1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly;
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 NFT_VALIDATE_SKIP = 0,
42 static struct rhltable nft_objname_ht;
44 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
49 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
50 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52 static const struct rhashtable_params nft_chain_ht_params = {
53 .head_offset = offsetof(struct nft_chain, rhlhead),
54 .key_offset = offsetof(struct nft_chain, name),
55 .hashfn = nft_chain_hash,
56 .obj_hashfn = nft_chain_hash_obj,
57 .obj_cmpfn = nft_chain_hash_cmp,
58 .automatic_shrinking = true,
61 static const struct rhashtable_params nft_objname_ht_params = {
62 .head_offset = offsetof(struct nft_object, rhlhead),
63 .key_offset = offsetof(struct nft_object, key),
64 .hashfn = nft_objname_hash,
65 .obj_hashfn = nft_objname_hash_obj,
66 .obj_cmpfn = nft_objname_hash_cmp,
67 .automatic_shrinking = true,
70 struct nft_audit_data {
71 struct nft_table *table;
74 struct list_head list;
77 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
78 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
79 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
80 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
81 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
82 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
84 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
85 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
87 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
88 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
90 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
91 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
93 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
94 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
97 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
99 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
100 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
101 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
107 switch (table->validate_state) {
108 case NFT_VALIDATE_SKIP:
109 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
111 case NFT_VALIDATE_NEED:
113 case NFT_VALIDATE_DO:
114 if (new_validate_state == NFT_VALIDATE_NEED)
118 table->validate_state = new_validate_state;
120 static void nf_tables_trans_destroy_work(struct work_struct *w);
121 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
123 static void nft_ctx_init(struct nft_ctx *ctx,
125 const struct sk_buff *skb,
126 const struct nlmsghdr *nlh,
128 struct nft_table *table,
129 struct nft_chain *chain,
130 const struct nlattr * const *nla)
133 ctx->family = family;
138 ctx->portid = NETLINK_CB(skb).portid;
139 ctx->report = nlmsg_report(nlh);
140 ctx->flags = nlh->nlmsg_flags;
141 ctx->seq = nlh->nlmsg_seq;
144 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
145 int msg_type, u32 size, gfp_t gfp)
147 struct nft_trans *trans;
149 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
153 INIT_LIST_HEAD(&trans->list);
154 trans->msg_type = msg_type;
160 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
161 int msg_type, u32 size)
163 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
166 static void nft_trans_destroy(struct nft_trans *trans)
168 list_del(&trans->list);
172 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
175 struct nftables_pernet *nft_net;
176 struct net *net = ctx->net;
177 struct nft_trans *trans;
179 if (!nft_set_is_anonymous(set))
182 nft_net = nft_pernet(net);
183 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
184 switch (trans->msg_type) {
186 if (nft_trans_set(trans) == set)
187 nft_trans_set_bound(trans) = bind;
189 case NFT_MSG_NEWSETELEM:
190 if (nft_trans_elem_set(trans) == set)
191 nft_trans_elem_set_bound(trans) = bind;
197 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
199 return __nft_set_trans_bind(ctx, set, true);
202 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
204 return __nft_set_trans_bind(ctx, set, false);
207 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
208 struct nft_chain *chain, bool bind)
210 struct nftables_pernet *nft_net;
211 struct net *net = ctx->net;
212 struct nft_trans *trans;
214 if (!nft_chain_binding(chain))
217 nft_net = nft_pernet(net);
218 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
219 switch (trans->msg_type) {
220 case NFT_MSG_NEWCHAIN:
221 if (nft_trans_chain(trans) == chain)
222 nft_trans_chain_bound(trans) = bind;
224 case NFT_MSG_NEWRULE:
225 if (trans->ctx.chain == chain)
226 nft_trans_rule_bound(trans) = bind;
232 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
233 struct nft_chain *chain)
235 __nft_chain_trans_bind(ctx, chain, true);
238 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
240 if (!nft_chain_binding(chain))
243 if (nft_chain_binding(ctx->chain))
251 nft_chain_trans_bind(ctx, chain);
256 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
258 __nft_chain_trans_bind(ctx, chain, false);
261 static int nft_netdev_register_hooks(struct net *net,
262 struct list_head *hook_list)
264 struct nft_hook *hook;
268 list_for_each_entry(hook, hook_list, list) {
269 err = nf_register_net_hook(net, &hook->ops);
278 list_for_each_entry(hook, hook_list, list) {
282 nf_unregister_net_hook(net, &hook->ops);
287 static void nft_netdev_unregister_hooks(struct net *net,
288 struct list_head *hook_list,
291 struct nft_hook *hook, *next;
293 list_for_each_entry_safe(hook, next, hook_list, list) {
294 nf_unregister_net_hook(net, &hook->ops);
295 if (release_netdev) {
296 list_del(&hook->list);
297 kfree_rcu(hook, rcu);
302 static int nf_tables_register_hook(struct net *net,
303 const struct nft_table *table,
304 struct nft_chain *chain)
306 struct nft_base_chain *basechain;
307 const struct nf_hook_ops *ops;
309 if (table->flags & NFT_TABLE_F_DORMANT ||
310 !nft_is_base_chain(chain))
313 basechain = nft_base_chain(chain);
314 ops = &basechain->ops;
316 if (basechain->type->ops_register)
317 return basechain->type->ops_register(net, ops);
319 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
320 return nft_netdev_register_hooks(net, &basechain->hook_list);
322 return nf_register_net_hook(net, &basechain->ops);
325 static void __nf_tables_unregister_hook(struct net *net,
326 const struct nft_table *table,
327 struct nft_chain *chain,
330 struct nft_base_chain *basechain;
331 const struct nf_hook_ops *ops;
333 if (table->flags & NFT_TABLE_F_DORMANT ||
334 !nft_is_base_chain(chain))
336 basechain = nft_base_chain(chain);
337 ops = &basechain->ops;
339 if (basechain->type->ops_unregister)
340 return basechain->type->ops_unregister(net, ops);
342 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
343 nft_netdev_unregister_hooks(net, &basechain->hook_list,
346 nf_unregister_net_hook(net, &basechain->ops);
349 static void nf_tables_unregister_hook(struct net *net,
350 const struct nft_table *table,
351 struct nft_chain *chain)
353 return __nf_tables_unregister_hook(net, table, chain, false);
356 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
358 struct nftables_pernet *nft_net = nft_pernet(net);
360 list_add_tail(&trans->list, &nft_net->commit_list);
363 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
365 struct nft_trans *trans;
367 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
371 if (msg_type == NFT_MSG_NEWTABLE)
372 nft_activate_next(ctx->net, ctx->table);
374 nft_trans_commit_list_add_tail(ctx->net, trans);
378 static int nft_deltable(struct nft_ctx *ctx)
382 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
386 nft_deactivate_next(ctx->net, ctx->table);
390 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
392 struct nft_trans *trans;
394 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
396 return ERR_PTR(-ENOMEM);
398 if (msg_type == NFT_MSG_NEWCHAIN) {
399 nft_activate_next(ctx->net, ctx->chain);
401 if (ctx->nla[NFTA_CHAIN_ID]) {
402 nft_trans_chain_id(trans) =
403 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
406 nft_trans_chain(trans) = ctx->chain;
407 nft_trans_commit_list_add_tail(ctx->net, trans);
412 static int nft_delchain(struct nft_ctx *ctx)
414 struct nft_trans *trans;
416 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
418 return PTR_ERR(trans);
421 nft_deactivate_next(ctx->net, ctx->chain);
426 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
428 struct nft_expr *expr;
430 expr = nft_expr_first(rule);
431 while (nft_expr_more(rule, expr)) {
432 if (expr->ops->activate)
433 expr->ops->activate(ctx, expr);
435 expr = nft_expr_next(expr);
439 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
440 enum nft_trans_phase phase)
442 struct nft_expr *expr;
444 expr = nft_expr_first(rule);
445 while (nft_expr_more(rule, expr)) {
446 if (expr->ops->deactivate)
447 expr->ops->deactivate(ctx, expr, phase);
449 expr = nft_expr_next(expr);
454 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
456 /* You cannot delete the same rule twice */
457 if (nft_is_active_next(ctx->net, rule)) {
458 nft_deactivate_next(ctx->net, rule);
465 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
466 struct nft_rule *rule)
468 struct nft_trans *trans;
470 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
474 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
475 nft_trans_rule_id(trans) =
476 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
478 nft_trans_rule(trans) = rule;
479 nft_trans_commit_list_add_tail(ctx->net, trans);
484 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
486 struct nft_flow_rule *flow;
487 struct nft_trans *trans;
490 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
494 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
495 flow = nft_flow_rule_create(ctx->net, rule);
497 nft_trans_destroy(trans);
498 return PTR_ERR(flow);
501 nft_trans_flow_rule(trans) = flow;
504 err = nf_tables_delrule_deactivate(ctx, rule);
506 nft_trans_destroy(trans);
509 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
514 static int nft_delrule_by_chain(struct nft_ctx *ctx)
516 struct nft_rule *rule;
519 list_for_each_entry(rule, &ctx->chain->rules, list) {
520 if (!nft_is_active_next(ctx->net, rule))
523 err = nft_delrule(ctx, rule);
530 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
532 const struct nft_set_desc *desc)
534 struct nft_trans *trans;
536 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
540 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
541 nft_trans_set_id(trans) =
542 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
543 nft_activate_next(ctx->net, set);
545 nft_trans_set(trans) = set;
547 nft_trans_set_update(trans) = true;
548 nft_trans_set_gc_int(trans) = desc->gc_int;
549 nft_trans_set_timeout(trans) = desc->timeout;
551 nft_trans_commit_list_add_tail(ctx->net, trans);
556 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
559 return __nft_trans_set_add(ctx, msg_type, set, NULL);
562 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
566 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
570 nft_deactivate_next(ctx->net, set);
576 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
577 struct nft_object *obj)
579 struct nft_trans *trans;
581 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
585 if (msg_type == NFT_MSG_NEWOBJ)
586 nft_activate_next(ctx->net, obj);
588 nft_trans_obj(trans) = obj;
589 nft_trans_commit_list_add_tail(ctx->net, trans);
594 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
598 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
602 nft_deactivate_next(ctx->net, obj);
608 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
609 struct nft_flowtable *flowtable)
611 struct nft_trans *trans;
613 trans = nft_trans_alloc(ctx, msg_type,
614 sizeof(struct nft_trans_flowtable));
618 if (msg_type == NFT_MSG_NEWFLOWTABLE)
619 nft_activate_next(ctx->net, flowtable);
621 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
622 nft_trans_flowtable(trans) = flowtable;
623 nft_trans_commit_list_add_tail(ctx->net, trans);
628 static int nft_delflowtable(struct nft_ctx *ctx,
629 struct nft_flowtable *flowtable)
633 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
637 nft_deactivate_next(ctx->net, flowtable);
643 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
647 for (i = track->regs[dreg].num_reg; i > 0; i--)
648 __nft_reg_track_cancel(track, dreg - i);
651 static void __nft_reg_track_update(struct nft_regs_track *track,
652 const struct nft_expr *expr,
655 track->regs[dreg].selector = expr;
656 track->regs[dreg].bitwise = NULL;
657 track->regs[dreg].num_reg = num_reg;
660 void nft_reg_track_update(struct nft_regs_track *track,
661 const struct nft_expr *expr, u8 dreg, u8 len)
663 unsigned int regcount;
666 __nft_reg_track_clobber(track, dreg);
668 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
669 for (i = 0; i < regcount; i++, dreg++)
670 __nft_reg_track_update(track, expr, dreg, i);
672 EXPORT_SYMBOL_GPL(nft_reg_track_update);
674 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
676 unsigned int regcount;
679 __nft_reg_track_clobber(track, dreg);
681 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
682 for (i = 0; i < regcount; i++, dreg++)
683 __nft_reg_track_cancel(track, dreg);
685 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
687 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
689 track->regs[dreg].selector = NULL;
690 track->regs[dreg].bitwise = NULL;
691 track->regs[dreg].num_reg = 0;
693 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
699 static struct nft_table *nft_table_lookup(const struct net *net,
700 const struct nlattr *nla,
701 u8 family, u8 genmask, u32 nlpid)
703 struct nftables_pernet *nft_net;
704 struct nft_table *table;
707 return ERR_PTR(-EINVAL);
709 nft_net = nft_pernet(net);
710 list_for_each_entry_rcu(table, &nft_net->tables, list,
711 lockdep_is_held(&nft_net->commit_mutex)) {
712 if (!nla_strcmp(nla, table->name) &&
713 table->family == family &&
714 nft_active_genmask(table, genmask)) {
715 if (nft_table_has_owner(table) &&
716 nlpid && table->nlpid != nlpid)
717 return ERR_PTR(-EPERM);
723 return ERR_PTR(-ENOENT);
726 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
727 const struct nlattr *nla,
728 u8 genmask, u32 nlpid)
730 struct nftables_pernet *nft_net;
731 struct nft_table *table;
733 nft_net = nft_pernet(net);
734 list_for_each_entry(table, &nft_net->tables, list) {
735 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
736 nft_active_genmask(table, genmask)) {
737 if (nft_table_has_owner(table) &&
738 nlpid && table->nlpid != nlpid)
739 return ERR_PTR(-EPERM);
745 return ERR_PTR(-ENOENT);
748 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
750 return ++table->hgenerator;
753 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
755 static const struct nft_chain_type *
756 __nft_chain_type_get(u8 family, enum nft_chain_types type)
758 if (family >= NFPROTO_NUMPROTO ||
759 type >= NFT_CHAIN_T_MAX)
762 return chain_type[family][type];
765 static const struct nft_chain_type *
766 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
768 const struct nft_chain_type *type;
771 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
772 type = __nft_chain_type_get(family, i);
775 if (!nla_strcmp(nla, type->name))
781 struct nft_module_request {
782 struct list_head list;
783 char module[MODULE_NAME_LEN];
787 #ifdef CONFIG_MODULES
788 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
791 char module_name[MODULE_NAME_LEN];
792 struct nftables_pernet *nft_net;
793 struct nft_module_request *req;
798 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
800 if (ret >= MODULE_NAME_LEN)
803 nft_net = nft_pernet(net);
804 list_for_each_entry(req, &nft_net->module_list, list) {
805 if (!strcmp(req->module, module_name)) {
809 /* A request to load this module already exists. */
814 req = kmalloc(sizeof(*req), GFP_KERNEL);
819 strscpy(req->module, module_name, MODULE_NAME_LEN);
820 list_add_tail(&req->list, &nft_net->module_list);
824 EXPORT_SYMBOL_GPL(nft_request_module);
827 static void lockdep_nfnl_nft_mutex_not_held(void)
829 #ifdef CONFIG_PROVE_LOCKING
831 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
835 static const struct nft_chain_type *
836 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
837 u8 family, bool autoload)
839 const struct nft_chain_type *type;
841 type = __nf_tables_chain_type_lookup(nla, family);
845 lockdep_nfnl_nft_mutex_not_held();
846 #ifdef CONFIG_MODULES
848 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
850 (const char *)nla_data(nla)) == -EAGAIN)
851 return ERR_PTR(-EAGAIN);
854 return ERR_PTR(-ENOENT);
857 static __be16 nft_base_seq(const struct net *net)
859 struct nftables_pernet *nft_net = nft_pernet(net);
861 return htons(nft_net->base_seq & 0xffff);
864 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
865 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
866 .len = NFT_TABLE_MAXNAMELEN - 1 },
867 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
868 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
869 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
870 .len = NFT_USERDATA_MAXLEN }
873 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
874 u32 portid, u32 seq, int event, u32 flags,
875 int family, const struct nft_table *table)
877 struct nlmsghdr *nlh;
879 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
880 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
881 NFNETLINK_V0, nft_base_seq(net));
883 goto nla_put_failure;
885 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
886 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
887 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
889 goto nla_put_failure;
891 if (event == NFT_MSG_DELTABLE) {
896 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
897 htonl(table->flags & NFT_TABLE_F_MASK)))
898 goto nla_put_failure;
900 if (nft_table_has_owner(table) &&
901 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
902 goto nla_put_failure;
905 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
906 goto nla_put_failure;
913 nlmsg_trim(skb, nlh);
917 struct nftnl_skb_parms {
920 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
922 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
923 struct list_head *notify_list)
925 NFT_CB(skb).report = report;
926 list_add_tail(&skb->list, notify_list);
929 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
931 struct nftables_pernet *nft_net;
937 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
940 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
944 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
945 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
947 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
948 event, flags, ctx->family, ctx->table);
954 nft_net = nft_pernet(ctx->net);
955 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
958 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
961 static int nf_tables_dump_tables(struct sk_buff *skb,
962 struct netlink_callback *cb)
964 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
965 struct nftables_pernet *nft_net;
966 const struct nft_table *table;
967 unsigned int idx = 0, s_idx = cb->args[0];
968 struct net *net = sock_net(skb->sk);
969 int family = nfmsg->nfgen_family;
972 nft_net = nft_pernet(net);
973 cb->seq = READ_ONCE(nft_net->base_seq);
975 list_for_each_entry_rcu(table, &nft_net->tables, list) {
976 if (family != NFPROTO_UNSPEC && family != table->family)
982 memset(&cb->args[1], 0,
983 sizeof(cb->args) - sizeof(cb->args[0]));
984 if (!nft_is_active(net, table))
986 if (nf_tables_fill_table_info(skb, net,
987 NETLINK_CB(cb->skb).portid,
989 NFT_MSG_NEWTABLE, NLM_F_MULTI,
990 table->family, table) < 0)
993 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1003 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1004 const struct nlmsghdr *nlh,
1005 struct netlink_dump_control *c)
1009 if (!try_module_get(THIS_MODULE))
1013 err = netlink_dump_start(nlsk, skb, nlh, c);
1015 module_put(THIS_MODULE);
1020 /* called with rcu_read_lock held */
1021 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1022 const struct nlattr * const nla[])
1024 struct netlink_ext_ack *extack = info->extack;
1025 u8 genmask = nft_genmask_cur(info->net);
1026 u8 family = info->nfmsg->nfgen_family;
1027 const struct nft_table *table;
1028 struct net *net = info->net;
1029 struct sk_buff *skb2;
1032 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1033 struct netlink_dump_control c = {
1034 .dump = nf_tables_dump_tables,
1035 .module = THIS_MODULE,
1038 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1041 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1042 if (IS_ERR(table)) {
1043 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1044 return PTR_ERR(table);
1047 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1051 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1052 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1055 goto err_fill_table_info;
1057 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1059 err_fill_table_info:
1064 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1066 struct nft_chain *chain;
1069 list_for_each_entry(chain, &table->chains, list) {
1070 if (!nft_is_active_next(net, chain))
1072 if (!nft_is_base_chain(chain))
1075 if (cnt && i++ == cnt)
1078 nf_tables_unregister_hook(net, table, chain);
1082 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1084 struct nft_chain *chain;
1087 list_for_each_entry(chain, &table->chains, list) {
1088 if (!nft_is_active_next(net, chain))
1090 if (!nft_is_base_chain(chain))
1093 err = nf_tables_register_hook(net, table, chain);
1095 goto err_register_hooks;
1103 nft_table_disable(net, table, i);
1107 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1109 table->flags &= ~NFT_TABLE_F_DORMANT;
1110 nft_table_disable(net, table, 0);
1111 table->flags |= NFT_TABLE_F_DORMANT;
1114 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1115 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1116 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1117 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1118 __NFT_TABLE_F_WAS_AWAKEN)
1120 static int nf_tables_updtable(struct nft_ctx *ctx)
1122 struct nft_trans *trans;
1126 if (!ctx->nla[NFTA_TABLE_FLAGS])
1129 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1130 if (flags & ~NFT_TABLE_F_MASK)
1133 if (flags == ctx->table->flags)
1136 if ((nft_table_has_owner(ctx->table) &&
1137 !(flags & NFT_TABLE_F_OWNER)) ||
1138 (!nft_table_has_owner(ctx->table) &&
1139 flags & NFT_TABLE_F_OWNER))
1142 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1143 sizeof(struct nft_trans_table));
1147 if ((flags & NFT_TABLE_F_DORMANT) &&
1148 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1149 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1150 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1151 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1152 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1153 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1154 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1155 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1156 ret = nf_tables_table_enable(ctx->net, ctx->table);
1158 goto err_register_hooks;
1160 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1164 nft_trans_table_update(trans) = true;
1165 nft_trans_commit_list_add_tail(ctx->net, trans);
1170 nft_trans_destroy(trans);
1174 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1176 const char *name = data;
1178 return jhash(name, strlen(name), seed);
1181 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1183 const struct nft_chain *chain = data;
1185 return nft_chain_hash(chain->name, 0, seed);
1188 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1191 const struct nft_chain *chain = ptr;
1192 const char *name = arg->key;
1194 return strcmp(chain->name, name);
1197 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1199 const struct nft_object_hash_key *k = data;
1201 seed ^= hash_ptr(k->table, 32);
1203 return jhash(k->name, strlen(k->name), seed);
1206 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1208 const struct nft_object *obj = data;
1210 return nft_objname_hash(&obj->key, 0, seed);
1213 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1216 const struct nft_object_hash_key *k = arg->key;
1217 const struct nft_object *obj = ptr;
1219 if (obj->key.table != k->table)
1222 return strcmp(obj->key.name, k->name);
1225 static bool nft_supported_family(u8 family)
1228 #ifdef CONFIG_NF_TABLES_INET
1229 || family == NFPROTO_INET
1231 #ifdef CONFIG_NF_TABLES_IPV4
1232 || family == NFPROTO_IPV4
1234 #ifdef CONFIG_NF_TABLES_ARP
1235 || family == NFPROTO_ARP
1237 #ifdef CONFIG_NF_TABLES_NETDEV
1238 || family == NFPROTO_NETDEV
1240 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1241 || family == NFPROTO_BRIDGE
1243 #ifdef CONFIG_NF_TABLES_IPV6
1244 || family == NFPROTO_IPV6
1249 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1250 const struct nlattr * const nla[])
1252 struct nftables_pernet *nft_net = nft_pernet(info->net);
1253 struct netlink_ext_ack *extack = info->extack;
1254 u8 genmask = nft_genmask_next(info->net);
1255 u8 family = info->nfmsg->nfgen_family;
1256 struct net *net = info->net;
1257 const struct nlattr *attr;
1258 struct nft_table *table;
1263 if (!nft_supported_family(family))
1266 lockdep_assert_held(&nft_net->commit_mutex);
1267 attr = nla[NFTA_TABLE_NAME];
1268 table = nft_table_lookup(net, attr, family, genmask,
1269 NETLINK_CB(skb).portid);
1270 if (IS_ERR(table)) {
1271 if (PTR_ERR(table) != -ENOENT)
1272 return PTR_ERR(table);
1274 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1275 NL_SET_BAD_ATTR(extack, attr);
1278 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1281 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1283 return nf_tables_updtable(&ctx);
1286 if (nla[NFTA_TABLE_FLAGS]) {
1287 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1288 if (flags & ~NFT_TABLE_F_MASK)
1293 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1297 table->validate_state = NFT_VALIDATE_SKIP;
1298 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1299 if (table->name == NULL)
1302 if (nla[NFTA_TABLE_USERDATA]) {
1303 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1304 if (table->udata == NULL)
1305 goto err_table_udata;
1307 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1310 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1314 INIT_LIST_HEAD(&table->chains);
1315 INIT_LIST_HEAD(&table->sets);
1316 INIT_LIST_HEAD(&table->objects);
1317 INIT_LIST_HEAD(&table->flowtables);
1318 table->family = family;
1319 table->flags = flags;
1320 table->handle = ++nft_net->table_handle;
1321 if (table->flags & NFT_TABLE_F_OWNER)
1322 table->nlpid = NETLINK_CB(skb).portid;
1324 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1325 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1329 list_add_tail_rcu(&table->list, &nft_net->tables);
1332 rhltable_destroy(&table->chains_ht);
1334 kfree(table->udata);
1343 static int nft_flush_table(struct nft_ctx *ctx)
1345 struct nft_flowtable *flowtable, *nft;
1346 struct nft_chain *chain, *nc;
1347 struct nft_object *obj, *ne;
1348 struct nft_set *set, *ns;
1351 list_for_each_entry(chain, &ctx->table->chains, list) {
1352 if (!nft_is_active_next(ctx->net, chain))
1355 if (nft_chain_is_bound(chain))
1360 err = nft_delrule_by_chain(ctx);
1365 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1366 if (!nft_is_active_next(ctx->net, set))
1369 if (nft_set_is_anonymous(set) &&
1370 !list_empty(&set->bindings))
1373 err = nft_delset(ctx, set);
1378 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1379 if (!nft_is_active_next(ctx->net, flowtable))
1382 err = nft_delflowtable(ctx, flowtable);
1387 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1388 if (!nft_is_active_next(ctx->net, obj))
1391 err = nft_delobj(ctx, obj);
1396 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1397 if (!nft_is_active_next(ctx->net, chain))
1400 if (nft_chain_is_bound(chain))
1405 err = nft_delchain(ctx);
1410 err = nft_deltable(ctx);
1415 static int nft_flush(struct nft_ctx *ctx, int family)
1417 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1418 const struct nlattr * const *nla = ctx->nla;
1419 struct nft_table *table, *nt;
1422 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1423 if (family != AF_UNSPEC && table->family != family)
1426 ctx->family = table->family;
1428 if (!nft_is_active_next(ctx->net, table))
1431 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1434 if (nla[NFTA_TABLE_NAME] &&
1435 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1440 err = nft_flush_table(ctx);
1448 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1449 const struct nlattr * const nla[])
1451 struct netlink_ext_ack *extack = info->extack;
1452 u8 genmask = nft_genmask_next(info->net);
1453 u8 family = info->nfmsg->nfgen_family;
1454 struct net *net = info->net;
1455 const struct nlattr *attr;
1456 struct nft_table *table;
1459 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1460 if (family == AF_UNSPEC ||
1461 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1462 return nft_flush(&ctx, family);
1464 if (nla[NFTA_TABLE_HANDLE]) {
1465 attr = nla[NFTA_TABLE_HANDLE];
1466 table = nft_table_lookup_byhandle(net, attr, genmask,
1467 NETLINK_CB(skb).portid);
1469 attr = nla[NFTA_TABLE_NAME];
1470 table = nft_table_lookup(net, attr, family, genmask,
1471 NETLINK_CB(skb).portid);
1474 if (IS_ERR(table)) {
1475 if (PTR_ERR(table) == -ENOENT &&
1476 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1479 NL_SET_BAD_ATTR(extack, attr);
1480 return PTR_ERR(table);
1483 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1487 ctx.family = family;
1490 return nft_flush_table(&ctx);
1493 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1495 if (WARN_ON(ctx->table->use > 0))
1498 rhltable_destroy(&ctx->table->chains_ht);
1499 kfree(ctx->table->name);
1500 kfree(ctx->table->udata);
1504 void nft_register_chain_type(const struct nft_chain_type *ctype)
1506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1507 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1511 chain_type[ctype->family][ctype->type] = ctype;
1512 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1514 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1516 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1518 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1519 chain_type[ctype->family][ctype->type] = NULL;
1520 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1522 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1528 static struct nft_chain *
1529 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1531 struct nft_chain *chain;
1533 list_for_each_entry(chain, &table->chains, list) {
1534 if (chain->handle == handle &&
1535 nft_active_genmask(chain, genmask))
1539 return ERR_PTR(-ENOENT);
1542 static bool lockdep_commit_lock_is_held(const struct net *net)
1544 #ifdef CONFIG_PROVE_LOCKING
1545 struct nftables_pernet *nft_net = nft_pernet(net);
1547 return lockdep_is_held(&nft_net->commit_mutex);
1553 static struct nft_chain *nft_chain_lookup(struct net *net,
1554 struct nft_table *table,
1555 const struct nlattr *nla, u8 genmask)
1557 char search[NFT_CHAIN_MAXNAMELEN + 1];
1558 struct rhlist_head *tmp, *list;
1559 struct nft_chain *chain;
1562 return ERR_PTR(-EINVAL);
1564 nla_strscpy(search, nla, sizeof(search));
1566 WARN_ON(!rcu_read_lock_held() &&
1567 !lockdep_commit_lock_is_held(net));
1569 chain = ERR_PTR(-ENOENT);
1571 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1575 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1576 if (nft_active_genmask(chain, genmask))
1579 chain = ERR_PTR(-ENOENT);
1585 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1586 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1587 .len = NFT_TABLE_MAXNAMELEN - 1 },
1588 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1589 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1590 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1591 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1592 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1593 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1594 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1595 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1596 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1597 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1598 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1599 .len = NFT_USERDATA_MAXLEN },
1602 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1603 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1604 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1605 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1606 .len = IFNAMSIZ - 1 },
1609 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1611 struct nft_stats *cpu_stats, total;
1612 struct nlattr *nest;
1620 memset(&total, 0, sizeof(total));
1621 for_each_possible_cpu(cpu) {
1622 cpu_stats = per_cpu_ptr(stats, cpu);
1624 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1625 pkts = cpu_stats->pkts;
1626 bytes = cpu_stats->bytes;
1627 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1629 total.bytes += bytes;
1631 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1633 goto nla_put_failure;
1635 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1636 NFTA_COUNTER_PAD) ||
1637 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1639 goto nla_put_failure;
1641 nla_nest_end(skb, nest);
1648 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1649 const struct nft_base_chain *basechain,
1650 const struct list_head *hook_list)
1652 const struct nf_hook_ops *ops = &basechain->ops;
1653 struct nft_hook *hook, *first = NULL;
1654 struct nlattr *nest, *nest_devs;
1657 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1659 goto nla_put_failure;
1660 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1661 goto nla_put_failure;
1662 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1663 goto nla_put_failure;
1665 if (nft_base_chain_netdev(family, ops->hooknum)) {
1666 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1668 goto nla_put_failure;
1671 hook_list = &basechain->hook_list;
1673 list_for_each_entry(hook, hook_list, list) {
1677 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1678 hook->ops.dev->name))
1679 goto nla_put_failure;
1682 nla_nest_end(skb, nest_devs);
1685 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1686 goto nla_put_failure;
1688 nla_nest_end(skb, nest);
1695 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1696 u32 portid, u32 seq, int event, u32 flags,
1697 int family, const struct nft_table *table,
1698 const struct nft_chain *chain,
1699 const struct list_head *hook_list)
1701 struct nlmsghdr *nlh;
1703 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1704 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1705 NFNETLINK_V0, nft_base_seq(net));
1707 goto nla_put_failure;
1709 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1710 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1711 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1713 goto nla_put_failure;
1715 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1716 nlmsg_end(skb, nlh);
1720 if (nft_is_base_chain(chain)) {
1721 const struct nft_base_chain *basechain = nft_base_chain(chain);
1722 struct nft_stats __percpu *stats;
1724 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1725 goto nla_put_failure;
1727 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1728 htonl(basechain->policy)))
1729 goto nla_put_failure;
1731 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1732 goto nla_put_failure;
1734 stats = rcu_dereference_check(basechain->stats,
1735 lockdep_commit_lock_is_held(net));
1736 if (nft_dump_stats(skb, stats))
1737 goto nla_put_failure;
1741 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1742 goto nla_put_failure;
1744 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1745 goto nla_put_failure;
1748 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1749 goto nla_put_failure;
1751 nlmsg_end(skb, nlh);
1755 nlmsg_trim(skb, nlh);
1759 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1760 const struct list_head *hook_list)
1762 struct nftables_pernet *nft_net;
1763 struct sk_buff *skb;
1768 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1771 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1775 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1776 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1778 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1779 event, flags, ctx->family, ctx->table,
1780 ctx->chain, hook_list);
1786 nft_net = nft_pernet(ctx->net);
1787 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1790 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1793 static int nf_tables_dump_chains(struct sk_buff *skb,
1794 struct netlink_callback *cb)
1796 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1797 unsigned int idx = 0, s_idx = cb->args[0];
1798 struct net *net = sock_net(skb->sk);
1799 int family = nfmsg->nfgen_family;
1800 struct nftables_pernet *nft_net;
1801 const struct nft_table *table;
1802 const struct nft_chain *chain;
1805 nft_net = nft_pernet(net);
1806 cb->seq = READ_ONCE(nft_net->base_seq);
1808 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1809 if (family != NFPROTO_UNSPEC && family != table->family)
1812 list_for_each_entry_rcu(chain, &table->chains, list) {
1816 memset(&cb->args[1], 0,
1817 sizeof(cb->args) - sizeof(cb->args[0]));
1818 if (!nft_is_active(net, chain))
1820 if (nf_tables_fill_chain_info(skb, net,
1821 NETLINK_CB(cb->skb).portid,
1825 table->family, table,
1829 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1840 /* called with rcu_read_lock held */
1841 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1842 const struct nlattr * const nla[])
1844 struct netlink_ext_ack *extack = info->extack;
1845 u8 genmask = nft_genmask_cur(info->net);
1846 u8 family = info->nfmsg->nfgen_family;
1847 const struct nft_chain *chain;
1848 struct net *net = info->net;
1849 struct nft_table *table;
1850 struct sk_buff *skb2;
1853 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1854 struct netlink_dump_control c = {
1855 .dump = nf_tables_dump_chains,
1856 .module = THIS_MODULE,
1859 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1862 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1863 if (IS_ERR(table)) {
1864 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1865 return PTR_ERR(table);
1868 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1869 if (IS_ERR(chain)) {
1870 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1871 return PTR_ERR(chain);
1874 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1878 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1879 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1880 0, family, table, chain, NULL);
1882 goto err_fill_chain_info;
1884 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1886 err_fill_chain_info:
1891 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1892 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1893 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1896 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1898 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1899 struct nft_stats __percpu *newstats;
1900 struct nft_stats *stats;
1903 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1904 nft_counter_policy, NULL);
1906 return ERR_PTR(err);
1908 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1909 return ERR_PTR(-EINVAL);
1911 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1912 if (newstats == NULL)
1913 return ERR_PTR(-ENOMEM);
1915 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1916 * are not exposed to userspace.
1919 stats = this_cpu_ptr(newstats);
1920 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1921 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1927 static void nft_chain_stats_replace(struct nft_trans *trans)
1929 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1931 if (!nft_trans_chain_stats(trans))
1934 nft_trans_chain_stats(trans) =
1935 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1936 lockdep_commit_lock_is_held(trans->ctx.net));
1938 if (!nft_trans_chain_stats(trans))
1939 static_branch_inc(&nft_counters_enabled);
1942 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1944 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
1945 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
1951 /* should be NULL either via abort or via successful commit */
1952 WARN_ON_ONCE(chain->blob_next);
1953 kvfree(chain->blob_next);
1956 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1958 struct nft_chain *chain = ctx->chain;
1959 struct nft_hook *hook, *next;
1961 if (WARN_ON(chain->use > 0))
1964 /* no concurrent access possible anymore */
1965 nf_tables_chain_free_chain_rules(chain);
1967 if (nft_is_base_chain(chain)) {
1968 struct nft_base_chain *basechain = nft_base_chain(chain);
1970 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1971 list_for_each_entry_safe(hook, next,
1972 &basechain->hook_list, list) {
1973 list_del_rcu(&hook->list);
1974 kfree_rcu(hook, rcu);
1977 module_put(basechain->type->owner);
1978 if (rcu_access_pointer(basechain->stats)) {
1979 static_branch_dec(&nft_counters_enabled);
1980 free_percpu(rcu_dereference_raw(basechain->stats));
1983 kfree(chain->udata);
1987 kfree(chain->udata);
1992 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1993 const struct nlattr *attr)
1995 struct net_device *dev;
1996 char ifname[IFNAMSIZ];
1997 struct nft_hook *hook;
2000 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2003 goto err_hook_alloc;
2006 nla_strscpy(ifname, attr, IFNAMSIZ);
2007 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2008 * indirectly serializing all the other holders of the commit_mutex with
2011 dev = __dev_get_by_name(net, ifname);
2016 hook->ops.dev = dev;
2023 return ERR_PTR(err);
2026 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2027 const struct nft_hook *this)
2029 struct nft_hook *hook;
2031 list_for_each_entry(hook, hook_list, list) {
2032 if (this->ops.dev == hook->ops.dev)
2039 static int nf_tables_parse_netdev_hooks(struct net *net,
2040 const struct nlattr *attr,
2041 struct list_head *hook_list,
2042 struct netlink_ext_ack *extack)
2044 struct nft_hook *hook, *next;
2045 const struct nlattr *tmp;
2046 int rem, n = 0, err;
2048 nla_for_each_nested(tmp, attr, rem) {
2049 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2054 hook = nft_netdev_hook_alloc(net, tmp);
2056 NL_SET_BAD_ATTR(extack, tmp);
2057 err = PTR_ERR(hook);
2060 if (nft_hook_list_find(hook_list, hook)) {
2061 NL_SET_BAD_ATTR(extack, tmp);
2066 list_add_tail(&hook->list, hook_list);
2069 if (n == NFT_NETDEVICE_MAX) {
2078 list_for_each_entry_safe(hook, next, hook_list, list) {
2079 list_del(&hook->list);
2085 struct nft_chain_hook {
2088 const struct nft_chain_type *type;
2089 struct list_head list;
2092 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2093 struct list_head *hook_list,
2094 struct netlink_ext_ack *extack, u32 flags)
2096 struct nft_hook *hook;
2099 if (tb[NFTA_HOOK_DEV]) {
2100 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2102 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2103 return PTR_ERR(hook);
2106 list_add_tail(&hook->list, hook_list);
2107 } else if (tb[NFTA_HOOK_DEVS]) {
2108 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2115 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2116 list_empty(hook_list))
2122 static int nft_chain_parse_hook(struct net *net,
2123 struct nft_base_chain *basechain,
2124 const struct nlattr * const nla[],
2125 struct nft_chain_hook *hook, u8 family,
2126 u32 flags, struct netlink_ext_ack *extack)
2128 struct nftables_pernet *nft_net = nft_pernet(net);
2129 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2130 const struct nft_chain_type *type;
2133 lockdep_assert_held(&nft_net->commit_mutex);
2134 lockdep_nfnl_nft_mutex_not_held();
2136 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2137 nla[NFTA_CHAIN_HOOK],
2138 nft_hook_policy, NULL);
2143 if (!ha[NFTA_HOOK_HOOKNUM] ||
2144 !ha[NFTA_HOOK_PRIORITY]) {
2145 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2149 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2150 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2152 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2156 if (nla[NFTA_CHAIN_TYPE]) {
2157 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2160 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2161 return PTR_ERR(type);
2164 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2167 if (type->type == NFT_CHAIN_T_NAT &&
2168 hook->priority <= NF_IP_PRI_CONNTRACK)
2171 if (ha[NFTA_HOOK_HOOKNUM]) {
2172 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2173 if (hook->num != basechain->ops.hooknum)
2176 if (ha[NFTA_HOOK_PRIORITY]) {
2177 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2178 if (hook->priority != basechain->ops.priority)
2182 type = basechain->type;
2185 if (!try_module_get(type->owner)) {
2186 if (nla[NFTA_CHAIN_TYPE])
2187 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2193 INIT_LIST_HEAD(&hook->list);
2194 if (nft_base_chain_netdev(family, hook->num)) {
2195 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2197 module_put(type->owner);
2200 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2201 module_put(type->owner);
2208 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2210 struct nft_hook *h, *next;
2212 list_for_each_entry_safe(h, next, &hook->list, list) {
2216 module_put(hook->type->owner);
2219 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2221 struct nft_rule_dp_last *lrule;
2223 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2225 lrule = (struct nft_rule_dp_last *)ptr;
2226 lrule->end.is_last = 1;
2227 lrule->chain = chain;
2228 /* blob size does not include the trailer rule */
2231 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2234 struct nft_rule_blob *blob;
2239 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2241 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2246 nft_last_rule(chain, blob->data);
2251 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2252 const struct nft_chain_hook *hook,
2253 struct nft_chain *chain)
2256 ops->hooknum = hook->num;
2257 ops->priority = hook->priority;
2259 ops->hook = hook->type->hooks[ops->hooknum];
2260 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2263 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2264 struct nft_chain_hook *hook, u32 flags)
2266 struct nft_chain *chain;
2269 basechain->type = hook->type;
2270 INIT_LIST_HEAD(&basechain->hook_list);
2271 chain = &basechain->chain;
2273 if (nft_base_chain_netdev(family, hook->num)) {
2274 list_splice_init(&hook->list, &basechain->hook_list);
2275 list_for_each_entry(h, &basechain->hook_list, list)
2276 nft_basechain_hook_init(&h->ops, family, hook, chain);
2278 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2280 chain->flags |= NFT_CHAIN_BASE | flags;
2281 basechain->policy = NF_ACCEPT;
2282 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2283 !nft_chain_offload_support(basechain)) {
2284 list_splice_init(&basechain->hook_list, &hook->list);
2288 flow_block_init(&basechain->flow_block);
2293 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2297 err = rhltable_insert_key(&table->chains_ht, chain->name,
2298 &chain->rhlhead, nft_chain_ht_params);
2302 list_add_tail_rcu(&chain->list, &table->chains);
2307 static u64 chain_id;
2309 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2310 u8 policy, u32 flags,
2311 struct netlink_ext_ack *extack)
2313 const struct nlattr * const *nla = ctx->nla;
2314 struct nft_table *table = ctx->table;
2315 struct nft_base_chain *basechain;
2316 struct net *net = ctx->net;
2317 char name[NFT_NAME_MAXLEN];
2318 struct nft_rule_blob *blob;
2319 struct nft_trans *trans;
2320 struct nft_chain *chain;
2323 if (table->use == UINT_MAX)
2326 if (nla[NFTA_CHAIN_HOOK]) {
2327 struct nft_stats __percpu *stats = NULL;
2328 struct nft_chain_hook hook = {};
2330 if (flags & NFT_CHAIN_BINDING)
2333 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2338 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2339 if (basechain == NULL) {
2340 nft_chain_release_hook(&hook);
2343 chain = &basechain->chain;
2345 if (nla[NFTA_CHAIN_COUNTERS]) {
2346 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2347 if (IS_ERR(stats)) {
2348 nft_chain_release_hook(&hook);
2350 return PTR_ERR(stats);
2352 rcu_assign_pointer(basechain->stats, stats);
2355 err = nft_basechain_init(basechain, family, &hook, flags);
2357 nft_chain_release_hook(&hook);
2363 static_branch_inc(&nft_counters_enabled);
2365 if (flags & NFT_CHAIN_BASE)
2367 if (flags & NFT_CHAIN_HW_OFFLOAD)
2370 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2374 chain->flags = flags;
2378 INIT_LIST_HEAD(&chain->rules);
2379 chain->handle = nf_tables_alloc_handle(table);
2380 chain->table = table;
2382 if (nla[NFTA_CHAIN_NAME]) {
2383 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2385 if (!(flags & NFT_CHAIN_BINDING)) {
2387 goto err_destroy_chain;
2390 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2391 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2396 goto err_destroy_chain;
2399 if (nla[NFTA_CHAIN_USERDATA]) {
2400 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2401 if (chain->udata == NULL) {
2403 goto err_destroy_chain;
2405 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2408 blob = nf_tables_chain_alloc_rules(chain, 0);
2411 goto err_destroy_chain;
2414 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2415 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2417 err = nf_tables_register_hook(net, table, chain);
2419 goto err_destroy_chain;
2421 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2422 if (IS_ERR(trans)) {
2423 err = PTR_ERR(trans);
2424 goto err_unregister_hook;
2427 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2428 if (nft_is_base_chain(chain))
2429 nft_trans_chain_policy(trans) = policy;
2431 err = nft_chain_add(table, chain);
2433 nft_trans_destroy(trans);
2434 goto err_unregister_hook;
2440 err_unregister_hook:
2441 nf_tables_unregister_hook(net, table, chain);
2443 nf_tables_chain_destroy(ctx);
2448 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2449 u32 flags, const struct nlattr *attr,
2450 struct netlink_ext_ack *extack)
2452 const struct nlattr * const *nla = ctx->nla;
2453 struct nft_base_chain *basechain = NULL;
2454 struct nft_table *table = ctx->table;
2455 struct nft_chain *chain = ctx->chain;
2456 struct nft_chain_hook hook = {};
2457 struct nft_stats *stats = NULL;
2458 struct nft_hook *h, *next;
2459 struct nf_hook_ops *ops;
2460 struct nft_trans *trans;
2461 bool unregister = false;
2464 if (chain->flags ^ flags)
2467 INIT_LIST_HEAD(&hook.list);
2469 if (nla[NFTA_CHAIN_HOOK]) {
2470 if (!nft_is_base_chain(chain)) {
2471 NL_SET_BAD_ATTR(extack, attr);
2475 basechain = nft_base_chain(chain);
2476 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2477 ctx->family, flags, extack);
2481 if (basechain->type != hook.type) {
2482 nft_chain_release_hook(&hook);
2483 NL_SET_BAD_ATTR(extack, attr);
2487 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2488 list_for_each_entry_safe(h, next, &hook.list, list) {
2489 h->ops.pf = basechain->ops.pf;
2490 h->ops.hooknum = basechain->ops.hooknum;
2491 h->ops.priority = basechain->ops.priority;
2492 h->ops.priv = basechain->ops.priv;
2493 h->ops.hook = basechain->ops.hook;
2495 if (nft_hook_list_find(&basechain->hook_list, h)) {
2501 ops = &basechain->ops;
2502 if (ops->hooknum != hook.num ||
2503 ops->priority != hook.priority) {
2504 nft_chain_release_hook(&hook);
2505 NL_SET_BAD_ATTR(extack, attr);
2511 if (nla[NFTA_CHAIN_HANDLE] &&
2512 nla[NFTA_CHAIN_NAME]) {
2513 struct nft_chain *chain2;
2515 chain2 = nft_chain_lookup(ctx->net, table,
2516 nla[NFTA_CHAIN_NAME], genmask);
2517 if (!IS_ERR(chain2)) {
2518 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2524 if (nla[NFTA_CHAIN_COUNTERS]) {
2525 if (!nft_is_base_chain(chain)) {
2530 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2531 if (IS_ERR(stats)) {
2532 err = PTR_ERR(stats);
2537 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2538 nft_is_base_chain(chain) &&
2539 !list_empty(&hook.list)) {
2540 basechain = nft_base_chain(chain);
2541 ops = &basechain->ops;
2543 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2544 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2552 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2553 sizeof(struct nft_trans_chain));
2557 nft_trans_chain_stats(trans) = stats;
2558 nft_trans_chain_update(trans) = true;
2560 if (nla[NFTA_CHAIN_POLICY])
2561 nft_trans_chain_policy(trans) = policy;
2563 nft_trans_chain_policy(trans) = -1;
2565 if (nla[NFTA_CHAIN_HANDLE] &&
2566 nla[NFTA_CHAIN_NAME]) {
2567 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2568 struct nft_trans *tmp;
2572 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2577 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2578 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2579 tmp->ctx.table == table &&
2580 nft_trans_chain_update(tmp) &&
2581 nft_trans_chain_name(tmp) &&
2582 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2583 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2589 nft_trans_chain_name(trans) = name;
2592 nft_trans_basechain(trans) = basechain;
2593 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2594 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2596 nft_trans_commit_list_add_tail(ctx->net, trans);
2604 if (nla[NFTA_CHAIN_HOOK]) {
2605 list_for_each_entry_safe(h, next, &hook.list, list) {
2607 nf_unregister_net_hook(ctx->net, &h->ops);
2611 module_put(hook.type->owner);
2617 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2618 const struct nft_table *table,
2619 const struct nlattr *nla)
2621 struct nftables_pernet *nft_net = nft_pernet(net);
2622 u32 id = ntohl(nla_get_be32(nla));
2623 struct nft_trans *trans;
2625 list_for_each_entry(trans, &nft_net->commit_list, list) {
2626 struct nft_chain *chain = trans->ctx.chain;
2628 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2629 chain->table == table &&
2630 id == nft_trans_chain_id(trans))
2633 return ERR_PTR(-ENOENT);
2636 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2637 const struct nlattr * const nla[])
2639 struct nftables_pernet *nft_net = nft_pernet(info->net);
2640 struct netlink_ext_ack *extack = info->extack;
2641 u8 genmask = nft_genmask_next(info->net);
2642 u8 family = info->nfmsg->nfgen_family;
2643 struct nft_chain *chain = NULL;
2644 struct net *net = info->net;
2645 const struct nlattr *attr;
2646 struct nft_table *table;
2647 u8 policy = NF_ACCEPT;
2652 lockdep_assert_held(&nft_net->commit_mutex);
2654 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2655 NETLINK_CB(skb).portid);
2656 if (IS_ERR(table)) {
2657 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2658 return PTR_ERR(table);
2662 attr = nla[NFTA_CHAIN_NAME];
2664 if (nla[NFTA_CHAIN_HANDLE]) {
2665 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2666 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2667 if (IS_ERR(chain)) {
2668 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2669 return PTR_ERR(chain);
2671 attr = nla[NFTA_CHAIN_HANDLE];
2672 } else if (nla[NFTA_CHAIN_NAME]) {
2673 chain = nft_chain_lookup(net, table, attr, genmask);
2674 if (IS_ERR(chain)) {
2675 if (PTR_ERR(chain) != -ENOENT) {
2676 NL_SET_BAD_ATTR(extack, attr);
2677 return PTR_ERR(chain);
2681 } else if (!nla[NFTA_CHAIN_ID]) {
2685 if (nla[NFTA_CHAIN_POLICY]) {
2686 if (chain != NULL &&
2687 !nft_is_base_chain(chain)) {
2688 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2692 if (chain == NULL &&
2693 nla[NFTA_CHAIN_HOOK] == NULL) {
2694 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2698 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2708 if (nla[NFTA_CHAIN_FLAGS])
2709 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2711 flags = chain->flags;
2713 if (flags & ~NFT_CHAIN_FLAGS)
2716 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2718 if (chain != NULL) {
2719 if (chain->flags & NFT_CHAIN_BINDING)
2722 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2723 NL_SET_BAD_ATTR(extack, attr);
2726 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2729 flags |= chain->flags & NFT_CHAIN_BASE;
2730 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2734 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2737 static int nft_delchain_hook(struct nft_ctx *ctx, struct nft_chain *chain,
2738 struct netlink_ext_ack *extack)
2740 const struct nlattr * const *nla = ctx->nla;
2741 struct nft_chain_hook chain_hook = {};
2742 struct nft_base_chain *basechain;
2743 struct nft_hook *this, *hook;
2744 LIST_HEAD(chain_del_list);
2745 struct nft_trans *trans;
2748 if (!nft_is_base_chain(chain))
2751 basechain = nft_base_chain(chain);
2752 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2753 ctx->family, chain->flags, extack);
2757 list_for_each_entry(this, &chain_hook.list, list) {
2758 hook = nft_hook_list_find(&basechain->hook_list, this);
2761 goto err_chain_del_hook;
2763 list_move(&hook->list, &chain_del_list);
2766 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2767 sizeof(struct nft_trans_chain));
2770 goto err_chain_del_hook;
2773 nft_trans_basechain(trans) = basechain;
2774 nft_trans_chain_update(trans) = true;
2775 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2776 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2777 nft_chain_release_hook(&chain_hook);
2779 nft_trans_commit_list_add_tail(ctx->net, trans);
2784 list_splice(&chain_del_list, &basechain->hook_list);
2785 nft_chain_release_hook(&chain_hook);
2790 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2791 const struct nlattr * const nla[])
2793 struct netlink_ext_ack *extack = info->extack;
2794 u8 genmask = nft_genmask_next(info->net);
2795 u8 family = info->nfmsg->nfgen_family;
2796 struct net *net = info->net;
2797 const struct nlattr *attr;
2798 struct nft_table *table;
2799 struct nft_chain *chain;
2800 struct nft_rule *rule;
2806 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2807 NETLINK_CB(skb).portid);
2808 if (IS_ERR(table)) {
2809 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2810 return PTR_ERR(table);
2813 if (nla[NFTA_CHAIN_HANDLE]) {
2814 attr = nla[NFTA_CHAIN_HANDLE];
2815 handle = be64_to_cpu(nla_get_be64(attr));
2816 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2818 attr = nla[NFTA_CHAIN_NAME];
2819 chain = nft_chain_lookup(net, table, attr, genmask);
2821 if (IS_ERR(chain)) {
2822 if (PTR_ERR(chain) == -ENOENT &&
2823 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2826 NL_SET_BAD_ATTR(extack, attr);
2827 return PTR_ERR(chain);
2830 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2832 if (nla[NFTA_CHAIN_HOOK]) {
2833 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2836 return nft_delchain_hook(&ctx, chain, extack);
2839 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2844 list_for_each_entry(rule, &chain->rules, list) {
2845 if (!nft_is_active_next(net, rule))
2849 err = nft_delrule(&ctx, rule);
2854 /* There are rules and elements that are still holding references to us,
2855 * we cannot do a recursive removal in this case.
2858 NL_SET_BAD_ATTR(extack, attr);
2862 return nft_delchain(&ctx);
2870 * nft_register_expr - register nf_tables expr type
2873 * Registers the expr type for use with nf_tables. Returns zero on
2874 * success or a negative errno code otherwise.
2876 int nft_register_expr(struct nft_expr_type *type)
2878 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2879 if (type->family == NFPROTO_UNSPEC)
2880 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2882 list_add_rcu(&type->list, &nf_tables_expressions);
2883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2886 EXPORT_SYMBOL_GPL(nft_register_expr);
2889 * nft_unregister_expr - unregister nf_tables expr type
2892 * Unregisters the expr typefor use with nf_tables.
2894 void nft_unregister_expr(struct nft_expr_type *type)
2896 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2897 list_del_rcu(&type->list);
2898 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2900 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2902 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2905 const struct nft_expr_type *type, *candidate = NULL;
2907 list_for_each_entry(type, &nf_tables_expressions, list) {
2908 if (!nla_strcmp(nla, type->name)) {
2909 if (!type->family && !candidate)
2911 else if (type->family == family)
2918 #ifdef CONFIG_MODULES
2919 static int nft_expr_type_request_module(struct net *net, u8 family,
2922 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2923 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2930 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2934 const struct nft_expr_type *type;
2937 return ERR_PTR(-EINVAL);
2939 type = __nft_expr_type_get(family, nla);
2940 if (type != NULL && try_module_get(type->owner))
2943 lockdep_nfnl_nft_mutex_not_held();
2944 #ifdef CONFIG_MODULES
2946 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2947 return ERR_PTR(-EAGAIN);
2949 if (nft_request_module(net, "nft-expr-%.*s",
2951 (char *)nla_data(nla)) == -EAGAIN)
2952 return ERR_PTR(-EAGAIN);
2955 return ERR_PTR(-ENOENT);
2958 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2959 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2960 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2961 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2964 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2965 const struct nft_expr *expr, bool reset)
2967 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2968 goto nla_put_failure;
2970 if (expr->ops->dump) {
2971 struct nlattr *data = nla_nest_start_noflag(skb,
2974 goto nla_put_failure;
2975 if (expr->ops->dump(skb, expr, reset) < 0)
2976 goto nla_put_failure;
2977 nla_nest_end(skb, data);
2986 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2987 const struct nft_expr *expr, bool reset)
2989 struct nlattr *nest;
2991 nest = nla_nest_start_noflag(skb, attr);
2993 goto nla_put_failure;
2994 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
2995 goto nla_put_failure;
2996 nla_nest_end(skb, nest);
3003 struct nft_expr_info {
3004 const struct nft_expr_ops *ops;
3005 const struct nlattr *attr;
3006 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3009 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3010 const struct nlattr *nla,
3011 struct nft_expr_info *info)
3013 const struct nft_expr_type *type;
3014 const struct nft_expr_ops *ops;
3015 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3018 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3019 nft_expr_policy, NULL);
3023 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3025 return PTR_ERR(type);
3027 if (tb[NFTA_EXPR_DATA]) {
3028 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3030 type->policy, NULL);
3034 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3036 if (type->select_ops != NULL) {
3037 ops = type->select_ops(ctx,
3038 (const struct nlattr * const *)info->tb);
3041 #ifdef CONFIG_MODULES
3043 if (nft_expr_type_request_module(ctx->net,
3045 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3059 module_put(type->owner);
3063 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3064 struct nft_expr_info *info)
3066 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3067 const struct nft_expr_type *type;
3070 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3071 nft_expr_policy, NULL);
3075 if (!tb[NFTA_EXPR_DATA])
3078 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3082 if (!type->inner_ops)
3085 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3087 type->policy, NULL);
3092 info->ops = type->inner_ops;
3100 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3101 const struct nft_expr_info *expr_info,
3102 struct nft_expr *expr)
3104 const struct nft_expr_ops *ops = expr_info->ops;
3109 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3120 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3121 struct nft_expr *expr)
3123 const struct nft_expr_type *type = expr->ops->type;
3125 if (expr->ops->destroy)
3126 expr->ops->destroy(ctx, expr);
3127 module_put(type->owner);
3130 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3131 const struct nlattr *nla)
3133 struct nft_expr_info expr_info;
3134 struct nft_expr *expr;
3135 struct module *owner;
3138 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3140 goto err_expr_parse;
3143 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3144 goto err_expr_stateful;
3147 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3149 goto err_expr_stateful;
3151 err = nf_tables_newexpr(ctx, &expr_info, expr);
3159 owner = expr_info.ops->type->owner;
3160 if (expr_info.ops->type->release_ops)
3161 expr_info.ops->type->release_ops(expr_info.ops);
3165 return ERR_PTR(err);
3168 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3172 if (src->ops->clone) {
3173 dst->ops = src->ops;
3174 err = src->ops->clone(dst, src);
3178 memcpy(dst, src, src->ops->size);
3181 __module_get(src->ops->type->owner);
3186 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3188 nf_tables_expr_destroy(ctx, expr);
3196 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3199 struct nft_rule *rule;
3201 // FIXME: this sucks
3202 list_for_each_entry_rcu(rule, &chain->rules, list) {
3203 if (handle == rule->handle)
3207 return ERR_PTR(-ENOENT);
3210 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3211 const struct nlattr *nla)
3214 return ERR_PTR(-EINVAL);
3216 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3219 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3220 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3221 .len = NFT_TABLE_MAXNAMELEN - 1 },
3222 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3223 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3224 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3225 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
3226 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3227 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3228 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3229 .len = NFT_USERDATA_MAXLEN },
3230 [NFTA_RULE_ID] = { .type = NLA_U32 },
3231 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3232 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3235 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3236 u32 portid, u32 seq, int event,
3237 u32 flags, int family,
3238 const struct nft_table *table,
3239 const struct nft_chain *chain,
3240 const struct nft_rule *rule, u64 handle,
3243 struct nlmsghdr *nlh;
3244 const struct nft_expr *expr, *next;
3245 struct nlattr *list;
3246 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3248 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3251 goto nla_put_failure;
3253 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3254 goto nla_put_failure;
3255 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3256 goto nla_put_failure;
3257 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3259 goto nla_put_failure;
3261 if (event != NFT_MSG_DELRULE && handle) {
3262 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3264 goto nla_put_failure;
3267 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3268 nft_flow_rule_stats(chain, rule);
3270 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3272 goto nla_put_failure;
3273 nft_rule_for_each_expr(expr, next, rule) {
3274 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3275 goto nla_put_failure;
3277 nla_nest_end(skb, list);
3280 struct nft_userdata *udata = nft_userdata(rule);
3281 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3283 goto nla_put_failure;
3286 nlmsg_end(skb, nlh);
3290 nlmsg_trim(skb, nlh);
3294 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3295 const struct nft_rule *rule, int event)
3297 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3298 const struct nft_rule *prule;
3299 struct sk_buff *skb;
3305 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3308 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3312 if (event == NFT_MSG_NEWRULE &&
3313 !list_is_first(&rule->list, &ctx->chain->rules) &&
3314 !list_is_last(&rule->list, &ctx->chain->rules)) {
3315 prule = list_prev_entry(rule, list);
3316 handle = prule->handle;
3318 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3319 flags |= NLM_F_APPEND;
3320 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3321 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3323 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3324 event, flags, ctx->family, ctx->table,
3325 ctx->chain, rule, handle, false);
3331 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3334 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3337 struct nft_rule_dump_ctx {
3342 static int __nf_tables_dump_rules(struct sk_buff *skb,
3344 struct netlink_callback *cb,
3345 const struct nft_table *table,
3346 const struct nft_chain *chain,
3349 struct net *net = sock_net(skb->sk);
3350 const struct nft_rule *rule, *prule;
3351 unsigned int s_idx = cb->args[0];
3355 list_for_each_entry_rcu(rule, &chain->rules, list) {
3356 if (!nft_is_active(net, rule))
3361 memset(&cb->args[1], 0,
3362 sizeof(cb->args) - sizeof(cb->args[0]));
3365 handle = prule->handle;
3369 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3372 NLM_F_MULTI | NLM_F_APPEND,
3374 table, chain, rule, handle, reset) < 0)
3377 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3386 static int nf_tables_dump_rules(struct sk_buff *skb,
3387 struct netlink_callback *cb)
3389 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3390 const struct nft_rule_dump_ctx *ctx = cb->data;
3391 struct nft_table *table;
3392 const struct nft_chain *chain;
3393 unsigned int idx = 0;
3394 struct net *net = sock_net(skb->sk);
3395 int family = nfmsg->nfgen_family;
3396 struct nftables_pernet *nft_net;
3399 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3403 nft_net = nft_pernet(net);
3404 cb->seq = READ_ONCE(nft_net->base_seq);
3406 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3407 if (family != NFPROTO_UNSPEC && family != table->family)
3410 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3413 if (ctx && ctx->table && ctx->chain) {
3414 struct rhlist_head *list, *tmp;
3416 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3417 nft_chain_ht_params);
3421 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3422 if (!nft_is_active(net, chain))
3424 __nf_tables_dump_rules(skb, &idx,
3425 cb, table, chain, reset);
3431 list_for_each_entry_rcu(chain, &table->chains, list) {
3432 if (__nf_tables_dump_rules(skb, &idx,
3433 cb, table, chain, reset))
3437 if (ctx && ctx->table)
3447 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3449 const struct nlattr * const *nla = cb->data;
3450 struct nft_rule_dump_ctx *ctx = NULL;
3452 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3453 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3457 if (nla[NFTA_RULE_TABLE]) {
3458 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3465 if (nla[NFTA_RULE_CHAIN]) {
3466 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3480 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3482 struct nft_rule_dump_ctx *ctx = cb->data;
3492 /* called with rcu_read_lock held */
3493 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3494 const struct nlattr * const nla[])
3496 struct netlink_ext_ack *extack = info->extack;
3497 u8 genmask = nft_genmask_cur(info->net);
3498 u8 family = info->nfmsg->nfgen_family;
3499 const struct nft_chain *chain;
3500 const struct nft_rule *rule;
3501 struct net *net = info->net;
3502 struct nft_table *table;
3503 struct sk_buff *skb2;
3507 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3508 struct netlink_dump_control c = {
3509 .start= nf_tables_dump_rules_start,
3510 .dump = nf_tables_dump_rules,
3511 .done = nf_tables_dump_rules_done,
3512 .module = THIS_MODULE,
3513 .data = (void *)nla,
3516 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3519 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3520 if (IS_ERR(table)) {
3521 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3522 return PTR_ERR(table);
3525 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3526 if (IS_ERR(chain)) {
3527 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3528 return PTR_ERR(chain);
3531 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3533 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3534 return PTR_ERR(rule);
3537 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3541 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3544 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3545 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3546 family, table, chain, rule, 0, reset);
3548 goto err_fill_rule_info;
3550 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3557 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3559 struct nft_expr *expr, *next;
3562 * Careful: some expressions might not be initialized in case this
3563 * is called on error from nf_tables_newrule().
3565 expr = nft_expr_first(rule);
3566 while (nft_expr_more(rule, expr)) {
3567 next = nft_expr_next(expr);
3568 nf_tables_expr_destroy(ctx, expr);
3574 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3576 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3577 nf_tables_rule_destroy(ctx, rule);
3580 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3582 struct nft_expr *expr, *last;
3583 const struct nft_data *data;
3584 struct nft_rule *rule;
3587 if (ctx->level == NFT_JUMP_STACK_SIZE)
3590 list_for_each_entry(rule, &chain->rules, list) {
3591 if (!nft_is_active_next(ctx->net, rule))
3594 nft_rule_for_each_expr(expr, last, rule) {
3595 if (!expr->ops->validate)
3598 err = expr->ops->validate(ctx, expr, &data);
3608 EXPORT_SYMBOL_GPL(nft_chain_validate);
3610 static int nft_table_validate(struct net *net, const struct nft_table *table)
3612 struct nft_chain *chain;
3613 struct nft_ctx ctx = {
3615 .family = table->family,
3619 list_for_each_entry(chain, &table->chains, list) {
3620 if (!nft_is_base_chain(chain))
3624 err = nft_chain_validate(&ctx, chain);
3632 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3633 const struct nft_set_iter *iter,
3634 struct nft_set_elem *elem)
3636 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3637 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3638 const struct nft_data *data;
3641 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3642 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3645 data = nft_set_ext_data(ext);
3646 switch (data->verdict.code) {
3650 err = nft_chain_validate(ctx, data->verdict.chain);
3662 struct nft_set_elem_catchall {
3663 struct list_head list;
3664 struct rcu_head rcu;
3668 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3670 u8 genmask = nft_genmask_next(ctx->net);
3671 struct nft_set_elem_catchall *catchall;
3672 struct nft_set_elem elem;
3673 struct nft_set_ext *ext;
3676 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3677 ext = nft_set_elem_ext(set, catchall->elem);
3678 if (!nft_set_elem_active(ext, genmask))
3681 elem.priv = catchall->elem;
3682 ret = nft_setelem_validate(ctx, set, NULL, &elem);
3690 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3691 const struct nft_chain *chain,
3692 const struct nlattr *nla);
3694 #define NFT_RULE_MAXEXPRS 128
3696 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3697 const struct nlattr * const nla[])
3699 struct nftables_pernet *nft_net = nft_pernet(info->net);
3700 struct netlink_ext_ack *extack = info->extack;
3701 unsigned int size, i, n, ulen = 0, usize = 0;
3702 u8 genmask = nft_genmask_next(info->net);
3703 struct nft_rule *rule, *old_rule = NULL;
3704 struct nft_expr_info *expr_info = NULL;
3705 u8 family = info->nfmsg->nfgen_family;
3706 struct nft_flow_rule *flow = NULL;
3707 struct net *net = info->net;
3708 struct nft_userdata *udata;
3709 struct nft_table *table;
3710 struct nft_chain *chain;
3711 struct nft_trans *trans;
3712 u64 handle, pos_handle;
3713 struct nft_expr *expr;
3718 lockdep_assert_held(&nft_net->commit_mutex);
3720 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3721 NETLINK_CB(skb).portid);
3722 if (IS_ERR(table)) {
3723 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3724 return PTR_ERR(table);
3727 if (nla[NFTA_RULE_CHAIN]) {
3728 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3730 if (IS_ERR(chain)) {
3731 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3732 return PTR_ERR(chain);
3734 if (nft_chain_is_bound(chain))
3737 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3738 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
3739 if (IS_ERR(chain)) {
3740 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3741 return PTR_ERR(chain);
3747 if (nla[NFTA_RULE_HANDLE]) {
3748 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3749 rule = __nft_rule_lookup(chain, handle);
3751 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3752 return PTR_ERR(rule);
3755 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3756 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3759 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3764 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3765 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3767 handle = nf_tables_alloc_handle(table);
3769 if (chain->use == UINT_MAX)
3772 if (nla[NFTA_RULE_POSITION]) {
3773 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3774 old_rule = __nft_rule_lookup(chain, pos_handle);
3775 if (IS_ERR(old_rule)) {
3776 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3777 return PTR_ERR(old_rule);
3779 } else if (nla[NFTA_RULE_POSITION_ID]) {
3780 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3781 if (IS_ERR(old_rule)) {
3782 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3783 return PTR_ERR(old_rule);
3788 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3792 if (nla[NFTA_RULE_EXPRESSIONS]) {
3793 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3794 sizeof(struct nft_expr_info),
3799 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3801 if (nla_type(tmp) != NFTA_LIST_ELEM)
3802 goto err_release_expr;
3803 if (n == NFT_RULE_MAXEXPRS)
3804 goto err_release_expr;
3805 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3807 NL_SET_BAD_ATTR(extack, tmp);
3808 goto err_release_expr;
3810 size += expr_info[n].ops->size;
3814 /* Check for overflow of dlen field */
3816 if (size >= 1 << 12)
3817 goto err_release_expr;
3819 if (nla[NFTA_RULE_USERDATA]) {
3820 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3822 usize = sizeof(struct nft_userdata) + ulen;
3826 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3828 goto err_release_expr;
3830 nft_activate_next(net, rule);
3832 rule->handle = handle;
3834 rule->udata = ulen ? 1 : 0;
3837 udata = nft_userdata(rule);
3838 udata->len = ulen - 1;
3839 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3842 expr = nft_expr_first(rule);
3843 for (i = 0; i < n; i++) {
3844 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3846 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3847 goto err_release_rule;
3850 if (expr_info[i].ops->validate)
3851 nft_validate_state_update(table, NFT_VALIDATE_NEED);
3853 expr_info[i].ops = NULL;
3854 expr = nft_expr_next(expr);
3857 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3858 flow = nft_flow_rule_create(net, rule);
3860 err = PTR_ERR(flow);
3861 goto err_release_rule;
3865 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3866 err = nft_delrule(&ctx, old_rule);
3868 goto err_destroy_flow_rule;
3870 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3871 if (trans == NULL) {
3873 goto err_destroy_flow_rule;
3875 list_add_tail_rcu(&rule->list, &old_rule->list);
3877 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3880 goto err_destroy_flow_rule;
3883 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3885 list_add_rcu(&rule->list, &old_rule->list);
3887 list_add_tail_rcu(&rule->list, &chain->rules);
3890 list_add_tail_rcu(&rule->list, &old_rule->list);
3892 list_add_rcu(&rule->list, &chain->rules);
3899 nft_trans_flow_rule(trans) = flow;
3901 if (table->validate_state == NFT_VALIDATE_DO)
3902 return nft_table_validate(net, table);
3906 err_destroy_flow_rule:
3908 nft_flow_rule_destroy(flow);
3910 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
3911 nf_tables_rule_destroy(&ctx, rule);
3913 for (i = 0; i < n; i++) {
3914 if (expr_info[i].ops) {
3915 module_put(expr_info[i].ops->type->owner);
3916 if (expr_info[i].ops->type->release_ops)
3917 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3925 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3926 const struct nft_chain *chain,
3927 const struct nlattr *nla)
3929 struct nftables_pernet *nft_net = nft_pernet(net);
3930 u32 id = ntohl(nla_get_be32(nla));
3931 struct nft_trans *trans;
3933 list_for_each_entry(trans, &nft_net->commit_list, list) {
3934 if (trans->msg_type == NFT_MSG_NEWRULE &&
3935 trans->ctx.chain == chain &&
3936 id == nft_trans_rule_id(trans))
3937 return nft_trans_rule(trans);
3939 return ERR_PTR(-ENOENT);
3942 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3943 const struct nlattr * const nla[])
3945 struct netlink_ext_ack *extack = info->extack;
3946 u8 genmask = nft_genmask_next(info->net);
3947 u8 family = info->nfmsg->nfgen_family;
3948 struct nft_chain *chain = NULL;
3949 struct net *net = info->net;
3950 struct nft_table *table;
3951 struct nft_rule *rule;
3955 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3956 NETLINK_CB(skb).portid);
3957 if (IS_ERR(table)) {
3958 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3959 return PTR_ERR(table);
3962 if (nla[NFTA_RULE_CHAIN]) {
3963 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3965 if (IS_ERR(chain)) {
3966 if (PTR_ERR(chain) == -ENOENT &&
3967 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3970 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3971 return PTR_ERR(chain);
3973 if (nft_chain_is_bound(chain))
3977 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3980 if (nla[NFTA_RULE_HANDLE]) {
3981 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3983 if (PTR_ERR(rule) == -ENOENT &&
3984 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3987 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3988 return PTR_ERR(rule);
3991 err = nft_delrule(&ctx, rule);
3992 } else if (nla[NFTA_RULE_ID]) {
3993 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
3995 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3996 return PTR_ERR(rule);
3999 err = nft_delrule(&ctx, rule);
4001 err = nft_delrule_by_chain(&ctx);
4004 list_for_each_entry(chain, &table->chains, list) {
4005 if (!nft_is_active_next(net, chain))
4009 err = nft_delrule_by_chain(&ctx);
4021 static const struct nft_set_type *nft_set_types[] = {
4022 &nft_set_hash_fast_type,
4024 &nft_set_rhash_type,
4025 &nft_set_bitmap_type,
4026 &nft_set_rbtree_type,
4027 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4028 &nft_set_pipapo_avx2_type,
4030 &nft_set_pipapo_type,
4033 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4034 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4037 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4039 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4043 * Select a set implementation based on the data characteristics and the
4044 * given policy. The total memory use might not be known if no size is
4045 * given, in that case the amount of memory per element is used.
4047 static const struct nft_set_ops *
4048 nft_select_set_ops(const struct nft_ctx *ctx,
4049 const struct nlattr * const nla[],
4050 const struct nft_set_desc *desc)
4052 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4053 const struct nft_set_ops *ops, *bops;
4054 struct nft_set_estimate est, best;
4055 const struct nft_set_type *type;
4059 lockdep_assert_held(&nft_net->commit_mutex);
4060 lockdep_nfnl_nft_mutex_not_held();
4062 if (nla[NFTA_SET_FLAGS] != NULL)
4063 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4070 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4071 type = nft_set_types[i];
4074 if (!nft_set_ops_candidate(type, flags))
4076 if (!ops->estimate(desc, flags, &est))
4079 switch (desc->policy) {
4080 case NFT_SET_POL_PERFORMANCE:
4081 if (est.lookup < best.lookup)
4083 if (est.lookup == best.lookup &&
4084 est.space < best.space)
4087 case NFT_SET_POL_MEMORY:
4089 if (est.space < best.space)
4091 if (est.space == best.space &&
4092 est.lookup < best.lookup)
4094 } else if (est.size < best.size || !bops) {
4109 return ERR_PTR(-EOPNOTSUPP);
4112 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4113 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4114 .len = NFT_TABLE_MAXNAMELEN - 1 },
4115 [NFTA_SET_NAME] = { .type = NLA_STRING,
4116 .len = NFT_SET_MAXNAMELEN - 1 },
4117 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4118 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4119 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4120 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4121 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4122 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4123 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4124 [NFTA_SET_ID] = { .type = NLA_U32 },
4125 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4126 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4127 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4128 .len = NFT_USERDATA_MAXLEN },
4129 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4130 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4131 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4132 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
4135 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4136 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4137 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
4140 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4141 const struct nlattr *nla, u8 genmask)
4143 struct nft_set *set;
4146 return ERR_PTR(-EINVAL);
4148 list_for_each_entry_rcu(set, &table->sets, list) {
4149 if (!nla_strcmp(nla, set->name) &&
4150 nft_active_genmask(set, genmask))
4153 return ERR_PTR(-ENOENT);
4156 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4157 const struct nlattr *nla,
4160 struct nft_set *set;
4162 list_for_each_entry(set, &table->sets, list) {
4163 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4164 nft_active_genmask(set, genmask))
4167 return ERR_PTR(-ENOENT);
4170 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4171 const struct nft_table *table,
4172 const struct nlattr *nla, u8 genmask)
4174 struct nftables_pernet *nft_net = nft_pernet(net);
4175 u32 id = ntohl(nla_get_be32(nla));
4176 struct nft_trans *trans;
4178 list_for_each_entry(trans, &nft_net->commit_list, list) {
4179 if (trans->msg_type == NFT_MSG_NEWSET) {
4180 struct nft_set *set = nft_trans_set(trans);
4182 if (id == nft_trans_set_id(trans) &&
4183 set->table == table &&
4184 nft_active_genmask(set, genmask))
4188 return ERR_PTR(-ENOENT);
4191 struct nft_set *nft_set_lookup_global(const struct net *net,
4192 const struct nft_table *table,
4193 const struct nlattr *nla_set_name,
4194 const struct nlattr *nla_set_id,
4197 struct nft_set *set;
4199 set = nft_set_lookup(table, nla_set_name, genmask);
4204 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4208 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4210 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4213 const struct nft_set *i;
4215 unsigned long *inuse;
4216 unsigned int n = 0, min = 0;
4218 p = strchr(name, '%');
4220 if (p[1] != 'd' || strchr(p + 2, '%'))
4223 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4227 list_for_each_entry(i, &ctx->table->sets, list) {
4230 if (!nft_is_active_next(ctx->net, i))
4232 if (!sscanf(i->name, name, &tmp))
4234 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4237 set_bit(tmp - min, inuse);
4240 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4241 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4242 min += BITS_PER_BYTE * PAGE_SIZE;
4243 memset(inuse, 0, PAGE_SIZE);
4246 free_page((unsigned long)inuse);
4249 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4253 list_for_each_entry(i, &ctx->table->sets, list) {
4254 if (!nft_is_active_next(ctx->net, i))
4256 if (!strcmp(set->name, i->name)) {
4265 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4267 u64 ms = be64_to_cpu(nla_get_be64(nla));
4268 u64 max = (u64)(~((u64)0));
4270 max = div_u64(max, NSEC_PER_MSEC);
4274 ms *= NSEC_PER_MSEC;
4275 *result = nsecs_to_jiffies64(ms);
4279 __be64 nf_jiffies64_to_msecs(u64 input)
4281 return cpu_to_be64(jiffies64_to_msecs(input));
4284 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4285 const struct nft_set *set)
4287 struct nlattr *concat, *field;
4290 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4294 for (i = 0; i < set->field_count; i++) {
4295 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4299 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4300 htonl(set->field_len[i])))
4303 nla_nest_end(skb, field);
4306 nla_nest_end(skb, concat);
4311 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4312 const struct nft_set *set, u16 event, u16 flags)
4314 u64 timeout = READ_ONCE(set->timeout);
4315 u32 gc_int = READ_ONCE(set->gc_int);
4316 u32 portid = ctx->portid;
4317 struct nlmsghdr *nlh;
4318 struct nlattr *nest;
4322 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4323 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4324 NFNETLINK_V0, nft_base_seq(ctx->net));
4326 goto nla_put_failure;
4328 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4329 goto nla_put_failure;
4330 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4331 goto nla_put_failure;
4332 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4334 goto nla_put_failure;
4336 if (event == NFT_MSG_DELSET) {
4337 nlmsg_end(skb, nlh);
4341 if (set->flags != 0)
4342 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4343 goto nla_put_failure;
4345 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4346 goto nla_put_failure;
4347 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4348 goto nla_put_failure;
4349 if (set->flags & NFT_SET_MAP) {
4350 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4351 goto nla_put_failure;
4352 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4353 goto nla_put_failure;
4355 if (set->flags & NFT_SET_OBJECT &&
4356 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4357 goto nla_put_failure;
4360 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4361 nf_jiffies64_to_msecs(timeout),
4363 goto nla_put_failure;
4365 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4366 goto nla_put_failure;
4368 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4369 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4370 goto nla_put_failure;
4374 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4375 goto nla_put_failure;
4377 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4379 goto nla_put_failure;
4381 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4382 goto nla_put_failure;
4384 if (set->field_count > 1 &&
4385 nf_tables_fill_set_concat(skb, set))
4386 goto nla_put_failure;
4388 nla_nest_end(skb, nest);
4390 if (set->num_exprs == 1) {
4391 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4392 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4393 goto nla_put_failure;
4395 nla_nest_end(skb, nest);
4396 } else if (set->num_exprs > 1) {
4397 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4399 goto nla_put_failure;
4401 for (i = 0; i < set->num_exprs; i++) {
4402 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4403 set->exprs[i], false) < 0)
4404 goto nla_put_failure;
4406 nla_nest_end(skb, nest);
4409 nlmsg_end(skb, nlh);
4413 nlmsg_trim(skb, nlh);
4417 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4418 const struct nft_set *set, int event,
4421 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4422 u32 portid = ctx->portid;
4423 struct sk_buff *skb;
4428 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4431 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4435 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4436 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4438 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4444 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4447 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4450 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4452 const struct nft_set *set;
4453 unsigned int idx, s_idx = cb->args[0];
4454 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4455 struct net *net = sock_net(skb->sk);
4456 struct nft_ctx *ctx = cb->data, ctx_set;
4457 struct nftables_pernet *nft_net;
4463 nft_net = nft_pernet(net);
4464 cb->seq = READ_ONCE(nft_net->base_seq);
4466 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4467 if (ctx->family != NFPROTO_UNSPEC &&
4468 ctx->family != table->family)
4471 if (ctx->table && ctx->table != table)
4475 if (cur_table != table)
4481 list_for_each_entry_rcu(set, &table->sets, list) {
4484 if (!nft_is_active(net, set))
4488 ctx_set.table = table;
4489 ctx_set.family = table->family;
4491 if (nf_tables_fill_set(skb, &ctx_set, set,
4495 cb->args[2] = (unsigned long) table;
4498 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4511 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4513 struct nft_ctx *ctx_dump = NULL;
4515 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4516 if (ctx_dump == NULL)
4519 cb->data = ctx_dump;
4523 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4529 /* called with rcu_read_lock held */
4530 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4531 const struct nlattr * const nla[])
4533 struct netlink_ext_ack *extack = info->extack;
4534 u8 genmask = nft_genmask_cur(info->net);
4535 u8 family = info->nfmsg->nfgen_family;
4536 struct nft_table *table = NULL;
4537 struct net *net = info->net;
4538 const struct nft_set *set;
4539 struct sk_buff *skb2;
4543 if (nla[NFTA_SET_TABLE]) {
4544 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4546 if (IS_ERR(table)) {
4547 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4548 return PTR_ERR(table);
4552 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4554 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4555 struct netlink_dump_control c = {
4556 .start = nf_tables_dump_sets_start,
4557 .dump = nf_tables_dump_sets,
4558 .done = nf_tables_dump_sets_done,
4560 .module = THIS_MODULE,
4563 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4566 /* Only accept unspec with dump */
4567 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4568 return -EAFNOSUPPORT;
4569 if (!nla[NFTA_SET_TABLE])
4572 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4574 return PTR_ERR(set);
4576 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4580 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4582 goto err_fill_set_info;
4584 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4591 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4592 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4595 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4596 struct nft_set_desc *desc)
4598 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4602 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4605 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4606 nft_concat_policy, NULL);
4610 if (!tb[NFTA_SET_FIELD_LEN])
4613 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4614 if (!len || len > U8_MAX)
4617 desc->field_len[desc->field_count++] = len;
4622 static int nft_set_desc_concat(struct nft_set_desc *desc,
4623 const struct nlattr *nla)
4625 struct nlattr *attr;
4629 nla_for_each_nested(attr, nla, rem) {
4630 if (nla_type(attr) != NFTA_LIST_ELEM)
4633 err = nft_set_desc_concat_parse(attr, desc);
4638 for (i = 0; i < desc->field_count; i++)
4639 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4641 if (num_regs > NFT_REG32_COUNT)
4647 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4648 const struct nlattr *nla)
4650 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4653 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4654 nft_set_desc_policy, NULL);
4658 if (da[NFTA_SET_DESC_SIZE] != NULL)
4659 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4660 if (da[NFTA_SET_DESC_CONCAT])
4661 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4666 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4667 const struct nlattr * const *nla,
4668 struct nft_expr **exprs, int *num_exprs,
4671 struct nft_expr *expr;
4674 if (nla[NFTA_SET_EXPR]) {
4675 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4677 err = PTR_ERR(expr);
4678 goto err_set_expr_alloc;
4682 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4686 if (!(flags & NFT_SET_EXPR)) {
4688 goto err_set_expr_alloc;
4691 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4692 if (i == NFT_SET_EXPR_MAX) {
4694 goto err_set_expr_alloc;
4696 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4698 goto err_set_expr_alloc;
4700 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4702 err = PTR_ERR(expr);
4703 goto err_set_expr_alloc;
4713 for (i = 0; i < *num_exprs; i++)
4714 nft_expr_destroy(ctx, exprs[i]);
4719 static bool nft_set_is_same(const struct nft_set *set,
4720 const struct nft_set_desc *desc,
4721 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4725 if (set->ktype != desc->ktype ||
4726 set->dtype != desc->dtype ||
4727 set->flags != flags ||
4728 set->klen != desc->klen ||
4729 set->dlen != desc->dlen ||
4730 set->field_count != desc->field_count ||
4731 set->num_exprs != num_exprs)
4734 for (i = 0; i < desc->field_count; i++) {
4735 if (set->field_len[i] != desc->field_len[i])
4739 for (i = 0; i < num_exprs; i++) {
4740 if (set->exprs[i]->ops != exprs[i]->ops)
4747 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4748 const struct nlattr * const nla[])
4750 struct netlink_ext_ack *extack = info->extack;
4751 u8 genmask = nft_genmask_next(info->net);
4752 u8 family = info->nfmsg->nfgen_family;
4753 const struct nft_set_ops *ops;
4754 struct net *net = info->net;
4755 struct nft_set_desc desc;
4756 struct nft_table *table;
4757 unsigned char *udata;
4758 struct nft_set *set;
4768 if (nla[NFTA_SET_TABLE] == NULL ||
4769 nla[NFTA_SET_NAME] == NULL ||
4770 nla[NFTA_SET_KEY_LEN] == NULL ||
4771 nla[NFTA_SET_ID] == NULL)
4774 memset(&desc, 0, sizeof(desc));
4776 desc.ktype = NFT_DATA_VALUE;
4777 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4778 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4779 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4783 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4784 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4788 if (nla[NFTA_SET_FLAGS] != NULL) {
4789 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4790 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4791 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4792 NFT_SET_MAP | NFT_SET_EVAL |
4793 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4795 /* Only one of these operations is supported */
4796 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4797 (NFT_SET_MAP | NFT_SET_OBJECT))
4799 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4800 (NFT_SET_EVAL | NFT_SET_OBJECT))
4805 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4806 if (!(flags & NFT_SET_MAP))
4809 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4810 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4811 desc.dtype != NFT_DATA_VERDICT)
4814 if (desc.dtype != NFT_DATA_VERDICT) {
4815 if (nla[NFTA_SET_DATA_LEN] == NULL)
4817 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4818 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4821 desc.dlen = sizeof(struct nft_verdict);
4822 } else if (flags & NFT_SET_MAP)
4825 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4826 if (!(flags & NFT_SET_OBJECT))
4829 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4830 if (desc.objtype == NFT_OBJECT_UNSPEC ||
4831 desc.objtype > NFT_OBJECT_MAX)
4833 } else if (flags & NFT_SET_OBJECT)
4836 desc.objtype = NFT_OBJECT_UNSPEC;
4839 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4840 if (!(flags & NFT_SET_TIMEOUT))
4843 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
4848 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4849 if (!(flags & NFT_SET_TIMEOUT))
4851 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4854 desc.policy = NFT_SET_POL_PERFORMANCE;
4855 if (nla[NFTA_SET_POLICY] != NULL)
4856 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4858 if (nla[NFTA_SET_DESC] != NULL) {
4859 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4863 if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
4865 } else if (flags & NFT_SET_CONCAT) {
4869 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4872 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4873 NETLINK_CB(skb).portid);
4874 if (IS_ERR(table)) {
4875 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4876 return PTR_ERR(table);
4879 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4881 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4883 if (PTR_ERR(set) != -ENOENT) {
4884 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4885 return PTR_ERR(set);
4888 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
4890 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4891 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4894 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4897 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
4902 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
4903 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4907 for (i = 0; i < num_exprs; i++)
4908 nft_expr_destroy(&ctx, exprs[i]);
4913 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
4916 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4919 ops = nft_select_set_ops(&ctx, nla, &desc);
4921 return PTR_ERR(ops);
4924 if (nla[NFTA_SET_USERDATA])
4925 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4928 if (ops->privsize != NULL)
4929 size = ops->privsize(nla, &desc);
4930 alloc_size = sizeof(*set) + size + udlen;
4931 if (alloc_size < size || alloc_size > INT_MAX)
4933 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4937 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4943 err = nf_tables_set_alloc_name(&ctx, set, name);
4950 udata = set->data + size;
4951 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4954 INIT_LIST_HEAD(&set->bindings);
4955 INIT_LIST_HEAD(&set->catchall_list);
4957 write_pnet(&set->net, net);
4959 set->ktype = desc.ktype;
4960 set->klen = desc.klen;
4961 set->dtype = desc.dtype;
4962 set->objtype = desc.objtype;
4963 set->dlen = desc.dlen;
4965 set->size = desc.size;
4966 set->policy = desc.policy;
4969 set->timeout = desc.timeout;
4970 set->gc_int = desc.gc_int;
4972 set->field_count = desc.field_count;
4973 for (i = 0; i < desc.field_count; i++)
4974 set->field_len[i] = desc.field_len[i];
4976 err = ops->init(set, &desc, nla);
4980 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
4982 goto err_set_destroy;
4984 set->num_exprs = num_exprs;
4985 set->handle = nf_tables_alloc_handle(table);
4986 INIT_LIST_HEAD(&set->pending_update);
4988 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4990 goto err_set_expr_alloc;
4992 list_add_tail_rcu(&set->list, &table->sets);
4997 for (i = 0; i < set->num_exprs; i++)
4998 nft_expr_destroy(&ctx, set->exprs[i]);
5008 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5009 struct nft_set *set)
5011 struct nft_set_elem_catchall *next, *catchall;
5013 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5014 list_del_rcu(&catchall->list);
5015 nft_set_elem_destroy(set, catchall->elem, true);
5016 kfree_rcu(catchall, rcu);
5020 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5024 if (WARN_ON(set->use > 0))
5027 for (i = 0; i < set->num_exprs; i++)
5028 nft_expr_destroy(ctx, set->exprs[i]);
5030 set->ops->destroy(set);
5031 nft_set_catchall_destroy(ctx, set);
5036 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5037 const struct nlattr * const nla[])
5039 struct netlink_ext_ack *extack = info->extack;
5040 u8 genmask = nft_genmask_next(info->net);
5041 u8 family = info->nfmsg->nfgen_family;
5042 struct net *net = info->net;
5043 const struct nlattr *attr;
5044 struct nft_table *table;
5045 struct nft_set *set;
5048 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5049 return -EAFNOSUPPORT;
5051 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5052 genmask, NETLINK_CB(skb).portid);
5053 if (IS_ERR(table)) {
5054 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5055 return PTR_ERR(table);
5058 if (nla[NFTA_SET_HANDLE]) {
5059 attr = nla[NFTA_SET_HANDLE];
5060 set = nft_set_lookup_byhandle(table, attr, genmask);
5062 attr = nla[NFTA_SET_NAME];
5063 set = nft_set_lookup(table, attr, genmask);
5067 if (PTR_ERR(set) == -ENOENT &&
5068 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5071 NL_SET_BAD_ATTR(extack, attr);
5072 return PTR_ERR(set);
5075 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5076 atomic_read(&set->nelems) > 0)) {
5077 NL_SET_BAD_ATTR(extack, attr);
5081 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5083 return nft_delset(&ctx, set);
5086 static int nft_validate_register_store(const struct nft_ctx *ctx,
5087 enum nft_registers reg,
5088 const struct nft_data *data,
5089 enum nft_data_types type,
5092 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5093 struct nft_set *set,
5094 struct nft_set_elem *elem)
5096 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5097 enum nft_registers dreg;
5099 dreg = nft_type_to_reg(set->dtype);
5100 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5101 set->dtype == NFT_DATA_VERDICT ?
5102 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5106 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5107 struct nft_set *set,
5108 const struct nft_set_iter *iter,
5109 struct nft_set_elem *elem)
5111 return nft_setelem_data_validate(ctx, set, elem);
5114 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5115 struct nft_set *set)
5117 u8 genmask = nft_genmask_next(ctx->net);
5118 struct nft_set_elem_catchall *catchall;
5119 struct nft_set_elem elem;
5120 struct nft_set_ext *ext;
5123 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5124 ext = nft_set_elem_ext(set, catchall->elem);
5125 if (!nft_set_elem_active(ext, genmask))
5128 elem.priv = catchall->elem;
5129 ret = nft_setelem_data_validate(ctx, set, &elem);
5137 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5138 struct nft_set_binding *binding)
5140 struct nft_set_binding *i;
5141 struct nft_set_iter iter;
5143 if (set->use == UINT_MAX)
5146 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5149 if (binding->flags & NFT_SET_MAP) {
5150 /* If the set is already bound to the same chain all
5151 * jumps are already validated for that chain.
5153 list_for_each_entry(i, &set->bindings, list) {
5154 if (i->flags & NFT_SET_MAP &&
5155 i->chain == binding->chain)
5159 iter.genmask = nft_genmask_next(ctx->net);
5163 iter.fn = nf_tables_bind_check_setelem;
5165 set->ops->walk(ctx, set, &iter);
5167 iter.err = nft_set_catchall_bind_check(ctx, set);
5173 binding->chain = ctx->chain;
5174 list_add_tail_rcu(&binding->list, &set->bindings);
5175 nft_set_trans_bind(ctx, set);
5180 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5182 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5183 struct nft_set_binding *binding, bool event)
5185 list_del_rcu(&binding->list);
5187 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5188 list_del_rcu(&set->list);
5190 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5195 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5197 if (nft_set_is_anonymous(set))
5198 nft_clear(ctx->net, set);
5202 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5204 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5205 struct nft_set_binding *binding,
5206 enum nft_trans_phase phase)
5209 case NFT_TRANS_PREPARE_ERROR:
5210 nft_set_trans_unbind(ctx, set);
5211 if (nft_set_is_anonymous(set))
5212 nft_deactivate_next(ctx->net, set);
5216 case NFT_TRANS_PREPARE:
5217 if (nft_set_is_anonymous(set))
5218 nft_deactivate_next(ctx->net, set);
5222 case NFT_TRANS_ABORT:
5223 case NFT_TRANS_RELEASE:
5227 nf_tables_unbind_set(ctx, set, binding,
5228 phase == NFT_TRANS_COMMIT);
5231 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5233 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5235 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5236 nft_set_destroy(ctx, set);
5238 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5240 const struct nft_set_ext_type nft_set_ext_types[] = {
5241 [NFT_SET_EXT_KEY] = {
5242 .align = __alignof__(u32),
5244 [NFT_SET_EXT_DATA] = {
5245 .align = __alignof__(u32),
5247 [NFT_SET_EXT_EXPRESSIONS] = {
5248 .align = __alignof__(struct nft_set_elem_expr),
5250 [NFT_SET_EXT_OBJREF] = {
5251 .len = sizeof(struct nft_object *),
5252 .align = __alignof__(struct nft_object *),
5254 [NFT_SET_EXT_FLAGS] = {
5256 .align = __alignof__(u8),
5258 [NFT_SET_EXT_TIMEOUT] = {
5260 .align = __alignof__(u64),
5262 [NFT_SET_EXT_EXPIRATION] = {
5264 .align = __alignof__(u64),
5266 [NFT_SET_EXT_USERDATA] = {
5267 .len = sizeof(struct nft_userdata),
5268 .align = __alignof__(struct nft_userdata),
5270 [NFT_SET_EXT_KEY_END] = {
5271 .align = __alignof__(u32),
5279 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5280 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5281 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5282 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5283 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5284 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5285 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5286 .len = NFT_USERDATA_MAXLEN },
5287 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5288 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5289 .len = NFT_OBJ_MAXNAMELEN - 1 },
5290 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5291 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
5294 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5295 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5296 .len = NFT_TABLE_MAXNAMELEN - 1 },
5297 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5298 .len = NFT_SET_MAXNAMELEN - 1 },
5299 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
5300 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5303 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5304 const struct nft_set *set,
5305 const struct nft_set_ext *ext)
5307 struct nft_set_elem_expr *elem_expr;
5308 u32 size, num_exprs = 0;
5309 struct nft_expr *expr;
5310 struct nlattr *nest;
5312 elem_expr = nft_set_ext_expr(ext);
5313 nft_setelem_expr_foreach(expr, elem_expr, size)
5316 if (num_exprs == 1) {
5317 expr = nft_setelem_expr_at(elem_expr, 0);
5318 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, false) < 0)
5322 } else if (num_exprs > 1) {
5323 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5325 goto nla_put_failure;
5327 nft_setelem_expr_foreach(expr, elem_expr, size) {
5328 expr = nft_setelem_expr_at(elem_expr, size);
5329 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, false) < 0)
5330 goto nla_put_failure;
5332 nla_nest_end(skb, nest);
5340 static int nf_tables_fill_setelem(struct sk_buff *skb,
5341 const struct nft_set *set,
5342 const struct nft_set_elem *elem)
5344 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5345 unsigned char *b = skb_tail_pointer(skb);
5346 struct nlattr *nest;
5348 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5350 goto nla_put_failure;
5352 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5353 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5354 NFT_DATA_VALUE, set->klen) < 0)
5355 goto nla_put_failure;
5357 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5358 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5359 NFT_DATA_VALUE, set->klen) < 0)
5360 goto nla_put_failure;
5362 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5363 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5364 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5366 goto nla_put_failure;
5368 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5369 nft_set_elem_expr_dump(skb, set, ext))
5370 goto nla_put_failure;
5372 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5373 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5374 (*nft_set_ext_obj(ext))->key.name) < 0)
5375 goto nla_put_failure;
5377 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5378 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5379 htonl(*nft_set_ext_flags(ext))))
5380 goto nla_put_failure;
5382 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5383 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5384 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5386 goto nla_put_failure;
5388 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5389 u64 expires, now = get_jiffies_64();
5391 expires = *nft_set_ext_expiration(ext);
5392 if (time_before64(now, expires))
5397 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5398 nf_jiffies64_to_msecs(expires),
5400 goto nla_put_failure;
5403 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5404 struct nft_userdata *udata;
5406 udata = nft_set_ext_userdata(ext);
5407 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5408 udata->len + 1, udata->data))
5409 goto nla_put_failure;
5412 nla_nest_end(skb, nest);
5420 struct nft_set_dump_args {
5421 const struct netlink_callback *cb;
5422 struct nft_set_iter iter;
5423 struct sk_buff *skb;
5426 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5427 struct nft_set *set,
5428 const struct nft_set_iter *iter,
5429 struct nft_set_elem *elem)
5431 struct nft_set_dump_args *args;
5433 args = container_of(iter, struct nft_set_dump_args, iter);
5434 return nf_tables_fill_setelem(args->skb, set, elem);
5437 struct nft_set_dump_ctx {
5438 const struct nft_set *set;
5442 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5443 const struct nft_set *set)
5445 struct nft_set_elem_catchall *catchall;
5446 u8 genmask = nft_genmask_cur(net);
5447 struct nft_set_elem elem;
5448 struct nft_set_ext *ext;
5451 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5452 ext = nft_set_elem_ext(set, catchall->elem);
5453 if (!nft_set_elem_active(ext, genmask) ||
5454 nft_set_elem_expired(ext))
5457 elem.priv = catchall->elem;
5458 ret = nf_tables_fill_setelem(skb, set, &elem);
5465 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5467 struct nft_set_dump_ctx *dump_ctx = cb->data;
5468 struct net *net = sock_net(skb->sk);
5469 struct nftables_pernet *nft_net;
5470 struct nft_table *table;
5471 struct nft_set *set;
5472 struct nft_set_dump_args args;
5473 bool set_found = false;
5474 struct nlmsghdr *nlh;
5475 struct nlattr *nest;
5480 nft_net = nft_pernet(net);
5481 cb->seq = READ_ONCE(nft_net->base_seq);
5483 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5484 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5485 dump_ctx->ctx.family != table->family)
5488 if (table != dump_ctx->ctx.table)
5491 list_for_each_entry_rcu(set, &table->sets, list) {
5492 if (set == dump_ctx->set) {
5505 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5506 portid = NETLINK_CB(cb->skb).portid;
5507 seq = cb->nlh->nlmsg_seq;
5509 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5510 table->family, NFNETLINK_V0, nft_base_seq(net));
5512 goto nla_put_failure;
5514 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5515 goto nla_put_failure;
5516 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5517 goto nla_put_failure;
5519 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5521 goto nla_put_failure;
5525 args.iter.genmask = nft_genmask_cur(net);
5526 args.iter.skip = cb->args[0];
5527 args.iter.count = 0;
5529 args.iter.fn = nf_tables_dump_setelem;
5530 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5532 if (!args.iter.err && args.iter.count == cb->args[0])
5533 args.iter.err = nft_set_catchall_dump(net, skb, set);
5536 nla_nest_end(skb, nest);
5537 nlmsg_end(skb, nlh);
5539 if (args.iter.err && args.iter.err != -EMSGSIZE)
5540 return args.iter.err;
5541 if (args.iter.count == cb->args[0])
5544 cb->args[0] = args.iter.count;
5552 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5554 struct nft_set_dump_ctx *dump_ctx = cb->data;
5556 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5558 return cb->data ? 0 : -ENOMEM;
5561 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5567 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5568 const struct nft_ctx *ctx, u32 seq,
5569 u32 portid, int event, u16 flags,
5570 const struct nft_set *set,
5571 const struct nft_set_elem *elem)
5573 struct nlmsghdr *nlh;
5574 struct nlattr *nest;
5577 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5578 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5579 NFNETLINK_V0, nft_base_seq(ctx->net));
5581 goto nla_put_failure;
5583 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5584 goto nla_put_failure;
5585 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5586 goto nla_put_failure;
5588 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5590 goto nla_put_failure;
5592 err = nf_tables_fill_setelem(skb, set, elem);
5594 goto nla_put_failure;
5596 nla_nest_end(skb, nest);
5598 nlmsg_end(skb, nlh);
5602 nlmsg_trim(skb, nlh);
5606 static int nft_setelem_parse_flags(const struct nft_set *set,
5607 const struct nlattr *attr, u32 *flags)
5612 *flags = ntohl(nla_get_be32(attr));
5613 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5615 if (!(set->flags & NFT_SET_INTERVAL) &&
5616 *flags & NFT_SET_ELEM_INTERVAL_END)
5618 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5619 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5625 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5626 struct nft_data *key, struct nlattr *attr)
5628 struct nft_data_desc desc = {
5629 .type = NFT_DATA_VALUE,
5630 .size = NFT_DATA_VALUE_MAXLEN,
5634 return nft_data_init(ctx, key, &desc, attr);
5637 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5638 struct nft_data_desc *desc,
5639 struct nft_data *data,
5640 struct nlattr *attr)
5644 if (set->dtype == NFT_DATA_VERDICT)
5645 dtype = NFT_DATA_VERDICT;
5647 dtype = NFT_DATA_VALUE;
5650 desc->size = NFT_DATA_VALUE_MAXLEN;
5651 desc->len = set->dlen;
5652 desc->flags = NFT_DATA_DESC_SETELEM;
5654 return nft_data_init(ctx, data, desc, attr);
5657 static void *nft_setelem_catchall_get(const struct net *net,
5658 const struct nft_set *set)
5660 struct nft_set_elem_catchall *catchall;
5661 u8 genmask = nft_genmask_cur(net);
5662 struct nft_set_ext *ext;
5665 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5666 ext = nft_set_elem_ext(set, catchall->elem);
5667 if (!nft_set_elem_active(ext, genmask) ||
5668 nft_set_elem_expired(ext))
5671 priv = catchall->elem;
5678 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5679 struct nft_set_elem *elem, u32 flags)
5683 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5684 priv = set->ops->get(ctx->net, set, elem, flags);
5686 return PTR_ERR(priv);
5688 priv = nft_setelem_catchall_get(ctx->net, set);
5697 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5698 const struct nlattr *attr)
5700 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5701 struct nft_set_elem elem;
5702 struct sk_buff *skb;
5706 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5707 nft_set_elem_policy, NULL);
5711 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5715 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5718 if (nla[NFTA_SET_ELEM_KEY]) {
5719 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5720 nla[NFTA_SET_ELEM_KEY]);
5725 if (nla[NFTA_SET_ELEM_KEY_END]) {
5726 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5727 nla[NFTA_SET_ELEM_KEY_END]);
5732 err = nft_setelem_get(ctx, set, &elem, flags);
5737 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5741 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5742 NFT_MSG_NEWSETELEM, 0, set, &elem);
5744 goto err_fill_setelem;
5746 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5753 /* called with rcu_read_lock held */
5754 static int nf_tables_getsetelem(struct sk_buff *skb,
5755 const struct nfnl_info *info,
5756 const struct nlattr * const nla[])
5758 struct netlink_ext_ack *extack = info->extack;
5759 u8 genmask = nft_genmask_cur(info->net);
5760 u8 family = info->nfmsg->nfgen_family;
5761 struct net *net = info->net;
5762 struct nft_table *table;
5763 struct nft_set *set;
5764 struct nlattr *attr;
5768 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5770 if (IS_ERR(table)) {
5771 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5772 return PTR_ERR(table);
5775 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5777 return PTR_ERR(set);
5779 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5781 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5782 struct netlink_dump_control c = {
5783 .start = nf_tables_dump_set_start,
5784 .dump = nf_tables_dump_set,
5785 .done = nf_tables_dump_set_done,
5786 .module = THIS_MODULE,
5788 struct nft_set_dump_ctx dump_ctx = {
5794 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5797 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5800 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5801 err = nft_get_set_elem(&ctx, set, attr);
5803 NL_SET_BAD_ATTR(extack, attr);
5811 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5812 const struct nft_set *set,
5813 const struct nft_set_elem *elem,
5816 struct nftables_pernet *nft_net;
5817 struct net *net = ctx->net;
5818 u32 portid = ctx->portid;
5819 struct sk_buff *skb;
5823 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5826 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5830 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5831 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5833 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5840 nft_net = nft_pernet(net);
5841 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5844 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5847 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5849 struct nft_set *set)
5851 struct nft_trans *trans;
5853 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5857 nft_trans_elem_set(trans) = set;
5861 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5862 const struct nft_set *set,
5863 const struct nlattr *attr)
5865 struct nft_expr *expr;
5868 expr = nft_expr_init(ctx, attr);
5873 if (expr->ops->type->flags & NFT_EXPR_GC) {
5874 if (set->flags & NFT_SET_TIMEOUT)
5875 goto err_set_elem_expr;
5876 if (!set->ops->gc_init)
5877 goto err_set_elem_expr;
5878 set->ops->gc_init(set);
5884 nft_expr_destroy(ctx, expr);
5885 return ERR_PTR(err);
5888 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
5890 len += nft_set_ext_types[id].len;
5891 if (len > tmpl->ext_len[id] ||
5898 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
5899 void *to, const void *from, u32 len)
5901 if (nft_set_ext_check(tmpl, id, len) < 0)
5904 memcpy(to, from, len);
5909 void *nft_set_elem_init(const struct nft_set *set,
5910 const struct nft_set_ext_tmpl *tmpl,
5911 const u32 *key, const u32 *key_end,
5912 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5914 struct nft_set_ext *ext;
5917 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5919 return ERR_PTR(-ENOMEM);
5921 ext = nft_set_elem_ext(set, elem);
5922 nft_set_ext_init(ext, tmpl);
5924 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5925 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
5926 nft_set_ext_key(ext), key, set->klen) < 0)
5929 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5930 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
5931 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
5934 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5935 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
5936 nft_set_ext_data(ext), data, set->dlen) < 0)
5939 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5940 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5941 if (expiration == 0)
5942 *nft_set_ext_expiration(ext) += timeout;
5944 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5945 *nft_set_ext_timeout(ext) = timeout;
5952 return ERR_PTR(-EINVAL);
5955 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5956 struct nft_expr *expr)
5958 if (expr->ops->destroy_clone) {
5959 expr->ops->destroy_clone(ctx, expr);
5960 module_put(expr->ops->type->owner);
5962 nf_tables_expr_destroy(ctx, expr);
5966 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5967 struct nft_set_elem_expr *elem_expr)
5969 struct nft_expr *expr;
5972 nft_setelem_expr_foreach(expr, elem_expr, size)
5973 __nft_set_elem_expr_destroy(ctx, expr);
5976 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5979 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5980 struct nft_ctx ctx = {
5981 .net = read_pnet(&set->net),
5982 .family = set->table->family,
5985 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5986 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5987 nft_data_release(nft_set_ext_data(ext), set->dtype);
5988 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5989 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5991 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5992 (*nft_set_ext_obj(ext))->use--;
5995 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5997 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5998 * with the refcounting from the preparation phase.
6000 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6001 const struct nft_set *set, void *elem)
6003 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
6005 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6006 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6011 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6012 struct nft_expr *expr_array[])
6014 struct nft_expr *expr;
6017 for (i = 0; i < set->num_exprs; i++) {
6018 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6022 err = nft_expr_clone(expr, set->exprs[i]);
6027 expr_array[i] = expr;
6033 for (k = i - 1; k >= 0; k--)
6034 nft_expr_destroy(ctx, expr_array[k]);
6039 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6040 const struct nft_set_ext_tmpl *tmpl,
6041 const struct nft_set_ext *ext,
6042 struct nft_expr *expr_array[],
6045 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6046 u32 len = sizeof(struct nft_set_elem_expr);
6047 struct nft_expr *expr;
6053 for (i = 0; i < num_exprs; i++)
6054 len += expr_array[i]->ops->size;
6056 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6059 for (i = 0; i < num_exprs; i++) {
6060 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6061 err = nft_expr_clone(expr, expr_array[i]);
6063 goto err_elem_expr_setup;
6065 elem_expr->size += expr_array[i]->ops->size;
6066 nft_expr_destroy(ctx, expr_array[i]);
6067 expr_array[i] = NULL;
6072 err_elem_expr_setup:
6073 for (; i < num_exprs; i++) {
6074 nft_expr_destroy(ctx, expr_array[i]);
6075 expr_array[i] = NULL;
6081 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6082 const struct nft_set *set)
6084 struct nft_set_elem_catchall *catchall;
6085 u8 genmask = nft_genmask_cur(net);
6086 struct nft_set_ext *ext;
6088 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6089 ext = nft_set_elem_ext(set, catchall->elem);
6090 if (nft_set_elem_active(ext, genmask) &&
6091 !nft_set_elem_expired(ext))
6097 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6099 void *nft_set_catchall_gc(const struct nft_set *set)
6101 struct nft_set_elem_catchall *catchall, *next;
6102 struct nft_set_ext *ext;
6105 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6106 ext = nft_set_elem_ext(set, catchall->elem);
6108 if (!nft_set_elem_expired(ext) ||
6109 nft_set_elem_mark_busy(ext))
6112 elem = catchall->elem;
6113 list_del_rcu(&catchall->list);
6114 kfree_rcu(catchall, rcu);
6120 EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
6122 static int nft_setelem_catchall_insert(const struct net *net,
6123 struct nft_set *set,
6124 const struct nft_set_elem *elem,
6125 struct nft_set_ext **pext)
6127 struct nft_set_elem_catchall *catchall;
6128 u8 genmask = nft_genmask_next(net);
6129 struct nft_set_ext *ext;
6131 list_for_each_entry(catchall, &set->catchall_list, list) {
6132 ext = nft_set_elem_ext(set, catchall->elem);
6133 if (nft_set_elem_active(ext, genmask)) {
6139 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6143 catchall->elem = elem->priv;
6144 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6149 static int nft_setelem_insert(const struct net *net,
6150 struct nft_set *set,
6151 const struct nft_set_elem *elem,
6152 struct nft_set_ext **ext, unsigned int flags)
6156 if (flags & NFT_SET_ELEM_CATCHALL)
6157 ret = nft_setelem_catchall_insert(net, set, elem, ext);
6159 ret = set->ops->insert(net, set, elem, ext);
6164 static bool nft_setelem_is_catchall(const struct nft_set *set,
6165 const struct nft_set_elem *elem)
6167 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6169 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6170 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6176 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6177 struct nft_set_elem *elem)
6179 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6181 if (nft_setelem_is_catchall(set, elem)) {
6182 nft_set_elem_change_active(net, set, ext);
6183 nft_set_elem_clear_busy(ext);
6185 set->ops->activate(net, set, elem);
6189 static int nft_setelem_catchall_deactivate(const struct net *net,
6190 struct nft_set *set,
6191 struct nft_set_elem *elem)
6193 struct nft_set_elem_catchall *catchall;
6194 struct nft_set_ext *ext;
6196 list_for_each_entry(catchall, &set->catchall_list, list) {
6197 ext = nft_set_elem_ext(set, catchall->elem);
6198 if (!nft_is_active(net, ext) ||
6199 nft_set_elem_mark_busy(ext))
6203 elem->priv = catchall->elem;
6204 nft_set_elem_change_active(net, set, ext);
6211 static int __nft_setelem_deactivate(const struct net *net,
6212 struct nft_set *set,
6213 struct nft_set_elem *elem)
6217 priv = set->ops->deactivate(net, set, elem);
6228 static int nft_setelem_deactivate(const struct net *net,
6229 struct nft_set *set,
6230 struct nft_set_elem *elem, u32 flags)
6234 if (flags & NFT_SET_ELEM_CATCHALL)
6235 ret = nft_setelem_catchall_deactivate(net, set, elem);
6237 ret = __nft_setelem_deactivate(net, set, elem);
6242 static void nft_setelem_catchall_remove(const struct net *net,
6243 const struct nft_set *set,
6244 const struct nft_set_elem *elem)
6246 struct nft_set_elem_catchall *catchall, *next;
6248 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6249 if (catchall->elem == elem->priv) {
6250 list_del_rcu(&catchall->list);
6251 kfree_rcu(catchall, rcu);
6257 static void nft_setelem_remove(const struct net *net,
6258 const struct nft_set *set,
6259 const struct nft_set_elem *elem)
6261 if (nft_setelem_is_catchall(set, elem))
6262 nft_setelem_catchall_remove(net, set, elem);
6264 set->ops->remove(net, set, elem);
6267 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6268 struct nlattr **nla, u32 flags)
6270 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6271 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6272 if (flags & NFT_SET_ELEM_INTERVAL_END)
6275 if (nla[NFTA_SET_ELEM_KEY_END] &&
6276 flags & NFT_SET_ELEM_CATCHALL)
6279 if (nla[NFTA_SET_ELEM_KEY_END])
6286 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6287 const struct nlattr *attr, u32 nlmsg_flags)
6289 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6290 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6291 u8 genmask = nft_genmask_next(ctx->net);
6292 u32 flags = 0, size = 0, num_exprs = 0;
6293 struct nft_set_ext_tmpl tmpl;
6294 struct nft_set_ext *ext, *ext2;
6295 struct nft_set_elem elem;
6296 struct nft_set_binding *binding;
6297 struct nft_object *obj = NULL;
6298 struct nft_userdata *udata;
6299 struct nft_data_desc desc;
6300 enum nft_registers dreg;
6301 struct nft_trans *trans;
6307 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6308 nft_set_elem_policy, NULL);
6312 nft_set_ext_prepare(&tmpl);
6314 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6318 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6319 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6323 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6328 if (set->flags & NFT_SET_MAP) {
6329 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6330 !(flags & NFT_SET_ELEM_INTERVAL_END))
6333 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6337 if (set->flags & NFT_SET_OBJECT) {
6338 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6339 !(flags & NFT_SET_ELEM_INTERVAL_END))
6342 if (nla[NFTA_SET_ELEM_OBJREF])
6346 if (!nft_setelem_valid_key_end(set, nla, flags))
6349 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6350 (nla[NFTA_SET_ELEM_DATA] ||
6351 nla[NFTA_SET_ELEM_OBJREF] ||
6352 nla[NFTA_SET_ELEM_TIMEOUT] ||
6353 nla[NFTA_SET_ELEM_EXPIRATION] ||
6354 nla[NFTA_SET_ELEM_USERDATA] ||
6355 nla[NFTA_SET_ELEM_EXPR] ||
6356 nla[NFTA_SET_ELEM_KEY_END] ||
6357 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6361 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6362 if (!(set->flags & NFT_SET_TIMEOUT))
6364 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6368 } else if (set->flags & NFT_SET_TIMEOUT &&
6369 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6370 timeout = READ_ONCE(set->timeout);
6374 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6375 if (!(set->flags & NFT_SET_TIMEOUT))
6377 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6383 if (nla[NFTA_SET_ELEM_EXPR]) {
6384 struct nft_expr *expr;
6386 if (set->num_exprs && set->num_exprs != 1)
6389 expr = nft_set_elem_expr_alloc(ctx, set,
6390 nla[NFTA_SET_ELEM_EXPR]);
6392 return PTR_ERR(expr);
6394 expr_array[0] = expr;
6397 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6399 goto err_set_elem_expr;
6401 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6402 struct nft_expr *expr;
6407 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6408 if (i == NFT_SET_EXPR_MAX ||
6409 (set->num_exprs && set->num_exprs == i)) {
6411 goto err_set_elem_expr;
6413 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6415 goto err_set_elem_expr;
6417 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6419 err = PTR_ERR(expr);
6420 goto err_set_elem_expr;
6422 expr_array[i] = expr;
6425 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6427 goto err_set_elem_expr;
6431 if (set->num_exprs && set->num_exprs != i) {
6433 goto err_set_elem_expr;
6435 } else if (set->num_exprs > 0 &&
6436 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6437 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6439 goto err_set_elem_expr_clone;
6441 num_exprs = set->num_exprs;
6444 if (nla[NFTA_SET_ELEM_KEY]) {
6445 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6446 nla[NFTA_SET_ELEM_KEY]);
6448 goto err_set_elem_expr;
6450 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6455 if (nla[NFTA_SET_ELEM_KEY_END]) {
6456 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6457 nla[NFTA_SET_ELEM_KEY_END]);
6461 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6463 goto err_parse_key_end;
6467 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6469 goto err_parse_key_end;
6471 if (timeout != READ_ONCE(set->timeout)) {
6472 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6474 goto err_parse_key_end;
6479 for (i = 0; i < num_exprs; i++)
6480 size += expr_array[i]->ops->size;
6482 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6483 sizeof(struct nft_set_elem_expr) + size);
6485 goto err_parse_key_end;
6488 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6489 obj = nft_obj_lookup(ctx->net, ctx->table,
6490 nla[NFTA_SET_ELEM_OBJREF],
6491 set->objtype, genmask);
6494 goto err_parse_key_end;
6496 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6498 goto err_parse_key_end;
6501 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6502 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6503 nla[NFTA_SET_ELEM_DATA]);
6505 goto err_parse_key_end;
6507 dreg = nft_type_to_reg(set->dtype);
6508 list_for_each_entry(binding, &set->bindings, list) {
6509 struct nft_ctx bind_ctx = {
6511 .family = ctx->family,
6512 .table = ctx->table,
6513 .chain = (struct nft_chain *)binding->chain,
6516 if (!(binding->flags & NFT_SET_MAP))
6519 err = nft_validate_register_store(&bind_ctx, dreg,
6521 desc.type, desc.len);
6523 goto err_parse_data;
6525 if (desc.type == NFT_DATA_VERDICT &&
6526 (elem.data.val.verdict.code == NFT_GOTO ||
6527 elem.data.val.verdict.code == NFT_JUMP))
6528 nft_validate_state_update(ctx->table,
6532 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6534 goto err_parse_data;
6537 /* The full maximum length of userdata can exceed the maximum
6538 * offset value (U8_MAX) for following extensions, therefor it
6539 * must be the last extension added.
6542 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6543 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6545 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6548 goto err_parse_data;
6552 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6553 elem.key_end.val.data, elem.data.val.data,
6554 timeout, expiration, GFP_KERNEL_ACCOUNT);
6555 if (IS_ERR(elem.priv)) {
6556 err = PTR_ERR(elem.priv);
6557 goto err_parse_data;
6560 ext = nft_set_elem_ext(set, elem.priv);
6562 *nft_set_ext_flags(ext) = flags;
6565 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6567 goto err_elem_userdata;
6569 udata = nft_set_ext_userdata(ext);
6570 udata->len = ulen - 1;
6571 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6574 *nft_set_ext_obj(ext) = obj;
6577 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6581 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6582 if (trans == NULL) {
6587 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
6589 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
6591 if (err == -EEXIST) {
6592 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6593 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6594 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6595 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6596 goto err_element_clash;
6597 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6598 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6599 memcmp(nft_set_ext_data(ext),
6600 nft_set_ext_data(ext2), set->dlen) != 0) ||
6601 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6602 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6603 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6604 goto err_element_clash;
6605 else if (!(nlmsg_flags & NLM_F_EXCL))
6607 } else if (err == -ENOTEMPTY) {
6608 /* ENOTEMPTY reports overlapping between this element
6609 * and an existing one.
6613 goto err_element_clash;
6616 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
6617 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
6622 nft_trans_elem(trans) = elem;
6623 nft_trans_commit_list_add_tail(ctx->net, trans);
6627 nft_setelem_remove(ctx->net, set, &elem);
6634 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6636 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6637 nft_data_release(&elem.data.val, desc.type);
6639 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6641 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6643 for (i = 0; i < num_exprs && expr_array[i]; i++)
6644 nft_expr_destroy(ctx, expr_array[i]);
6645 err_set_elem_expr_clone:
6649 static int nf_tables_newsetelem(struct sk_buff *skb,
6650 const struct nfnl_info *info,
6651 const struct nlattr * const nla[])
6653 struct netlink_ext_ack *extack = info->extack;
6654 u8 genmask = nft_genmask_next(info->net);
6655 u8 family = info->nfmsg->nfgen_family;
6656 struct net *net = info->net;
6657 const struct nlattr *attr;
6658 struct nft_table *table;
6659 struct nft_set *set;
6663 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6666 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6667 genmask, NETLINK_CB(skb).portid);
6668 if (IS_ERR(table)) {
6669 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6670 return PTR_ERR(table);
6673 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6674 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6676 return PTR_ERR(set);
6678 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6681 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6683 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6684 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6686 NL_SET_BAD_ATTR(extack, attr);
6691 if (table->validate_state == NFT_VALIDATE_DO)
6692 return nft_table_validate(net, table);
6698 * nft_data_hold - hold a nft_data item
6700 * @data: struct nft_data to release
6701 * @type: type of data
6703 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6704 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6705 * NFT_GOTO verdicts. This function must be called on active data objects
6706 * from the second phase of the commit protocol.
6708 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6710 struct nft_chain *chain;
6712 if (type == NFT_DATA_VERDICT) {
6713 switch (data->verdict.code) {
6716 chain = data->verdict.chain;
6723 static void nft_setelem_data_activate(const struct net *net,
6724 const struct nft_set *set,
6725 struct nft_set_elem *elem)
6727 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6729 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6730 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6731 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6732 (*nft_set_ext_obj(ext))->use++;
6735 static void nft_setelem_data_deactivate(const struct net *net,
6736 const struct nft_set *set,
6737 struct nft_set_elem *elem)
6739 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6741 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6742 nft_data_release(nft_set_ext_data(ext), set->dtype);
6743 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6744 (*nft_set_ext_obj(ext))->use--;
6747 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6748 const struct nlattr *attr)
6750 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6751 struct nft_set_ext_tmpl tmpl;
6752 struct nft_set_elem elem;
6753 struct nft_set_ext *ext;
6754 struct nft_trans *trans;
6758 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6759 nft_set_elem_policy, NULL);
6763 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6767 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6770 if (!nft_setelem_valid_key_end(set, nla, flags))
6773 nft_set_ext_prepare(&tmpl);
6776 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6781 if (nla[NFTA_SET_ELEM_KEY]) {
6782 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6783 nla[NFTA_SET_ELEM_KEY]);
6787 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6792 if (nla[NFTA_SET_ELEM_KEY_END]) {
6793 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6794 nla[NFTA_SET_ELEM_KEY_END]);
6798 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6800 goto fail_elem_key_end;
6804 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6805 elem.key_end.val.data, NULL, 0, 0,
6806 GFP_KERNEL_ACCOUNT);
6807 if (IS_ERR(elem.priv)) {
6808 err = PTR_ERR(elem.priv);
6809 goto fail_elem_key_end;
6812 ext = nft_set_elem_ext(set, elem.priv);
6814 *nft_set_ext_flags(ext) = flags;
6816 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6820 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6824 nft_setelem_data_deactivate(ctx->net, set, &elem);
6826 nft_trans_elem(trans) = elem;
6827 nft_trans_commit_list_add_tail(ctx->net, trans);
6835 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6837 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6841 static int nft_setelem_flush(const struct nft_ctx *ctx,
6842 struct nft_set *set,
6843 const struct nft_set_iter *iter,
6844 struct nft_set_elem *elem)
6846 struct nft_trans *trans;
6849 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6850 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6854 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6860 nft_setelem_data_deactivate(ctx->net, set, elem);
6861 nft_trans_elem_set(trans) = set;
6862 nft_trans_elem(trans) = *elem;
6863 nft_trans_commit_list_add_tail(ctx->net, trans);
6871 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6872 struct nft_set *set,
6873 struct nft_set_elem *elem)
6875 struct nft_trans *trans;
6877 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6878 sizeof(struct nft_trans_elem), GFP_KERNEL);
6882 nft_setelem_data_deactivate(ctx->net, set, elem);
6883 nft_trans_elem_set(trans) = set;
6884 nft_trans_elem(trans) = *elem;
6885 nft_trans_commit_list_add_tail(ctx->net, trans);
6890 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6891 struct nft_set *set)
6893 u8 genmask = nft_genmask_next(ctx->net);
6894 struct nft_set_elem_catchall *catchall;
6895 struct nft_set_elem elem;
6896 struct nft_set_ext *ext;
6899 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6900 ext = nft_set_elem_ext(set, catchall->elem);
6901 if (!nft_set_elem_active(ext, genmask) ||
6902 nft_set_elem_mark_busy(ext))
6905 elem.priv = catchall->elem;
6906 ret = __nft_set_catchall_flush(ctx, set, &elem);
6914 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6916 struct nft_set_iter iter = {
6918 .fn = nft_setelem_flush,
6921 set->ops->walk(ctx, set, &iter);
6923 iter.err = nft_set_catchall_flush(ctx, set);
6928 static int nf_tables_delsetelem(struct sk_buff *skb,
6929 const struct nfnl_info *info,
6930 const struct nlattr * const nla[])
6932 struct netlink_ext_ack *extack = info->extack;
6933 u8 genmask = nft_genmask_next(info->net);
6934 u8 family = info->nfmsg->nfgen_family;
6935 struct net *net = info->net;
6936 const struct nlattr *attr;
6937 struct nft_table *table;
6938 struct nft_set *set;
6942 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6943 genmask, NETLINK_CB(skb).portid);
6944 if (IS_ERR(table)) {
6945 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6946 return PTR_ERR(table);
6949 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6951 return PTR_ERR(set);
6952 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6955 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6957 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6958 return nft_set_flush(&ctx, set, genmask);
6960 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6961 err = nft_del_setelem(&ctx, set, attr);
6962 if (err == -ENOENT &&
6963 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
6967 NL_SET_BAD_ATTR(extack, attr);
6974 void nft_set_gc_batch_release(struct rcu_head *rcu)
6976 struct nft_set_gc_batch *gcb;
6979 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6980 for (i = 0; i < gcb->head.cnt; i++)
6981 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6985 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6988 struct nft_set_gc_batch *gcb;
6990 gcb = kzalloc(sizeof(*gcb), gfp);
6993 gcb->head.set = set;
7002 * nft_register_obj- register nf_tables stateful object type
7003 * @obj_type: object type
7005 * Registers the object type for use with nf_tables. Returns zero on
7006 * success or a negative errno code otherwise.
7008 int nft_register_obj(struct nft_object_type *obj_type)
7010 if (obj_type->type == NFT_OBJECT_UNSPEC)
7013 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7014 list_add_rcu(&obj_type->list, &nf_tables_objects);
7015 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7018 EXPORT_SYMBOL_GPL(nft_register_obj);
7021 * nft_unregister_obj - unregister nf_tables object type
7022 * @obj_type: object type
7024 * Unregisters the object type for use with nf_tables.
7026 void nft_unregister_obj(struct nft_object_type *obj_type)
7028 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7029 list_del_rcu(&obj_type->list);
7030 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7032 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7034 struct nft_object *nft_obj_lookup(const struct net *net,
7035 const struct nft_table *table,
7036 const struct nlattr *nla, u32 objtype,
7039 struct nft_object_hash_key k = { .table = table };
7040 char search[NFT_OBJ_MAXNAMELEN];
7041 struct rhlist_head *tmp, *list;
7042 struct nft_object *obj;
7044 nla_strscpy(search, nla, sizeof(search));
7047 WARN_ON_ONCE(!rcu_read_lock_held() &&
7048 !lockdep_commit_lock_is_held(net));
7051 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7055 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7056 if (objtype == obj->ops->type->type &&
7057 nft_active_genmask(obj, genmask)) {
7064 return ERR_PTR(-ENOENT);
7066 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7068 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7069 const struct nlattr *nla,
7070 u32 objtype, u8 genmask)
7072 struct nft_object *obj;
7074 list_for_each_entry(obj, &table->objects, list) {
7075 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7076 objtype == obj->ops->type->type &&
7077 nft_active_genmask(obj, genmask))
7080 return ERR_PTR(-ENOENT);
7083 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7084 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7085 .len = NFT_TABLE_MAXNAMELEN - 1 },
7086 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7087 .len = NFT_OBJ_MAXNAMELEN - 1 },
7088 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7089 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7090 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7091 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7092 .len = NFT_USERDATA_MAXLEN },
7095 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7096 const struct nft_object_type *type,
7097 const struct nlattr *attr)
7100 const struct nft_object_ops *ops;
7101 struct nft_object *obj;
7104 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7109 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7110 type->policy, NULL);
7114 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7117 if (type->select_ops) {
7118 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7128 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7132 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7145 return ERR_PTR(err);
7148 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7149 struct nft_object *obj, bool reset)
7151 struct nlattr *nest;
7153 nest = nla_nest_start_noflag(skb, attr);
7155 goto nla_put_failure;
7156 if (obj->ops->dump(skb, obj, reset) < 0)
7157 goto nla_put_failure;
7158 nla_nest_end(skb, nest);
7165 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
7167 const struct nft_object_type *type;
7169 list_for_each_entry(type, &nf_tables_objects, list) {
7170 if (objtype == type->type)
7176 static const struct nft_object_type *
7177 nft_obj_type_get(struct net *net, u32 objtype)
7179 const struct nft_object_type *type;
7181 type = __nft_obj_type_get(objtype);
7182 if (type != NULL && try_module_get(type->owner))
7185 lockdep_nfnl_nft_mutex_not_held();
7186 #ifdef CONFIG_MODULES
7188 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7189 return ERR_PTR(-EAGAIN);
7192 return ERR_PTR(-ENOENT);
7195 static int nf_tables_updobj(const struct nft_ctx *ctx,
7196 const struct nft_object_type *type,
7197 const struct nlattr *attr,
7198 struct nft_object *obj)
7200 struct nft_object *newobj;
7201 struct nft_trans *trans;
7204 if (!try_module_get(type->owner))
7207 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7208 sizeof(struct nft_trans_obj));
7212 newobj = nft_obj_init(ctx, type, attr);
7213 if (IS_ERR(newobj)) {
7214 err = PTR_ERR(newobj);
7215 goto err_free_trans;
7218 nft_trans_obj(trans) = obj;
7219 nft_trans_obj_update(trans) = true;
7220 nft_trans_obj_newobj(trans) = newobj;
7221 nft_trans_commit_list_add_tail(ctx->net, trans);
7228 module_put(type->owner);
7232 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7233 const struct nlattr * const nla[])
7235 struct netlink_ext_ack *extack = info->extack;
7236 u8 genmask = nft_genmask_next(info->net);
7237 u8 family = info->nfmsg->nfgen_family;
7238 const struct nft_object_type *type;
7239 struct net *net = info->net;
7240 struct nft_table *table;
7241 struct nft_object *obj;
7246 if (!nla[NFTA_OBJ_TYPE] ||
7247 !nla[NFTA_OBJ_NAME] ||
7248 !nla[NFTA_OBJ_DATA])
7251 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7252 NETLINK_CB(skb).portid);
7253 if (IS_ERR(table)) {
7254 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7255 return PTR_ERR(table);
7258 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7259 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7262 if (err != -ENOENT) {
7263 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7267 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7268 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7271 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7274 type = __nft_obj_type_get(objtype);
7275 if (WARN_ON_ONCE(!type))
7278 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7280 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7283 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7285 type = nft_obj_type_get(net, objtype);
7287 return PTR_ERR(type);
7289 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7294 obj->key.table = table;
7295 obj->handle = nf_tables_alloc_handle(table);
7297 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7298 if (!obj->key.name) {
7303 if (nla[NFTA_OBJ_USERDATA]) {
7304 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7305 if (obj->udata == NULL)
7308 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7311 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7315 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7316 nft_objname_ht_params);
7320 list_add_tail_rcu(&obj->list, &table->objects);
7324 /* queued in transaction log */
7325 INIT_LIST_HEAD(&obj->list);
7330 kfree(obj->key.name);
7332 if (obj->ops->destroy)
7333 obj->ops->destroy(&ctx, obj);
7336 module_put(type->owner);
7340 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7341 u32 portid, u32 seq, int event, u32 flags,
7342 int family, const struct nft_table *table,
7343 struct nft_object *obj, bool reset)
7345 struct nlmsghdr *nlh;
7347 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7348 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7349 NFNETLINK_V0, nft_base_seq(net));
7351 goto nla_put_failure;
7353 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7354 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7355 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7357 goto nla_put_failure;
7359 if (event == NFT_MSG_DELOBJ) {
7360 nlmsg_end(skb, nlh);
7364 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7365 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7366 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7367 goto nla_put_failure;
7370 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7371 goto nla_put_failure;
7373 nlmsg_end(skb, nlh);
7377 nlmsg_trim(skb, nlh);
7381 struct nft_obj_filter {
7386 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7388 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7389 const struct nft_table *table;
7390 unsigned int idx = 0, s_idx = cb->args[0];
7391 struct nft_obj_filter *filter = cb->data;
7392 struct net *net = sock_net(skb->sk);
7393 int family = nfmsg->nfgen_family;
7394 struct nftables_pernet *nft_net;
7395 struct nft_object *obj;
7398 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7402 nft_net = nft_pernet(net);
7403 cb->seq = READ_ONCE(nft_net->base_seq);
7405 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7406 if (family != NFPROTO_UNSPEC && family != table->family)
7409 list_for_each_entry_rcu(obj, &table->objects, list) {
7410 if (!nft_is_active(net, obj))
7415 memset(&cb->args[1], 0,
7416 sizeof(cb->args) - sizeof(cb->args[0]));
7417 if (filter && filter->table &&
7418 strcmp(filter->table, table->name))
7421 filter->type != NFT_OBJECT_UNSPEC &&
7422 obj->ops->type->type != filter->type)
7425 char *buf = kasprintf(GFP_ATOMIC,
7430 audit_log_nfcfg(buf,
7433 AUDIT_NFT_OP_OBJ_RESET,
7438 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
7441 NLM_F_MULTI | NLM_F_APPEND,
7442 table->family, table,
7446 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7458 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7460 const struct nlattr * const *nla = cb->data;
7461 struct nft_obj_filter *filter = NULL;
7463 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
7464 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7468 if (nla[NFTA_OBJ_TABLE]) {
7469 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7470 if (!filter->table) {
7476 if (nla[NFTA_OBJ_TYPE])
7477 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7484 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7486 struct nft_obj_filter *filter = cb->data;
7489 kfree(filter->table);
7496 /* called with rcu_read_lock held */
7497 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7498 const struct nlattr * const nla[])
7500 struct netlink_ext_ack *extack = info->extack;
7501 u8 genmask = nft_genmask_cur(info->net);
7502 u8 family = info->nfmsg->nfgen_family;
7503 const struct nft_table *table;
7504 struct net *net = info->net;
7505 struct nft_object *obj;
7506 struct sk_buff *skb2;
7511 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7512 struct netlink_dump_control c = {
7513 .start = nf_tables_dump_obj_start,
7514 .dump = nf_tables_dump_obj,
7515 .done = nf_tables_dump_obj_done,
7516 .module = THIS_MODULE,
7517 .data = (void *)nla,
7520 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7523 if (!nla[NFTA_OBJ_NAME] ||
7524 !nla[NFTA_OBJ_TYPE])
7527 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7528 if (IS_ERR(table)) {
7529 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7530 return PTR_ERR(table);
7533 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7534 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7536 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7537 return PTR_ERR(obj);
7540 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7544 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7548 const struct nftables_pernet *nft_net;
7551 nft_net = nft_pernet(net);
7552 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7554 audit_log_nfcfg(buf,
7557 AUDIT_NFT_OP_OBJ_RESET,
7562 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7563 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7564 family, table, obj, reset);
7566 goto err_fill_obj_info;
7568 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7575 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7577 if (obj->ops->destroy)
7578 obj->ops->destroy(ctx, obj);
7580 module_put(obj->ops->type->owner);
7581 kfree(obj->key.name);
7586 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7587 const struct nlattr * const nla[])
7589 struct netlink_ext_ack *extack = info->extack;
7590 u8 genmask = nft_genmask_next(info->net);
7591 u8 family = info->nfmsg->nfgen_family;
7592 struct net *net = info->net;
7593 const struct nlattr *attr;
7594 struct nft_table *table;
7595 struct nft_object *obj;
7599 if (!nla[NFTA_OBJ_TYPE] ||
7600 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7603 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7604 NETLINK_CB(skb).portid);
7605 if (IS_ERR(table)) {
7606 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7607 return PTR_ERR(table);
7610 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7611 if (nla[NFTA_OBJ_HANDLE]) {
7612 attr = nla[NFTA_OBJ_HANDLE];
7613 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7615 attr = nla[NFTA_OBJ_NAME];
7616 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7620 if (PTR_ERR(obj) == -ENOENT &&
7621 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
7624 NL_SET_BAD_ATTR(extack, attr);
7625 return PTR_ERR(obj);
7628 NL_SET_BAD_ATTR(extack, attr);
7632 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7634 return nft_delobj(&ctx, obj);
7637 void nft_obj_notify(struct net *net, const struct nft_table *table,
7638 struct nft_object *obj, u32 portid, u32 seq, int event,
7639 u16 flags, int family, int report, gfp_t gfp)
7641 struct nftables_pernet *nft_net = nft_pernet(net);
7642 struct sk_buff *skb;
7644 char *buf = kasprintf(gfp, "%s:%u",
7645 table->name, nft_net->base_seq);
7647 audit_log_nfcfg(buf,
7650 event == NFT_MSG_NEWOBJ ?
7651 AUDIT_NFT_OP_OBJ_REGISTER :
7652 AUDIT_NFT_OP_OBJ_UNREGISTER,
7657 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7660 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7664 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7665 flags & (NLM_F_CREATE | NLM_F_EXCL),
7666 family, table, obj, false);
7672 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7675 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7677 EXPORT_SYMBOL_GPL(nft_obj_notify);
7679 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7680 struct nft_object *obj, int event)
7682 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7683 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7689 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7691 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7692 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7693 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7695 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7697 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7699 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7700 list_del_rcu(&type->list);
7701 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7703 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7705 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7706 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7707 .len = NFT_NAME_MAXLEN - 1 },
7708 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7709 .len = NFT_NAME_MAXLEN - 1 },
7710 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7711 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7712 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7715 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7716 const struct nlattr *nla, u8 genmask)
7718 struct nft_flowtable *flowtable;
7720 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7721 if (!nla_strcmp(nla, flowtable->name) &&
7722 nft_active_genmask(flowtable, genmask))
7725 return ERR_PTR(-ENOENT);
7727 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7729 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7730 struct nft_flowtable *flowtable,
7731 enum nft_trans_phase phase)
7734 case NFT_TRANS_PREPARE_ERROR:
7735 case NFT_TRANS_PREPARE:
7736 case NFT_TRANS_ABORT:
7737 case NFT_TRANS_RELEASE:
7744 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7746 static struct nft_flowtable *
7747 nft_flowtable_lookup_byhandle(const struct nft_table *table,
7748 const struct nlattr *nla, u8 genmask)
7750 struct nft_flowtable *flowtable;
7752 list_for_each_entry(flowtable, &table->flowtables, list) {
7753 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7754 nft_active_genmask(flowtable, genmask))
7757 return ERR_PTR(-ENOENT);
7760 struct nft_flowtable_hook {
7763 struct list_head list;
7766 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7767 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7768 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7769 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7772 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7773 const struct nlattr * const nla[],
7774 struct nft_flowtable_hook *flowtable_hook,
7775 struct nft_flowtable *flowtable,
7776 struct netlink_ext_ack *extack, bool add)
7778 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7779 struct nft_hook *hook;
7780 int hooknum, priority;
7783 INIT_LIST_HEAD(&flowtable_hook->list);
7785 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
7786 nla[NFTA_FLOWTABLE_HOOK],
7787 nft_flowtable_hook_policy, NULL);
7792 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7793 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7794 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7798 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7799 if (hooknum != NF_NETDEV_INGRESS)
7802 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7804 flowtable_hook->priority = priority;
7805 flowtable_hook->num = hooknum;
7807 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7808 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7809 if (hooknum != flowtable->hooknum)
7813 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7814 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7815 if (priority != flowtable->data.priority)
7819 flowtable_hook->priority = flowtable->data.priority;
7820 flowtable_hook->num = flowtable->hooknum;
7823 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7824 err = nf_tables_parse_netdev_hooks(ctx->net,
7825 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7826 &flowtable_hook->list,
7832 list_for_each_entry(hook, &flowtable_hook->list, list) {
7833 hook->ops.pf = NFPROTO_NETDEV;
7834 hook->ops.hooknum = flowtable_hook->num;
7835 hook->ops.priority = flowtable_hook->priority;
7836 hook->ops.priv = &flowtable->data;
7837 hook->ops.hook = flowtable->data.type->hook;
7843 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7845 const struct nf_flowtable_type *type;
7847 list_for_each_entry(type, &nf_tables_flowtables, list) {
7848 if (family == type->family)
7854 static const struct nf_flowtable_type *
7855 nft_flowtable_type_get(struct net *net, u8 family)
7857 const struct nf_flowtable_type *type;
7859 type = __nft_flowtable_type_get(family);
7860 if (type != NULL && try_module_get(type->owner))
7863 lockdep_nfnl_nft_mutex_not_held();
7864 #ifdef CONFIG_MODULES
7866 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7867 return ERR_PTR(-EAGAIN);
7870 return ERR_PTR(-ENOENT);
7873 /* Only called from error and netdev event paths. */
7874 static void nft_unregister_flowtable_hook(struct net *net,
7875 struct nft_flowtable *flowtable,
7876 struct nft_hook *hook)
7878 nf_unregister_net_hook(net, &hook->ops);
7879 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7883 static void __nft_unregister_flowtable_net_hooks(struct net *net,
7884 struct list_head *hook_list,
7885 bool release_netdev)
7887 struct nft_hook *hook, *next;
7889 list_for_each_entry_safe(hook, next, hook_list, list) {
7890 nf_unregister_net_hook(net, &hook->ops);
7891 if (release_netdev) {
7892 list_del(&hook->list);
7893 kfree_rcu(hook, rcu);
7898 static void nft_unregister_flowtable_net_hooks(struct net *net,
7899 struct list_head *hook_list)
7901 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
7904 static int nft_register_flowtable_net_hooks(struct net *net,
7905 struct nft_table *table,
7906 struct list_head *hook_list,
7907 struct nft_flowtable *flowtable)
7909 struct nft_hook *hook, *hook2, *next;
7910 struct nft_flowtable *ft;
7913 list_for_each_entry(hook, hook_list, list) {
7914 list_for_each_entry(ft, &table->flowtables, list) {
7915 if (!nft_is_active_next(net, ft))
7918 list_for_each_entry(hook2, &ft->hook_list, list) {
7919 if (hook->ops.dev == hook2->ops.dev &&
7920 hook->ops.pf == hook2->ops.pf) {
7922 goto err_unregister_net_hooks;
7927 err = flowtable->data.type->setup(&flowtable->data,
7931 goto err_unregister_net_hooks;
7933 err = nf_register_net_hook(net, &hook->ops);
7935 flowtable->data.type->setup(&flowtable->data,
7938 goto err_unregister_net_hooks;
7946 err_unregister_net_hooks:
7947 list_for_each_entry_safe(hook, next, hook_list, list) {
7951 nft_unregister_flowtable_hook(net, flowtable, hook);
7952 list_del_rcu(&hook->list);
7953 kfree_rcu(hook, rcu);
7959 static void nft_hooks_destroy(struct list_head *hook_list)
7961 struct nft_hook *hook, *next;
7963 list_for_each_entry_safe(hook, next, hook_list, list) {
7964 list_del_rcu(&hook->list);
7965 kfree_rcu(hook, rcu);
7969 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7970 struct nft_flowtable *flowtable,
7971 struct netlink_ext_ack *extack)
7973 const struct nlattr * const *nla = ctx->nla;
7974 struct nft_flowtable_hook flowtable_hook;
7975 struct nft_hook *hook, *next;
7976 struct nft_trans *trans;
7977 bool unregister = false;
7981 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
7986 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7987 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7988 list_del(&hook->list);
7993 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7994 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7995 if (flags & ~NFT_FLOWTABLE_MASK) {
7997 goto err_flowtable_update_hook;
7999 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8000 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8002 goto err_flowtable_update_hook;
8005 flags = flowtable->data.flags;
8008 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8009 &flowtable_hook.list, flowtable);
8011 goto err_flowtable_update_hook;
8013 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8014 sizeof(struct nft_trans_flowtable));
8018 goto err_flowtable_update_hook;
8021 nft_trans_flowtable_flags(trans) = flags;
8022 nft_trans_flowtable(trans) = flowtable;
8023 nft_trans_flowtable_update(trans) = true;
8024 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8025 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8027 nft_trans_commit_list_add_tail(ctx->net, trans);
8031 err_flowtable_update_hook:
8032 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8034 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8035 list_del_rcu(&hook->list);
8036 kfree_rcu(hook, rcu);
8043 static int nf_tables_newflowtable(struct sk_buff *skb,
8044 const struct nfnl_info *info,
8045 const struct nlattr * const nla[])
8047 struct netlink_ext_ack *extack = info->extack;
8048 struct nft_flowtable_hook flowtable_hook;
8049 u8 genmask = nft_genmask_next(info->net);
8050 u8 family = info->nfmsg->nfgen_family;
8051 const struct nf_flowtable_type *type;
8052 struct nft_flowtable *flowtable;
8053 struct nft_hook *hook, *next;
8054 struct net *net = info->net;
8055 struct nft_table *table;
8059 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8060 !nla[NFTA_FLOWTABLE_NAME] ||
8061 !nla[NFTA_FLOWTABLE_HOOK])
8064 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8065 genmask, NETLINK_CB(skb).portid);
8066 if (IS_ERR(table)) {
8067 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8068 return PTR_ERR(table);
8071 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8073 if (IS_ERR(flowtable)) {
8074 err = PTR_ERR(flowtable);
8075 if (err != -ENOENT) {
8076 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8080 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8081 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8085 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8087 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8090 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8092 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8096 flowtable->table = table;
8097 flowtable->handle = nf_tables_alloc_handle(table);
8098 INIT_LIST_HEAD(&flowtable->hook_list);
8100 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8101 if (!flowtable->name) {
8106 type = nft_flowtable_type_get(net, family);
8108 err = PTR_ERR(type);
8112 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8113 flowtable->data.flags =
8114 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8115 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8121 write_pnet(&flowtable->data.net, net);
8122 flowtable->data.type = type;
8123 err = type->init(&flowtable->data);
8127 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8132 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8133 flowtable->data.priority = flowtable_hook.priority;
8134 flowtable->hooknum = flowtable_hook.num;
8136 err = nft_register_flowtable_net_hooks(ctx.net, table,
8137 &flowtable->hook_list,
8140 nft_hooks_destroy(&flowtable->hook_list);
8144 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8148 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8153 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8154 nft_unregister_flowtable_hook(net, flowtable, hook);
8155 list_del_rcu(&hook->list);
8156 kfree_rcu(hook, rcu);
8159 flowtable->data.type->free(&flowtable->data);
8161 module_put(type->owner);
8163 kfree(flowtable->name);
8169 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8171 struct nft_hook *this, *next;
8173 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8174 list_del(&this->list);
8179 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8180 struct nft_flowtable *flowtable,
8181 struct netlink_ext_ack *extack)
8183 const struct nlattr * const *nla = ctx->nla;
8184 struct nft_flowtable_hook flowtable_hook;
8185 LIST_HEAD(flowtable_del_list);
8186 struct nft_hook *this, *hook;
8187 struct nft_trans *trans;
8190 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8195 list_for_each_entry(this, &flowtable_hook.list, list) {
8196 hook = nft_hook_list_find(&flowtable->hook_list, this);
8199 goto err_flowtable_del_hook;
8201 list_move(&hook->list, &flowtable_del_list);
8204 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8205 sizeof(struct nft_trans_flowtable));
8208 goto err_flowtable_del_hook;
8211 nft_trans_flowtable(trans) = flowtable;
8212 nft_trans_flowtable_update(trans) = true;
8213 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8214 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8215 nft_flowtable_hook_release(&flowtable_hook);
8217 nft_trans_commit_list_add_tail(ctx->net, trans);
8221 err_flowtable_del_hook:
8222 list_splice(&flowtable_del_list, &flowtable->hook_list);
8223 nft_flowtable_hook_release(&flowtable_hook);
8228 static int nf_tables_delflowtable(struct sk_buff *skb,
8229 const struct nfnl_info *info,
8230 const struct nlattr * const nla[])
8232 struct netlink_ext_ack *extack = info->extack;
8233 u8 genmask = nft_genmask_next(info->net);
8234 u8 family = info->nfmsg->nfgen_family;
8235 struct nft_flowtable *flowtable;
8236 struct net *net = info->net;
8237 const struct nlattr *attr;
8238 struct nft_table *table;
8241 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8242 (!nla[NFTA_FLOWTABLE_NAME] &&
8243 !nla[NFTA_FLOWTABLE_HANDLE]))
8246 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8247 genmask, NETLINK_CB(skb).portid);
8248 if (IS_ERR(table)) {
8249 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8250 return PTR_ERR(table);
8253 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8254 attr = nla[NFTA_FLOWTABLE_HANDLE];
8255 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8257 attr = nla[NFTA_FLOWTABLE_NAME];
8258 flowtable = nft_flowtable_lookup(table, attr, genmask);
8261 if (IS_ERR(flowtable)) {
8262 if (PTR_ERR(flowtable) == -ENOENT &&
8263 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8266 NL_SET_BAD_ATTR(extack, attr);
8267 return PTR_ERR(flowtable);
8270 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8272 if (nla[NFTA_FLOWTABLE_HOOK])
8273 return nft_delflowtable_hook(&ctx, flowtable, extack);
8275 if (flowtable->use > 0) {
8276 NL_SET_BAD_ATTR(extack, attr);
8280 return nft_delflowtable(&ctx, flowtable);
8283 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8284 u32 portid, u32 seq, int event,
8285 u32 flags, int family,
8286 struct nft_flowtable *flowtable,
8287 struct list_head *hook_list)
8289 struct nlattr *nest, *nest_devs;
8290 struct nft_hook *hook;
8291 struct nlmsghdr *nlh;
8293 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8294 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8295 NFNETLINK_V0, nft_base_seq(net));
8297 goto nla_put_failure;
8299 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8300 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8301 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8302 NFTA_FLOWTABLE_PAD))
8303 goto nla_put_failure;
8305 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8306 nlmsg_end(skb, nlh);
8310 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8311 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8312 goto nla_put_failure;
8314 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8316 goto nla_put_failure;
8317 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8318 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8319 goto nla_put_failure;
8321 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8323 goto nla_put_failure;
8326 hook_list = &flowtable->hook_list;
8328 list_for_each_entry_rcu(hook, hook_list, list) {
8329 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8330 goto nla_put_failure;
8332 nla_nest_end(skb, nest_devs);
8333 nla_nest_end(skb, nest);
8335 nlmsg_end(skb, nlh);
8339 nlmsg_trim(skb, nlh);
8343 struct nft_flowtable_filter {
8347 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8348 struct netlink_callback *cb)
8350 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8351 struct nft_flowtable_filter *filter = cb->data;
8352 unsigned int idx = 0, s_idx = cb->args[0];
8353 struct net *net = sock_net(skb->sk);
8354 int family = nfmsg->nfgen_family;
8355 struct nft_flowtable *flowtable;
8356 struct nftables_pernet *nft_net;
8357 const struct nft_table *table;
8360 nft_net = nft_pernet(net);
8361 cb->seq = READ_ONCE(nft_net->base_seq);
8363 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8364 if (family != NFPROTO_UNSPEC && family != table->family)
8367 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8368 if (!nft_is_active(net, flowtable))
8373 memset(&cb->args[1], 0,
8374 sizeof(cb->args) - sizeof(cb->args[0]));
8375 if (filter && filter->table &&
8376 strcmp(filter->table, table->name))
8379 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8381 NFT_MSG_NEWFLOWTABLE,
8382 NLM_F_MULTI | NLM_F_APPEND,
8384 flowtable, NULL) < 0)
8387 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8399 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8401 const struct nlattr * const *nla = cb->data;
8402 struct nft_flowtable_filter *filter = NULL;
8404 if (nla[NFTA_FLOWTABLE_TABLE]) {
8405 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8409 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8411 if (!filter->table) {
8421 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8423 struct nft_flowtable_filter *filter = cb->data;
8428 kfree(filter->table);
8434 /* called with rcu_read_lock held */
8435 static int nf_tables_getflowtable(struct sk_buff *skb,
8436 const struct nfnl_info *info,
8437 const struct nlattr * const nla[])
8439 u8 genmask = nft_genmask_cur(info->net);
8440 u8 family = info->nfmsg->nfgen_family;
8441 struct nft_flowtable *flowtable;
8442 const struct nft_table *table;
8443 struct net *net = info->net;
8444 struct sk_buff *skb2;
8447 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8448 struct netlink_dump_control c = {
8449 .start = nf_tables_dump_flowtable_start,
8450 .dump = nf_tables_dump_flowtable,
8451 .done = nf_tables_dump_flowtable_done,
8452 .module = THIS_MODULE,
8453 .data = (void *)nla,
8456 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8459 if (!nla[NFTA_FLOWTABLE_NAME])
8462 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8465 return PTR_ERR(table);
8467 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8469 if (IS_ERR(flowtable))
8470 return PTR_ERR(flowtable);
8472 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8476 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8477 info->nlh->nlmsg_seq,
8478 NFT_MSG_NEWFLOWTABLE, 0, family,
8481 goto err_fill_flowtable_info;
8483 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8485 err_fill_flowtable_info:
8490 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8491 struct nft_flowtable *flowtable,
8492 struct list_head *hook_list, int event)
8494 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8495 struct sk_buff *skb;
8500 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8503 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8507 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8508 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8510 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8511 ctx->seq, event, flags,
8512 ctx->family, flowtable, hook_list);
8518 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8521 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8524 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8526 struct nft_hook *hook, *next;
8528 flowtable->data.type->free(&flowtable->data);
8529 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8530 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8532 list_del_rcu(&hook->list);
8535 kfree(flowtable->name);
8536 module_put(flowtable->data.type->owner);
8540 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8541 u32 portid, u32 seq)
8543 struct nftables_pernet *nft_net = nft_pernet(net);
8544 struct nlmsghdr *nlh;
8545 char buf[TASK_COMM_LEN];
8546 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8548 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8549 NFNETLINK_V0, nft_base_seq(net));
8551 goto nla_put_failure;
8553 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8554 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8555 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8556 goto nla_put_failure;
8558 nlmsg_end(skb, nlh);
8562 nlmsg_trim(skb, nlh);
8566 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8567 struct nft_flowtable *flowtable)
8569 struct nft_hook *hook;
8571 list_for_each_entry(hook, &flowtable->hook_list, list) {
8572 if (hook->ops.dev != dev)
8575 /* flow_offload_netdev_event() cleans up entries for us. */
8576 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8577 list_del_rcu(&hook->list);
8578 kfree_rcu(hook, rcu);
8583 static int nf_tables_flowtable_event(struct notifier_block *this,
8584 unsigned long event, void *ptr)
8586 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8587 struct nft_flowtable *flowtable;
8588 struct nftables_pernet *nft_net;
8589 struct nft_table *table;
8592 if (event != NETDEV_UNREGISTER)
8596 nft_net = nft_pernet(net);
8597 mutex_lock(&nft_net->commit_mutex);
8598 list_for_each_entry(table, &nft_net->tables, list) {
8599 list_for_each_entry(flowtable, &table->flowtables, list) {
8600 nft_flowtable_event(event, dev, flowtable);
8603 mutex_unlock(&nft_net->commit_mutex);
8608 static struct notifier_block nf_tables_flowtable_notifier = {
8609 .notifier_call = nf_tables_flowtable_event,
8612 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
8615 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8616 struct sk_buff *skb2;
8619 if (!nlmsg_report(nlh) &&
8620 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8623 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8627 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8634 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8635 nlmsg_report(nlh), GFP_KERNEL);
8638 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8642 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8643 const struct nlattr * const nla[])
8645 struct sk_buff *skb2;
8648 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8652 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8653 info->nlh->nlmsg_seq);
8655 goto err_fill_gen_info;
8657 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8664 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8665 [NFT_MSG_NEWTABLE] = {
8666 .call = nf_tables_newtable,
8667 .type = NFNL_CB_BATCH,
8668 .attr_count = NFTA_TABLE_MAX,
8669 .policy = nft_table_policy,
8671 [NFT_MSG_GETTABLE] = {
8672 .call = nf_tables_gettable,
8673 .type = NFNL_CB_RCU,
8674 .attr_count = NFTA_TABLE_MAX,
8675 .policy = nft_table_policy,
8677 [NFT_MSG_DELTABLE] = {
8678 .call = nf_tables_deltable,
8679 .type = NFNL_CB_BATCH,
8680 .attr_count = NFTA_TABLE_MAX,
8681 .policy = nft_table_policy,
8683 [NFT_MSG_DESTROYTABLE] = {
8684 .call = nf_tables_deltable,
8685 .type = NFNL_CB_BATCH,
8686 .attr_count = NFTA_TABLE_MAX,
8687 .policy = nft_table_policy,
8689 [NFT_MSG_NEWCHAIN] = {
8690 .call = nf_tables_newchain,
8691 .type = NFNL_CB_BATCH,
8692 .attr_count = NFTA_CHAIN_MAX,
8693 .policy = nft_chain_policy,
8695 [NFT_MSG_GETCHAIN] = {
8696 .call = nf_tables_getchain,
8697 .type = NFNL_CB_RCU,
8698 .attr_count = NFTA_CHAIN_MAX,
8699 .policy = nft_chain_policy,
8701 [NFT_MSG_DELCHAIN] = {
8702 .call = nf_tables_delchain,
8703 .type = NFNL_CB_BATCH,
8704 .attr_count = NFTA_CHAIN_MAX,
8705 .policy = nft_chain_policy,
8707 [NFT_MSG_DESTROYCHAIN] = {
8708 .call = nf_tables_delchain,
8709 .type = NFNL_CB_BATCH,
8710 .attr_count = NFTA_CHAIN_MAX,
8711 .policy = nft_chain_policy,
8713 [NFT_MSG_NEWRULE] = {
8714 .call = nf_tables_newrule,
8715 .type = NFNL_CB_BATCH,
8716 .attr_count = NFTA_RULE_MAX,
8717 .policy = nft_rule_policy,
8719 [NFT_MSG_GETRULE] = {
8720 .call = nf_tables_getrule,
8721 .type = NFNL_CB_RCU,
8722 .attr_count = NFTA_RULE_MAX,
8723 .policy = nft_rule_policy,
8725 [NFT_MSG_GETRULE_RESET] = {
8726 .call = nf_tables_getrule,
8727 .type = NFNL_CB_RCU,
8728 .attr_count = NFTA_RULE_MAX,
8729 .policy = nft_rule_policy,
8731 [NFT_MSG_DELRULE] = {
8732 .call = nf_tables_delrule,
8733 .type = NFNL_CB_BATCH,
8734 .attr_count = NFTA_RULE_MAX,
8735 .policy = nft_rule_policy,
8737 [NFT_MSG_DESTROYRULE] = {
8738 .call = nf_tables_delrule,
8739 .type = NFNL_CB_BATCH,
8740 .attr_count = NFTA_RULE_MAX,
8741 .policy = nft_rule_policy,
8743 [NFT_MSG_NEWSET] = {
8744 .call = nf_tables_newset,
8745 .type = NFNL_CB_BATCH,
8746 .attr_count = NFTA_SET_MAX,
8747 .policy = nft_set_policy,
8749 [NFT_MSG_GETSET] = {
8750 .call = nf_tables_getset,
8751 .type = NFNL_CB_RCU,
8752 .attr_count = NFTA_SET_MAX,
8753 .policy = nft_set_policy,
8755 [NFT_MSG_DELSET] = {
8756 .call = nf_tables_delset,
8757 .type = NFNL_CB_BATCH,
8758 .attr_count = NFTA_SET_MAX,
8759 .policy = nft_set_policy,
8761 [NFT_MSG_DESTROYSET] = {
8762 .call = nf_tables_delset,
8763 .type = NFNL_CB_BATCH,
8764 .attr_count = NFTA_SET_MAX,
8765 .policy = nft_set_policy,
8767 [NFT_MSG_NEWSETELEM] = {
8768 .call = nf_tables_newsetelem,
8769 .type = NFNL_CB_BATCH,
8770 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8771 .policy = nft_set_elem_list_policy,
8773 [NFT_MSG_GETSETELEM] = {
8774 .call = nf_tables_getsetelem,
8775 .type = NFNL_CB_RCU,
8776 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8777 .policy = nft_set_elem_list_policy,
8779 [NFT_MSG_DELSETELEM] = {
8780 .call = nf_tables_delsetelem,
8781 .type = NFNL_CB_BATCH,
8782 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8783 .policy = nft_set_elem_list_policy,
8785 [NFT_MSG_DESTROYSETELEM] = {
8786 .call = nf_tables_delsetelem,
8787 .type = NFNL_CB_BATCH,
8788 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8789 .policy = nft_set_elem_list_policy,
8791 [NFT_MSG_GETGEN] = {
8792 .call = nf_tables_getgen,
8793 .type = NFNL_CB_RCU,
8795 [NFT_MSG_NEWOBJ] = {
8796 .call = nf_tables_newobj,
8797 .type = NFNL_CB_BATCH,
8798 .attr_count = NFTA_OBJ_MAX,
8799 .policy = nft_obj_policy,
8801 [NFT_MSG_GETOBJ] = {
8802 .call = nf_tables_getobj,
8803 .type = NFNL_CB_RCU,
8804 .attr_count = NFTA_OBJ_MAX,
8805 .policy = nft_obj_policy,
8807 [NFT_MSG_DELOBJ] = {
8808 .call = nf_tables_delobj,
8809 .type = NFNL_CB_BATCH,
8810 .attr_count = NFTA_OBJ_MAX,
8811 .policy = nft_obj_policy,
8813 [NFT_MSG_DESTROYOBJ] = {
8814 .call = nf_tables_delobj,
8815 .type = NFNL_CB_BATCH,
8816 .attr_count = NFTA_OBJ_MAX,
8817 .policy = nft_obj_policy,
8819 [NFT_MSG_GETOBJ_RESET] = {
8820 .call = nf_tables_getobj,
8821 .type = NFNL_CB_RCU,
8822 .attr_count = NFTA_OBJ_MAX,
8823 .policy = nft_obj_policy,
8825 [NFT_MSG_NEWFLOWTABLE] = {
8826 .call = nf_tables_newflowtable,
8827 .type = NFNL_CB_BATCH,
8828 .attr_count = NFTA_FLOWTABLE_MAX,
8829 .policy = nft_flowtable_policy,
8831 [NFT_MSG_GETFLOWTABLE] = {
8832 .call = nf_tables_getflowtable,
8833 .type = NFNL_CB_RCU,
8834 .attr_count = NFTA_FLOWTABLE_MAX,
8835 .policy = nft_flowtable_policy,
8837 [NFT_MSG_DELFLOWTABLE] = {
8838 .call = nf_tables_delflowtable,
8839 .type = NFNL_CB_BATCH,
8840 .attr_count = NFTA_FLOWTABLE_MAX,
8841 .policy = nft_flowtable_policy,
8843 [NFT_MSG_DESTROYFLOWTABLE] = {
8844 .call = nf_tables_delflowtable,
8845 .type = NFNL_CB_BATCH,
8846 .attr_count = NFTA_FLOWTABLE_MAX,
8847 .policy = nft_flowtable_policy,
8851 static int nf_tables_validate(struct net *net)
8853 struct nftables_pernet *nft_net = nft_pernet(net);
8854 struct nft_table *table;
8856 list_for_each_entry(table, &nft_net->tables, list) {
8857 switch (table->validate_state) {
8858 case NFT_VALIDATE_SKIP:
8860 case NFT_VALIDATE_NEED:
8861 nft_validate_state_update(table, NFT_VALIDATE_DO);
8863 case NFT_VALIDATE_DO:
8864 if (nft_table_validate(net, table) < 0)
8867 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
8876 /* a drop policy has to be deferred until all rules have been activated,
8877 * otherwise a large ruleset that contains a drop-policy base chain will
8878 * cause all packets to get dropped until the full transaction has been
8881 * We defer the drop policy until the transaction has been finalized.
8883 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8885 struct nft_base_chain *basechain;
8887 if (nft_trans_chain_policy(trans) != NF_DROP)
8890 if (!nft_is_base_chain(trans->ctx.chain))
8893 basechain = nft_base_chain(trans->ctx.chain);
8894 basechain->policy = NF_DROP;
8897 static void nft_chain_commit_update(struct nft_trans *trans)
8899 struct nft_base_chain *basechain;
8901 if (nft_trans_chain_name(trans)) {
8902 rhltable_remove(&trans->ctx.table->chains_ht,
8903 &trans->ctx.chain->rhlhead,
8904 nft_chain_ht_params);
8905 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8906 rhltable_insert_key(&trans->ctx.table->chains_ht,
8907 trans->ctx.chain->name,
8908 &trans->ctx.chain->rhlhead,
8909 nft_chain_ht_params);
8912 if (!nft_is_base_chain(trans->ctx.chain))
8915 nft_chain_stats_replace(trans);
8917 basechain = nft_base_chain(trans->ctx.chain);
8919 switch (nft_trans_chain_policy(trans)) {
8922 basechain->policy = nft_trans_chain_policy(trans);
8927 static void nft_obj_commit_update(struct nft_trans *trans)
8929 struct nft_object *newobj;
8930 struct nft_object *obj;
8932 obj = nft_trans_obj(trans);
8933 newobj = nft_trans_obj_newobj(trans);
8935 if (obj->ops->update)
8936 obj->ops->update(obj, newobj);
8938 nft_obj_destroy(&trans->ctx, newobj);
8941 static void nft_commit_release(struct nft_trans *trans)
8943 switch (trans->msg_type) {
8944 case NFT_MSG_DELTABLE:
8945 case NFT_MSG_DESTROYTABLE:
8946 nf_tables_table_destroy(&trans->ctx);
8948 case NFT_MSG_NEWCHAIN:
8949 free_percpu(nft_trans_chain_stats(trans));
8950 kfree(nft_trans_chain_name(trans));
8952 case NFT_MSG_DELCHAIN:
8953 case NFT_MSG_DESTROYCHAIN:
8954 if (nft_trans_chain_update(trans))
8955 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
8957 nf_tables_chain_destroy(&trans->ctx);
8959 case NFT_MSG_DELRULE:
8960 case NFT_MSG_DESTROYRULE:
8961 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8963 case NFT_MSG_DELSET:
8964 case NFT_MSG_DESTROYSET:
8965 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8967 case NFT_MSG_DELSETELEM:
8968 case NFT_MSG_DESTROYSETELEM:
8969 nf_tables_set_elem_destroy(&trans->ctx,
8970 nft_trans_elem_set(trans),
8971 nft_trans_elem(trans).priv);
8973 case NFT_MSG_DELOBJ:
8974 case NFT_MSG_DESTROYOBJ:
8975 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8977 case NFT_MSG_DELFLOWTABLE:
8978 case NFT_MSG_DESTROYFLOWTABLE:
8979 if (nft_trans_flowtable_update(trans))
8980 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8982 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8987 put_net(trans->ctx.net);
8992 static void nf_tables_trans_destroy_work(struct work_struct *w)
8994 struct nft_trans *trans, *next;
8997 spin_lock(&nf_tables_destroy_list_lock);
8998 list_splice_init(&nf_tables_destroy_list, &head);
8999 spin_unlock(&nf_tables_destroy_list_lock);
9001 if (list_empty(&head))
9006 list_for_each_entry_safe(trans, next, &head, list) {
9007 list_del(&trans->list);
9008 nft_commit_release(trans);
9012 void nf_tables_trans_destroy_flush_work(void)
9014 flush_work(&trans_destroy_work);
9016 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9018 static bool nft_expr_reduce(struct nft_regs_track *track,
9019 const struct nft_expr *expr)
9024 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9026 const struct nft_expr *expr, *last;
9027 struct nft_regs_track track = {};
9028 unsigned int size, data_size;
9029 void *data, *data_boundary;
9030 struct nft_rule_dp *prule;
9031 struct nft_rule *rule;
9033 /* already handled or inactive chain? */
9034 if (chain->blob_next || !nft_is_active_next(net, chain))
9038 list_for_each_entry(rule, &chain->rules, list) {
9039 if (nft_is_active_next(net, rule)) {
9040 data_size += sizeof(*prule) + rule->dlen;
9041 if (data_size > INT_MAX)
9046 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9047 if (!chain->blob_next)
9050 data = (void *)chain->blob_next->data;
9051 data_boundary = data + data_size;
9054 list_for_each_entry(rule, &chain->rules, list) {
9055 if (!nft_is_active_next(net, rule))
9058 prule = (struct nft_rule_dp *)data;
9059 data += offsetof(struct nft_rule_dp, data);
9060 if (WARN_ON_ONCE(data > data_boundary))
9064 track.last = nft_expr_last(rule);
9065 nft_rule_for_each_expr(expr, last, rule) {
9068 if (nft_expr_reduce(&track, expr)) {
9073 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9076 memcpy(data + size, expr, expr->ops->size);
9077 size += expr->ops->size;
9079 if (WARN_ON_ONCE(size >= 1 << 12))
9082 prule->handle = rule->handle;
9088 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9091 if (WARN_ON_ONCE(data > data_boundary))
9094 prule = (struct nft_rule_dp *)data;
9095 nft_last_rule(chain, prule);
9100 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9102 struct nftables_pernet *nft_net = nft_pernet(net);
9103 struct nft_trans *trans, *next;
9105 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9106 struct nft_chain *chain = trans->ctx.chain;
9108 if (trans->msg_type == NFT_MSG_NEWRULE ||
9109 trans->msg_type == NFT_MSG_DELRULE) {
9110 kvfree(chain->blob_next);
9111 chain->blob_next = NULL;
9116 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9118 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9123 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9125 struct nft_rule_dp_last *last;
9127 /* last rule trailer is after end marker */
9128 last = (void *)blob + sizeof(*blob) + blob->size;
9131 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9134 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9136 struct nft_rule_blob *g0, *g1;
9139 next_genbit = nft_gencursor_next(net);
9141 g0 = rcu_dereference_protected(chain->blob_gen_0,
9142 lockdep_commit_lock_is_held(net));
9143 g1 = rcu_dereference_protected(chain->blob_gen_1,
9144 lockdep_commit_lock_is_held(net));
9146 /* No changes to this chain? */
9147 if (chain->blob_next == NULL) {
9148 /* chain had no change in last or next generation */
9152 * chain had no change in this generation; make sure next
9153 * one uses same rules as current generation.
9156 rcu_assign_pointer(chain->blob_gen_1, g0);
9157 nf_tables_commit_chain_free_rules_old(g1);
9159 rcu_assign_pointer(chain->blob_gen_0, g1);
9160 nf_tables_commit_chain_free_rules_old(g0);
9167 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9169 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9171 chain->blob_next = NULL;
9177 nf_tables_commit_chain_free_rules_old(g1);
9179 nf_tables_commit_chain_free_rules_old(g0);
9182 static void nft_obj_del(struct nft_object *obj)
9184 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9185 list_del_rcu(&obj->list);
9188 void nft_chain_del(struct nft_chain *chain)
9190 struct nft_table *table = chain->table;
9192 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9193 nft_chain_ht_params));
9194 list_del_rcu(&chain->list);
9197 static void nf_tables_module_autoload_cleanup(struct net *net)
9199 struct nftables_pernet *nft_net = nft_pernet(net);
9200 struct nft_module_request *req, *next;
9202 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9203 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9204 WARN_ON_ONCE(!req->done);
9205 list_del(&req->list);
9210 static void nf_tables_commit_release(struct net *net)
9212 struct nftables_pernet *nft_net = nft_pernet(net);
9213 struct nft_trans *trans;
9215 /* all side effects have to be made visible.
9216 * For example, if a chain named 'foo' has been deleted, a
9217 * new transaction must not find it anymore.
9219 * Memory reclaim happens asynchronously from work queue
9220 * to prevent expensive synchronize_rcu() in commit phase.
9222 if (list_empty(&nft_net->commit_list)) {
9223 nf_tables_module_autoload_cleanup(net);
9224 mutex_unlock(&nft_net->commit_mutex);
9228 trans = list_last_entry(&nft_net->commit_list,
9229 struct nft_trans, list);
9230 get_net(trans->ctx.net);
9231 WARN_ON_ONCE(trans->put_net);
9233 trans->put_net = true;
9234 spin_lock(&nf_tables_destroy_list_lock);
9235 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9236 spin_unlock(&nf_tables_destroy_list_lock);
9238 nf_tables_module_autoload_cleanup(net);
9239 schedule_work(&trans_destroy_work);
9241 mutex_unlock(&nft_net->commit_mutex);
9244 static void nft_commit_notify(struct net *net, u32 portid)
9246 struct nftables_pernet *nft_net = nft_pernet(net);
9247 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9248 unsigned char *data;
9251 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9255 len = NLMSG_GOODSIZE - skb->len;
9256 list_del(&skb->list);
9260 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9261 data = skb_put(batch_skb, skb->len);
9262 memcpy(data, skb->data, skb->len);
9263 list_del(&skb->list);
9267 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9268 NFT_CB(batch_skb).report, GFP_KERNEL);
9273 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9274 NFT_CB(batch_skb).report, GFP_KERNEL);
9277 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9280 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9281 struct nft_table *table)
9283 struct nft_audit_data *adp;
9285 list_for_each_entry(adp, adl, list) {
9286 if (adp->table == table)
9289 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9293 list_add(&adp->list, adl);
9297 static void nf_tables_commit_audit_free(struct list_head *adl)
9299 struct nft_audit_data *adp, *adn;
9301 list_for_each_entry_safe(adp, adn, adl, list) {
9302 list_del(&adp->list);
9307 static void nf_tables_commit_audit_collect(struct list_head *adl,
9308 struct nft_table *table, u32 op)
9310 struct nft_audit_data *adp;
9312 list_for_each_entry(adp, adl, list) {
9313 if (adp->table == table)
9316 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9320 if (!adp->op || adp->op > op)
9324 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9326 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9328 struct nft_audit_data *adp, *adn;
9329 char aubuf[AUNFTABLENAMELEN];
9331 list_for_each_entry_safe(adp, adn, adl, list) {
9332 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
9334 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
9335 nft2audit_op[adp->op], GFP_KERNEL);
9336 list_del(&adp->list);
9341 static void nft_set_commit_update(struct list_head *set_update_list)
9343 struct nft_set *set, *next;
9345 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9346 list_del_init(&set->pending_update);
9348 if (!set->ops->commit)
9351 set->ops->commit(set);
9355 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
9357 struct nftables_pernet *nft_net = nft_pernet(net);
9358 struct nft_trans *trans, *next;
9359 LIST_HEAD(set_update_list);
9360 struct nft_trans_elem *te;
9361 struct nft_chain *chain;
9362 struct nft_table *table;
9363 unsigned int base_seq;
9367 if (list_empty(&nft_net->commit_list)) {
9368 mutex_unlock(&nft_net->commit_mutex);
9372 /* 0. Validate ruleset, otherwise roll back for error reporting. */
9373 if (nf_tables_validate(net) < 0)
9376 err = nft_flow_rule_offload_commit(net);
9380 /* 1. Allocate space for next generation rules_gen_X[] */
9381 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9384 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
9386 nf_tables_commit_chain_prepare_cancel(net);
9387 nf_tables_commit_audit_free(&adl);
9390 if (trans->msg_type == NFT_MSG_NEWRULE ||
9391 trans->msg_type == NFT_MSG_DELRULE) {
9392 chain = trans->ctx.chain;
9394 ret = nf_tables_commit_chain_prepare(net, chain);
9396 nf_tables_commit_chain_prepare_cancel(net);
9397 nf_tables_commit_audit_free(&adl);
9403 /* step 2. Make rules_gen_X visible to packet path */
9404 list_for_each_entry(table, &nft_net->tables, list) {
9405 list_for_each_entry(chain, &table->chains, list)
9406 nf_tables_commit_chain(net, chain);
9410 * Bump generation counter, invalidate any dump in progress.
9411 * Cannot fail after this point.
9413 base_seq = READ_ONCE(nft_net->base_seq);
9414 while (++base_seq == 0)
9417 WRITE_ONCE(nft_net->base_seq, base_seq);
9419 /* step 3. Start new generation, rules_gen_X now in use. */
9420 net->nft.gencursor = nft_gencursor_next(net);
9422 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9423 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
9425 switch (trans->msg_type) {
9426 case NFT_MSG_NEWTABLE:
9427 if (nft_trans_table_update(trans)) {
9428 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9429 nft_trans_destroy(trans);
9432 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
9433 nf_tables_table_disable(net, trans->ctx.table);
9435 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9437 nft_clear(net, trans->ctx.table);
9439 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
9440 nft_trans_destroy(trans);
9442 case NFT_MSG_DELTABLE:
9443 case NFT_MSG_DESTROYTABLE:
9444 list_del_rcu(&trans->ctx.table->list);
9445 nf_tables_table_notify(&trans->ctx, trans->msg_type);
9447 case NFT_MSG_NEWCHAIN:
9448 if (nft_trans_chain_update(trans)) {
9449 nft_chain_commit_update(trans);
9450 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
9451 &nft_trans_chain_hooks(trans));
9452 list_splice(&nft_trans_chain_hooks(trans),
9453 &nft_trans_basechain(trans)->hook_list);
9454 /* trans destroyed after rcu grace period */
9456 nft_chain_commit_drop_policy(trans);
9457 nft_clear(net, trans->ctx.chain);
9458 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
9459 nft_trans_destroy(trans);
9462 case NFT_MSG_DELCHAIN:
9463 case NFT_MSG_DESTROYCHAIN:
9464 if (nft_trans_chain_update(trans)) {
9465 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
9466 &nft_trans_chain_hooks(trans));
9467 nft_netdev_unregister_hooks(net,
9468 &nft_trans_chain_hooks(trans),
9471 nft_chain_del(trans->ctx.chain);
9472 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
9474 nf_tables_unregister_hook(trans->ctx.net,
9479 case NFT_MSG_NEWRULE:
9480 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9481 nf_tables_rule_notify(&trans->ctx,
9482 nft_trans_rule(trans),
9484 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9485 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9487 nft_trans_destroy(trans);
9489 case NFT_MSG_DELRULE:
9490 case NFT_MSG_DESTROYRULE:
9491 list_del_rcu(&nft_trans_rule(trans)->list);
9492 nf_tables_rule_notify(&trans->ctx,
9493 nft_trans_rule(trans),
9495 nft_rule_expr_deactivate(&trans->ctx,
9496 nft_trans_rule(trans),
9499 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9500 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9502 case NFT_MSG_NEWSET:
9503 if (nft_trans_set_update(trans)) {
9504 struct nft_set *set = nft_trans_set(trans);
9506 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
9507 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
9509 nft_clear(net, nft_trans_set(trans));
9510 /* This avoids hitting -EBUSY when deleting the table
9511 * from the transaction.
9513 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
9514 !list_empty(&nft_trans_set(trans)->bindings))
9515 trans->ctx.table->use--;
9517 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9518 NFT_MSG_NEWSET, GFP_KERNEL);
9519 nft_trans_destroy(trans);
9521 case NFT_MSG_DELSET:
9522 case NFT_MSG_DESTROYSET:
9523 list_del_rcu(&nft_trans_set(trans)->list);
9524 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9525 trans->msg_type, GFP_KERNEL);
9527 case NFT_MSG_NEWSETELEM:
9528 te = (struct nft_trans_elem *)trans->data;
9530 nft_setelem_activate(net, te->set, &te->elem);
9531 nf_tables_setelem_notify(&trans->ctx, te->set,
9533 NFT_MSG_NEWSETELEM);
9534 if (te->set->ops->commit &&
9535 list_empty(&te->set->pending_update)) {
9536 list_add_tail(&te->set->pending_update,
9539 nft_trans_destroy(trans);
9541 case NFT_MSG_DELSETELEM:
9542 case NFT_MSG_DESTROYSETELEM:
9543 te = (struct nft_trans_elem *)trans->data;
9545 nf_tables_setelem_notify(&trans->ctx, te->set,
9548 nft_setelem_remove(net, te->set, &te->elem);
9549 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
9550 atomic_dec(&te->set->nelems);
9553 if (te->set->ops->commit &&
9554 list_empty(&te->set->pending_update)) {
9555 list_add_tail(&te->set->pending_update,
9559 case NFT_MSG_NEWOBJ:
9560 if (nft_trans_obj_update(trans)) {
9561 nft_obj_commit_update(trans);
9562 nf_tables_obj_notify(&trans->ctx,
9563 nft_trans_obj(trans),
9566 nft_clear(net, nft_trans_obj(trans));
9567 nf_tables_obj_notify(&trans->ctx,
9568 nft_trans_obj(trans),
9570 nft_trans_destroy(trans);
9573 case NFT_MSG_DELOBJ:
9574 case NFT_MSG_DESTROYOBJ:
9575 nft_obj_del(nft_trans_obj(trans));
9576 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
9579 case NFT_MSG_NEWFLOWTABLE:
9580 if (nft_trans_flowtable_update(trans)) {
9581 nft_trans_flowtable(trans)->data.flags =
9582 nft_trans_flowtable_flags(trans);
9583 nf_tables_flowtable_notify(&trans->ctx,
9584 nft_trans_flowtable(trans),
9585 &nft_trans_flowtable_hooks(trans),
9586 NFT_MSG_NEWFLOWTABLE);
9587 list_splice(&nft_trans_flowtable_hooks(trans),
9588 &nft_trans_flowtable(trans)->hook_list);
9590 nft_clear(net, nft_trans_flowtable(trans));
9591 nf_tables_flowtable_notify(&trans->ctx,
9592 nft_trans_flowtable(trans),
9594 NFT_MSG_NEWFLOWTABLE);
9596 nft_trans_destroy(trans);
9598 case NFT_MSG_DELFLOWTABLE:
9599 case NFT_MSG_DESTROYFLOWTABLE:
9600 if (nft_trans_flowtable_update(trans)) {
9601 nf_tables_flowtable_notify(&trans->ctx,
9602 nft_trans_flowtable(trans),
9603 &nft_trans_flowtable_hooks(trans),
9605 nft_unregister_flowtable_net_hooks(net,
9606 &nft_trans_flowtable_hooks(trans));
9608 list_del_rcu(&nft_trans_flowtable(trans)->list);
9609 nf_tables_flowtable_notify(&trans->ctx,
9610 nft_trans_flowtable(trans),
9613 nft_unregister_flowtable_net_hooks(net,
9614 &nft_trans_flowtable(trans)->hook_list);
9620 nft_set_commit_update(&set_update_list);
9622 nft_commit_notify(net, NETLINK_CB(skb).portid);
9623 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
9624 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
9625 nf_tables_commit_release(net);
9630 static void nf_tables_module_autoload(struct net *net)
9632 struct nftables_pernet *nft_net = nft_pernet(net);
9633 struct nft_module_request *req, *next;
9634 LIST_HEAD(module_list);
9636 list_splice_init(&nft_net->module_list, &module_list);
9637 mutex_unlock(&nft_net->commit_mutex);
9638 list_for_each_entry_safe(req, next, &module_list, list) {
9639 request_module("%s", req->module);
9642 mutex_lock(&nft_net->commit_mutex);
9643 list_splice(&module_list, &nft_net->module_list);
9646 static void nf_tables_abort_release(struct nft_trans *trans)
9648 switch (trans->msg_type) {
9649 case NFT_MSG_NEWTABLE:
9650 nf_tables_table_destroy(&trans->ctx);
9652 case NFT_MSG_NEWCHAIN:
9653 if (nft_trans_chain_update(trans))
9654 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9656 nf_tables_chain_destroy(&trans->ctx);
9658 case NFT_MSG_NEWRULE:
9659 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9661 case NFT_MSG_NEWSET:
9662 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9664 case NFT_MSG_NEWSETELEM:
9665 nft_set_elem_destroy(nft_trans_elem_set(trans),
9666 nft_trans_elem(trans).priv, true);
9668 case NFT_MSG_NEWOBJ:
9669 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9671 case NFT_MSG_NEWFLOWTABLE:
9672 if (nft_trans_flowtable_update(trans))
9673 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9675 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9681 static void nft_set_abort_update(struct list_head *set_update_list)
9683 struct nft_set *set, *next;
9685 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9686 list_del_init(&set->pending_update);
9688 if (!set->ops->abort)
9691 set->ops->abort(set);
9695 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
9697 struct nftables_pernet *nft_net = nft_pernet(net);
9698 struct nft_trans *trans, *next;
9699 LIST_HEAD(set_update_list);
9700 struct nft_trans_elem *te;
9702 if (action == NFNL_ABORT_VALIDATE &&
9703 nf_tables_validate(net) < 0)
9706 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
9708 switch (trans->msg_type) {
9709 case NFT_MSG_NEWTABLE:
9710 if (nft_trans_table_update(trans)) {
9711 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9712 nft_trans_destroy(trans);
9715 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
9716 nf_tables_table_disable(net, trans->ctx.table);
9717 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
9718 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
9719 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
9721 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9722 nft_trans_destroy(trans);
9724 list_del_rcu(&trans->ctx.table->list);
9727 case NFT_MSG_DELTABLE:
9728 case NFT_MSG_DESTROYTABLE:
9729 nft_clear(trans->ctx.net, trans->ctx.table);
9730 nft_trans_destroy(trans);
9732 case NFT_MSG_NEWCHAIN:
9733 if (nft_trans_chain_update(trans)) {
9734 nft_netdev_unregister_hooks(net,
9735 &nft_trans_chain_hooks(trans),
9737 free_percpu(nft_trans_chain_stats(trans));
9738 kfree(nft_trans_chain_name(trans));
9739 nft_trans_destroy(trans);
9741 if (nft_trans_chain_bound(trans)) {
9742 nft_trans_destroy(trans);
9745 trans->ctx.table->use--;
9746 nft_chain_del(trans->ctx.chain);
9747 nf_tables_unregister_hook(trans->ctx.net,
9752 case NFT_MSG_DELCHAIN:
9753 case NFT_MSG_DESTROYCHAIN:
9754 if (nft_trans_chain_update(trans)) {
9755 list_splice(&nft_trans_chain_hooks(trans),
9756 &nft_trans_basechain(trans)->hook_list);
9758 trans->ctx.table->use++;
9759 nft_clear(trans->ctx.net, trans->ctx.chain);
9761 nft_trans_destroy(trans);
9763 case NFT_MSG_NEWRULE:
9764 if (nft_trans_rule_bound(trans)) {
9765 nft_trans_destroy(trans);
9768 trans->ctx.chain->use--;
9769 list_del_rcu(&nft_trans_rule(trans)->list);
9770 nft_rule_expr_deactivate(&trans->ctx,
9771 nft_trans_rule(trans),
9773 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9774 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9776 case NFT_MSG_DELRULE:
9777 case NFT_MSG_DESTROYRULE:
9778 trans->ctx.chain->use++;
9779 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9780 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
9781 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9782 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9784 nft_trans_destroy(trans);
9786 case NFT_MSG_NEWSET:
9787 if (nft_trans_set_update(trans)) {
9788 nft_trans_destroy(trans);
9791 trans->ctx.table->use--;
9792 if (nft_trans_set_bound(trans)) {
9793 nft_trans_destroy(trans);
9796 list_del_rcu(&nft_trans_set(trans)->list);
9798 case NFT_MSG_DELSET:
9799 case NFT_MSG_DESTROYSET:
9800 trans->ctx.table->use++;
9801 nft_clear(trans->ctx.net, nft_trans_set(trans));
9802 nft_trans_destroy(trans);
9804 case NFT_MSG_NEWSETELEM:
9805 if (nft_trans_elem_set_bound(trans)) {
9806 nft_trans_destroy(trans);
9809 te = (struct nft_trans_elem *)trans->data;
9810 nft_setelem_remove(net, te->set, &te->elem);
9811 if (!nft_setelem_is_catchall(te->set, &te->elem))
9812 atomic_dec(&te->set->nelems);
9814 if (te->set->ops->abort &&
9815 list_empty(&te->set->pending_update)) {
9816 list_add_tail(&te->set->pending_update,
9820 case NFT_MSG_DELSETELEM:
9821 case NFT_MSG_DESTROYSETELEM:
9822 te = (struct nft_trans_elem *)trans->data;
9824 nft_setelem_data_activate(net, te->set, &te->elem);
9825 nft_setelem_activate(net, te->set, &te->elem);
9826 if (!nft_setelem_is_catchall(te->set, &te->elem))
9829 if (te->set->ops->abort &&
9830 list_empty(&te->set->pending_update)) {
9831 list_add_tail(&te->set->pending_update,
9834 nft_trans_destroy(trans);
9836 case NFT_MSG_NEWOBJ:
9837 if (nft_trans_obj_update(trans)) {
9838 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
9839 nft_trans_destroy(trans);
9841 trans->ctx.table->use--;
9842 nft_obj_del(nft_trans_obj(trans));
9845 case NFT_MSG_DELOBJ:
9846 case NFT_MSG_DESTROYOBJ:
9847 trans->ctx.table->use++;
9848 nft_clear(trans->ctx.net, nft_trans_obj(trans));
9849 nft_trans_destroy(trans);
9851 case NFT_MSG_NEWFLOWTABLE:
9852 if (nft_trans_flowtable_update(trans)) {
9853 nft_unregister_flowtable_net_hooks(net,
9854 &nft_trans_flowtable_hooks(trans));
9856 trans->ctx.table->use--;
9857 list_del_rcu(&nft_trans_flowtable(trans)->list);
9858 nft_unregister_flowtable_net_hooks(net,
9859 &nft_trans_flowtable(trans)->hook_list);
9862 case NFT_MSG_DELFLOWTABLE:
9863 case NFT_MSG_DESTROYFLOWTABLE:
9864 if (nft_trans_flowtable_update(trans)) {
9865 list_splice(&nft_trans_flowtable_hooks(trans),
9866 &nft_trans_flowtable(trans)->hook_list);
9868 trans->ctx.table->use++;
9869 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
9871 nft_trans_destroy(trans);
9876 nft_set_abort_update(&set_update_list);
9880 list_for_each_entry_safe_reverse(trans, next,
9881 &nft_net->commit_list, list) {
9882 list_del(&trans->list);
9883 nf_tables_abort_release(trans);
9886 if (action == NFNL_ABORT_AUTOLOAD)
9887 nf_tables_module_autoload(net);
9889 nf_tables_module_autoload_cleanup(net);
9894 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
9895 enum nfnl_abort_action action)
9897 struct nftables_pernet *nft_net = nft_pernet(net);
9898 int ret = __nf_tables_abort(net, action);
9900 mutex_unlock(&nft_net->commit_mutex);
9905 static bool nf_tables_valid_genid(struct net *net, u32 genid)
9907 struct nftables_pernet *nft_net = nft_pernet(net);
9910 mutex_lock(&nft_net->commit_mutex);
9912 genid_ok = genid == 0 || nft_net->base_seq == genid;
9914 mutex_unlock(&nft_net->commit_mutex);
9916 /* else, commit mutex has to be released by commit or abort function */
9920 static const struct nfnetlink_subsystem nf_tables_subsys = {
9921 .name = "nf_tables",
9922 .subsys_id = NFNL_SUBSYS_NFTABLES,
9923 .cb_count = NFT_MSG_MAX,
9925 .commit = nf_tables_commit,
9926 .abort = nf_tables_abort,
9927 .valid_genid = nf_tables_valid_genid,
9928 .owner = THIS_MODULE,
9931 int nft_chain_validate_dependency(const struct nft_chain *chain,
9932 enum nft_chain_types type)
9934 const struct nft_base_chain *basechain;
9936 if (nft_is_base_chain(chain)) {
9937 basechain = nft_base_chain(chain);
9938 if (basechain->type->type != type)
9943 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9945 int nft_chain_validate_hooks(const struct nft_chain *chain,
9946 unsigned int hook_flags)
9948 struct nft_base_chain *basechain;
9950 if (nft_is_base_chain(chain)) {
9951 basechain = nft_base_chain(chain);
9953 if ((1 << basechain->ops.hooknum) & hook_flags)
9961 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9964 * Loop detection - walk through the ruleset beginning at the destination chain
9965 * of a new jump until either the source chain is reached (loop) or all
9966 * reachable chains have been traversed.
9968 * The loop check is performed whenever a new jump verdict is added to an
9969 * expression or verdict map or a verdict map is bound to a new chain.
9972 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9973 const struct nft_chain *chain);
9975 static int nft_check_loops(const struct nft_ctx *ctx,
9976 const struct nft_set_ext *ext)
9978 const struct nft_data *data;
9981 data = nft_set_ext_data(ext);
9982 switch (data->verdict.code) {
9985 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9995 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9996 struct nft_set *set,
9997 const struct nft_set_iter *iter,
9998 struct nft_set_elem *elem)
10000 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
10002 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
10003 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10006 return nft_check_loops(ctx, ext);
10009 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10010 struct nft_set *set)
10012 u8 genmask = nft_genmask_next(ctx->net);
10013 struct nft_set_elem_catchall *catchall;
10014 struct nft_set_ext *ext;
10017 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10018 ext = nft_set_elem_ext(set, catchall->elem);
10019 if (!nft_set_elem_active(ext, genmask))
10022 ret = nft_check_loops(ctx, ext);
10030 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10031 const struct nft_chain *chain)
10033 const struct nft_rule *rule;
10034 const struct nft_expr *expr, *last;
10035 struct nft_set *set;
10036 struct nft_set_binding *binding;
10037 struct nft_set_iter iter;
10039 if (ctx->chain == chain)
10042 list_for_each_entry(rule, &chain->rules, list) {
10043 nft_rule_for_each_expr(expr, last, rule) {
10044 struct nft_immediate_expr *priv;
10045 const struct nft_data *data;
10048 if (strcmp(expr->ops->type->name, "immediate"))
10051 priv = nft_expr_priv(expr);
10052 if (priv->dreg != NFT_REG_VERDICT)
10055 data = &priv->data;
10056 switch (data->verdict.code) {
10059 err = nf_tables_check_loops(ctx,
10060 data->verdict.chain);
10070 list_for_each_entry(set, &ctx->table->sets, list) {
10071 if (!nft_is_active_next(ctx->net, set))
10073 if (!(set->flags & NFT_SET_MAP) ||
10074 set->dtype != NFT_DATA_VERDICT)
10077 list_for_each_entry(binding, &set->bindings, list) {
10078 if (!(binding->flags & NFT_SET_MAP) ||
10079 binding->chain != chain)
10082 iter.genmask = nft_genmask_next(ctx->net);
10086 iter.fn = nf_tables_loop_check_setelem;
10088 set->ops->walk(ctx, set, &iter);
10090 iter.err = nft_set_catchall_loops(ctx, set);
10101 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10103 * @attr: netlink attribute to fetch value from
10104 * @max: maximum value to be stored in dest
10105 * @dest: pointer to the variable
10107 * Parse, check and store a given u32 netlink attribute into variable.
10108 * This function returns -ERANGE if the value goes over maximum value.
10109 * Otherwise a 0 is returned and the attribute value is stored in the
10110 * destination variable.
10112 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10116 val = ntohl(nla_get_be32(attr));
10123 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10125 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10129 reg = ntohl(nla_get_be32(attr));
10131 case NFT_REG_VERDICT...NFT_REG_4:
10132 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10134 case NFT_REG32_00...NFT_REG32_15:
10135 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10145 * nft_dump_register - dump a register value to a netlink attribute
10147 * @skb: socket buffer
10148 * @attr: attribute number
10149 * @reg: register number
10151 * Construct a netlink attribute containing the register number. For
10152 * compatibility reasons, register numbers being a multiple of 4 are
10153 * translated to the corresponding 128 bit register numbers.
10155 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10157 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10158 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10160 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10162 return nla_put_be32(skb, attr, htonl(reg));
10164 EXPORT_SYMBOL_GPL(nft_dump_register);
10166 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10168 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10172 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10178 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10183 err = nft_parse_register(attr, ®);
10187 err = nft_validate_register_load(reg, len);
10194 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10196 static int nft_validate_register_store(const struct nft_ctx *ctx,
10197 enum nft_registers reg,
10198 const struct nft_data *data,
10199 enum nft_data_types type,
10205 case NFT_REG_VERDICT:
10206 if (type != NFT_DATA_VERDICT)
10209 if (data != NULL &&
10210 (data->verdict.code == NFT_GOTO ||
10211 data->verdict.code == NFT_JUMP)) {
10212 err = nf_tables_check_loops(ctx, data->verdict.chain);
10219 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10223 if (reg * NFT_REG32_SIZE + len >
10224 sizeof_field(struct nft_regs, data))
10227 if (data != NULL && type != NFT_DATA_VALUE)
10233 int nft_parse_register_store(const struct nft_ctx *ctx,
10234 const struct nlattr *attr, u8 *dreg,
10235 const struct nft_data *data,
10236 enum nft_data_types type, unsigned int len)
10241 err = nft_parse_register(attr, ®);
10245 err = nft_validate_register_store(ctx, reg, data, type, len);
10252 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10254 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10255 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10256 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10257 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10258 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10261 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10262 struct nft_data_desc *desc, const struct nlattr *nla)
10264 u8 genmask = nft_genmask_next(ctx->net);
10265 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10266 struct nft_chain *chain;
10269 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10270 nft_verdict_policy, NULL);
10274 if (!tb[NFTA_VERDICT_CODE])
10276 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
10278 switch (data->verdict.code) {
10280 switch (data->verdict.code & NF_VERDICT_MASK) {
10295 if (tb[NFTA_VERDICT_CHAIN]) {
10296 chain = nft_chain_lookup(ctx->net, ctx->table,
10297 tb[NFTA_VERDICT_CHAIN],
10299 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
10300 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
10301 tb[NFTA_VERDICT_CHAIN_ID]);
10303 return PTR_ERR(chain);
10309 return PTR_ERR(chain);
10310 if (nft_is_base_chain(chain))
10311 return -EOPNOTSUPP;
10312 if (nft_chain_is_bound(chain))
10314 if (desc->flags & NFT_DATA_DESC_SETELEM &&
10315 chain->flags & NFT_CHAIN_BINDING)
10319 data->verdict.chain = chain;
10323 desc->len = sizeof(data->verdict);
10328 static void nft_verdict_uninit(const struct nft_data *data)
10330 struct nft_chain *chain;
10332 switch (data->verdict.code) {
10335 chain = data->verdict.chain;
10341 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
10343 struct nlattr *nest;
10345 nest = nla_nest_start_noflag(skb, type);
10347 goto nla_put_failure;
10349 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
10350 goto nla_put_failure;
10355 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
10357 goto nla_put_failure;
10359 nla_nest_end(skb, nest);
10366 static int nft_value_init(const struct nft_ctx *ctx,
10367 struct nft_data *data, struct nft_data_desc *desc,
10368 const struct nlattr *nla)
10372 len = nla_len(nla);
10375 if (len > desc->size)
10378 if (len != desc->len)
10384 nla_memcpy(data->data, nla, len);
10389 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
10392 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
10395 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
10396 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
10397 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
10401 * nft_data_init - parse nf_tables data netlink attributes
10403 * @ctx: context of the expression using the data
10404 * @data: destination struct nft_data
10405 * @desc: data description
10406 * @nla: netlink attribute containing data
10408 * Parse the netlink data attributes and initialize a struct nft_data.
10409 * The type and length of data are returned in the data description.
10411 * The caller can indicate that it only wants to accept data of type
10412 * NFT_DATA_VALUE by passing NULL for the ctx argument.
10414 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
10415 struct nft_data_desc *desc, const struct nlattr *nla)
10417 struct nlattr *tb[NFTA_DATA_MAX + 1];
10420 if (WARN_ON_ONCE(!desc->size))
10423 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
10424 nft_data_policy, NULL);
10428 if (tb[NFTA_DATA_VALUE]) {
10429 if (desc->type != NFT_DATA_VALUE)
10432 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
10433 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
10434 if (desc->type != NFT_DATA_VERDICT)
10437 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
10444 EXPORT_SYMBOL_GPL(nft_data_init);
10447 * nft_data_release - release a nft_data item
10449 * @data: struct nft_data to release
10450 * @type: type of data
10452 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
10453 * all others need to be released by calling this function.
10455 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
10457 if (type < NFT_DATA_VERDICT)
10460 case NFT_DATA_VERDICT:
10461 return nft_verdict_uninit(data);
10466 EXPORT_SYMBOL_GPL(nft_data_release);
10468 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
10469 enum nft_data_types type, unsigned int len)
10471 struct nlattr *nest;
10474 nest = nla_nest_start_noflag(skb, attr);
10479 case NFT_DATA_VALUE:
10480 err = nft_value_dump(skb, data, len);
10482 case NFT_DATA_VERDICT:
10483 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
10490 nla_nest_end(skb, nest);
10493 EXPORT_SYMBOL_GPL(nft_data_dump);
10495 int __nft_release_basechain(struct nft_ctx *ctx)
10497 struct nft_rule *rule, *nr;
10499 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
10502 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
10503 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
10504 list_del(&rule->list);
10506 nf_tables_rule_release(ctx, rule);
10508 nft_chain_del(ctx->chain);
10510 nf_tables_chain_destroy(ctx);
10514 EXPORT_SYMBOL_GPL(__nft_release_basechain);
10516 static void __nft_release_hook(struct net *net, struct nft_table *table)
10518 struct nft_flowtable *flowtable;
10519 struct nft_chain *chain;
10521 list_for_each_entry(chain, &table->chains, list)
10522 __nf_tables_unregister_hook(net, table, chain, true);
10523 list_for_each_entry(flowtable, &table->flowtables, list)
10524 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
10528 static void __nft_release_hooks(struct net *net)
10530 struct nftables_pernet *nft_net = nft_pernet(net);
10531 struct nft_table *table;
10533 list_for_each_entry(table, &nft_net->tables, list) {
10534 if (nft_table_has_owner(table))
10537 __nft_release_hook(net, table);
10541 static void __nft_release_table(struct net *net, struct nft_table *table)
10543 struct nft_flowtable *flowtable, *nf;
10544 struct nft_chain *chain, *nc;
10545 struct nft_object *obj, *ne;
10546 struct nft_rule *rule, *nr;
10547 struct nft_set *set, *ns;
10548 struct nft_ctx ctx = {
10550 .family = NFPROTO_NETDEV,
10553 ctx.family = table->family;
10555 list_for_each_entry(chain, &table->chains, list) {
10557 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
10558 list_del(&rule->list);
10560 nf_tables_rule_release(&ctx, rule);
10563 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
10564 list_del(&flowtable->list);
10566 nf_tables_flowtable_destroy(flowtable);
10568 list_for_each_entry_safe(set, ns, &table->sets, list) {
10569 list_del(&set->list);
10571 nft_set_destroy(&ctx, set);
10573 list_for_each_entry_safe(obj, ne, &table->objects, list) {
10576 nft_obj_destroy(&ctx, obj);
10578 list_for_each_entry_safe(chain, nc, &table->chains, list) {
10580 nft_chain_del(chain);
10582 nf_tables_chain_destroy(&ctx);
10584 nf_tables_table_destroy(&ctx);
10587 static void __nft_release_tables(struct net *net)
10589 struct nftables_pernet *nft_net = nft_pernet(net);
10590 struct nft_table *table, *nt;
10592 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
10593 if (nft_table_has_owner(table))
10596 list_del(&table->list);
10598 __nft_release_table(net, table);
10602 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
10605 struct nft_table *table, *to_delete[8];
10606 struct nftables_pernet *nft_net;
10607 struct netlink_notify *n = ptr;
10608 struct net *net = n->net;
10609 unsigned int deleted;
10610 bool restart = false;
10612 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
10613 return NOTIFY_DONE;
10615 nft_net = nft_pernet(net);
10617 mutex_lock(&nft_net->commit_mutex);
10618 if (!list_empty(&nf_tables_destroy_list))
10621 list_for_each_entry(table, &nft_net->tables, list) {
10622 if (nft_table_has_owner(table) &&
10623 n->portid == table->nlpid) {
10624 __nft_release_hook(net, table);
10625 list_del_rcu(&table->list);
10626 to_delete[deleted++] = table;
10627 if (deleted >= ARRAY_SIZE(to_delete))
10632 restart = deleted >= ARRAY_SIZE(to_delete);
10635 __nft_release_table(net, to_delete[--deleted]);
10640 mutex_unlock(&nft_net->commit_mutex);
10642 return NOTIFY_DONE;
10645 static struct notifier_block nft_nl_notifier = {
10646 .notifier_call = nft_rcv_nl_event,
10649 static int __net_init nf_tables_init_net(struct net *net)
10651 struct nftables_pernet *nft_net = nft_pernet(net);
10653 INIT_LIST_HEAD(&nft_net->tables);
10654 INIT_LIST_HEAD(&nft_net->commit_list);
10655 INIT_LIST_HEAD(&nft_net->module_list);
10656 INIT_LIST_HEAD(&nft_net->notify_list);
10657 mutex_init(&nft_net->commit_mutex);
10658 nft_net->base_seq = 1;
10663 static void __net_exit nf_tables_pre_exit_net(struct net *net)
10665 struct nftables_pernet *nft_net = nft_pernet(net);
10667 mutex_lock(&nft_net->commit_mutex);
10668 __nft_release_hooks(net);
10669 mutex_unlock(&nft_net->commit_mutex);
10672 static void __net_exit nf_tables_exit_net(struct net *net)
10674 struct nftables_pernet *nft_net = nft_pernet(net);
10676 mutex_lock(&nft_net->commit_mutex);
10677 if (!list_empty(&nft_net->commit_list) ||
10678 !list_empty(&nft_net->module_list))
10679 __nf_tables_abort(net, NFNL_ABORT_NONE);
10680 __nft_release_tables(net);
10681 mutex_unlock(&nft_net->commit_mutex);
10682 WARN_ON_ONCE(!list_empty(&nft_net->tables));
10683 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
10684 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10687 static struct pernet_operations nf_tables_net_ops = {
10688 .init = nf_tables_init_net,
10689 .pre_exit = nf_tables_pre_exit_net,
10690 .exit = nf_tables_exit_net,
10691 .id = &nf_tables_net_id,
10692 .size = sizeof(struct nftables_pernet),
10695 static int __init nf_tables_module_init(void)
10699 err = register_pernet_subsys(&nf_tables_net_ops);
10703 err = nft_chain_filter_init();
10705 goto err_chain_filter;
10707 err = nf_tables_core_module_init();
10709 goto err_core_module;
10711 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
10713 goto err_netdev_notifier;
10715 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
10717 goto err_rht_objname;
10719 err = nft_offload_init();
10723 err = netlink_register_notifier(&nft_nl_notifier);
10725 goto err_netlink_notifier;
10728 err = nfnetlink_subsys_register(&nf_tables_subsys);
10730 goto err_nfnl_subsys;
10732 nft_chain_route_init();
10737 netlink_unregister_notifier(&nft_nl_notifier);
10738 err_netlink_notifier:
10739 nft_offload_exit();
10741 rhltable_destroy(&nft_objname_ht);
10743 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10744 err_netdev_notifier:
10745 nf_tables_core_module_exit();
10747 nft_chain_filter_fini();
10749 unregister_pernet_subsys(&nf_tables_net_ops);
10753 static void __exit nf_tables_module_exit(void)
10755 nfnetlink_subsys_unregister(&nf_tables_subsys);
10756 netlink_unregister_notifier(&nft_nl_notifier);
10757 nft_offload_exit();
10758 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10759 nft_chain_filter_fini();
10760 nft_chain_route_fini();
10761 unregister_pernet_subsys(&nf_tables_net_ops);
10762 cancel_work_sync(&trans_destroy_work);
10764 rhltable_destroy(&nft_objname_ht);
10765 nf_tables_core_module_exit();
10768 module_init(nf_tables_module_init);
10769 module_exit(nf_tables_module_exit);
10771 MODULE_LICENSE("GPL");
10772 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
10773 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
OSDN Git Service
