2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
217 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
218 struct nft_rule *rule)
220 struct nft_expr *expr;
222 expr = nft_expr_first(rule);
223 while (expr != nft_expr_last(rule) && expr->ops) {
224 if (expr->ops->activate)
225 expr->ops->activate(ctx, expr);
227 expr = nft_expr_next(expr);
231 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
232 struct nft_rule *rule)
234 struct nft_expr *expr;
236 expr = nft_expr_first(rule);
237 while (expr != nft_expr_last(rule) && expr->ops) {
238 if (expr->ops->deactivate)
239 expr->ops->deactivate(ctx, expr);
241 expr = nft_expr_next(expr);
246 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
248 /* You cannot delete the same rule twice */
249 if (nft_is_active_next(ctx->net, rule)) {
250 nft_deactivate_next(ctx->net, rule);
257 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
258 struct nft_rule *rule)
260 struct nft_trans *trans;
262 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
266 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
267 nft_trans_rule_id(trans) =
268 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
270 nft_trans_rule(trans) = rule;
271 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
276 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
278 struct nft_trans *trans;
281 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
285 err = nf_tables_delrule_deactivate(ctx, rule);
287 nft_trans_destroy(trans);
290 nft_rule_expr_deactivate(ctx, rule);
295 static int nft_delrule_by_chain(struct nft_ctx *ctx)
297 struct nft_rule *rule;
300 list_for_each_entry(rule, &ctx->chain->rules, list) {
301 err = nft_delrule(ctx, rule);
308 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
311 struct nft_trans *trans;
313 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
317 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
318 nft_trans_set_id(trans) =
319 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
320 nft_activate_next(ctx->net, set);
322 nft_trans_set(trans) = set;
323 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
328 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
332 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
336 nft_deactivate_next(ctx->net, set);
342 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
343 struct nft_object *obj)
345 struct nft_trans *trans;
347 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
351 if (msg_type == NFT_MSG_NEWOBJ)
352 nft_activate_next(ctx->net, obj);
354 nft_trans_obj(trans) = obj;
355 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
364 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
368 nft_deactivate_next(ctx->net, obj);
374 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
375 struct nft_flowtable *flowtable)
377 struct nft_trans *trans;
379 trans = nft_trans_alloc(ctx, msg_type,
380 sizeof(struct nft_trans_flowtable));
384 if (msg_type == NFT_MSG_NEWFLOWTABLE)
385 nft_activate_next(ctx->net, flowtable);
387 nft_trans_flowtable(trans) = flowtable;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delflowtable(struct nft_ctx *ctx,
394 struct nft_flowtable *flowtable)
398 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
402 nft_deactivate_next(ctx->net, flowtable);
412 static struct nft_table *nft_table_lookup(const struct net *net,
413 const struct nlattr *nla,
414 u8 family, u8 genmask)
416 struct nft_table *table;
419 return ERR_PTR(-EINVAL);
421 list_for_each_entry(table, &net->nft.tables, list) {
422 if (!nla_strcmp(nla, table->name) &&
423 table->family == family &&
424 nft_active_genmask(table, genmask))
428 return ERR_PTR(-ENOENT);
431 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
432 const struct nlattr *nla,
435 struct nft_table *table;
437 list_for_each_entry(table, &net->nft.tables, list) {
438 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
439 nft_active_genmask(table, genmask))
443 return ERR_PTR(-ENOENT);
446 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
448 return ++table->hgenerator;
451 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
453 static const struct nft_chain_type *
454 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
458 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
459 if (chain_type[family][i] != NULL &&
460 !nla_strcmp(nla, chain_type[family][i]->name))
461 return chain_type[family][i];
466 static const struct nft_chain_type *
467 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
469 const struct nft_chain_type *type;
471 type = __nf_tables_chain_type_lookup(nla, family);
474 #ifdef CONFIG_MODULES
476 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
477 request_module("nft-chain-%u-%.*s", family,
478 nla_len(nla), (const char *)nla_data(nla));
479 nfnl_lock(NFNL_SUBSYS_NFTABLES);
480 type = __nf_tables_chain_type_lookup(nla, family);
482 return ERR_PTR(-EAGAIN);
485 return ERR_PTR(-ENOENT);
488 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
489 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
490 .len = NFT_TABLE_MAXNAMELEN - 1 },
491 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
492 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
495 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
496 u32 portid, u32 seq, int event, u32 flags,
497 int family, const struct nft_table *table)
499 struct nlmsghdr *nlh;
500 struct nfgenmsg *nfmsg;
502 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
503 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
505 goto nla_put_failure;
507 nfmsg = nlmsg_data(nlh);
508 nfmsg->nfgen_family = family;
509 nfmsg->version = NFNETLINK_V0;
510 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
512 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
513 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
514 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
515 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
517 goto nla_put_failure;
523 nlmsg_trim(skb, nlh);
527 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
533 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
536 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
540 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
541 event, 0, ctx->family, ctx->table);
547 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
548 ctx->report, GFP_KERNEL);
551 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
554 static int nf_tables_dump_tables(struct sk_buff *skb,
555 struct netlink_callback *cb)
557 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
558 const struct nft_table *table;
559 unsigned int idx = 0, s_idx = cb->args[0];
560 struct net *net = sock_net(skb->sk);
561 int family = nfmsg->nfgen_family;
564 cb->seq = net->nft.base_seq;
566 list_for_each_entry_rcu(table, &net->nft.tables, list) {
567 if (family != NFPROTO_UNSPEC && family != table->family)
573 memset(&cb->args[1], 0,
574 sizeof(cb->args) - sizeof(cb->args[0]));
575 if (!nft_is_active(net, table))
577 if (nf_tables_fill_table_info(skb, net,
578 NETLINK_CB(cb->skb).portid,
580 NFT_MSG_NEWTABLE, NLM_F_MULTI,
581 table->family, table) < 0)
584 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
594 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
595 struct sk_buff *skb, const struct nlmsghdr *nlh,
596 const struct nlattr * const nla[],
597 struct netlink_ext_ack *extack)
599 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
600 u8 genmask = nft_genmask_cur(net);
601 const struct nft_table *table;
602 struct sk_buff *skb2;
603 int family = nfmsg->nfgen_family;
606 if (nlh->nlmsg_flags & NLM_F_DUMP) {
607 struct netlink_dump_control c = {
608 .dump = nf_tables_dump_tables,
610 return netlink_dump_start(nlsk, skb, nlh, &c);
613 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
615 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
616 return PTR_ERR(table);
619 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
623 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
624 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
629 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
636 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
638 struct nft_chain *chain;
641 list_for_each_entry(chain, &table->chains, list) {
642 if (!nft_is_active_next(net, chain))
644 if (!nft_is_base_chain(chain))
647 if (cnt && i++ == cnt)
650 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
654 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
656 struct nft_chain *chain;
659 list_for_each_entry(chain, &table->chains, list) {
660 if (!nft_is_active_next(net, chain))
662 if (!nft_is_base_chain(chain))
665 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
674 nft_table_disable(net, table, i);
678 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
680 nft_table_disable(net, table, 0);
683 static int nf_tables_updtable(struct nft_ctx *ctx)
685 struct nft_trans *trans;
689 if (!ctx->nla[NFTA_TABLE_FLAGS])
692 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
693 if (flags & ~NFT_TABLE_F_DORMANT)
696 if (flags == ctx->table->flags)
699 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
700 sizeof(struct nft_trans_table));
704 if ((flags & NFT_TABLE_F_DORMANT) &&
705 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
706 nft_trans_table_enable(trans) = false;
707 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
708 ctx->table->flags & NFT_TABLE_F_DORMANT) {
709 ret = nf_tables_table_enable(ctx->net, ctx->table);
711 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
712 nft_trans_table_enable(trans) = true;
718 nft_trans_table_update(trans) = true;
719 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
722 nft_trans_destroy(trans);
726 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
727 struct sk_buff *skb, const struct nlmsghdr *nlh,
728 const struct nlattr * const nla[],
729 struct netlink_ext_ack *extack)
731 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
732 u8 genmask = nft_genmask_next(net);
733 int family = nfmsg->nfgen_family;
734 const struct nlattr *attr;
735 struct nft_table *table;
740 attr = nla[NFTA_TABLE_NAME];
741 table = nft_table_lookup(net, attr, family, genmask);
743 if (PTR_ERR(table) != -ENOENT)
744 return PTR_ERR(table);
746 if (nlh->nlmsg_flags & NLM_F_EXCL) {
747 NL_SET_BAD_ATTR(extack, attr);
750 if (nlh->nlmsg_flags & NLM_F_REPLACE)
753 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
754 return nf_tables_updtable(&ctx);
757 if (nla[NFTA_TABLE_FLAGS]) {
758 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
759 if (flags & ~NFT_TABLE_F_DORMANT)
764 table = kzalloc(sizeof(*table), GFP_KERNEL);
768 table->name = nla_strdup(attr, GFP_KERNEL);
769 if (table->name == NULL)
772 INIT_LIST_HEAD(&table->chains);
773 INIT_LIST_HEAD(&table->sets);
774 INIT_LIST_HEAD(&table->objects);
775 INIT_LIST_HEAD(&table->flowtables);
776 table->family = family;
777 table->flags = flags;
778 table->handle = ++table_handle;
780 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
781 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
785 list_add_tail_rcu(&table->list, &net->nft.tables);
795 static int nft_flush_table(struct nft_ctx *ctx)
797 struct nft_flowtable *flowtable, *nft;
798 struct nft_chain *chain, *nc;
799 struct nft_object *obj, *ne;
800 struct nft_set *set, *ns;
803 list_for_each_entry(chain, &ctx->table->chains, list) {
804 if (!nft_is_active_next(ctx->net, chain))
809 err = nft_delrule_by_chain(ctx);
814 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
815 if (!nft_is_active_next(ctx->net, set))
818 if (nft_set_is_anonymous(set) &&
819 !list_empty(&set->bindings))
822 err = nft_delset(ctx, set);
827 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
828 err = nft_delflowtable(ctx, flowtable);
833 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
834 err = nft_delobj(ctx, obj);
839 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
840 if (!nft_is_active_next(ctx->net, chain))
845 err = nft_delchain(ctx);
850 err = nft_deltable(ctx);
855 static int nft_flush(struct nft_ctx *ctx, int family)
857 struct nft_table *table, *nt;
858 const struct nlattr * const *nla = ctx->nla;
861 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
862 if (family != AF_UNSPEC && table->family != family)
865 ctx->family = table->family;
867 if (!nft_is_active_next(ctx->net, table))
870 if (nla[NFTA_TABLE_NAME] &&
871 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
876 err = nft_flush_table(ctx);
884 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
885 struct sk_buff *skb, const struct nlmsghdr *nlh,
886 const struct nlattr * const nla[],
887 struct netlink_ext_ack *extack)
889 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
890 u8 genmask = nft_genmask_next(net);
891 int family = nfmsg->nfgen_family;
892 const struct nlattr *attr;
893 struct nft_table *table;
896 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
897 if (family == AF_UNSPEC ||
898 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
899 return nft_flush(&ctx, family);
901 if (nla[NFTA_TABLE_HANDLE]) {
902 attr = nla[NFTA_TABLE_HANDLE];
903 table = nft_table_lookup_byhandle(net, attr, genmask);
905 attr = nla[NFTA_TABLE_NAME];
906 table = nft_table_lookup(net, attr, family, genmask);
910 NL_SET_BAD_ATTR(extack, attr);
911 return PTR_ERR(table);
914 if (nlh->nlmsg_flags & NLM_F_NONREC &&
921 return nft_flush_table(&ctx);
924 static void nf_tables_table_destroy(struct nft_ctx *ctx)
926 BUG_ON(ctx->table->use > 0);
928 kfree(ctx->table->name);
932 void nft_register_chain_type(const struct nft_chain_type *ctype)
934 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
937 nfnl_lock(NFNL_SUBSYS_NFTABLES);
938 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
939 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
942 chain_type[ctype->family][ctype->type] = ctype;
943 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
945 EXPORT_SYMBOL_GPL(nft_register_chain_type);
947 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
949 nfnl_lock(NFNL_SUBSYS_NFTABLES);
950 chain_type[ctype->family][ctype->type] = NULL;
951 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
953 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
959 static struct nft_chain *
960 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
962 struct nft_chain *chain;
964 list_for_each_entry(chain, &table->chains, list) {
965 if (chain->handle == handle &&
966 nft_active_genmask(chain, genmask))
970 return ERR_PTR(-ENOENT);
973 static struct nft_chain *nft_chain_lookup(const struct nft_table *table,
974 const struct nlattr *nla, u8 genmask)
976 struct nft_chain *chain;
979 return ERR_PTR(-EINVAL);
981 list_for_each_entry(chain, &table->chains, list) {
982 if (!nla_strcmp(nla, chain->name) &&
983 nft_active_genmask(chain, genmask))
987 return ERR_PTR(-ENOENT);
990 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
991 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
992 .len = NFT_TABLE_MAXNAMELEN - 1 },
993 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
994 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
995 .len = NFT_CHAIN_MAXNAMELEN - 1 },
996 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
997 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
998 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
999 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1002 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1003 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1004 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1005 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1006 .len = IFNAMSIZ - 1 },
1009 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1011 struct nft_stats *cpu_stats, total;
1012 struct nlattr *nest;
1017 memset(&total, 0, sizeof(total));
1018 for_each_possible_cpu(cpu) {
1019 cpu_stats = per_cpu_ptr(stats, cpu);
1021 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1022 pkts = cpu_stats->pkts;
1023 bytes = cpu_stats->bytes;
1024 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1026 total.bytes += bytes;
1028 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1030 goto nla_put_failure;
1032 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1033 NFTA_COUNTER_PAD) ||
1034 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1036 goto nla_put_failure;
1038 nla_nest_end(skb, nest);
1045 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1046 u32 portid, u32 seq, int event, u32 flags,
1047 int family, const struct nft_table *table,
1048 const struct nft_chain *chain)
1050 struct nlmsghdr *nlh;
1051 struct nfgenmsg *nfmsg;
1053 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1054 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1056 goto nla_put_failure;
1058 nfmsg = nlmsg_data(nlh);
1059 nfmsg->nfgen_family = family;
1060 nfmsg->version = NFNETLINK_V0;
1061 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1063 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1064 goto nla_put_failure;
1065 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1067 goto nla_put_failure;
1068 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1069 goto nla_put_failure;
1071 if (nft_is_base_chain(chain)) {
1072 const struct nft_base_chain *basechain = nft_base_chain(chain);
1073 const struct nf_hook_ops *ops = &basechain->ops;
1074 struct nlattr *nest;
1076 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1078 goto nla_put_failure;
1079 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1080 goto nla_put_failure;
1081 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1082 goto nla_put_failure;
1083 if (basechain->dev_name[0] &&
1084 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1085 goto nla_put_failure;
1086 nla_nest_end(skb, nest);
1088 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1089 htonl(basechain->policy)))
1090 goto nla_put_failure;
1092 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1093 goto nla_put_failure;
1095 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1096 goto nla_put_failure;
1099 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1100 goto nla_put_failure;
1102 nlmsg_end(skb, nlh);
1106 nlmsg_trim(skb, nlh);
1110 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1112 struct sk_buff *skb;
1116 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1119 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1123 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1124 event, 0, ctx->family, ctx->table,
1131 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1132 ctx->report, GFP_KERNEL);
1135 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1138 static int nf_tables_dump_chains(struct sk_buff *skb,
1139 struct netlink_callback *cb)
1141 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1142 const struct nft_table *table;
1143 const struct nft_chain *chain;
1144 unsigned int idx = 0, s_idx = cb->args[0];
1145 struct net *net = sock_net(skb->sk);
1146 int family = nfmsg->nfgen_family;
1149 cb->seq = net->nft.base_seq;
1151 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1152 if (family != NFPROTO_UNSPEC && family != table->family)
1155 list_for_each_entry_rcu(chain, &table->chains, list) {
1159 memset(&cb->args[1], 0,
1160 sizeof(cb->args) - sizeof(cb->args[0]));
1161 if (!nft_is_active(net, chain))
1163 if (nf_tables_fill_chain_info(skb, net,
1164 NETLINK_CB(cb->skb).portid,
1168 table->family, table,
1172 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1183 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1184 struct sk_buff *skb, const struct nlmsghdr *nlh,
1185 const struct nlattr * const nla[],
1186 struct netlink_ext_ack *extack)
1188 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1189 u8 genmask = nft_genmask_cur(net);
1190 const struct nft_table *table;
1191 const struct nft_chain *chain;
1192 struct sk_buff *skb2;
1193 int family = nfmsg->nfgen_family;
1196 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1197 struct netlink_dump_control c = {
1198 .dump = nf_tables_dump_chains,
1200 return netlink_dump_start(nlsk, skb, nlh, &c);
1203 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1204 if (IS_ERR(table)) {
1205 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1206 return PTR_ERR(table);
1209 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1210 if (IS_ERR(chain)) {
1211 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1212 return PTR_ERR(chain);
1215 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1219 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1220 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1221 family, table, chain);
1225 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1232 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1233 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1234 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1237 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1239 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1240 struct nft_stats __percpu *newstats;
1241 struct nft_stats *stats;
1244 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1247 return ERR_PTR(err);
1249 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1250 return ERR_PTR(-EINVAL);
1252 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1253 if (newstats == NULL)
1254 return ERR_PTR(-ENOMEM);
1256 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1257 * are not exposed to userspace.
1260 stats = this_cpu_ptr(newstats);
1261 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1262 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1268 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1269 struct nft_stats __percpu *newstats)
1271 struct nft_stats __percpu *oldstats;
1273 if (newstats == NULL)
1277 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1278 rcu_assign_pointer(chain->stats, newstats);
1280 free_percpu(oldstats);
1282 rcu_assign_pointer(chain->stats, newstats);
1285 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1287 struct nft_chain *chain = ctx->chain;
1289 BUG_ON(chain->use > 0);
1291 if (nft_is_base_chain(chain)) {
1292 struct nft_base_chain *basechain = nft_base_chain(chain);
1294 if (basechain->type->free)
1295 basechain->type->free(ctx);
1296 module_put(basechain->type->owner);
1297 free_percpu(basechain->stats);
1298 if (basechain->stats)
1299 static_branch_dec(&nft_counters_enabled);
1308 struct nft_chain_hook {
1311 const struct nft_chain_type *type;
1312 struct net_device *dev;
1315 static int nft_chain_parse_hook(struct net *net,
1316 const struct nlattr * const nla[],
1317 struct nft_chain_hook *hook, u8 family,
1320 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1321 const struct nft_chain_type *type;
1322 struct net_device *dev;
1325 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1326 nft_hook_policy, NULL);
1330 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1331 ha[NFTA_HOOK_PRIORITY] == NULL)
1334 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1335 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1337 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1338 if (nla[NFTA_CHAIN_TYPE]) {
1339 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1342 return PTR_ERR(type);
1344 if (!(type->hook_mask & (1 << hook->num)))
1347 if (type->type == NFT_CHAIN_T_NAT &&
1348 hook->priority <= NF_IP_PRI_CONNTRACK)
1351 if (!try_module_get(type->owner))
1357 if (family == NFPROTO_NETDEV) {
1358 char ifname[IFNAMSIZ];
1360 if (!ha[NFTA_HOOK_DEV]) {
1361 module_put(type->owner);
1365 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1366 dev = __dev_get_by_name(net, ifname);
1368 module_put(type->owner);
1372 } else if (ha[NFTA_HOOK_DEV]) {
1373 module_put(type->owner);
1380 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1382 module_put(hook->type->owner);
1385 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1386 u8 policy, bool create)
1388 const struct nlattr * const *nla = ctx->nla;
1389 struct nft_table *table = ctx->table;
1390 struct nft_base_chain *basechain;
1391 struct nft_stats __percpu *stats;
1392 struct net *net = ctx->net;
1393 struct nft_chain *chain;
1396 if (table->use == UINT_MAX)
1399 if (nla[NFTA_CHAIN_HOOK]) {
1400 struct nft_chain_hook hook;
1401 struct nf_hook_ops *ops;
1403 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1407 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1408 if (basechain == NULL) {
1409 nft_chain_release_hook(&hook);
1413 if (hook.dev != NULL)
1414 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1416 if (nla[NFTA_CHAIN_COUNTERS]) {
1417 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1418 if (IS_ERR(stats)) {
1419 nft_chain_release_hook(&hook);
1421 return PTR_ERR(stats);
1423 basechain->stats = stats;
1424 static_branch_inc(&nft_counters_enabled);
1427 basechain->type = hook.type;
1428 if (basechain->type->init)
1429 basechain->type->init(ctx);
1431 chain = &basechain->chain;
1433 ops = &basechain->ops;
1435 ops->hooknum = hook.num;
1436 ops->priority = hook.priority;
1438 ops->hook = hook.type->hooks[ops->hooknum];
1439 ops->dev = hook.dev;
1441 if (basechain->type->type == NFT_CHAIN_T_NAT)
1442 ops->nat_hook = true;
1444 chain->flags |= NFT_BASE_CHAIN;
1445 basechain->policy = policy;
1447 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1453 INIT_LIST_HEAD(&chain->rules);
1454 chain->handle = nf_tables_alloc_handle(table);
1455 chain->table = table;
1456 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1462 err = nf_tables_register_hook(net, table, chain);
1466 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1471 list_add_tail_rcu(&chain->list, &table->chains);
1475 nf_tables_unregister_hook(net, table, chain);
1477 nf_tables_chain_destroy(ctx);
1482 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1485 const struct nlattr * const *nla = ctx->nla;
1486 struct nft_table *table = ctx->table;
1487 struct nft_chain *chain = ctx->chain;
1488 struct nft_base_chain *basechain;
1489 struct nft_stats *stats = NULL;
1490 struct nft_chain_hook hook;
1491 const struct nlattr *name;
1492 struct nf_hook_ops *ops;
1493 struct nft_trans *trans;
1496 if (nla[NFTA_CHAIN_HOOK]) {
1497 if (!nft_is_base_chain(chain))
1500 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1505 basechain = nft_base_chain(chain);
1506 if (basechain->type != hook.type) {
1507 nft_chain_release_hook(&hook);
1511 ops = &basechain->ops;
1512 if (ops->hooknum != hook.num ||
1513 ops->priority != hook.priority ||
1514 ops->dev != hook.dev) {
1515 nft_chain_release_hook(&hook);
1518 nft_chain_release_hook(&hook);
1521 if (nla[NFTA_CHAIN_HANDLE] &&
1522 nla[NFTA_CHAIN_NAME]) {
1523 struct nft_chain *chain2;
1525 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1526 if (!IS_ERR(chain2))
1530 if (nla[NFTA_CHAIN_COUNTERS]) {
1531 if (!nft_is_base_chain(chain))
1534 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1536 return PTR_ERR(stats);
1539 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1540 sizeof(struct nft_trans_chain));
1541 if (trans == NULL) {
1546 nft_trans_chain_stats(trans) = stats;
1547 nft_trans_chain_update(trans) = true;
1549 if (nla[NFTA_CHAIN_POLICY])
1550 nft_trans_chain_policy(trans) = policy;
1552 nft_trans_chain_policy(trans) = -1;
1554 name = nla[NFTA_CHAIN_NAME];
1555 if (nla[NFTA_CHAIN_HANDLE] && name) {
1556 nft_trans_chain_name(trans) =
1557 nla_strdup(name, GFP_KERNEL);
1558 if (!nft_trans_chain_name(trans)) {
1564 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1569 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1570 struct sk_buff *skb, const struct nlmsghdr *nlh,
1571 const struct nlattr * const nla[],
1572 struct netlink_ext_ack *extack)
1574 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1575 u8 genmask = nft_genmask_next(net);
1576 int family = nfmsg->nfgen_family;
1577 const struct nlattr *attr;
1578 struct nft_table *table;
1579 struct nft_chain *chain;
1580 u8 policy = NF_ACCEPT;
1585 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1587 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1588 if (IS_ERR(table)) {
1589 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1590 return PTR_ERR(table);
1594 attr = nla[NFTA_CHAIN_NAME];
1596 if (nla[NFTA_CHAIN_HANDLE]) {
1597 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1598 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1599 if (IS_ERR(chain)) {
1600 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1601 return PTR_ERR(chain);
1603 attr = nla[NFTA_CHAIN_HANDLE];
1605 chain = nft_chain_lookup(table, attr, genmask);
1606 if (IS_ERR(chain)) {
1607 if (PTR_ERR(chain) != -ENOENT) {
1608 NL_SET_BAD_ATTR(extack, attr);
1609 return PTR_ERR(chain);
1615 if (nla[NFTA_CHAIN_POLICY]) {
1616 if (chain != NULL &&
1617 !nft_is_base_chain(chain)) {
1618 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1622 if (chain == NULL &&
1623 nla[NFTA_CHAIN_HOOK] == NULL) {
1624 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1628 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1638 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1640 if (chain != NULL) {
1641 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1642 NL_SET_BAD_ATTR(extack, attr);
1645 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1648 return nf_tables_updchain(&ctx, genmask, policy, create);
1651 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1654 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1655 struct sk_buff *skb, const struct nlmsghdr *nlh,
1656 const struct nlattr * const nla[],
1657 struct netlink_ext_ack *extack)
1659 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1660 u8 genmask = nft_genmask_next(net);
1661 int family = nfmsg->nfgen_family;
1662 const struct nlattr *attr;
1663 struct nft_table *table;
1664 struct nft_chain *chain;
1665 struct nft_rule *rule;
1671 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1672 if (IS_ERR(table)) {
1673 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1674 return PTR_ERR(table);
1677 if (nla[NFTA_CHAIN_HANDLE]) {
1678 attr = nla[NFTA_CHAIN_HANDLE];
1679 handle = be64_to_cpu(nla_get_be64(attr));
1680 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1682 attr = nla[NFTA_CHAIN_NAME];
1683 chain = nft_chain_lookup(table, attr, genmask);
1685 if (IS_ERR(chain)) {
1686 NL_SET_BAD_ATTR(extack, attr);
1687 return PTR_ERR(chain);
1690 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1694 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1697 list_for_each_entry(rule, &chain->rules, list) {
1698 if (!nft_is_active_next(net, rule))
1702 err = nft_delrule(&ctx, rule);
1707 /* There are rules and elements that are still holding references to us,
1708 * we cannot do a recursive removal in this case.
1711 NL_SET_BAD_ATTR(extack, attr);
1715 return nft_delchain(&ctx);
1723 * nft_register_expr - register nf_tables expr type
1726 * Registers the expr type for use with nf_tables. Returns zero on
1727 * success or a negative errno code otherwise.
1729 int nft_register_expr(struct nft_expr_type *type)
1731 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1732 if (type->family == NFPROTO_UNSPEC)
1733 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1735 list_add_rcu(&type->list, &nf_tables_expressions);
1736 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1739 EXPORT_SYMBOL_GPL(nft_register_expr);
1742 * nft_unregister_expr - unregister nf_tables expr type
1745 * Unregisters the expr typefor use with nf_tables.
1747 void nft_unregister_expr(struct nft_expr_type *type)
1749 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1750 list_del_rcu(&type->list);
1751 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1753 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1755 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1758 const struct nft_expr_type *type;
1760 list_for_each_entry(type, &nf_tables_expressions, list) {
1761 if (!nla_strcmp(nla, type->name) &&
1762 (!type->family || type->family == family))
1768 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1771 const struct nft_expr_type *type;
1774 return ERR_PTR(-EINVAL);
1776 type = __nft_expr_type_get(family, nla);
1777 if (type != NULL && try_module_get(type->owner))
1780 #ifdef CONFIG_MODULES
1782 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1783 request_module("nft-expr-%u-%.*s", family,
1784 nla_len(nla), (char *)nla_data(nla));
1785 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1786 if (__nft_expr_type_get(family, nla))
1787 return ERR_PTR(-EAGAIN);
1789 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1790 request_module("nft-expr-%.*s",
1791 nla_len(nla), (char *)nla_data(nla));
1792 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1793 if (__nft_expr_type_get(family, nla))
1794 return ERR_PTR(-EAGAIN);
1797 return ERR_PTR(-ENOENT);
1800 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1801 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1802 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1805 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1806 const struct nft_expr *expr)
1808 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1809 goto nla_put_failure;
1811 if (expr->ops->dump) {
1812 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1814 goto nla_put_failure;
1815 if (expr->ops->dump(skb, expr) < 0)
1816 goto nla_put_failure;
1817 nla_nest_end(skb, data);
1826 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1827 const struct nft_expr *expr)
1829 struct nlattr *nest;
1831 nest = nla_nest_start(skb, attr);
1833 goto nla_put_failure;
1834 if (nf_tables_fill_expr_info(skb, expr) < 0)
1835 goto nla_put_failure;
1836 nla_nest_end(skb, nest);
1843 struct nft_expr_info {
1844 const struct nft_expr_ops *ops;
1845 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1848 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1849 const struct nlattr *nla,
1850 struct nft_expr_info *info)
1852 const struct nft_expr_type *type;
1853 const struct nft_expr_ops *ops;
1854 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1857 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1861 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1863 return PTR_ERR(type);
1865 if (tb[NFTA_EXPR_DATA]) {
1866 err = nla_parse_nested(info->tb, type->maxattr,
1867 tb[NFTA_EXPR_DATA], type->policy, NULL);
1871 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1873 if (type->select_ops != NULL) {
1874 ops = type->select_ops(ctx,
1875 (const struct nlattr * const *)info->tb);
1887 module_put(type->owner);
1891 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1892 const struct nft_expr_info *info,
1893 struct nft_expr *expr)
1895 const struct nft_expr_ops *ops = info->ops;
1900 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1905 if (ops->validate) {
1906 const struct nft_data *data = NULL;
1908 err = ops->validate(ctx, expr, &data);
1917 ops->destroy(ctx, expr);
1923 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1924 struct nft_expr *expr)
1926 if (expr->ops->destroy)
1927 expr->ops->destroy(ctx, expr);
1928 module_put(expr->ops->type->owner);
1931 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1932 const struct nlattr *nla)
1934 struct nft_expr_info info;
1935 struct nft_expr *expr;
1938 err = nf_tables_expr_parse(ctx, nla, &info);
1943 expr = kzalloc(info.ops->size, GFP_KERNEL);
1947 err = nf_tables_newexpr(ctx, &info, expr);
1955 module_put(info.ops->type->owner);
1957 return ERR_PTR(err);
1960 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1962 nf_tables_expr_destroy(ctx, expr);
1970 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
1973 struct nft_rule *rule;
1975 // FIXME: this sucks
1976 list_for_each_entry(rule, &chain->rules, list) {
1977 if (handle == rule->handle)
1981 return ERR_PTR(-ENOENT);
1984 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
1985 const struct nlattr *nla)
1988 return ERR_PTR(-EINVAL);
1990 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1993 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1994 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1995 .len = NFT_TABLE_MAXNAMELEN - 1 },
1996 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1997 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1998 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1999 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2000 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2001 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2002 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2003 .len = NFT_USERDATA_MAXLEN },
2004 [NFTA_RULE_ID] = { .type = NLA_U32 },
2007 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2008 u32 portid, u32 seq, int event,
2009 u32 flags, int family,
2010 const struct nft_table *table,
2011 const struct nft_chain *chain,
2012 const struct nft_rule *rule)
2014 struct nlmsghdr *nlh;
2015 struct nfgenmsg *nfmsg;
2016 const struct nft_expr *expr, *next;
2017 struct nlattr *list;
2018 const struct nft_rule *prule;
2019 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2021 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2023 goto nla_put_failure;
2025 nfmsg = nlmsg_data(nlh);
2026 nfmsg->nfgen_family = family;
2027 nfmsg->version = NFNETLINK_V0;
2028 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2030 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2031 goto nla_put_failure;
2032 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2033 goto nla_put_failure;
2034 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2036 goto nla_put_failure;
2038 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2039 prule = list_prev_entry(rule, list);
2040 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2041 cpu_to_be64(prule->handle),
2043 goto nla_put_failure;
2046 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2048 goto nla_put_failure;
2049 nft_rule_for_each_expr(expr, next, rule) {
2050 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2051 goto nla_put_failure;
2053 nla_nest_end(skb, list);
2056 struct nft_userdata *udata = nft_userdata(rule);
2057 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2059 goto nla_put_failure;
2062 nlmsg_end(skb, nlh);
2066 nlmsg_trim(skb, nlh);
2070 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2071 const struct nft_rule *rule, int event)
2073 struct sk_buff *skb;
2077 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2080 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2084 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2085 event, 0, ctx->family, ctx->table,
2092 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2093 ctx->report, GFP_KERNEL);
2096 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2099 struct nft_rule_dump_ctx {
2104 static int nf_tables_dump_rules(struct sk_buff *skb,
2105 struct netlink_callback *cb)
2107 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2108 const struct nft_rule_dump_ctx *ctx = cb->data;
2109 const struct nft_table *table;
2110 const struct nft_chain *chain;
2111 const struct nft_rule *rule;
2112 unsigned int idx = 0, s_idx = cb->args[0];
2113 struct net *net = sock_net(skb->sk);
2114 int family = nfmsg->nfgen_family;
2117 cb->seq = net->nft.base_seq;
2119 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2120 if (family != NFPROTO_UNSPEC && family != table->family)
2123 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2126 list_for_each_entry_rcu(chain, &table->chains, list) {
2127 if (ctx && ctx->chain &&
2128 strcmp(ctx->chain, chain->name) != 0)
2131 list_for_each_entry_rcu(rule, &chain->rules, list) {
2132 if (!nft_is_active(net, rule))
2137 memset(&cb->args[1], 0,
2138 sizeof(cb->args) - sizeof(cb->args[0]));
2139 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2142 NLM_F_MULTI | NLM_F_APPEND,
2144 table, chain, rule) < 0)
2147 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2160 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2162 struct nft_rule_dump_ctx *ctx = cb->data;
2172 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2173 struct sk_buff *skb, const struct nlmsghdr *nlh,
2174 const struct nlattr * const nla[],
2175 struct netlink_ext_ack *extack)
2177 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2178 u8 genmask = nft_genmask_cur(net);
2179 const struct nft_table *table;
2180 const struct nft_chain *chain;
2181 const struct nft_rule *rule;
2182 struct sk_buff *skb2;
2183 int family = nfmsg->nfgen_family;
2186 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2187 struct netlink_dump_control c = {
2188 .dump = nf_tables_dump_rules,
2189 .done = nf_tables_dump_rules_done,
2192 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2193 struct nft_rule_dump_ctx *ctx;
2195 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2199 if (nla[NFTA_RULE_TABLE]) {
2200 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2207 if (nla[NFTA_RULE_CHAIN]) {
2208 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2219 return netlink_dump_start(nlsk, skb, nlh, &c);
2222 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2223 if (IS_ERR(table)) {
2224 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2225 return PTR_ERR(table);
2228 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2229 if (IS_ERR(chain)) {
2230 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2231 return PTR_ERR(chain);
2234 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2236 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2237 return PTR_ERR(rule);
2240 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2244 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2245 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2246 family, table, chain, rule);
2250 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2257 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2258 struct nft_rule *rule)
2260 struct nft_expr *expr;
2263 * Careful: some expressions might not be initialized in case this
2264 * is called on error from nf_tables_newrule().
2266 expr = nft_expr_first(rule);
2267 while (expr != nft_expr_last(rule) && expr->ops) {
2268 nf_tables_expr_destroy(ctx, expr);
2269 expr = nft_expr_next(expr);
2274 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2275 struct nft_rule *rule)
2277 nft_rule_expr_deactivate(ctx, rule);
2278 nf_tables_rule_destroy(ctx, rule);
2281 #define NFT_RULE_MAXEXPRS 128
2283 static struct nft_expr_info *info;
2285 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2286 struct sk_buff *skb, const struct nlmsghdr *nlh,
2287 const struct nlattr * const nla[],
2288 struct netlink_ext_ack *extack)
2290 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2291 u8 genmask = nft_genmask_next(net);
2292 int family = nfmsg->nfgen_family;
2293 struct nft_table *table;
2294 struct nft_chain *chain;
2295 struct nft_rule *rule, *old_rule = NULL;
2296 struct nft_userdata *udata;
2297 struct nft_trans *trans = NULL;
2298 struct nft_expr *expr;
2301 unsigned int size, i, n, ulen = 0, usize = 0;
2304 u64 handle, pos_handle;
2306 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2308 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2309 if (IS_ERR(table)) {
2310 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2311 return PTR_ERR(table);
2314 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2315 if (IS_ERR(chain)) {
2316 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2317 return PTR_ERR(chain);
2320 if (nla[NFTA_RULE_HANDLE]) {
2321 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2322 rule = __nft_rule_lookup(chain, handle);
2324 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2325 return PTR_ERR(rule);
2328 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2329 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2332 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2337 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2339 handle = nf_tables_alloc_handle(table);
2341 if (chain->use == UINT_MAX)
2345 if (nla[NFTA_RULE_POSITION]) {
2346 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2349 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2350 old_rule = __nft_rule_lookup(chain, pos_handle);
2351 if (IS_ERR(old_rule)) {
2352 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2353 return PTR_ERR(old_rule);
2357 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2361 if (nla[NFTA_RULE_EXPRESSIONS]) {
2362 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2364 if (nla_type(tmp) != NFTA_LIST_ELEM)
2366 if (n == NFT_RULE_MAXEXPRS)
2368 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2371 size += info[n].ops->size;
2375 /* Check for overflow of dlen field */
2377 if (size >= 1 << 12)
2380 if (nla[NFTA_RULE_USERDATA]) {
2381 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2383 usize = sizeof(struct nft_userdata) + ulen;
2387 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2391 nft_activate_next(net, rule);
2393 rule->handle = handle;
2395 rule->udata = ulen ? 1 : 0;
2398 udata = nft_userdata(rule);
2399 udata->len = ulen - 1;
2400 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2403 expr = nft_expr_first(rule);
2404 for (i = 0; i < n; i++) {
2405 err = nf_tables_newexpr(&ctx, &info[i], expr);
2409 expr = nft_expr_next(expr);
2412 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2413 if (!nft_is_active_next(net, old_rule)) {
2417 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2419 if (trans == NULL) {
2423 nft_deactivate_next(net, old_rule);
2426 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2431 list_add_tail_rcu(&rule->list, &old_rule->list);
2433 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2438 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2440 list_add_rcu(&rule->list, &old_rule->list);
2442 list_add_tail_rcu(&rule->list, &chain->rules);
2445 list_add_tail_rcu(&rule->list, &old_rule->list);
2447 list_add_rcu(&rule->list, &chain->rules);
2454 nf_tables_rule_release(&ctx, rule);
2456 for (i = 0; i < n; i++) {
2457 if (info[i].ops != NULL)
2458 module_put(info[i].ops->type->owner);
2463 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2464 const struct nlattr *nla)
2466 u32 id = ntohl(nla_get_be32(nla));
2467 struct nft_trans *trans;
2469 list_for_each_entry(trans, &net->nft.commit_list, list) {
2470 struct nft_rule *rule = nft_trans_rule(trans);
2472 if (trans->msg_type == NFT_MSG_NEWRULE &&
2473 id == nft_trans_rule_id(trans))
2476 return ERR_PTR(-ENOENT);
2479 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2480 struct sk_buff *skb, const struct nlmsghdr *nlh,
2481 const struct nlattr * const nla[],
2482 struct netlink_ext_ack *extack)
2484 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2485 u8 genmask = nft_genmask_next(net);
2486 struct nft_table *table;
2487 struct nft_chain *chain = NULL;
2488 struct nft_rule *rule;
2489 int family = nfmsg->nfgen_family, err = 0;
2492 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2493 if (IS_ERR(table)) {
2494 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2495 return PTR_ERR(table);
2498 if (nla[NFTA_RULE_CHAIN]) {
2499 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2500 if (IS_ERR(chain)) {
2501 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2502 return PTR_ERR(chain);
2506 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2509 if (nla[NFTA_RULE_HANDLE]) {
2510 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2512 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2513 return PTR_ERR(rule);
2516 err = nft_delrule(&ctx, rule);
2517 } else if (nla[NFTA_RULE_ID]) {
2518 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2520 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2521 return PTR_ERR(rule);
2524 err = nft_delrule(&ctx, rule);
2526 err = nft_delrule_by_chain(&ctx);
2529 list_for_each_entry(chain, &table->chains, list) {
2530 if (!nft_is_active_next(net, chain))
2534 err = nft_delrule_by_chain(&ctx);
2547 static LIST_HEAD(nf_tables_set_types);
2549 int nft_register_set(struct nft_set_type *type)
2551 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2552 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2553 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2556 EXPORT_SYMBOL_GPL(nft_register_set);
2558 void nft_unregister_set(struct nft_set_type *type)
2560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2561 list_del_rcu(&type->list);
2562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2564 EXPORT_SYMBOL_GPL(nft_unregister_set);
2566 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2567 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2570 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2572 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2576 * Select a set implementation based on the data characteristics and the
2577 * given policy. The total memory use might not be known if no size is
2578 * given, in that case the amount of memory per element is used.
2580 static const struct nft_set_ops *
2581 nft_select_set_ops(const struct nft_ctx *ctx,
2582 const struct nlattr * const nla[],
2583 const struct nft_set_desc *desc,
2584 enum nft_set_policies policy)
2586 const struct nft_set_ops *ops, *bops;
2587 struct nft_set_estimate est, best;
2588 const struct nft_set_type *type;
2591 #ifdef CONFIG_MODULES
2592 if (list_empty(&nf_tables_set_types)) {
2593 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2594 request_module("nft-set");
2595 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2596 if (!list_empty(&nf_tables_set_types))
2597 return ERR_PTR(-EAGAIN);
2600 if (nla[NFTA_SET_FLAGS] != NULL)
2601 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2608 list_for_each_entry(type, &nf_tables_set_types, list) {
2611 if (!nft_set_ops_candidate(type, flags))
2613 if (!ops->estimate(desc, flags, &est))
2617 case NFT_SET_POL_PERFORMANCE:
2618 if (est.lookup < best.lookup)
2620 if (est.lookup == best.lookup &&
2621 est.space < best.space)
2624 case NFT_SET_POL_MEMORY:
2626 if (est.space < best.space)
2628 if (est.space == best.space &&
2629 est.lookup < best.lookup)
2631 } else if (est.size < best.size || !bops) {
2639 if (!try_module_get(type->owner))
2642 module_put(to_set_type(bops)->owner);
2651 return ERR_PTR(-EOPNOTSUPP);
2654 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2655 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2656 .len = NFT_TABLE_MAXNAMELEN - 1 },
2657 [NFTA_SET_NAME] = { .type = NLA_STRING,
2658 .len = NFT_SET_MAXNAMELEN - 1 },
2659 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2660 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2661 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2662 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2663 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2664 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2665 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2666 [NFTA_SET_ID] = { .type = NLA_U32 },
2667 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2668 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2669 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2670 .len = NFT_USERDATA_MAXLEN },
2671 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2672 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2675 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2676 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2679 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2680 const struct sk_buff *skb,
2681 const struct nlmsghdr *nlh,
2682 const struct nlattr * const nla[],
2683 struct netlink_ext_ack *extack,
2686 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2687 int family = nfmsg->nfgen_family;
2688 struct nft_table *table = NULL;
2690 if (nla[NFTA_SET_TABLE] != NULL) {
2691 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2693 if (IS_ERR(table)) {
2694 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2695 return PTR_ERR(table);
2699 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2703 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2704 const struct nlattr *nla, u8 genmask)
2706 struct nft_set *set;
2709 return ERR_PTR(-EINVAL);
2711 list_for_each_entry(set, &table->sets, list) {
2712 if (!nla_strcmp(nla, set->name) &&
2713 nft_active_genmask(set, genmask))
2716 return ERR_PTR(-ENOENT);
2719 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2720 const struct nlattr *nla,
2723 struct nft_set *set;
2725 list_for_each_entry(set, &table->sets, list) {
2726 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2727 nft_active_genmask(set, genmask))
2730 return ERR_PTR(-ENOENT);
2733 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2734 const struct nlattr *nla, u8 genmask)
2736 struct nft_trans *trans;
2737 u32 id = ntohl(nla_get_be32(nla));
2739 list_for_each_entry(trans, &net->nft.commit_list, list) {
2740 struct nft_set *set = nft_trans_set(trans);
2742 if (trans->msg_type == NFT_MSG_NEWSET &&
2743 id == nft_trans_set_id(trans) &&
2744 nft_active_genmask(set, genmask))
2747 return ERR_PTR(-ENOENT);
2750 struct nft_set *nft_set_lookup_global(const struct net *net,
2751 const struct nft_table *table,
2752 const struct nlattr *nla_set_name,
2753 const struct nlattr *nla_set_id,
2756 struct nft_set *set;
2758 set = nft_set_lookup(table, nla_set_name, genmask);
2763 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2767 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2769 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2772 const struct nft_set *i;
2774 unsigned long *inuse;
2775 unsigned int n = 0, min = 0;
2777 p = strchr(name, '%');
2779 if (p[1] != 'd' || strchr(p + 2, '%'))
2782 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2786 list_for_each_entry(i, &ctx->table->sets, list) {
2789 if (!nft_is_active_next(ctx->net, set))
2791 if (!sscanf(i->name, name, &tmp))
2793 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2796 set_bit(tmp - min, inuse);
2799 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2800 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2801 min += BITS_PER_BYTE * PAGE_SIZE;
2802 memset(inuse, 0, PAGE_SIZE);
2805 free_page((unsigned long)inuse);
2808 set->name = kasprintf(GFP_KERNEL, name, min + n);
2812 list_for_each_entry(i, &ctx->table->sets, list) {
2813 if (!nft_is_active_next(ctx->net, i))
2815 if (!strcmp(set->name, i->name)) {
2823 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
2825 u64 ms = be64_to_cpu(nla_get_be64(nla));
2826 u64 max = (u64)(~((u64)0));
2828 max = div_u64(max, NSEC_PER_MSEC);
2832 ms *= NSEC_PER_MSEC;
2833 *result = nsecs_to_jiffies64(ms);
2837 static u64 nf_jiffies64_to_msecs(u64 input)
2839 u64 ms = jiffies64_to_nsecs(input);
2841 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
2844 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2845 const struct nft_set *set, u16 event, u16 flags)
2847 struct nfgenmsg *nfmsg;
2848 struct nlmsghdr *nlh;
2849 struct nlattr *desc;
2850 u32 portid = ctx->portid;
2853 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2854 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2857 goto nla_put_failure;
2859 nfmsg = nlmsg_data(nlh);
2860 nfmsg->nfgen_family = ctx->family;
2861 nfmsg->version = NFNETLINK_V0;
2862 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2864 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2865 goto nla_put_failure;
2866 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2867 goto nla_put_failure;
2868 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2870 goto nla_put_failure;
2871 if (set->flags != 0)
2872 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2873 goto nla_put_failure;
2875 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2876 goto nla_put_failure;
2877 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2878 goto nla_put_failure;
2879 if (set->flags & NFT_SET_MAP) {
2880 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2881 goto nla_put_failure;
2882 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2883 goto nla_put_failure;
2885 if (set->flags & NFT_SET_OBJECT &&
2886 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2887 goto nla_put_failure;
2890 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2891 nf_jiffies64_to_msecs(set->timeout),
2893 goto nla_put_failure;
2895 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2896 goto nla_put_failure;
2898 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2899 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2900 goto nla_put_failure;
2903 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2904 goto nla_put_failure;
2906 desc = nla_nest_start(skb, NFTA_SET_DESC);
2908 goto nla_put_failure;
2910 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2911 goto nla_put_failure;
2912 nla_nest_end(skb, desc);
2914 nlmsg_end(skb, nlh);
2918 nlmsg_trim(skb, nlh);
2922 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2923 const struct nft_set *set, int event,
2926 struct sk_buff *skb;
2927 u32 portid = ctx->portid;
2931 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2934 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2938 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2944 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2948 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2951 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2953 const struct nft_set *set;
2954 unsigned int idx, s_idx = cb->args[0];
2955 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2956 struct net *net = sock_net(skb->sk);
2957 struct nft_ctx *ctx = cb->data, ctx_set;
2963 cb->seq = net->nft.base_seq;
2965 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2966 if (ctx->family != NFPROTO_UNSPEC &&
2967 ctx->family != table->family)
2970 if (ctx->table && ctx->table != table)
2974 if (cur_table != table)
2980 list_for_each_entry_rcu(set, &table->sets, list) {
2983 if (!nft_is_active(net, set))
2987 ctx_set.table = table;
2988 ctx_set.family = table->family;
2990 if (nf_tables_fill_set(skb, &ctx_set, set,
2994 cb->args[2] = (unsigned long) table;
2997 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3010 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3016 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3017 struct sk_buff *skb, const struct nlmsghdr *nlh,
3018 const struct nlattr * const nla[],
3019 struct netlink_ext_ack *extack)
3021 u8 genmask = nft_genmask_cur(net);
3022 const struct nft_set *set;
3024 struct sk_buff *skb2;
3025 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3028 /* Verify existence before starting dump */
3029 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3034 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3035 struct netlink_dump_control c = {
3036 .dump = nf_tables_dump_sets,
3037 .done = nf_tables_dump_sets_done,
3039 struct nft_ctx *ctx_dump;
3041 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3042 if (ctx_dump == NULL)
3048 return netlink_dump_start(nlsk, skb, nlh, &c);
3051 /* Only accept unspec with dump */
3052 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3053 return -EAFNOSUPPORT;
3054 if (!nla[NFTA_SET_TABLE])
3057 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3059 return PTR_ERR(set);
3061 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3065 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3069 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3076 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3077 struct nft_set_desc *desc,
3078 const struct nlattr *nla)
3080 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3083 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3084 nft_set_desc_policy, NULL);
3088 if (da[NFTA_SET_DESC_SIZE] != NULL)
3089 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3094 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3095 struct sk_buff *skb, const struct nlmsghdr *nlh,
3096 const struct nlattr * const nla[],
3097 struct netlink_ext_ack *extack)
3099 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3100 u8 genmask = nft_genmask_next(net);
3101 int family = nfmsg->nfgen_family;
3102 const struct nft_set_ops *ops;
3103 struct nft_table *table;
3104 struct nft_set *set;
3110 u32 ktype, dtype, flags, policy, gc_int, objtype;
3111 struct nft_set_desc desc;
3112 unsigned char *udata;
3116 if (nla[NFTA_SET_TABLE] == NULL ||
3117 nla[NFTA_SET_NAME] == NULL ||
3118 nla[NFTA_SET_KEY_LEN] == NULL ||
3119 nla[NFTA_SET_ID] == NULL)
3122 memset(&desc, 0, sizeof(desc));
3124 ktype = NFT_DATA_VALUE;
3125 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3126 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3127 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3131 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3132 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3136 if (nla[NFTA_SET_FLAGS] != NULL) {
3137 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3138 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3139 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3140 NFT_SET_MAP | NFT_SET_EVAL |
3143 /* Only one of these operations is supported */
3144 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3145 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3150 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3151 if (!(flags & NFT_SET_MAP))
3154 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3155 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3156 dtype != NFT_DATA_VERDICT)
3159 if (dtype != NFT_DATA_VERDICT) {
3160 if (nla[NFTA_SET_DATA_LEN] == NULL)
3162 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3163 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3166 desc.dlen = sizeof(struct nft_verdict);
3167 } else if (flags & NFT_SET_MAP)
3170 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3171 if (!(flags & NFT_SET_OBJECT))
3174 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3175 if (objtype == NFT_OBJECT_UNSPEC ||
3176 objtype > NFT_OBJECT_MAX)
3178 } else if (flags & NFT_SET_OBJECT)
3181 objtype = NFT_OBJECT_UNSPEC;
3184 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3185 if (!(flags & NFT_SET_TIMEOUT))
3188 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3193 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3194 if (!(flags & NFT_SET_TIMEOUT))
3196 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3199 policy = NFT_SET_POL_PERFORMANCE;
3200 if (nla[NFTA_SET_POLICY] != NULL)
3201 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3203 if (nla[NFTA_SET_DESC] != NULL) {
3204 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3209 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3211 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3212 if (IS_ERR(table)) {
3213 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3214 return PTR_ERR(table);
3217 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3219 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3221 if (PTR_ERR(set) != -ENOENT) {
3222 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3223 return PTR_ERR(set);
3226 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3227 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3230 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3236 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3239 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3241 return PTR_ERR(ops);
3244 if (nla[NFTA_SET_USERDATA])
3245 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3248 if (ops->privsize != NULL)
3249 size = ops->privsize(nla, &desc);
3251 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3257 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3263 err = nf_tables_set_alloc_name(&ctx, set, name);
3270 udata = set->data + size;
3271 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3274 INIT_LIST_HEAD(&set->bindings);
3277 set->klen = desc.klen;
3279 set->objtype = objtype;
3280 set->dlen = desc.dlen;
3282 set->size = desc.size;
3283 set->policy = policy;
3286 set->timeout = timeout;
3287 set->gc_int = gc_int;
3288 set->handle = nf_tables_alloc_handle(table);
3290 err = ops->init(set, &desc, nla);
3294 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3298 list_add_tail_rcu(&set->list, &table->sets);
3309 module_put(to_set_type(ops)->owner);
3313 static void nft_set_destroy(struct nft_set *set)
3315 set->ops->destroy(set);
3316 module_put(to_set_type(set->ops)->owner);
3321 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3323 list_del_rcu(&set->list);
3324 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3325 nft_set_destroy(set);
3328 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3329 struct sk_buff *skb, const struct nlmsghdr *nlh,
3330 const struct nlattr * const nla[],
3331 struct netlink_ext_ack *extack)
3333 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3334 u8 genmask = nft_genmask_next(net);
3335 const struct nlattr *attr;
3336 struct nft_set *set;
3340 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3341 return -EAFNOSUPPORT;
3342 if (nla[NFTA_SET_TABLE] == NULL)
3345 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3350 if (nla[NFTA_SET_HANDLE]) {
3351 attr = nla[NFTA_SET_HANDLE];
3352 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3354 attr = nla[NFTA_SET_NAME];
3355 set = nft_set_lookup(ctx.table, attr, genmask);
3359 NL_SET_BAD_ATTR(extack, attr);
3360 return PTR_ERR(set);
3362 if (!list_empty(&set->bindings) ||
3363 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3364 NL_SET_BAD_ATTR(extack, attr);
3368 return nft_delset(&ctx, set);
3371 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3372 struct nft_set *set,
3373 const struct nft_set_iter *iter,
3374 struct nft_set_elem *elem)
3376 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3377 enum nft_registers dreg;
3379 dreg = nft_type_to_reg(set->dtype);
3380 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3381 set->dtype == NFT_DATA_VERDICT ?
3382 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3386 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3387 struct nft_set_binding *binding)
3389 struct nft_set_binding *i;
3390 struct nft_set_iter iter;
3392 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3395 if (binding->flags & NFT_SET_MAP) {
3396 /* If the set is already bound to the same chain all
3397 * jumps are already validated for that chain.
3399 list_for_each_entry(i, &set->bindings, list) {
3400 if (i->flags & NFT_SET_MAP &&
3401 i->chain == binding->chain)
3405 iter.genmask = nft_genmask_next(ctx->net);
3409 iter.fn = nf_tables_bind_check_setelem;
3411 set->ops->walk(ctx, set, &iter);
3416 binding->chain = ctx->chain;
3417 list_add_tail_rcu(&binding->list, &set->bindings);
3420 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3422 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3423 struct nft_set_binding *binding)
3425 list_del_rcu(&binding->list);
3427 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3428 nft_is_active(ctx->net, set))
3429 nf_tables_set_destroy(ctx, set);
3431 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3433 const struct nft_set_ext_type nft_set_ext_types[] = {
3434 [NFT_SET_EXT_KEY] = {
3435 .align = __alignof__(u32),
3437 [NFT_SET_EXT_DATA] = {
3438 .align = __alignof__(u32),
3440 [NFT_SET_EXT_EXPR] = {
3441 .align = __alignof__(struct nft_expr),
3443 [NFT_SET_EXT_OBJREF] = {
3444 .len = sizeof(struct nft_object *),
3445 .align = __alignof__(struct nft_object *),
3447 [NFT_SET_EXT_FLAGS] = {
3449 .align = __alignof__(u8),
3451 [NFT_SET_EXT_TIMEOUT] = {
3453 .align = __alignof__(u64),
3455 [NFT_SET_EXT_EXPIRATION] = {
3457 .align = __alignof__(u64),
3459 [NFT_SET_EXT_USERDATA] = {
3460 .len = sizeof(struct nft_userdata),
3461 .align = __alignof__(struct nft_userdata),
3464 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3470 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3471 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3472 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3473 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3474 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3475 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3476 .len = NFT_USERDATA_MAXLEN },
3477 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3478 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3481 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3482 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3483 .len = NFT_TABLE_MAXNAMELEN - 1 },
3484 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3485 .len = NFT_SET_MAXNAMELEN - 1 },
3486 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3487 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3490 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3491 const struct sk_buff *skb,
3492 const struct nlmsghdr *nlh,
3493 const struct nlattr * const nla[],
3494 struct netlink_ext_ack *extack,
3497 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3498 int family = nfmsg->nfgen_family;
3499 struct nft_table *table;
3501 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3503 if (IS_ERR(table)) {
3504 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3505 return PTR_ERR(table);
3508 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3512 static int nf_tables_fill_setelem(struct sk_buff *skb,
3513 const struct nft_set *set,
3514 const struct nft_set_elem *elem)
3516 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3517 unsigned char *b = skb_tail_pointer(skb);
3518 struct nlattr *nest;
3520 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3522 goto nla_put_failure;
3524 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3525 NFT_DATA_VALUE, set->klen) < 0)
3526 goto nla_put_failure;
3528 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3529 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3530 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3532 goto nla_put_failure;
3534 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3535 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3536 goto nla_put_failure;
3538 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3539 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3540 (*nft_set_ext_obj(ext))->name) < 0)
3541 goto nla_put_failure;
3543 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3544 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3545 htonl(*nft_set_ext_flags(ext))))
3546 goto nla_put_failure;
3548 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3549 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3550 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3552 goto nla_put_failure;
3554 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3555 u64 expires, now = get_jiffies_64();
3557 expires = *nft_set_ext_expiration(ext);
3558 if (time_before64(now, expires))
3563 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3564 nf_jiffies64_to_msecs(expires),
3566 goto nla_put_failure;
3569 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3570 struct nft_userdata *udata;
3572 udata = nft_set_ext_userdata(ext);
3573 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3574 udata->len + 1, udata->data))
3575 goto nla_put_failure;
3578 nla_nest_end(skb, nest);
3586 struct nft_set_dump_args {
3587 const struct netlink_callback *cb;
3588 struct nft_set_iter iter;
3589 struct sk_buff *skb;
3592 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3593 struct nft_set *set,
3594 const struct nft_set_iter *iter,
3595 struct nft_set_elem *elem)
3597 struct nft_set_dump_args *args;
3599 args = container_of(iter, struct nft_set_dump_args, iter);
3600 return nf_tables_fill_setelem(args->skb, set, elem);
3603 struct nft_set_dump_ctx {
3604 const struct nft_set *set;
3608 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3610 struct nft_set_dump_ctx *dump_ctx = cb->data;
3611 struct net *net = sock_net(skb->sk);
3612 struct nft_table *table;
3613 struct nft_set *set;
3614 struct nft_set_dump_args args;
3615 bool set_found = false;
3616 struct nfgenmsg *nfmsg;
3617 struct nlmsghdr *nlh;
3618 struct nlattr *nest;
3623 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3624 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3625 dump_ctx->ctx.family != table->family)
3628 if (table != dump_ctx->ctx.table)
3631 list_for_each_entry_rcu(set, &table->sets, list) {
3632 if (set == dump_ctx->set) {
3645 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3646 portid = NETLINK_CB(cb->skb).portid;
3647 seq = cb->nlh->nlmsg_seq;
3649 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3652 goto nla_put_failure;
3654 nfmsg = nlmsg_data(nlh);
3655 nfmsg->nfgen_family = table->family;
3656 nfmsg->version = NFNETLINK_V0;
3657 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3659 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3660 goto nla_put_failure;
3661 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3662 goto nla_put_failure;
3664 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3666 goto nla_put_failure;
3670 args.iter.genmask = nft_genmask_cur(net);
3671 args.iter.skip = cb->args[0];
3672 args.iter.count = 0;
3674 args.iter.fn = nf_tables_dump_setelem;
3675 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3678 nla_nest_end(skb, nest);
3679 nlmsg_end(skb, nlh);
3681 if (args.iter.err && args.iter.err != -EMSGSIZE)
3682 return args.iter.err;
3683 if (args.iter.count == cb->args[0])
3686 cb->args[0] = args.iter.count;
3694 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3700 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3701 const struct nft_ctx *ctx, u32 seq,
3702 u32 portid, int event, u16 flags,
3703 const struct nft_set *set,
3704 const struct nft_set_elem *elem)
3706 struct nfgenmsg *nfmsg;
3707 struct nlmsghdr *nlh;
3708 struct nlattr *nest;
3711 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3712 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3715 goto nla_put_failure;
3717 nfmsg = nlmsg_data(nlh);
3718 nfmsg->nfgen_family = ctx->family;
3719 nfmsg->version = NFNETLINK_V0;
3720 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3722 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3723 goto nla_put_failure;
3724 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3725 goto nla_put_failure;
3727 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3729 goto nla_put_failure;
3731 err = nf_tables_fill_setelem(skb, set, elem);
3733 goto nla_put_failure;
3735 nla_nest_end(skb, nest);
3737 nlmsg_end(skb, nlh);
3741 nlmsg_trim(skb, nlh);
3745 static int nft_setelem_parse_flags(const struct nft_set *set,
3746 const struct nlattr *attr, u32 *flags)
3751 *flags = ntohl(nla_get_be32(attr));
3752 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3754 if (!(set->flags & NFT_SET_INTERVAL) &&
3755 *flags & NFT_SET_ELEM_INTERVAL_END)
3761 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3762 const struct nlattr *attr)
3764 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3765 const struct nft_set_ext *ext;
3766 struct nft_data_desc desc;
3767 struct nft_set_elem elem;
3768 struct sk_buff *skb;
3773 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3774 nft_set_elem_policy, NULL);
3778 if (!nla[NFTA_SET_ELEM_KEY])
3781 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3785 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3786 nla[NFTA_SET_ELEM_KEY]);
3791 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3794 priv = set->ops->get(ctx->net, set, &elem, flags);
3796 return PTR_ERR(priv);
3799 ext = nft_set_elem_ext(set, &elem);
3802 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3806 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3807 NFT_MSG_NEWSETELEM, 0, set, &elem);
3811 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3812 /* This avoids a loop in nfnetlink. */
3820 /* this avoids a loop in nfnetlink. */
3821 return err == -EAGAIN ? -ENOBUFS : err;
3824 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3825 struct sk_buff *skb, const struct nlmsghdr *nlh,
3826 const struct nlattr * const nla[],
3827 struct netlink_ext_ack *extack)
3829 u8 genmask = nft_genmask_cur(net);
3830 struct nft_set *set;
3831 struct nlattr *attr;
3835 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
3840 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
3842 return PTR_ERR(set);
3844 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3845 struct netlink_dump_control c = {
3846 .dump = nf_tables_dump_set,
3847 .done = nf_tables_dump_set_done,
3849 struct nft_set_dump_ctx *dump_ctx;
3851 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3855 dump_ctx->set = set;
3856 dump_ctx->ctx = ctx;
3859 return netlink_dump_start(nlsk, skb, nlh, &c);
3862 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3865 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3866 err = nft_get_set_elem(&ctx, set, attr);
3874 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3875 const struct nft_set *set,
3876 const struct nft_set_elem *elem,
3877 int event, u16 flags)
3879 struct net *net = ctx->net;
3880 u32 portid = ctx->portid;
3881 struct sk_buff *skb;
3884 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3887 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3891 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3898 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3902 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3905 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3907 struct nft_set *set)
3909 struct nft_trans *trans;
3911 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3915 nft_trans_elem_set(trans) = set;
3919 void *nft_set_elem_init(const struct nft_set *set,
3920 const struct nft_set_ext_tmpl *tmpl,
3921 const u32 *key, const u32 *data,
3922 u64 timeout, gfp_t gfp)
3924 struct nft_set_ext *ext;
3927 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3931 ext = nft_set_elem_ext(set, elem);
3932 nft_set_ext_init(ext, tmpl);
3934 memcpy(nft_set_ext_key(ext), key, set->klen);
3935 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3936 memcpy(nft_set_ext_data(ext), data, set->dlen);
3937 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3938 *nft_set_ext_expiration(ext) =
3939 get_jiffies_64() + timeout;
3940 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3941 *nft_set_ext_timeout(ext) = timeout;
3946 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3949 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3951 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3952 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3953 nft_data_release(nft_set_ext_data(ext), set->dtype);
3954 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3955 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3956 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3957 (*nft_set_ext_obj(ext))->use--;
3960 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3962 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3963 * the refcounting from the preparation phase.
3965 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3967 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3969 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3970 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3974 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3975 const struct nlattr *attr, u32 nlmsg_flags)
3977 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3978 u8 genmask = nft_genmask_next(ctx->net);
3979 struct nft_data_desc d1, d2;
3980 struct nft_set_ext_tmpl tmpl;
3981 struct nft_set_ext *ext, *ext2;
3982 struct nft_set_elem elem;
3983 struct nft_set_binding *binding;
3984 struct nft_object *obj = NULL;
3985 struct nft_userdata *udata;
3986 struct nft_data data;
3987 enum nft_registers dreg;
3988 struct nft_trans *trans;
3994 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3995 nft_set_elem_policy, NULL);
3999 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4002 nft_set_ext_prepare(&tmpl);
4004 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4008 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4010 if (set->flags & NFT_SET_MAP) {
4011 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4012 !(flags & NFT_SET_ELEM_INTERVAL_END))
4014 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4015 flags & NFT_SET_ELEM_INTERVAL_END)
4018 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4023 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4024 if (!(set->flags & NFT_SET_TIMEOUT))
4026 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4030 } else if (set->flags & NFT_SET_TIMEOUT) {
4031 timeout = set->timeout;
4034 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4035 nla[NFTA_SET_ELEM_KEY]);
4039 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4042 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4044 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4045 if (timeout != set->timeout)
4046 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4049 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4050 if (!(set->flags & NFT_SET_OBJECT)) {
4054 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4055 set->objtype, genmask);
4060 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4063 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4064 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4065 nla[NFTA_SET_ELEM_DATA]);
4070 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4073 dreg = nft_type_to_reg(set->dtype);
4074 list_for_each_entry(binding, &set->bindings, list) {
4075 struct nft_ctx bind_ctx = {
4077 .family = ctx->family,
4078 .table = ctx->table,
4079 .chain = (struct nft_chain *)binding->chain,
4082 if (!(binding->flags & NFT_SET_MAP))
4085 err = nft_validate_register_store(&bind_ctx, dreg,
4092 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4095 /* The full maximum length of userdata can exceed the maximum
4096 * offset value (U8_MAX) for following extensions, therefor it
4097 * must be the last extension added.
4100 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4101 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4103 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4108 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4109 timeout, GFP_KERNEL);
4110 if (elem.priv == NULL)
4113 ext = nft_set_elem_ext(set, elem.priv);
4115 *nft_set_ext_flags(ext) = flags;
4117 udata = nft_set_ext_userdata(ext);
4118 udata->len = ulen - 1;
4119 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4122 *nft_set_ext_obj(ext) = obj;
4126 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4130 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4131 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4133 if (err == -EEXIST) {
4134 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4135 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4136 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4137 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4141 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4142 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4143 memcmp(nft_set_ext_data(ext),
4144 nft_set_ext_data(ext2), set->dlen) != 0) ||
4145 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4146 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4147 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4149 else if (!(nlmsg_flags & NLM_F_EXCL))
4156 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4161 nft_trans_elem(trans) = elem;
4162 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4166 set->ops->remove(ctx->net, set, &elem);
4172 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4173 nft_data_release(&data, d2.type);
4175 nft_data_release(&elem.key.val, d1.type);
4180 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4181 struct sk_buff *skb, const struct nlmsghdr *nlh,
4182 const struct nlattr * const nla[],
4183 struct netlink_ext_ack *extack)
4185 u8 genmask = nft_genmask_next(net);
4186 const struct nlattr *attr;
4187 struct nft_set *set;
4191 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4194 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4199 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4200 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4202 return PTR_ERR(set);
4204 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4207 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4208 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4216 * nft_data_hold - hold a nft_data item
4218 * @data: struct nft_data to release
4219 * @type: type of data
4221 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4222 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4223 * NFT_GOTO verdicts. This function must be called on active data objects
4224 * from the second phase of the commit protocol.
4226 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4228 if (type == NFT_DATA_VERDICT) {
4229 switch (data->verdict.code) {
4232 data->verdict.chain->use++;
4238 static void nft_set_elem_activate(const struct net *net,
4239 const struct nft_set *set,
4240 struct nft_set_elem *elem)
4242 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4244 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4245 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4246 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4247 (*nft_set_ext_obj(ext))->use++;
4250 static void nft_set_elem_deactivate(const struct net *net,
4251 const struct nft_set *set,
4252 struct nft_set_elem *elem)
4254 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4256 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4257 nft_data_release(nft_set_ext_data(ext), set->dtype);
4258 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4259 (*nft_set_ext_obj(ext))->use--;
4262 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4263 const struct nlattr *attr)
4265 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4266 struct nft_set_ext_tmpl tmpl;
4267 struct nft_data_desc desc;
4268 struct nft_set_elem elem;
4269 struct nft_set_ext *ext;
4270 struct nft_trans *trans;
4275 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4276 nft_set_elem_policy, NULL);
4281 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4284 nft_set_ext_prepare(&tmpl);
4286 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4290 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4292 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4293 nla[NFTA_SET_ELEM_KEY]);
4298 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4301 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4304 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4306 if (elem.priv == NULL)
4309 ext = nft_set_elem_ext(set, elem.priv);
4311 *nft_set_ext_flags(ext) = flags;
4313 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4314 if (trans == NULL) {
4319 priv = set->ops->deactivate(ctx->net, set, &elem);
4327 nft_set_elem_deactivate(ctx->net, set, &elem);
4329 nft_trans_elem(trans) = elem;
4330 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4338 nft_data_release(&elem.key.val, desc.type);
4343 static int nft_flush_set(const struct nft_ctx *ctx,
4344 struct nft_set *set,
4345 const struct nft_set_iter *iter,
4346 struct nft_set_elem *elem)
4348 struct nft_trans *trans;
4351 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4352 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4356 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4362 nft_trans_elem_set(trans) = set;
4363 nft_trans_elem(trans) = *elem;
4364 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4372 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4373 struct sk_buff *skb, const struct nlmsghdr *nlh,
4374 const struct nlattr * const nla[],
4375 struct netlink_ext_ack *extack)
4377 u8 genmask = nft_genmask_next(net);
4378 const struct nlattr *attr;
4379 struct nft_set *set;
4383 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4388 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4390 return PTR_ERR(set);
4391 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4394 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4395 struct nft_set_iter iter = {
4397 .fn = nft_flush_set,
4399 set->ops->walk(&ctx, set, &iter);
4404 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4405 err = nft_del_setelem(&ctx, set, attr);
4414 void nft_set_gc_batch_release(struct rcu_head *rcu)
4416 struct nft_set_gc_batch *gcb;
4419 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4420 for (i = 0; i < gcb->head.cnt; i++)
4421 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4424 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4426 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4429 struct nft_set_gc_batch *gcb;
4431 gcb = kzalloc(sizeof(*gcb), gfp);
4434 gcb->head.set = set;
4437 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4444 * nft_register_obj- register nf_tables stateful object type
4447 * Registers the object type for use with nf_tables. Returns zero on
4448 * success or a negative errno code otherwise.
4450 int nft_register_obj(struct nft_object_type *obj_type)
4452 if (obj_type->type == NFT_OBJECT_UNSPEC)
4455 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4456 list_add_rcu(&obj_type->list, &nf_tables_objects);
4457 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4460 EXPORT_SYMBOL_GPL(nft_register_obj);
4463 * nft_unregister_obj - unregister nf_tables object type
4466 * Unregisters the object type for use with nf_tables.
4468 void nft_unregister_obj(struct nft_object_type *obj_type)
4470 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4471 list_del_rcu(&obj_type->list);
4472 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4474 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4476 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4477 const struct nlattr *nla, u32 objtype,
4480 struct nft_object *obj;
4482 list_for_each_entry(obj, &table->objects, list) {
4483 if (!nla_strcmp(nla, obj->name) &&
4484 objtype == obj->ops->type->type &&
4485 nft_active_genmask(obj, genmask))
4488 return ERR_PTR(-ENOENT);
4490 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4492 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4493 const struct nlattr *nla,
4494 u32 objtype, u8 genmask)
4496 struct nft_object *obj;
4498 list_for_each_entry(obj, &table->objects, list) {
4499 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4500 objtype == obj->ops->type->type &&
4501 nft_active_genmask(obj, genmask))
4504 return ERR_PTR(-ENOENT);
4507 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4508 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4509 .len = NFT_TABLE_MAXNAMELEN - 1 },
4510 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4511 .len = NFT_OBJ_MAXNAMELEN - 1 },
4512 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4513 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4514 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4517 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4518 const struct nft_object_type *type,
4519 const struct nlattr *attr)
4522 const struct nft_object_ops *ops;
4523 struct nft_object *obj;
4526 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4531 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4536 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4539 if (type->select_ops) {
4540 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4550 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4554 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4567 return ERR_PTR(err);
4570 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4571 struct nft_object *obj, bool reset)
4573 struct nlattr *nest;
4575 nest = nla_nest_start(skb, attr);
4577 goto nla_put_failure;
4578 if (obj->ops->dump(skb, obj, reset) < 0)
4579 goto nla_put_failure;
4580 nla_nest_end(skb, nest);
4587 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4589 const struct nft_object_type *type;
4591 list_for_each_entry(type, &nf_tables_objects, list) {
4592 if (objtype == type->type)
4598 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4600 const struct nft_object_type *type;
4602 type = __nft_obj_type_get(objtype);
4603 if (type != NULL && try_module_get(type->owner))
4606 #ifdef CONFIG_MODULES
4608 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4609 request_module("nft-obj-%u", objtype);
4610 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4611 if (__nft_obj_type_get(objtype))
4612 return ERR_PTR(-EAGAIN);
4615 return ERR_PTR(-ENOENT);
4618 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4619 struct sk_buff *skb, const struct nlmsghdr *nlh,
4620 const struct nlattr * const nla[],
4621 struct netlink_ext_ack *extack)
4623 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4624 const struct nft_object_type *type;
4625 u8 genmask = nft_genmask_next(net);
4626 int family = nfmsg->nfgen_family;
4627 struct nft_table *table;
4628 struct nft_object *obj;
4633 if (!nla[NFTA_OBJ_TYPE] ||
4634 !nla[NFTA_OBJ_NAME] ||
4635 !nla[NFTA_OBJ_DATA])
4638 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4639 if (IS_ERR(table)) {
4640 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4641 return PTR_ERR(table);
4644 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4645 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4648 if (err != -ENOENT) {
4649 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4653 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4654 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4660 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4662 type = nft_obj_type_get(objtype);
4664 return PTR_ERR(type);
4666 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4672 obj->handle = nf_tables_alloc_handle(table);
4674 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4680 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4684 list_add_tail_rcu(&obj->list, &table->objects);
4690 if (obj->ops->destroy)
4691 obj->ops->destroy(obj);
4694 module_put(type->owner);
4698 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4699 u32 portid, u32 seq, int event, u32 flags,
4700 int family, const struct nft_table *table,
4701 struct nft_object *obj, bool reset)
4703 struct nfgenmsg *nfmsg;
4704 struct nlmsghdr *nlh;
4706 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4707 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4709 goto nla_put_failure;
4711 nfmsg = nlmsg_data(nlh);
4712 nfmsg->nfgen_family = family;
4713 nfmsg->version = NFNETLINK_V0;
4714 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4716 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4717 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4718 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4719 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4720 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4721 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4723 goto nla_put_failure;
4725 nlmsg_end(skb, nlh);
4729 nlmsg_trim(skb, nlh);
4733 struct nft_obj_filter {
4738 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4740 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4741 const struct nft_table *table;
4742 unsigned int idx = 0, s_idx = cb->args[0];
4743 struct nft_obj_filter *filter = cb->data;
4744 struct net *net = sock_net(skb->sk);
4745 int family = nfmsg->nfgen_family;
4746 struct nft_object *obj;
4749 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4753 cb->seq = net->nft.base_seq;
4755 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4756 if (family != NFPROTO_UNSPEC && family != table->family)
4759 list_for_each_entry_rcu(obj, &table->objects, list) {
4760 if (!nft_is_active(net, obj))
4765 memset(&cb->args[1], 0,
4766 sizeof(cb->args) - sizeof(cb->args[0]));
4767 if (filter && filter->table[0] &&
4768 strcmp(filter->table, table->name))
4771 filter->type != NFT_OBJECT_UNSPEC &&
4772 obj->ops->type->type != filter->type)
4775 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4778 NLM_F_MULTI | NLM_F_APPEND,
4779 table->family, table,
4783 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4795 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4797 struct nft_obj_filter *filter = cb->data;
4800 kfree(filter->table);
4807 static struct nft_obj_filter *
4808 nft_obj_filter_alloc(const struct nlattr * const nla[])
4810 struct nft_obj_filter *filter;
4812 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4814 return ERR_PTR(-ENOMEM);
4816 if (nla[NFTA_OBJ_TABLE]) {
4817 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4818 if (!filter->table) {
4820 return ERR_PTR(-ENOMEM);
4823 if (nla[NFTA_OBJ_TYPE])
4824 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4829 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4830 struct sk_buff *skb, const struct nlmsghdr *nlh,
4831 const struct nlattr * const nla[],
4832 struct netlink_ext_ack *extack)
4834 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4835 u8 genmask = nft_genmask_cur(net);
4836 int family = nfmsg->nfgen_family;
4837 const struct nft_table *table;
4838 struct nft_object *obj;
4839 struct sk_buff *skb2;
4844 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4845 struct netlink_dump_control c = {
4846 .dump = nf_tables_dump_obj,
4847 .done = nf_tables_dump_obj_done,
4850 if (nla[NFTA_OBJ_TABLE] ||
4851 nla[NFTA_OBJ_TYPE]) {
4852 struct nft_obj_filter *filter;
4854 filter = nft_obj_filter_alloc(nla);
4860 return netlink_dump_start(nlsk, skb, nlh, &c);
4863 if (!nla[NFTA_OBJ_NAME] ||
4864 !nla[NFTA_OBJ_TYPE])
4867 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4868 if (IS_ERR(table)) {
4869 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4870 return PTR_ERR(table);
4873 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4874 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4876 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4877 return PTR_ERR(obj);
4880 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4884 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4887 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4888 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4889 family, table, obj, reset);
4893 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4899 static void nft_obj_destroy(struct nft_object *obj)
4901 if (obj->ops->destroy)
4902 obj->ops->destroy(obj);
4904 module_put(obj->ops->type->owner);
4909 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4910 struct sk_buff *skb, const struct nlmsghdr *nlh,
4911 const struct nlattr * const nla[],
4912 struct netlink_ext_ack *extack)
4914 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4915 u8 genmask = nft_genmask_next(net);
4916 int family = nfmsg->nfgen_family;
4917 const struct nlattr *attr;
4918 struct nft_table *table;
4919 struct nft_object *obj;
4923 if (!nla[NFTA_OBJ_TYPE] ||
4924 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4927 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4928 if (IS_ERR(table)) {
4929 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4930 return PTR_ERR(table);
4933 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4934 if (nla[NFTA_OBJ_HANDLE]) {
4935 attr = nla[NFTA_OBJ_HANDLE];
4936 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
4938 attr = nla[NFTA_OBJ_NAME];
4939 obj = nft_obj_lookup(table, attr, objtype, genmask);
4943 NL_SET_BAD_ATTR(extack, attr);
4944 return PTR_ERR(obj);
4947 NL_SET_BAD_ATTR(extack, attr);
4951 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4953 return nft_delobj(&ctx, obj);
4956 void nft_obj_notify(struct net *net, struct nft_table *table,
4957 struct nft_object *obj, u32 portid, u32 seq, int event,
4958 int family, int report, gfp_t gfp)
4960 struct sk_buff *skb;
4964 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4967 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4971 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4978 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4981 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4983 EXPORT_SYMBOL_GPL(nft_obj_notify);
4985 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4986 struct nft_object *obj, int event)
4988 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4989 ctx->family, ctx->report, GFP_KERNEL);
4995 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4997 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4998 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4999 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5001 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5003 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5005 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5006 list_del_rcu(&type->list);
5007 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5009 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5011 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5012 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5013 .len = NFT_NAME_MAXLEN - 1 },
5014 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5015 .len = NFT_NAME_MAXLEN - 1 },
5016 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5017 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5020 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5021 const struct nlattr *nla, u8 genmask)
5023 struct nft_flowtable *flowtable;
5025 list_for_each_entry(flowtable, &table->flowtables, list) {
5026 if (!nla_strcmp(nla, flowtable->name) &&
5027 nft_active_genmask(flowtable, genmask))
5030 return ERR_PTR(-ENOENT);
5032 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5034 static struct nft_flowtable *
5035 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5036 const struct nlattr *nla, u8 genmask)
5038 struct nft_flowtable *flowtable;
5040 list_for_each_entry(flowtable, &table->flowtables, list) {
5041 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5042 nft_active_genmask(flowtable, genmask))
5045 return ERR_PTR(-ENOENT);
5048 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5049 const struct nlattr *attr,
5050 struct net_device *dev_array[], int *len)
5052 const struct nlattr *tmp;
5053 struct net_device *dev;
5054 char ifname[IFNAMSIZ];
5055 int rem, n = 0, err;
5057 nla_for_each_nested(tmp, attr, rem) {
5058 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5063 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5064 dev = __dev_get_by_name(ctx->net, ifname);
5070 dev_array[n++] = dev;
5071 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5085 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5086 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5087 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5088 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5091 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5092 const struct nlattr *attr,
5093 struct nft_flowtable *flowtable)
5095 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5096 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5097 struct nf_hook_ops *ops;
5098 int hooknum, priority;
5101 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5102 nft_flowtable_hook_policy, NULL);
5106 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5107 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5108 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5111 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5112 if (hooknum != NF_NETDEV_INGRESS)
5115 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5117 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5122 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5126 flowtable->hooknum = hooknum;
5127 flowtable->priority = priority;
5128 flowtable->ops = ops;
5129 flowtable->ops_len = n;
5131 for (i = 0; i < n; i++) {
5132 flowtable->ops[i].pf = NFPROTO_NETDEV;
5133 flowtable->ops[i].hooknum = hooknum;
5134 flowtable->ops[i].priority = priority;
5135 flowtable->ops[i].priv = &flowtable->data;
5136 flowtable->ops[i].hook = flowtable->data.type->hook;
5137 flowtable->ops[i].dev = dev_array[i];
5138 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5145 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5147 const struct nf_flowtable_type *type;
5149 list_for_each_entry(type, &nf_tables_flowtables, list) {
5150 if (family == type->family)
5156 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5158 const struct nf_flowtable_type *type;
5160 type = __nft_flowtable_type_get(family);
5161 if (type != NULL && try_module_get(type->owner))
5164 #ifdef CONFIG_MODULES
5166 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5167 request_module("nf-flowtable-%u", family);
5168 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5169 if (__nft_flowtable_type_get(family))
5170 return ERR_PTR(-EAGAIN);
5173 return ERR_PTR(-ENOENT);
5176 static void nft_unregister_flowtable_net_hooks(struct net *net,
5177 struct nft_flowtable *flowtable)
5181 for (i = 0; i < flowtable->ops_len; i++) {
5182 if (!flowtable->ops[i].dev)
5185 nf_unregister_net_hook(net, &flowtable->ops[i]);
5189 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5190 struct sk_buff *skb,
5191 const struct nlmsghdr *nlh,
5192 const struct nlattr * const nla[],
5193 struct netlink_ext_ack *extack)
5195 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5196 const struct nf_flowtable_type *type;
5197 struct nft_flowtable *flowtable, *ft;
5198 u8 genmask = nft_genmask_next(net);
5199 int family = nfmsg->nfgen_family;
5200 struct nft_table *table;
5204 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5205 !nla[NFTA_FLOWTABLE_NAME] ||
5206 !nla[NFTA_FLOWTABLE_HOOK])
5209 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5211 if (IS_ERR(table)) {
5212 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5213 return PTR_ERR(table);
5216 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5218 if (IS_ERR(flowtable)) {
5219 err = PTR_ERR(flowtable);
5220 if (err != -ENOENT) {
5221 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5225 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5226 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5233 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5235 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5239 flowtable->table = table;
5240 flowtable->handle = nf_tables_alloc_handle(table);
5242 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5243 if (!flowtable->name) {
5248 type = nft_flowtable_type_get(family);
5250 err = PTR_ERR(type);
5254 flowtable->data.type = type;
5255 err = type->init(&flowtable->data);
5259 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5264 for (i = 0; i < flowtable->ops_len; i++) {
5265 if (!flowtable->ops[i].dev)
5268 list_for_each_entry(ft, &table->flowtables, list) {
5269 for (k = 0; k < ft->ops_len; k++) {
5270 if (!ft->ops[k].dev)
5273 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5274 flowtable->ops[i].pf == ft->ops[k].pf) {
5281 err = nf_register_net_hook(net, &flowtable->ops[i]);
5286 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5290 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5295 i = flowtable->ops_len;
5297 for (k = i - 1; k >= 0; k--) {
5298 kfree(flowtable->dev_name[k]);
5299 nf_unregister_net_hook(net, &flowtable->ops[k]);
5302 kfree(flowtable->ops);
5304 flowtable->data.type->free(&flowtable->data);
5306 module_put(type->owner);
5308 kfree(flowtable->name);
5314 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5315 struct sk_buff *skb,
5316 const struct nlmsghdr *nlh,
5317 const struct nlattr * const nla[],
5318 struct netlink_ext_ack *extack)
5320 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5321 u8 genmask = nft_genmask_next(net);
5322 int family = nfmsg->nfgen_family;
5323 struct nft_flowtable *flowtable;
5324 const struct nlattr *attr;
5325 struct nft_table *table;
5328 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5329 (!nla[NFTA_FLOWTABLE_NAME] &&
5330 !nla[NFTA_FLOWTABLE_HANDLE]))
5333 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5335 if (IS_ERR(table)) {
5336 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5337 return PTR_ERR(table);
5340 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5341 attr = nla[NFTA_FLOWTABLE_HANDLE];
5342 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5344 attr = nla[NFTA_FLOWTABLE_NAME];
5345 flowtable = nft_flowtable_lookup(table, attr, genmask);
5348 if (IS_ERR(flowtable)) {
5349 NL_SET_BAD_ATTR(extack, attr);
5350 return PTR_ERR(flowtable);
5352 if (flowtable->use > 0) {
5353 NL_SET_BAD_ATTR(extack, attr);
5357 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5359 return nft_delflowtable(&ctx, flowtable);
5362 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5363 u32 portid, u32 seq, int event,
5364 u32 flags, int family,
5365 struct nft_flowtable *flowtable)
5367 struct nlattr *nest, *nest_devs;
5368 struct nfgenmsg *nfmsg;
5369 struct nlmsghdr *nlh;
5372 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5373 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5375 goto nla_put_failure;
5377 nfmsg = nlmsg_data(nlh);
5378 nfmsg->nfgen_family = family;
5379 nfmsg->version = NFNETLINK_V0;
5380 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5382 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5383 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5384 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5385 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5386 NFTA_FLOWTABLE_PAD))
5387 goto nla_put_failure;
5389 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5390 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5391 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5392 goto nla_put_failure;
5394 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5396 goto nla_put_failure;
5398 for (i = 0; i < flowtable->ops_len; i++) {
5399 if (flowtable->dev_name[i][0] &&
5400 nla_put_string(skb, NFTA_DEVICE_NAME,
5401 flowtable->dev_name[i]))
5402 goto nla_put_failure;
5404 nla_nest_end(skb, nest_devs);
5405 nla_nest_end(skb, nest);
5407 nlmsg_end(skb, nlh);
5411 nlmsg_trim(skb, nlh);
5415 struct nft_flowtable_filter {
5419 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5420 struct netlink_callback *cb)
5422 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5423 struct nft_flowtable_filter *filter = cb->data;
5424 unsigned int idx = 0, s_idx = cb->args[0];
5425 struct net *net = sock_net(skb->sk);
5426 int family = nfmsg->nfgen_family;
5427 struct nft_flowtable *flowtable;
5428 const struct nft_table *table;
5431 cb->seq = net->nft.base_seq;
5433 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5434 if (family != NFPROTO_UNSPEC && family != table->family)
5437 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5438 if (!nft_is_active(net, flowtable))
5443 memset(&cb->args[1], 0,
5444 sizeof(cb->args) - sizeof(cb->args[0]));
5445 if (filter && filter->table[0] &&
5446 strcmp(filter->table, table->name))
5449 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5451 NFT_MSG_NEWFLOWTABLE,
5452 NLM_F_MULTI | NLM_F_APPEND,
5453 table->family, flowtable) < 0)
5456 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5468 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5470 struct nft_flowtable_filter *filter = cb->data;
5475 kfree(filter->table);
5481 static struct nft_flowtable_filter *
5482 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5484 struct nft_flowtable_filter *filter;
5486 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5488 return ERR_PTR(-ENOMEM);
5490 if (nla[NFTA_FLOWTABLE_TABLE]) {
5491 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5493 if (!filter->table) {
5495 return ERR_PTR(-ENOMEM);
5501 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5502 struct sk_buff *skb,
5503 const struct nlmsghdr *nlh,
5504 const struct nlattr * const nla[],
5505 struct netlink_ext_ack *extack)
5507 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5508 u8 genmask = nft_genmask_cur(net);
5509 int family = nfmsg->nfgen_family;
5510 struct nft_flowtable *flowtable;
5511 const struct nft_table *table;
5512 struct sk_buff *skb2;
5515 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5516 struct netlink_dump_control c = {
5517 .dump = nf_tables_dump_flowtable,
5518 .done = nf_tables_dump_flowtable_done,
5521 if (nla[NFTA_FLOWTABLE_TABLE]) {
5522 struct nft_flowtable_filter *filter;
5524 filter = nft_flowtable_filter_alloc(nla);
5530 return netlink_dump_start(nlsk, skb, nlh, &c);
5533 if (!nla[NFTA_FLOWTABLE_NAME])
5536 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5539 return PTR_ERR(table);
5541 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5543 if (IS_ERR(flowtable))
5544 return PTR_ERR(flowtable);
5546 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5550 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5552 NFT_MSG_NEWFLOWTABLE, 0, family,
5557 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5563 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5564 struct nft_flowtable *flowtable,
5567 struct sk_buff *skb;
5571 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5574 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5578 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5580 ctx->family, flowtable);
5586 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5587 ctx->report, GFP_KERNEL);
5590 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5593 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5595 kfree(flowtable->ops);
5596 kfree(flowtable->name);
5597 flowtable->data.type->free(&flowtable->data);
5598 module_put(flowtable->data.type->owner);
5601 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5602 u32 portid, u32 seq)
5604 struct nlmsghdr *nlh;
5605 struct nfgenmsg *nfmsg;
5606 char buf[TASK_COMM_LEN];
5607 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5609 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5611 goto nla_put_failure;
5613 nfmsg = nlmsg_data(nlh);
5614 nfmsg->nfgen_family = AF_UNSPEC;
5615 nfmsg->version = NFNETLINK_V0;
5616 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5618 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5619 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5620 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5621 goto nla_put_failure;
5623 nlmsg_end(skb, nlh);
5627 nlmsg_trim(skb, nlh);
5631 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5632 struct nft_flowtable *flowtable)
5636 for (i = 0; i < flowtable->ops_len; i++) {
5637 if (flowtable->ops[i].dev != dev)
5640 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5641 flowtable->dev_name[i][0] = '\0';
5642 flowtable->ops[i].dev = NULL;
5647 static int nf_tables_flowtable_event(struct notifier_block *this,
5648 unsigned long event, void *ptr)
5650 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5651 struct nft_flowtable *flowtable;
5652 struct nft_table *table;
5654 if (event != NETDEV_UNREGISTER)
5657 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5658 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5659 list_for_each_entry(flowtable, &table->flowtables, list) {
5660 nft_flowtable_event(event, dev, flowtable);
5663 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5668 static struct notifier_block nf_tables_flowtable_notifier = {
5669 .notifier_call = nf_tables_flowtable_event,
5672 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5675 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5676 struct sk_buff *skb2;
5679 if (nlmsg_report(nlh) &&
5680 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5683 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5687 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5694 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5695 nlmsg_report(nlh), GFP_KERNEL);
5698 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5702 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5703 struct sk_buff *skb, const struct nlmsghdr *nlh,
5704 const struct nlattr * const nla[],
5705 struct netlink_ext_ack *extack)
5707 struct sk_buff *skb2;
5710 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5714 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5719 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5725 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5726 [NFT_MSG_NEWTABLE] = {
5727 .call_batch = nf_tables_newtable,
5728 .attr_count = NFTA_TABLE_MAX,
5729 .policy = nft_table_policy,
5731 [NFT_MSG_GETTABLE] = {
5732 .call = nf_tables_gettable,
5733 .attr_count = NFTA_TABLE_MAX,
5734 .policy = nft_table_policy,
5736 [NFT_MSG_DELTABLE] = {
5737 .call_batch = nf_tables_deltable,
5738 .attr_count = NFTA_TABLE_MAX,
5739 .policy = nft_table_policy,
5741 [NFT_MSG_NEWCHAIN] = {
5742 .call_batch = nf_tables_newchain,
5743 .attr_count = NFTA_CHAIN_MAX,
5744 .policy = nft_chain_policy,
5746 [NFT_MSG_GETCHAIN] = {
5747 .call = nf_tables_getchain,
5748 .attr_count = NFTA_CHAIN_MAX,
5749 .policy = nft_chain_policy,
5751 [NFT_MSG_DELCHAIN] = {
5752 .call_batch = nf_tables_delchain,
5753 .attr_count = NFTA_CHAIN_MAX,
5754 .policy = nft_chain_policy,
5756 [NFT_MSG_NEWRULE] = {
5757 .call_batch = nf_tables_newrule,
5758 .attr_count = NFTA_RULE_MAX,
5759 .policy = nft_rule_policy,
5761 [NFT_MSG_GETRULE] = {
5762 .call = nf_tables_getrule,
5763 .attr_count = NFTA_RULE_MAX,
5764 .policy = nft_rule_policy,
5766 [NFT_MSG_DELRULE] = {
5767 .call_batch = nf_tables_delrule,
5768 .attr_count = NFTA_RULE_MAX,
5769 .policy = nft_rule_policy,
5771 [NFT_MSG_NEWSET] = {
5772 .call_batch = nf_tables_newset,
5773 .attr_count = NFTA_SET_MAX,
5774 .policy = nft_set_policy,
5776 [NFT_MSG_GETSET] = {
5777 .call = nf_tables_getset,
5778 .attr_count = NFTA_SET_MAX,
5779 .policy = nft_set_policy,
5781 [NFT_MSG_DELSET] = {
5782 .call_batch = nf_tables_delset,
5783 .attr_count = NFTA_SET_MAX,
5784 .policy = nft_set_policy,
5786 [NFT_MSG_NEWSETELEM] = {
5787 .call_batch = nf_tables_newsetelem,
5788 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5789 .policy = nft_set_elem_list_policy,
5791 [NFT_MSG_GETSETELEM] = {
5792 .call = nf_tables_getsetelem,
5793 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5794 .policy = nft_set_elem_list_policy,
5796 [NFT_MSG_DELSETELEM] = {
5797 .call_batch = nf_tables_delsetelem,
5798 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5799 .policy = nft_set_elem_list_policy,
5801 [NFT_MSG_GETGEN] = {
5802 .call = nf_tables_getgen,
5804 [NFT_MSG_NEWOBJ] = {
5805 .call_batch = nf_tables_newobj,
5806 .attr_count = NFTA_OBJ_MAX,
5807 .policy = nft_obj_policy,
5809 [NFT_MSG_GETOBJ] = {
5810 .call = nf_tables_getobj,
5811 .attr_count = NFTA_OBJ_MAX,
5812 .policy = nft_obj_policy,
5814 [NFT_MSG_DELOBJ] = {
5815 .call_batch = nf_tables_delobj,
5816 .attr_count = NFTA_OBJ_MAX,
5817 .policy = nft_obj_policy,
5819 [NFT_MSG_GETOBJ_RESET] = {
5820 .call = nf_tables_getobj,
5821 .attr_count = NFTA_OBJ_MAX,
5822 .policy = nft_obj_policy,
5824 [NFT_MSG_NEWFLOWTABLE] = {
5825 .call_batch = nf_tables_newflowtable,
5826 .attr_count = NFTA_FLOWTABLE_MAX,
5827 .policy = nft_flowtable_policy,
5829 [NFT_MSG_GETFLOWTABLE] = {
5830 .call = nf_tables_getflowtable,
5831 .attr_count = NFTA_FLOWTABLE_MAX,
5832 .policy = nft_flowtable_policy,
5834 [NFT_MSG_DELFLOWTABLE] = {
5835 .call_batch = nf_tables_delflowtable,
5836 .attr_count = NFTA_FLOWTABLE_MAX,
5837 .policy = nft_flowtable_policy,
5841 static void nft_chain_commit_update(struct nft_trans *trans)
5843 struct nft_base_chain *basechain;
5845 if (nft_trans_chain_name(trans))
5846 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5848 if (!nft_is_base_chain(trans->ctx.chain))
5851 basechain = nft_base_chain(trans->ctx.chain);
5852 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5854 switch (nft_trans_chain_policy(trans)) {
5857 basechain->policy = nft_trans_chain_policy(trans);
5862 static void nft_commit_release(struct nft_trans *trans)
5864 switch (trans->msg_type) {
5865 case NFT_MSG_DELTABLE:
5866 nf_tables_table_destroy(&trans->ctx);
5868 case NFT_MSG_DELCHAIN:
5869 nf_tables_chain_destroy(&trans->ctx);
5871 case NFT_MSG_DELRULE:
5872 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5874 case NFT_MSG_DELSET:
5875 nft_set_destroy(nft_trans_set(trans));
5877 case NFT_MSG_DELSETELEM:
5878 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5879 nft_trans_elem(trans).priv);
5881 case NFT_MSG_DELOBJ:
5882 nft_obj_destroy(nft_trans_obj(trans));
5884 case NFT_MSG_DELFLOWTABLE:
5885 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5891 static void nf_tables_commit_release(struct net *net)
5893 struct nft_trans *trans, *next;
5895 if (list_empty(&net->nft.commit_list))
5900 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5901 list_del(&trans->list);
5902 nft_commit_release(trans);
5906 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5908 struct nft_trans *trans, *next;
5909 struct nft_trans_elem *te;
5911 /* Bump generation counter, invalidate any dump in progress */
5912 while (++net->nft.base_seq == 0);
5914 /* A new generation has just started */
5915 net->nft.gencursor = nft_gencursor_next(net);
5917 /* Make sure all packets have left the previous generation before
5918 * purging old rules.
5922 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5923 switch (trans->msg_type) {
5924 case NFT_MSG_NEWTABLE:
5925 if (nft_trans_table_update(trans)) {
5926 if (!nft_trans_table_enable(trans)) {
5927 nf_tables_table_disable(net,
5929 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5932 nft_clear(net, trans->ctx.table);
5934 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5935 nft_trans_destroy(trans);
5937 case NFT_MSG_DELTABLE:
5938 list_del_rcu(&trans->ctx.table->list);
5939 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5941 case NFT_MSG_NEWCHAIN:
5942 if (nft_trans_chain_update(trans))
5943 nft_chain_commit_update(trans);
5945 nft_clear(net, trans->ctx.chain);
5947 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5948 nft_trans_destroy(trans);
5950 case NFT_MSG_DELCHAIN:
5951 list_del_rcu(&trans->ctx.chain->list);
5952 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5953 nf_tables_unregister_hook(trans->ctx.net,
5957 case NFT_MSG_NEWRULE:
5958 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5959 nf_tables_rule_notify(&trans->ctx,
5960 nft_trans_rule(trans),
5962 nft_trans_destroy(trans);
5964 case NFT_MSG_DELRULE:
5965 list_del_rcu(&nft_trans_rule(trans)->list);
5966 nf_tables_rule_notify(&trans->ctx,
5967 nft_trans_rule(trans),
5970 case NFT_MSG_NEWSET:
5971 nft_clear(net, nft_trans_set(trans));
5972 /* This avoids hitting -EBUSY when deleting the table
5973 * from the transaction.
5975 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5976 !list_empty(&nft_trans_set(trans)->bindings))
5977 trans->ctx.table->use--;
5979 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5980 NFT_MSG_NEWSET, GFP_KERNEL);
5981 nft_trans_destroy(trans);
5983 case NFT_MSG_DELSET:
5984 list_del_rcu(&nft_trans_set(trans)->list);
5985 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5986 NFT_MSG_DELSET, GFP_KERNEL);
5988 case NFT_MSG_NEWSETELEM:
5989 te = (struct nft_trans_elem *)trans->data;
5991 te->set->ops->activate(net, te->set, &te->elem);
5992 nf_tables_setelem_notify(&trans->ctx, te->set,
5994 NFT_MSG_NEWSETELEM, 0);
5995 nft_trans_destroy(trans);
5997 case NFT_MSG_DELSETELEM:
5998 te = (struct nft_trans_elem *)trans->data;
6000 nf_tables_setelem_notify(&trans->ctx, te->set,
6002 NFT_MSG_DELSETELEM, 0);
6003 te->set->ops->remove(net, te->set, &te->elem);
6004 atomic_dec(&te->set->nelems);
6007 case NFT_MSG_NEWOBJ:
6008 nft_clear(net, nft_trans_obj(trans));
6009 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6011 nft_trans_destroy(trans);
6013 case NFT_MSG_DELOBJ:
6014 list_del_rcu(&nft_trans_obj(trans)->list);
6015 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6018 case NFT_MSG_NEWFLOWTABLE:
6019 nft_clear(net, nft_trans_flowtable(trans));
6020 nf_tables_flowtable_notify(&trans->ctx,
6021 nft_trans_flowtable(trans),
6022 NFT_MSG_NEWFLOWTABLE);
6023 nft_trans_destroy(trans);
6025 case NFT_MSG_DELFLOWTABLE:
6026 list_del_rcu(&nft_trans_flowtable(trans)->list);
6027 nf_tables_flowtable_notify(&trans->ctx,
6028 nft_trans_flowtable(trans),
6029 NFT_MSG_DELFLOWTABLE);
6030 nft_unregister_flowtable_net_hooks(net,
6031 nft_trans_flowtable(trans));
6036 nf_tables_commit_release(net);
6037 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6042 static void nf_tables_abort_release(struct nft_trans *trans)
6044 switch (trans->msg_type) {
6045 case NFT_MSG_NEWTABLE:
6046 nf_tables_table_destroy(&trans->ctx);
6048 case NFT_MSG_NEWCHAIN:
6049 nf_tables_chain_destroy(&trans->ctx);
6051 case NFT_MSG_NEWRULE:
6052 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6054 case NFT_MSG_NEWSET:
6055 nft_set_destroy(nft_trans_set(trans));
6057 case NFT_MSG_NEWSETELEM:
6058 nft_set_elem_destroy(nft_trans_elem_set(trans),
6059 nft_trans_elem(trans).priv, true);
6061 case NFT_MSG_NEWOBJ:
6062 nft_obj_destroy(nft_trans_obj(trans));
6064 case NFT_MSG_NEWFLOWTABLE:
6065 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6071 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6073 struct nft_trans *trans, *next;
6074 struct nft_trans_elem *te;
6076 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6078 switch (trans->msg_type) {
6079 case NFT_MSG_NEWTABLE:
6080 if (nft_trans_table_update(trans)) {
6081 if (nft_trans_table_enable(trans)) {
6082 nf_tables_table_disable(net,
6084 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6086 nft_trans_destroy(trans);
6088 list_del_rcu(&trans->ctx.table->list);
6091 case NFT_MSG_DELTABLE:
6092 nft_clear(trans->ctx.net, trans->ctx.table);
6093 nft_trans_destroy(trans);
6095 case NFT_MSG_NEWCHAIN:
6096 if (nft_trans_chain_update(trans)) {
6097 free_percpu(nft_trans_chain_stats(trans));
6099 nft_trans_destroy(trans);
6101 trans->ctx.table->use--;
6102 list_del_rcu(&trans->ctx.chain->list);
6103 nf_tables_unregister_hook(trans->ctx.net,
6108 case NFT_MSG_DELCHAIN:
6109 trans->ctx.table->use++;
6110 nft_clear(trans->ctx.net, trans->ctx.chain);
6111 nft_trans_destroy(trans);
6113 case NFT_MSG_NEWRULE:
6114 trans->ctx.chain->use--;
6115 list_del_rcu(&nft_trans_rule(trans)->list);
6116 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6118 case NFT_MSG_DELRULE:
6119 trans->ctx.chain->use++;
6120 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6121 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6122 nft_trans_destroy(trans);
6124 case NFT_MSG_NEWSET:
6125 trans->ctx.table->use--;
6126 list_del_rcu(&nft_trans_set(trans)->list);
6128 case NFT_MSG_DELSET:
6129 trans->ctx.table->use++;
6130 nft_clear(trans->ctx.net, nft_trans_set(trans));
6131 nft_trans_destroy(trans);
6133 case NFT_MSG_NEWSETELEM:
6134 te = (struct nft_trans_elem *)trans->data;
6136 te->set->ops->remove(net, te->set, &te->elem);
6137 atomic_dec(&te->set->nelems);
6139 case NFT_MSG_DELSETELEM:
6140 te = (struct nft_trans_elem *)trans->data;
6142 nft_set_elem_activate(net, te->set, &te->elem);
6143 te->set->ops->activate(net, te->set, &te->elem);
6146 nft_trans_destroy(trans);
6148 case NFT_MSG_NEWOBJ:
6149 trans->ctx.table->use--;
6150 list_del_rcu(&nft_trans_obj(trans)->list);
6152 case NFT_MSG_DELOBJ:
6153 trans->ctx.table->use++;
6154 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6155 nft_trans_destroy(trans);
6157 case NFT_MSG_NEWFLOWTABLE:
6158 trans->ctx.table->use--;
6159 list_del_rcu(&nft_trans_flowtable(trans)->list);
6160 nft_unregister_flowtable_net_hooks(net,
6161 nft_trans_flowtable(trans));
6163 case NFT_MSG_DELFLOWTABLE:
6164 trans->ctx.table->use++;
6165 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6166 nft_trans_destroy(trans);
6173 list_for_each_entry_safe_reverse(trans, next,
6174 &net->nft.commit_list, list) {
6175 list_del(&trans->list);
6176 nf_tables_abort_release(trans);
6182 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6184 return net->nft.base_seq == genid;
6187 static const struct nfnetlink_subsystem nf_tables_subsys = {
6188 .name = "nf_tables",
6189 .subsys_id = NFNL_SUBSYS_NFTABLES,
6190 .cb_count = NFT_MSG_MAX,
6192 .commit = nf_tables_commit,
6193 .abort = nf_tables_abort,
6194 .valid_genid = nf_tables_valid_genid,
6197 int nft_chain_validate_dependency(const struct nft_chain *chain,
6198 enum nft_chain_types type)
6200 const struct nft_base_chain *basechain;
6202 if (nft_is_base_chain(chain)) {
6203 basechain = nft_base_chain(chain);
6204 if (basechain->type->type != type)
6209 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6211 int nft_chain_validate_hooks(const struct nft_chain *chain,
6212 unsigned int hook_flags)
6214 struct nft_base_chain *basechain;
6216 if (nft_is_base_chain(chain)) {
6217 basechain = nft_base_chain(chain);
6219 if ((1 << basechain->ops.hooknum) & hook_flags)
6227 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6230 * Loop detection - walk through the ruleset beginning at the destination chain
6231 * of a new jump until either the source chain is reached (loop) or all
6232 * reachable chains have been traversed.
6234 * The loop check is performed whenever a new jump verdict is added to an
6235 * expression or verdict map or a verdict map is bound to a new chain.
6238 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6239 const struct nft_chain *chain);
6241 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6242 struct nft_set *set,
6243 const struct nft_set_iter *iter,
6244 struct nft_set_elem *elem)
6246 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6247 const struct nft_data *data;
6249 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6250 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6253 data = nft_set_ext_data(ext);
6254 switch (data->verdict.code) {
6257 return nf_tables_check_loops(ctx, data->verdict.chain);
6263 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6264 const struct nft_chain *chain)
6266 const struct nft_rule *rule;
6267 const struct nft_expr *expr, *last;
6268 struct nft_set *set;
6269 struct nft_set_binding *binding;
6270 struct nft_set_iter iter;
6272 if (ctx->chain == chain)
6275 list_for_each_entry(rule, &chain->rules, list) {
6276 nft_rule_for_each_expr(expr, last, rule) {
6277 const struct nft_data *data = NULL;
6280 if (!expr->ops->validate)
6283 err = expr->ops->validate(ctx, expr, &data);
6290 switch (data->verdict.code) {
6293 err = nf_tables_check_loops(ctx,
6294 data->verdict.chain);
6303 list_for_each_entry(set, &ctx->table->sets, list) {
6304 if (!nft_is_active_next(ctx->net, set))
6306 if (!(set->flags & NFT_SET_MAP) ||
6307 set->dtype != NFT_DATA_VERDICT)
6310 list_for_each_entry(binding, &set->bindings, list) {
6311 if (!(binding->flags & NFT_SET_MAP) ||
6312 binding->chain != chain)
6315 iter.genmask = nft_genmask_next(ctx->net);
6319 iter.fn = nf_tables_loop_check_setelem;
6321 set->ops->walk(ctx, set, &iter);
6331 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6333 * @attr: netlink attribute to fetch value from
6334 * @max: maximum value to be stored in dest
6335 * @dest: pointer to the variable
6337 * Parse, check and store a given u32 netlink attribute into variable.
6338 * This function returns -ERANGE if the value goes over maximum value.
6339 * Otherwise a 0 is returned and the attribute value is stored in the
6340 * destination variable.
6342 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6346 val = ntohl(nla_get_be32(attr));
6353 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6356 * nft_parse_register - parse a register value from a netlink attribute
6358 * @attr: netlink attribute
6360 * Parse and translate a register value from a netlink attribute.
6361 * Registers used to be 128 bit wide, these register numbers will be
6362 * mapped to the corresponding 32 bit register numbers.
6364 unsigned int nft_parse_register(const struct nlattr *attr)
6368 reg = ntohl(nla_get_be32(attr));
6370 case NFT_REG_VERDICT...NFT_REG_4:
6371 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6373 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6376 EXPORT_SYMBOL_GPL(nft_parse_register);
6379 * nft_dump_register - dump a register value to a netlink attribute
6381 * @skb: socket buffer
6382 * @attr: attribute number
6383 * @reg: register number
6385 * Construct a netlink attribute containing the register number. For
6386 * compatibility reasons, register numbers being a multiple of 4 are
6387 * translated to the corresponding 128 bit register numbers.
6389 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6391 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6392 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6394 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6396 return nla_put_be32(skb, attr, htonl(reg));
6398 EXPORT_SYMBOL_GPL(nft_dump_register);
6401 * nft_validate_register_load - validate a load from a register
6403 * @reg: the register number
6404 * @len: the length of the data
6406 * Validate that the input register is one of the general purpose
6407 * registers and that the length of the load is within the bounds.
6409 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6411 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6415 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6420 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6423 * nft_validate_register_store - validate an expressions' register store
6425 * @ctx: context of the expression performing the load
6426 * @reg: the destination register number
6427 * @data: the data to load
6428 * @type: the data type
6429 * @len: the length of the data
6431 * Validate that a data load uses the appropriate data type for
6432 * the destination register and the length is within the bounds.
6433 * A value of NULL for the data means that its runtime gathered
6436 int nft_validate_register_store(const struct nft_ctx *ctx,
6437 enum nft_registers reg,
6438 const struct nft_data *data,
6439 enum nft_data_types type, unsigned int len)
6444 case NFT_REG_VERDICT:
6445 if (type != NFT_DATA_VERDICT)
6449 (data->verdict.code == NFT_GOTO ||
6450 data->verdict.code == NFT_JUMP)) {
6451 err = nf_tables_check_loops(ctx, data->verdict.chain);
6455 if (ctx->chain->level + 1 >
6456 data->verdict.chain->level) {
6457 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6459 data->verdict.chain->level = ctx->chain->level + 1;
6465 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6469 if (reg * NFT_REG32_SIZE + len >
6470 FIELD_SIZEOF(struct nft_regs, data))
6473 if (data != NULL && type != NFT_DATA_VALUE)
6478 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6480 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6481 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6482 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6483 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6486 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6487 struct nft_data_desc *desc, const struct nlattr *nla)
6489 u8 genmask = nft_genmask_next(ctx->net);
6490 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6491 struct nft_chain *chain;
6494 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6499 if (!tb[NFTA_VERDICT_CODE])
6501 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6503 switch (data->verdict.code) {
6505 switch (data->verdict.code & NF_VERDICT_MASK) {
6520 if (!tb[NFTA_VERDICT_CHAIN])
6522 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6525 return PTR_ERR(chain);
6526 if (nft_is_base_chain(chain))
6530 data->verdict.chain = chain;
6534 desc->len = sizeof(data->verdict);
6535 desc->type = NFT_DATA_VERDICT;
6539 static void nft_verdict_uninit(const struct nft_data *data)
6541 switch (data->verdict.code) {
6544 data->verdict.chain->use--;
6549 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6551 struct nlattr *nest;
6553 nest = nla_nest_start(skb, type);
6555 goto nla_put_failure;
6557 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6558 goto nla_put_failure;
6563 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6565 goto nla_put_failure;
6567 nla_nest_end(skb, nest);
6574 static int nft_value_init(const struct nft_ctx *ctx,
6575 struct nft_data *data, unsigned int size,
6576 struct nft_data_desc *desc, const struct nlattr *nla)
6586 nla_memcpy(data->data, nla, len);
6587 desc->type = NFT_DATA_VALUE;
6592 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6595 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6598 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6599 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6600 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6604 * nft_data_init - parse nf_tables data netlink attributes
6606 * @ctx: context of the expression using the data
6607 * @data: destination struct nft_data
6608 * @size: maximum data length
6609 * @desc: data description
6610 * @nla: netlink attribute containing data
6612 * Parse the netlink data attributes and initialize a struct nft_data.
6613 * The type and length of data are returned in the data description.
6615 * The caller can indicate that it only wants to accept data of type
6616 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6618 int nft_data_init(const struct nft_ctx *ctx,
6619 struct nft_data *data, unsigned int size,
6620 struct nft_data_desc *desc, const struct nlattr *nla)
6622 struct nlattr *tb[NFTA_DATA_MAX + 1];
6625 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6629 if (tb[NFTA_DATA_VALUE])
6630 return nft_value_init(ctx, data, size, desc,
6631 tb[NFTA_DATA_VALUE]);
6632 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6633 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6636 EXPORT_SYMBOL_GPL(nft_data_init);
6639 * nft_data_release - release a nft_data item
6641 * @data: struct nft_data to release
6642 * @type: type of data
6644 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6645 * all others need to be released by calling this function.
6647 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6649 if (type < NFT_DATA_VERDICT)
6652 case NFT_DATA_VERDICT:
6653 return nft_verdict_uninit(data);
6658 EXPORT_SYMBOL_GPL(nft_data_release);
6660 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6661 enum nft_data_types type, unsigned int len)
6663 struct nlattr *nest;
6666 nest = nla_nest_start(skb, attr);
6671 case NFT_DATA_VALUE:
6672 err = nft_value_dump(skb, data, len);
6674 case NFT_DATA_VERDICT:
6675 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6682 nla_nest_end(skb, nest);
6685 EXPORT_SYMBOL_GPL(nft_data_dump);
6687 int __nft_release_basechain(struct nft_ctx *ctx)
6689 struct nft_rule *rule, *nr;
6691 BUG_ON(!nft_is_base_chain(ctx->chain));
6693 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6694 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6695 list_del(&rule->list);
6697 nf_tables_rule_release(ctx, rule);
6699 list_del(&ctx->chain->list);
6701 nf_tables_chain_destroy(ctx);
6705 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6707 static void __nft_release_tables(struct net *net)
6709 struct nft_flowtable *flowtable, *nf;
6710 struct nft_table *table, *nt;
6711 struct nft_chain *chain, *nc;
6712 struct nft_object *obj, *ne;
6713 struct nft_rule *rule, *nr;
6714 struct nft_set *set, *ns;
6715 struct nft_ctx ctx = {
6717 .family = NFPROTO_NETDEV,
6720 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6721 ctx.family = table->family;
6723 list_for_each_entry(chain, &table->chains, list)
6724 nf_tables_unregister_hook(net, table, chain);
6725 list_for_each_entry(flowtable, &table->flowtables, list)
6726 nf_unregister_net_hooks(net, flowtable->ops,
6727 flowtable->ops_len);
6728 /* No packets are walking on these chains anymore. */
6730 list_for_each_entry(chain, &table->chains, list) {
6732 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6733 list_del(&rule->list);
6735 nf_tables_rule_release(&ctx, rule);
6738 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6739 list_del(&flowtable->list);
6741 nf_tables_flowtable_destroy(flowtable);
6743 list_for_each_entry_safe(set, ns, &table->sets, list) {
6744 list_del(&set->list);
6746 nft_set_destroy(set);
6748 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6749 list_del(&obj->list);
6751 nft_obj_destroy(obj);
6753 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6755 list_del(&chain->list);
6757 nf_tables_chain_destroy(&ctx);
6759 list_del(&table->list);
6760 nf_tables_table_destroy(&ctx);
6764 static int __net_init nf_tables_init_net(struct net *net)
6766 INIT_LIST_HEAD(&net->nft.tables);
6767 INIT_LIST_HEAD(&net->nft.commit_list);
6768 net->nft.base_seq = 1;
6772 static void __net_exit nf_tables_exit_net(struct net *net)
6774 __nft_release_tables(net);
6775 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6776 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6779 static struct pernet_operations nf_tables_net_ops = {
6780 .init = nf_tables_init_net,
6781 .exit = nf_tables_exit_net,
6784 static int __init nf_tables_module_init(void)
6788 nft_chain_filter_init();
6790 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6797 err = nf_tables_core_module_init();
6801 err = nfnetlink_subsys_register(&nf_tables_subsys);
6805 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6807 return register_pernet_subsys(&nf_tables_net_ops);
6809 nf_tables_core_module_exit();
6816 static void __exit nf_tables_module_exit(void)
6818 unregister_pernet_subsys(&nf_tables_net_ops);
6819 nfnetlink_subsys_unregister(&nf_tables_subsys);
6820 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6822 nf_tables_core_module_exit();
6824 nft_chain_filter_fini();
6827 module_init(nf_tables_module_init);
6828 module_exit(nf_tables_module_exit);
6830 MODULE_LICENSE("GPL");
6831 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6832 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
OSDN Git Service
