1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly;
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static LIST_HEAD(nf_tables_gc_list);
35 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
36 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
39 NFT_VALIDATE_SKIP = 0,
44 static struct rhltable nft_objname_ht;
46 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
51 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
52 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54 static const struct rhashtable_params nft_chain_ht_params = {
55 .head_offset = offsetof(struct nft_chain, rhlhead),
56 .key_offset = offsetof(struct nft_chain, name),
57 .hashfn = nft_chain_hash,
58 .obj_hashfn = nft_chain_hash_obj,
59 .obj_cmpfn = nft_chain_hash_cmp,
60 .automatic_shrinking = true,
63 static const struct rhashtable_params nft_objname_ht_params = {
64 .head_offset = offsetof(struct nft_object, rhlhead),
65 .key_offset = offsetof(struct nft_object, key),
66 .hashfn = nft_objname_hash,
67 .obj_hashfn = nft_objname_hash_obj,
68 .obj_cmpfn = nft_objname_hash_cmp,
69 .automatic_shrinking = true,
72 struct nft_audit_data {
73 struct nft_table *table;
76 struct list_head list;
79 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
80 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
81 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
82 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
83 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
84 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
85 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
86 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
87 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
88 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
89 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
90 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
91 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
92 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
93 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
94 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
95 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
96 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
99 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
100 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
101 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
102 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
103 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
104 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
108 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 switch (table->validate_state) {
111 case NFT_VALIDATE_SKIP:
112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 case NFT_VALIDATE_NEED:
116 case NFT_VALIDATE_DO:
117 if (new_validate_state == NFT_VALIDATE_NEED)
121 table->validate_state = new_validate_state;
123 static void nf_tables_trans_destroy_work(struct work_struct *w);
124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126 static void nft_trans_gc_work(struct work_struct *work);
127 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129 static void nft_ctx_init(struct nft_ctx *ctx,
131 const struct sk_buff *skb,
132 const struct nlmsghdr *nlh,
134 struct nft_table *table,
135 struct nft_chain *chain,
136 const struct nlattr * const *nla)
139 ctx->family = family;
144 ctx->portid = NETLINK_CB(skb).portid;
145 ctx->report = nlmsg_report(nlh);
146 ctx->flags = nlh->nlmsg_flags;
147 ctx->seq = nlh->nlmsg_seq;
150 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
151 int msg_type, u32 size, gfp_t gfp)
153 struct nft_trans *trans;
155 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
159 INIT_LIST_HEAD(&trans->list);
160 INIT_LIST_HEAD(&trans->binding_list);
161 trans->msg_type = msg_type;
167 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
168 int msg_type, u32 size)
170 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
173 static void nft_trans_list_del(struct nft_trans *trans)
175 list_del(&trans->list);
176 list_del(&trans->binding_list);
179 static void nft_trans_destroy(struct nft_trans *trans)
181 nft_trans_list_del(trans);
185 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
188 struct nftables_pernet *nft_net;
189 struct net *net = ctx->net;
190 struct nft_trans *trans;
192 if (!nft_set_is_anonymous(set))
195 nft_net = nft_pernet(net);
196 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
197 switch (trans->msg_type) {
199 if (nft_trans_set(trans) == set)
200 nft_trans_set_bound(trans) = bind;
202 case NFT_MSG_NEWSETELEM:
203 if (nft_trans_elem_set(trans) == set)
204 nft_trans_elem_set_bound(trans) = bind;
210 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
212 return __nft_set_trans_bind(ctx, set, true);
215 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
217 return __nft_set_trans_bind(ctx, set, false);
220 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
221 struct nft_chain *chain, bool bind)
223 struct nftables_pernet *nft_net;
224 struct net *net = ctx->net;
225 struct nft_trans *trans;
227 if (!nft_chain_binding(chain))
230 nft_net = nft_pernet(net);
231 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
232 switch (trans->msg_type) {
233 case NFT_MSG_NEWCHAIN:
234 if (nft_trans_chain(trans) == chain)
235 nft_trans_chain_bound(trans) = bind;
237 case NFT_MSG_NEWRULE:
238 if (trans->ctx.chain == chain)
239 nft_trans_rule_bound(trans) = bind;
245 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
246 struct nft_chain *chain)
248 __nft_chain_trans_bind(ctx, chain, true);
251 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
253 if (!nft_chain_binding(chain))
256 if (nft_chain_binding(ctx->chain))
262 if (!nft_use_inc(&chain->use))
266 nft_chain_trans_bind(ctx, chain);
271 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
273 __nft_chain_trans_bind(ctx, chain, false);
276 static int nft_netdev_register_hooks(struct net *net,
277 struct list_head *hook_list)
279 struct nft_hook *hook;
283 list_for_each_entry(hook, hook_list, list) {
284 err = nf_register_net_hook(net, &hook->ops);
293 list_for_each_entry(hook, hook_list, list) {
297 nf_unregister_net_hook(net, &hook->ops);
302 static void nft_netdev_unregister_hooks(struct net *net,
303 struct list_head *hook_list,
306 struct nft_hook *hook, *next;
308 list_for_each_entry_safe(hook, next, hook_list, list) {
309 nf_unregister_net_hook(net, &hook->ops);
310 if (release_netdev) {
311 list_del(&hook->list);
312 kfree_rcu(hook, rcu);
317 static int nf_tables_register_hook(struct net *net,
318 const struct nft_table *table,
319 struct nft_chain *chain)
321 struct nft_base_chain *basechain;
322 const struct nf_hook_ops *ops;
324 if (table->flags & NFT_TABLE_F_DORMANT ||
325 !nft_is_base_chain(chain))
328 basechain = nft_base_chain(chain);
329 ops = &basechain->ops;
331 if (basechain->type->ops_register)
332 return basechain->type->ops_register(net, ops);
334 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
335 return nft_netdev_register_hooks(net, &basechain->hook_list);
337 return nf_register_net_hook(net, &basechain->ops);
340 static void __nf_tables_unregister_hook(struct net *net,
341 const struct nft_table *table,
342 struct nft_chain *chain,
345 struct nft_base_chain *basechain;
346 const struct nf_hook_ops *ops;
348 if (table->flags & NFT_TABLE_F_DORMANT ||
349 !nft_is_base_chain(chain))
351 basechain = nft_base_chain(chain);
352 ops = &basechain->ops;
354 if (basechain->type->ops_unregister)
355 return basechain->type->ops_unregister(net, ops);
357 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
358 nft_netdev_unregister_hooks(net, &basechain->hook_list,
361 nf_unregister_net_hook(net, &basechain->ops);
364 static void nf_tables_unregister_hook(struct net *net,
365 const struct nft_table *table,
366 struct nft_chain *chain)
368 return __nf_tables_unregister_hook(net, table, chain, false);
371 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
373 struct nftables_pernet *nft_net = nft_pernet(net);
375 switch (trans->msg_type) {
377 if (!nft_trans_set_update(trans) &&
378 nft_set_is_anonymous(nft_trans_set(trans)))
379 list_add_tail(&trans->binding_list, &nft_net->binding_list);
381 case NFT_MSG_NEWCHAIN:
382 if (!nft_trans_chain_update(trans) &&
383 nft_chain_binding(nft_trans_chain(trans)))
384 list_add_tail(&trans->binding_list, &nft_net->binding_list);
388 list_add_tail(&trans->list, &nft_net->commit_list);
391 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
393 struct nft_trans *trans;
395 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
399 if (msg_type == NFT_MSG_NEWTABLE)
400 nft_activate_next(ctx->net, ctx->table);
402 nft_trans_commit_list_add_tail(ctx->net, trans);
406 static int nft_deltable(struct nft_ctx *ctx)
410 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
414 nft_deactivate_next(ctx->net, ctx->table);
418 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
420 struct nft_trans *trans;
422 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
424 return ERR_PTR(-ENOMEM);
426 if (msg_type == NFT_MSG_NEWCHAIN) {
427 nft_activate_next(ctx->net, ctx->chain);
429 if (ctx->nla[NFTA_CHAIN_ID]) {
430 nft_trans_chain_id(trans) =
431 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
434 nft_trans_chain(trans) = ctx->chain;
435 nft_trans_commit_list_add_tail(ctx->net, trans);
440 static int nft_delchain(struct nft_ctx *ctx)
442 struct nft_trans *trans;
444 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
446 return PTR_ERR(trans);
448 nft_use_dec(&ctx->table->use);
449 nft_deactivate_next(ctx->net, ctx->chain);
454 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
456 struct nft_expr *expr;
458 expr = nft_expr_first(rule);
459 while (nft_expr_more(rule, expr)) {
460 if (expr->ops->activate)
461 expr->ops->activate(ctx, expr);
463 expr = nft_expr_next(expr);
467 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
468 enum nft_trans_phase phase)
470 struct nft_expr *expr;
472 expr = nft_expr_first(rule);
473 while (nft_expr_more(rule, expr)) {
474 if (expr->ops->deactivate)
475 expr->ops->deactivate(ctx, expr, phase);
477 expr = nft_expr_next(expr);
482 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
484 /* You cannot delete the same rule twice */
485 if (nft_is_active_next(ctx->net, rule)) {
486 nft_deactivate_next(ctx->net, rule);
487 nft_use_dec(&ctx->chain->use);
493 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
494 struct nft_rule *rule)
496 struct nft_trans *trans;
498 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
502 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
503 nft_trans_rule_id(trans) =
504 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
506 nft_trans_rule(trans) = rule;
507 nft_trans_commit_list_add_tail(ctx->net, trans);
512 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
514 struct nft_flow_rule *flow;
515 struct nft_trans *trans;
518 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
522 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
523 flow = nft_flow_rule_create(ctx->net, rule);
525 nft_trans_destroy(trans);
526 return PTR_ERR(flow);
529 nft_trans_flow_rule(trans) = flow;
532 err = nf_tables_delrule_deactivate(ctx, rule);
534 nft_trans_destroy(trans);
537 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
542 static int nft_delrule_by_chain(struct nft_ctx *ctx)
544 struct nft_rule *rule;
547 list_for_each_entry(rule, &ctx->chain->rules, list) {
548 if (!nft_is_active_next(ctx->net, rule))
551 err = nft_delrule(ctx, rule);
558 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
560 const struct nft_set_desc *desc)
562 struct nft_trans *trans;
564 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
568 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
569 nft_trans_set_id(trans) =
570 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
571 nft_activate_next(ctx->net, set);
573 nft_trans_set(trans) = set;
575 nft_trans_set_update(trans) = true;
576 nft_trans_set_gc_int(trans) = desc->gc_int;
577 nft_trans_set_timeout(trans) = desc->timeout;
578 nft_trans_set_size(trans) = desc->size;
580 nft_trans_commit_list_add_tail(ctx->net, trans);
585 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
588 return __nft_trans_set_add(ctx, msg_type, set, NULL);
591 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
593 const struct nft_set_iter *iter,
594 struct nft_elem_priv *elem_priv)
596 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
601 struct nft_set_elem_catchall {
602 struct list_head list;
604 struct nft_elem_priv *elem;
607 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
610 u8 genmask = nft_genmask_next(ctx->net);
611 struct nft_set_elem_catchall *catchall;
612 struct nft_set_ext *ext;
614 list_for_each_entry(catchall, &set->catchall_list, list) {
615 ext = nft_set_elem_ext(set, catchall->elem);
616 if (!nft_set_elem_active(ext, genmask))
619 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
624 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
626 struct nft_set_iter iter = {
627 .genmask = nft_genmask_next(ctx->net),
628 .fn = nft_mapelem_deactivate,
631 set->ops->walk(ctx, set, &iter);
632 WARN_ON_ONCE(iter.err);
634 nft_map_catchall_deactivate(ctx, set);
637 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
641 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
645 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
646 nft_map_deactivate(ctx, set);
648 nft_deactivate_next(ctx->net, set);
649 nft_use_dec(&ctx->table->use);
654 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
655 struct nft_object *obj)
657 struct nft_trans *trans;
659 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
663 if (msg_type == NFT_MSG_NEWOBJ)
664 nft_activate_next(ctx->net, obj);
666 nft_trans_obj(trans) = obj;
667 nft_trans_commit_list_add_tail(ctx->net, trans);
672 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
676 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
680 nft_deactivate_next(ctx->net, obj);
681 nft_use_dec(&ctx->table->use);
686 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
687 struct nft_flowtable *flowtable)
689 struct nft_trans *trans;
691 trans = nft_trans_alloc(ctx, msg_type,
692 sizeof(struct nft_trans_flowtable));
696 if (msg_type == NFT_MSG_NEWFLOWTABLE)
697 nft_activate_next(ctx->net, flowtable);
699 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
700 nft_trans_flowtable(trans) = flowtable;
701 nft_trans_commit_list_add_tail(ctx->net, trans);
706 static int nft_delflowtable(struct nft_ctx *ctx,
707 struct nft_flowtable *flowtable)
711 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
715 nft_deactivate_next(ctx->net, flowtable);
716 nft_use_dec(&ctx->table->use);
721 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
725 for (i = track->regs[dreg].num_reg; i > 0; i--)
726 __nft_reg_track_cancel(track, dreg - i);
729 static void __nft_reg_track_update(struct nft_regs_track *track,
730 const struct nft_expr *expr,
733 track->regs[dreg].selector = expr;
734 track->regs[dreg].bitwise = NULL;
735 track->regs[dreg].num_reg = num_reg;
738 void nft_reg_track_update(struct nft_regs_track *track,
739 const struct nft_expr *expr, u8 dreg, u8 len)
741 unsigned int regcount;
744 __nft_reg_track_clobber(track, dreg);
746 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
747 for (i = 0; i < regcount; i++, dreg++)
748 __nft_reg_track_update(track, expr, dreg, i);
750 EXPORT_SYMBOL_GPL(nft_reg_track_update);
752 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
754 unsigned int regcount;
757 __nft_reg_track_clobber(track, dreg);
759 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
760 for (i = 0; i < regcount; i++, dreg++)
761 __nft_reg_track_cancel(track, dreg);
763 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
765 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
767 track->regs[dreg].selector = NULL;
768 track->regs[dreg].bitwise = NULL;
769 track->regs[dreg].num_reg = 0;
771 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
777 static struct nft_table *nft_table_lookup(const struct net *net,
778 const struct nlattr *nla,
779 u8 family, u8 genmask, u32 nlpid)
781 struct nftables_pernet *nft_net;
782 struct nft_table *table;
785 return ERR_PTR(-EINVAL);
787 nft_net = nft_pernet(net);
788 list_for_each_entry_rcu(table, &nft_net->tables, list,
789 lockdep_is_held(&nft_net->commit_mutex)) {
790 if (!nla_strcmp(nla, table->name) &&
791 table->family == family &&
792 nft_active_genmask(table, genmask)) {
793 if (nft_table_has_owner(table) &&
794 nlpid && table->nlpid != nlpid)
795 return ERR_PTR(-EPERM);
801 return ERR_PTR(-ENOENT);
804 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
805 const struct nlattr *nla,
806 int family, u8 genmask, u32 nlpid)
808 struct nftables_pernet *nft_net;
809 struct nft_table *table;
811 nft_net = nft_pernet(net);
812 list_for_each_entry(table, &nft_net->tables, list) {
813 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
814 table->family == family &&
815 nft_active_genmask(table, genmask)) {
816 if (nft_table_has_owner(table) &&
817 nlpid && table->nlpid != nlpid)
818 return ERR_PTR(-EPERM);
824 return ERR_PTR(-ENOENT);
827 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
829 return ++table->hgenerator;
832 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
834 static const struct nft_chain_type *
835 __nft_chain_type_get(u8 family, enum nft_chain_types type)
837 if (family >= NFPROTO_NUMPROTO ||
838 type >= NFT_CHAIN_T_MAX)
841 return chain_type[family][type];
844 static const struct nft_chain_type *
845 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
847 const struct nft_chain_type *type;
850 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
851 type = __nft_chain_type_get(family, i);
854 if (!nla_strcmp(nla, type->name))
860 struct nft_module_request {
861 struct list_head list;
862 char module[MODULE_NAME_LEN];
866 #ifdef CONFIG_MODULES
867 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
870 char module_name[MODULE_NAME_LEN];
871 struct nftables_pernet *nft_net;
872 struct nft_module_request *req;
877 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
879 if (ret >= MODULE_NAME_LEN)
882 nft_net = nft_pernet(net);
883 list_for_each_entry(req, &nft_net->module_list, list) {
884 if (!strcmp(req->module, module_name)) {
888 /* A request to load this module already exists. */
893 req = kmalloc(sizeof(*req), GFP_KERNEL);
898 strscpy(req->module, module_name, MODULE_NAME_LEN);
899 list_add_tail(&req->list, &nft_net->module_list);
903 EXPORT_SYMBOL_GPL(nft_request_module);
906 static void lockdep_nfnl_nft_mutex_not_held(void)
908 #ifdef CONFIG_PROVE_LOCKING
910 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
914 static const struct nft_chain_type *
915 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
916 u8 family, bool autoload)
918 const struct nft_chain_type *type;
920 type = __nf_tables_chain_type_lookup(nla, family);
924 lockdep_nfnl_nft_mutex_not_held();
925 #ifdef CONFIG_MODULES
927 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
929 (const char *)nla_data(nla)) == -EAGAIN)
930 return ERR_PTR(-EAGAIN);
933 return ERR_PTR(-ENOENT);
936 static __be16 nft_base_seq(const struct net *net)
938 struct nftables_pernet *nft_net = nft_pernet(net);
940 return htons(nft_net->base_seq & 0xffff);
943 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
944 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
945 .len = NFT_TABLE_MAXNAMELEN - 1 },
946 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
947 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
948 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
949 .len = NFT_USERDATA_MAXLEN }
952 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
953 u32 portid, u32 seq, int event, u32 flags,
954 int family, const struct nft_table *table)
956 struct nlmsghdr *nlh;
958 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
959 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
960 NFNETLINK_V0, nft_base_seq(net));
962 goto nla_put_failure;
964 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
965 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
966 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
968 goto nla_put_failure;
970 if (event == NFT_MSG_DELTABLE) {
975 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
976 htonl(table->flags & NFT_TABLE_F_MASK)))
977 goto nla_put_failure;
979 if (nft_table_has_owner(table) &&
980 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
981 goto nla_put_failure;
984 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
985 goto nla_put_failure;
992 nlmsg_trim(skb, nlh);
996 struct nftnl_skb_parms {
999 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1001 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1002 struct list_head *notify_list)
1004 NFT_CB(skb).report = report;
1005 list_add_tail(&skb->list, notify_list);
1008 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1010 struct nftables_pernet *nft_net;
1011 struct sk_buff *skb;
1016 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1019 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1023 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1024 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1026 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1027 event, flags, ctx->family, ctx->table);
1033 nft_net = nft_pernet(ctx->net);
1034 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1037 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1040 static int nf_tables_dump_tables(struct sk_buff *skb,
1041 struct netlink_callback *cb)
1043 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1044 struct nftables_pernet *nft_net;
1045 const struct nft_table *table;
1046 unsigned int idx = 0, s_idx = cb->args[0];
1047 struct net *net = sock_net(skb->sk);
1048 int family = nfmsg->nfgen_family;
1051 nft_net = nft_pernet(net);
1052 cb->seq = READ_ONCE(nft_net->base_seq);
1054 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1055 if (family != NFPROTO_UNSPEC && family != table->family)
1061 memset(&cb->args[1], 0,
1062 sizeof(cb->args) - sizeof(cb->args[0]));
1063 if (!nft_is_active(net, table))
1065 if (nf_tables_fill_table_info(skb, net,
1066 NETLINK_CB(cb->skb).portid,
1068 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1069 table->family, table) < 0)
1072 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1082 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1083 const struct nlmsghdr *nlh,
1084 struct netlink_dump_control *c)
1088 if (!try_module_get(THIS_MODULE))
1092 err = netlink_dump_start(nlsk, skb, nlh, c);
1094 module_put(THIS_MODULE);
1099 /* called with rcu_read_lock held */
1100 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1101 const struct nlattr * const nla[])
1103 struct netlink_ext_ack *extack = info->extack;
1104 u8 genmask = nft_genmask_cur(info->net);
1105 u8 family = info->nfmsg->nfgen_family;
1106 const struct nft_table *table;
1107 struct net *net = info->net;
1108 struct sk_buff *skb2;
1111 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1112 struct netlink_dump_control c = {
1113 .dump = nf_tables_dump_tables,
1114 .module = THIS_MODULE,
1117 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1120 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1121 if (IS_ERR(table)) {
1122 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1123 return PTR_ERR(table);
1126 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1130 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1131 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1134 goto err_fill_table_info;
1136 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1138 err_fill_table_info:
1143 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1145 struct nft_chain *chain;
1148 list_for_each_entry(chain, &table->chains, list) {
1149 if (!nft_is_active_next(net, chain))
1151 if (!nft_is_base_chain(chain))
1154 if (cnt && i++ == cnt)
1157 nf_tables_unregister_hook(net, table, chain);
1161 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1163 struct nft_chain *chain;
1166 list_for_each_entry(chain, &table->chains, list) {
1167 if (!nft_is_active_next(net, chain))
1169 if (!nft_is_base_chain(chain))
1172 err = nf_tables_register_hook(net, table, chain);
1174 goto err_register_hooks;
1182 nft_table_disable(net, table, i);
1186 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1188 table->flags &= ~NFT_TABLE_F_DORMANT;
1189 nft_table_disable(net, table, 0);
1190 table->flags |= NFT_TABLE_F_DORMANT;
1193 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1194 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1195 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1196 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1197 __NFT_TABLE_F_WAS_AWAKEN)
1199 static int nf_tables_updtable(struct nft_ctx *ctx)
1201 struct nft_trans *trans;
1205 if (!ctx->nla[NFTA_TABLE_FLAGS])
1208 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1209 if (flags & ~NFT_TABLE_F_MASK)
1212 if (flags == ctx->table->flags)
1215 if ((nft_table_has_owner(ctx->table) &&
1216 !(flags & NFT_TABLE_F_OWNER)) ||
1217 (!nft_table_has_owner(ctx->table) &&
1218 flags & NFT_TABLE_F_OWNER))
1221 /* No dormant off/on/off/on games in single transaction */
1222 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1225 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1226 sizeof(struct nft_trans_table));
1230 if ((flags & NFT_TABLE_F_DORMANT) &&
1231 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1232 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1233 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1234 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1235 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1236 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1237 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1238 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1239 ret = nf_tables_table_enable(ctx->net, ctx->table);
1241 goto err_register_hooks;
1243 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1247 nft_trans_table_update(trans) = true;
1248 nft_trans_commit_list_add_tail(ctx->net, trans);
1253 nft_trans_destroy(trans);
1257 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1259 const char *name = data;
1261 return jhash(name, strlen(name), seed);
1264 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1266 const struct nft_chain *chain = data;
1268 return nft_chain_hash(chain->name, 0, seed);
1271 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1274 const struct nft_chain *chain = ptr;
1275 const char *name = arg->key;
1277 return strcmp(chain->name, name);
1280 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1282 const struct nft_object_hash_key *k = data;
1284 seed ^= hash_ptr(k->table, 32);
1286 return jhash(k->name, strlen(k->name), seed);
1289 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1291 const struct nft_object *obj = data;
1293 return nft_objname_hash(&obj->key, 0, seed);
1296 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1299 const struct nft_object_hash_key *k = arg->key;
1300 const struct nft_object *obj = ptr;
1302 if (obj->key.table != k->table)
1305 return strcmp(obj->key.name, k->name);
1308 static bool nft_supported_family(u8 family)
1311 #ifdef CONFIG_NF_TABLES_INET
1312 || family == NFPROTO_INET
1314 #ifdef CONFIG_NF_TABLES_IPV4
1315 || family == NFPROTO_IPV4
1317 #ifdef CONFIG_NF_TABLES_ARP
1318 || family == NFPROTO_ARP
1320 #ifdef CONFIG_NF_TABLES_NETDEV
1321 || family == NFPROTO_NETDEV
1323 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1324 || family == NFPROTO_BRIDGE
1326 #ifdef CONFIG_NF_TABLES_IPV6
1327 || family == NFPROTO_IPV6
1332 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1333 const struct nlattr * const nla[])
1335 struct nftables_pernet *nft_net = nft_pernet(info->net);
1336 struct netlink_ext_ack *extack = info->extack;
1337 u8 genmask = nft_genmask_next(info->net);
1338 u8 family = info->nfmsg->nfgen_family;
1339 struct net *net = info->net;
1340 const struct nlattr *attr;
1341 struct nft_table *table;
1346 if (!nft_supported_family(family))
1349 lockdep_assert_held(&nft_net->commit_mutex);
1350 attr = nla[NFTA_TABLE_NAME];
1351 table = nft_table_lookup(net, attr, family, genmask,
1352 NETLINK_CB(skb).portid);
1353 if (IS_ERR(table)) {
1354 if (PTR_ERR(table) != -ENOENT)
1355 return PTR_ERR(table);
1357 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1358 NL_SET_BAD_ATTR(extack, attr);
1361 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1364 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1366 return nf_tables_updtable(&ctx);
1369 if (nla[NFTA_TABLE_FLAGS]) {
1370 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1371 if (flags & ~NFT_TABLE_F_MASK)
1376 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1380 table->validate_state = nft_net->validate_state;
1381 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1382 if (table->name == NULL)
1385 if (nla[NFTA_TABLE_USERDATA]) {
1386 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1387 if (table->udata == NULL)
1388 goto err_table_udata;
1390 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1393 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1397 INIT_LIST_HEAD(&table->chains);
1398 INIT_LIST_HEAD(&table->sets);
1399 INIT_LIST_HEAD(&table->objects);
1400 INIT_LIST_HEAD(&table->flowtables);
1401 table->family = family;
1402 table->flags = flags;
1403 table->handle = ++nft_net->table_handle;
1404 if (table->flags & NFT_TABLE_F_OWNER)
1405 table->nlpid = NETLINK_CB(skb).portid;
1407 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1408 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1412 list_add_tail_rcu(&table->list, &nft_net->tables);
1415 rhltable_destroy(&table->chains_ht);
1417 kfree(table->udata);
1426 static int nft_flush_table(struct nft_ctx *ctx)
1428 struct nft_flowtable *flowtable, *nft;
1429 struct nft_chain *chain, *nc;
1430 struct nft_object *obj, *ne;
1431 struct nft_set *set, *ns;
1434 list_for_each_entry(chain, &ctx->table->chains, list) {
1435 if (!nft_is_active_next(ctx->net, chain))
1438 if (nft_chain_binding(chain))
1443 err = nft_delrule_by_chain(ctx);
1448 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1449 if (!nft_is_active_next(ctx->net, set))
1452 if (nft_set_is_anonymous(set))
1455 err = nft_delset(ctx, set);
1460 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1461 if (!nft_is_active_next(ctx->net, flowtable))
1464 err = nft_delflowtable(ctx, flowtable);
1469 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1470 if (!nft_is_active_next(ctx->net, obj))
1473 err = nft_delobj(ctx, obj);
1478 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1479 if (!nft_is_active_next(ctx->net, chain))
1482 if (nft_chain_binding(chain))
1487 err = nft_delchain(ctx);
1492 err = nft_deltable(ctx);
1497 static int nft_flush(struct nft_ctx *ctx, int family)
1499 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1500 const struct nlattr * const *nla = ctx->nla;
1501 struct nft_table *table, *nt;
1504 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1505 if (family != AF_UNSPEC && table->family != family)
1508 ctx->family = table->family;
1510 if (!nft_is_active_next(ctx->net, table))
1513 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1516 if (nla[NFTA_TABLE_NAME] &&
1517 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1522 err = nft_flush_table(ctx);
1530 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1531 const struct nlattr * const nla[])
1533 struct netlink_ext_ack *extack = info->extack;
1534 u8 genmask = nft_genmask_next(info->net);
1535 u8 family = info->nfmsg->nfgen_family;
1536 struct net *net = info->net;
1537 const struct nlattr *attr;
1538 struct nft_table *table;
1541 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1542 if (family == AF_UNSPEC ||
1543 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1544 return nft_flush(&ctx, family);
1546 if (nla[NFTA_TABLE_HANDLE]) {
1547 attr = nla[NFTA_TABLE_HANDLE];
1548 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1549 NETLINK_CB(skb).portid);
1551 attr = nla[NFTA_TABLE_NAME];
1552 table = nft_table_lookup(net, attr, family, genmask,
1553 NETLINK_CB(skb).portid);
1556 if (IS_ERR(table)) {
1557 if (PTR_ERR(table) == -ENOENT &&
1558 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1561 NL_SET_BAD_ATTR(extack, attr);
1562 return PTR_ERR(table);
1565 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1569 ctx.family = family;
1572 return nft_flush_table(&ctx);
1575 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1577 if (WARN_ON(ctx->table->use > 0))
1580 rhltable_destroy(&ctx->table->chains_ht);
1581 kfree(ctx->table->name);
1582 kfree(ctx->table->udata);
1586 void nft_register_chain_type(const struct nft_chain_type *ctype)
1588 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1589 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1590 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1593 chain_type[ctype->family][ctype->type] = ctype;
1594 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1596 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1598 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1600 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1601 chain_type[ctype->family][ctype->type] = NULL;
1602 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1604 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1610 static struct nft_chain *
1611 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1613 struct nft_chain *chain;
1615 list_for_each_entry(chain, &table->chains, list) {
1616 if (chain->handle == handle &&
1617 nft_active_genmask(chain, genmask))
1621 return ERR_PTR(-ENOENT);
1624 static bool lockdep_commit_lock_is_held(const struct net *net)
1626 #ifdef CONFIG_PROVE_LOCKING
1627 struct nftables_pernet *nft_net = nft_pernet(net);
1629 return lockdep_is_held(&nft_net->commit_mutex);
1635 static struct nft_chain *nft_chain_lookup(struct net *net,
1636 struct nft_table *table,
1637 const struct nlattr *nla, u8 genmask)
1639 char search[NFT_CHAIN_MAXNAMELEN + 1];
1640 struct rhlist_head *tmp, *list;
1641 struct nft_chain *chain;
1644 return ERR_PTR(-EINVAL);
1646 nla_strscpy(search, nla, sizeof(search));
1648 WARN_ON(!rcu_read_lock_held() &&
1649 !lockdep_commit_lock_is_held(net));
1651 chain = ERR_PTR(-ENOENT);
1653 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1657 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1658 if (nft_active_genmask(chain, genmask))
1661 chain = ERR_PTR(-ENOENT);
1667 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1668 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1669 .len = NFT_TABLE_MAXNAMELEN - 1 },
1670 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1671 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1672 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1673 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1674 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1675 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1676 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1677 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1678 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1679 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1680 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1681 .len = NFT_USERDATA_MAXLEN },
1684 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1685 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1686 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1687 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1688 .len = IFNAMSIZ - 1 },
1691 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1693 struct nft_stats *cpu_stats, total;
1694 struct nlattr *nest;
1702 memset(&total, 0, sizeof(total));
1703 for_each_possible_cpu(cpu) {
1704 cpu_stats = per_cpu_ptr(stats, cpu);
1706 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1707 pkts = cpu_stats->pkts;
1708 bytes = cpu_stats->bytes;
1709 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1711 total.bytes += bytes;
1713 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1715 goto nla_put_failure;
1717 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1718 NFTA_COUNTER_PAD) ||
1719 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1721 goto nla_put_failure;
1723 nla_nest_end(skb, nest);
1730 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1731 const struct nft_base_chain *basechain,
1732 const struct list_head *hook_list)
1734 const struct nf_hook_ops *ops = &basechain->ops;
1735 struct nft_hook *hook, *first = NULL;
1736 struct nlattr *nest, *nest_devs;
1739 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1741 goto nla_put_failure;
1742 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1743 goto nla_put_failure;
1744 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1745 goto nla_put_failure;
1747 if (nft_base_chain_netdev(family, ops->hooknum)) {
1748 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1750 goto nla_put_failure;
1753 hook_list = &basechain->hook_list;
1755 list_for_each_entry(hook, hook_list, list) {
1759 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1760 hook->ops.dev->name))
1761 goto nla_put_failure;
1764 nla_nest_end(skb, nest_devs);
1767 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1768 goto nla_put_failure;
1770 nla_nest_end(skb, nest);
1777 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1778 u32 portid, u32 seq, int event, u32 flags,
1779 int family, const struct nft_table *table,
1780 const struct nft_chain *chain,
1781 const struct list_head *hook_list)
1783 struct nlmsghdr *nlh;
1785 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1786 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1787 NFNETLINK_V0, nft_base_seq(net));
1789 goto nla_put_failure;
1791 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1792 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1793 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1795 goto nla_put_failure;
1797 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1798 nlmsg_end(skb, nlh);
1802 if (nft_is_base_chain(chain)) {
1803 const struct nft_base_chain *basechain = nft_base_chain(chain);
1804 struct nft_stats __percpu *stats;
1806 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1807 goto nla_put_failure;
1809 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1810 htonl(basechain->policy)))
1811 goto nla_put_failure;
1813 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1814 goto nla_put_failure;
1816 stats = rcu_dereference_check(basechain->stats,
1817 lockdep_commit_lock_is_held(net));
1818 if (nft_dump_stats(skb, stats))
1819 goto nla_put_failure;
1823 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1824 goto nla_put_failure;
1826 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1827 goto nla_put_failure;
1830 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1831 goto nla_put_failure;
1833 nlmsg_end(skb, nlh);
1837 nlmsg_trim(skb, nlh);
1841 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1842 const struct list_head *hook_list)
1844 struct nftables_pernet *nft_net;
1845 struct sk_buff *skb;
1850 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1853 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1857 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1858 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1860 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1861 event, flags, ctx->family, ctx->table,
1862 ctx->chain, hook_list);
1868 nft_net = nft_pernet(ctx->net);
1869 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1872 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1875 static int nf_tables_dump_chains(struct sk_buff *skb,
1876 struct netlink_callback *cb)
1878 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1879 unsigned int idx = 0, s_idx = cb->args[0];
1880 struct net *net = sock_net(skb->sk);
1881 int family = nfmsg->nfgen_family;
1882 struct nftables_pernet *nft_net;
1883 const struct nft_table *table;
1884 const struct nft_chain *chain;
1887 nft_net = nft_pernet(net);
1888 cb->seq = READ_ONCE(nft_net->base_seq);
1890 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1891 if (family != NFPROTO_UNSPEC && family != table->family)
1894 list_for_each_entry_rcu(chain, &table->chains, list) {
1898 memset(&cb->args[1], 0,
1899 sizeof(cb->args) - sizeof(cb->args[0]));
1900 if (!nft_is_active(net, chain))
1902 if (nf_tables_fill_chain_info(skb, net,
1903 NETLINK_CB(cb->skb).portid,
1907 table->family, table,
1911 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1922 /* called with rcu_read_lock held */
1923 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1924 const struct nlattr * const nla[])
1926 struct netlink_ext_ack *extack = info->extack;
1927 u8 genmask = nft_genmask_cur(info->net);
1928 u8 family = info->nfmsg->nfgen_family;
1929 const struct nft_chain *chain;
1930 struct net *net = info->net;
1931 struct nft_table *table;
1932 struct sk_buff *skb2;
1935 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1936 struct netlink_dump_control c = {
1937 .dump = nf_tables_dump_chains,
1938 .module = THIS_MODULE,
1941 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1944 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1945 if (IS_ERR(table)) {
1946 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1947 return PTR_ERR(table);
1950 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1951 if (IS_ERR(chain)) {
1952 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1953 return PTR_ERR(chain);
1956 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1960 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1961 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1962 0, family, table, chain, NULL);
1964 goto err_fill_chain_info;
1966 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1968 err_fill_chain_info:
1973 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1974 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1975 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1978 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1980 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1981 struct nft_stats __percpu *newstats;
1982 struct nft_stats *stats;
1985 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1986 nft_counter_policy, NULL);
1988 return ERR_PTR(err);
1990 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1991 return ERR_PTR(-EINVAL);
1993 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1994 if (newstats == NULL)
1995 return ERR_PTR(-ENOMEM);
1997 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1998 * are not exposed to userspace.
2001 stats = this_cpu_ptr(newstats);
2002 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2003 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2009 static void nft_chain_stats_replace(struct nft_trans *trans)
2011 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
2013 if (!nft_trans_chain_stats(trans))
2016 nft_trans_chain_stats(trans) =
2017 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2018 lockdep_commit_lock_is_held(trans->ctx.net));
2020 if (!nft_trans_chain_stats(trans))
2021 static_branch_inc(&nft_counters_enabled);
2024 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2026 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2027 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2033 /* should be NULL either via abort or via successful commit */
2034 WARN_ON_ONCE(chain->blob_next);
2035 kvfree(chain->blob_next);
2038 void nf_tables_chain_destroy(struct nft_ctx *ctx)
2040 struct nft_chain *chain = ctx->chain;
2041 struct nft_hook *hook, *next;
2043 if (WARN_ON(chain->use > 0))
2046 /* no concurrent access possible anymore */
2047 nf_tables_chain_free_chain_rules(chain);
2049 if (nft_is_base_chain(chain)) {
2050 struct nft_base_chain *basechain = nft_base_chain(chain);
2052 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2053 list_for_each_entry_safe(hook, next,
2054 &basechain->hook_list, list) {
2055 list_del_rcu(&hook->list);
2056 kfree_rcu(hook, rcu);
2059 module_put(basechain->type->owner);
2060 if (rcu_access_pointer(basechain->stats)) {
2061 static_branch_dec(&nft_counters_enabled);
2062 free_percpu(rcu_dereference_raw(basechain->stats));
2065 kfree(chain->udata);
2069 kfree(chain->udata);
2074 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2075 const struct nlattr *attr)
2077 struct net_device *dev;
2078 char ifname[IFNAMSIZ];
2079 struct nft_hook *hook;
2082 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2085 goto err_hook_alloc;
2088 nla_strscpy(ifname, attr, IFNAMSIZ);
2089 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2090 * indirectly serializing all the other holders of the commit_mutex with
2093 dev = __dev_get_by_name(net, ifname);
2098 hook->ops.dev = dev;
2105 return ERR_PTR(err);
2108 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2109 const struct nft_hook *this)
2111 struct nft_hook *hook;
2113 list_for_each_entry(hook, hook_list, list) {
2114 if (this->ops.dev == hook->ops.dev)
2121 static int nf_tables_parse_netdev_hooks(struct net *net,
2122 const struct nlattr *attr,
2123 struct list_head *hook_list,
2124 struct netlink_ext_ack *extack)
2126 struct nft_hook *hook, *next;
2127 const struct nlattr *tmp;
2128 int rem, n = 0, err;
2130 nla_for_each_nested(tmp, attr, rem) {
2131 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2136 hook = nft_netdev_hook_alloc(net, tmp);
2138 NL_SET_BAD_ATTR(extack, tmp);
2139 err = PTR_ERR(hook);
2142 if (nft_hook_list_find(hook_list, hook)) {
2143 NL_SET_BAD_ATTR(extack, tmp);
2148 list_add_tail(&hook->list, hook_list);
2151 if (n == NFT_NETDEVICE_MAX) {
2160 list_for_each_entry_safe(hook, next, hook_list, list) {
2161 list_del(&hook->list);
2167 struct nft_chain_hook {
2170 const struct nft_chain_type *type;
2171 struct list_head list;
2174 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2175 struct list_head *hook_list,
2176 struct netlink_ext_ack *extack, u32 flags)
2178 struct nft_hook *hook;
2181 if (tb[NFTA_HOOK_DEV]) {
2182 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2184 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2185 return PTR_ERR(hook);
2188 list_add_tail(&hook->list, hook_list);
2189 } else if (tb[NFTA_HOOK_DEVS]) {
2190 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2197 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2198 list_empty(hook_list))
2204 static int nft_chain_parse_hook(struct net *net,
2205 struct nft_base_chain *basechain,
2206 const struct nlattr * const nla[],
2207 struct nft_chain_hook *hook, u8 family,
2208 u32 flags, struct netlink_ext_ack *extack)
2210 struct nftables_pernet *nft_net = nft_pernet(net);
2211 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2212 const struct nft_chain_type *type;
2215 lockdep_assert_held(&nft_net->commit_mutex);
2216 lockdep_nfnl_nft_mutex_not_held();
2218 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2219 nla[NFTA_CHAIN_HOOK],
2220 nft_hook_policy, NULL);
2225 if (!ha[NFTA_HOOK_HOOKNUM] ||
2226 !ha[NFTA_HOOK_PRIORITY]) {
2227 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2231 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2232 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2234 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2238 if (nla[NFTA_CHAIN_TYPE]) {
2239 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2242 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2243 return PTR_ERR(type);
2246 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2249 if (type->type == NFT_CHAIN_T_NAT &&
2250 hook->priority <= NF_IP_PRI_CONNTRACK)
2253 if (ha[NFTA_HOOK_HOOKNUM]) {
2254 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2255 if (hook->num != basechain->ops.hooknum)
2258 if (ha[NFTA_HOOK_PRIORITY]) {
2259 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2260 if (hook->priority != basechain->ops.priority)
2264 if (nla[NFTA_CHAIN_TYPE]) {
2265 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2268 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2272 type = basechain->type;
2276 if (!try_module_get(type->owner)) {
2277 if (nla[NFTA_CHAIN_TYPE])
2278 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2284 INIT_LIST_HEAD(&hook->list);
2285 if (nft_base_chain_netdev(family, hook->num)) {
2286 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2288 module_put(type->owner);
2291 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2292 module_put(type->owner);
2299 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2301 struct nft_hook *h, *next;
2303 list_for_each_entry_safe(h, next, &hook->list, list) {
2307 module_put(hook->type->owner);
2310 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2312 struct nft_rule_dp_last *lrule;
2314 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2316 lrule = (struct nft_rule_dp_last *)ptr;
2317 lrule->end.is_last = 1;
2318 lrule->chain = chain;
2319 /* blob size does not include the trailer rule */
2322 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2325 struct nft_rule_blob *blob;
2330 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2332 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2337 nft_last_rule(chain, blob->data);
2342 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2343 const struct nft_chain_hook *hook,
2344 struct nft_chain *chain)
2347 ops->hooknum = hook->num;
2348 ops->priority = hook->priority;
2350 ops->hook = hook->type->hooks[ops->hooknum];
2351 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2354 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2355 struct nft_chain_hook *hook, u32 flags)
2357 struct nft_chain *chain;
2360 basechain->type = hook->type;
2361 INIT_LIST_HEAD(&basechain->hook_list);
2362 chain = &basechain->chain;
2364 if (nft_base_chain_netdev(family, hook->num)) {
2365 list_splice_init(&hook->list, &basechain->hook_list);
2366 list_for_each_entry(h, &basechain->hook_list, list)
2367 nft_basechain_hook_init(&h->ops, family, hook, chain);
2369 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2371 chain->flags |= NFT_CHAIN_BASE | flags;
2372 basechain->policy = NF_ACCEPT;
2373 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2374 !nft_chain_offload_support(basechain)) {
2375 list_splice_init(&basechain->hook_list, &hook->list);
2379 flow_block_init(&basechain->flow_block);
2384 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2388 err = rhltable_insert_key(&table->chains_ht, chain->name,
2389 &chain->rhlhead, nft_chain_ht_params);
2393 list_add_tail_rcu(&chain->list, &table->chains);
2398 static u64 chain_id;
2400 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2401 u8 policy, u32 flags,
2402 struct netlink_ext_ack *extack)
2404 const struct nlattr * const *nla = ctx->nla;
2405 struct nft_table *table = ctx->table;
2406 struct nft_base_chain *basechain;
2407 struct net *net = ctx->net;
2408 char name[NFT_NAME_MAXLEN];
2409 struct nft_rule_blob *blob;
2410 struct nft_trans *trans;
2411 struct nft_chain *chain;
2414 if (nla[NFTA_CHAIN_HOOK]) {
2415 struct nft_stats __percpu *stats = NULL;
2416 struct nft_chain_hook hook = {};
2418 if (flags & NFT_CHAIN_BINDING)
2421 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2426 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2427 if (basechain == NULL) {
2428 nft_chain_release_hook(&hook);
2431 chain = &basechain->chain;
2433 if (nla[NFTA_CHAIN_COUNTERS]) {
2434 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2435 if (IS_ERR(stats)) {
2436 nft_chain_release_hook(&hook);
2438 return PTR_ERR(stats);
2440 rcu_assign_pointer(basechain->stats, stats);
2443 err = nft_basechain_init(basechain, family, &hook, flags);
2445 nft_chain_release_hook(&hook);
2451 static_branch_inc(&nft_counters_enabled);
2453 if (flags & NFT_CHAIN_BASE)
2455 if (flags & NFT_CHAIN_HW_OFFLOAD)
2458 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2462 chain->flags = flags;
2466 INIT_LIST_HEAD(&chain->rules);
2467 chain->handle = nf_tables_alloc_handle(table);
2468 chain->table = table;
2470 if (nla[NFTA_CHAIN_NAME]) {
2471 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2473 if (!(flags & NFT_CHAIN_BINDING)) {
2475 goto err_destroy_chain;
2478 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2479 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2484 goto err_destroy_chain;
2487 if (nla[NFTA_CHAIN_USERDATA]) {
2488 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2489 if (chain->udata == NULL) {
2491 goto err_destroy_chain;
2493 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2496 blob = nf_tables_chain_alloc_rules(chain, 0);
2499 goto err_destroy_chain;
2502 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2503 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2505 err = nf_tables_register_hook(net, table, chain);
2507 goto err_destroy_chain;
2509 if (!nft_use_inc(&table->use)) {
2514 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2515 if (IS_ERR(trans)) {
2516 err = PTR_ERR(trans);
2517 goto err_unregister_hook;
2520 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2521 if (nft_is_base_chain(chain))
2522 nft_trans_chain_policy(trans) = policy;
2524 err = nft_chain_add(table, chain);
2526 nft_trans_destroy(trans);
2527 goto err_unregister_hook;
2532 err_unregister_hook:
2533 nft_use_dec_restore(&table->use);
2535 nf_tables_unregister_hook(net, table, chain);
2537 nf_tables_chain_destroy(ctx);
2542 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2543 u32 flags, const struct nlattr *attr,
2544 struct netlink_ext_ack *extack)
2546 const struct nlattr * const *nla = ctx->nla;
2547 struct nft_base_chain *basechain = NULL;
2548 struct nft_table *table = ctx->table;
2549 struct nft_chain *chain = ctx->chain;
2550 struct nft_chain_hook hook = {};
2551 struct nft_stats *stats = NULL;
2552 struct nft_hook *h, *next;
2553 struct nf_hook_ops *ops;
2554 struct nft_trans *trans;
2555 bool unregister = false;
2558 if (chain->flags ^ flags)
2561 INIT_LIST_HEAD(&hook.list);
2563 if (nla[NFTA_CHAIN_HOOK]) {
2564 if (!nft_is_base_chain(chain)) {
2565 NL_SET_BAD_ATTR(extack, attr);
2569 basechain = nft_base_chain(chain);
2570 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2571 ctx->family, flags, extack);
2575 if (basechain->type != hook.type) {
2576 nft_chain_release_hook(&hook);
2577 NL_SET_BAD_ATTR(extack, attr);
2581 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2582 list_for_each_entry_safe(h, next, &hook.list, list) {
2583 h->ops.pf = basechain->ops.pf;
2584 h->ops.hooknum = basechain->ops.hooknum;
2585 h->ops.priority = basechain->ops.priority;
2586 h->ops.priv = basechain->ops.priv;
2587 h->ops.hook = basechain->ops.hook;
2589 if (nft_hook_list_find(&basechain->hook_list, h)) {
2595 ops = &basechain->ops;
2596 if (ops->hooknum != hook.num ||
2597 ops->priority != hook.priority) {
2598 nft_chain_release_hook(&hook);
2599 NL_SET_BAD_ATTR(extack, attr);
2605 if (nla[NFTA_CHAIN_HANDLE] &&
2606 nla[NFTA_CHAIN_NAME]) {
2607 struct nft_chain *chain2;
2609 chain2 = nft_chain_lookup(ctx->net, table,
2610 nla[NFTA_CHAIN_NAME], genmask);
2611 if (!IS_ERR(chain2)) {
2612 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2618 if (nla[NFTA_CHAIN_COUNTERS]) {
2619 if (!nft_is_base_chain(chain)) {
2624 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2625 if (IS_ERR(stats)) {
2626 err = PTR_ERR(stats);
2631 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2632 nft_is_base_chain(chain) &&
2633 !list_empty(&hook.list)) {
2634 basechain = nft_base_chain(chain);
2635 ops = &basechain->ops;
2637 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2638 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2646 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2647 sizeof(struct nft_trans_chain));
2651 nft_trans_chain_stats(trans) = stats;
2652 nft_trans_chain_update(trans) = true;
2654 if (nla[NFTA_CHAIN_POLICY])
2655 nft_trans_chain_policy(trans) = policy;
2657 nft_trans_chain_policy(trans) = -1;
2659 if (nla[NFTA_CHAIN_HANDLE] &&
2660 nla[NFTA_CHAIN_NAME]) {
2661 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2662 struct nft_trans *tmp;
2666 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2671 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2672 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2673 tmp->ctx.table == table &&
2674 nft_trans_chain_update(tmp) &&
2675 nft_trans_chain_name(tmp) &&
2676 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2677 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2683 nft_trans_chain_name(trans) = name;
2686 nft_trans_basechain(trans) = basechain;
2687 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2688 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2689 if (nla[NFTA_CHAIN_HOOK])
2690 module_put(hook.type->owner);
2692 nft_trans_commit_list_add_tail(ctx->net, trans);
2700 if (nla[NFTA_CHAIN_HOOK]) {
2701 list_for_each_entry_safe(h, next, &hook.list, list) {
2703 nf_unregister_net_hook(ctx->net, &h->ops);
2707 module_put(hook.type->owner);
2713 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2714 const struct nft_table *table,
2715 const struct nlattr *nla, u8 genmask)
2717 struct nftables_pernet *nft_net = nft_pernet(net);
2718 u32 id = ntohl(nla_get_be32(nla));
2719 struct nft_trans *trans;
2721 list_for_each_entry(trans, &nft_net->commit_list, list) {
2722 struct nft_chain *chain = trans->ctx.chain;
2724 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2725 chain->table == table &&
2726 id == nft_trans_chain_id(trans) &&
2727 nft_active_genmask(chain, genmask))
2730 return ERR_PTR(-ENOENT);
2733 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2734 const struct nlattr * const nla[])
2736 struct nftables_pernet *nft_net = nft_pernet(info->net);
2737 struct netlink_ext_ack *extack = info->extack;
2738 u8 genmask = nft_genmask_next(info->net);
2739 u8 family = info->nfmsg->nfgen_family;
2740 struct nft_chain *chain = NULL;
2741 struct net *net = info->net;
2742 const struct nlattr *attr;
2743 struct nft_table *table;
2744 u8 policy = NF_ACCEPT;
2749 lockdep_assert_held(&nft_net->commit_mutex);
2751 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2752 NETLINK_CB(skb).portid);
2753 if (IS_ERR(table)) {
2754 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2755 return PTR_ERR(table);
2759 attr = nla[NFTA_CHAIN_NAME];
2761 if (nla[NFTA_CHAIN_HANDLE]) {
2762 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2763 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2764 if (IS_ERR(chain)) {
2765 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2766 return PTR_ERR(chain);
2768 attr = nla[NFTA_CHAIN_HANDLE];
2769 } else if (nla[NFTA_CHAIN_NAME]) {
2770 chain = nft_chain_lookup(net, table, attr, genmask);
2771 if (IS_ERR(chain)) {
2772 if (PTR_ERR(chain) != -ENOENT) {
2773 NL_SET_BAD_ATTR(extack, attr);
2774 return PTR_ERR(chain);
2778 } else if (!nla[NFTA_CHAIN_ID]) {
2782 if (nla[NFTA_CHAIN_POLICY]) {
2783 if (chain != NULL &&
2784 !nft_is_base_chain(chain)) {
2785 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2789 if (chain == NULL &&
2790 nla[NFTA_CHAIN_HOOK] == NULL) {
2791 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2795 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2805 if (nla[NFTA_CHAIN_FLAGS])
2806 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2808 flags = chain->flags;
2810 if (flags & ~NFT_CHAIN_FLAGS)
2813 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2815 if (chain != NULL) {
2816 if (chain->flags & NFT_CHAIN_BINDING)
2819 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2820 NL_SET_BAD_ATTR(extack, attr);
2823 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2826 flags |= chain->flags & NFT_CHAIN_BASE;
2827 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2831 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2834 static int nft_delchain_hook(struct nft_ctx *ctx,
2835 struct nft_base_chain *basechain,
2836 struct netlink_ext_ack *extack)
2838 const struct nft_chain *chain = &basechain->chain;
2839 const struct nlattr * const *nla = ctx->nla;
2840 struct nft_chain_hook chain_hook = {};
2841 struct nft_hook *this, *hook;
2842 LIST_HEAD(chain_del_list);
2843 struct nft_trans *trans;
2846 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2847 ctx->family, chain->flags, extack);
2851 list_for_each_entry(this, &chain_hook.list, list) {
2852 hook = nft_hook_list_find(&basechain->hook_list, this);
2855 goto err_chain_del_hook;
2857 list_move(&hook->list, &chain_del_list);
2860 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2861 sizeof(struct nft_trans_chain));
2864 goto err_chain_del_hook;
2867 nft_trans_basechain(trans) = basechain;
2868 nft_trans_chain_update(trans) = true;
2869 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2870 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2871 nft_chain_release_hook(&chain_hook);
2873 nft_trans_commit_list_add_tail(ctx->net, trans);
2878 list_splice(&chain_del_list, &basechain->hook_list);
2879 nft_chain_release_hook(&chain_hook);
2884 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2885 const struct nlattr * const nla[])
2887 struct netlink_ext_ack *extack = info->extack;
2888 u8 genmask = nft_genmask_next(info->net);
2889 u8 family = info->nfmsg->nfgen_family;
2890 struct net *net = info->net;
2891 const struct nlattr *attr;
2892 struct nft_table *table;
2893 struct nft_chain *chain;
2894 struct nft_rule *rule;
2900 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2901 NETLINK_CB(skb).portid);
2902 if (IS_ERR(table)) {
2903 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2904 return PTR_ERR(table);
2907 if (nla[NFTA_CHAIN_HANDLE]) {
2908 attr = nla[NFTA_CHAIN_HANDLE];
2909 handle = be64_to_cpu(nla_get_be64(attr));
2910 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2912 attr = nla[NFTA_CHAIN_NAME];
2913 chain = nft_chain_lookup(net, table, attr, genmask);
2915 if (IS_ERR(chain)) {
2916 if (PTR_ERR(chain) == -ENOENT &&
2917 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2920 NL_SET_BAD_ATTR(extack, attr);
2921 return PTR_ERR(chain);
2924 if (nft_chain_binding(chain))
2927 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2929 if (nla[NFTA_CHAIN_HOOK]) {
2930 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2933 if (nft_is_base_chain(chain)) {
2934 struct nft_base_chain *basechain = nft_base_chain(chain);
2936 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
2937 return nft_delchain_hook(&ctx, basechain, extack);
2941 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2946 list_for_each_entry(rule, &chain->rules, list) {
2947 if (!nft_is_active_next(net, rule))
2951 err = nft_delrule(&ctx, rule);
2956 /* There are rules and elements that are still holding references to us,
2957 * we cannot do a recursive removal in this case.
2960 NL_SET_BAD_ATTR(extack, attr);
2964 return nft_delchain(&ctx);
2972 * nft_register_expr - register nf_tables expr type
2975 * Registers the expr type for use with nf_tables. Returns zero on
2976 * success or a negative errno code otherwise.
2978 int nft_register_expr(struct nft_expr_type *type)
2980 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
2983 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2984 if (type->family == NFPROTO_UNSPEC)
2985 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2987 list_add_rcu(&type->list, &nf_tables_expressions);
2988 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2991 EXPORT_SYMBOL_GPL(nft_register_expr);
2994 * nft_unregister_expr - unregister nf_tables expr type
2997 * Unregisters the expr typefor use with nf_tables.
2999 void nft_unregister_expr(struct nft_expr_type *type)
3001 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3002 list_del_rcu(&type->list);
3003 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3005 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3007 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3010 const struct nft_expr_type *type, *candidate = NULL;
3012 list_for_each_entry(type, &nf_tables_expressions, list) {
3013 if (!nla_strcmp(nla, type->name)) {
3014 if (!type->family && !candidate)
3016 else if (type->family == family)
3023 #ifdef CONFIG_MODULES
3024 static int nft_expr_type_request_module(struct net *net, u8 family,
3027 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3028 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3035 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3039 const struct nft_expr_type *type;
3042 return ERR_PTR(-EINVAL);
3044 type = __nft_expr_type_get(family, nla);
3045 if (type != NULL && try_module_get(type->owner))
3048 lockdep_nfnl_nft_mutex_not_held();
3049 #ifdef CONFIG_MODULES
3051 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3052 return ERR_PTR(-EAGAIN);
3054 if (nft_request_module(net, "nft-expr-%.*s",
3056 (char *)nla_data(nla)) == -EAGAIN)
3057 return ERR_PTR(-EAGAIN);
3060 return ERR_PTR(-ENOENT);
3063 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3064 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3065 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3066 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3069 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3070 const struct nft_expr *expr, bool reset)
3072 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3073 goto nla_put_failure;
3075 if (expr->ops->dump) {
3076 struct nlattr *data = nla_nest_start_noflag(skb,
3079 goto nla_put_failure;
3080 if (expr->ops->dump(skb, expr, reset) < 0)
3081 goto nla_put_failure;
3082 nla_nest_end(skb, data);
3091 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3092 const struct nft_expr *expr, bool reset)
3094 struct nlattr *nest;
3096 nest = nla_nest_start_noflag(skb, attr);
3098 goto nla_put_failure;
3099 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3100 goto nla_put_failure;
3101 nla_nest_end(skb, nest);
3108 struct nft_expr_info {
3109 const struct nft_expr_ops *ops;
3110 const struct nlattr *attr;
3111 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3114 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3115 const struct nlattr *nla,
3116 struct nft_expr_info *info)
3118 const struct nft_expr_type *type;
3119 const struct nft_expr_ops *ops;
3120 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3123 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3124 nft_expr_policy, NULL);
3128 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3130 return PTR_ERR(type);
3132 if (tb[NFTA_EXPR_DATA]) {
3133 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3135 type->policy, NULL);
3139 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3141 if (type->select_ops != NULL) {
3142 ops = type->select_ops(ctx,
3143 (const struct nlattr * const *)info->tb);
3146 #ifdef CONFIG_MODULES
3148 if (nft_expr_type_request_module(ctx->net,
3150 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3164 module_put(type->owner);
3168 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3169 struct nft_expr_info *info)
3171 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3172 const struct nft_expr_type *type;
3175 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3176 nft_expr_policy, NULL);
3180 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3183 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3187 if (!type->inner_ops)
3190 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3192 type->policy, NULL);
3197 info->ops = type->inner_ops;
3205 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3206 const struct nft_expr_info *expr_info,
3207 struct nft_expr *expr)
3209 const struct nft_expr_ops *ops = expr_info->ops;
3214 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3225 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3226 struct nft_expr *expr)
3228 const struct nft_expr_type *type = expr->ops->type;
3230 if (expr->ops->destroy)
3231 expr->ops->destroy(ctx, expr);
3232 module_put(type->owner);
3235 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3236 const struct nlattr *nla)
3238 struct nft_expr_info expr_info;
3239 struct nft_expr *expr;
3240 struct module *owner;
3243 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3245 goto err_expr_parse;
3248 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3249 goto err_expr_stateful;
3252 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3254 goto err_expr_stateful;
3256 err = nf_tables_newexpr(ctx, &expr_info, expr);
3264 owner = expr_info.ops->type->owner;
3265 if (expr_info.ops->type->release_ops)
3266 expr_info.ops->type->release_ops(expr_info.ops);
3270 return ERR_PTR(err);
3273 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3277 if (WARN_ON_ONCE(!src->ops->clone))
3280 dst->ops = src->ops;
3281 err = src->ops->clone(dst, src);
3285 __module_get(src->ops->type->owner);
3290 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3292 nf_tables_expr_destroy(ctx, expr);
3300 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3303 struct nft_rule *rule;
3305 // FIXME: this sucks
3306 list_for_each_entry_rcu(rule, &chain->rules, list) {
3307 if (handle == rule->handle)
3311 return ERR_PTR(-ENOENT);
3314 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3315 const struct nlattr *nla)
3318 return ERR_PTR(-EINVAL);
3320 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3323 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3324 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3325 .len = NFT_TABLE_MAXNAMELEN - 1 },
3326 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3327 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3328 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3329 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3330 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3331 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3332 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3333 .len = NFT_USERDATA_MAXLEN },
3334 [NFTA_RULE_ID] = { .type = NLA_U32 },
3335 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3336 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3339 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3340 u32 portid, u32 seq, int event,
3341 u32 flags, int family,
3342 const struct nft_table *table,
3343 const struct nft_chain *chain,
3344 const struct nft_rule *rule, u64 handle,
3347 struct nlmsghdr *nlh;
3348 const struct nft_expr *expr, *next;
3349 struct nlattr *list;
3350 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3352 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3355 goto nla_put_failure;
3357 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3358 goto nla_put_failure;
3359 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3360 goto nla_put_failure;
3361 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3363 goto nla_put_failure;
3365 if (event != NFT_MSG_DELRULE && handle) {
3366 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3368 goto nla_put_failure;
3371 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3372 nft_flow_rule_stats(chain, rule);
3374 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3376 goto nla_put_failure;
3377 nft_rule_for_each_expr(expr, next, rule) {
3378 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3379 goto nla_put_failure;
3381 nla_nest_end(skb, list);
3384 struct nft_userdata *udata = nft_userdata(rule);
3385 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3387 goto nla_put_failure;
3390 nlmsg_end(skb, nlh);
3394 nlmsg_trim(skb, nlh);
3398 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3399 const struct nft_rule *rule, int event)
3401 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3402 const struct nft_rule *prule;
3403 struct sk_buff *skb;
3409 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3412 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3416 if (event == NFT_MSG_NEWRULE &&
3417 !list_is_first(&rule->list, &ctx->chain->rules) &&
3418 !list_is_last(&rule->list, &ctx->chain->rules)) {
3419 prule = list_prev_entry(rule, list);
3420 handle = prule->handle;
3422 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3423 flags |= NLM_F_APPEND;
3424 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3425 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3427 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3428 event, flags, ctx->family, ctx->table,
3429 ctx->chain, rule, handle, false);
3435 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3438 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3441 static void audit_log_rule_reset(const struct nft_table *table,
3442 unsigned int base_seq,
3443 unsigned int nentries)
3445 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3446 table->name, base_seq);
3448 audit_log_nfcfg(buf, table->family, nentries,
3449 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3453 struct nft_rule_dump_ctx {
3460 static int __nf_tables_dump_rules(struct sk_buff *skb,
3462 struct netlink_callback *cb,
3463 const struct nft_table *table,
3464 const struct nft_chain *chain)
3466 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3467 struct net *net = sock_net(skb->sk);
3468 const struct nft_rule *rule, *prule;
3469 unsigned int entries = 0;
3474 list_for_each_entry_rcu(rule, &chain->rules, list) {
3475 if (!nft_is_active(net, rule))
3477 if (*idx < ctx->s_idx)
3480 handle = prule->handle;
3484 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3487 NLM_F_MULTI | NLM_F_APPEND,
3489 table, chain, rule, handle, ctx->reset) < 0) {
3494 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3501 if (ctx->reset && entries)
3502 audit_log_rule_reset(table, cb->seq, entries);
3507 static int nf_tables_dump_rules(struct sk_buff *skb,
3508 struct netlink_callback *cb)
3510 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3511 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3512 struct nft_table *table;
3513 const struct nft_chain *chain;
3514 unsigned int idx = 0;
3515 struct net *net = sock_net(skb->sk);
3516 int family = nfmsg->nfgen_family;
3517 struct nftables_pernet *nft_net;
3520 nft_net = nft_pernet(net);
3521 cb->seq = READ_ONCE(nft_net->base_seq);
3523 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3524 if (family != NFPROTO_UNSPEC && family != table->family)
3527 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3530 if (ctx->table && ctx->chain) {
3531 struct rhlist_head *list, *tmp;
3533 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3534 nft_chain_ht_params);
3538 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3539 if (!nft_is_active(net, chain))
3541 __nf_tables_dump_rules(skb, &idx,
3548 list_for_each_entry_rcu(chain, &table->chains, list) {
3549 if (__nf_tables_dump_rules(skb, &idx,
3564 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3565 struct netlink_callback *cb)
3567 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3570 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3571 * do not underrun counters and quotas. The commit_mutex is used for
3572 * the lack a better lock, this is not transaction path.
3574 mutex_lock(&nft_net->commit_mutex);
3575 ret = nf_tables_dump_rules(skb, cb);
3576 mutex_unlock(&nft_net->commit_mutex);
3581 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3583 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3584 const struct nlattr * const *nla = cb->data;
3586 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3588 if (nla[NFTA_RULE_TABLE]) {
3589 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3593 if (nla[NFTA_RULE_CHAIN]) {
3594 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3603 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3605 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3609 return nf_tables_dump_rules_start(cb);
3612 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3614 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3621 /* called with rcu_read_lock held */
3622 static struct sk_buff *
3623 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3624 const struct nlattr * const nla[], bool reset)
3626 struct netlink_ext_ack *extack = info->extack;
3627 u8 genmask = nft_genmask_cur(info->net);
3628 u8 family = info->nfmsg->nfgen_family;
3629 const struct nft_chain *chain;
3630 const struct nft_rule *rule;
3631 struct net *net = info->net;
3632 struct nft_table *table;
3633 struct sk_buff *skb2;
3636 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3637 if (IS_ERR(table)) {
3638 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3639 return ERR_CAST(table);
3642 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3643 if (IS_ERR(chain)) {
3644 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3645 return ERR_CAST(chain);
3648 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3650 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3651 return ERR_CAST(rule);
3654 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3656 return ERR_PTR(-ENOMEM);
3658 err = nf_tables_fill_rule_info(skb2, net, portid,
3659 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3660 family, table, chain, rule, 0, reset);
3663 return ERR_PTR(err);
3669 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3670 const struct nlattr * const nla[])
3672 u32 portid = NETLINK_CB(skb).portid;
3673 struct net *net = info->net;
3674 struct sk_buff *skb2;
3676 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3677 struct netlink_dump_control c = {
3678 .start= nf_tables_dump_rules_start,
3679 .dump = nf_tables_dump_rules,
3680 .done = nf_tables_dump_rules_done,
3681 .module = THIS_MODULE,
3682 .data = (void *)nla,
3685 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3688 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3690 return PTR_ERR(skb2);
3692 return nfnetlink_unicast(skb2, net, portid);
3695 static int nf_tables_getrule_reset(struct sk_buff *skb,
3696 const struct nfnl_info *info,
3697 const struct nlattr * const nla[])
3699 struct nftables_pernet *nft_net = nft_pernet(info->net);
3700 u32 portid = NETLINK_CB(skb).portid;
3701 struct net *net = info->net;
3702 struct sk_buff *skb2;
3705 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3706 struct netlink_dump_control c = {
3707 .start= nf_tables_dumpreset_rules_start,
3708 .dump = nf_tables_dumpreset_rules,
3709 .done = nf_tables_dump_rules_done,
3710 .module = THIS_MODULE,
3711 .data = (void *)nla,
3714 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3717 if (!try_module_get(THIS_MODULE))
3720 mutex_lock(&nft_net->commit_mutex);
3721 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3722 mutex_unlock(&nft_net->commit_mutex);
3724 module_put(THIS_MODULE);
3727 return PTR_ERR(skb2);
3729 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3730 nla_len(nla[NFTA_RULE_TABLE]),
3731 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3733 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3734 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3737 return nfnetlink_unicast(skb2, net, portid);
3740 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3742 struct nft_expr *expr, *next;
3745 * Careful: some expressions might not be initialized in case this
3746 * is called on error from nf_tables_newrule().
3748 expr = nft_expr_first(rule);
3749 while (nft_expr_more(rule, expr)) {
3750 next = nft_expr_next(expr);
3751 nf_tables_expr_destroy(ctx, expr);
3757 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3759 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3760 nf_tables_rule_destroy(ctx, rule);
3763 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3765 struct nft_expr *expr, *last;
3766 const struct nft_data *data;
3767 struct nft_rule *rule;
3770 if (ctx->level == NFT_JUMP_STACK_SIZE)
3773 list_for_each_entry(rule, &chain->rules, list) {
3774 if (fatal_signal_pending(current))
3777 if (!nft_is_active_next(ctx->net, rule))
3780 nft_rule_for_each_expr(expr, last, rule) {
3781 if (!expr->ops->validate)
3784 err = expr->ops->validate(ctx, expr, &data);
3792 EXPORT_SYMBOL_GPL(nft_chain_validate);
3794 static int nft_table_validate(struct net *net, const struct nft_table *table)
3796 struct nft_chain *chain;
3797 struct nft_ctx ctx = {
3799 .family = table->family,
3803 list_for_each_entry(chain, &table->chains, list) {
3804 if (!nft_is_base_chain(chain))
3808 err = nft_chain_validate(&ctx, chain);
3818 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3819 const struct nft_set_iter *iter,
3820 struct nft_elem_priv *elem_priv)
3822 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3823 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3824 const struct nft_data *data;
3827 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3828 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3831 data = nft_set_ext_data(ext);
3832 switch (data->verdict.code) {
3836 err = nft_chain_validate(ctx, data->verdict.chain);
3848 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3850 u8 genmask = nft_genmask_next(ctx->net);
3851 struct nft_set_elem_catchall *catchall;
3852 struct nft_set_ext *ext;
3855 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3856 ext = nft_set_elem_ext(set, catchall->elem);
3857 if (!nft_set_elem_active(ext, genmask))
3860 ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
3868 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3869 const struct nft_chain *chain,
3870 const struct nlattr *nla);
3872 #define NFT_RULE_MAXEXPRS 128
3874 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3875 const struct nlattr * const nla[])
3877 struct nftables_pernet *nft_net = nft_pernet(info->net);
3878 struct netlink_ext_ack *extack = info->extack;
3879 unsigned int size, i, n, ulen = 0, usize = 0;
3880 u8 genmask = nft_genmask_next(info->net);
3881 struct nft_rule *rule, *old_rule = NULL;
3882 struct nft_expr_info *expr_info = NULL;
3883 u8 family = info->nfmsg->nfgen_family;
3884 struct nft_flow_rule *flow = NULL;
3885 struct net *net = info->net;
3886 struct nft_userdata *udata;
3887 struct nft_table *table;
3888 struct nft_chain *chain;
3889 struct nft_trans *trans;
3890 u64 handle, pos_handle;
3891 struct nft_expr *expr;
3896 lockdep_assert_held(&nft_net->commit_mutex);
3898 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3899 NETLINK_CB(skb).portid);
3900 if (IS_ERR(table)) {
3901 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3902 return PTR_ERR(table);
3905 if (nla[NFTA_RULE_CHAIN]) {
3906 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3908 if (IS_ERR(chain)) {
3909 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3910 return PTR_ERR(chain);
3913 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3914 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
3916 if (IS_ERR(chain)) {
3917 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3918 return PTR_ERR(chain);
3924 if (nft_chain_is_bound(chain))
3927 if (nla[NFTA_RULE_HANDLE]) {
3928 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3929 rule = __nft_rule_lookup(chain, handle);
3931 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3932 return PTR_ERR(rule);
3935 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3936 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3939 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3944 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3945 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3947 handle = nf_tables_alloc_handle(table);
3949 if (nla[NFTA_RULE_POSITION]) {
3950 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3951 old_rule = __nft_rule_lookup(chain, pos_handle);
3952 if (IS_ERR(old_rule)) {
3953 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3954 return PTR_ERR(old_rule);
3956 } else if (nla[NFTA_RULE_POSITION_ID]) {
3957 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3958 if (IS_ERR(old_rule)) {
3959 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3960 return PTR_ERR(old_rule);
3965 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3969 if (nla[NFTA_RULE_EXPRESSIONS]) {
3970 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3971 sizeof(struct nft_expr_info),
3976 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3978 if (nla_type(tmp) != NFTA_LIST_ELEM)
3979 goto err_release_expr;
3980 if (n == NFT_RULE_MAXEXPRS)
3981 goto err_release_expr;
3982 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3984 NL_SET_BAD_ATTR(extack, tmp);
3985 goto err_release_expr;
3987 size += expr_info[n].ops->size;
3991 /* Check for overflow of dlen field */
3993 if (size >= 1 << 12)
3994 goto err_release_expr;
3996 if (nla[NFTA_RULE_USERDATA]) {
3997 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3999 usize = sizeof(struct nft_userdata) + ulen;
4003 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4005 goto err_release_expr;
4007 nft_activate_next(net, rule);
4009 rule->handle = handle;
4011 rule->udata = ulen ? 1 : 0;
4014 udata = nft_userdata(rule);
4015 udata->len = ulen - 1;
4016 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4019 expr = nft_expr_first(rule);
4020 for (i = 0; i < n; i++) {
4021 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4023 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4024 goto err_release_rule;
4027 if (expr_info[i].ops->validate)
4028 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4030 expr_info[i].ops = NULL;
4031 expr = nft_expr_next(expr);
4034 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4035 flow = nft_flow_rule_create(net, rule);
4037 err = PTR_ERR(flow);
4038 goto err_release_rule;
4042 if (!nft_use_inc(&chain->use)) {
4044 goto err_release_rule;
4047 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4048 if (nft_chain_binding(chain)) {
4050 goto err_destroy_flow_rule;
4053 err = nft_delrule(&ctx, old_rule);
4055 goto err_destroy_flow_rule;
4057 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4058 if (trans == NULL) {
4060 goto err_destroy_flow_rule;
4062 list_add_tail_rcu(&rule->list, &old_rule->list);
4064 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4067 goto err_destroy_flow_rule;
4070 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4072 list_add_rcu(&rule->list, &old_rule->list);
4074 list_add_tail_rcu(&rule->list, &chain->rules);
4077 list_add_tail_rcu(&rule->list, &old_rule->list);
4079 list_add_rcu(&rule->list, &chain->rules);
4085 nft_trans_flow_rule(trans) = flow;
4087 if (table->validate_state == NFT_VALIDATE_DO)
4088 return nft_table_validate(net, table);
4092 err_destroy_flow_rule:
4093 nft_use_dec_restore(&chain->use);
4095 nft_flow_rule_destroy(flow);
4097 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4098 nf_tables_rule_destroy(&ctx, rule);
4100 for (i = 0; i < n; i++) {
4101 if (expr_info[i].ops) {
4102 module_put(expr_info[i].ops->type->owner);
4103 if (expr_info[i].ops->type->release_ops)
4104 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4112 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4113 const struct nft_chain *chain,
4114 const struct nlattr *nla)
4116 struct nftables_pernet *nft_net = nft_pernet(net);
4117 u32 id = ntohl(nla_get_be32(nla));
4118 struct nft_trans *trans;
4120 list_for_each_entry(trans, &nft_net->commit_list, list) {
4121 if (trans->msg_type == NFT_MSG_NEWRULE &&
4122 trans->ctx.chain == chain &&
4123 id == nft_trans_rule_id(trans))
4124 return nft_trans_rule(trans);
4126 return ERR_PTR(-ENOENT);
4129 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4130 const struct nlattr * const nla[])
4132 struct netlink_ext_ack *extack = info->extack;
4133 u8 genmask = nft_genmask_next(info->net);
4134 u8 family = info->nfmsg->nfgen_family;
4135 struct nft_chain *chain = NULL;
4136 struct net *net = info->net;
4137 struct nft_table *table;
4138 struct nft_rule *rule;
4142 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4143 NETLINK_CB(skb).portid);
4144 if (IS_ERR(table)) {
4145 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4146 return PTR_ERR(table);
4149 if (nla[NFTA_RULE_CHAIN]) {
4150 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4152 if (IS_ERR(chain)) {
4153 if (PTR_ERR(chain) == -ENOENT &&
4154 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4157 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4158 return PTR_ERR(chain);
4160 if (nft_chain_binding(chain))
4164 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4167 if (nla[NFTA_RULE_HANDLE]) {
4168 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4170 if (PTR_ERR(rule) == -ENOENT &&
4171 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4174 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4175 return PTR_ERR(rule);
4178 err = nft_delrule(&ctx, rule);
4179 } else if (nla[NFTA_RULE_ID]) {
4180 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4182 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4183 return PTR_ERR(rule);
4186 err = nft_delrule(&ctx, rule);
4188 err = nft_delrule_by_chain(&ctx);
4191 list_for_each_entry(chain, &table->chains, list) {
4192 if (!nft_is_active_next(net, chain))
4194 if (nft_chain_binding(chain))
4198 err = nft_delrule_by_chain(&ctx);
4210 static const struct nft_set_type *nft_set_types[] = {
4211 &nft_set_hash_fast_type,
4213 &nft_set_rhash_type,
4214 &nft_set_bitmap_type,
4215 &nft_set_rbtree_type,
4216 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4217 &nft_set_pipapo_avx2_type,
4219 &nft_set_pipapo_type,
4222 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4223 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4226 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4228 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4232 * Select a set implementation based on the data characteristics and the
4233 * given policy. The total memory use might not be known if no size is
4234 * given, in that case the amount of memory per element is used.
4236 static const struct nft_set_ops *
4237 nft_select_set_ops(const struct nft_ctx *ctx,
4238 const struct nlattr * const nla[],
4239 const struct nft_set_desc *desc)
4241 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4242 const struct nft_set_ops *ops, *bops;
4243 struct nft_set_estimate est, best;
4244 const struct nft_set_type *type;
4248 lockdep_assert_held(&nft_net->commit_mutex);
4249 lockdep_nfnl_nft_mutex_not_held();
4251 if (nla[NFTA_SET_FLAGS] != NULL)
4252 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4259 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4260 type = nft_set_types[i];
4263 if (!nft_set_ops_candidate(type, flags))
4265 if (!ops->estimate(desc, flags, &est))
4268 switch (desc->policy) {
4269 case NFT_SET_POL_PERFORMANCE:
4270 if (est.lookup < best.lookup)
4272 if (est.lookup == best.lookup &&
4273 est.space < best.space)
4276 case NFT_SET_POL_MEMORY:
4278 if (est.space < best.space)
4280 if (est.space == best.space &&
4281 est.lookup < best.lookup)
4283 } else if (est.size < best.size || !bops) {
4298 return ERR_PTR(-EOPNOTSUPP);
4301 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4302 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4303 .len = NFT_TABLE_MAXNAMELEN - 1 },
4304 [NFTA_SET_NAME] = { .type = NLA_STRING,
4305 .len = NFT_SET_MAXNAMELEN - 1 },
4306 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4307 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4308 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4309 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4310 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4311 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4312 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4313 [NFTA_SET_ID] = { .type = NLA_U32 },
4314 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4315 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4316 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4317 .len = NFT_USERDATA_MAXLEN },
4318 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4319 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4320 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4321 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4324 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4325 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4328 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4329 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4330 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4333 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4334 const struct nlattr *nla, u8 genmask)
4336 struct nft_set *set;
4339 return ERR_PTR(-EINVAL);
4341 list_for_each_entry_rcu(set, &table->sets, list) {
4342 if (!nla_strcmp(nla, set->name) &&
4343 nft_active_genmask(set, genmask))
4346 return ERR_PTR(-ENOENT);
4349 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4350 const struct nlattr *nla,
4353 struct nft_set *set;
4355 list_for_each_entry(set, &table->sets, list) {
4356 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4357 nft_active_genmask(set, genmask))
4360 return ERR_PTR(-ENOENT);
4363 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4364 const struct nft_table *table,
4365 const struct nlattr *nla, u8 genmask)
4367 struct nftables_pernet *nft_net = nft_pernet(net);
4368 u32 id = ntohl(nla_get_be32(nla));
4369 struct nft_trans *trans;
4371 list_for_each_entry(trans, &nft_net->commit_list, list) {
4372 if (trans->msg_type == NFT_MSG_NEWSET) {
4373 struct nft_set *set = nft_trans_set(trans);
4375 if (id == nft_trans_set_id(trans) &&
4376 set->table == table &&
4377 nft_active_genmask(set, genmask))
4381 return ERR_PTR(-ENOENT);
4384 struct nft_set *nft_set_lookup_global(const struct net *net,
4385 const struct nft_table *table,
4386 const struct nlattr *nla_set_name,
4387 const struct nlattr *nla_set_id,
4390 struct nft_set *set;
4392 set = nft_set_lookup(table, nla_set_name, genmask);
4397 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4401 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4403 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4406 const struct nft_set *i;
4408 unsigned long *inuse;
4409 unsigned int n = 0, min = 0;
4411 p = strchr(name, '%');
4413 if (p[1] != 'd' || strchr(p + 2, '%'))
4416 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4420 list_for_each_entry(i, &ctx->table->sets, list) {
4423 if (!nft_is_active_next(ctx->net, i))
4425 if (!sscanf(i->name, name, &tmp))
4427 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4430 set_bit(tmp - min, inuse);
4433 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4434 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4435 min += BITS_PER_BYTE * PAGE_SIZE;
4436 memset(inuse, 0, PAGE_SIZE);
4439 free_page((unsigned long)inuse);
4442 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4446 list_for_each_entry(i, &ctx->table->sets, list) {
4447 if (!nft_is_active_next(ctx->net, i))
4449 if (!strcmp(set->name, i->name)) {
4458 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4460 u64 ms = be64_to_cpu(nla_get_be64(nla));
4461 u64 max = (u64)(~((u64)0));
4463 max = div_u64(max, NSEC_PER_MSEC);
4467 ms *= NSEC_PER_MSEC;
4468 *result = nsecs_to_jiffies64(ms);
4472 __be64 nf_jiffies64_to_msecs(u64 input)
4474 return cpu_to_be64(jiffies64_to_msecs(input));
4477 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4478 const struct nft_set *set)
4480 struct nlattr *concat, *field;
4483 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4487 for (i = 0; i < set->field_count; i++) {
4488 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4492 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4493 htonl(set->field_len[i])))
4496 nla_nest_end(skb, field);
4499 nla_nest_end(skb, concat);
4504 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4505 const struct nft_set *set, u16 event, u16 flags)
4507 u64 timeout = READ_ONCE(set->timeout);
4508 u32 gc_int = READ_ONCE(set->gc_int);
4509 u32 portid = ctx->portid;
4510 struct nlmsghdr *nlh;
4511 struct nlattr *nest;
4515 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4516 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4517 NFNETLINK_V0, nft_base_seq(ctx->net));
4519 goto nla_put_failure;
4521 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4522 goto nla_put_failure;
4523 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4524 goto nla_put_failure;
4525 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4527 goto nla_put_failure;
4529 if (event == NFT_MSG_DELSET) {
4530 nlmsg_end(skb, nlh);
4534 if (set->flags != 0)
4535 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4536 goto nla_put_failure;
4538 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4539 goto nla_put_failure;
4540 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4541 goto nla_put_failure;
4542 if (set->flags & NFT_SET_MAP) {
4543 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4544 goto nla_put_failure;
4545 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4546 goto nla_put_failure;
4548 if (set->flags & NFT_SET_OBJECT &&
4549 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4550 goto nla_put_failure;
4553 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4554 nf_jiffies64_to_msecs(timeout),
4556 goto nla_put_failure;
4558 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4559 goto nla_put_failure;
4561 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4562 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4563 goto nla_put_failure;
4567 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4568 goto nla_put_failure;
4570 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4572 goto nla_put_failure;
4574 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4575 goto nla_put_failure;
4577 if (set->field_count > 1 &&
4578 nf_tables_fill_set_concat(skb, set))
4579 goto nla_put_failure;
4581 nla_nest_end(skb, nest);
4583 if (set->num_exprs == 1) {
4584 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4585 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4586 goto nla_put_failure;
4588 nla_nest_end(skb, nest);
4589 } else if (set->num_exprs > 1) {
4590 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4592 goto nla_put_failure;
4594 for (i = 0; i < set->num_exprs; i++) {
4595 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4596 set->exprs[i], false) < 0)
4597 goto nla_put_failure;
4599 nla_nest_end(skb, nest);
4602 nlmsg_end(skb, nlh);
4606 nlmsg_trim(skb, nlh);
4610 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4611 const struct nft_set *set, int event,
4614 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4615 u32 portid = ctx->portid;
4616 struct sk_buff *skb;
4621 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4624 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4628 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4629 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4631 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4637 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4640 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4643 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4645 const struct nft_set *set;
4646 unsigned int idx, s_idx = cb->args[0];
4647 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4648 struct net *net = sock_net(skb->sk);
4649 struct nft_ctx *ctx = cb->data, ctx_set;
4650 struct nftables_pernet *nft_net;
4656 nft_net = nft_pernet(net);
4657 cb->seq = READ_ONCE(nft_net->base_seq);
4659 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4660 if (ctx->family != NFPROTO_UNSPEC &&
4661 ctx->family != table->family)
4664 if (ctx->table && ctx->table != table)
4668 if (cur_table != table)
4674 list_for_each_entry_rcu(set, &table->sets, list) {
4677 if (!nft_is_active(net, set))
4681 ctx_set.table = table;
4682 ctx_set.family = table->family;
4684 if (nf_tables_fill_set(skb, &ctx_set, set,
4688 cb->args[2] = (unsigned long) table;
4691 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4704 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4706 struct nft_ctx *ctx_dump = NULL;
4708 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4709 if (ctx_dump == NULL)
4712 cb->data = ctx_dump;
4716 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4722 /* called with rcu_read_lock held */
4723 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4724 const struct nlattr * const nla[])
4726 struct netlink_ext_ack *extack = info->extack;
4727 u8 genmask = nft_genmask_cur(info->net);
4728 u8 family = info->nfmsg->nfgen_family;
4729 struct nft_table *table = NULL;
4730 struct net *net = info->net;
4731 const struct nft_set *set;
4732 struct sk_buff *skb2;
4736 if (nla[NFTA_SET_TABLE]) {
4737 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4739 if (IS_ERR(table)) {
4740 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4741 return PTR_ERR(table);
4745 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4747 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4748 struct netlink_dump_control c = {
4749 .start = nf_tables_dump_sets_start,
4750 .dump = nf_tables_dump_sets,
4751 .done = nf_tables_dump_sets_done,
4753 .module = THIS_MODULE,
4756 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4759 /* Only accept unspec with dump */
4760 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4761 return -EAFNOSUPPORT;
4762 if (!nla[NFTA_SET_TABLE])
4765 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4767 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4768 return PTR_ERR(set);
4771 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4775 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4777 goto err_fill_set_info;
4779 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4786 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4787 struct nft_set_desc *desc)
4789 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4793 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4796 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4797 nft_concat_policy, NULL);
4801 if (!tb[NFTA_SET_FIELD_LEN])
4804 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4805 if (!len || len > U8_MAX)
4808 desc->field_len[desc->field_count++] = len;
4813 static int nft_set_desc_concat(struct nft_set_desc *desc,
4814 const struct nlattr *nla)
4816 u32 num_regs = 0, key_num_regs = 0;
4817 struct nlattr *attr;
4820 nla_for_each_nested(attr, nla, rem) {
4821 if (nla_type(attr) != NFTA_LIST_ELEM)
4824 err = nft_set_desc_concat_parse(attr, desc);
4829 for (i = 0; i < desc->field_count; i++)
4830 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4832 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4833 if (key_num_regs != num_regs)
4836 if (num_regs > NFT_REG32_COUNT)
4842 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4843 const struct nlattr *nla)
4845 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4848 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4849 nft_set_desc_policy, NULL);
4853 if (da[NFTA_SET_DESC_SIZE] != NULL)
4854 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4855 if (da[NFTA_SET_DESC_CONCAT])
4856 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4861 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4862 const struct nlattr * const *nla,
4863 struct nft_expr **exprs, int *num_exprs,
4866 struct nft_expr *expr;
4869 if (nla[NFTA_SET_EXPR]) {
4870 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4872 err = PTR_ERR(expr);
4873 goto err_set_expr_alloc;
4877 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4881 if (!(flags & NFT_SET_EXPR)) {
4883 goto err_set_expr_alloc;
4886 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4887 if (i == NFT_SET_EXPR_MAX) {
4889 goto err_set_expr_alloc;
4891 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4893 goto err_set_expr_alloc;
4895 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4897 err = PTR_ERR(expr);
4898 goto err_set_expr_alloc;
4908 for (i = 0; i < *num_exprs; i++)
4909 nft_expr_destroy(ctx, exprs[i]);
4914 static bool nft_set_is_same(const struct nft_set *set,
4915 const struct nft_set_desc *desc,
4916 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4920 if (set->ktype != desc->ktype ||
4921 set->dtype != desc->dtype ||
4922 set->flags != flags ||
4923 set->klen != desc->klen ||
4924 set->dlen != desc->dlen ||
4925 set->field_count != desc->field_count ||
4926 set->num_exprs != num_exprs)
4929 for (i = 0; i < desc->field_count; i++) {
4930 if (set->field_len[i] != desc->field_len[i])
4934 for (i = 0; i < num_exprs; i++) {
4935 if (set->exprs[i]->ops != exprs[i]->ops)
4942 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4943 const struct nlattr * const nla[])
4945 struct netlink_ext_ack *extack = info->extack;
4946 u8 genmask = nft_genmask_next(info->net);
4947 u8 family = info->nfmsg->nfgen_family;
4948 const struct nft_set_ops *ops;
4949 struct net *net = info->net;
4950 struct nft_set_desc desc;
4951 struct nft_table *table;
4952 unsigned char *udata;
4953 struct nft_set *set;
4963 if (nla[NFTA_SET_TABLE] == NULL ||
4964 nla[NFTA_SET_NAME] == NULL ||
4965 nla[NFTA_SET_KEY_LEN] == NULL ||
4966 nla[NFTA_SET_ID] == NULL)
4969 memset(&desc, 0, sizeof(desc));
4971 desc.ktype = NFT_DATA_VALUE;
4972 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4973 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4974 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4978 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4979 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4983 if (nla[NFTA_SET_FLAGS] != NULL) {
4984 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4985 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4986 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4987 NFT_SET_MAP | NFT_SET_EVAL |
4988 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4990 /* Only one of these operations is supported */
4991 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4992 (NFT_SET_MAP | NFT_SET_OBJECT))
4994 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4995 (NFT_SET_EVAL | NFT_SET_OBJECT))
5000 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5001 if (!(flags & NFT_SET_MAP))
5004 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5005 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5006 desc.dtype != NFT_DATA_VERDICT)
5009 if (desc.dtype != NFT_DATA_VERDICT) {
5010 if (nla[NFTA_SET_DATA_LEN] == NULL)
5012 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5013 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5016 desc.dlen = sizeof(struct nft_verdict);
5017 } else if (flags & NFT_SET_MAP)
5020 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5021 if (!(flags & NFT_SET_OBJECT))
5024 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5025 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5026 desc.objtype > NFT_OBJECT_MAX)
5028 } else if (flags & NFT_SET_OBJECT)
5031 desc.objtype = NFT_OBJECT_UNSPEC;
5034 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5035 if (!(flags & NFT_SET_TIMEOUT))
5038 if (flags & NFT_SET_ANONYMOUS)
5041 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5046 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5047 if (!(flags & NFT_SET_TIMEOUT))
5050 if (flags & NFT_SET_ANONYMOUS)
5053 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5056 desc.policy = NFT_SET_POL_PERFORMANCE;
5057 if (nla[NFTA_SET_POLICY] != NULL) {
5058 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5059 switch (desc.policy) {
5060 case NFT_SET_POL_PERFORMANCE:
5061 case NFT_SET_POL_MEMORY:
5068 if (nla[NFTA_SET_DESC] != NULL) {
5069 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5073 if (desc.field_count > 1) {
5074 if (!(flags & NFT_SET_CONCAT))
5076 } else if (flags & NFT_SET_CONCAT) {
5079 } else if (flags & NFT_SET_CONCAT) {
5083 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5086 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5087 NETLINK_CB(skb).portid);
5088 if (IS_ERR(table)) {
5089 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5090 return PTR_ERR(table);
5093 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5095 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5097 if (PTR_ERR(set) != -ENOENT) {
5098 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5099 return PTR_ERR(set);
5102 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5104 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5105 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5108 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5111 if (nft_set_is_anonymous(set))
5114 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5119 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5120 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5124 for (i = 0; i < num_exprs; i++)
5125 nft_expr_destroy(&ctx, exprs[i]);
5130 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5133 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5136 ops = nft_select_set_ops(&ctx, nla, &desc);
5138 return PTR_ERR(ops);
5141 if (nla[NFTA_SET_USERDATA])
5142 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5145 if (ops->privsize != NULL)
5146 size = ops->privsize(nla, &desc);
5147 alloc_size = sizeof(*set) + size + udlen;
5148 if (alloc_size < size || alloc_size > INT_MAX)
5151 if (!nft_use_inc(&table->use))
5154 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5160 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5166 err = nf_tables_set_alloc_name(&ctx, set, name);
5173 udata = set->data + size;
5174 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5177 INIT_LIST_HEAD(&set->bindings);
5178 INIT_LIST_HEAD(&set->catchall_list);
5179 refcount_set(&set->refs, 1);
5181 write_pnet(&set->net, net);
5183 set->ktype = desc.ktype;
5184 set->klen = desc.klen;
5185 set->dtype = desc.dtype;
5186 set->objtype = desc.objtype;
5187 set->dlen = desc.dlen;
5189 set->size = desc.size;
5190 set->policy = desc.policy;
5193 set->timeout = desc.timeout;
5194 set->gc_int = desc.gc_int;
5196 set->field_count = desc.field_count;
5197 for (i = 0; i < desc.field_count; i++)
5198 set->field_len[i] = desc.field_len[i];
5200 err = ops->init(set, &desc, nla);
5204 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5206 goto err_set_destroy;
5208 set->num_exprs = num_exprs;
5209 set->handle = nf_tables_alloc_handle(table);
5210 INIT_LIST_HEAD(&set->pending_update);
5212 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5214 goto err_set_expr_alloc;
5216 list_add_tail_rcu(&set->list, &table->sets);
5221 for (i = 0; i < set->num_exprs; i++)
5222 nft_expr_destroy(&ctx, set->exprs[i]);
5224 ops->destroy(&ctx, set);
5230 nft_use_dec_restore(&table->use);
5235 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5236 struct nft_set *set)
5238 struct nft_set_elem_catchall *next, *catchall;
5240 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5241 list_del_rcu(&catchall->list);
5242 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5243 kfree_rcu(catchall, rcu);
5247 static void nft_set_put(struct nft_set *set)
5249 if (refcount_dec_and_test(&set->refs)) {
5255 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5259 if (WARN_ON(set->use > 0))
5262 for (i = 0; i < set->num_exprs; i++)
5263 nft_expr_destroy(ctx, set->exprs[i]);
5265 set->ops->destroy(ctx, set);
5266 nft_set_catchall_destroy(ctx, set);
5270 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5271 const struct nlattr * const nla[])
5273 struct netlink_ext_ack *extack = info->extack;
5274 u8 genmask = nft_genmask_next(info->net);
5275 u8 family = info->nfmsg->nfgen_family;
5276 struct net *net = info->net;
5277 const struct nlattr *attr;
5278 struct nft_table *table;
5279 struct nft_set *set;
5282 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5283 return -EAFNOSUPPORT;
5285 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5286 genmask, NETLINK_CB(skb).portid);
5287 if (IS_ERR(table)) {
5288 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5289 return PTR_ERR(table);
5292 if (nla[NFTA_SET_HANDLE]) {
5293 attr = nla[NFTA_SET_HANDLE];
5294 set = nft_set_lookup_byhandle(table, attr, genmask);
5296 attr = nla[NFTA_SET_NAME];
5297 set = nft_set_lookup(table, attr, genmask);
5301 if (PTR_ERR(set) == -ENOENT &&
5302 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5305 NL_SET_BAD_ATTR(extack, attr);
5306 return PTR_ERR(set);
5309 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5310 atomic_read(&set->nelems) > 0)) {
5311 NL_SET_BAD_ATTR(extack, attr);
5315 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5317 return nft_delset(&ctx, set);
5320 static int nft_validate_register_store(const struct nft_ctx *ctx,
5321 enum nft_registers reg,
5322 const struct nft_data *data,
5323 enum nft_data_types type,
5326 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5327 struct nft_set *set,
5328 struct nft_elem_priv *elem_priv)
5330 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5331 enum nft_registers dreg;
5333 dreg = nft_type_to_reg(set->dtype);
5334 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5335 set->dtype == NFT_DATA_VERDICT ?
5336 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5340 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5341 struct nft_set *set,
5342 const struct nft_set_iter *iter,
5343 struct nft_elem_priv *elem_priv)
5345 return nft_setelem_data_validate(ctx, set, elem_priv);
5348 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5349 struct nft_set *set)
5351 u8 genmask = nft_genmask_next(ctx->net);
5352 struct nft_set_elem_catchall *catchall;
5353 struct nft_set_ext *ext;
5356 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5357 ext = nft_set_elem_ext(set, catchall->elem);
5358 if (!nft_set_elem_active(ext, genmask))
5361 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5369 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5370 struct nft_set_binding *binding)
5372 struct nft_set_binding *i;
5373 struct nft_set_iter iter;
5375 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5378 if (binding->flags & NFT_SET_MAP) {
5379 /* If the set is already bound to the same chain all
5380 * jumps are already validated for that chain.
5382 list_for_each_entry(i, &set->bindings, list) {
5383 if (i->flags & NFT_SET_MAP &&
5384 i->chain == binding->chain)
5388 iter.genmask = nft_genmask_next(ctx->net);
5392 iter.fn = nf_tables_bind_check_setelem;
5394 set->ops->walk(ctx, set, &iter);
5396 iter.err = nft_set_catchall_bind_check(ctx, set);
5402 if (!nft_use_inc(&set->use))
5405 binding->chain = ctx->chain;
5406 list_add_tail_rcu(&binding->list, &set->bindings);
5407 nft_set_trans_bind(ctx, set);
5411 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5413 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5414 struct nft_set_binding *binding, bool event)
5416 list_del_rcu(&binding->list);
5418 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5419 list_del_rcu(&set->list);
5421 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5426 static void nft_setelem_data_activate(const struct net *net,
5427 const struct nft_set *set,
5428 struct nft_elem_priv *elem_priv);
5430 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5431 struct nft_set *set,
5432 const struct nft_set_iter *iter,
5433 struct nft_elem_priv *elem_priv)
5435 nft_setelem_data_activate(ctx->net, set, elem_priv);
5440 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5441 struct nft_set *set)
5443 u8 genmask = nft_genmask_next(ctx->net);
5444 struct nft_set_elem_catchall *catchall;
5445 struct nft_set_ext *ext;
5447 list_for_each_entry(catchall, &set->catchall_list, list) {
5448 ext = nft_set_elem_ext(set, catchall->elem);
5449 if (!nft_set_elem_active(ext, genmask))
5452 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5457 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5459 struct nft_set_iter iter = {
5460 .genmask = nft_genmask_next(ctx->net),
5461 .fn = nft_mapelem_activate,
5464 set->ops->walk(ctx, set, &iter);
5465 WARN_ON_ONCE(iter.err);
5467 nft_map_catchall_activate(ctx, set);
5470 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5472 if (nft_set_is_anonymous(set)) {
5473 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5474 nft_map_activate(ctx, set);
5476 nft_clear(ctx->net, set);
5479 nft_use_inc_restore(&set->use);
5481 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5483 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5484 struct nft_set_binding *binding,
5485 enum nft_trans_phase phase)
5488 case NFT_TRANS_PREPARE_ERROR:
5489 nft_set_trans_unbind(ctx, set);
5490 if (nft_set_is_anonymous(set))
5491 nft_deactivate_next(ctx->net, set);
5493 list_del_rcu(&binding->list);
5495 nft_use_dec(&set->use);
5497 case NFT_TRANS_PREPARE:
5498 if (nft_set_is_anonymous(set)) {
5499 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5500 nft_map_deactivate(ctx, set);
5502 nft_deactivate_next(ctx->net, set);
5504 nft_use_dec(&set->use);
5506 case NFT_TRANS_ABORT:
5507 case NFT_TRANS_RELEASE:
5508 if (nft_set_is_anonymous(set) &&
5509 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5510 nft_map_deactivate(ctx, set);
5512 nft_use_dec(&set->use);
5515 nf_tables_unbind_set(ctx, set, binding,
5516 phase == NFT_TRANS_COMMIT);
5519 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5521 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5523 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5524 nft_set_destroy(ctx, set);
5526 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5528 const struct nft_set_ext_type nft_set_ext_types[] = {
5529 [NFT_SET_EXT_KEY] = {
5530 .align = __alignof__(u32),
5532 [NFT_SET_EXT_DATA] = {
5533 .align = __alignof__(u32),
5535 [NFT_SET_EXT_EXPRESSIONS] = {
5536 .align = __alignof__(struct nft_set_elem_expr),
5538 [NFT_SET_EXT_OBJREF] = {
5539 .len = sizeof(struct nft_object *),
5540 .align = __alignof__(struct nft_object *),
5542 [NFT_SET_EXT_FLAGS] = {
5544 .align = __alignof__(u8),
5546 [NFT_SET_EXT_TIMEOUT] = {
5548 .align = __alignof__(u64),
5550 [NFT_SET_EXT_EXPIRATION] = {
5552 .align = __alignof__(u64),
5554 [NFT_SET_EXT_USERDATA] = {
5555 .len = sizeof(struct nft_userdata),
5556 .align = __alignof__(struct nft_userdata),
5558 [NFT_SET_EXT_KEY_END] = {
5559 .align = __alignof__(u32),
5567 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5568 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5569 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5570 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5571 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5572 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5573 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5574 .len = NFT_USERDATA_MAXLEN },
5575 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5576 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5577 .len = NFT_OBJ_MAXNAMELEN - 1 },
5578 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5579 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5582 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5583 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5584 .len = NFT_TABLE_MAXNAMELEN - 1 },
5585 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5586 .len = NFT_SET_MAXNAMELEN - 1 },
5587 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5588 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5591 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5592 const struct nft_set *set,
5593 const struct nft_set_ext *ext,
5596 struct nft_set_elem_expr *elem_expr;
5597 u32 size, num_exprs = 0;
5598 struct nft_expr *expr;
5599 struct nlattr *nest;
5601 elem_expr = nft_set_ext_expr(ext);
5602 nft_setelem_expr_foreach(expr, elem_expr, size)
5605 if (num_exprs == 1) {
5606 expr = nft_setelem_expr_at(elem_expr, 0);
5607 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5611 } else if (num_exprs > 1) {
5612 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5614 goto nla_put_failure;
5616 nft_setelem_expr_foreach(expr, elem_expr, size) {
5617 expr = nft_setelem_expr_at(elem_expr, size);
5618 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5619 goto nla_put_failure;
5621 nla_nest_end(skb, nest);
5629 static int nf_tables_fill_setelem(struct sk_buff *skb,
5630 const struct nft_set *set,
5631 const struct nft_elem_priv *elem_priv,
5634 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5635 unsigned char *b = skb_tail_pointer(skb);
5636 struct nlattr *nest;
5638 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5640 goto nla_put_failure;
5642 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5643 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5644 NFT_DATA_VALUE, set->klen) < 0)
5645 goto nla_put_failure;
5647 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5648 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5649 NFT_DATA_VALUE, set->klen) < 0)
5650 goto nla_put_failure;
5652 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5653 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5654 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5656 goto nla_put_failure;
5658 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5659 nft_set_elem_expr_dump(skb, set, ext, reset))
5660 goto nla_put_failure;
5662 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5663 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5664 (*nft_set_ext_obj(ext))->key.name) < 0)
5665 goto nla_put_failure;
5667 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5668 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5669 htonl(*nft_set_ext_flags(ext))))
5670 goto nla_put_failure;
5672 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5673 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5674 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5676 goto nla_put_failure;
5678 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5679 u64 expires, now = get_jiffies_64();
5681 expires = *nft_set_ext_expiration(ext);
5682 if (time_before64(now, expires))
5687 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5688 nf_jiffies64_to_msecs(expires),
5690 goto nla_put_failure;
5693 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5694 struct nft_userdata *udata;
5696 udata = nft_set_ext_userdata(ext);
5697 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5698 udata->len + 1, udata->data))
5699 goto nla_put_failure;
5702 nla_nest_end(skb, nest);
5710 struct nft_set_dump_args {
5711 const struct netlink_callback *cb;
5712 struct nft_set_iter iter;
5713 struct sk_buff *skb;
5717 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5718 struct nft_set *set,
5719 const struct nft_set_iter *iter,
5720 struct nft_elem_priv *elem_priv)
5722 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5723 struct nft_set_dump_args *args;
5725 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5728 args = container_of(iter, struct nft_set_dump_args, iter);
5729 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5732 static void audit_log_nft_set_reset(const struct nft_table *table,
5733 unsigned int base_seq,
5734 unsigned int nentries)
5736 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5738 audit_log_nfcfg(buf, table->family, nentries,
5739 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5743 struct nft_set_dump_ctx {
5744 const struct nft_set *set;
5749 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5750 const struct nft_set *set, bool reset,
5751 unsigned int base_seq)
5753 struct nft_set_elem_catchall *catchall;
5754 u8 genmask = nft_genmask_cur(net);
5755 struct nft_set_ext *ext;
5758 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5759 ext = nft_set_elem_ext(set, catchall->elem);
5760 if (!nft_set_elem_active(ext, genmask) ||
5761 nft_set_elem_expired(ext))
5764 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5766 audit_log_nft_set_reset(set->table, base_seq, 1);
5773 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5775 struct nft_set_dump_ctx *dump_ctx = cb->data;
5776 struct net *net = sock_net(skb->sk);
5777 struct nftables_pernet *nft_net;
5778 struct nft_table *table;
5779 struct nft_set *set;
5780 struct nft_set_dump_args args;
5781 bool set_found = false;
5782 struct nlmsghdr *nlh;
5783 struct nlattr *nest;
5788 nft_net = nft_pernet(net);
5789 cb->seq = READ_ONCE(nft_net->base_seq);
5791 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5792 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5793 dump_ctx->ctx.family != table->family)
5796 if (table != dump_ctx->ctx.table)
5799 list_for_each_entry_rcu(set, &table->sets, list) {
5800 if (set == dump_ctx->set) {
5813 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5814 portid = NETLINK_CB(cb->skb).portid;
5815 seq = cb->nlh->nlmsg_seq;
5817 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5818 table->family, NFNETLINK_V0, nft_base_seq(net));
5820 goto nla_put_failure;
5822 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5823 goto nla_put_failure;
5824 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5825 goto nla_put_failure;
5827 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5829 goto nla_put_failure;
5833 args.reset = dump_ctx->reset;
5834 args.iter.genmask = nft_genmask_cur(net);
5835 args.iter.skip = cb->args[0];
5836 args.iter.count = 0;
5838 args.iter.fn = nf_tables_dump_setelem;
5839 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5841 if (!args.iter.err && args.iter.count == cb->args[0])
5842 args.iter.err = nft_set_catchall_dump(net, skb, set,
5843 dump_ctx->reset, cb->seq);
5844 nla_nest_end(skb, nest);
5845 nlmsg_end(skb, nlh);
5849 if (args.iter.err && args.iter.err != -EMSGSIZE)
5850 return args.iter.err;
5851 if (args.iter.count == cb->args[0])
5854 cb->args[0] = args.iter.count;
5862 static int nf_tables_dumpreset_set(struct sk_buff *skb,
5863 struct netlink_callback *cb)
5865 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
5866 struct nft_set_dump_ctx *dump_ctx = cb->data;
5867 int ret, skip = cb->args[0];
5869 mutex_lock(&nft_net->commit_mutex);
5871 ret = nf_tables_dump_set(skb, cb);
5873 if (cb->args[0] > skip)
5874 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
5875 cb->args[0] - skip);
5877 mutex_unlock(&nft_net->commit_mutex);
5882 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5884 struct nft_set_dump_ctx *dump_ctx = cb->data;
5886 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5888 return cb->data ? 0 : -ENOMEM;
5891 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5897 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5898 const struct nft_ctx *ctx, u32 seq,
5899 u32 portid, int event, u16 flags,
5900 const struct nft_set *set,
5901 const struct nft_elem_priv *elem_priv,
5904 struct nlmsghdr *nlh;
5905 struct nlattr *nest;
5908 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5909 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5910 NFNETLINK_V0, nft_base_seq(ctx->net));
5912 goto nla_put_failure;
5914 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5915 goto nla_put_failure;
5916 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5917 goto nla_put_failure;
5919 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5921 goto nla_put_failure;
5923 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
5925 goto nla_put_failure;
5927 nla_nest_end(skb, nest);
5929 nlmsg_end(skb, nlh);
5933 nlmsg_trim(skb, nlh);
5937 static int nft_setelem_parse_flags(const struct nft_set *set,
5938 const struct nlattr *attr, u32 *flags)
5943 *flags = ntohl(nla_get_be32(attr));
5944 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5946 if (!(set->flags & NFT_SET_INTERVAL) &&
5947 *flags & NFT_SET_ELEM_INTERVAL_END)
5949 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5950 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5956 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
5957 struct nft_data *key, struct nlattr *attr)
5959 struct nft_data_desc desc = {
5960 .type = NFT_DATA_VALUE,
5961 .size = NFT_DATA_VALUE_MAXLEN,
5965 return nft_data_init(ctx, key, &desc, attr);
5968 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5969 struct nft_data_desc *desc,
5970 struct nft_data *data,
5971 struct nlattr *attr)
5975 if (set->dtype == NFT_DATA_VERDICT)
5976 dtype = NFT_DATA_VERDICT;
5978 dtype = NFT_DATA_VALUE;
5981 desc->size = NFT_DATA_VALUE_MAXLEN;
5982 desc->len = set->dlen;
5983 desc->flags = NFT_DATA_DESC_SETELEM;
5985 return nft_data_init(ctx, data, desc, attr);
5988 static void *nft_setelem_catchall_get(const struct net *net,
5989 const struct nft_set *set)
5991 struct nft_set_elem_catchall *catchall;
5992 u8 genmask = nft_genmask_cur(net);
5993 struct nft_set_ext *ext;
5996 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5997 ext = nft_set_elem_ext(set, catchall->elem);
5998 if (!nft_set_elem_active(ext, genmask) ||
5999 nft_set_elem_expired(ext))
6002 priv = catchall->elem;
6009 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6010 struct nft_set_elem *elem, u32 flags)
6014 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6015 priv = set->ops->get(ctx->net, set, elem, flags);
6017 return PTR_ERR(priv);
6019 priv = nft_setelem_catchall_get(ctx->net, set);
6028 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6029 const struct nlattr *attr, bool reset)
6031 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6032 struct nft_set_elem elem;
6033 struct sk_buff *skb;
6037 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6038 nft_set_elem_policy, NULL);
6042 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6046 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6049 if (nla[NFTA_SET_ELEM_KEY]) {
6050 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6051 nla[NFTA_SET_ELEM_KEY]);
6056 if (nla[NFTA_SET_ELEM_KEY_END]) {
6057 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6058 nla[NFTA_SET_ELEM_KEY_END]);
6063 err = nft_setelem_get(ctx, set, &elem, flags);
6068 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6072 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6073 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6076 goto err_fill_setelem;
6078 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6085 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6086 const struct sk_buff *skb,
6087 const struct nfnl_info *info,
6088 const struct nlattr * const nla[],
6091 struct netlink_ext_ack *extack = info->extack;
6092 u8 genmask = nft_genmask_cur(info->net);
6093 u8 family = info->nfmsg->nfgen_family;
6094 struct net *net = info->net;
6095 struct nft_table *table;
6096 struct nft_set *set;
6098 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6100 if (IS_ERR(table)) {
6101 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6102 return PTR_ERR(table);
6105 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6107 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6108 return PTR_ERR(set);
6111 nft_ctx_init(&dump_ctx->ctx, net, skb,
6112 info->nlh, family, table, NULL, nla);
6113 dump_ctx->set = set;
6114 dump_ctx->reset = reset;
6118 /* called with rcu_read_lock held */
6119 static int nf_tables_getsetelem(struct sk_buff *skb,
6120 const struct nfnl_info *info,
6121 const struct nlattr * const nla[])
6123 struct netlink_ext_ack *extack = info->extack;
6124 struct nft_set_dump_ctx dump_ctx;
6125 struct nlattr *attr;
6128 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6129 struct netlink_dump_control c = {
6130 .start = nf_tables_dump_set_start,
6131 .dump = nf_tables_dump_set,
6132 .done = nf_tables_dump_set_done,
6133 .module = THIS_MODULE,
6136 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6141 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6144 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6147 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6151 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6152 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6154 NL_SET_BAD_ATTR(extack, attr);
6162 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6163 const struct nfnl_info *info,
6164 const struct nlattr * const nla[])
6166 struct nftables_pernet *nft_net = nft_pernet(info->net);
6167 struct netlink_ext_ack *extack = info->extack;
6168 struct nft_set_dump_ctx dump_ctx;
6169 int rem, err = 0, nelems = 0;
6170 struct nlattr *attr;
6172 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6173 struct netlink_dump_control c = {
6174 .start = nf_tables_dump_set_start,
6175 .dump = nf_tables_dumpreset_set,
6176 .done = nf_tables_dump_set_done,
6177 .module = THIS_MODULE,
6180 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6185 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6188 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6191 if (!try_module_get(THIS_MODULE))
6194 mutex_lock(&nft_net->commit_mutex);
6197 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6201 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6202 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6204 NL_SET_BAD_ATTR(extack, attr);
6209 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6213 mutex_unlock(&nft_net->commit_mutex);
6215 module_put(THIS_MODULE);
6220 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6221 const struct nft_set *set,
6222 const struct nft_elem_priv *elem_priv,
6225 struct nftables_pernet *nft_net;
6226 struct net *net = ctx->net;
6227 u32 portid = ctx->portid;
6228 struct sk_buff *skb;
6232 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6235 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6239 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6240 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6242 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6243 set, elem_priv, false);
6249 nft_net = nft_pernet(net);
6250 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6253 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6256 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6258 struct nft_set *set)
6260 struct nft_trans *trans;
6262 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6266 nft_trans_elem_set(trans) = set;
6270 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6271 const struct nft_set *set,
6272 const struct nlattr *attr)
6274 struct nft_expr *expr;
6277 expr = nft_expr_init(ctx, attr);
6282 if (expr->ops->type->flags & NFT_EXPR_GC) {
6283 if (set->flags & NFT_SET_TIMEOUT)
6284 goto err_set_elem_expr;
6285 if (!set->ops->gc_init)
6286 goto err_set_elem_expr;
6287 set->ops->gc_init(set);
6293 nft_expr_destroy(ctx, expr);
6294 return ERR_PTR(err);
6297 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6299 len += nft_set_ext_types[id].len;
6300 if (len > tmpl->ext_len[id] ||
6307 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6308 void *to, const void *from, u32 len)
6310 if (nft_set_ext_check(tmpl, id, len) < 0)
6313 memcpy(to, from, len);
6318 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6319 const struct nft_set_ext_tmpl *tmpl,
6320 const u32 *key, const u32 *key_end,
6322 u64 timeout, u64 expiration, gfp_t gfp)
6324 struct nft_set_ext *ext;
6327 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6329 return ERR_PTR(-ENOMEM);
6331 ext = nft_set_elem_ext(set, elem);
6332 nft_set_ext_init(ext, tmpl);
6334 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6335 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6336 nft_set_ext_key(ext), key, set->klen) < 0)
6339 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6340 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6341 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6344 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6345 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6346 nft_set_ext_data(ext), data, set->dlen) < 0)
6349 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6350 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6351 if (expiration == 0)
6352 *nft_set_ext_expiration(ext) += timeout;
6354 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6355 *nft_set_ext_timeout(ext) = timeout;
6362 return ERR_PTR(-EINVAL);
6365 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6366 struct nft_expr *expr)
6368 if (expr->ops->destroy_clone) {
6369 expr->ops->destroy_clone(ctx, expr);
6370 module_put(expr->ops->type->owner);
6372 nf_tables_expr_destroy(ctx, expr);
6376 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6377 struct nft_set_elem_expr *elem_expr)
6379 struct nft_expr *expr;
6382 nft_setelem_expr_foreach(expr, elem_expr, size)
6383 __nft_set_elem_expr_destroy(ctx, expr);
6386 /* Drop references and destroy. Called from gc, dynset and abort path. */
6387 void nft_set_elem_destroy(const struct nft_set *set,
6388 const struct nft_elem_priv *elem_priv,
6391 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6392 struct nft_ctx ctx = {
6393 .net = read_pnet(&set->net),
6394 .family = set->table->family,
6397 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6398 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6399 nft_data_release(nft_set_ext_data(ext), set->dtype);
6400 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6401 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6402 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6403 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6407 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6409 /* Destroy element. References have been already dropped in the preparation
6410 * path via nft_setelem_data_deactivate().
6412 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6413 const struct nft_set *set,
6414 const struct nft_elem_priv *elem_priv)
6416 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6418 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6419 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6424 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6425 struct nft_expr *expr_array[])
6427 struct nft_expr *expr;
6430 for (i = 0; i < set->num_exprs; i++) {
6431 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6435 err = nft_expr_clone(expr, set->exprs[i]);
6440 expr_array[i] = expr;
6446 for (k = i - 1; k >= 0; k--)
6447 nft_expr_destroy(ctx, expr_array[k]);
6452 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6453 const struct nft_set_ext_tmpl *tmpl,
6454 const struct nft_set_ext *ext,
6455 struct nft_expr *expr_array[],
6458 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6459 u32 len = sizeof(struct nft_set_elem_expr);
6460 struct nft_expr *expr;
6466 for (i = 0; i < num_exprs; i++)
6467 len += expr_array[i]->ops->size;
6469 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6472 for (i = 0; i < num_exprs; i++) {
6473 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6474 err = nft_expr_clone(expr, expr_array[i]);
6476 goto err_elem_expr_setup;
6478 elem_expr->size += expr_array[i]->ops->size;
6479 nft_expr_destroy(ctx, expr_array[i]);
6480 expr_array[i] = NULL;
6485 err_elem_expr_setup:
6486 for (; i < num_exprs; i++) {
6487 nft_expr_destroy(ctx, expr_array[i]);
6488 expr_array[i] = NULL;
6494 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6495 const struct nft_set *set)
6497 struct nft_set_elem_catchall *catchall;
6498 u8 genmask = nft_genmask_cur(net);
6499 struct nft_set_ext *ext;
6501 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6502 ext = nft_set_elem_ext(set, catchall->elem);
6503 if (nft_set_elem_active(ext, genmask) &&
6504 !nft_set_elem_expired(ext) &&
6505 !nft_set_elem_is_dead(ext))
6511 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6513 static int nft_setelem_catchall_insert(const struct net *net,
6514 struct nft_set *set,
6515 const struct nft_set_elem *elem,
6516 struct nft_elem_priv **priv)
6518 struct nft_set_elem_catchall *catchall;
6519 u8 genmask = nft_genmask_next(net);
6520 struct nft_set_ext *ext;
6522 list_for_each_entry(catchall, &set->catchall_list, list) {
6523 ext = nft_set_elem_ext(set, catchall->elem);
6524 if (nft_set_elem_active(ext, genmask)) {
6525 *priv = catchall->elem;
6530 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6534 catchall->elem = elem->priv;
6535 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6540 static int nft_setelem_insert(const struct net *net,
6541 struct nft_set *set,
6542 const struct nft_set_elem *elem,
6543 struct nft_elem_priv **elem_priv,
6548 if (flags & NFT_SET_ELEM_CATCHALL)
6549 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6551 ret = set->ops->insert(net, set, elem, elem_priv);
6556 static bool nft_setelem_is_catchall(const struct nft_set *set,
6557 const struct nft_elem_priv *elem_priv)
6559 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6561 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6562 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6568 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6569 struct nft_elem_priv *elem_priv)
6571 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6573 if (nft_setelem_is_catchall(set, elem_priv)) {
6574 nft_set_elem_change_active(net, set, ext);
6576 set->ops->activate(net, set, elem_priv);
6580 static int nft_setelem_catchall_deactivate(const struct net *net,
6581 struct nft_set *set,
6582 struct nft_set_elem *elem)
6584 struct nft_set_elem_catchall *catchall;
6585 struct nft_set_ext *ext;
6587 list_for_each_entry(catchall, &set->catchall_list, list) {
6588 ext = nft_set_elem_ext(set, catchall->elem);
6589 if (!nft_is_active_next(net, ext))
6593 elem->priv = catchall->elem;
6594 nft_set_elem_change_active(net, set, ext);
6601 static int __nft_setelem_deactivate(const struct net *net,
6602 struct nft_set *set,
6603 struct nft_set_elem *elem)
6607 priv = set->ops->deactivate(net, set, elem);
6618 static int nft_setelem_deactivate(const struct net *net,
6619 struct nft_set *set,
6620 struct nft_set_elem *elem, u32 flags)
6624 if (flags & NFT_SET_ELEM_CATCHALL)
6625 ret = nft_setelem_catchall_deactivate(net, set, elem);
6627 ret = __nft_setelem_deactivate(net, set, elem);
6632 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6634 list_del_rcu(&catchall->list);
6635 kfree_rcu(catchall, rcu);
6638 static void nft_setelem_catchall_remove(const struct net *net,
6639 const struct nft_set *set,
6640 struct nft_elem_priv *elem_priv)
6642 struct nft_set_elem_catchall *catchall, *next;
6644 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6645 if (catchall->elem == elem_priv) {
6646 nft_setelem_catchall_destroy(catchall);
6652 static void nft_setelem_remove(const struct net *net,
6653 const struct nft_set *set,
6654 struct nft_elem_priv *elem_priv)
6656 if (nft_setelem_is_catchall(set, elem_priv))
6657 nft_setelem_catchall_remove(net, set, elem_priv);
6659 set->ops->remove(net, set, elem_priv);
6662 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6663 struct nlattr **nla, u32 flags)
6665 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6666 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6667 if (flags & NFT_SET_ELEM_INTERVAL_END)
6670 if (nla[NFTA_SET_ELEM_KEY_END] &&
6671 flags & NFT_SET_ELEM_CATCHALL)
6674 if (nla[NFTA_SET_ELEM_KEY_END])
6681 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6682 const struct nlattr *attr, u32 nlmsg_flags)
6684 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6685 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6686 u8 genmask = nft_genmask_next(ctx->net);
6687 u32 flags = 0, size = 0, num_exprs = 0;
6688 struct nft_set_ext_tmpl tmpl;
6689 struct nft_set_ext *ext, *ext2;
6690 struct nft_set_elem elem;
6691 struct nft_set_binding *binding;
6692 struct nft_elem_priv *elem_priv;
6693 struct nft_object *obj = NULL;
6694 struct nft_userdata *udata;
6695 struct nft_data_desc desc;
6696 enum nft_registers dreg;
6697 struct nft_trans *trans;
6703 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6704 nft_set_elem_policy, NULL);
6708 nft_set_ext_prepare(&tmpl);
6710 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6714 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6715 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6719 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6724 if (set->flags & NFT_SET_MAP) {
6725 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6726 !(flags & NFT_SET_ELEM_INTERVAL_END))
6729 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6733 if (set->flags & NFT_SET_OBJECT) {
6734 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6735 !(flags & NFT_SET_ELEM_INTERVAL_END))
6738 if (nla[NFTA_SET_ELEM_OBJREF])
6742 if (!nft_setelem_valid_key_end(set, nla, flags))
6745 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6746 (nla[NFTA_SET_ELEM_DATA] ||
6747 nla[NFTA_SET_ELEM_OBJREF] ||
6748 nla[NFTA_SET_ELEM_TIMEOUT] ||
6749 nla[NFTA_SET_ELEM_EXPIRATION] ||
6750 nla[NFTA_SET_ELEM_USERDATA] ||
6751 nla[NFTA_SET_ELEM_EXPR] ||
6752 nla[NFTA_SET_ELEM_KEY_END] ||
6753 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6757 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6758 if (!(set->flags & NFT_SET_TIMEOUT))
6760 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6764 } else if (set->flags & NFT_SET_TIMEOUT &&
6765 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6766 timeout = READ_ONCE(set->timeout);
6770 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6771 if (!(set->flags & NFT_SET_TIMEOUT))
6773 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6779 if (nla[NFTA_SET_ELEM_EXPR]) {
6780 struct nft_expr *expr;
6782 if (set->num_exprs && set->num_exprs != 1)
6785 expr = nft_set_elem_expr_alloc(ctx, set,
6786 nla[NFTA_SET_ELEM_EXPR]);
6788 return PTR_ERR(expr);
6790 expr_array[0] = expr;
6793 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6795 goto err_set_elem_expr;
6797 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6798 struct nft_expr *expr;
6803 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6804 if (i == NFT_SET_EXPR_MAX ||
6805 (set->num_exprs && set->num_exprs == i)) {
6807 goto err_set_elem_expr;
6809 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6811 goto err_set_elem_expr;
6813 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6815 err = PTR_ERR(expr);
6816 goto err_set_elem_expr;
6818 expr_array[i] = expr;
6821 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6823 goto err_set_elem_expr;
6827 if (set->num_exprs && set->num_exprs != i) {
6829 goto err_set_elem_expr;
6831 } else if (set->num_exprs > 0 &&
6832 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6833 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6835 goto err_set_elem_expr_clone;
6837 num_exprs = set->num_exprs;
6840 if (nla[NFTA_SET_ELEM_KEY]) {
6841 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6842 nla[NFTA_SET_ELEM_KEY]);
6844 goto err_set_elem_expr;
6846 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6851 if (nla[NFTA_SET_ELEM_KEY_END]) {
6852 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6853 nla[NFTA_SET_ELEM_KEY_END]);
6857 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6859 goto err_parse_key_end;
6863 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6865 goto err_parse_key_end;
6867 if (timeout != READ_ONCE(set->timeout)) {
6868 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6870 goto err_parse_key_end;
6875 for (i = 0; i < num_exprs; i++)
6876 size += expr_array[i]->ops->size;
6878 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6879 sizeof(struct nft_set_elem_expr) + size);
6881 goto err_parse_key_end;
6884 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6885 obj = nft_obj_lookup(ctx->net, ctx->table,
6886 nla[NFTA_SET_ELEM_OBJREF],
6887 set->objtype, genmask);
6891 goto err_parse_key_end;
6894 if (!nft_use_inc(&obj->use)) {
6897 goto err_parse_key_end;
6900 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6902 goto err_parse_key_end;
6905 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6906 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6907 nla[NFTA_SET_ELEM_DATA]);
6909 goto err_parse_key_end;
6911 dreg = nft_type_to_reg(set->dtype);
6912 list_for_each_entry(binding, &set->bindings, list) {
6913 struct nft_ctx bind_ctx = {
6915 .family = ctx->family,
6916 .table = ctx->table,
6917 .chain = (struct nft_chain *)binding->chain,
6920 if (!(binding->flags & NFT_SET_MAP))
6923 err = nft_validate_register_store(&bind_ctx, dreg,
6925 desc.type, desc.len);
6927 goto err_parse_data;
6929 if (desc.type == NFT_DATA_VERDICT &&
6930 (elem.data.val.verdict.code == NFT_GOTO ||
6931 elem.data.val.verdict.code == NFT_JUMP))
6932 nft_validate_state_update(ctx->table,
6936 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6938 goto err_parse_data;
6941 /* The full maximum length of userdata can exceed the maximum
6942 * offset value (U8_MAX) for following extensions, therefor it
6943 * must be the last extension added.
6946 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6947 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6949 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6952 goto err_parse_data;
6956 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6957 elem.key_end.val.data, elem.data.val.data,
6958 timeout, expiration, GFP_KERNEL_ACCOUNT);
6959 if (IS_ERR(elem.priv)) {
6960 err = PTR_ERR(elem.priv);
6961 goto err_parse_data;
6964 ext = nft_set_elem_ext(set, elem.priv);
6966 *nft_set_ext_flags(ext) = flags;
6969 *nft_set_ext_obj(ext) = obj;
6972 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6976 udata = nft_set_ext_userdata(ext);
6977 udata->len = ulen - 1;
6978 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6980 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6984 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6985 if (trans == NULL) {
6990 ext->genmask = nft_genmask_cur(ctx->net);
6992 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
6994 if (err == -EEXIST) {
6995 ext2 = nft_set_elem_ext(set, elem_priv);
6996 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6997 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6998 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6999 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7000 goto err_element_clash;
7001 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7002 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7003 memcmp(nft_set_ext_data(ext),
7004 nft_set_ext_data(ext2), set->dlen) != 0) ||
7005 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7006 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7007 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7008 goto err_element_clash;
7009 else if (!(nlmsg_flags & NLM_F_EXCL))
7011 } else if (err == -ENOTEMPTY) {
7012 /* ENOTEMPTY reports overlapping between this element
7013 * and an existing one.
7017 goto err_element_clash;
7020 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7021 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7023 if (!atomic_add_unless(&set->nelems, 1, max)) {
7029 nft_trans_elem_priv(trans) = elem.priv;
7030 nft_trans_commit_list_add_tail(ctx->net, trans);
7034 nft_setelem_remove(ctx->net, set, elem.priv);
7038 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7040 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7041 nft_data_release(&elem.data.val, desc.type);
7044 nft_use_dec_restore(&obj->use);
7046 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7048 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7050 for (i = 0; i < num_exprs && expr_array[i]; i++)
7051 nft_expr_destroy(ctx, expr_array[i]);
7052 err_set_elem_expr_clone:
7056 static int nf_tables_newsetelem(struct sk_buff *skb,
7057 const struct nfnl_info *info,
7058 const struct nlattr * const nla[])
7060 struct netlink_ext_ack *extack = info->extack;
7061 u8 genmask = nft_genmask_next(info->net);
7062 u8 family = info->nfmsg->nfgen_family;
7063 struct net *net = info->net;
7064 const struct nlattr *attr;
7065 struct nft_table *table;
7066 struct nft_set *set;
7070 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7073 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7074 genmask, NETLINK_CB(skb).portid);
7075 if (IS_ERR(table)) {
7076 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7077 return PTR_ERR(table);
7080 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7081 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7083 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7084 return PTR_ERR(set);
7087 if (!list_empty(&set->bindings) &&
7088 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7091 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7093 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7094 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7096 NL_SET_BAD_ATTR(extack, attr);
7101 if (table->validate_state == NFT_VALIDATE_DO)
7102 return nft_table_validate(net, table);
7108 * nft_data_hold - hold a nft_data item
7110 * @data: struct nft_data to release
7111 * @type: type of data
7113 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7114 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7115 * NFT_GOTO verdicts. This function must be called on active data objects
7116 * from the second phase of the commit protocol.
7118 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7120 struct nft_chain *chain;
7122 if (type == NFT_DATA_VERDICT) {
7123 switch (data->verdict.code) {
7126 chain = data->verdict.chain;
7127 nft_use_inc_restore(&chain->use);
7133 static void nft_setelem_data_activate(const struct net *net,
7134 const struct nft_set *set,
7135 struct nft_elem_priv *elem_priv)
7137 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7139 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7140 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7141 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7142 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7145 void nft_setelem_data_deactivate(const struct net *net,
7146 const struct nft_set *set,
7147 struct nft_elem_priv *elem_priv)
7149 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7151 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7152 nft_data_release(nft_set_ext_data(ext), set->dtype);
7153 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7154 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7157 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7158 const struct nlattr *attr)
7160 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7161 struct nft_set_ext_tmpl tmpl;
7162 struct nft_set_elem elem;
7163 struct nft_set_ext *ext;
7164 struct nft_trans *trans;
7168 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7169 nft_set_elem_policy, NULL);
7173 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7177 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7180 if (!nft_setelem_valid_key_end(set, nla, flags))
7183 nft_set_ext_prepare(&tmpl);
7186 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7191 if (nla[NFTA_SET_ELEM_KEY]) {
7192 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7193 nla[NFTA_SET_ELEM_KEY]);
7197 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7202 if (nla[NFTA_SET_ELEM_KEY_END]) {
7203 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7204 nla[NFTA_SET_ELEM_KEY_END]);
7208 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7210 goto fail_elem_key_end;
7214 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7215 elem.key_end.val.data, NULL, 0, 0,
7216 GFP_KERNEL_ACCOUNT);
7217 if (IS_ERR(elem.priv)) {
7218 err = PTR_ERR(elem.priv);
7219 goto fail_elem_key_end;
7222 ext = nft_set_elem_ext(set, elem.priv);
7224 *nft_set_ext_flags(ext) = flags;
7226 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7230 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7234 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7236 nft_trans_elem_priv(trans) = elem.priv;
7237 nft_trans_commit_list_add_tail(ctx->net, trans);
7245 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7247 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7251 static int nft_setelem_flush(const struct nft_ctx *ctx,
7252 struct nft_set *set,
7253 const struct nft_set_iter *iter,
7254 struct nft_elem_priv *elem_priv)
7256 struct nft_trans *trans;
7258 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7259 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7263 set->ops->flush(ctx->net, set, elem_priv);
7266 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7267 nft_trans_elem_set(trans) = set;
7268 nft_trans_elem_priv(trans) = elem_priv;
7269 nft_trans_commit_list_add_tail(ctx->net, trans);
7274 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7275 struct nft_set *set,
7276 struct nft_elem_priv *elem_priv)
7278 struct nft_trans *trans;
7280 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7281 sizeof(struct nft_trans_elem), GFP_KERNEL);
7285 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7286 nft_trans_elem_set(trans) = set;
7287 nft_trans_elem_priv(trans) = elem_priv;
7288 nft_trans_commit_list_add_tail(ctx->net, trans);
7293 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7294 struct nft_set *set)
7296 u8 genmask = nft_genmask_next(ctx->net);
7297 struct nft_set_elem_catchall *catchall;
7298 struct nft_set_ext *ext;
7301 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7302 ext = nft_set_elem_ext(set, catchall->elem);
7303 if (!nft_set_elem_active(ext, genmask))
7306 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7309 nft_set_elem_change_active(ctx->net, set, ext);
7315 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7317 struct nft_set_iter iter = {
7319 .fn = nft_setelem_flush,
7322 set->ops->walk(ctx, set, &iter);
7324 iter.err = nft_set_catchall_flush(ctx, set);
7329 static int nf_tables_delsetelem(struct sk_buff *skb,
7330 const struct nfnl_info *info,
7331 const struct nlattr * const nla[])
7333 struct netlink_ext_ack *extack = info->extack;
7334 u8 genmask = nft_genmask_next(info->net);
7335 u8 family = info->nfmsg->nfgen_family;
7336 struct net *net = info->net;
7337 const struct nlattr *attr;
7338 struct nft_table *table;
7339 struct nft_set *set;
7343 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7344 genmask, NETLINK_CB(skb).portid);
7345 if (IS_ERR(table)) {
7346 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7347 return PTR_ERR(table);
7350 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7352 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7353 return PTR_ERR(set);
7356 if (nft_set_is_anonymous(set))
7359 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7362 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7364 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7365 return nft_set_flush(&ctx, set, genmask);
7367 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7368 err = nft_del_setelem(&ctx, set, attr);
7369 if (err == -ENOENT &&
7370 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7374 NL_SET_BAD_ATTR(extack, attr);
7387 * nft_register_obj- register nf_tables stateful object type
7388 * @obj_type: object type
7390 * Registers the object type for use with nf_tables. Returns zero on
7391 * success or a negative errno code otherwise.
7393 int nft_register_obj(struct nft_object_type *obj_type)
7395 if (obj_type->type == NFT_OBJECT_UNSPEC)
7398 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7399 list_add_rcu(&obj_type->list, &nf_tables_objects);
7400 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7403 EXPORT_SYMBOL_GPL(nft_register_obj);
7406 * nft_unregister_obj - unregister nf_tables object type
7407 * @obj_type: object type
7409 * Unregisters the object type for use with nf_tables.
7411 void nft_unregister_obj(struct nft_object_type *obj_type)
7413 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7414 list_del_rcu(&obj_type->list);
7415 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7417 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7419 struct nft_object *nft_obj_lookup(const struct net *net,
7420 const struct nft_table *table,
7421 const struct nlattr *nla, u32 objtype,
7424 struct nft_object_hash_key k = { .table = table };
7425 char search[NFT_OBJ_MAXNAMELEN];
7426 struct rhlist_head *tmp, *list;
7427 struct nft_object *obj;
7429 nla_strscpy(search, nla, sizeof(search));
7432 WARN_ON_ONCE(!rcu_read_lock_held() &&
7433 !lockdep_commit_lock_is_held(net));
7436 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7440 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7441 if (objtype == obj->ops->type->type &&
7442 nft_active_genmask(obj, genmask)) {
7449 return ERR_PTR(-ENOENT);
7451 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7453 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7454 const struct nlattr *nla,
7455 u32 objtype, u8 genmask)
7457 struct nft_object *obj;
7459 list_for_each_entry(obj, &table->objects, list) {
7460 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7461 objtype == obj->ops->type->type &&
7462 nft_active_genmask(obj, genmask))
7465 return ERR_PTR(-ENOENT);
7468 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7469 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7470 .len = NFT_TABLE_MAXNAMELEN - 1 },
7471 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7472 .len = NFT_OBJ_MAXNAMELEN - 1 },
7473 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7474 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7475 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7476 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7477 .len = NFT_USERDATA_MAXLEN },
7480 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7481 const struct nft_object_type *type,
7482 const struct nlattr *attr)
7485 const struct nft_object_ops *ops;
7486 struct nft_object *obj;
7489 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7494 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7495 type->policy, NULL);
7499 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7502 if (type->select_ops) {
7503 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7513 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7517 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7530 return ERR_PTR(err);
7533 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7534 struct nft_object *obj, bool reset)
7536 struct nlattr *nest;
7538 nest = nla_nest_start_noflag(skb, attr);
7540 goto nla_put_failure;
7541 if (obj->ops->dump(skb, obj, reset) < 0)
7542 goto nla_put_failure;
7543 nla_nest_end(skb, nest);
7550 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
7552 const struct nft_object_type *type;
7554 list_for_each_entry(type, &nf_tables_objects, list) {
7555 if (objtype == type->type)
7561 static const struct nft_object_type *
7562 nft_obj_type_get(struct net *net, u32 objtype)
7564 const struct nft_object_type *type;
7566 type = __nft_obj_type_get(objtype);
7567 if (type != NULL && try_module_get(type->owner))
7570 lockdep_nfnl_nft_mutex_not_held();
7571 #ifdef CONFIG_MODULES
7573 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7574 return ERR_PTR(-EAGAIN);
7577 return ERR_PTR(-ENOENT);
7580 static int nf_tables_updobj(const struct nft_ctx *ctx,
7581 const struct nft_object_type *type,
7582 const struct nlattr *attr,
7583 struct nft_object *obj)
7585 struct nft_object *newobj;
7586 struct nft_trans *trans;
7589 if (!try_module_get(type->owner))
7592 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7593 sizeof(struct nft_trans_obj));
7597 newobj = nft_obj_init(ctx, type, attr);
7598 if (IS_ERR(newobj)) {
7599 err = PTR_ERR(newobj);
7600 goto err_free_trans;
7603 nft_trans_obj(trans) = obj;
7604 nft_trans_obj_update(trans) = true;
7605 nft_trans_obj_newobj(trans) = newobj;
7606 nft_trans_commit_list_add_tail(ctx->net, trans);
7613 module_put(type->owner);
7617 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7618 const struct nlattr * const nla[])
7620 struct netlink_ext_ack *extack = info->extack;
7621 u8 genmask = nft_genmask_next(info->net);
7622 u8 family = info->nfmsg->nfgen_family;
7623 const struct nft_object_type *type;
7624 struct net *net = info->net;
7625 struct nft_table *table;
7626 struct nft_object *obj;
7631 if (!nla[NFTA_OBJ_TYPE] ||
7632 !nla[NFTA_OBJ_NAME] ||
7633 !nla[NFTA_OBJ_DATA])
7636 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7637 NETLINK_CB(skb).portid);
7638 if (IS_ERR(table)) {
7639 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7640 return PTR_ERR(table);
7643 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7644 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7647 if (err != -ENOENT) {
7648 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7652 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7653 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7656 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7659 type = __nft_obj_type_get(objtype);
7660 if (WARN_ON_ONCE(!type))
7663 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7665 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7668 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7670 if (!nft_use_inc(&table->use))
7673 type = nft_obj_type_get(net, objtype);
7675 err = PTR_ERR(type);
7679 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7684 obj->key.table = table;
7685 obj->handle = nf_tables_alloc_handle(table);
7687 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7688 if (!obj->key.name) {
7693 if (nla[NFTA_OBJ_USERDATA]) {
7694 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7695 if (obj->udata == NULL)
7698 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7701 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7705 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7706 nft_objname_ht_params);
7710 list_add_tail_rcu(&obj->list, &table->objects);
7714 /* queued in transaction log */
7715 INIT_LIST_HEAD(&obj->list);
7720 kfree(obj->key.name);
7722 if (obj->ops->destroy)
7723 obj->ops->destroy(&ctx, obj);
7726 module_put(type->owner);
7728 nft_use_dec_restore(&table->use);
7733 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7734 u32 portid, u32 seq, int event, u32 flags,
7735 int family, const struct nft_table *table,
7736 struct nft_object *obj, bool reset)
7738 struct nlmsghdr *nlh;
7740 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7741 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7742 NFNETLINK_V0, nft_base_seq(net));
7744 goto nla_put_failure;
7746 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7747 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7748 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7750 goto nla_put_failure;
7752 if (event == NFT_MSG_DELOBJ) {
7753 nlmsg_end(skb, nlh);
7757 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7758 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7759 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7760 goto nla_put_failure;
7763 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7764 goto nla_put_failure;
7766 nlmsg_end(skb, nlh);
7770 nlmsg_trim(skb, nlh);
7774 static void audit_log_obj_reset(const struct nft_table *table,
7775 unsigned int base_seq, unsigned int nentries)
7777 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7779 audit_log_nfcfg(buf, table->family, nentries,
7780 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7784 struct nft_obj_dump_ctx {
7791 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7793 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7794 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7795 struct net *net = sock_net(skb->sk);
7796 int family = nfmsg->nfgen_family;
7797 struct nftables_pernet *nft_net;
7798 const struct nft_table *table;
7799 unsigned int entries = 0;
7800 struct nft_object *obj;
7801 unsigned int idx = 0;
7805 nft_net = nft_pernet(net);
7806 cb->seq = READ_ONCE(nft_net->base_seq);
7808 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7809 if (family != NFPROTO_UNSPEC && family != table->family)
7813 list_for_each_entry_rcu(obj, &table->objects, list) {
7814 if (!nft_is_active(net, obj))
7816 if (idx < ctx->s_idx)
7818 if (ctx->table && strcmp(ctx->table, table->name))
7820 if (ctx->type != NFT_OBJECT_UNSPEC &&
7821 obj->ops->type->type != ctx->type)
7824 rc = nf_tables_fill_obj_info(skb, net,
7825 NETLINK_CB(cb->skb).portid,
7828 NLM_F_MULTI | NLM_F_APPEND,
7829 table->family, table,
7835 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7839 if (ctx->reset && entries)
7840 audit_log_obj_reset(table, nft_net->base_seq, entries);
7850 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7852 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7853 const struct nlattr * const *nla = cb->data;
7855 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7857 if (nla[NFTA_OBJ_TABLE]) {
7858 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7863 if (nla[NFTA_OBJ_TYPE])
7864 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7866 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7872 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7874 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7881 /* called with rcu_read_lock held */
7882 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7883 const struct nlattr * const nla[])
7885 struct netlink_ext_ack *extack = info->extack;
7886 u8 genmask = nft_genmask_cur(info->net);
7887 u8 family = info->nfmsg->nfgen_family;
7888 const struct nft_table *table;
7889 struct net *net = info->net;
7890 struct nft_object *obj;
7891 struct sk_buff *skb2;
7896 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7897 struct netlink_dump_control c = {
7898 .start = nf_tables_dump_obj_start,
7899 .dump = nf_tables_dump_obj,
7900 .done = nf_tables_dump_obj_done,
7901 .module = THIS_MODULE,
7902 .data = (void *)nla,
7905 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7908 if (!nla[NFTA_OBJ_NAME] ||
7909 !nla[NFTA_OBJ_TYPE])
7912 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7913 if (IS_ERR(table)) {
7914 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7915 return PTR_ERR(table);
7918 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7919 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7921 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7922 return PTR_ERR(obj);
7925 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7929 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7933 const struct nftables_pernet *nft_net;
7936 nft_net = nft_pernet(net);
7937 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7939 audit_log_nfcfg(buf,
7942 AUDIT_NFT_OP_OBJ_RESET,
7947 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7948 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7949 family, table, obj, reset);
7951 goto err_fill_obj_info;
7953 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7960 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7962 if (obj->ops->destroy)
7963 obj->ops->destroy(ctx, obj);
7965 module_put(obj->ops->type->owner);
7966 kfree(obj->key.name);
7971 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7972 const struct nlattr * const nla[])
7974 struct netlink_ext_ack *extack = info->extack;
7975 u8 genmask = nft_genmask_next(info->net);
7976 u8 family = info->nfmsg->nfgen_family;
7977 struct net *net = info->net;
7978 const struct nlattr *attr;
7979 struct nft_table *table;
7980 struct nft_object *obj;
7984 if (!nla[NFTA_OBJ_TYPE] ||
7985 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7988 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7989 NETLINK_CB(skb).portid);
7990 if (IS_ERR(table)) {
7991 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7992 return PTR_ERR(table);
7995 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7996 if (nla[NFTA_OBJ_HANDLE]) {
7997 attr = nla[NFTA_OBJ_HANDLE];
7998 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8000 attr = nla[NFTA_OBJ_NAME];
8001 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8005 if (PTR_ERR(obj) == -ENOENT &&
8006 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8009 NL_SET_BAD_ATTR(extack, attr);
8010 return PTR_ERR(obj);
8013 NL_SET_BAD_ATTR(extack, attr);
8017 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8019 return nft_delobj(&ctx, obj);
8023 __nft_obj_notify(struct net *net, const struct nft_table *table,
8024 struct nft_object *obj, u32 portid, u32 seq, int event,
8025 u16 flags, int family, int report, gfp_t gfp)
8027 struct nftables_pernet *nft_net = nft_pernet(net);
8028 struct sk_buff *skb;
8032 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8035 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8039 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8040 flags & (NLM_F_CREATE | NLM_F_EXCL),
8041 family, table, obj, false);
8047 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8050 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8053 void nft_obj_notify(struct net *net, const struct nft_table *table,
8054 struct nft_object *obj, u32 portid, u32 seq, int event,
8055 u16 flags, int family, int report, gfp_t gfp)
8057 struct nftables_pernet *nft_net = nft_pernet(net);
8058 char *buf = kasprintf(gfp, "%s:%u",
8059 table->name, nft_net->base_seq);
8061 audit_log_nfcfg(buf,
8064 event == NFT_MSG_NEWOBJ ?
8065 AUDIT_NFT_OP_OBJ_REGISTER :
8066 AUDIT_NFT_OP_OBJ_UNREGISTER,
8070 __nft_obj_notify(net, table, obj, portid, seq, event,
8071 flags, family, report, gfp);
8073 EXPORT_SYMBOL_GPL(nft_obj_notify);
8075 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8076 struct nft_object *obj, int event)
8078 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8079 ctx->seq, event, ctx->flags, ctx->family,
8080 ctx->report, GFP_KERNEL);
8086 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8088 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8089 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8090 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8092 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8094 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8096 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8097 list_del_rcu(&type->list);
8098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8100 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8102 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8103 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8104 .len = NFT_NAME_MAXLEN - 1 },
8105 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8106 .len = NFT_NAME_MAXLEN - 1 },
8107 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8108 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8109 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8112 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8113 const struct nlattr *nla, u8 genmask)
8115 struct nft_flowtable *flowtable;
8117 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8118 if (!nla_strcmp(nla, flowtable->name) &&
8119 nft_active_genmask(flowtable, genmask))
8122 return ERR_PTR(-ENOENT);
8124 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8126 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8127 struct nft_flowtable *flowtable,
8128 enum nft_trans_phase phase)
8131 case NFT_TRANS_PREPARE_ERROR:
8132 case NFT_TRANS_PREPARE:
8133 case NFT_TRANS_ABORT:
8134 case NFT_TRANS_RELEASE:
8135 nft_use_dec(&flowtable->use);
8141 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8143 static struct nft_flowtable *
8144 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8145 const struct nlattr *nla, u8 genmask)
8147 struct nft_flowtable *flowtable;
8149 list_for_each_entry(flowtable, &table->flowtables, list) {
8150 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8151 nft_active_genmask(flowtable, genmask))
8154 return ERR_PTR(-ENOENT);
8157 struct nft_flowtable_hook {
8160 struct list_head list;
8163 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8164 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8165 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8166 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8169 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8170 const struct nlattr * const nla[],
8171 struct nft_flowtable_hook *flowtable_hook,
8172 struct nft_flowtable *flowtable,
8173 struct netlink_ext_ack *extack, bool add)
8175 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8176 struct nft_hook *hook;
8177 int hooknum, priority;
8180 INIT_LIST_HEAD(&flowtable_hook->list);
8182 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8183 nla[NFTA_FLOWTABLE_HOOK],
8184 nft_flowtable_hook_policy, NULL);
8189 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8190 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8191 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8195 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8196 if (hooknum != NF_NETDEV_INGRESS)
8199 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8201 flowtable_hook->priority = priority;
8202 flowtable_hook->num = hooknum;
8204 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8205 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8206 if (hooknum != flowtable->hooknum)
8210 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8211 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8212 if (priority != flowtable->data.priority)
8216 flowtable_hook->priority = flowtable->data.priority;
8217 flowtable_hook->num = flowtable->hooknum;
8220 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8221 err = nf_tables_parse_netdev_hooks(ctx->net,
8222 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8223 &flowtable_hook->list,
8229 list_for_each_entry(hook, &flowtable_hook->list, list) {
8230 hook->ops.pf = NFPROTO_NETDEV;
8231 hook->ops.hooknum = flowtable_hook->num;
8232 hook->ops.priority = flowtable_hook->priority;
8233 hook->ops.priv = &flowtable->data;
8234 hook->ops.hook = flowtable->data.type->hook;
8240 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8242 const struct nf_flowtable_type *type;
8244 list_for_each_entry(type, &nf_tables_flowtables, list) {
8245 if (family == type->family)
8251 static const struct nf_flowtable_type *
8252 nft_flowtable_type_get(struct net *net, u8 family)
8254 const struct nf_flowtable_type *type;
8256 type = __nft_flowtable_type_get(family);
8257 if (type != NULL && try_module_get(type->owner))
8260 lockdep_nfnl_nft_mutex_not_held();
8261 #ifdef CONFIG_MODULES
8263 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8264 return ERR_PTR(-EAGAIN);
8267 return ERR_PTR(-ENOENT);
8270 /* Only called from error and netdev event paths. */
8271 static void nft_unregister_flowtable_hook(struct net *net,
8272 struct nft_flowtable *flowtable,
8273 struct nft_hook *hook)
8275 nf_unregister_net_hook(net, &hook->ops);
8276 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8280 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8281 struct list_head *hook_list,
8282 bool release_netdev)
8284 struct nft_hook *hook, *next;
8286 list_for_each_entry_safe(hook, next, hook_list, list) {
8287 nf_unregister_net_hook(net, &hook->ops);
8288 if (release_netdev) {
8289 list_del(&hook->list);
8290 kfree_rcu(hook, rcu);
8295 static void nft_unregister_flowtable_net_hooks(struct net *net,
8296 struct list_head *hook_list)
8298 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8301 static int nft_register_flowtable_net_hooks(struct net *net,
8302 struct nft_table *table,
8303 struct list_head *hook_list,
8304 struct nft_flowtable *flowtable)
8306 struct nft_hook *hook, *hook2, *next;
8307 struct nft_flowtable *ft;
8310 list_for_each_entry(hook, hook_list, list) {
8311 list_for_each_entry(ft, &table->flowtables, list) {
8312 if (!nft_is_active_next(net, ft))
8315 list_for_each_entry(hook2, &ft->hook_list, list) {
8316 if (hook->ops.dev == hook2->ops.dev &&
8317 hook->ops.pf == hook2->ops.pf) {
8319 goto err_unregister_net_hooks;
8324 err = flowtable->data.type->setup(&flowtable->data,
8328 goto err_unregister_net_hooks;
8330 err = nf_register_net_hook(net, &hook->ops);
8332 flowtable->data.type->setup(&flowtable->data,
8335 goto err_unregister_net_hooks;
8343 err_unregister_net_hooks:
8344 list_for_each_entry_safe(hook, next, hook_list, list) {
8348 nft_unregister_flowtable_hook(net, flowtable, hook);
8349 list_del_rcu(&hook->list);
8350 kfree_rcu(hook, rcu);
8356 static void nft_hooks_destroy(struct list_head *hook_list)
8358 struct nft_hook *hook, *next;
8360 list_for_each_entry_safe(hook, next, hook_list, list) {
8361 list_del_rcu(&hook->list);
8362 kfree_rcu(hook, rcu);
8366 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8367 struct nft_flowtable *flowtable,
8368 struct netlink_ext_ack *extack)
8370 const struct nlattr * const *nla = ctx->nla;
8371 struct nft_flowtable_hook flowtable_hook;
8372 struct nft_hook *hook, *next;
8373 struct nft_trans *trans;
8374 bool unregister = false;
8378 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8383 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8384 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8385 list_del(&hook->list);
8390 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8391 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8392 if (flags & ~NFT_FLOWTABLE_MASK) {
8394 goto err_flowtable_update_hook;
8396 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8397 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8399 goto err_flowtable_update_hook;
8402 flags = flowtable->data.flags;
8405 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8406 &flowtable_hook.list, flowtable);
8408 goto err_flowtable_update_hook;
8410 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8411 sizeof(struct nft_trans_flowtable));
8415 goto err_flowtable_update_hook;
8418 nft_trans_flowtable_flags(trans) = flags;
8419 nft_trans_flowtable(trans) = flowtable;
8420 nft_trans_flowtable_update(trans) = true;
8421 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8422 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8424 nft_trans_commit_list_add_tail(ctx->net, trans);
8428 err_flowtable_update_hook:
8429 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8431 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8432 list_del_rcu(&hook->list);
8433 kfree_rcu(hook, rcu);
8440 static int nf_tables_newflowtable(struct sk_buff *skb,
8441 const struct nfnl_info *info,
8442 const struct nlattr * const nla[])
8444 struct netlink_ext_ack *extack = info->extack;
8445 struct nft_flowtable_hook flowtable_hook;
8446 u8 genmask = nft_genmask_next(info->net);
8447 u8 family = info->nfmsg->nfgen_family;
8448 const struct nf_flowtable_type *type;
8449 struct nft_flowtable *flowtable;
8450 struct nft_hook *hook, *next;
8451 struct net *net = info->net;
8452 struct nft_table *table;
8456 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8457 !nla[NFTA_FLOWTABLE_NAME] ||
8458 !nla[NFTA_FLOWTABLE_HOOK])
8461 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8462 genmask, NETLINK_CB(skb).portid);
8463 if (IS_ERR(table)) {
8464 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8465 return PTR_ERR(table);
8468 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8470 if (IS_ERR(flowtable)) {
8471 err = PTR_ERR(flowtable);
8472 if (err != -ENOENT) {
8473 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8477 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8478 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8482 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8484 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8487 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8489 if (!nft_use_inc(&table->use))
8492 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8495 goto flowtable_alloc;
8498 flowtable->table = table;
8499 flowtable->handle = nf_tables_alloc_handle(table);
8500 INIT_LIST_HEAD(&flowtable->hook_list);
8502 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8503 if (!flowtable->name) {
8508 type = nft_flowtable_type_get(net, family);
8510 err = PTR_ERR(type);
8514 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8515 flowtable->data.flags =
8516 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8517 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8523 write_pnet(&flowtable->data.net, net);
8524 flowtable->data.type = type;
8525 err = type->init(&flowtable->data);
8529 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8534 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8535 flowtable->data.priority = flowtable_hook.priority;
8536 flowtable->hooknum = flowtable_hook.num;
8538 err = nft_register_flowtable_net_hooks(ctx.net, table,
8539 &flowtable->hook_list,
8542 nft_hooks_destroy(&flowtable->hook_list);
8546 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8550 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8554 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8555 nft_unregister_flowtable_hook(net, flowtable, hook);
8556 list_del_rcu(&hook->list);
8557 kfree_rcu(hook, rcu);
8560 flowtable->data.type->free(&flowtable->data);
8562 module_put(type->owner);
8564 kfree(flowtable->name);
8568 nft_use_dec_restore(&table->use);
8573 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8575 struct nft_hook *this, *next;
8577 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8578 list_del(&this->list);
8583 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8584 struct nft_flowtable *flowtable,
8585 struct netlink_ext_ack *extack)
8587 const struct nlattr * const *nla = ctx->nla;
8588 struct nft_flowtable_hook flowtable_hook;
8589 LIST_HEAD(flowtable_del_list);
8590 struct nft_hook *this, *hook;
8591 struct nft_trans *trans;
8594 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8599 list_for_each_entry(this, &flowtable_hook.list, list) {
8600 hook = nft_hook_list_find(&flowtable->hook_list, this);
8603 goto err_flowtable_del_hook;
8605 list_move(&hook->list, &flowtable_del_list);
8608 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8609 sizeof(struct nft_trans_flowtable));
8612 goto err_flowtable_del_hook;
8615 nft_trans_flowtable(trans) = flowtable;
8616 nft_trans_flowtable_update(trans) = true;
8617 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8618 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8619 nft_flowtable_hook_release(&flowtable_hook);
8621 nft_trans_commit_list_add_tail(ctx->net, trans);
8625 err_flowtable_del_hook:
8626 list_splice(&flowtable_del_list, &flowtable->hook_list);
8627 nft_flowtable_hook_release(&flowtable_hook);
8632 static int nf_tables_delflowtable(struct sk_buff *skb,
8633 const struct nfnl_info *info,
8634 const struct nlattr * const nla[])
8636 struct netlink_ext_ack *extack = info->extack;
8637 u8 genmask = nft_genmask_next(info->net);
8638 u8 family = info->nfmsg->nfgen_family;
8639 struct nft_flowtable *flowtable;
8640 struct net *net = info->net;
8641 const struct nlattr *attr;
8642 struct nft_table *table;
8645 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8646 (!nla[NFTA_FLOWTABLE_NAME] &&
8647 !nla[NFTA_FLOWTABLE_HANDLE]))
8650 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8651 genmask, NETLINK_CB(skb).portid);
8652 if (IS_ERR(table)) {
8653 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8654 return PTR_ERR(table);
8657 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8658 attr = nla[NFTA_FLOWTABLE_HANDLE];
8659 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8661 attr = nla[NFTA_FLOWTABLE_NAME];
8662 flowtable = nft_flowtable_lookup(table, attr, genmask);
8665 if (IS_ERR(flowtable)) {
8666 if (PTR_ERR(flowtable) == -ENOENT &&
8667 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8670 NL_SET_BAD_ATTR(extack, attr);
8671 return PTR_ERR(flowtable);
8674 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8676 if (nla[NFTA_FLOWTABLE_HOOK])
8677 return nft_delflowtable_hook(&ctx, flowtable, extack);
8679 if (flowtable->use > 0) {
8680 NL_SET_BAD_ATTR(extack, attr);
8684 return nft_delflowtable(&ctx, flowtable);
8687 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8688 u32 portid, u32 seq, int event,
8689 u32 flags, int family,
8690 struct nft_flowtable *flowtable,
8691 struct list_head *hook_list)
8693 struct nlattr *nest, *nest_devs;
8694 struct nft_hook *hook;
8695 struct nlmsghdr *nlh;
8697 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8698 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8699 NFNETLINK_V0, nft_base_seq(net));
8701 goto nla_put_failure;
8703 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8704 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8705 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8706 NFTA_FLOWTABLE_PAD))
8707 goto nla_put_failure;
8709 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8710 nlmsg_end(skb, nlh);
8714 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8715 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8716 goto nla_put_failure;
8718 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8720 goto nla_put_failure;
8721 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8722 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8723 goto nla_put_failure;
8725 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8727 goto nla_put_failure;
8730 hook_list = &flowtable->hook_list;
8732 list_for_each_entry_rcu(hook, hook_list, list) {
8733 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8734 goto nla_put_failure;
8736 nla_nest_end(skb, nest_devs);
8737 nla_nest_end(skb, nest);
8739 nlmsg_end(skb, nlh);
8743 nlmsg_trim(skb, nlh);
8747 struct nft_flowtable_filter {
8751 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8752 struct netlink_callback *cb)
8754 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8755 struct nft_flowtable_filter *filter = cb->data;
8756 unsigned int idx = 0, s_idx = cb->args[0];
8757 struct net *net = sock_net(skb->sk);
8758 int family = nfmsg->nfgen_family;
8759 struct nft_flowtable *flowtable;
8760 struct nftables_pernet *nft_net;
8761 const struct nft_table *table;
8764 nft_net = nft_pernet(net);
8765 cb->seq = READ_ONCE(nft_net->base_seq);
8767 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8768 if (family != NFPROTO_UNSPEC && family != table->family)
8771 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8772 if (!nft_is_active(net, flowtable))
8777 memset(&cb->args[1], 0,
8778 sizeof(cb->args) - sizeof(cb->args[0]));
8779 if (filter && filter->table &&
8780 strcmp(filter->table, table->name))
8783 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8785 NFT_MSG_NEWFLOWTABLE,
8786 NLM_F_MULTI | NLM_F_APPEND,
8788 flowtable, NULL) < 0)
8791 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8803 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8805 const struct nlattr * const *nla = cb->data;
8806 struct nft_flowtable_filter *filter = NULL;
8808 if (nla[NFTA_FLOWTABLE_TABLE]) {
8809 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8813 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8815 if (!filter->table) {
8825 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8827 struct nft_flowtable_filter *filter = cb->data;
8832 kfree(filter->table);
8838 /* called with rcu_read_lock held */
8839 static int nf_tables_getflowtable(struct sk_buff *skb,
8840 const struct nfnl_info *info,
8841 const struct nlattr * const nla[])
8843 struct netlink_ext_ack *extack = info->extack;
8844 u8 genmask = nft_genmask_cur(info->net);
8845 u8 family = info->nfmsg->nfgen_family;
8846 struct nft_flowtable *flowtable;
8847 const struct nft_table *table;
8848 struct net *net = info->net;
8849 struct sk_buff *skb2;
8852 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8853 struct netlink_dump_control c = {
8854 .start = nf_tables_dump_flowtable_start,
8855 .dump = nf_tables_dump_flowtable,
8856 .done = nf_tables_dump_flowtable_done,
8857 .module = THIS_MODULE,
8858 .data = (void *)nla,
8861 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8864 if (!nla[NFTA_FLOWTABLE_NAME])
8867 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8869 if (IS_ERR(table)) {
8870 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8871 return PTR_ERR(table);
8874 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8876 if (IS_ERR(flowtable)) {
8877 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8878 return PTR_ERR(flowtable);
8881 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8885 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8886 info->nlh->nlmsg_seq,
8887 NFT_MSG_NEWFLOWTABLE, 0, family,
8890 goto err_fill_flowtable_info;
8892 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8894 err_fill_flowtable_info:
8899 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8900 struct nft_flowtable *flowtable,
8901 struct list_head *hook_list, int event)
8903 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8904 struct sk_buff *skb;
8909 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8912 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8916 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8917 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8919 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8920 ctx->seq, event, flags,
8921 ctx->family, flowtable, hook_list);
8927 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8930 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8933 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8935 struct nft_hook *hook, *next;
8937 flowtable->data.type->free(&flowtable->data);
8938 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8939 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8941 list_del_rcu(&hook->list);
8944 kfree(flowtable->name);
8945 module_put(flowtable->data.type->owner);
8949 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8950 u32 portid, u32 seq)
8952 struct nftables_pernet *nft_net = nft_pernet(net);
8953 struct nlmsghdr *nlh;
8954 char buf[TASK_COMM_LEN];
8955 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8957 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8958 NFNETLINK_V0, nft_base_seq(net));
8960 goto nla_put_failure;
8962 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8963 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8964 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8965 goto nla_put_failure;
8967 nlmsg_end(skb, nlh);
8971 nlmsg_trim(skb, nlh);
8975 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8976 struct nft_flowtable *flowtable)
8978 struct nft_hook *hook;
8980 list_for_each_entry(hook, &flowtable->hook_list, list) {
8981 if (hook->ops.dev != dev)
8984 /* flow_offload_netdev_event() cleans up entries for us. */
8985 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8986 list_del_rcu(&hook->list);
8987 kfree_rcu(hook, rcu);
8992 static int nf_tables_flowtable_event(struct notifier_block *this,
8993 unsigned long event, void *ptr)
8995 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8996 struct nft_flowtable *flowtable;
8997 struct nftables_pernet *nft_net;
8998 struct nft_table *table;
9001 if (event != NETDEV_UNREGISTER)
9005 nft_net = nft_pernet(net);
9006 mutex_lock(&nft_net->commit_mutex);
9007 list_for_each_entry(table, &nft_net->tables, list) {
9008 list_for_each_entry(flowtable, &table->flowtables, list) {
9009 nft_flowtable_event(event, dev, flowtable);
9012 mutex_unlock(&nft_net->commit_mutex);
9017 static struct notifier_block nf_tables_flowtable_notifier = {
9018 .notifier_call = nf_tables_flowtable_event,
9021 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9024 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9025 struct sk_buff *skb2;
9028 if (!nlmsg_report(nlh) &&
9029 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9032 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9036 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9043 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9044 nlmsg_report(nlh), GFP_KERNEL);
9047 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9051 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9052 const struct nlattr * const nla[])
9054 struct sk_buff *skb2;
9057 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9061 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9062 info->nlh->nlmsg_seq);
9064 goto err_fill_gen_info;
9066 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9073 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9074 [NFT_MSG_NEWTABLE] = {
9075 .call = nf_tables_newtable,
9076 .type = NFNL_CB_BATCH,
9077 .attr_count = NFTA_TABLE_MAX,
9078 .policy = nft_table_policy,
9080 [NFT_MSG_GETTABLE] = {
9081 .call = nf_tables_gettable,
9082 .type = NFNL_CB_RCU,
9083 .attr_count = NFTA_TABLE_MAX,
9084 .policy = nft_table_policy,
9086 [NFT_MSG_DELTABLE] = {
9087 .call = nf_tables_deltable,
9088 .type = NFNL_CB_BATCH,
9089 .attr_count = NFTA_TABLE_MAX,
9090 .policy = nft_table_policy,
9092 [NFT_MSG_DESTROYTABLE] = {
9093 .call = nf_tables_deltable,
9094 .type = NFNL_CB_BATCH,
9095 .attr_count = NFTA_TABLE_MAX,
9096 .policy = nft_table_policy,
9098 [NFT_MSG_NEWCHAIN] = {
9099 .call = nf_tables_newchain,
9100 .type = NFNL_CB_BATCH,
9101 .attr_count = NFTA_CHAIN_MAX,
9102 .policy = nft_chain_policy,
9104 [NFT_MSG_GETCHAIN] = {
9105 .call = nf_tables_getchain,
9106 .type = NFNL_CB_RCU,
9107 .attr_count = NFTA_CHAIN_MAX,
9108 .policy = nft_chain_policy,
9110 [NFT_MSG_DELCHAIN] = {
9111 .call = nf_tables_delchain,
9112 .type = NFNL_CB_BATCH,
9113 .attr_count = NFTA_CHAIN_MAX,
9114 .policy = nft_chain_policy,
9116 [NFT_MSG_DESTROYCHAIN] = {
9117 .call = nf_tables_delchain,
9118 .type = NFNL_CB_BATCH,
9119 .attr_count = NFTA_CHAIN_MAX,
9120 .policy = nft_chain_policy,
9122 [NFT_MSG_NEWRULE] = {
9123 .call = nf_tables_newrule,
9124 .type = NFNL_CB_BATCH,
9125 .attr_count = NFTA_RULE_MAX,
9126 .policy = nft_rule_policy,
9128 [NFT_MSG_GETRULE] = {
9129 .call = nf_tables_getrule,
9130 .type = NFNL_CB_RCU,
9131 .attr_count = NFTA_RULE_MAX,
9132 .policy = nft_rule_policy,
9134 [NFT_MSG_GETRULE_RESET] = {
9135 .call = nf_tables_getrule_reset,
9136 .type = NFNL_CB_RCU,
9137 .attr_count = NFTA_RULE_MAX,
9138 .policy = nft_rule_policy,
9140 [NFT_MSG_DELRULE] = {
9141 .call = nf_tables_delrule,
9142 .type = NFNL_CB_BATCH,
9143 .attr_count = NFTA_RULE_MAX,
9144 .policy = nft_rule_policy,
9146 [NFT_MSG_DESTROYRULE] = {
9147 .call = nf_tables_delrule,
9148 .type = NFNL_CB_BATCH,
9149 .attr_count = NFTA_RULE_MAX,
9150 .policy = nft_rule_policy,
9152 [NFT_MSG_NEWSET] = {
9153 .call = nf_tables_newset,
9154 .type = NFNL_CB_BATCH,
9155 .attr_count = NFTA_SET_MAX,
9156 .policy = nft_set_policy,
9158 [NFT_MSG_GETSET] = {
9159 .call = nf_tables_getset,
9160 .type = NFNL_CB_RCU,
9161 .attr_count = NFTA_SET_MAX,
9162 .policy = nft_set_policy,
9164 [NFT_MSG_DELSET] = {
9165 .call = nf_tables_delset,
9166 .type = NFNL_CB_BATCH,
9167 .attr_count = NFTA_SET_MAX,
9168 .policy = nft_set_policy,
9170 [NFT_MSG_DESTROYSET] = {
9171 .call = nf_tables_delset,
9172 .type = NFNL_CB_BATCH,
9173 .attr_count = NFTA_SET_MAX,
9174 .policy = nft_set_policy,
9176 [NFT_MSG_NEWSETELEM] = {
9177 .call = nf_tables_newsetelem,
9178 .type = NFNL_CB_BATCH,
9179 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9180 .policy = nft_set_elem_list_policy,
9182 [NFT_MSG_GETSETELEM] = {
9183 .call = nf_tables_getsetelem,
9184 .type = NFNL_CB_RCU,
9185 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9186 .policy = nft_set_elem_list_policy,
9188 [NFT_MSG_GETSETELEM_RESET] = {
9189 .call = nf_tables_getsetelem_reset,
9190 .type = NFNL_CB_RCU,
9191 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9192 .policy = nft_set_elem_list_policy,
9194 [NFT_MSG_DELSETELEM] = {
9195 .call = nf_tables_delsetelem,
9196 .type = NFNL_CB_BATCH,
9197 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9198 .policy = nft_set_elem_list_policy,
9200 [NFT_MSG_DESTROYSETELEM] = {
9201 .call = nf_tables_delsetelem,
9202 .type = NFNL_CB_BATCH,
9203 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9204 .policy = nft_set_elem_list_policy,
9206 [NFT_MSG_GETGEN] = {
9207 .call = nf_tables_getgen,
9208 .type = NFNL_CB_RCU,
9210 [NFT_MSG_NEWOBJ] = {
9211 .call = nf_tables_newobj,
9212 .type = NFNL_CB_BATCH,
9213 .attr_count = NFTA_OBJ_MAX,
9214 .policy = nft_obj_policy,
9216 [NFT_MSG_GETOBJ] = {
9217 .call = nf_tables_getobj,
9218 .type = NFNL_CB_RCU,
9219 .attr_count = NFTA_OBJ_MAX,
9220 .policy = nft_obj_policy,
9222 [NFT_MSG_DELOBJ] = {
9223 .call = nf_tables_delobj,
9224 .type = NFNL_CB_BATCH,
9225 .attr_count = NFTA_OBJ_MAX,
9226 .policy = nft_obj_policy,
9228 [NFT_MSG_DESTROYOBJ] = {
9229 .call = nf_tables_delobj,
9230 .type = NFNL_CB_BATCH,
9231 .attr_count = NFTA_OBJ_MAX,
9232 .policy = nft_obj_policy,
9234 [NFT_MSG_GETOBJ_RESET] = {
9235 .call = nf_tables_getobj,
9236 .type = NFNL_CB_RCU,
9237 .attr_count = NFTA_OBJ_MAX,
9238 .policy = nft_obj_policy,
9240 [NFT_MSG_NEWFLOWTABLE] = {
9241 .call = nf_tables_newflowtable,
9242 .type = NFNL_CB_BATCH,
9243 .attr_count = NFTA_FLOWTABLE_MAX,
9244 .policy = nft_flowtable_policy,
9246 [NFT_MSG_GETFLOWTABLE] = {
9247 .call = nf_tables_getflowtable,
9248 .type = NFNL_CB_RCU,
9249 .attr_count = NFTA_FLOWTABLE_MAX,
9250 .policy = nft_flowtable_policy,
9252 [NFT_MSG_DELFLOWTABLE] = {
9253 .call = nf_tables_delflowtable,
9254 .type = NFNL_CB_BATCH,
9255 .attr_count = NFTA_FLOWTABLE_MAX,
9256 .policy = nft_flowtable_policy,
9258 [NFT_MSG_DESTROYFLOWTABLE] = {
9259 .call = nf_tables_delflowtable,
9260 .type = NFNL_CB_BATCH,
9261 .attr_count = NFTA_FLOWTABLE_MAX,
9262 .policy = nft_flowtable_policy,
9266 static int nf_tables_validate(struct net *net)
9268 struct nftables_pernet *nft_net = nft_pernet(net);
9269 struct nft_table *table;
9271 list_for_each_entry(table, &nft_net->tables, list) {
9272 switch (table->validate_state) {
9273 case NFT_VALIDATE_SKIP:
9275 case NFT_VALIDATE_NEED:
9276 nft_validate_state_update(table, NFT_VALIDATE_DO);
9278 case NFT_VALIDATE_DO:
9279 if (nft_table_validate(net, table) < 0)
9282 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9290 /* a drop policy has to be deferred until all rules have been activated,
9291 * otherwise a large ruleset that contains a drop-policy base chain will
9292 * cause all packets to get dropped until the full transaction has been
9295 * We defer the drop policy until the transaction has been finalized.
9297 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9299 struct nft_base_chain *basechain;
9301 if (nft_trans_chain_policy(trans) != NF_DROP)
9304 if (!nft_is_base_chain(trans->ctx.chain))
9307 basechain = nft_base_chain(trans->ctx.chain);
9308 basechain->policy = NF_DROP;
9311 static void nft_chain_commit_update(struct nft_trans *trans)
9313 struct nft_base_chain *basechain;
9315 if (nft_trans_chain_name(trans)) {
9316 rhltable_remove(&trans->ctx.table->chains_ht,
9317 &trans->ctx.chain->rhlhead,
9318 nft_chain_ht_params);
9319 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9320 rhltable_insert_key(&trans->ctx.table->chains_ht,
9321 trans->ctx.chain->name,
9322 &trans->ctx.chain->rhlhead,
9323 nft_chain_ht_params);
9326 if (!nft_is_base_chain(trans->ctx.chain))
9329 nft_chain_stats_replace(trans);
9331 basechain = nft_base_chain(trans->ctx.chain);
9333 switch (nft_trans_chain_policy(trans)) {
9336 basechain->policy = nft_trans_chain_policy(trans);
9341 static void nft_obj_commit_update(struct nft_trans *trans)
9343 struct nft_object *newobj;
9344 struct nft_object *obj;
9346 obj = nft_trans_obj(trans);
9347 newobj = nft_trans_obj_newobj(trans);
9349 if (obj->ops->update)
9350 obj->ops->update(obj, newobj);
9352 nft_obj_destroy(&trans->ctx, newobj);
9355 static void nft_commit_release(struct nft_trans *trans)
9357 switch (trans->msg_type) {
9358 case NFT_MSG_DELTABLE:
9359 case NFT_MSG_DESTROYTABLE:
9360 nf_tables_table_destroy(&trans->ctx);
9362 case NFT_MSG_NEWCHAIN:
9363 free_percpu(nft_trans_chain_stats(trans));
9364 kfree(nft_trans_chain_name(trans));
9366 case NFT_MSG_DELCHAIN:
9367 case NFT_MSG_DESTROYCHAIN:
9368 if (nft_trans_chain_update(trans))
9369 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9371 nf_tables_chain_destroy(&trans->ctx);
9373 case NFT_MSG_DELRULE:
9374 case NFT_MSG_DESTROYRULE:
9375 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9377 case NFT_MSG_DELSET:
9378 case NFT_MSG_DESTROYSET:
9379 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9381 case NFT_MSG_DELSETELEM:
9382 case NFT_MSG_DESTROYSETELEM:
9383 nf_tables_set_elem_destroy(&trans->ctx,
9384 nft_trans_elem_set(trans),
9385 nft_trans_elem_priv(trans));
9387 case NFT_MSG_DELOBJ:
9388 case NFT_MSG_DESTROYOBJ:
9389 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9391 case NFT_MSG_DELFLOWTABLE:
9392 case NFT_MSG_DESTROYFLOWTABLE:
9393 if (nft_trans_flowtable_update(trans))
9394 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9396 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9401 put_net(trans->ctx.net);
9406 static void nf_tables_trans_destroy_work(struct work_struct *w)
9408 struct nft_trans *trans, *next;
9411 spin_lock(&nf_tables_destroy_list_lock);
9412 list_splice_init(&nf_tables_destroy_list, &head);
9413 spin_unlock(&nf_tables_destroy_list_lock);
9415 if (list_empty(&head))
9420 list_for_each_entry_safe(trans, next, &head, list) {
9421 nft_trans_list_del(trans);
9422 nft_commit_release(trans);
9426 void nf_tables_trans_destroy_flush_work(void)
9428 flush_work(&trans_destroy_work);
9430 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9432 static bool nft_expr_reduce(struct nft_regs_track *track,
9433 const struct nft_expr *expr)
9438 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9440 const struct nft_expr *expr, *last;
9441 struct nft_regs_track track = {};
9442 unsigned int size, data_size;
9443 void *data, *data_boundary;
9444 struct nft_rule_dp *prule;
9445 struct nft_rule *rule;
9447 /* already handled or inactive chain? */
9448 if (chain->blob_next || !nft_is_active_next(net, chain))
9452 list_for_each_entry(rule, &chain->rules, list) {
9453 if (nft_is_active_next(net, rule)) {
9454 data_size += sizeof(*prule) + rule->dlen;
9455 if (data_size > INT_MAX)
9460 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9461 if (!chain->blob_next)
9464 data = (void *)chain->blob_next->data;
9465 data_boundary = data + data_size;
9468 list_for_each_entry(rule, &chain->rules, list) {
9469 if (!nft_is_active_next(net, rule))
9472 prule = (struct nft_rule_dp *)data;
9473 data += offsetof(struct nft_rule_dp, data);
9474 if (WARN_ON_ONCE(data > data_boundary))
9478 track.last = nft_expr_last(rule);
9479 nft_rule_for_each_expr(expr, last, rule) {
9482 if (nft_expr_reduce(&track, expr)) {
9487 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9490 memcpy(data + size, expr, expr->ops->size);
9491 size += expr->ops->size;
9493 if (WARN_ON_ONCE(size >= 1 << 12))
9496 prule->handle = rule->handle;
9502 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9505 if (WARN_ON_ONCE(data > data_boundary))
9508 prule = (struct nft_rule_dp *)data;
9509 nft_last_rule(chain, prule);
9514 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9516 struct nftables_pernet *nft_net = nft_pernet(net);
9517 struct nft_trans *trans, *next;
9519 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9520 struct nft_chain *chain = trans->ctx.chain;
9522 if (trans->msg_type == NFT_MSG_NEWRULE ||
9523 trans->msg_type == NFT_MSG_DELRULE) {
9524 kvfree(chain->blob_next);
9525 chain->blob_next = NULL;
9530 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9532 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9537 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9539 struct nft_rule_dp_last *last;
9541 /* last rule trailer is after end marker */
9542 last = (void *)blob + sizeof(*blob) + blob->size;
9545 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9548 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9550 struct nft_rule_blob *g0, *g1;
9553 next_genbit = nft_gencursor_next(net);
9555 g0 = rcu_dereference_protected(chain->blob_gen_0,
9556 lockdep_commit_lock_is_held(net));
9557 g1 = rcu_dereference_protected(chain->blob_gen_1,
9558 lockdep_commit_lock_is_held(net));
9560 /* No changes to this chain? */
9561 if (chain->blob_next == NULL) {
9562 /* chain had no change in last or next generation */
9566 * chain had no change in this generation; make sure next
9567 * one uses same rules as current generation.
9570 rcu_assign_pointer(chain->blob_gen_1, g0);
9571 nf_tables_commit_chain_free_rules_old(g1);
9573 rcu_assign_pointer(chain->blob_gen_0, g1);
9574 nf_tables_commit_chain_free_rules_old(g0);
9581 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9583 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9585 chain->blob_next = NULL;
9591 nf_tables_commit_chain_free_rules_old(g1);
9593 nf_tables_commit_chain_free_rules_old(g0);
9596 static void nft_obj_del(struct nft_object *obj)
9598 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9599 list_del_rcu(&obj->list);
9602 void nft_chain_del(struct nft_chain *chain)
9604 struct nft_table *table = chain->table;
9606 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9607 nft_chain_ht_params));
9608 list_del_rcu(&chain->list);
9611 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9612 struct nft_trans_gc *trans)
9614 struct nft_elem_priv **priv = trans->priv;
9617 for (i = 0; i < trans->count; i++) {
9618 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9619 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9623 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9625 nft_set_put(trans->set);
9626 put_net(trans->net);
9630 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9632 struct nft_elem_priv *elem_priv;
9633 struct nft_trans_gc *trans;
9634 struct nft_ctx ctx = {};
9637 trans = container_of(rcu, struct nft_trans_gc, rcu);
9638 ctx.net = read_pnet(&trans->set->net);
9640 for (i = 0; i < trans->count; i++) {
9641 elem_priv = trans->priv[i];
9642 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9643 atomic_dec(&trans->set->nelems);
9645 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9648 nft_trans_gc_destroy(trans);
9651 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9653 struct nftables_pernet *nft_net;
9654 struct nft_ctx ctx = {};
9656 nft_net = nft_pernet(trans->net);
9658 mutex_lock(&nft_net->commit_mutex);
9660 /* Check for race with transaction, otherwise this batch refers to
9661 * stale objects that might not be there anymore. Skip transaction if
9662 * set has been destroyed from control plane transaction in case gc
9663 * worker loses race.
9665 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9666 mutex_unlock(&nft_net->commit_mutex);
9670 ctx.net = trans->net;
9671 ctx.table = trans->set->table;
9673 nft_trans_gc_setelem_remove(&ctx, trans);
9674 mutex_unlock(&nft_net->commit_mutex);
9679 static void nft_trans_gc_work(struct work_struct *work)
9681 struct nft_trans_gc *trans, *next;
9682 LIST_HEAD(trans_gc_list);
9684 spin_lock(&nf_tables_gc_list_lock);
9685 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9686 spin_unlock(&nf_tables_gc_list_lock);
9688 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9689 list_del(&trans->list);
9690 if (!nft_trans_gc_work_done(trans)) {
9691 nft_trans_gc_destroy(trans);
9694 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9698 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9699 unsigned int gc_seq, gfp_t gfp)
9701 struct net *net = read_pnet(&set->net);
9702 struct nft_trans_gc *trans;
9704 trans = kzalloc(sizeof(*trans), gfp);
9708 trans->net = maybe_get_net(net);
9714 refcount_inc(&set->refs);
9716 trans->seq = gc_seq;
9721 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9723 trans->priv[trans->count++] = priv;
9726 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9728 spin_lock(&nf_tables_gc_list_lock);
9729 list_add_tail(&trans->list, &nf_tables_gc_list);
9730 spin_unlock(&nf_tables_gc_list_lock);
9732 schedule_work(&trans_gc_work);
9735 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9737 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9740 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9741 unsigned int gc_seq, gfp_t gfp)
9743 struct nft_set *set;
9745 if (nft_trans_gc_space(gc))
9749 nft_trans_gc_queue_work(gc);
9751 return nft_trans_gc_alloc(set, gc_seq, gfp);
9754 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9756 if (trans->count == 0) {
9757 nft_trans_gc_destroy(trans);
9761 nft_trans_gc_queue_work(trans);
9764 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9766 struct nft_set *set;
9768 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9771 if (nft_trans_gc_space(gc))
9775 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9777 return nft_trans_gc_alloc(set, 0, gfp);
9780 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9782 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9784 if (trans->count == 0) {
9785 nft_trans_gc_destroy(trans);
9789 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9792 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9793 unsigned int gc_seq)
9795 struct nft_set_elem_catchall *catchall;
9796 const struct nft_set *set = gc->set;
9797 struct nft_set_ext *ext;
9799 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9800 ext = nft_set_elem_ext(set, catchall->elem);
9802 if (!nft_set_elem_expired(ext))
9804 if (nft_set_elem_is_dead(ext))
9807 nft_set_elem_dead(ext);
9809 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9813 nft_trans_gc_elem_add(gc, catchall->elem);
9819 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9821 struct nft_set_elem_catchall *catchall, *next;
9822 const struct nft_set *set = gc->set;
9823 struct nft_elem_priv *elem_priv;
9824 struct nft_set_ext *ext;
9826 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9828 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9829 ext = nft_set_elem_ext(set, catchall->elem);
9831 if (!nft_set_elem_expired(ext))
9834 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9838 elem_priv = catchall->elem;
9839 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
9840 nft_setelem_catchall_destroy(catchall);
9841 nft_trans_gc_elem_add(gc, elem_priv);
9847 static void nf_tables_module_autoload_cleanup(struct net *net)
9849 struct nftables_pernet *nft_net = nft_pernet(net);
9850 struct nft_module_request *req, *next;
9852 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9853 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9854 WARN_ON_ONCE(!req->done);
9855 list_del(&req->list);
9860 static void nf_tables_commit_release(struct net *net)
9862 struct nftables_pernet *nft_net = nft_pernet(net);
9863 struct nft_trans *trans;
9865 /* all side effects have to be made visible.
9866 * For example, if a chain named 'foo' has been deleted, a
9867 * new transaction must not find it anymore.
9869 * Memory reclaim happens asynchronously from work queue
9870 * to prevent expensive synchronize_rcu() in commit phase.
9872 if (list_empty(&nft_net->commit_list)) {
9873 nf_tables_module_autoload_cleanup(net);
9874 mutex_unlock(&nft_net->commit_mutex);
9878 trans = list_last_entry(&nft_net->commit_list,
9879 struct nft_trans, list);
9880 get_net(trans->ctx.net);
9881 WARN_ON_ONCE(trans->put_net);
9883 trans->put_net = true;
9884 spin_lock(&nf_tables_destroy_list_lock);
9885 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9886 spin_unlock(&nf_tables_destroy_list_lock);
9888 nf_tables_module_autoload_cleanup(net);
9889 schedule_work(&trans_destroy_work);
9891 mutex_unlock(&nft_net->commit_mutex);
9894 static void nft_commit_notify(struct net *net, u32 portid)
9896 struct nftables_pernet *nft_net = nft_pernet(net);
9897 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9898 unsigned char *data;
9901 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9905 len = NLMSG_GOODSIZE - skb->len;
9906 list_del(&skb->list);
9910 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9911 data = skb_put(batch_skb, skb->len);
9912 memcpy(data, skb->data, skb->len);
9913 list_del(&skb->list);
9917 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9918 NFT_CB(batch_skb).report, GFP_KERNEL);
9923 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9924 NFT_CB(batch_skb).report, GFP_KERNEL);
9927 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9930 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9931 struct nft_table *table)
9933 struct nft_audit_data *adp;
9935 list_for_each_entry(adp, adl, list) {
9936 if (adp->table == table)
9939 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9943 list_add(&adp->list, adl);
9947 static void nf_tables_commit_audit_free(struct list_head *adl)
9949 struct nft_audit_data *adp, *adn;
9951 list_for_each_entry_safe(adp, adn, adl, list) {
9952 list_del(&adp->list);
9957 static void nf_tables_commit_audit_collect(struct list_head *adl,
9958 struct nft_table *table, u32 op)
9960 struct nft_audit_data *adp;
9962 list_for_each_entry(adp, adl, list) {
9963 if (adp->table == table)
9966 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9970 if (!adp->op || adp->op > op)
9974 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9976 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9978 struct nft_audit_data *adp, *adn;
9979 char aubuf[AUNFTABLENAMELEN];
9981 list_for_each_entry_safe(adp, adn, adl, list) {
9982 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
9984 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
9985 nft2audit_op[adp->op], GFP_KERNEL);
9986 list_del(&adp->list);
9991 static void nft_set_commit_update(struct list_head *set_update_list)
9993 struct nft_set *set, *next;
9995 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9996 list_del_init(&set->pending_update);
9998 if (!set->ops->commit || set->dead)
10001 set->ops->commit(set);
10005 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10007 unsigned int gc_seq;
10009 /* Bump gc counter, it becomes odd, this is the busy mark. */
10010 gc_seq = READ_ONCE(nft_net->gc_seq);
10011 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10016 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10018 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10021 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10023 struct nftables_pernet *nft_net = nft_pernet(net);
10024 struct nft_trans *trans, *next;
10025 unsigned int base_seq, gc_seq;
10026 LIST_HEAD(set_update_list);
10027 struct nft_trans_elem *te;
10028 struct nft_chain *chain;
10029 struct nft_table *table;
10033 if (list_empty(&nft_net->commit_list)) {
10034 mutex_unlock(&nft_net->commit_mutex);
10038 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
10039 switch (trans->msg_type) {
10040 case NFT_MSG_NEWSET:
10041 if (!nft_trans_set_update(trans) &&
10042 nft_set_is_anonymous(nft_trans_set(trans)) &&
10043 !nft_trans_set_bound(trans)) {
10044 pr_warn_once("nftables ruleset with unbound set\n");
10048 case NFT_MSG_NEWCHAIN:
10049 if (!nft_trans_chain_update(trans) &&
10050 nft_chain_binding(nft_trans_chain(trans)) &&
10051 !nft_trans_chain_bound(trans)) {
10052 pr_warn_once("nftables ruleset with unbound chain\n");
10059 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10060 if (nf_tables_validate(net) < 0) {
10061 nft_net->validate_state = NFT_VALIDATE_DO;
10065 err = nft_flow_rule_offload_commit(net);
10069 /* 1. Allocate space for next generation rules_gen_X[] */
10070 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10073 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
10075 nf_tables_commit_chain_prepare_cancel(net);
10076 nf_tables_commit_audit_free(&adl);
10079 if (trans->msg_type == NFT_MSG_NEWRULE ||
10080 trans->msg_type == NFT_MSG_DELRULE) {
10081 chain = trans->ctx.chain;
10083 ret = nf_tables_commit_chain_prepare(net, chain);
10085 nf_tables_commit_chain_prepare_cancel(net);
10086 nf_tables_commit_audit_free(&adl);
10092 /* step 2. Make rules_gen_X visible to packet path */
10093 list_for_each_entry(table, &nft_net->tables, list) {
10094 list_for_each_entry(chain, &table->chains, list)
10095 nf_tables_commit_chain(net, chain);
10099 * Bump generation counter, invalidate any dump in progress.
10100 * Cannot fail after this point.
10102 base_seq = READ_ONCE(nft_net->base_seq);
10103 while (++base_seq == 0)
10106 WRITE_ONCE(nft_net->base_seq, base_seq);
10108 gc_seq = nft_gc_seq_begin(nft_net);
10110 /* step 3. Start new generation, rules_gen_X now in use. */
10111 net->nft.gencursor = nft_gencursor_next(net);
10113 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10114 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
10116 switch (trans->msg_type) {
10117 case NFT_MSG_NEWTABLE:
10118 if (nft_trans_table_update(trans)) {
10119 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10120 nft_trans_destroy(trans);
10123 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10124 nf_tables_table_disable(net, trans->ctx.table);
10126 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10128 nft_clear(net, trans->ctx.table);
10130 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
10131 nft_trans_destroy(trans);
10133 case NFT_MSG_DELTABLE:
10134 case NFT_MSG_DESTROYTABLE:
10135 list_del_rcu(&trans->ctx.table->list);
10136 nf_tables_table_notify(&trans->ctx, trans->msg_type);
10138 case NFT_MSG_NEWCHAIN:
10139 if (nft_trans_chain_update(trans)) {
10140 nft_chain_commit_update(trans);
10141 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
10142 &nft_trans_chain_hooks(trans));
10143 list_splice(&nft_trans_chain_hooks(trans),
10144 &nft_trans_basechain(trans)->hook_list);
10145 /* trans destroyed after rcu grace period */
10147 nft_chain_commit_drop_policy(trans);
10148 nft_clear(net, trans->ctx.chain);
10149 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
10150 nft_trans_destroy(trans);
10153 case NFT_MSG_DELCHAIN:
10154 case NFT_MSG_DESTROYCHAIN:
10155 if (nft_trans_chain_update(trans)) {
10156 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10157 &nft_trans_chain_hooks(trans));
10158 nft_netdev_unregister_hooks(net,
10159 &nft_trans_chain_hooks(trans),
10162 nft_chain_del(trans->ctx.chain);
10163 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10165 nf_tables_unregister_hook(trans->ctx.net,
10170 case NFT_MSG_NEWRULE:
10171 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10172 nf_tables_rule_notify(&trans->ctx,
10173 nft_trans_rule(trans),
10175 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10176 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10178 nft_trans_destroy(trans);
10180 case NFT_MSG_DELRULE:
10181 case NFT_MSG_DESTROYRULE:
10182 list_del_rcu(&nft_trans_rule(trans)->list);
10183 nf_tables_rule_notify(&trans->ctx,
10184 nft_trans_rule(trans),
10186 nft_rule_expr_deactivate(&trans->ctx,
10187 nft_trans_rule(trans),
10190 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10191 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10193 case NFT_MSG_NEWSET:
10194 if (nft_trans_set_update(trans)) {
10195 struct nft_set *set = nft_trans_set(trans);
10197 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10198 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10200 if (nft_trans_set_size(trans))
10201 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10203 nft_clear(net, nft_trans_set(trans));
10204 /* This avoids hitting -EBUSY when deleting the table
10205 * from the transaction.
10207 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10208 !list_empty(&nft_trans_set(trans)->bindings))
10209 nft_use_dec(&trans->ctx.table->use);
10211 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10212 NFT_MSG_NEWSET, GFP_KERNEL);
10213 nft_trans_destroy(trans);
10215 case NFT_MSG_DELSET:
10216 case NFT_MSG_DESTROYSET:
10217 nft_trans_set(trans)->dead = 1;
10218 list_del_rcu(&nft_trans_set(trans)->list);
10219 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10220 trans->msg_type, GFP_KERNEL);
10222 case NFT_MSG_NEWSETELEM:
10223 te = (struct nft_trans_elem *)trans->data;
10225 nft_setelem_activate(net, te->set, te->elem_priv);
10226 nf_tables_setelem_notify(&trans->ctx, te->set,
10228 NFT_MSG_NEWSETELEM);
10229 if (te->set->ops->commit &&
10230 list_empty(&te->set->pending_update)) {
10231 list_add_tail(&te->set->pending_update,
10234 nft_trans_destroy(trans);
10236 case NFT_MSG_DELSETELEM:
10237 case NFT_MSG_DESTROYSETELEM:
10238 te = (struct nft_trans_elem *)trans->data;
10240 nf_tables_setelem_notify(&trans->ctx, te->set,
10243 nft_setelem_remove(net, te->set, te->elem_priv);
10244 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10245 atomic_dec(&te->set->nelems);
10248 if (te->set->ops->commit &&
10249 list_empty(&te->set->pending_update)) {
10250 list_add_tail(&te->set->pending_update,
10254 case NFT_MSG_NEWOBJ:
10255 if (nft_trans_obj_update(trans)) {
10256 nft_obj_commit_update(trans);
10257 nf_tables_obj_notify(&trans->ctx,
10258 nft_trans_obj(trans),
10261 nft_clear(net, nft_trans_obj(trans));
10262 nf_tables_obj_notify(&trans->ctx,
10263 nft_trans_obj(trans),
10265 nft_trans_destroy(trans);
10268 case NFT_MSG_DELOBJ:
10269 case NFT_MSG_DESTROYOBJ:
10270 nft_obj_del(nft_trans_obj(trans));
10271 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
10274 case NFT_MSG_NEWFLOWTABLE:
10275 if (nft_trans_flowtable_update(trans)) {
10276 nft_trans_flowtable(trans)->data.flags =
10277 nft_trans_flowtable_flags(trans);
10278 nf_tables_flowtable_notify(&trans->ctx,
10279 nft_trans_flowtable(trans),
10280 &nft_trans_flowtable_hooks(trans),
10281 NFT_MSG_NEWFLOWTABLE);
10282 list_splice(&nft_trans_flowtable_hooks(trans),
10283 &nft_trans_flowtable(trans)->hook_list);
10285 nft_clear(net, nft_trans_flowtable(trans));
10286 nf_tables_flowtable_notify(&trans->ctx,
10287 nft_trans_flowtable(trans),
10289 NFT_MSG_NEWFLOWTABLE);
10291 nft_trans_destroy(trans);
10293 case NFT_MSG_DELFLOWTABLE:
10294 case NFT_MSG_DESTROYFLOWTABLE:
10295 if (nft_trans_flowtable_update(trans)) {
10296 nf_tables_flowtable_notify(&trans->ctx,
10297 nft_trans_flowtable(trans),
10298 &nft_trans_flowtable_hooks(trans),
10300 nft_unregister_flowtable_net_hooks(net,
10301 &nft_trans_flowtable_hooks(trans));
10303 list_del_rcu(&nft_trans_flowtable(trans)->list);
10304 nf_tables_flowtable_notify(&trans->ctx,
10305 nft_trans_flowtable(trans),
10308 nft_unregister_flowtable_net_hooks(net,
10309 &nft_trans_flowtable(trans)->hook_list);
10315 nft_set_commit_update(&set_update_list);
10317 nft_commit_notify(net, NETLINK_CB(skb).portid);
10318 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10319 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10321 nft_gc_seq_end(nft_net, gc_seq);
10322 nft_net->validate_state = NFT_VALIDATE_SKIP;
10323 nf_tables_commit_release(net);
10328 static void nf_tables_module_autoload(struct net *net)
10330 struct nftables_pernet *nft_net = nft_pernet(net);
10331 struct nft_module_request *req, *next;
10332 LIST_HEAD(module_list);
10334 list_splice_init(&nft_net->module_list, &module_list);
10335 mutex_unlock(&nft_net->commit_mutex);
10336 list_for_each_entry_safe(req, next, &module_list, list) {
10337 request_module("%s", req->module);
10340 mutex_lock(&nft_net->commit_mutex);
10341 list_splice(&module_list, &nft_net->module_list);
10344 static void nf_tables_abort_release(struct nft_trans *trans)
10346 switch (trans->msg_type) {
10347 case NFT_MSG_NEWTABLE:
10348 nf_tables_table_destroy(&trans->ctx);
10350 case NFT_MSG_NEWCHAIN:
10351 if (nft_trans_chain_update(trans))
10352 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10354 nf_tables_chain_destroy(&trans->ctx);
10356 case NFT_MSG_NEWRULE:
10357 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
10359 case NFT_MSG_NEWSET:
10360 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
10362 case NFT_MSG_NEWSETELEM:
10363 nft_set_elem_destroy(nft_trans_elem_set(trans),
10364 nft_trans_elem_priv(trans), true);
10366 case NFT_MSG_NEWOBJ:
10367 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
10369 case NFT_MSG_NEWFLOWTABLE:
10370 if (nft_trans_flowtable_update(trans))
10371 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10373 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10379 static void nft_set_abort_update(struct list_head *set_update_list)
10381 struct nft_set *set, *next;
10383 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10384 list_del_init(&set->pending_update);
10386 if (!set->ops->abort)
10389 set->ops->abort(set);
10393 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10395 struct nftables_pernet *nft_net = nft_pernet(net);
10396 struct nft_trans *trans, *next;
10397 LIST_HEAD(set_update_list);
10398 struct nft_trans_elem *te;
10400 if (action == NFNL_ABORT_VALIDATE &&
10401 nf_tables_validate(net) < 0)
10404 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10406 switch (trans->msg_type) {
10407 case NFT_MSG_NEWTABLE:
10408 if (nft_trans_table_update(trans)) {
10409 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10410 nft_trans_destroy(trans);
10413 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10414 nf_tables_table_disable(net, trans->ctx.table);
10415 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10416 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10417 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10419 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10420 nft_trans_destroy(trans);
10422 list_del_rcu(&trans->ctx.table->list);
10425 case NFT_MSG_DELTABLE:
10426 case NFT_MSG_DESTROYTABLE:
10427 nft_clear(trans->ctx.net, trans->ctx.table);
10428 nft_trans_destroy(trans);
10430 case NFT_MSG_NEWCHAIN:
10431 if (nft_trans_chain_update(trans)) {
10432 nft_netdev_unregister_hooks(net,
10433 &nft_trans_chain_hooks(trans),
10435 free_percpu(nft_trans_chain_stats(trans));
10436 kfree(nft_trans_chain_name(trans));
10437 nft_trans_destroy(trans);
10439 if (nft_trans_chain_bound(trans)) {
10440 nft_trans_destroy(trans);
10443 nft_use_dec_restore(&trans->ctx.table->use);
10444 nft_chain_del(trans->ctx.chain);
10445 nf_tables_unregister_hook(trans->ctx.net,
10450 case NFT_MSG_DELCHAIN:
10451 case NFT_MSG_DESTROYCHAIN:
10452 if (nft_trans_chain_update(trans)) {
10453 list_splice(&nft_trans_chain_hooks(trans),
10454 &nft_trans_basechain(trans)->hook_list);
10456 nft_use_inc_restore(&trans->ctx.table->use);
10457 nft_clear(trans->ctx.net, trans->ctx.chain);
10459 nft_trans_destroy(trans);
10461 case NFT_MSG_NEWRULE:
10462 if (nft_trans_rule_bound(trans)) {
10463 nft_trans_destroy(trans);
10466 nft_use_dec_restore(&trans->ctx.chain->use);
10467 list_del_rcu(&nft_trans_rule(trans)->list);
10468 nft_rule_expr_deactivate(&trans->ctx,
10469 nft_trans_rule(trans),
10471 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10472 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10474 case NFT_MSG_DELRULE:
10475 case NFT_MSG_DESTROYRULE:
10476 nft_use_inc_restore(&trans->ctx.chain->use);
10477 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10478 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
10479 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10480 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10482 nft_trans_destroy(trans);
10484 case NFT_MSG_NEWSET:
10485 if (nft_trans_set_update(trans)) {
10486 nft_trans_destroy(trans);
10489 nft_use_dec_restore(&trans->ctx.table->use);
10490 if (nft_trans_set_bound(trans)) {
10491 nft_trans_destroy(trans);
10494 nft_trans_set(trans)->dead = 1;
10495 list_del_rcu(&nft_trans_set(trans)->list);
10497 case NFT_MSG_DELSET:
10498 case NFT_MSG_DESTROYSET:
10499 nft_use_inc_restore(&trans->ctx.table->use);
10500 nft_clear(trans->ctx.net, nft_trans_set(trans));
10501 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10502 nft_map_activate(&trans->ctx, nft_trans_set(trans));
10504 nft_trans_destroy(trans);
10506 case NFT_MSG_NEWSETELEM:
10507 if (nft_trans_elem_set_bound(trans)) {
10508 nft_trans_destroy(trans);
10511 te = (struct nft_trans_elem *)trans->data;
10512 nft_setelem_remove(net, te->set, te->elem_priv);
10513 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10514 atomic_dec(&te->set->nelems);
10516 if (te->set->ops->abort &&
10517 list_empty(&te->set->pending_update)) {
10518 list_add_tail(&te->set->pending_update,
10522 case NFT_MSG_DELSETELEM:
10523 case NFT_MSG_DESTROYSETELEM:
10524 te = (struct nft_trans_elem *)trans->data;
10526 nft_setelem_data_activate(net, te->set, te->elem_priv);
10527 nft_setelem_activate(net, te->set, te->elem_priv);
10528 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10531 if (te->set->ops->abort &&
10532 list_empty(&te->set->pending_update)) {
10533 list_add_tail(&te->set->pending_update,
10536 nft_trans_destroy(trans);
10538 case NFT_MSG_NEWOBJ:
10539 if (nft_trans_obj_update(trans)) {
10540 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
10541 nft_trans_destroy(trans);
10543 nft_use_dec_restore(&trans->ctx.table->use);
10544 nft_obj_del(nft_trans_obj(trans));
10547 case NFT_MSG_DELOBJ:
10548 case NFT_MSG_DESTROYOBJ:
10549 nft_use_inc_restore(&trans->ctx.table->use);
10550 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10551 nft_trans_destroy(trans);
10553 case NFT_MSG_NEWFLOWTABLE:
10554 if (nft_trans_flowtable_update(trans)) {
10555 nft_unregister_flowtable_net_hooks(net,
10556 &nft_trans_flowtable_hooks(trans));
10558 nft_use_dec_restore(&trans->ctx.table->use);
10559 list_del_rcu(&nft_trans_flowtable(trans)->list);
10560 nft_unregister_flowtable_net_hooks(net,
10561 &nft_trans_flowtable(trans)->hook_list);
10564 case NFT_MSG_DELFLOWTABLE:
10565 case NFT_MSG_DESTROYFLOWTABLE:
10566 if (nft_trans_flowtable_update(trans)) {
10567 list_splice(&nft_trans_flowtable_hooks(trans),
10568 &nft_trans_flowtable(trans)->hook_list);
10570 nft_use_inc_restore(&trans->ctx.table->use);
10571 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10573 nft_trans_destroy(trans);
10578 nft_set_abort_update(&set_update_list);
10582 list_for_each_entry_safe_reverse(trans, next,
10583 &nft_net->commit_list, list) {
10584 nft_trans_list_del(trans);
10585 nf_tables_abort_release(trans);
10588 if (action == NFNL_ABORT_AUTOLOAD)
10589 nf_tables_module_autoload(net);
10591 nf_tables_module_autoload_cleanup(net);
10596 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10597 enum nfnl_abort_action action)
10599 struct nftables_pernet *nft_net = nft_pernet(net);
10600 unsigned int gc_seq;
10603 gc_seq = nft_gc_seq_begin(nft_net);
10604 ret = __nf_tables_abort(net, action);
10605 nft_gc_seq_end(nft_net, gc_seq);
10606 mutex_unlock(&nft_net->commit_mutex);
10611 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10613 struct nftables_pernet *nft_net = nft_pernet(net);
10616 mutex_lock(&nft_net->commit_mutex);
10618 genid_ok = genid == 0 || nft_net->base_seq == genid;
10620 mutex_unlock(&nft_net->commit_mutex);
10622 /* else, commit mutex has to be released by commit or abort function */
10626 static const struct nfnetlink_subsystem nf_tables_subsys = {
10627 .name = "nf_tables",
10628 .subsys_id = NFNL_SUBSYS_NFTABLES,
10629 .cb_count = NFT_MSG_MAX,
10630 .cb = nf_tables_cb,
10631 .commit = nf_tables_commit,
10632 .abort = nf_tables_abort,
10633 .valid_genid = nf_tables_valid_genid,
10634 .owner = THIS_MODULE,
10637 int nft_chain_validate_dependency(const struct nft_chain *chain,
10638 enum nft_chain_types type)
10640 const struct nft_base_chain *basechain;
10642 if (nft_is_base_chain(chain)) {
10643 basechain = nft_base_chain(chain);
10644 if (basechain->type->type != type)
10645 return -EOPNOTSUPP;
10649 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10651 int nft_chain_validate_hooks(const struct nft_chain *chain,
10652 unsigned int hook_flags)
10654 struct nft_base_chain *basechain;
10656 if (nft_is_base_chain(chain)) {
10657 basechain = nft_base_chain(chain);
10659 if ((1 << basechain->ops.hooknum) & hook_flags)
10662 return -EOPNOTSUPP;
10667 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10670 * Loop detection - walk through the ruleset beginning at the destination chain
10671 * of a new jump until either the source chain is reached (loop) or all
10672 * reachable chains have been traversed.
10674 * The loop check is performed whenever a new jump verdict is added to an
10675 * expression or verdict map or a verdict map is bound to a new chain.
10678 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10679 const struct nft_chain *chain);
10681 static int nft_check_loops(const struct nft_ctx *ctx,
10682 const struct nft_set_ext *ext)
10684 const struct nft_data *data;
10687 data = nft_set_ext_data(ext);
10688 switch (data->verdict.code) {
10691 ret = nf_tables_check_loops(ctx, data->verdict.chain);
10701 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
10702 struct nft_set *set,
10703 const struct nft_set_iter *iter,
10704 struct nft_elem_priv *elem_priv)
10706 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
10708 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
10709 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10712 return nft_check_loops(ctx, ext);
10715 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10716 struct nft_set *set)
10718 u8 genmask = nft_genmask_next(ctx->net);
10719 struct nft_set_elem_catchall *catchall;
10720 struct nft_set_ext *ext;
10723 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10724 ext = nft_set_elem_ext(set, catchall->elem);
10725 if (!nft_set_elem_active(ext, genmask))
10728 ret = nft_check_loops(ctx, ext);
10736 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10737 const struct nft_chain *chain)
10739 const struct nft_rule *rule;
10740 const struct nft_expr *expr, *last;
10741 struct nft_set *set;
10742 struct nft_set_binding *binding;
10743 struct nft_set_iter iter;
10745 if (ctx->chain == chain)
10748 if (fatal_signal_pending(current))
10751 list_for_each_entry(rule, &chain->rules, list) {
10752 nft_rule_for_each_expr(expr, last, rule) {
10753 struct nft_immediate_expr *priv;
10754 const struct nft_data *data;
10757 if (strcmp(expr->ops->type->name, "immediate"))
10760 priv = nft_expr_priv(expr);
10761 if (priv->dreg != NFT_REG_VERDICT)
10764 data = &priv->data;
10765 switch (data->verdict.code) {
10768 err = nf_tables_check_loops(ctx,
10769 data->verdict.chain);
10779 list_for_each_entry(set, &ctx->table->sets, list) {
10780 if (!nft_is_active_next(ctx->net, set))
10782 if (!(set->flags & NFT_SET_MAP) ||
10783 set->dtype != NFT_DATA_VERDICT)
10786 list_for_each_entry(binding, &set->bindings, list) {
10787 if (!(binding->flags & NFT_SET_MAP) ||
10788 binding->chain != chain)
10791 iter.genmask = nft_genmask_next(ctx->net);
10795 iter.fn = nf_tables_loop_check_setelem;
10797 set->ops->walk(ctx, set, &iter);
10799 iter.err = nft_set_catchall_loops(ctx, set);
10810 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10812 * @attr: netlink attribute to fetch value from
10813 * @max: maximum value to be stored in dest
10814 * @dest: pointer to the variable
10816 * Parse, check and store a given u32 netlink attribute into variable.
10817 * This function returns -ERANGE if the value goes over maximum value.
10818 * Otherwise a 0 is returned and the attribute value is stored in the
10819 * destination variable.
10821 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10825 val = ntohl(nla_get_be32(attr));
10832 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10834 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10838 reg = ntohl(nla_get_be32(attr));
10840 case NFT_REG_VERDICT...NFT_REG_4:
10841 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10843 case NFT_REG32_00...NFT_REG32_15:
10844 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10854 * nft_dump_register - dump a register value to a netlink attribute
10856 * @skb: socket buffer
10857 * @attr: attribute number
10858 * @reg: register number
10860 * Construct a netlink attribute containing the register number. For
10861 * compatibility reasons, register numbers being a multiple of 4 are
10862 * translated to the corresponding 128 bit register numbers.
10864 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10866 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10867 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10869 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10871 return nla_put_be32(skb, attr, htonl(reg));
10873 EXPORT_SYMBOL_GPL(nft_dump_register);
10875 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10877 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10881 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10887 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10892 err = nft_parse_register(attr, ®);
10896 err = nft_validate_register_load(reg, len);
10903 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10905 static int nft_validate_register_store(const struct nft_ctx *ctx,
10906 enum nft_registers reg,
10907 const struct nft_data *data,
10908 enum nft_data_types type,
10914 case NFT_REG_VERDICT:
10915 if (type != NFT_DATA_VERDICT)
10918 if (data != NULL &&
10919 (data->verdict.code == NFT_GOTO ||
10920 data->verdict.code == NFT_JUMP)) {
10921 err = nf_tables_check_loops(ctx, data->verdict.chain);
10928 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10932 if (reg * NFT_REG32_SIZE + len >
10933 sizeof_field(struct nft_regs, data))
10936 if (data != NULL && type != NFT_DATA_VALUE)
10942 int nft_parse_register_store(const struct nft_ctx *ctx,
10943 const struct nlattr *attr, u8 *dreg,
10944 const struct nft_data *data,
10945 enum nft_data_types type, unsigned int len)
10950 err = nft_parse_register(attr, ®);
10954 err = nft_validate_register_store(ctx, reg, data, type, len);
10961 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10963 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10964 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10965 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10966 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10967 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10970 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10971 struct nft_data_desc *desc, const struct nlattr *nla)
10973 u8 genmask = nft_genmask_next(ctx->net);
10974 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10975 struct nft_chain *chain;
10978 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10979 nft_verdict_policy, NULL);
10983 if (!tb[NFTA_VERDICT_CODE])
10986 /* zero padding hole for memcmp */
10987 memset(data, 0, sizeof(*data));
10988 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
10990 switch (data->verdict.code) {
10992 switch (data->verdict.code & NF_VERDICT_MASK) {
11007 if (tb[NFTA_VERDICT_CHAIN]) {
11008 chain = nft_chain_lookup(ctx->net, ctx->table,
11009 tb[NFTA_VERDICT_CHAIN],
11011 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11012 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11013 tb[NFTA_VERDICT_CHAIN_ID],
11016 return PTR_ERR(chain);
11022 return PTR_ERR(chain);
11023 if (nft_is_base_chain(chain))
11024 return -EOPNOTSUPP;
11025 if (nft_chain_is_bound(chain))
11027 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11028 chain->flags & NFT_CHAIN_BINDING)
11030 if (!nft_use_inc(&chain->use))
11033 data->verdict.chain = chain;
11037 desc->len = sizeof(data->verdict);
11042 static void nft_verdict_uninit(const struct nft_data *data)
11044 struct nft_chain *chain;
11046 switch (data->verdict.code) {
11049 chain = data->verdict.chain;
11050 nft_use_dec(&chain->use);
11055 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11057 struct nlattr *nest;
11059 nest = nla_nest_start_noflag(skb, type);
11061 goto nla_put_failure;
11063 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11064 goto nla_put_failure;
11069 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11071 goto nla_put_failure;
11073 nla_nest_end(skb, nest);
11080 static int nft_value_init(const struct nft_ctx *ctx,
11081 struct nft_data *data, struct nft_data_desc *desc,
11082 const struct nlattr *nla)
11086 len = nla_len(nla);
11089 if (len > desc->size)
11092 if (len != desc->len)
11098 nla_memcpy(data->data, nla, len);
11103 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11106 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11109 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11110 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11111 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11115 * nft_data_init - parse nf_tables data netlink attributes
11117 * @ctx: context of the expression using the data
11118 * @data: destination struct nft_data
11119 * @desc: data description
11120 * @nla: netlink attribute containing data
11122 * Parse the netlink data attributes and initialize a struct nft_data.
11123 * The type and length of data are returned in the data description.
11125 * The caller can indicate that it only wants to accept data of type
11126 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11128 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11129 struct nft_data_desc *desc, const struct nlattr *nla)
11131 struct nlattr *tb[NFTA_DATA_MAX + 1];
11134 if (WARN_ON_ONCE(!desc->size))
11137 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11138 nft_data_policy, NULL);
11142 if (tb[NFTA_DATA_VALUE]) {
11143 if (desc->type != NFT_DATA_VALUE)
11146 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11147 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11148 if (desc->type != NFT_DATA_VERDICT)
11151 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11158 EXPORT_SYMBOL_GPL(nft_data_init);
11161 * nft_data_release - release a nft_data item
11163 * @data: struct nft_data to release
11164 * @type: type of data
11166 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11167 * all others need to be released by calling this function.
11169 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11171 if (type < NFT_DATA_VERDICT)
11174 case NFT_DATA_VERDICT:
11175 return nft_verdict_uninit(data);
11180 EXPORT_SYMBOL_GPL(nft_data_release);
11182 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11183 enum nft_data_types type, unsigned int len)
11185 struct nlattr *nest;
11188 nest = nla_nest_start_noflag(skb, attr);
11193 case NFT_DATA_VALUE:
11194 err = nft_value_dump(skb, data, len);
11196 case NFT_DATA_VERDICT:
11197 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11204 nla_nest_end(skb, nest);
11207 EXPORT_SYMBOL_GPL(nft_data_dump);
11209 int __nft_release_basechain(struct nft_ctx *ctx)
11211 struct nft_rule *rule, *nr;
11213 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11216 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11217 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11218 list_del(&rule->list);
11219 nft_use_dec(&ctx->chain->use);
11220 nf_tables_rule_release(ctx, rule);
11222 nft_chain_del(ctx->chain);
11223 nft_use_dec(&ctx->table->use);
11224 nf_tables_chain_destroy(ctx);
11228 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11230 static void __nft_release_hook(struct net *net, struct nft_table *table)
11232 struct nft_flowtable *flowtable;
11233 struct nft_chain *chain;
11235 list_for_each_entry(chain, &table->chains, list)
11236 __nf_tables_unregister_hook(net, table, chain, true);
11237 list_for_each_entry(flowtable, &table->flowtables, list)
11238 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11242 static void __nft_release_hooks(struct net *net)
11244 struct nftables_pernet *nft_net = nft_pernet(net);
11245 struct nft_table *table;
11247 list_for_each_entry(table, &nft_net->tables, list) {
11248 if (nft_table_has_owner(table))
11251 __nft_release_hook(net, table);
11255 static void __nft_release_table(struct net *net, struct nft_table *table)
11257 struct nft_flowtable *flowtable, *nf;
11258 struct nft_chain *chain, *nc;
11259 struct nft_object *obj, *ne;
11260 struct nft_rule *rule, *nr;
11261 struct nft_set *set, *ns;
11262 struct nft_ctx ctx = {
11264 .family = NFPROTO_NETDEV,
11267 ctx.family = table->family;
11269 list_for_each_entry(chain, &table->chains, list) {
11270 if (nft_chain_binding(chain))
11274 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11275 list_del(&rule->list);
11276 nft_use_dec(&chain->use);
11277 nf_tables_rule_release(&ctx, rule);
11280 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11281 list_del(&flowtable->list);
11282 nft_use_dec(&table->use);
11283 nf_tables_flowtable_destroy(flowtable);
11285 list_for_each_entry_safe(set, ns, &table->sets, list) {
11286 list_del(&set->list);
11287 nft_use_dec(&table->use);
11288 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11289 nft_map_deactivate(&ctx, set);
11291 nft_set_destroy(&ctx, set);
11293 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11295 nft_use_dec(&table->use);
11296 nft_obj_destroy(&ctx, obj);
11298 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11300 nft_chain_del(chain);
11301 nft_use_dec(&table->use);
11302 nf_tables_chain_destroy(&ctx);
11304 nf_tables_table_destroy(&ctx);
11307 static void __nft_release_tables(struct net *net)
11309 struct nftables_pernet *nft_net = nft_pernet(net);
11310 struct nft_table *table, *nt;
11312 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11313 if (nft_table_has_owner(table))
11316 list_del(&table->list);
11318 __nft_release_table(net, table);
11322 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11325 struct nft_table *table, *to_delete[8];
11326 struct nftables_pernet *nft_net;
11327 struct netlink_notify *n = ptr;
11328 struct net *net = n->net;
11329 unsigned int deleted;
11330 bool restart = false;
11331 unsigned int gc_seq;
11333 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11334 return NOTIFY_DONE;
11336 nft_net = nft_pernet(net);
11338 mutex_lock(&nft_net->commit_mutex);
11340 gc_seq = nft_gc_seq_begin(nft_net);
11342 if (!list_empty(&nf_tables_destroy_list))
11343 nf_tables_trans_destroy_flush_work();
11345 list_for_each_entry(table, &nft_net->tables, list) {
11346 if (nft_table_has_owner(table) &&
11347 n->portid == table->nlpid) {
11348 __nft_release_hook(net, table);
11349 list_del_rcu(&table->list);
11350 to_delete[deleted++] = table;
11351 if (deleted >= ARRAY_SIZE(to_delete))
11356 restart = deleted >= ARRAY_SIZE(to_delete);
11359 __nft_release_table(net, to_delete[--deleted]);
11364 nft_gc_seq_end(nft_net, gc_seq);
11366 mutex_unlock(&nft_net->commit_mutex);
11368 return NOTIFY_DONE;
11371 static struct notifier_block nft_nl_notifier = {
11372 .notifier_call = nft_rcv_nl_event,
11375 static int __net_init nf_tables_init_net(struct net *net)
11377 struct nftables_pernet *nft_net = nft_pernet(net);
11379 INIT_LIST_HEAD(&nft_net->tables);
11380 INIT_LIST_HEAD(&nft_net->commit_list);
11381 INIT_LIST_HEAD(&nft_net->binding_list);
11382 INIT_LIST_HEAD(&nft_net->module_list);
11383 INIT_LIST_HEAD(&nft_net->notify_list);
11384 mutex_init(&nft_net->commit_mutex);
11385 nft_net->base_seq = 1;
11386 nft_net->gc_seq = 0;
11387 nft_net->validate_state = NFT_VALIDATE_SKIP;
11392 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11394 struct nftables_pernet *nft_net = nft_pernet(net);
11396 mutex_lock(&nft_net->commit_mutex);
11397 __nft_release_hooks(net);
11398 mutex_unlock(&nft_net->commit_mutex);
11401 static void __net_exit nf_tables_exit_net(struct net *net)
11403 struct nftables_pernet *nft_net = nft_pernet(net);
11404 unsigned int gc_seq;
11406 mutex_lock(&nft_net->commit_mutex);
11408 gc_seq = nft_gc_seq_begin(nft_net);
11410 if (!list_empty(&nft_net->commit_list) ||
11411 !list_empty(&nft_net->module_list))
11412 __nf_tables_abort(net, NFNL_ABORT_NONE);
11414 __nft_release_tables(net);
11416 nft_gc_seq_end(nft_net, gc_seq);
11418 mutex_unlock(&nft_net->commit_mutex);
11419 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11420 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11421 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11424 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11426 flush_work(&trans_gc_work);
11429 static struct pernet_operations nf_tables_net_ops = {
11430 .init = nf_tables_init_net,
11431 .pre_exit = nf_tables_pre_exit_net,
11432 .exit = nf_tables_exit_net,
11433 .exit_batch = nf_tables_exit_batch,
11434 .id = &nf_tables_net_id,
11435 .size = sizeof(struct nftables_pernet),
11438 static int __init nf_tables_module_init(void)
11442 err = register_pernet_subsys(&nf_tables_net_ops);
11446 err = nft_chain_filter_init();
11448 goto err_chain_filter;
11450 err = nf_tables_core_module_init();
11452 goto err_core_module;
11454 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11456 goto err_netdev_notifier;
11458 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11460 goto err_rht_objname;
11462 err = nft_offload_init();
11466 err = netlink_register_notifier(&nft_nl_notifier);
11468 goto err_netlink_notifier;
11471 err = nfnetlink_subsys_register(&nf_tables_subsys);
11473 goto err_nfnl_subsys;
11475 nft_chain_route_init();
11480 netlink_unregister_notifier(&nft_nl_notifier);
11481 err_netlink_notifier:
11482 nft_offload_exit();
11484 rhltable_destroy(&nft_objname_ht);
11486 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11487 err_netdev_notifier:
11488 nf_tables_core_module_exit();
11490 nft_chain_filter_fini();
11492 unregister_pernet_subsys(&nf_tables_net_ops);
11496 static void __exit nf_tables_module_exit(void)
11498 nfnetlink_subsys_unregister(&nf_tables_subsys);
11499 netlink_unregister_notifier(&nft_nl_notifier);
11500 nft_offload_exit();
11501 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11502 nft_chain_filter_fini();
11503 nft_chain_route_fini();
11504 unregister_pernet_subsys(&nf_tables_net_ops);
11505 cancel_work_sync(&trans_gc_work);
11506 cancel_work_sync(&trans_destroy_work);
11508 rhltable_destroy(&nft_objname_ht);
11509 nf_tables_core_module_exit();
11512 module_init(nf_tables_module_init);
11513 module_exit(nf_tables_module_exit);
11515 MODULE_LICENSE("GPL");
11516 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11517 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11518 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.samba.org / sfrench / cifs-2.6.git / blob