct netlink_callback *cb)
1318 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1319 const struct nft_table *table;
1320 const struct nft_chain *chain;
1321 unsigned int idx = 0, s_idx = cb->args[0];
1322 struct net *net = sock_net(skb->sk);
1323 int family = nfmsg->nfgen_family;
1326 cb->seq = net->nft.base_seq;
1328 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1329 if (family != NFPROTO_UNSPEC && family != table->family)
1332 list_for_each_entry_rcu(chain, &table->chains, list) {
1336 memset(&cb->args[1], 0,
1337 sizeof(cb->args) - sizeof(cb->args[0]));
1338 if (!nft_is_active(net, chain))
1340 if (nf_tables_fill_chain_info(skb, net,
1341 NETLINK_CB(cb->skb).portid,
1345 table->family, table,
1349 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1360 /* called with rcu_read_lock held */
1361 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1362 struct sk_buff *skb, const struct nlmsghdr *nlh,
1363 const struct nlattr * const nla[],
1364 struct netlink_ext_ack *extack)
1366 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1367 u8 genmask = nft_genmask_cur(net);
1368 const struct nft_chain *chain;
1369 struct nft_table *table;
1370 struct sk_buff *skb2;
1371 int family = nfmsg->nfgen_family;
1374 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1375 struct netlink_dump_control c = {
1376 .dump = nf_tables_dump_chains,
1377 .module = THIS_MODULE,
1380 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1383 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1384 if (IS_ERR(table)) {
1385 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1386 return PTR_ERR(table);
1389 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1390 if (IS_ERR(chain)) {
1391 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1392 return PTR_ERR(chain);
1395 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1399 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1400 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1401 family, table, chain);
1405 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1412 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1413 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1414 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1417 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1419 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1420 struct nft_stats __percpu *newstats;
1421 struct nft_stats *stats;
1424 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1427 return ERR_PTR(err);
1429 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1430 return ERR_PTR(-EINVAL);
1432 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1433 if (newstats == NULL)
1434 return ERR_PTR(-ENOMEM);
1436 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1437 * are not exposed to userspace.
1440 stats = this_cpu_ptr(newstats);
1441 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1442 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1448 static void nft_chain_stats_replace(struct net *net,
1449 struct nft_base_chain *chain,
1450 struct nft_stats __percpu *newstats)
1452 struct nft_stats __percpu *oldstats;
1454 if (newstats == NULL)
1457 if (rcu_access_pointer(chain->stats)) {
1458 oldstats = rcu_dereference_protected(chain->stats,
1459 lockdep_commit_lock_is_held(net));
1460 rcu_assign_pointer(chain->stats, newstats);
1462 free_percpu(oldstats);
1464 rcu_assign_pointer(chain->stats, newstats);
1465 static_branch_inc(&nft_counters_enabled);
1469 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1471 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1472 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1478 /* should be NULL either via abort or via successful commit */
1479 WARN_ON_ONCE(chain->rules_next);
1480 kvfree(chain->rules_next);
1483 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1485 struct nft_chain *chain = ctx->chain;
1487 if (WARN_ON(chain->use > 0))
1490 /* no concurrent access possible anymore */
1491 nf_tables_chain_free_chain_rules(chain);
1493 if (nft_is_base_chain(chain)) {
1494 struct nft_base_chain *basechain = nft_base_chain(chain);
1496 module_put(basechain->type->owner);
1497 if (rcu_access_pointer(basechain->stats)) {
1498 static_branch_dec(&nft_counters_enabled);
1499 free_percpu(rcu_dereference_raw(basechain->stats));
1509 struct nft_chain_hook {
1512 const struct nft_chain_type *type;
1513 struct net_device *dev;
1516 static int nft_chain_parse_hook(struct net *net,
1517 const struct nlattr * const nla[],
1518 struct nft_chain_hook *hook, u8 family,
1521 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1522 const struct nft_chain_type *type;
1523 struct net_device *dev;
1526 lockdep_assert_held(&net->nft.commit_mutex);
1527 lockdep_nfnl_nft_mutex_not_held();
1529 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1530 nft_hook_policy, NULL);
1534 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1535 ha[NFTA_HOOK_PRIORITY] == NULL)
1538 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1539 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1541 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1542 if (nla[NFTA_CHAIN_TYPE]) {
1543 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1546 return PTR_ERR(type);
1548 if (!(type->hook_mask & (1 << hook->num)))
1551 if (type->type == NFT_CHAIN_T_NAT &&
1552 hook->priority <= NF_IP_PRI_CONNTRACK)
1555 if (!try_module_get(type->owner))
1561 if (family == NFPROTO_NETDEV) {
1562 char ifname[IFNAMSIZ];
1564 if (!ha[NFTA_HOOK_DEV]) {
1565 module_put(type->owner);
1569 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1570 dev = __dev_get_by_name(net, ifname);
1572 module_put(type->owner);
1576 } else if (ha[NFTA_HOOK_DEV]) {
1577 module_put(type->owner);
1584 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1586 module_put(hook->type->owner);
1589 struct nft_rules_old {
1591 struct nft_rule **start;
1594 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1597 if (alloc > INT_MAX)
1600 alloc += 1; /* NULL, ends rules */
1601 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1604 alloc *= sizeof(struct nft_rule *);
1605 alloc += sizeof(struct nft_rules_old);
1607 return kvmalloc(alloc, GFP_KERNEL);
1610 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1613 const struct nlattr * const *nla = ctx->nla;
1614 struct nft_table *table = ctx->table;
1615 struct nft_base_chain *basechain;
1616 struct nft_stats __percpu *stats;
1617 struct net *net = ctx->net;
1618 struct nft_chain *chain;
1619 struct nft_rule **rules;
1622 if (table->use == UINT_MAX)
1625 if (nla[NFTA_CHAIN_HOOK]) {
1626 struct nft_chain_hook hook;
1627 struct nf_hook_ops *ops;
1629 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1633 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1634 if (basechain == NULL) {
1635 nft_chain_release_hook(&hook);
1639 if (hook.dev != NULL)
1640 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1642 if (nla[NFTA_CHAIN_COUNTERS]) {
1643 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1644 if (IS_ERR(stats)) {
1645 nft_chain_release_hook(&hook);
1647 return PTR_ERR(stats);
1649 rcu_assign_pointer(basechain->stats, stats);
1650 static_branch_inc(&nft_counters_enabled);
1653 basechain->type = hook.type;
1654 chain = &basechain->chain;
1656 ops = &basechain->ops;
1658 ops->hooknum = hook.num;
1659 ops->priority = hook.priority;
1661 ops->hook = hook.type->hooks[ops->hooknum];
1662 ops->dev = hook.dev;
1664 chain->flags |= NFT_BASE_CHAIN;
1665 basechain->policy = policy;
1667 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1673 INIT_LIST_HEAD(&chain->rules);
1674 chain->handle = nf_tables_alloc_handle(table);
1675 chain->table = table;
1676 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1682 rules = nf_tables_chain_alloc_rules(chain, 0);
1689 rcu_assign_pointer(chain->rules_gen_0, rules);
1690 rcu_assign_pointer(chain->rules_gen_1, rules);
1692 err = nf_tables_register_hook(net, table, chain);
1696 err = rhltable_insert_key(&table->chains_ht, chain->name,
1697 &chain->rhlhead, nft_chain_ht_params);
1701 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1703 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1704 nft_chain_ht_params);
1709 list_add_tail_rcu(&chain->list, &table->chains);
1713 nf_tables_unregister_hook(net, table, chain);
1715 nf_tables_chain_destroy(ctx);
1720 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1722 const struct nlattr * const *nla = ctx->nla;
1723 struct nft_table *table = ctx->table;
1724 struct nft_chain *chain = ctx->chain;
1725 struct nft_base_chain *basechain;
1726 struct nft_stats *stats = NULL;
1727 struct nft_chain_hook hook;
1728 struct nf_hook_ops *ops;
1729 struct nft_trans *trans;
1732 if (nla[NFTA_CHAIN_HOOK]) {
1733 if (!nft_is_base_chain(chain))
1736 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1741 basechain = nft_base_chain(chain);
1742 if (basechain->type != hook.type) {
1743 nft_chain_release_hook(&hook);
1747 ops = &basechain->ops;
1748 if (ops->hooknum != hook.num ||
1749 ops->priority != hook.priority ||
1750 ops->dev != hook.dev) {
1751 nft_chain_release_hook(&hook);
1754 nft_chain_release_hook(&hook);
1757 if (nla[NFTA_CHAIN_HANDLE] &&
1758 nla[NFTA_CHAIN_NAME]) {
1759 struct nft_chain *chain2;
1761 chain2 = nft_chain_lookup(ctx->net, table,
1762 nla[NFTA_CHAIN_NAME], genmask);
1763 if (!IS_ERR(chain2))
1767 if (nla[NFTA_CHAIN_COUNTERS]) {
1768 if (!nft_is_base_chain(chain))
1771 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1773 return PTR_ERR(stats);
1777 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1778 sizeof(struct nft_trans_chain));
1782 nft_trans_chain_stats(trans) = stats;
1783 nft_trans_chain_update(trans) = true;
1785 if (nla[NFTA_CHAIN_POLICY])
1786 nft_trans_chain_policy(trans) = policy;
1788 nft_trans_chain_policy(trans) = -1;
1790 if (nla[NFTA_CHAIN_HANDLE] &&
1791 nla[NFTA_CHAIN_NAME]) {
1792 struct nft_trans *tmp;
1796 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1801 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1802 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1803 tmp->ctx.table == table &&
1804 nft_trans_chain_update(tmp) &&
1805 nft_trans_chain_name(tmp) &&
1806 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1812 nft_trans_chain_name(trans) = name;
1814 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1823 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1824 struct sk_buff *skb, const struct nlmsghdr *nlh,
1825 const struct nlattr * const nla[],
1826 struct netlink_ext_ack *extack)
1828 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1829 u8 genmask = nft_genmask_next(net);
1830 int family = nfmsg->nfgen_family;
1831 const struct nlattr *attr;
1832 struct nft_table *table;
1833 struct nft_chain *chain;
1834 u8 policy = NF_ACCEPT;
1838 lockdep_assert_held(&net->nft.commit_mutex);
1840 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1841 if (IS_ERR(table)) {
1842 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1843 return PTR_ERR(table);
1847 attr = nla[NFTA_CHAIN_NAME];
1849 if (nla[NFTA_CHAIN_HANDLE]) {
1850 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1851 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1852 if (IS_ERR(chain)) {
1853 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1854 return PTR_ERR(chain);
1856 attr = nla[NFTA_CHAIN_HANDLE];
1858 chain = nft_chain_lookup(net, table, attr, genmask);
1859 if (IS_ERR(chain)) {
1860 if (PTR_ERR(chain) != -ENOENT) {
1861 NL_SET_BAD_ATTR(extack, attr);
1862 return PTR_ERR(chain);
1868 if (nla[NFTA_CHAIN_POLICY]) {
1869 if (chain != NULL &&
1870 !nft_is_base_chain(chain)) {
1871 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1875 if (chain == NULL &&
1876 nla[NFTA_CHAIN_HOOK] == NULL) {
1877 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1881 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1891 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1893 if (chain != NULL) {
1894 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1895 NL_SET_BAD_ATTR(extack, attr);
1898 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1901 return nf_tables_updchain(&ctx, genmask, policy);
1904 return nf_tables_addchain(&ctx, family, genmask, policy);
1907 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1908 struct sk_buff *skb, const struct nlmsghdr *nlh,
1909 const struct nlattr * const nla[],
1910 struct netlink_ext_ack *extack)
1912 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1913 u8 genmask = nft_genmask_next(net);
1914 int family = nfmsg->nfgen_family;
1915 const struct nlattr *attr;
1916 struct nft_table *table;
1917 struct nft_chain *chain;
1918 struct nft_rule *rule;
1924 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1925 if (IS_ERR(table)) {
1926 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1927 return PTR_ERR(table);
1930 if (nla[NFTA_CHAIN_HANDLE]) {
1931 attr = nla[NFTA_CHAIN_HANDLE];
1932 handle = be64_to_cpu(nla_get_be64(attr));
1933 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1935 attr = nla[NFTA_CHAIN_NAME];
1936 chain = nft_chain_lookup(net, table, attr, genmask);
1938 if (IS_ERR(chain)) {
1939 NL_SET_BAD_ATTR(extack, attr);
1940 return PTR_ERR(chain);
1943 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1947 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1950 list_for_each_entry(rule, &chain->rules, list) {
1951 if (!nft_is_active_next(net, rule))
1955 err = nft_delrule(&ctx, rule);
1960 /* There are rules and elements that are still holding references to us,
1961 * we cannot do a recursive removal in this case.
1964 NL_SET_BAD_ATTR(extack, attr);
1968 return nft_delchain(&ctx);
1976 * nft_register_expr - register nf_tables expr type
1979 * Registers the expr type for use with nf_tables. Returns zero on
1980 * success or a negative errno code otherwise.
1982 int nft_register_expr(struct nft_expr_type *type)
1984 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1985 if (type->family == NFPROTO_UNSPEC)
1986 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1988 list_add_rcu(&type->list, &nf_tables_expressions);
1989 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1992 EXPORT_SYMBOL_GPL(nft_register_expr);
1995 * nft_unregister_expr - unregister nf_tables expr type
1998 * Unregisters the expr typefor use with nf_tables.
2000 void nft_unregister_expr(struct nft_expr_type *type)
2002 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2003 list_del_rcu(&type->list);
2004 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2006 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2008 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2011 const struct nft_expr_type *type;
2013 list_for_each_entry(type, &nf_tables_expressions, list) {
2014 if (!nla_strcmp(nla, type->name) &&
2015 (!type->family || type->family == family))
2021 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2025 const struct nft_expr_type *type;
2028 return ERR_PTR(-EINVAL);
2030 type = __nft_expr_type_get(family, nla);
2031 if (type != NULL && try_module_get(type->owner))
2034 lockdep_nfnl_nft_mutex_not_held();
2035 #ifdef CONFIG_MODULES
2037 nft_request_module(net, "nft-expr-%u-%.*s", family,
2038 nla_len(nla), (char *)nla_data(nla));
2039 if (__nft_expr_type_get(family, nla))
2040 return ERR_PTR(-EAGAIN);
2042 nft_request_module(net, "nft-expr-%.*s",
2043 nla_len(nla), (char *)nla_data(nla));
2044 if (__nft_expr_type_get(family, nla))
2045 return ERR_PTR(-EAGAIN);
2048 return ERR_PTR(-ENOENT);
2051 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2052 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2053 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2056 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2057 const struct nft_expr *expr)
2059 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2060 goto nla_put_failure;
2062 if (expr->ops->dump) {
2063 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
2065 goto nla_put_failure;
2066 if (expr->ops->dump(skb, expr) < 0)
2067 goto nla_put_failure;
2068 nla_nest_end(skb, data);
2077 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2078 const struct nft_expr *expr)
2080 struct nlattr *nest;
2082 nest = nla_nest_start(skb, attr);
2084 goto nla_put_failure;
2085 if (nf_tables_fill_expr_info(skb, expr) < 0)
2086 goto nla_put_failure;
2087 nla_nest_end(skb, nest);
2094 struct nft_expr_info {
2095 const struct nft_expr_ops *ops;
2096 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2099 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2100 const struct nlattr *nla,
2101 struct nft_expr_info *info)
2103 const struct nft_expr_type *type;
2104 const struct nft_expr_ops *ops;
2105 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2108 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
2112 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2114 return PTR_ERR(type);
2116 if (tb[NFTA_EXPR_DATA]) {
2117 err = nla_parse_nested(info->tb, type->maxattr,
2118 tb[NFTA_EXPR_DATA], type->policy, NULL);
2122 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2124 if (type->select_ops != NULL) {
2125 ops = type->select_ops(ctx,
2126 (const struct nlattr * const *)info->tb);
2138 module_put(type->owner);
2142 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2143 const struct nft_expr_info *info,
2144 struct nft_expr *expr)
2146 const struct nft_expr_ops *ops = info->ops;
2151 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2163 struct nft_expr *expr)
2165 const struct nft_expr_type *type = expr->ops->type;
2167 if (expr->ops->destroy)
2168 expr->ops->destroy(ctx, expr);
2169 module_put(type->owner);
2172 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2173 const struct nlattr *nla)
2175 struct nft_expr_info info;
2176 struct nft_expr *expr;
2177 struct module *owner;
2180 err = nf_tables_expr_parse(ctx, nla, &info);
2185 expr = kzalloc(info.ops->size, GFP_KERNEL);
2189 err = nf_tables_newexpr(ctx, &info, expr);
2197 owner = info.ops->type->owner;
2198 if (info.ops->type->release_ops)
2199 info.ops->type->release_ops(info.ops);
2203 return ERR_PTR(err);
2206 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2208 nf_tables_expr_destroy(ctx, expr);
2216 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2219 struct nft_rule *rule;
2221 // FIXME: this sucks
2222 list_for_each_entry_rcu(rule, &chain->rules, list) {
2223 if (handle == rule->handle)
2227 return ERR_PTR(-ENOENT);
2230 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2231 const struct nlattr *nla)
2234 return ERR_PTR(-EINVAL);
2236 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2239 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2240 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2241 .len = NFT_TABLE_MAXNAMELEN - 1 },
2242 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2243 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2244 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2245 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2246 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2247 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2248 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2249 .len = NFT_USERDATA_MAXLEN },
2250 [NFTA_RULE_ID] = { .type = NLA_U32 },
2251 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2254 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2255 u32 portid, u32 seq, int event,
2256 u32 flags, int family,
2257 const struct nft_table *table,
2258 const struct nft_chain *chain,
2259 const struct nft_rule *rule)
2261 struct nlmsghdr *nlh;
2262 struct nfgenmsg *nfmsg;
2263 const struct nft_expr *expr, *next;
2264 struct nlattr *list;
2265 const struct nft_rule *prule;
2266 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2268 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2270 goto nla_put_failure;
2272 nfmsg = nlmsg_data(nlh);
2273 nfmsg->nfgen_family = family;
2274 nfmsg->version = NFNETLINK_V0;
2275 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2277 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2278 goto nla_put_failure;
2279 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2280 goto nla_put_failure;
2281 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2283 goto nla_put_failure;
2285 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2286 prule = list_prev_entry(rule, list);
2287 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2288 cpu_to_be64(prule->handle),
2290 goto nla_put_failure;
2293 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2295 goto nla_put_failure;
2296 nft_rule_for_each_expr(expr, next, rule) {
2297 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2298 goto nla_put_failure;
2300 nla_nest_end(skb, list);
2303 struct nft_userdata *udata = nft_userdata(rule);
2304 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2306 goto nla_put_failure;
2309 nlmsg_end(skb, nlh);
2313 nlmsg_trim(skb, nlh);
2317 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2318 const struct nft_rule *rule, int event)
2320 struct sk_buff *skb;
2324 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2327 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2331 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2332 event, 0, ctx->family, ctx->table,
2339 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2340 ctx->report, GFP_KERNEL);
2343 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2346 struct nft_rule_dump_ctx {
2351 static int __nf_tables_dump_rules(struct sk_buff *skb,
2353 struct netlink_callback *cb,
2354 const struct nft_table *table,
2355 const struct nft_chain *chain)
2357 struct net *net = sock_net(skb->sk);
2358 unsigned int s_idx = cb->args[0];
2359 const struct nft_rule *rule;
2361 list_for_each_entry_rcu(rule, &chain->rules, list) {
2362 if (!nft_is_active(net, rule))
2367 memset(&cb->args[1], 0,
2368 sizeof(cb->args) - sizeof(cb->args[0]));
2370 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2373 NLM_F_MULTI | NLM_F_APPEND,
2375 table, chain, rule) < 0)
2378 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2385 static int nf_tables_dump_rules(struct sk_buff *skb,
2386 struct netlink_callback *cb)
2388 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2389 const struct nft_rule_dump_ctx *ctx = cb->data;
2390 struct nft_table *table;
2391 const struct nft_chain *chain;
2392 unsigned int idx = 0;
2393 struct net *net = sock_net(skb->sk);
2394 int family = nfmsg->nfgen_family;
2397 cb->seq = net->nft.base_seq;
2399 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2400 if (family != NFPROTO_UNSPEC && family != table->family)
2403 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2406 if (ctx && ctx->table && ctx->chain) {
2407 struct rhlist_head *list, *tmp;
2409 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2410 nft_chain_ht_params);
2414 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2415 if (!nft_is_active(net, chain))
2417 __nf_tables_dump_rules(skb, &idx,
2424 list_for_each_entry_rcu(chain, &table->chains, list) {
2425 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2429 if (ctx && ctx->table)
2439 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2441 const struct nlattr * const *nla = cb->data;
2442 struct nft_rule_dump_ctx *ctx = NULL;
2444 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2445 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2449 if (nla[NFTA_RULE_TABLE]) {
2450 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2457 if (nla[NFTA_RULE_CHAIN]) {
2458 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2472 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2474 struct nft_rule_dump_ctx *ctx = cb->data;
2484 /* called with rcu_read_lock held */
2485 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2486 struct sk_buff *skb, const struct nlmsghdr *nlh,
2487 const struct nlattr * const nla[],
2488 struct netlink_ext_ack *extack)
2490 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2491 u8 genmask = nft_genmask_cur(net);
2492 const struct nft_chain *chain;
2493 const struct nft_rule *rule;
2494 struct nft_table *table;
2495 struct sk_buff *skb2;
2496 int family = nfmsg->nfgen_family;
2499 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2500 struct netlink_dump_control c = {
2501 .start= nf_tables_dump_rules_start,
2502 .dump = nf_tables_dump_rules,
2503 .done = nf_tables_dump_rules_done,
2504 .module = THIS_MODULE,
2505 .data = (void *)nla,
2508 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2511 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2512 if (IS_ERR(table)) {
2513 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2514 return PTR_ERR(table);
2517 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2518 if (IS_ERR(chain)) {
2519 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2520 return PTR_ERR(chain);
2523 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2525 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2526 return PTR_ERR(rule);
2529 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2533 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2534 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2535 family, table, chain, rule);
2539 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2546 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2547 struct nft_rule *rule)
2549 struct nft_expr *expr, *next;
2552 * Careful: some expressions might not be initialized in case this
2553 * is called on error from nf_tables_newrule().
2555 expr = nft_expr_first(rule);
2556 while (expr != nft_expr_last(rule) && expr->ops) {
2557 next = nft_expr_next(expr);
2558 nf_tables_expr_destroy(ctx, expr);
2564 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2565 struct nft_rule *rule)
2567 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2568 nf_tables_rule_destroy(ctx, rule);
2571 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2573 struct nft_expr *expr, *last;
2574 const struct nft_data *data;
2575 struct nft_rule *rule;
2578 if (ctx->level == NFT_JUMP_STACK_SIZE)
2581 list_for_each_entry(rule, &chain->rules, list) {
2582 if (!nft_is_active_next(ctx->net, rule))
2585 nft_rule_for_each_expr(expr, last, rule) {
2586 if (!expr->ops->validate)
2589 err = expr->ops->validate(ctx, expr, &data);
2597 EXPORT_SYMBOL_GPL(nft_chain_validate);
2599 static int nft_table_validate(struct net *net, const struct nft_table *table)
2601 struct nft_chain *chain;
2602 struct nft_ctx ctx = {
2604 .family = table->family,
2608 list_for_each_entry(chain, &table->chains, list) {
2609 if (!nft_is_base_chain(chain))
2613 err = nft_chain_validate(&ctx, chain);
2621 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2622 const struct nlattr *nla);
2624 #define NFT_RULE_MAXEXPRS 128
2626 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2627 struct sk_buff *skb, const struct nlmsghdr *nlh,
2628 const struct nlattr * const nla[],
2629 struct netlink_ext_ack *extack)
2631 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2632 u8 genmask = nft_genmask_next(net);
2633 struct nft_expr_info *info = NULL;
2634 int family = nfmsg->nfgen_family;
2635 struct nft_table *table;
2636 struct nft_chain *chain;
2637 struct nft_rule *rule, *old_rule = NULL;
2638 struct nft_userdata *udata;
2639 struct nft_trans *trans = NULL;
2640 struct nft_expr *expr;
2643 unsigned int size, i, n, ulen = 0, usize = 0;
2645 u64 handle, pos_handle;
2647 lockdep_assert_held(&net->nft.commit_mutex);
2649 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2650 if (IS_ERR(table)) {
2651 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2652 return PTR_ERR(table);
2655 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2656 if (IS_ERR(chain)) {
2657 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2658 return PTR_ERR(chain);
2661 if (nla[NFTA_RULE_HANDLE]) {
2662 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2663 rule = __nft_rule_lookup(chain, handle);
2665 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2666 return PTR_ERR(rule);
2669 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2670 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2673 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2678 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2679 nlh->nlmsg_flags & NLM_F_REPLACE)
2681 handle = nf_tables_alloc_handle(table);
2683 if (chain->use == UINT_MAX)
2686 if (nla[NFTA_RULE_POSITION]) {
2687 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2688 old_rule = __nft_rule_lookup(chain, pos_handle);
2689 if (IS_ERR(old_rule)) {
2690 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2691 return PTR_ERR(old_rule);
2693 } else if (nla[NFTA_RULE_POSITION_ID]) {
2694 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2695 if (IS_ERR(old_rule)) {
2696 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2697 return PTR_ERR(old_rule);
2702 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2706 if (nla[NFTA_RULE_EXPRESSIONS]) {
2707 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2708 sizeof(struct nft_expr_info),
2713 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2715 if (nla_type(tmp) != NFTA_LIST_ELEM)
2717 if (n == NFT_RULE_MAXEXPRS)
2719 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2722 size += info[n].ops->size;
2726 /* Check for overflow of dlen field */
2728 if (size >= 1 << 12)
2731 if (nla[NFTA_RULE_USERDATA]) {
2732 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2734 usize = sizeof(struct nft_userdata) + ulen;
2738 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2742 nft_activate_next(net, rule);
2744 rule->handle = handle;
2746 rule->udata = ulen ? 1 : 0;
2749 udata = nft_userdata(rule);
2750 udata->len = ulen - 1;
2751 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2754 expr = nft_expr_first(rule);
2755 for (i = 0; i < n; i++) {
2756 err = nf_tables_newexpr(&ctx, &info[i], expr);
2760 if (info[i].ops->validate)
2761 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2764 expr = nft_expr_next(expr);
2767 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2768 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2769 if (trans == NULL) {
2773 err = nft_delrule(&ctx, old_rule);
2775 nft_trans_destroy(trans);
2779 list_add_tail_rcu(&rule->list, &old_rule->list);
2781 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2786 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2788 list_add_rcu(&rule->list, &old_rule->list);
2790 list_add_tail_rcu(&rule->list, &chain->rules);
2793 list_add_tail_rcu(&rule->list, &old_rule->list);
2795 list_add_rcu(&rule->list, &chain->rules);
2801 if (net->nft.validate_state == NFT_VALIDATE_DO)
2802 return nft_table_validate(net, table);
2806 nf_tables_rule_release(&ctx, rule);
2808 for (i = 0; i < n; i++) {
2809 if (info[i].ops != NULL)
2810 module_put(info[i].ops->type->owner);
2816 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2817 const struct nlattr *nla)
2819 u32 id = ntohl(nla_get_be32(nla));
2820 struct nft_trans *trans;
2822 list_for_each_entry(trans, &net->nft.commit_list, list) {
2823 struct nft_rule *rule = nft_trans_rule(trans);
2825 if (trans->msg_type == NFT_MSG_NEWRULE &&
2826 id == nft_trans_rule_id(trans))
2829 return ERR_PTR(-ENOENT);
2832 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2833 struct sk_buff *skb, const struct nlmsghdr *nlh,
2834 const struct nlattr * const nla[],
2835 struct netlink_ext_ack *extack)
2837 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2838 u8 genmask = nft_genmask_next(net);
2839 struct nft_table *table;
2840 struct nft_chain *chain = NULL;
2841 struct nft_rule *rule;
2842 int family = nfmsg->nfgen_family, err = 0;
2845 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2846 if (IS_ERR(table)) {
2847 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2848 return PTR_ERR(table);
2851 if (nla[NFTA_RULE_CHAIN]) {
2852 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2854 if (IS_ERR(chain)) {
2855 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2856 return PTR_ERR(chain);
2860 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2863 if (nla[NFTA_RULE_HANDLE]) {
2864 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2866 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2867 return PTR_ERR(rule);
2870 err = nft_delrule(&ctx, rule);
2871 } else if (nla[NFTA_RULE_ID]) {
2872 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2874 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2875 return PTR_ERR(rule);
2878 err = nft_delrule(&ctx, rule);
2880 err = nft_delrule_by_chain(&ctx);
2883 list_for_each_entry(chain, &table->chains, list) {
2884 if (!nft_is_active_next(net, chain))
2888 err = nft_delrule_by_chain(&ctx);
2901 static LIST_HEAD(nf_tables_set_types);
2903 int nft_register_set(struct nft_set_type *type)
2905 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2906 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2907 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2910 EXPORT_SYMBOL_GPL(nft_register_set);
2912 void nft_unregister_set(struct nft_set_type *type)
2914 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2915 list_del_rcu(&type->list);
2916 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2918 EXPORT_SYMBOL_GPL(nft_unregister_set);
2920 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2921 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2924 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2926 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2930 * Select a set implementation based on the data characteristics and the
2931 * given policy. The total memory use might not be known if no size is
2932 * given, in that case the amount of memory per element is used.
2934 static const struct nft_set_ops *
2935 nft_select_set_ops(const struct nft_ctx *ctx,
2936 const struct nlattr * const nla[],
2937 const struct nft_set_desc *desc,
2938 enum nft_set_policies policy)
2940 const struct nft_set_ops *ops, *bops;
2941 struct nft_set_estimate est, best;
2942 const struct nft_set_type *type;
2945 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2946 lockdep_nfnl_nft_mutex_not_held();
2947 #ifdef CONFIG_MODULES
2948 if (list_empty(&nf_tables_set_types)) {
2949 nft_request_module(ctx->net, "nft-set");
2950 if (!list_empty(&nf_tables_set_types))
2951 return ERR_PTR(-EAGAIN);
2954 if (nla[NFTA_SET_FLAGS] != NULL)
2955 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2962 list_for_each_entry(type, &nf_tables_set_types, list) {
2965 if (!nft_set_ops_candidate(type, flags))
2967 if (!ops->estimate(desc, flags, &est))
2971 case NFT_SET_POL_PERFORMANCE:
2972 if (est.lookup < best.lookup)
2974 if (est.lookup == best.lookup &&
2975 est.space < best.space)
2978 case NFT_SET_POL_MEMORY:
2980 if (est.space < best.space)
2982 if (est.space == best.space &&
2983 est.lookup < best.lookup)
2985 } else if (est.size < best.size || !bops) {
2993 if (!try_module_get(type->owner))
2996 module_put(to_set_type(bops)->owner);
3005 return ERR_PTR(-EOPNOTSUPP);
3008 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3009 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3010 .len = NFT_TABLE_MAXNAMELEN - 1 },
3011 [NFTA_SET_NAME] = { .type = NLA_STRING,
3012 .len = NFT_SET_MAXNAMELEN - 1 },
3013 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3014 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3015 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3016 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3017 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3018 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3019 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3020 [NFTA_SET_ID] = { .type = NLA_U32 },
3021 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3022 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3023 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3024 .len = NFT_USERDATA_MAXLEN },
3025 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3026 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3029 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3030 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3033 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3034 const struct sk_buff *skb,
3035 const struct nlmsghdr *nlh,
3036 const struct nlattr * const nla[],
3037 struct netlink_ext_ack *extack,
3040 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3041 int family = nfmsg->nfgen_family;
3042 struct nft_table *table = NULL;
3044 if (nla[NFTA_SET_TABLE] != NULL) {
3045 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3047 if (IS_ERR(table)) {
3048 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3049 return PTR_ERR(table);
3053 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3057 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3058 const struct nlattr *nla, u8 genmask)
3060 struct nft_set *set;
3063 return ERR_PTR(-EINVAL);
3065 list_for_each_entry_rcu(set, &table->sets, list) {
3066 if (!nla_strcmp(nla, set->name) &&
3067 nft_active_genmask(set, genmask))
3070 return ERR_PTR(-ENOENT);
3073 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3074 const struct nlattr *nla,
3077 struct nft_set *set;
3079 list_for_each_entry(set, &table->sets, list) {
3080 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3081 nft_active_genmask(set, genmask))
3084 return ERR_PTR(-ENOENT);
3087 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3088 const struct nlattr *nla, u8 genmask)
3090 struct nft_trans *trans;
3091 u32 id = ntohl(nla_get_be32(nla));
3093 list_for_each_entry(trans, &net->nft.commit_list, list) {
3094 if (trans->msg_type == NFT_MSG_NEWSET) {
3095 struct nft_set *set = nft_trans_set(trans);
3097 if (id == nft_trans_set_id(trans) &&
3098 nft_active_genmask(set, genmask))
3102 return ERR_PTR(-ENOENT);
3105 struct nft_set *nft_set_lookup_global(const struct net *net,
3106 const struct nft_table *table,
3107 const struct nlattr *nla_set_name,
3108 const struct nlattr *nla_set_id,
3111 struct nft_set *set;
3113 set = nft_set_lookup(table, nla_set_name, genmask);
3118 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3122 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3124 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3127 const struct nft_set *i;
3129 unsigned long *inuse;
3130 unsigned int n = 0, min = 0;
3132 p = strchr(name, '%');
3134 if (p[1] != 'd' || strchr(p + 2, '%'))
3137 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3141 list_for_each_entry(i, &ctx->table->sets, list) {
3144 if (!nft_is_active_next(ctx->net, set))
3146 if (!sscanf(i->name, name, &tmp))
3148 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3151 set_bit(tmp - min, inuse);
3154 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3155 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3156 min += BITS_PER_BYTE * PAGE_SIZE;
3157 memset(inuse, 0, PAGE_SIZE);
3160 free_page((unsigned long)inuse);
3163 set->name = kasprintf(GFP_KERNEL, name, min + n);
3167 list_for_each_entry(i, &ctx->table->sets, list) {
3168 if (!nft_is_active_next(ctx->net, i))
3170 if (!strcmp(set->name, i->name)) {
3178 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3180 u64 ms = be64_to_cpu(nla_get_be64(nla));
3181 u64 max = (u64)(~((u64)0));
3183 max = div_u64(max, NSEC_PER_MSEC);
3187 ms *= NSEC_PER_MSEC;
3188 *result = nsecs_to_jiffies64(ms);
3192 static __be64 nf_jiffies64_to_msecs(u64 input)
3194 u64 ms = jiffies64_to_nsecs(input);
3196 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3199 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3200 const struct nft_set *set, u16 event, u16 flags)
3202 struct nfgenmsg *nfmsg;
3203 struct nlmsghdr *nlh;
3204 struct nlattr *desc;
3205 u32 portid = ctx->portid;
3208 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3209 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3212 goto nla_put_failure;
3214 nfmsg = nlmsg_data(nlh);
3215 nfmsg->nfgen_family = ctx->family;
3216 nfmsg->version = NFNETLINK_V0;
3217 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3219 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3220 goto nla_put_failure;
3221 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3222 goto nla_put_failure;
3223 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3225 goto nla_put_failure;
3226 if (set->flags != 0)
3227 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3228 goto nla_put_failure;
3230 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3231 goto nla_put_failure;
3232 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3233 goto nla_put_failure;
3234 if (set->flags & NFT_SET_MAP) {
3235 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3236 goto nla_put_failure;
3237 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3238 goto nla_put_failure;
3240 if (set->flags & NFT_SET_OBJECT &&
3241 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3242 goto nla_put_failure;
3245 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3246 nf_jiffies64_to_msecs(set->timeout),
3248 goto nla_put_failure;
3250 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3251 goto nla_put_failure;
3253 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3254 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3255 goto nla_put_failure;
3258 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3259 goto nla_put_failure;
3261 desc = nla_nest_start(skb, NFTA_SET_DESC);
3263 goto nla_put_failure;
3265 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3266 goto nla_put_failure;
3267 nla_nest_end(skb, desc);
3269 nlmsg_end(skb, nlh);
3273 nlmsg_trim(skb, nlh);
3277 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3278 const struct nft_set *set, int event,
3281 struct sk_buff *skb;
3282 u32 portid = ctx->portid;
3286 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3289 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3293 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3299 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3303 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3306 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3308 const struct nft_set *set;
3309 unsigned int idx, s_idx = cb->args[0];
3310 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3311 struct net *net = sock_net(skb->sk);
3312 struct nft_ctx *ctx = cb->data, ctx_set;
3318 cb->seq = net->nft.base_seq;
3320 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3321 if (ctx->family != NFPROTO_UNSPEC &&
3322 ctx->family != table->family)
3325 if (ctx->table && ctx->table != table)
3329 if (cur_table != table)
3335 list_for_each_entry_rcu(set, &table->sets, list) {
3338 if (!nft_is_active(net, set))
3342 ctx_set.table = table;
3343 ctx_set.family = table->family;
3345 if (nf_tables_fill_set(skb, &ctx_set, set,
3349 cb->args[2] = (unsigned long) table;
3352 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3365 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3367 struct nft_ctx *ctx_dump = NULL;
3369 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3370 if (ctx_dump == NULL)
3373 cb->data = ctx_dump;
3377 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3383 /* called with rcu_read_lock held */
3384 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3385 struct sk_buff *skb, const struct nlmsghdr *nlh,
3386 const struct nlattr * const nla[],
3387 struct netlink_ext_ack *extack)
3389 u8 genmask = nft_genmask_cur(net);
3390 const struct nft_set *set;
3392 struct sk_buff *skb2;
3393 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3396 /* Verify existence before starting dump */
3397 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3402 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3403 struct netlink_dump_control c = {
3404 .start = nf_tables_dump_sets_start,
3405 .dump = nf_tables_dump_sets,
3406 .done = nf_tables_dump_sets_done,
3408 .module = THIS_MODULE,
3411 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3414 /* Only accept unspec with dump */
3415 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3416 return -EAFNOSUPPORT;
3417 if (!nla[NFTA_SET_TABLE])
3420 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3422 return PTR_ERR(set);
3424 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3428 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3432 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3439 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3440 struct nft_set_desc *desc,
3441 const struct nlattr *nla)
3443 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3446 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3447 nft_set_desc_policy, NULL);
3451 if (da[NFTA_SET_DESC_SIZE] != NULL)
3452 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3457 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3458 struct sk_buff *skb, const struct nlmsghdr *nlh,
3459 const struct nlattr * const nla[],
3460 struct netlink_ext_ack *extack)
3462 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3463 u8 genmask = nft_genmask_next(net);
3464 int family = nfmsg->nfgen_family;
3465 const struct nft_set_ops *ops;
3466 struct nft_table *table;
3467 struct nft_set *set;
3472 u32 ktype, dtype, flags, policy, gc_int, objtype;
3473 struct nft_set_desc desc;
3474 unsigned char *udata;
3478 if (nla[NFTA_SET_TABLE] == NULL ||
3479 nla[NFTA_SET_NAME] == NULL ||
3480 nla[NFTA_SET_KEY_LEN] == NULL ||
3481 nla[NFTA_SET_ID] == NULL)
3484 memset(&desc, 0, sizeof(desc));
3486 ktype = NFT_DATA_VALUE;
3487 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3488 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3489 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3493 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3494 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3498 if (nla[NFTA_SET_FLAGS] != NULL) {
3499 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3500 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3501 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3502 NFT_SET_MAP | NFT_SET_EVAL |
3505 /* Only one of these operations is supported */
3506 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3507 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3512 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3513 if (!(flags & NFT_SET_MAP))
3516 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3517 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3518 dtype != NFT_DATA_VERDICT)
3521 if (dtype != NFT_DATA_VERDICT) {
3522 if (nla[NFTA_SET_DATA_LEN] == NULL)
3524 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3525 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3528 desc.dlen = sizeof(struct nft_verdict);
3529 } else if (flags & NFT_SET_MAP)
3532 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3533 if (!(flags & NFT_SET_OBJECT))
3536 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3537 if (objtype == NFT_OBJECT_UNSPEC ||
3538 objtype > NFT_OBJECT_MAX)
3540 } else if (flags & NFT_SET_OBJECT)
3543 objtype = NFT_OBJECT_UNSPEC;
3546 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3547 if (!(flags & NFT_SET_TIMEOUT))
3550 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3555 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3556 if (!(flags & NFT_SET_TIMEOUT))
3558 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3561 policy = NFT_SET_POL_PERFORMANCE;
3562 if (nla[NFTA_SET_POLICY] != NULL)
3563 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3565 if (nla[NFTA_SET_DESC] != NULL) {
3566 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3571 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3572 if (IS_ERR(table)) {
3573 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3574 return PTR_ERR(table);
3577 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3579 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3581 if (PTR_ERR(set) != -ENOENT) {
3582 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3583 return PTR_ERR(set);
3586 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3587 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3590 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3596 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3599 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3601 return PTR_ERR(ops);
3604 if (nla[NFTA_SET_USERDATA])
3605 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3608 if (ops->privsize != NULL)
3609 size = ops->privsize(nla, &desc);
3611 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3617 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3623 err = nf_tables_set_alloc_name(&ctx, set, name);
3630 udata = set->data + size;
3631 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3634 INIT_LIST_HEAD(&set->bindings);
3636 write_pnet(&set->net, net);
3639 set->klen = desc.klen;
3641 set->objtype = objtype;
3642 set->dlen = desc.dlen;
3644 set->size = desc.size;
3645 set->policy = policy;
3648 set->timeout = timeout;
3649 set->gc_int = gc_int;
3650 set->handle = nf_tables_alloc_handle(table);
3652 err = ops->init(set, &desc, nla);
3656 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3660 list_add_tail_rcu(&set->list, &table->sets);
3671 module_put(to_set_type(ops)->owner);
3675 static void nft_set_destroy(struct nft_set *set)
3677 if (WARN_ON(set->use > 0))
3680 set->ops->destroy(set);
3681 module_put(to_set_type(set->ops)->owner);
3686 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3687 struct sk_buff *skb, const struct nlmsghdr *nlh,
3688 const struct nlattr * const nla[],
3689 struct netlink_ext_ack *extack)
3691 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3692 u8 genmask = nft_genmask_next(net);
3693 const struct nlattr *attr;
3694 struct nft_set *set;
3698 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3699 return -EAFNOSUPPORT;
3700 if (nla[NFTA_SET_TABLE] == NULL)
3703 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3708 if (nla[NFTA_SET_HANDLE]) {
3709 attr = nla[NFTA_SET_HANDLE];
3710 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3712 attr = nla[NFTA_SET_NAME];
3713 set = nft_set_lookup(ctx.table, attr, genmask);
3717 NL_SET_BAD_ATTR(extack, attr);
3718 return PTR_ERR(set);
3721 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3722 NL_SET_BAD_ATTR(extack, attr);
3726 return nft_delset(&ctx, set);
3729 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3730 struct nft_set *set,
3731 const struct nft_set_iter *iter,
3732 struct nft_set_elem *elem)
3734 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3735 enum nft_registers dreg;
3737 dreg = nft_type_to_reg(set->dtype);
3738 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3739 set->dtype == NFT_DATA_VERDICT ?
3740 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3744 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3745 struct nft_set_binding *binding)
3747 struct nft_set_binding *i;
3748 struct nft_set_iter iter;
3750 if (set->use == UINT_MAX)
3753 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3756 if (binding->flags & NFT_SET_MAP) {
3757 /* If the set is already bound to the same chain all
3758 * jumps are already validated for that chain.
3760 list_for_each_entry(i, &set->bindings, list) {
3761 if (i->flags & NFT_SET_MAP &&
3762 i->chain == binding->chain)
3766 iter.genmask = nft_genmask_next(ctx->net);
3770 iter.fn = nf_tables_bind_check_setelem;
3772 set->ops->walk(ctx, set, &iter);
3777 binding->chain = ctx->chain;
3778 list_add_tail_rcu(&binding->list, &set->bindings);
3779 nft_set_trans_bind(ctx, set);
3784 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3786 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3787 struct nft_set_binding *binding, bool event)
3789 list_del_rcu(&binding->list);
3791 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3792 list_del_rcu(&set->list);
3794 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3798 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3800 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3801 struct nft_set_binding *binding,
3802 enum nft_trans_phase phase)
3805 case NFT_TRANS_PREPARE:
3808 case NFT_TRANS_ABORT:
3809 case NFT_TRANS_RELEASE:
3813 nf_tables_unbind_set(ctx, set, binding,
3814 phase == NFT_TRANS_COMMIT);
3817 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3819 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3821 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3822 nft_set_destroy(set);
3824 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3826 const struct nft_set_ext_type nft_set_ext_types[] = {
3827 [NFT_SET_EXT_KEY] = {
3828 .align = __alignof__(u32),
3830 [NFT_SET_EXT_DATA] = {
3831 .align = __alignof__(u32),
3833 [NFT_SET_EXT_EXPR] = {
3834 .align = __alignof__(struct nft_expr),
3836 [NFT_SET_EXT_OBJREF] = {
3837 .len = sizeof(struct nft_object *),
3838 .align = __alignof__(struct nft_object *),
3840 [NFT_SET_EXT_FLAGS] = {
3842 .align = __alignof__(u8),
3844 [NFT_SET_EXT_TIMEOUT] = {
3846 .align = __alignof__(u64),
3848 [NFT_SET_EXT_EXPIRATION] = {
3850 .align = __alignof__(u64),
3852 [NFT_SET_EXT_USERDATA] = {
3853 .len = sizeof(struct nft_userdata),
3854 .align = __alignof__(struct nft_userdata),
3857 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3863 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3864 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3865 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3866 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3867 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3868 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3869 .len = NFT_USERDATA_MAXLEN },
3870 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3871 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3874 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3875 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3876 .len = NFT_TABLE_MAXNAMELEN - 1 },
3877 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3878 .len = NFT_SET_MAXNAMELEN - 1 },
3879 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3880 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3883 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3884 const struct sk_buff *skb,
3885 const struct nlmsghdr *nlh,
3886 const struct nlattr * const nla[],
3887 struct netlink_ext_ack *extack,
3890 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3891 int family = nfmsg->nfgen_family;
3892 struct nft_table *table;
3894 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3896 if (IS_ERR(table)) {
3897 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3898 return PTR_ERR(table);
3901 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3905 static int nf_tables_fill_setelem(struct sk_buff *skb,
3906 const struct nft_set *set,
3907 const struct nft_set_elem *elem)
3909 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3910 unsigned char *b = skb_tail_pointer(skb);
3911 struct nlattr *nest;
3913 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3915 goto nla_put_failure;
3917 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3918 NFT_DATA_VALUE, set->klen) < 0)
3919 goto nla_put_failure;
3921 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3922 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3923 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3925 goto nla_put_failure;
3927 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3928 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3929 goto nla_put_failure;
3931 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3932 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3933 (*nft_set_ext_obj(ext))->key.name) < 0)
3934 goto nla_put_failure;
3936 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3937 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3938 htonl(*nft_set_ext_flags(ext))))
3939 goto nla_put_failure;
3941 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3942 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3943 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3945 goto nla_put_failure;
3947 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3948 u64 expires, now = get_jiffies_64();
3950 expires = *nft_set_ext_expiration(ext);
3951 if (time_before64(now, expires))
3956 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3957 nf_jiffies64_to_msecs(expires),
3959 goto nla_put_failure;
3962 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3963 struct nft_userdata *udata;
3965 udata = nft_set_ext_userdata(ext);
3966 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3967 udata->len + 1, udata->data))
3968 goto nla_put_failure;
3971 nla_nest_end(skb, nest);
3979 struct nft_set_dump_args {
3980 const struct netlink_callback *cb;
3981 struct nft_set_iter iter;
3982 struct sk_buff *skb;
3985 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3986 struct nft_set *set,
3987 const struct nft_set_iter *iter,
3988 struct nft_set_elem *elem)
3990 struct nft_set_dump_args *args;
3992 args = container_of(iter, struct nft_set_dump_args, iter);
3993 return nf_tables_fill_setelem(args->skb, set, elem);
3996 struct nft_set_dump_ctx {
3997 const struct nft_set *set;
4001 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4003 struct nft_set_dump_ctx *dump_ctx = cb->data;
4004 struct net *net = sock_net(skb->sk);
4005 struct nft_table *table;
4006 struct nft_set *set;
4007 struct nft_set_dump_args args;
4008 bool set_found = false;
4009 struct nfgenmsg *nfmsg;
4010 struct nlmsghdr *nlh;
4011 struct nlattr *nest;
4016 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4017 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4018 dump_ctx->ctx.family != table->family)
4021 if (table != dump_ctx->ctx.table)
4024 list_for_each_entry_rcu(set, &table->sets, list) {
4025 if (set == dump_ctx->set) {
4038 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4039 portid = NETLINK_CB(cb->skb).portid;
4040 seq = cb->nlh->nlmsg_seq;
4042 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4045 goto nla_put_failure;
4047 nfmsg = nlmsg_data(nlh);
4048 nfmsg->nfgen_family = table->family;
4049 nfmsg->version = NFNETLINK_V0;
4050 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4052 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4053 goto nla_put_failure;
4054 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4055 goto nla_put_failure;
4057 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4059 goto nla_put_failure;
4063 args.iter.genmask = nft_genmask_cur(net);
4064 args.iter.skip = cb->args[0];
4065 args.iter.count = 0;
4067 args.iter.fn = nf_tables_dump_setelem;
4068 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4071 nla_nest_end(skb, nest);
4072 nlmsg_end(skb, nlh);
4074 if (args.iter.err && args.iter.err != -EMSGSIZE)
4075 return args.iter.err;
4076 if (args.iter.count == cb->args[0])
4079 cb->args[0] = args.iter.count;
4087 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4089 struct nft_set_dump_ctx *dump_ctx = cb->data;
4091 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4093 return cb->data ? 0 : -ENOMEM;
4096 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4102 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4103 const struct nft_ctx *ctx, u32 seq,
4104 u32 portid, int event, u16 flags,
4105 const struct nft_set *set,
4106 const struct nft_set_elem *elem)
4108 struct nfgenmsg *nfmsg;
4109 struct nlmsghdr *nlh;
4110 struct nlattr *nest;
4113 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4114 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4117 goto nla_put_failure;
4119 nfmsg = nlmsg_data(nlh);
4120 nfmsg->nfgen_family = ctx->family;
4121 nfmsg->version = NFNETLINK_V0;
4122 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4124 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4125 goto nla_put_failure;
4126 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4127 goto nla_put_failure;
4129 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4131 goto nla_put_failure;
4133 err = nf_tables_fill_setelem(skb, set, elem);
4135 goto nla_put_failure;
4137 nla_nest_end(skb, nest);
4139 nlmsg_end(skb, nlh);
4143 nlmsg_trim(skb, nlh);
4147 static int nft_setelem_parse_flags(const struct nft_set *set,
4148 const struct nlattr *attr, u32 *flags)
4153 *flags = ntohl(nla_get_be32(attr));
4154 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4156 if (!(set->flags & NFT_SET_INTERVAL) &&
4157 *flags & NFT_SET_ELEM_INTERVAL_END)
4163 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4164 const struct nlattr *attr)
4166 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4167 struct nft_data_desc desc;
4168 struct nft_set_elem elem;
4169 struct sk_buff *skb;
4174 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4175 nft_set_elem_policy, NULL);
4179 if (!nla[NFTA_SET_ELEM_KEY])
4182 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4186 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4187 nla[NFTA_SET_ELEM_KEY]);
4192 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4195 priv = set->ops->get(ctx->net, set, &elem, flags);
4197 return PTR_ERR(priv);
4202 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4206 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4207 NFT_MSG_NEWSETELEM, 0, set, &elem);
4211 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4212 /* This avoids a loop in nfnetlink. */
4220 /* this avoids a loop in nfnetlink. */
4221 return err == -EAGAIN ? -ENOBUFS : err;
4224 /* called with rcu_read_lock held */
4225 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4226 struct sk_buff *skb, const struct nlmsghdr *nlh,
4227 const struct nlattr * const nla[],
4228 struct netlink_ext_ack *extack)
4230 u8 genmask = nft_genmask_cur(net);
4231 struct nft_set *set;
4232 struct nlattr *attr;
4236 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4241 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4243 return PTR_ERR(set);
4245 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4246 struct netlink_dump_control c = {
4247 .start = nf_tables_dump_set_start,
4248 .dump = nf_tables_dump_set,
4249 .done = nf_tables_dump_set_done,
4250 .module = THIS_MODULE,
4252 struct nft_set_dump_ctx dump_ctx = {
4258 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4261 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4264 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4265 err = nft_get_set_elem(&ctx, set, attr);
4273 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4274 const struct nft_set *set,
4275 const struct nft_set_elem *elem,
4276 int event, u16 flags)
4278 struct net *net = ctx->net;
4279 u32 portid = ctx->portid;
4280 struct sk_buff *skb;
4283 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4286 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4290 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4297 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4301 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4304 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4306 struct nft_set *set)
4308 struct nft_trans *trans;
4310 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4314 nft_trans_elem_set(trans) = set;
4318 void *nft_set_elem_init(const struct nft_set *set,
4319 const struct nft_set_ext_tmpl *tmpl,
4320 const u32 *key, const u32 *data,
4321 u64 timeout, gfp_t gfp)
4323 struct nft_set_ext *ext;
4326 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4330 ext = nft_set_elem_ext(set, elem);
4331 nft_set_ext_init(ext, tmpl);
4333 memcpy(nft_set_ext_key(ext), key, set->klen);
4334 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4335 memcpy(nft_set_ext_data(ext), data, set->dlen);
4336 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4337 *nft_set_ext_expiration(ext) =
4338 get_jiffies_64() + timeout;
4339 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4340 *nft_set_ext_timeout(ext) = timeout;
4345 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4348 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4349 struct nft_ctx ctx = {
4350 .net = read_pnet(&set->net),
4351 .family = set->table->family,
4354 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4355 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4356 nft_data_release(nft_set_ext_data(ext), set->dtype);
4357 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4358 struct nft_expr *expr = nft_set_ext_expr(ext);
4360 if (expr->ops->destroy_clone) {
4361 expr->ops->destroy_clone(&ctx, expr);
4362 module_put(expr->ops->type->owner);
4364 nf_tables_expr_destroy(&ctx, expr);
4367 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4368 (*nft_set_ext_obj(ext))->use--;
4371 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4373 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4374 * the refcounting from the preparation phase.
4376 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4377 const struct nft_set *set, void *elem)
4379 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4381 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4382 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4386 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4387 const struct nlattr *attr, u32 nlmsg_flags)
4389 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4390 u8 genmask = nft_genmask_next(ctx->net);
4391 struct nft_data_desc d1, d2;
4392 struct nft_set_ext_tmpl tmpl;
4393 struct nft_set_ext *ext, *ext2;
4394 struct nft_set_elem elem;
4395 struct nft_set_binding *binding;
4396 struct nft_object *obj = NULL;
4397 struct nft_userdata *udata;
4398 struct nft_data data;
4399 enum nft_registers dreg;
4400 struct nft_trans *trans;
4406 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4407 nft_set_elem_policy, NULL);
4411 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4414 nft_set_ext_prepare(&tmpl);
4416 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4420 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4422 if (set->flags & NFT_SET_MAP) {
4423 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4424 !(flags & NFT_SET_ELEM_INTERVAL_END))
4426 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4427 flags & NFT_SET_ELEM_INTERVAL_END)
4430 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4435 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4436 if (!(set->flags & NFT_SET_TIMEOUT))
4438 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4442 } else if (set->flags & NFT_SET_TIMEOUT) {
4443 timeout = set->timeout;
4446 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4447 nla[NFTA_SET_ELEM_KEY]);
4451 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4454 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4456 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4457 if (timeout != set->timeout)
4458 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4461 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4462 if (!(set->flags & NFT_SET_OBJECT)) {
4466 obj = nft_obj_lookup(ctx->net, ctx->table,
4467 nla[NFTA_SET_ELEM_OBJREF],
4468 set->objtype, genmask);
4473 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4476 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4477 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4478 nla[NFTA_SET_ELEM_DATA]);
4483 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4486 dreg = nft_type_to_reg(set->dtype);
4487 list_for_each_entry(binding, &set->bindings, list) {
4488 struct nft_ctx bind_ctx = {
4490 .family = ctx->family,
4491 .table = ctx->table,
4492 .chain = (struct nft_chain *)binding->chain,
4495 if (!(binding->flags & NFT_SET_MAP))
4498 err = nft_validate_register_store(&bind_ctx, dreg,
4504 if (d2.type == NFT_DATA_VERDICT &&
4505 (data.verdict.code == NFT_GOTO ||
4506 data.verdict.code == NFT_JUMP))
4507 nft_validate_state_update(ctx->net,
4511 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4514 /* The full maximum length of userdata can exceed the maximum
4515 * offset value (U8_MAX) for following extensions, therefor it
4516 * must be the last extension added.
4519 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4520 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4522 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4527 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4528 timeout, GFP_KERNEL);
4529 if (elem.priv == NULL)
4532 ext = nft_set_elem_ext(set, elem.priv);
4534 *nft_set_ext_flags(ext) = flags;
4536 udata = nft_set_ext_userdata(ext);
4537 udata->len = ulen - 1;
4538 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4541 *nft_set_ext_obj(ext) = obj;
4545 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4549 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4550 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4552 if (err == -EEXIST) {
4553 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4554 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4555 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4556 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4560 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4561 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4562 memcmp(nft_set_ext_data(ext),
4563 nft_set_ext_data(ext2), set->dlen) != 0) ||
4564 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4565 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4566 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4568 else if (!(nlmsg_flags & NLM_F_EXCL))
4575 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4580 nft_trans_elem(trans) = elem;
4581 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4585 set->ops->remove(ctx->net, set, &elem);
4593 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4594 nft_data_release(&data, d2.type);
4596 nft_data_release(&elem.key.val, d1.type);
4601 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4602 struct sk_buff *skb, const struct nlmsghdr *nlh,
4603 const struct nlattr * const nla[],
4604 struct netlink_ext_ack *extack)
4606 u8 genmask = nft_genmask_next(net);
4607 const struct nlattr *attr;
4608 struct nft_set *set;
4612 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4615 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4620 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4621 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4623 return PTR_ERR(set);
4625 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4628 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4629 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4634 if (net->nft.validate_state == NFT_VALIDATE_DO)
4635 return nft_table_validate(net, ctx.table);
4641 * nft_data_hold - hold a nft_data item
4643 * @data: struct nft_data to release
4644 * @type: type of data
4646 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4647 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4648 * NFT_GOTO verdicts. This function must be called on active data objects
4649 * from the second phase of the commit protocol.
4651 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4653 if (type == NFT_DATA_VERDICT) {
4654 switch (data->verdict.code) {
4657 data->verdict.chain->use++;
4663 static void nft_set_elem_activate(const struct net *net,
4664 const struct nft_set *set,
4665 struct nft_set_elem *elem)
4667 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4669 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4670 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4671 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4672 (*nft_set_ext_obj(ext))->use++;
4675 static void nft_set_elem_deactivate(const struct net *net,
4676 const struct nft_set *set,
4677 struct nft_set_elem *elem)
4679 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4681 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4682 nft_data_release(nft_set_ext_data(ext), set->dtype);
4683 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4684 (*nft_set_ext_obj(ext))->use--;
4687 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4688 const struct nlattr *attr)
4690 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4691 struct nft_set_ext_tmpl tmpl;
4692 struct nft_data_desc desc;
4693 struct nft_set_elem elem;
4694 struct nft_set_ext *ext;
4695 struct nft_trans *trans;
4700 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4701 nft_set_elem_policy, NULL);
4706 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4709 nft_set_ext_prepare(&tmpl);
4711 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4715 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4717 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4718 nla[NFTA_SET_ELEM_KEY]);
4723 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4726 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4729 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4731 if (elem.priv == NULL)
4734 ext = nft_set_elem_ext(set, elem.priv);
4736 *nft_set_ext_flags(ext) = flags;
4738 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4739 if (trans == NULL) {
4744 priv = set->ops->deactivate(ctx->net, set, &elem);
4752 nft_set_elem_deactivate(ctx->net, set, &elem);
4754 nft_trans_elem(trans) = elem;
4755 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4763 nft_data_release(&elem.key.val, desc.type);
4768 static int nft_flush_set(const struct nft_ctx *ctx,
4769 struct nft_set *set,
4770 const struct nft_set_iter *iter,
4771 struct nft_set_elem *elem)
4773 struct nft_trans *trans;
4776 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4777 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4781 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4787 nft_set_elem_deactivate(ctx->net, set, elem);
4788 nft_trans_elem_set(trans) = set;
4789 nft_trans_elem(trans) = *elem;
4790 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4798 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4799 struct sk_buff *skb, const struct nlmsghdr *nlh,
4800 const struct nlattr * const nla[],
4801 struct netlink_ext_ack *extack)
4803 u8 genmask = nft_genmask_next(net);
4804 const struct nlattr *attr;
4805 struct nft_set *set;
4809 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4814 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4816 return PTR_ERR(set);
4817 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4820 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4821 struct nft_set_iter iter = {
4823 .fn = nft_flush_set,
4825 set->ops->walk(&ctx, set, &iter);
4830 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4831 err = nft_del_setelem(&ctx, set, attr);
4840 void nft_set_gc_batch_release(struct rcu_head *rcu)
4842 struct nft_set_gc_batch *gcb;
4845 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4846 for (i = 0; i < gcb->head.cnt; i++)
4847 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4850 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4852 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4855 struct nft_set_gc_batch *gcb;
4857 gcb = kzalloc(sizeof(*gcb), gfp);
4860 gcb->head.set = set;
4863 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4870 * nft_register_obj- register nf_tables stateful object type
4873 * Registers the object type for use with nf_tables. Returns zero on
4874 * success or a negative errno code otherwise.
4876 int nft_register_obj(struct nft_object_type *obj_type)
4878 if (obj_type->type == NFT_OBJECT_UNSPEC)
4881 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4882 list_add_rcu(&obj_type->list, &nf_tables_objects);
4883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4886 EXPORT_SYMBOL_GPL(nft_register_obj);
4889 * nft_unregister_obj - unregister nf_tables object type
4892 * Unregisters the object type for use with nf_tables.
4894 void nft_unregister_obj(struct nft_object_type *obj_type)
4896 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4897 list_del_rcu(&obj_type->list);
4898 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4900 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4902 struct nft_object *nft_obj_lookup(const struct net *net,
4903 const struct nft_table *table,
4904 const struct nlattr *nla, u32 objtype,
4907 struct nft_object_hash_key k = { .table = table };
4908 char search[NFT_OBJ_MAXNAMELEN];
4909 struct rhlist_head *tmp, *list;
4910 struct nft_object *obj;
4912 nla_strlcpy(search, nla, sizeof(search));
4915 WARN_ON_ONCE(!rcu_read_lock_held() &&
4916 !lockdep_commit_lock_is_held(net));
4919 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4923 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
4924 if (objtype == obj->ops->type->type &&
4925 nft_active_genmask(obj, genmask)) {
4932 return ERR_PTR(-ENOENT);
4934 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4936 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4937 const struct nlattr *nla,
4938 u32 objtype, u8 genmask)
4940 struct nft_object *obj;
4942 list_for_each_entry(obj, &table->objects, list) {
4943 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4944 objtype == obj->ops->type->type &&
4945 nft_active_genmask(obj, genmask))
4948 return ERR_PTR(-ENOENT);
4951 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4952 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4953 .len = NFT_TABLE_MAXNAMELEN - 1 },
4954 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4955 .len = NFT_OBJ_MAXNAMELEN - 1 },
4956 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4957 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4958 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4961 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4962 const struct nft_object_type *type,
4963 const struct nlattr *attr)
4966 const struct nft_object_ops *ops;
4967 struct nft_object *obj;
4970 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4975 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4980 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4983 if (type->select_ops) {
4984 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4994 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4998 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5011 return ERR_PTR(err);
5014 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5015 struct nft_object *obj, bool reset)
5017 struct nlattr *nest;
5019 nest = nla_nest_start(skb, attr);
5021 goto nla_put_failure;
5022 if (obj->ops->dump(skb, obj, reset) < 0)
5023 goto nla_put_failure;
5024 nla_nest_end(skb, nest);
5031 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5033 const struct nft_object_type *type;
5035 list_for_each_entry(type, &nf_tables_objects, list) {
5036 if (objtype == type->type)
5042 static const struct nft_object_type *
5043 nft_obj_type_get(struct net *net, u32 objtype)
5045 const struct nft_object_type *type;
5047 type = __nft_obj_type_get(objtype);
5048 if (type != NULL && try_module_get(type->owner))
5051 lockdep_nfnl_nft_mutex_not_held();
5052 #ifdef CONFIG_MODULES
5054 nft_request_module(net, "nft-obj-%u", objtype);
5055 if (__nft_obj_type_get(objtype))
5056 return ERR_PTR(-EAGAIN);
5059 return ERR_PTR(-ENOENT);
5062 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5063 struct sk_buff *skb, const struct nlmsghdr *nlh,
5064 const struct nlattr * const nla[],
5065 struct netlink_ext_ack *extack)
5067 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5068 const struct nft_object_type *type;
5069 u8 genmask = nft_genmask_next(net);
5070 int family = nfmsg->nfgen_family;
5071 struct nft_table *table;
5072 struct nft_object *obj;
5077 if (!nla[NFTA_OBJ_TYPE] ||
5078 !nla[NFTA_OBJ_NAME] ||
5079 !nla[NFTA_OBJ_DATA])
5082 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5083 if (IS_ERR(table)) {
5084 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5085 return PTR_ERR(table);
5088 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5089 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5092 if (err != -ENOENT) {
5093 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5097 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5098 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5104 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5106 type = nft_obj_type_get(net, objtype);
5108 return PTR_ERR(type);
5110 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5115 obj->key.table = table;
5116 obj->handle = nf_tables_alloc_handle(table);
5118 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5119 if (!obj->key.name) {
5124 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5128 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5129 nft_objname_ht_params);
5133 list_add_tail_rcu(&obj->list, &table->objects);
5137 /* queued in transaction log */
5138 INIT_LIST_HEAD(&obj->list);
5141 kfree(obj->key.name);
5143 if (obj->ops->destroy)
5144 obj->ops->destroy(&ctx, obj);
5147 module_put(type->owner);
5151 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5152 u32 portid, u32 seq, int event, u32 flags,
5153 int family, const struct nft_table *table,
5154 struct nft_object *obj, bool reset)
5156 struct nfgenmsg *nfmsg;
5157 struct nlmsghdr *nlh;
5159 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5160 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5162 goto nla_put_failure;
5164 nfmsg = nlmsg_data(nlh);
5165 nfmsg->nfgen_family = family;
5166 nfmsg->version = NFNETLINK_V0;
5167 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5169 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5170 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5171 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5172 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5173 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5174 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5176 goto nla_put_failure;
5178 nlmsg_end(skb, nlh);
5182 nlmsg_trim(skb, nlh);
5186 struct nft_obj_filter {
5191 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5193 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5194 const struct nft_table *table;
5195 unsigned int idx = 0, s_idx = cb->args[0];
5196 struct nft_obj_filter *filter = cb->data;
5197 struct net *net = sock_net(skb->sk);
5198 int family = nfmsg->nfgen_family;
5199 struct nft_object *obj;
5202 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5206 cb->seq = net->nft.base_seq;
5208 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5209 if (family != NFPROTO_UNSPEC && family != table->family)
5212 list_for_each_entry_rcu(obj, &table->objects, list) {
5213 if (!nft_is_active(net, obj))
5218 memset(&cb->args[1], 0,
5219 sizeof(cb->args) - sizeof(cb->args[0]));
5220 if (filter && filter->table &&
5221 strcmp(filter->table, table->name))
5224 filter->type != NFT_OBJECT_UNSPEC &&
5225 obj->ops->type->type != filter->type)
5228 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5231 NLM_F_MULTI | NLM_F_APPEND,
5232 table->family, table,
5236 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5248 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5250 const struct nlattr * const *nla = cb->data;
5251 struct nft_obj_filter *filter = NULL;
5253 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5254 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5258 if (nla[NFTA_OBJ_TABLE]) {
5259 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5260 if (!filter->table) {
5266 if (nla[NFTA_OBJ_TYPE])
5267 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5274 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5276 struct nft_obj_filter *filter = cb->data;
5279 kfree(filter->table);
5286 /* called with rcu_read_lock held */
5287 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5288 struct sk_buff *skb, const struct nlmsghdr *nlh,
5289 const struct nlattr * const nla[],
5290 struct netlink_ext_ack *extack)
5292 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5293 u8 genmask = nft_genmask_cur(net);
5294 int family = nfmsg->nfgen_family;
5295 const struct nft_table *table;
5296 struct nft_object *obj;
5297 struct sk_buff *skb2;
5302 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5303 struct netlink_dump_control c = {
5304 .start = nf_tables_dump_obj_start,
5305 .dump = nf_tables_dump_obj,
5306 .done = nf_tables_dump_obj_done,
5307 .module = THIS_MODULE,
5308 .data = (void *)nla,
5311 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5314 if (!nla[NFTA_OBJ_NAME] ||
5315 !nla[NFTA_OBJ_TYPE])
5318 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5319 if (IS_ERR(table)) {
5320 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5321 return PTR_ERR(table);
5324 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5325 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5327 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5328 return PTR_ERR(obj);
5331 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5335 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5338 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5339 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5340 family, table, obj, reset);
5344 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5350 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5352 if (obj->ops->destroy)
5353 obj->ops->destroy(ctx, obj);
5355 module_put(obj->ops->type->owner);
5356 kfree(obj->key.name);
5360 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5361 struct sk_buff *skb, const struct nlmsghdr *nlh,
5362 const struct nlattr * const nla[],
5363 struct netlink_ext_ack *extack)
5365 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5366 u8 genmask = nft_genmask_next(net);
5367 int family = nfmsg->nfgen_family;
5368 const struct nlattr *attr;
5369 struct nft_table *table;
5370 struct nft_object *obj;
5374 if (!nla[NFTA_OBJ_TYPE] ||
5375 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5378 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5379 if (IS_ERR(table)) {
5380 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5381 return PTR_ERR(table);
5384 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5385 if (nla[NFTA_OBJ_HANDLE]) {
5386 attr = nla[NFTA_OBJ_HANDLE];
5387 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5389 attr = nla[NFTA_OBJ_NAME];
5390 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5394 NL_SET_BAD_ATTR(extack, attr);
5395 return PTR_ERR(obj);
5398 NL_SET_BAD_ATTR(extack, attr);
5402 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5404 return nft_delobj(&ctx, obj);
5407 void nft_obj_notify(struct net *net, const struct nft_table *table,
5408 struct nft_object *obj, u32 portid, u32 seq, int event,
5409 int family, int report, gfp_t gfp)
5411 struct sk_buff *skb;
5415 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5418 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5422 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5429 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5432 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5434 EXPORT_SYMBOL_GPL(nft_obj_notify);
5436 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5437 struct nft_object *obj, int event)
5439 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5440 ctx->family, ctx->report, GFP_KERNEL);
5446 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5448 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5449 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5450 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5452 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5454 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5456 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5457 list_del_rcu(&type->list);
5458 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5460 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5462 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5463 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5464 .len = NFT_NAME_MAXLEN - 1 },
5465 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5466 .len = NFT_NAME_MAXLEN - 1 },
5467 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5468 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5471 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5472 const struct nlattr *nla, u8 genmask)
5474 struct nft_flowtable *flowtable;
5476 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5477 if (!nla_strcmp(nla, flowtable->name) &&
5478 nft_active_genmask(flowtable, genmask))
5481 return ERR_PTR(-ENOENT);
5483 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5485 static struct nft_flowtable *
5486 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5487 const struct nlattr *nla, u8 genmask)
5489 struct nft_flowtable *flowtable;
5491 list_for_each_entry(flowtable, &table->flowtables, list) {
5492 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5493 nft_active_genmask(flowtable, genmask))
5496 return ERR_PTR(-ENOENT);
5499 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5500 const struct nlattr *attr,
5501 struct net_device *dev_array[], int *len)
5503 const struct nlattr *tmp;
5504 struct net_device *dev;
5505 char ifname[IFNAMSIZ];
5506 int rem, n = 0, err;
5508 nla_for_each_nested(tmp, attr, rem) {
5509 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5514 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5515 dev = __dev_get_by_name(ctx->net, ifname);
5521 dev_array[n++] = dev;
5522 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5536 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5537 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5538 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5539 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5542 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5543 const struct nlattr *attr,
5544 struct nft_flowtable *flowtable)
5546 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5547 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5548 struct nf_hook_ops *ops;
5549 int hooknum, priority;
5552 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5553 nft_flowtable_hook_policy, NULL);
5557 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5558 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5559 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5562 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5563 if (hooknum != NF_NETDEV_INGRESS)
5566 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5568 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5573 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5577 flowtable->hooknum = hooknum;
5578 flowtable->priority = priority;
5579 flowtable->ops = ops;
5580 flowtable->ops_len = n;
5582 for (i = 0; i < n; i++) {
5583 flowtable->ops[i].pf = NFPROTO_NETDEV;
5584 flowtable->ops[i].hooknum = hooknum;
5585 flowtable->ops[i].priority = priority;
5586 flowtable->ops[i].priv = &flowtable->data;
5587 flowtable->ops[i].hook = flowtable->data.type->hook;
5588 flowtable->ops[i].dev = dev_array[i];
5594 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5596 const struct nf_flowtable_type *type;
5598 list_for_each_entry(type, &nf_tables_flowtables, list) {
5599 if (family == type->family)
5605 static const struct nf_flowtable_type *
5606 nft_flowtable_type_get(struct net *net, u8 family)
5608 const struct nf_flowtable_type *type;
5610 type = __nft_flowtable_type_get(family);
5611 if (type != NULL && try_module_get(type->owner))
5614 lockdep_nfnl_nft_mutex_not_held();
5615 #ifdef CONFIG_MODULES
5617 nft_request_module(net, "nf-flowtable-%u", family);
5618 if (__nft_flowtable_type_get(family))
5619 return ERR_PTR(-EAGAIN);
5622 return ERR_PTR(-ENOENT);
5625 static void nft_unregister_flowtable_net_hooks(struct net *net,
5626 struct nft_flowtable *flowtable)
5630 for (i = 0; i < flowtable->ops_len; i++) {
5631 if (!flowtable->ops[i].dev)
5634 nf_unregister_net_hook(net, &flowtable->ops[i]);
5638 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5639 struct sk_buff *skb,
5640 const struct nlmsghdr *nlh,
5641 const struct nlattr * const nla[],
5642 struct netlink_ext_ack *extack)
5644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5645 const struct nf_flowtable_type *type;
5646 struct nft_flowtable *flowtable, *ft;
5647 u8 genmask = nft_genmask_next(net);
5648 int family = nfmsg->nfgen_family;
5649 struct nft_table *table;
5653 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5654 !nla[NFTA_FLOWTABLE_NAME] ||
5655 !nla[NFTA_FLOWTABLE_HOOK])
5658 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5660 if (IS_ERR(table)) {
5661 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5662 return PTR_ERR(table);
5665 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5667 if (IS_ERR(flowtable)) {
5668 err = PTR_ERR(flowtable);
5669 if (err != -ENOENT) {
5670 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5674 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5675 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5682 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5684 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5688 flowtable->table = table;
5689 flowtable->handle = nf_tables_alloc_handle(table);
5691 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5692 if (!flowtable->name) {
5697 type = nft_flowtable_type_get(net, family);
5699 err = PTR_ERR(type);
5703 flowtable->data.type = type;
5704 err = type->init(&flowtable->data);
5708 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5713 for (i = 0; i < flowtable->ops_len; i++) {
5714 if (!flowtable->ops[i].dev)
5717 list_for_each_entry(ft, &table->flowtables, list) {
5718 for (k = 0; k < ft->ops_len; k++) {
5719 if (!ft->ops[k].dev)
5722 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5723 flowtable->ops[i].pf == ft->ops[k].pf) {
5730 err = nf_register_net_hook(net, &flowtable->ops[i]);
5735 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5739 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5744 i = flowtable->ops_len;
5746 for (k = i - 1; k >= 0; k--)
5747 nf_unregister_net_hook(net, &flowtable->ops[k]);
5749 kfree(flowtable->ops);
5751 flowtable->data.type->free(&flowtable->data);
5753 module_put(type->owner);
5755 kfree(flowtable->name);
5761 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5762 struct sk_buff *skb,
5763 const struct nlmsghdr *nlh,
5764 const struct nlattr * const nla[],
5765 struct netlink_ext_ack *extack)
5767 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5768 u8 genmask = nft_genmask_next(net);
5769 int family = nfmsg->nfgen_family;
5770 struct nft_flowtable *flowtable;
5771 const struct nlattr *attr;
5772 struct nft_table *table;
5775 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5776 (!nla[NFTA_FLOWTABLE_NAME] &&
5777 !nla[NFTA_FLOWTABLE_HANDLE]))
5780 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5782 if (IS_ERR(table)) {
5783 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5784 return PTR_ERR(table);
5787 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5788 attr = nla[NFTA_FLOWTABLE_HANDLE];
5789 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5791 attr = nla[NFTA_FLOWTABLE_NAME];
5792 flowtable = nft_flowtable_lookup(table, attr, genmask);
5795 if (IS_ERR(flowtable)) {
5796 NL_SET_BAD_ATTR(extack, attr);
5797 return PTR_ERR(flowtable);
5799 if (flowtable->use > 0) {
5800 NL_SET_BAD_ATTR(extack, attr);
5804 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5806 return nft_delflowtable(&ctx, flowtable);
5809 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5810 u32 portid, u32 seq, int event,
5811 u32 flags, int family,
5812 struct nft_flowtable *flowtable)
5814 struct nlattr *nest, *nest_devs;
5815 struct nfgenmsg *nfmsg;
5816 struct nlmsghdr *nlh;
5819 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5820 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5822 goto nla_put_failure;
5824 nfmsg = nlmsg_data(nlh);
5825 nfmsg->nfgen_family = family;
5826 nfmsg->version = NFNETLINK_V0;
5827 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5829 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5830 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5831 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5832 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5833 NFTA_FLOWTABLE_PAD))
5834 goto nla_put_failure;
5836 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5838 goto nla_put_failure;
5839 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5840 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5841 goto nla_put_failure;
5843 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5845 goto nla_put_failure;
5847 for (i = 0; i < flowtable->ops_len; i++) {
5848 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5851 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5852 goto nla_put_failure;
5854 nla_nest_end(skb, nest_devs);
5855 nla_nest_end(skb, nest);
5857 nlmsg_end(skb, nlh);
5861 nlmsg_trim(skb, nlh);
5865 struct nft_flowtable_filter {
5869 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5870 struct netlink_callback *cb)
5872 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5873 struct nft_flowtable_filter *filter = cb->data;
5874 unsigned int idx = 0, s_idx = cb->args[0];
5875 struct net *net = sock_net(skb->sk);
5876 int family = nfmsg->nfgen_family;
5877 struct nft_flowtable *flowtable;
5878 const struct nft_table *table;
5881 cb->seq = net->nft.base_seq;
5883 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5884 if (family != NFPROTO_UNSPEC && family != table->family)
5887 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5888 if (!nft_is_active(net, flowtable))
5893 memset(&cb->args[1], 0,
5894 sizeof(cb->args) - sizeof(cb->args[0]));
5895 if (filter && filter->table &&
5896 strcmp(filter->table, table->name))
5899 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5901 NFT_MSG_NEWFLOWTABLE,
5902 NLM_F_MULTI | NLM_F_APPEND,
5903 table->family, flowtable) < 0)
5906 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5918 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5920 const struct nlattr * const *nla = cb->data;
5921 struct nft_flowtable_filter *filter = NULL;
5923 if (nla[NFTA_FLOWTABLE_TABLE]) {
5924 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5928 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5930 if (!filter->table) {
5940 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5942 struct nft_flowtable_filter *filter = cb->data;
5947 kfree(filter->table);
5953 /* called with rcu_read_lock held */
5954 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5955 struct sk_buff *skb,
5956 const struct nlmsghdr *nlh,
5957 const struct nlattr * const nla[],
5958 struct netlink_ext_ack *extack)
5960 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5961 u8 genmask = nft_genmask_cur(net);
5962 int family = nfmsg->nfgen_family;
5963 struct nft_flowtable *flowtable;
5964 const struct nft_table *table;
5965 struct sk_buff *skb2;
5968 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5969 struct netlink_dump_control c = {
5970 .start = nf_tables_dump_flowtable_start,
5971 .dump = nf_tables_dump_flowtable,
5972 .done = nf_tables_dump_flowtable_done,
5973 .module = THIS_MODULE,
5974 .data = (void *)nla,
5977 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5980 if (!nla[NFTA_FLOWTABLE_NAME])
5983 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5986 return PTR_ERR(table);
5988 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5990 if (IS_ERR(flowtable))
5991 return PTR_ERR(flowtable);
5993 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5997 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5999 NFT_MSG_NEWFLOWTABLE, 0, family,
6004 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6010 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6011 struct nft_flowtable *flowtable,
6014 struct sk_buff *skb;
6018 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6021 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6025 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6027 ctx->family, flowtable);
6033 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6034 ctx->report, GFP_KERNEL);
6037 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6040 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6042 kfree(flowtable->ops);
6043 kfree(flowtable->name);
6044 flowtable->data.type->free(&flowtable->data);
6045 module_put(flowtable->data.type->owner);
6049 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6050 u32 portid, u32 seq)
6052 struct nlmsghdr *nlh;
6053 struct nfgenmsg *nfmsg;
6054 char buf[TASK_COMM_LEN];
6055 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6057 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6059 goto nla_put_failure;
6061 nfmsg = nlmsg_data(nlh);
6062 nfmsg->nfgen_family = AF_UNSPEC;
6063 nfmsg->version = NFNETLINK_V0;
6064 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6066 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6067 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6068 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6069 goto nla_put_failure;
6071 nlmsg_end(skb, nlh);
6075 nlmsg_trim(skb, nlh);
6079 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6080 struct nft_flowtable *flowtable)
6084 for (i = 0; i < flowtable->ops_len; i++) {
6085 if (flowtable->ops[i].dev != dev)
6088 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6089 flowtable->ops[i].dev = NULL;
6094 static int nf_tables_flowtable_event(struct notifier_block *this,
6095 unsigned long event, void *ptr)
6097 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6098 struct nft_flowtable *flowtable;
6099 struct nft_table *table;
6102 if (event != NETDEV_UNREGISTER)
6106 mutex_lock(&net->nft.commit_mutex);
6107 list_for_each_entry(table, &net->nft.tables, list) {
6108 list_for_each_entry(flowtable, &table->flowtables, list) {
6109 nft_flowtable_event(event, dev, flowtable);
6112 mutex_unlock(&net->nft.commit_mutex);
6117 static struct notifier_block nf_tables_flowtable_notifier = {
6118 .notifier_call = nf_tables_flowtable_event,
6121 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6124 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6125 struct sk_buff *skb2;
6128 if (nlmsg_report(nlh) &&
6129 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6132 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6136 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6143 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6144 nlmsg_report(nlh), GFP_KERNEL);
6147 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6151 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6152 struct sk_buff *skb, const struct nlmsghdr *nlh,
6153 const struct nlattr * const nla[],
6154 struct netlink_ext_ack *extack)
6156 struct sk_buff *skb2;
6159 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6163 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6168 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6174 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6175 [NFT_MSG_NEWTABLE] = {
6176 .call_batch = nf_tables_newtable,
6177 .attr_count = NFTA_TABLE_MAX,
6178 .policy = nft_table_policy,
6180 [NFT_MSG_GETTABLE] = {
6181 .call_rcu = nf_tables_gettable,
6182 .attr_count = NFTA_TABLE_MAX,
6183 .policy = nft_table_policy,
6185 [NFT_MSG_DELTABLE] = {
6186 .call_batch = nf_tables_deltable,
6187 .attr_count = NFTA_TABLE_MAX,
6188 .policy = nft_table_policy,
6190 [NFT_MSG_NEWCHAIN] = {
6191 .call_batch = nf_tables_newchain,
6192 .attr_count = NFTA_CHAIN_MAX,
6193 .policy = nft_chain_policy,
6195 [NFT_MSG_GETCHAIN] = {
6196 .call_rcu = nf_tables_getchain,
6197 .attr_count = NFTA_CHAIN_MAX,
6198 .policy = nft_chain_policy,
6200 [NFT_MSG_DELCHAIN] = {
6201 .call_batch = nf_tables_delchain,
6202 .attr_count = NFTA_CHAIN_MAX,
6203 .policy = nft_chain_policy,
6205 [NFT_MSG_NEWRULE] = {
6206 .call_batch = nf_tables_newrule,
6207 .attr_count = NFTA_RULE_MAX,
6208 .policy = nft_rule_policy,
6210 [NFT_MSG_GETRULE] = {
6211 .call_rcu = nf_tables_getrule,
6212 .attr_count = NFTA_RULE_MAX,
6213 .policy = nft_rule_policy,
6215 [NFT_MSG_DELRULE] = {
6216 .call_batch = nf_tables_delrule,
6217 .attr_count = NFTA_RULE_MAX,
6218 .policy = nft_rule_policy,
6220 [NFT_MSG_NEWSET] = {
6221 .call_batch = nf_tables_newset,
6222 .attr_count = NFTA_SET_MAX,
6223 .policy = nft_set_policy,
6225 [NFT_MSG_GETSET] = {
6226 .call_rcu = nf_tables_getset,
6227 .attr_count = NFTA_SET_MAX,
6228 .policy = nft_set_policy,
6230 [NFT_MSG_DELSET] = {
6231 .call_batch = nf_tables_delset,
6232 .attr_count = NFTA_SET_MAX,
6233 .policy = nft_set_policy,
6235 [NFT_MSG_NEWSETELEM] = {
6236 .call_batch = nf_tables_newsetelem,
6237 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6238 .policy = nft_set_elem_list_policy,
6240 [NFT_MSG_GETSETELEM] = {
6241 .call_rcu = nf_tables_getsetelem,
6242 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6243 .policy = nft_set_elem_list_policy,
6245 [NFT_MSG_DELSETELEM] = {
6246 .call_batch = nf_tables_delsetelem,
6247 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6248 .policy = nft_set_elem_list_policy,
6250 [NFT_MSG_GETGEN] = {
6251 .call_rcu = nf_tables_getgen,
6253 [NFT_MSG_NEWOBJ] = {
6254 .call_batch = nf_tables_newobj,
6255 .attr_count = NFTA_OBJ_MAX,
6256 .policy = nft_obj_policy,
6258 [NFT_MSG_GETOBJ] = {
6259 .call_rcu = nf_tables_getobj,
6260 .attr_count = NFTA_OBJ_MAX,
6261 .policy = nft_obj_policy,
6263 [NFT_MSG_DELOBJ] = {
6264 .call_batch = nf_tables_delobj,
6265 .attr_count = NFTA_OBJ_MAX,
6266 .policy = nft_obj_policy,
6268 [NFT_MSG_GETOBJ_RESET] = {
6269 .call_rcu = nf_tables_getobj,
6270 .attr_count = NFTA_OBJ_MAX,
6271 .policy = nft_obj_policy,
6273 [NFT_MSG_NEWFLOWTABLE] = {
6274 .call_batch = nf_tables_newflowtable,
6275 .attr_count = NFTA_FLOWTABLE_MAX,
6276 .policy = nft_flowtable_policy,
6278 [NFT_MSG_GETFLOWTABLE] = {
6279 .call_rcu = nf_tables_getflowtable,
6280 .attr_count = NFTA_FLOWTABLE_MAX,
6281 .policy = nft_flowtable_policy,
6283 [NFT_MSG_DELFLOWTABLE] = {
6284 .call_batch = nf_tables_delflowtable,
6285 .attr_count = NFTA_FLOWTABLE_MAX,
6286 .policy = nft_flowtable_policy,
6290 static int nf_tables_validate(struct net *net)
6292 struct nft_table *table;
6294 switch (net->nft.validate_state) {
6295 case NFT_VALIDATE_SKIP:
6297 case NFT_VALIDATE_NEED:
6298 nft_validate_state_update(net, NFT_VALIDATE_DO);
6300 case NFT_VALIDATE_DO:
6301 list_for_each_entry(table, &net->nft.tables, list) {
6302 if (nft_table_validate(net, table) < 0)
6311 static void nft_chain_commit_update(struct nft_trans *trans)
6313 struct nft_base_chain *basechain;
6315 if (nft_trans_chain_name(trans)) {
6316 rhltable_remove(&trans->ctx.table->chains_ht,
6317 &trans->ctx.chain->rhlhead,
6318 nft_chain_ht_params);
6319 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6320 rhltable_insert_key(&trans->ctx.table->chains_ht,
6321 trans->ctx.chain->name,
6322 &trans->ctx.chain->rhlhead,
6323 nft_chain_ht_params);
6326 if (!nft_is_base_chain(trans->ctx.chain))
6329 basechain = nft_base_chain(trans->ctx.chain);
6330 nft_chain_stats_replace(trans->ctx.net, basechain,
6331 nft_trans_chain_stats(trans));
6333 switch (nft_trans_chain_policy(trans)) {
6336 basechain->policy = nft_trans_chain_policy(trans);
6341 static void nft_commit_release(struct nft_trans *trans)
6343 switch (trans->msg_type) {
6344 case NFT_MSG_DELTABLE:
6345 nf_tables_table_destroy(&trans->ctx);
6347 case NFT_MSG_NEWCHAIN:
6348 kfree(nft_trans_chain_name(trans));
6350 case NFT_MSG_DELCHAIN:
6351 nf_tables_chain_destroy(&trans->ctx);
6353 case NFT_MSG_DELRULE:
6354 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6356 case NFT_MSG_DELSET:
6357 nft_set_destroy(nft_trans_set(trans));
6359 case NFT_MSG_DELSETELEM:
6360 nf_tables_set_elem_destroy(&trans->ctx,
6361 nft_trans_elem_set(trans),
6362 nft_trans_elem(trans).priv);
6364 case NFT_MSG_DELOBJ:
6365 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6367 case NFT_MSG_DELFLOWTABLE:
6368 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6373 put_net(trans->ctx.net);
6378 static void nf_tables_trans_destroy_work(struct work_struct *w)
6380 struct nft_trans *trans, *next;
6383 spin_lock(&nf_tables_destroy_list_lock);
6384 list_splice_init(&nf_tables_destroy_list, &head);
6385 spin_unlock(&nf_tables_destroy_list_lock);
6387 if (list_empty(&head))
6392 list_for_each_entry_safe(trans, next, &head, list) {
6393 list_del(&trans->list);
6394 nft_commit_release(trans);
6398 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6400 struct nft_rule *rule;
6401 unsigned int alloc = 0;
6404 /* already handled or inactive chain? */
6405 if (chain->rules_next || !nft_is_active_next(net, chain))
6408 rule = list_entry(&chain->rules, struct nft_rule, list);
6411 list_for_each_entry_continue(rule, &chain->rules, list) {
6412 if (nft_is_active_next(net, rule))
6416 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6417 if (!chain->rules_next)
6420 list_for_each_entry_continue(rule, &chain->rules, list) {
6421 if (nft_is_active_next(net, rule))
6422 chain->rules_next[i++] = rule;
6425 chain->rules_next[i] = NULL;
6429 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6431 struct nft_trans *trans, *next;
6433 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6434 struct nft_chain *chain = trans->ctx.chain;
6436 if (trans->msg_type == NFT_MSG_NEWRULE ||
6437 trans->msg_type == NFT_MSG_DELRULE) {
6438 kvfree(chain->rules_next);
6439 chain->rules_next = NULL;
6444 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6446 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6451 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6453 struct nft_rule **r = rules;
6454 struct nft_rules_old *old;
6459 r++; /* rcu_head is after end marker */
6463 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6466 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6468 struct nft_rule **g0, **g1;
6471 next_genbit = nft_gencursor_next(net);
6473 g0 = rcu_dereference_protected(chain->rules_gen_0,
6474 lockdep_commit_lock_is_held(net));
6475 g1 = rcu_dereference_protected(chain->rules_gen_1,
6476 lockdep_commit_lock_is_held(net));
6478 /* No changes to this chain? */
6479 if (chain->rules_next == NULL) {
6480 /* chain had no change in last or next generation */
6484 * chain had no change in this generation; make sure next
6485 * one uses same rules as current generation.
6488 rcu_assign_pointer(chain->rules_gen_1, g0);
6489 nf_tables_commit_chain_free_rules_old(g1);
6491 rcu_assign_pointer(chain->rules_gen_0, g1);
6492 nf_tables_commit_chain_free_rules_old(g0);
6499 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6501 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6503 chain->rules_next = NULL;
6509 nf_tables_commit_chain_free_rules_old(g1);
6511 nf_tables_commit_chain_free_rules_old(g0);
6514 static void nft_obj_del(struct nft_object *obj)
6516 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6517 list_del_rcu(&obj->list);
6520 static void nft_chain_del(struct nft_chain *chain)
6522 struct nft_table *table = chain->table;
6524 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6525 nft_chain_ht_params));
6526 list_del_rcu(&chain->list);
6529 static void nf_tables_commit_release(struct net *net)
6531 struct nft_trans *trans;
6533 /* all side effects have to be made visible.
6534 * For example, if a chain named 'foo' has been deleted, a
6535 * new transaction must not find it anymore.
6537 * Memory reclaim happens asynchronously from work queue
6538 * to prevent expensive synchronize_rcu() in commit phase.
6540 if (list_empty(&net->nft.commit_list)) {
6541 mutex_unlock(&net->nft.commit_mutex);
6545 trans = list_last_entry(&net->nft.commit_list,
6546 struct nft_trans, list);
6547 get_net(trans->ctx.net);
6548 WARN_ON_ONCE(trans->put_net);
6550 trans->put_net = true;
6551 spin_lock(&nf_tables_destroy_list_lock);
6552 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6553 spin_unlock(&nf_tables_destroy_list_lock);
6555 mutex_unlock(&net->nft.commit_mutex);
6557 schedule_work(&trans_destroy_work);
6560 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6562 struct nft_trans *trans, *next;
6563 struct nft_trans_elem *te;
6564 struct nft_chain *chain;
6565 struct nft_table *table;
6567 if (list_empty(&net->nft.commit_list)) {
6568 mutex_unlock(&net->nft.commit_mutex);
6572 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6573 if (nf_tables_validate(net) < 0)
6576 /* 1. Allocate space for next generation rules_gen_X[] */
6577 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6580 if (trans->msg_type == NFT_MSG_NEWRULE ||
6581 trans->msg_type == NFT_MSG_DELRULE) {
6582 chain = trans->ctx.chain;
6584 ret = nf_tables_commit_chain_prepare(net, chain);
6586 nf_tables_commit_chain_prepare_cancel(net);
6592 /* step 2. Make rules_gen_X visible to packet path */
6593 list_for_each_entry(table, &net->nft.tables, list) {
6594 list_for_each_entry(chain, &table->chains, list)
6595 nf_tables_commit_chain(net, chain);
6599 * Bump generation counter, invalidate any dump in progress.
6600 * Cannot fail after this point.
6602 while (++net->nft.base_seq == 0);
6604 /* step 3. Start new generation, rules_gen_X now in use. */
6605 net->nft.gencursor = nft_gencursor_next(net);
6607 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6608 switch (trans->msg_type) {
6609 case NFT_MSG_NEWTABLE:
6610 if (nft_trans_table_update(trans)) {
6611 if (!nft_trans_table_enable(trans)) {
6612 nf_tables_table_disable(net,
6614 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6617 nft_clear(net, trans->ctx.table);
6619 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6620 nft_trans_destroy(trans);
6622 case NFT_MSG_DELTABLE:
6623 list_del_rcu(&trans->ctx.table->list);
6624 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6626 case NFT_MSG_NEWCHAIN:
6627 if (nft_trans_chain_update(trans)) {
6628 nft_chain_commit_update(trans);
6629 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6630 /* trans destroyed after rcu grace period */
6632 nft_clear(net, trans->ctx.chain);
6633 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6634 nft_trans_destroy(trans);
6637 case NFT_MSG_DELCHAIN:
6638 nft_chain_del(trans->ctx.chain);
6639 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6640 nf_tables_unregister_hook(trans->ctx.net,
6644 case NFT_MSG_NEWRULE:
6645 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6646 nf_tables_rule_notify(&trans->ctx,
6647 nft_trans_rule(trans),
6649 nft_trans_destroy(trans);
6651 case NFT_MSG_DELRULE:
6652 list_del_rcu(&nft_trans_rule(trans)->list);
6653 nf_tables_rule_notify(&trans->ctx,
6654 nft_trans_rule(trans),
6656 nft_rule_expr_deactivate(&trans->ctx,
6657 nft_trans_rule(trans),
6660 case NFT_MSG_NEWSET:
6661 nft_clear(net, nft_trans_set(trans));
6662 /* This avoids hitting -EBUSY when deleting the table
6663 * from the transaction.
6665 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6666 !list_empty(&nft_trans_set(trans)->bindings))
6667 trans->ctx.table->use--;
6669 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6670 NFT_MSG_NEWSET, GFP_KERNEL);
6671 nft_trans_destroy(trans);
6673 case NFT_MSG_DELSET:
6674 list_del_rcu(&nft_trans_set(trans)->list);
6675 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6676 NFT_MSG_DELSET, GFP_KERNEL);
6678 case NFT_MSG_NEWSETELEM:
6679 te = (struct nft_trans_elem *)trans->data;
6681 te->set->ops->activate(net, te->set, &te->elem);
6682 nf_tables_setelem_notify(&trans->ctx, te->set,
6684 NFT_MSG_NEWSETELEM, 0);
6685 nft_trans_destroy(trans);
6687 case NFT_MSG_DELSETELEM:
6688 te = (struct nft_trans_elem *)trans->data;
6690 nf_tables_setelem_notify(&trans->ctx, te->set,
6692 NFT_MSG_DELSETELEM, 0);
6693 te->set->ops->remove(net, te->set, &te->elem);
6694 atomic_dec(&te->set->nelems);
6697 case NFT_MSG_NEWOBJ:
6698 nft_clear(net, nft_trans_obj(trans));
6699 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6701 nft_trans_destroy(trans);
6703 case NFT_MSG_DELOBJ:
6704 nft_obj_del(nft_trans_obj(trans));
6705 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6708 case NFT_MSG_NEWFLOWTABLE:
6709 nft_clear(net, nft_trans_flowtable(trans));
6710 nf_tables_flowtable_notify(&trans->ctx,
6711 nft_trans_flowtable(trans),
6712 NFT_MSG_NEWFLOWTABLE);
6713 nft_trans_destroy(trans);
6715 case NFT_MSG_DELFLOWTABLE:
6716 list_del_rcu(&nft_trans_flowtable(trans)->list);
6717 nf_tables_flowtable_notify(&trans->ctx,
6718 nft_trans_flowtable(trans),
6719 NFT_MSG_DELFLOWTABLE);
6720 nft_unregister_flowtable_net_hooks(net,
6721 nft_trans_flowtable(trans));
6726 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6727 nf_tables_commit_release(net);
6732 static void nf_tables_abort_release(struct nft_trans *trans)
6734 switch (trans->msg_type) {
6735 case NFT_MSG_NEWTABLE:
6736 nf_tables_table_destroy(&trans->ctx);
6738 case NFT_MSG_NEWCHAIN:
6739 nf_tables_chain_destroy(&trans->ctx);
6741 case NFT_MSG_NEWRULE:
6742 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6744 case NFT_MSG_NEWSET:
6745 nft_set_destroy(nft_trans_set(trans));
6747 case NFT_MSG_NEWSETELEM:
6748 nft_set_elem_destroy(nft_trans_elem_set(trans),
6749 nft_trans_elem(trans).priv, true);
6751 case NFT_MSG_NEWOBJ:
6752 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6754 case NFT_MSG_NEWFLOWTABLE:
6755 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6761 static int __nf_tables_abort(struct net *net)
6763 struct nft_trans *trans, *next;
6764 struct nft_trans_elem *te;
6766 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6768 switch (trans->msg_type) {
6769 case NFT_MSG_NEWTABLE:
6770 if (nft_trans_table_update(trans)) {
6771 if (nft_trans_table_enable(trans)) {
6772 nf_tables_table_disable(net,
6774 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6776 nft_trans_destroy(trans);
6778 list_del_rcu(&trans->ctx.table->list);
6781 case NFT_MSG_DELTABLE:
6782 nft_clear(trans->ctx.net, trans->ctx.table);
6783 nft_trans_destroy(trans);
6785 case NFT_MSG_NEWCHAIN:
6786 if (nft_trans_chain_update(trans)) {
6787 free_percpu(nft_trans_chain_stats(trans));
6788 kfree(nft_trans_chain_name(trans));
6789 nft_trans_destroy(trans);
6791 trans->ctx.table->use--;
6792 nft_chain_del(trans->ctx.chain);
6793 nf_tables_unregister_hook(trans->ctx.net,
6798 case NFT_MSG_DELCHAIN:
6799 trans->ctx.table->use++;
6800 nft_clear(trans->ctx.net, trans->ctx.chain);
6801 nft_trans_destroy(trans);
6803 case NFT_MSG_NEWRULE:
6804 trans->ctx.chain->use--;
6805 list_del_rcu(&nft_trans_rule(trans)->list);
6806 nft_rule_expr_deactivate(&trans->ctx,
6807 nft_trans_rule(trans),
6810 case NFT_MSG_DELRULE:
6811 trans->ctx.chain->use++;
6812 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6813 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6814 nft_trans_destroy(trans);
6816 case NFT_MSG_NEWSET:
6817 trans->ctx.table->use--;
6818 if (nft_trans_set(trans)->bound) {
6819 nft_trans_destroy(trans);
6822 list_del_rcu(&nft_trans_set(trans)->list);
6824 case NFT_MSG_DELSET:
6825 trans->ctx.table->use++;
6826 nft_clear(trans->ctx.net, nft_trans_set(trans));
6827 nft_trans_destroy(trans);
6829 case NFT_MSG_NEWSETELEM:
6830 if (nft_trans_elem_set(trans)->bound) {
6831 nft_trans_destroy(trans);
6834 te = (struct nft_trans_elem *)trans->data;
6835 te->set->ops->remove(net, te->set, &te->elem);
6836 atomic_dec(&te->set->nelems);
6838 case NFT_MSG_DELSETELEM:
6839 te = (struct nft_trans_elem *)trans->data;
6841 nft_set_elem_activate(net, te->set, &te->elem);
6842 te->set->ops->activate(net, te->set, &te->elem);
6845 nft_trans_destroy(trans);
6847 case NFT_MSG_NEWOBJ:
6848 trans->ctx.table->use--;
6849 nft_obj_del(nft_trans_obj(trans));
6851 case NFT_MSG_DELOBJ:
6852 trans->ctx.table->use++;
6853 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6854 nft_trans_destroy(trans);
6856 case NFT_MSG_NEWFLOWTABLE:
6857 trans->ctx.table->use--;
6858 list_del_rcu(&nft_trans_flowtable(trans)->list);
6859 nft_unregister_flowtable_net_hooks(net,
6860 nft_trans_flowtable(trans));
6862 case NFT_MSG_DELFLOWTABLE:
6863 trans->ctx.table->use++;
6864 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6865 nft_trans_destroy(trans);
6872 list_for_each_entry_safe_reverse(trans, next,
6873 &net->nft.commit_list, list) {
6874 list_del(&trans->list);
6875 nf_tables_abort_release(trans);
6881 static void nf_tables_cleanup(struct net *net)
6883 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6886 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6888 int ret = __nf_tables_abort(net);
6890 mutex_unlock(&net->nft.commit_mutex);
6895 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6899 mutex_lock(&net->nft.commit_mutex);
6901 genid_ok = genid == 0 || net->nft.base_seq == genid;
6903 mutex_unlock(&net->nft.commit_mutex);
6905 /* else, commit mutex has to be released by commit or abort function */
6909 static const struct nfnetlink_subsystem nf_tables_subsys = {
6910 .name = "nf_tables",
6911 .subsys_id = NFNL_SUBSYS_NFTABLES,
6912 .cb_count = NFT_MSG_MAX,
6914 .commit = nf_tables_commit,
6915 .abort = nf_tables_abort,
6916 .cleanup = nf_tables_cleanup,
6917 .valid_genid = nf_tables_valid_genid,
6918 .owner = THIS_MODULE,
6921 int nft_chain_validate_dependency(const struct nft_chain *chain,
6922 enum nft_chain_types type)
6924 const struct nft_base_chain *basechain;
6926 if (nft_is_base_chain(chain)) {
6927 basechain = nft_base_chain(chain);
6928 if (basechain->type->type != type)
6933 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6935 int nft_chain_validate_hooks(const struct nft_chain *chain,
6936 unsigned int hook_flags)
6938 struct nft_base_chain *basechain;
6940 if (nft_is_base_chain(chain)) {
6941 basechain = nft_base_chain(chain);
6943 if ((1 << basechain->ops.hooknum) & hook_flags)
6951 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6954 * Loop detection - walk through the ruleset beginning at the destination chain
6955 * of a new jump until either the source chain is reached (loop) or all
6956 * reachable chains have been traversed.
6958 * The loop check is performed whenever a new jump verdict is added to an
6959 * expression or verdict map or a verdict map is bound to a new chain.
6962 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6963 const struct nft_chain *chain);
6965 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6966 struct nft_set *set,
6967 const struct nft_set_iter *iter,
6968 struct nft_set_elem *elem)
6970 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6971 const struct nft_data *data;
6973 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6974 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6977 data = nft_set_ext_data(ext);
6978 switch (data->verdict.code) {
6981 return nf_tables_check_loops(ctx, data->verdict.chain);
6987 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6988 const struct nft_chain *chain)
6990 const struct nft_rule *rule;
6991 const struct nft_expr *expr, *last;
6992 struct nft_set *set;
6993 struct nft_set_binding *binding;
6994 struct nft_set_iter iter;
6996 if (ctx->chain == chain)
6999 list_for_each_entry(rule, &chain->rules, list) {
7000 nft_rule_for_each_expr(expr, last, rule) {
7001 struct nft_immediate_expr *priv;
7002 const struct nft_data *data;
7005 if (strcmp(expr->ops->type->name, "immediate"))
7008 priv = nft_expr_priv(expr);
7009 if (priv->dreg != NFT_REG_VERDICT)
7013 switch (data->verdict.code) {
7016 err = nf_tables_check_loops(ctx,
7017 data->verdict.chain);
7026 list_for_each_entry(set, &ctx->table->sets, list) {
7027 if (!nft_is_active_next(ctx->net, set))
7029 if (!(set->flags & NFT_SET_MAP) ||
7030 set->dtype != NFT_DATA_VERDICT)
7033 list_for_each_entry(binding, &set->bindings, list) {
7034 if (!(binding->flags & NFT_SET_MAP) ||
7035 binding->chain != chain)
7038 iter.genmask = nft_genmask_next(ctx->net);
7042 iter.fn = nf_tables_loop_check_setelem;
7044 set->ops->walk(ctx, set, &iter);
7054 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7056 * @attr: netlink attribute to fetch value from
7057 * @max: maximum value to be stored in dest
7058 * @dest: pointer to the variable
7060 * Parse, check and store a given u32 netlink attribute into variable.
7061 * This function returns -ERANGE if the value goes over maximum value.
7062 * Otherwise a 0 is returned and the attribute value is stored in the
7063 * destination variable.
7065 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7069 val = ntohl(nla_get_be32(attr));
7076 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7079 * nft_parse_register - parse a register value from a netlink attribute
7081 * @attr: netlink attribute
7083 * Parse and translate a register value from a netlink attribute.
7084 * Registers used to be 128 bit wide, these register numbers will be
7085 * mapped to the corresponding 32 bit register numbers.
7087 unsigned int nft_parse_register(const struct nlattr *attr)
7091 reg = ntohl(nla_get_be32(attr));
7093 case NFT_REG_VERDICT...NFT_REG_4:
7094 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7096 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7099 EXPORT_SYMBOL_GPL(nft_parse_register);
7102 * nft_dump_register - dump a register value to a netlink attribute
7104 * @skb: socket buffer
7105 * @attr: attribute number
7106 * @reg: register number
7108 * Construct a netlink attribute containing the register number. For
7109 * compatibility reasons, register numbers being a multiple of 4 are
7110 * translated to the corresponding 128 bit register numbers.
7112 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7114 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7115 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7117 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7119 return nla_put_be32(skb, attr, htonl(reg));
7121 EXPORT_SYMBOL_GPL(nft_dump_register);
7124 * nft_validate_register_load - validate a load from a register
7126 * @reg: the register number
7127 * @len: the length of the data
7129 * Validate that the input register is one of the general purpose
7130 * registers and that the length of the load is within the bounds.
7132 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7134 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7138 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7143 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7146 * nft_validate_register_store - validate an expressions' register store
7148 * @ctx: context of the expression performing the load
7149 * @reg: the destination register number
7150 * @data: the data to load
7151 * @type: the data type
7152 * @len: the length of the data
7154 * Validate that a data load uses the appropriate data type for
7155 * the destination register and the length is within the bounds.
7156 * A value of NULL for the data means that its runtime gathered
7159 int nft_validate_register_store(const struct nft_ctx *ctx,
7160 enum nft_registers reg,
7161 const struct nft_data *data,
7162 enum nft_data_types type, unsigned int len)
7167 case NFT_REG_VERDICT:
7168 if (type != NFT_DATA_VERDICT)
7172 (data->verdict.code == NFT_GOTO ||
7173 data->verdict.code == NFT_JUMP)) {
7174 err = nf_tables_check_loops(ctx, data->verdict.chain);
7181 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7185 if (reg * NFT_REG32_SIZE + len >
7186 FIELD_SIZEOF(struct nft_regs, data))
7189 if (data != NULL && type != NFT_DATA_VALUE)
7194 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7196 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7197 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7198 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7199 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7202 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7203 struct nft_data_desc *desc, const struct nlattr *nla)
7205 u8 genmask = nft_genmask_next(ctx->net);
7206 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7207 struct nft_chain *chain;
7210 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
7215 if (!tb[NFTA_VERDICT_CODE])
7217 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7219 switch (data->verdict.code) {
7221 switch (data->verdict.code & NF_VERDICT_MASK) {
7236 if (!tb[NFTA_VERDICT_CHAIN])
7238 chain = nft_chain_lookup(ctx->net, ctx->table,
7239 tb[NFTA_VERDICT_CHAIN], genmask);
7241 return PTR_ERR(chain);
7242 if (nft_is_base_chain(chain))
7246 data->verdict.chain = chain;
7250 desc->len = sizeof(data->verdict);
7251 desc->type = NFT_DATA_VERDICT;
7255 static void nft_verdict_uninit(const struct nft_data *data)
7257 switch (data->verdict.code) {
7260 data->verdict.chain->use--;
7265 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7267 struct nlattr *nest;
7269 nest = nla_nest_start(skb, type);
7271 goto nla_put_failure;
7273 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7274 goto nla_put_failure;
7279 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7281 goto nla_put_failure;
7283 nla_nest_end(skb, nest);
7290 static int nft_value_init(const struct nft_ctx *ctx,
7291 struct nft_data *data, unsigned int size,
7292 struct nft_data_desc *desc, const struct nlattr *nla)
7302 nla_memcpy(data->data, nla, len);
7303 desc->type = NFT_DATA_VALUE;
7308 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7311 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7314 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7315 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7316 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7320 * nft_data_init - parse nf_tables data netlink attributes
7322 * @ctx: context of the expression using the data
7323 * @data: destination struct nft_data
7324 * @size: maximum data length
7325 * @desc: data description
7326 * @nla: netlink attribute containing data
7328 * Parse the netlink data attributes and initialize a struct nft_data.
7329 * The type and length of data are returned in the data description.
7331 * The caller can indicate that it only wants to accept data of type
7332 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7334 int nft_data_init(const struct nft_ctx *ctx,
7335 struct nft_data *data, unsigned int size,
7336 struct nft_data_desc *desc, const struct nlattr *nla)
7338 struct nlattr *tb[NFTA_DATA_MAX + 1];
7341 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7345 if (tb[NFTA_DATA_VALUE])
7346 return nft_value_init(ctx, data, size, desc,
7347 tb[NFTA_DATA_VALUE]);
7348 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7349 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7352 EXPORT_SYMBOL_GPL(nft_data_init);
7355 * nft_data_release - release a nft_data item
7357 * @data: struct nft_data to release
7358 * @type: type of data
7360 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7361 * all others need to be released by calling this function.
7363 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7365 if (type < NFT_DATA_VERDICT)
7368 case NFT_DATA_VERDICT:
7369 return nft_verdict_uninit(data);
7374 EXPORT_SYMBOL_GPL(nft_data_release);
7376 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7377 enum nft_data_types type, unsigned int len)
7379 struct nlattr *nest;
7382 nest = nla_nest_start(skb, attr);
7387 case NFT_DATA_VALUE:
7388 err = nft_value_dump(skb, data, len);
7390 case NFT_DATA_VERDICT:
7391 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7398 nla_nest_end(skb, nest);
7401 EXPORT_SYMBOL_GPL(nft_data_dump);
7403 int __nft_release_basechain(struct nft_ctx *ctx)
7405 struct nft_rule *rule, *nr;
7407 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7410 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7411 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7412 list_del(&rule->list);
7414 nf_tables_rule_release(ctx, rule);
7416 nft_chain_del(ctx->chain);
7418 nf_tables_chain_destroy(ctx);
7422 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7424 static void __nft_release_tables(struct net *net)
7426 struct nft_flowtable *flowtable, *nf;
7427 struct nft_table *table, *nt;
7428 struct nft_chain *chain, *nc;
7429 struct nft_object *obj, *ne;
7430 struct nft_rule *rule, *nr;
7431 struct nft_set *set, *ns;
7432 struct nft_ctx ctx = {
7434 .family = NFPROTO_NETDEV,
7437 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7438 ctx.family = table->family;
7440 list_for_each_entry(chain, &table->chains, list)
7441 nf_tables_unregister_hook(net, table, chain);
7442 /* No packets are walking on these chains anymore. */
7444 list_for_each_entry(chain, &table->chains, list) {
7446 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7447 list_del(&rule->list);
7449 nf_tables_rule_release(&ctx, rule);
7452 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7453 list_del(&flowtable->list);
7455 nf_tables_flowtable_destroy(flowtable);
7457 list_for_each_entry_safe(set, ns, &table->sets, list) {
7458 list_del(&set->list);
7460 nft_set_destroy(set);
7462 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7465 nft_obj_destroy(&ctx, obj);
7467 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7469 nft_chain_del(chain);
7471 nf_tables_chain_destroy(&ctx);
7473 list_del(&table->list);
7474 nf_tables_table_destroy(&ctx);
7478 static int __net_init nf_tables_init_net(struct net *net)
7480 INIT_LIST_HEAD(&net->nft.tables);
7481 INIT_LIST_HEAD(&net->nft.commit_list);
7482 mutex_init(&net->nft.commit_mutex);
7483 net->nft.base_seq = 1;
7484 net->nft.validate_state = NFT_VALIDATE_SKIP;
7489 static void __net_exit nf_tables_exit_net(struct net *net)
7491 mutex_lock(&net->nft.commit_mutex);
7492 if (!list_empty(&net->nft.commit_list))
7493 __nf_tables_abort(net);
7494 __nft_release_tables(net);
7495 mutex_unlock(&net->nft.commit_mutex);
7496 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7499 static struct pernet_operations nf_tables_net_ops = {
7500 .init = nf_tables_init_net,
7501 .exit = nf_tables_exit_net,
7504 static int __init nf_tables_module_init(void)
7508 spin_lock_init(&nf_tables_destroy_list_lock);
7509 err = register_pernet_subsys(&nf_tables_net_ops);
7513 err = nft_chain_filter_init();
7517 err = nf_tables_core_module_init();
7521 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7525 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7530 err = nfnetlink_subsys_register(&nf_tables_subsys);
7536 rhltable_destroy(&nft_objname_ht);
7538 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7540 nf_tables_core_module_exit();
7542 nft_chain_filter_fini();
7544 unregister_pernet_subsys(&nf_tables_net_ops);
7548 static void __exit nf_tables_module_exit(void)
7550 nfnetlink_subsys_unregister(&nf_tables_subsys);
7551 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7552 nft_chain_filter_fini();
7553 unregister_pernet_subsys(&nf_tables_net_ops);
7554 cancel_work_sync(&trans_destroy_work);
7556 rhltable_destroy(&nft_objname_ht);
7557 nf_tables_core_module_exit();
7560 module_init(nf_tables_module_init);
7561 module_exit(nf_tables_module_exit);
7563 MODULE_LICENSE("GPL");
7564 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7565 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
OSDN Git Service
