2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
32 NFT_VALIDATE_SKIP = 0,
37 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
38 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
39 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
41 static const struct rhashtable_params nft_chain_ht_params = {
42 .head_offset = offsetof(struct nft_chain, rhlhead),
43 .key_offset = offsetof(struct nft_chain, name),
44 .hashfn = nft_chain_hash,
45 .obj_hashfn = nft_chain_hash_obj,
46 .obj_cmpfn = nft_chain_hash_cmp,
48 .automatic_shrinking = true,
51 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
53 switch (net->nft.validate_state) {
54 case NFT_VALIDATE_SKIP:
55 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
57 case NFT_VALIDATE_NEED:
60 if (new_validate_state == NFT_VALIDATE_NEED)
64 net->nft.validate_state = new_validate_state;
67 static void nft_ctx_init(struct nft_ctx *ctx,
69 const struct sk_buff *skb,
70 const struct nlmsghdr *nlh,
72 struct nft_table *table,
73 struct nft_chain *chain,
74 const struct nlattr * const *nla)
82 ctx->portid = NETLINK_CB(skb).portid;
83 ctx->report = nlmsg_report(nlh);
84 ctx->seq = nlh->nlmsg_seq;
87 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
88 int msg_type, u32 size, gfp_t gfp)
90 struct nft_trans *trans;
92 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
96 trans->msg_type = msg_type;
102 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
103 int msg_type, u32 size)
105 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
108 static void nft_trans_destroy(struct nft_trans *trans)
110 list_del(&trans->list);
114 static int nf_tables_register_hook(struct net *net,
115 const struct nft_table *table,
116 struct nft_chain *chain)
118 const struct nft_base_chain *basechain;
119 const struct nf_hook_ops *ops;
121 if (table->flags & NFT_TABLE_F_DORMANT ||
122 !nft_is_base_chain(chain))
125 basechain = nft_base_chain(chain);
126 ops = &basechain->ops;
128 if (basechain->type->ops_register)
129 return basechain->type->ops_register(net, ops);
131 return nf_register_net_hook(net, ops);
134 static void nf_tables_unregister_hook(struct net *net,
135 const struct nft_table *table,
136 struct nft_chain *chain)
138 const struct nft_base_chain *basechain;
139 const struct nf_hook_ops *ops;
141 if (table->flags & NFT_TABLE_F_DORMANT ||
142 !nft_is_base_chain(chain))
144 basechain = nft_base_chain(chain);
145 ops = &basechain->ops;
147 if (basechain->type->ops_unregister)
148 return basechain->type->ops_unregister(net, ops);
150 nf_unregister_net_hook(net, ops);
153 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
155 struct nft_trans *trans;
157 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
161 if (msg_type == NFT_MSG_NEWTABLE)
162 nft_activate_next(ctx->net, ctx->table);
164 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
168 static int nft_deltable(struct nft_ctx *ctx)
172 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
176 nft_deactivate_next(ctx->net, ctx->table);
180 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
182 struct nft_trans *trans;
184 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
188 if (msg_type == NFT_MSG_NEWCHAIN)
189 nft_activate_next(ctx->net, ctx->chain);
191 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
195 static int nft_delchain(struct nft_ctx *ctx)
199 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
204 nft_deactivate_next(ctx->net, ctx->chain);
209 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
210 struct nft_rule *rule)
212 struct nft_expr *expr;
214 expr = nft_expr_first(rule);
215 while (expr != nft_expr_last(rule) && expr->ops) {
216 if (expr->ops->activate)
217 expr->ops->activate(ctx, expr);
219 expr = nft_expr_next(expr);
223 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
224 struct nft_rule *rule)
226 struct nft_expr *expr;
228 expr = nft_expr_first(rule);
229 while (expr != nft_expr_last(rule) && expr->ops) {
230 if (expr->ops->deactivate)
231 expr->ops->deactivate(ctx, expr);
233 expr = nft_expr_next(expr);
238 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
240 /* You cannot delete the same rule twice */
241 if (nft_is_active_next(ctx->net, rule)) {
242 nft_deactivate_next(ctx->net, rule);
249 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
250 struct nft_rule *rule)
252 struct nft_trans *trans;
254 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
258 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
259 nft_trans_rule_id(trans) =
260 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
262 nft_trans_rule(trans) = rule;
263 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
268 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
270 struct nft_trans *trans;
273 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
277 err = nf_tables_delrule_deactivate(ctx, rule);
279 nft_trans_destroy(trans);
282 nft_rule_expr_deactivate(ctx, rule);
287 static int nft_delrule_by_chain(struct nft_ctx *ctx)
289 struct nft_rule *rule;
292 list_for_each_entry(rule, &ctx->chain->rules, list) {
293 err = nft_delrule(ctx, rule);
300 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
303 struct nft_trans *trans;
305 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
309 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
310 nft_trans_set_id(trans) =
311 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
312 nft_activate_next(ctx->net, set);
314 nft_trans_set(trans) = set;
315 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
320 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
324 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
328 nft_deactivate_next(ctx->net, set);
334 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
335 struct nft_object *obj)
337 struct nft_trans *trans;
339 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
343 if (msg_type == NFT_MSG_NEWOBJ)
344 nft_activate_next(ctx->net, obj);
346 nft_trans_obj(trans) = obj;
347 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
352 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
356 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
360 nft_deactivate_next(ctx->net, obj);
366 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
367 struct nft_flowtable *flowtable)
369 struct nft_trans *trans;
371 trans = nft_trans_alloc(ctx, msg_type,
372 sizeof(struct nft_trans_flowtable));
376 if (msg_type == NFT_MSG_NEWFLOWTABLE)
377 nft_activate_next(ctx->net, flowtable);
379 nft_trans_flowtable(trans) = flowtable;
380 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
385 static int nft_delflowtable(struct nft_ctx *ctx,
386 struct nft_flowtable *flowtable)
390 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
394 nft_deactivate_next(ctx->net, flowtable);
404 static struct nft_table *nft_table_lookup(const struct net *net,
405 const struct nlattr *nla,
406 u8 family, u8 genmask)
408 struct nft_table *table;
411 return ERR_PTR(-EINVAL);
413 list_for_each_entry_rcu(table, &net->nft.tables, list) {
414 if (!nla_strcmp(nla, table->name) &&
415 table->family == family &&
416 nft_active_genmask(table, genmask))
420 return ERR_PTR(-ENOENT);
423 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
424 const struct nlattr *nla,
427 struct nft_table *table;
429 list_for_each_entry(table, &net->nft.tables, list) {
430 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
431 nft_active_genmask(table, genmask))
435 return ERR_PTR(-ENOENT);
438 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
440 return ++table->hgenerator;
443 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
445 static const struct nft_chain_type *
446 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
450 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
451 if (chain_type[family][i] != NULL &&
452 !nla_strcmp(nla, chain_type[family][i]->name))
453 return chain_type[family][i];
458 static const struct nft_chain_type *
459 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
461 const struct nft_chain_type *type;
463 type = __nf_tables_chain_type_lookup(nla, family);
466 #ifdef CONFIG_MODULES
468 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
469 request_module("nft-chain-%u-%.*s", family,
470 nla_len(nla), (const char *)nla_data(nla));
471 nfnl_lock(NFNL_SUBSYS_NFTABLES);
472 type = __nf_tables_chain_type_lookup(nla, family);
474 return ERR_PTR(-EAGAIN);
477 return ERR_PTR(-ENOENT);
480 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
481 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
482 .len = NFT_TABLE_MAXNAMELEN - 1 },
483 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
484 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
487 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
488 u32 portid, u32 seq, int event, u32 flags,
489 int family, const struct nft_table *table)
491 struct nlmsghdr *nlh;
492 struct nfgenmsg *nfmsg;
494 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
495 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
497 goto nla_put_failure;
499 nfmsg = nlmsg_data(nlh);
500 nfmsg->nfgen_family = family;
501 nfmsg->version = NFNETLINK_V0;
502 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
504 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
505 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
506 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
507 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
509 goto nla_put_failure;
515 nlmsg_trim(skb, nlh);
519 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
525 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
528 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
532 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
533 event, 0, ctx->family, ctx->table);
539 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
540 ctx->report, GFP_KERNEL);
543 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
546 static int nf_tables_dump_tables(struct sk_buff *skb,
547 struct netlink_callback *cb)
549 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
550 const struct nft_table *table;
551 unsigned int idx = 0, s_idx = cb->args[0];
552 struct net *net = sock_net(skb->sk);
553 int family = nfmsg->nfgen_family;
556 cb->seq = net->nft.base_seq;
558 list_for_each_entry_rcu(table, &net->nft.tables, list) {
559 if (family != NFPROTO_UNSPEC && family != table->family)
565 memset(&cb->args[1], 0,
566 sizeof(cb->args) - sizeof(cb->args[0]));
567 if (!nft_is_active(net, table))
569 if (nf_tables_fill_table_info(skb, net,
570 NETLINK_CB(cb->skb).portid,
572 NFT_MSG_NEWTABLE, NLM_F_MULTI,
573 table->family, table) < 0)
576 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
586 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
587 const struct nlmsghdr *nlh,
588 struct netlink_dump_control *c)
592 if (!try_module_get(THIS_MODULE))
596 err = netlink_dump_start(nlsk, skb, nlh, c);
598 module_put(THIS_MODULE);
603 /* called with rcu_read_lock held */
604 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
605 struct sk_buff *skb, const struct nlmsghdr *nlh,
606 const struct nlattr * const nla[],
607 struct netlink_ext_ack *extack)
609 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
610 u8 genmask = nft_genmask_cur(net);
611 const struct nft_table *table;
612 struct sk_buff *skb2;
613 int family = nfmsg->nfgen_family;
616 if (nlh->nlmsg_flags & NLM_F_DUMP) {
617 struct netlink_dump_control c = {
618 .dump = nf_tables_dump_tables,
619 .module = THIS_MODULE,
622 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
625 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
627 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
628 return PTR_ERR(table);
631 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
635 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
636 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
641 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
648 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
650 struct nft_chain *chain;
653 list_for_each_entry(chain, &table->chains, list) {
654 if (!nft_is_active_next(net, chain))
656 if (!nft_is_base_chain(chain))
659 if (cnt && i++ == cnt)
662 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
666 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
668 struct nft_chain *chain;
671 list_for_each_entry(chain, &table->chains, list) {
672 if (!nft_is_active_next(net, chain))
674 if (!nft_is_base_chain(chain))
677 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
686 nft_table_disable(net, table, i);
690 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
692 nft_table_disable(net, table, 0);
695 static int nf_tables_updtable(struct nft_ctx *ctx)
697 struct nft_trans *trans;
701 if (!ctx->nla[NFTA_TABLE_FLAGS])
704 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
705 if (flags & ~NFT_TABLE_F_DORMANT)
708 if (flags == ctx->table->flags)
711 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
712 sizeof(struct nft_trans_table));
716 if ((flags & NFT_TABLE_F_DORMANT) &&
717 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
718 nft_trans_table_enable(trans) = false;
719 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
720 ctx->table->flags & NFT_TABLE_F_DORMANT) {
721 ret = nf_tables_table_enable(ctx->net, ctx->table);
723 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
724 nft_trans_table_enable(trans) = true;
730 nft_trans_table_update(trans) = true;
731 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
734 nft_trans_destroy(trans);
738 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
740 const char *name = data;
742 return jhash(name, strlen(name), seed);
745 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
747 const struct nft_chain *chain = data;
749 return nft_chain_hash(chain->name, 0, seed);
752 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
755 const struct nft_chain *chain = ptr;
756 const char *name = arg->key;
758 return strcmp(chain->name, name);
761 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
762 struct sk_buff *skb, const struct nlmsghdr *nlh,
763 const struct nlattr * const nla[],
764 struct netlink_ext_ack *extack)
766 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
767 u8 genmask = nft_genmask_next(net);
768 int family = nfmsg->nfgen_family;
769 const struct nlattr *attr;
770 struct nft_table *table;
775 attr = nla[NFTA_TABLE_NAME];
776 table = nft_table_lookup(net, attr, family, genmask);
778 if (PTR_ERR(table) != -ENOENT)
779 return PTR_ERR(table);
781 if (nlh->nlmsg_flags & NLM_F_EXCL) {
782 NL_SET_BAD_ATTR(extack, attr);
785 if (nlh->nlmsg_flags & NLM_F_REPLACE)
788 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
789 return nf_tables_updtable(&ctx);
792 if (nla[NFTA_TABLE_FLAGS]) {
793 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
794 if (flags & ~NFT_TABLE_F_DORMANT)
799 table = kzalloc(sizeof(*table), GFP_KERNEL);
803 table->name = nla_strdup(attr, GFP_KERNEL);
804 if (table->name == NULL)
807 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
811 INIT_LIST_HEAD(&table->chains);
812 INIT_LIST_HEAD(&table->sets);
813 INIT_LIST_HEAD(&table->objects);
814 INIT_LIST_HEAD(&table->flowtables);
815 table->family = family;
816 table->flags = flags;
817 table->handle = ++table_handle;
819 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
820 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
824 list_add_tail_rcu(&table->list, &net->nft.tables);
827 rhltable_destroy(&table->chains_ht);
836 static int nft_flush_table(struct nft_ctx *ctx)
838 struct nft_flowtable *flowtable, *nft;
839 struct nft_chain *chain, *nc;
840 struct nft_object *obj, *ne;
841 struct nft_set *set, *ns;
844 list_for_each_entry(chain, &ctx->table->chains, list) {
845 if (!nft_is_active_next(ctx->net, chain))
850 err = nft_delrule_by_chain(ctx);
855 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
856 if (!nft_is_active_next(ctx->net, set))
859 if (nft_set_is_anonymous(set) &&
860 !list_empty(&set->bindings))
863 err = nft_delset(ctx, set);
868 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
869 err = nft_delflowtable(ctx, flowtable);
874 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
875 err = nft_delobj(ctx, obj);
880 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
881 if (!nft_is_active_next(ctx->net, chain))
886 err = nft_delchain(ctx);
891 err = nft_deltable(ctx);
896 static int nft_flush(struct nft_ctx *ctx, int family)
898 struct nft_table *table, *nt;
899 const struct nlattr * const *nla = ctx->nla;
902 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
903 if (family != AF_UNSPEC && table->family != family)
906 ctx->family = table->family;
908 if (!nft_is_active_next(ctx->net, table))
911 if (nla[NFTA_TABLE_NAME] &&
912 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
917 err = nft_flush_table(ctx);
925 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
926 struct sk_buff *skb, const struct nlmsghdr *nlh,
927 const struct nlattr * const nla[],
928 struct netlink_ext_ack *extack)
930 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
931 u8 genmask = nft_genmask_next(net);
932 int family = nfmsg->nfgen_family;
933 const struct nlattr *attr;
934 struct nft_table *table;
937 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
938 if (family == AF_UNSPEC ||
939 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
940 return nft_flush(&ctx, family);
942 if (nla[NFTA_TABLE_HANDLE]) {
943 attr = nla[NFTA_TABLE_HANDLE];
944 table = nft_table_lookup_byhandle(net, attr, genmask);
946 attr = nla[NFTA_TABLE_NAME];
947 table = nft_table_lookup(net, attr, family, genmask);
951 NL_SET_BAD_ATTR(extack, attr);
952 return PTR_ERR(table);
955 if (nlh->nlmsg_flags & NLM_F_NONREC &&
962 return nft_flush_table(&ctx);
965 static void nf_tables_table_destroy(struct nft_ctx *ctx)
967 BUG_ON(ctx->table->use > 0);
969 rhltable_destroy(&ctx->table->chains_ht);
970 kfree(ctx->table->name);
974 void nft_register_chain_type(const struct nft_chain_type *ctype)
976 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
979 nfnl_lock(NFNL_SUBSYS_NFTABLES);
980 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
981 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
984 chain_type[ctype->family][ctype->type] = ctype;
985 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
987 EXPORT_SYMBOL_GPL(nft_register_chain_type);
989 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
991 nfnl_lock(NFNL_SUBSYS_NFTABLES);
992 chain_type[ctype->family][ctype->type] = NULL;
993 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
995 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1001 static struct nft_chain *
1002 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1004 struct nft_chain *chain;
1006 list_for_each_entry(chain, &table->chains, list) {
1007 if (chain->handle == handle &&
1008 nft_active_genmask(chain, genmask))
1012 return ERR_PTR(-ENOENT);
1015 static struct nft_chain *nft_chain_lookup(struct nft_table *table,
1016 const struct nlattr *nla, u8 genmask)
1018 char search[NFT_CHAIN_MAXNAMELEN + 1];
1019 struct rhlist_head *tmp, *list;
1020 struct nft_chain *chain;
1023 return ERR_PTR(-EINVAL);
1025 nla_strlcpy(search, nla, sizeof(search));
1027 WARN_ON(!rcu_read_lock_held() &&
1028 !lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1030 chain = ERR_PTR(-ENOENT);
1032 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1036 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1037 if (nft_active_genmask(chain, genmask))
1040 chain = ERR_PTR(-ENOENT);
1046 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1047 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1048 .len = NFT_TABLE_MAXNAMELEN - 1 },
1049 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1050 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1051 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1052 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1053 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1054 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1055 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1058 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1059 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1060 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1061 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1062 .len = IFNAMSIZ - 1 },
1065 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1067 struct nft_stats *cpu_stats, total;
1068 struct nlattr *nest;
1073 memset(&total, 0, sizeof(total));
1074 for_each_possible_cpu(cpu) {
1075 cpu_stats = per_cpu_ptr(stats, cpu);
1077 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1078 pkts = cpu_stats->pkts;
1079 bytes = cpu_stats->bytes;
1080 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1082 total.bytes += bytes;
1084 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1086 goto nla_put_failure;
1088 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1089 NFTA_COUNTER_PAD) ||
1090 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1092 goto nla_put_failure;
1094 nla_nest_end(skb, nest);
1101 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1102 u32 portid, u32 seq, int event, u32 flags,
1103 int family, const struct nft_table *table,
1104 const struct nft_chain *chain)
1106 struct nlmsghdr *nlh;
1107 struct nfgenmsg *nfmsg;
1109 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1110 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1112 goto nla_put_failure;
1114 nfmsg = nlmsg_data(nlh);
1115 nfmsg->nfgen_family = family;
1116 nfmsg->version = NFNETLINK_V0;
1117 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1119 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1120 goto nla_put_failure;
1121 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1123 goto nla_put_failure;
1124 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1125 goto nla_put_failure;
1127 if (nft_is_base_chain(chain)) {
1128 const struct nft_base_chain *basechain = nft_base_chain(chain);
1129 const struct nf_hook_ops *ops = &basechain->ops;
1130 struct nlattr *nest;
1132 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1134 goto nla_put_failure;
1135 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1136 goto nla_put_failure;
1137 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1138 goto nla_put_failure;
1139 if (basechain->dev_name[0] &&
1140 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1141 goto nla_put_failure;
1142 nla_nest_end(skb, nest);
1144 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1145 htonl(basechain->policy)))
1146 goto nla_put_failure;
1148 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1149 goto nla_put_failure;
1151 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1152 goto nla_put_failure;
1155 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1156 goto nla_put_failure;
1158 nlmsg_end(skb, nlh);
1162 nlmsg_trim(skb, nlh);
1166 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1168 struct sk_buff *skb;
1172 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1175 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1179 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1180 event, 0, ctx->family, ctx->table,
1187 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1188 ctx->report, GFP_KERNEL);
1191 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1194 static int nf_tables_dump_chains(struct sk_buff *skb,
1195 struct netlink_callback *cb)
1197 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1198 const struct nft_table *table;
1199 const struct nft_chain *chain;
1200 unsigned int idx = 0, s_idx = cb->args[0];
1201 struct net *net = sock_net(skb->sk);
1202 int family = nfmsg->nfgen_family;
1205 cb->seq = net->nft.base_seq;
1207 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1208 if (family != NFPROTO_UNSPEC && family != table->family)
1211 list_for_each_entry_rcu(chain, &table->chains, list) {
1215 memset(&cb->args[1], 0,
1216 sizeof(cb->args) - sizeof(cb->args[0]));
1217 if (!nft_is_active(net, chain))
1219 if (nf_tables_fill_chain_info(skb, net,
1220 NETLINK_CB(cb->skb).portid,
1224 table->family, table,
1228 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1239 /* called with rcu_read_lock held */
1240 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1241 struct sk_buff *skb, const struct nlmsghdr *nlh,
1242 const struct nlattr * const nla[],
1243 struct netlink_ext_ack *extack)
1245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1246 u8 genmask = nft_genmask_cur(net);
1247 const struct nft_chain *chain;
1248 struct nft_table *table;
1249 struct sk_buff *skb2;
1250 int family = nfmsg->nfgen_family;
1253 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1254 struct netlink_dump_control c = {
1255 .dump = nf_tables_dump_chains,
1256 .module = THIS_MODULE,
1259 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1262 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1263 if (IS_ERR(table)) {
1264 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1265 return PTR_ERR(table);
1268 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1269 if (IS_ERR(chain)) {
1270 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1271 return PTR_ERR(chain);
1274 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1278 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1279 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1280 family, table, chain);
1284 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1291 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1292 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1293 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1296 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1298 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1299 struct nft_stats __percpu *newstats;
1300 struct nft_stats *stats;
1303 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1306 return ERR_PTR(err);
1308 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1309 return ERR_PTR(-EINVAL);
1311 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1312 if (newstats == NULL)
1313 return ERR_PTR(-ENOMEM);
1315 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1316 * are not exposed to userspace.
1319 stats = this_cpu_ptr(newstats);
1320 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1321 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1327 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1328 struct nft_stats __percpu *newstats)
1330 struct nft_stats __percpu *oldstats;
1332 if (newstats == NULL)
1336 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1337 rcu_assign_pointer(chain->stats, newstats);
1339 free_percpu(oldstats);
1341 rcu_assign_pointer(chain->stats, newstats);
1342 static_branch_inc(&nft_counters_enabled);
1346 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1348 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1349 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1355 /* should be NULL either via abort or via successful commit */
1356 WARN_ON_ONCE(chain->rules_next);
1357 kvfree(chain->rules_next);
1360 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1362 struct nft_chain *chain = ctx->chain;
1364 BUG_ON(chain->use > 0);
1366 /* no concurrent access possible anymore */
1367 nf_tables_chain_free_chain_rules(chain);
1369 if (nft_is_base_chain(chain)) {
1370 struct nft_base_chain *basechain = nft_base_chain(chain);
1372 module_put(basechain->type->owner);
1373 free_percpu(basechain->stats);
1374 if (basechain->stats)
1375 static_branch_dec(&nft_counters_enabled);
1384 struct nft_chain_hook {
1387 const struct nft_chain_type *type;
1388 struct net_device *dev;
1391 static int nft_chain_parse_hook(struct net *net,
1392 const struct nlattr * const nla[],
1393 struct nft_chain_hook *hook, u8 family,
1396 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1397 const struct nft_chain_type *type;
1398 struct net_device *dev;
1401 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1402 nft_hook_policy, NULL);
1406 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1407 ha[NFTA_HOOK_PRIORITY] == NULL)
1410 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1411 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1413 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1414 if (nla[NFTA_CHAIN_TYPE]) {
1415 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1418 return PTR_ERR(type);
1420 if (!(type->hook_mask & (1 << hook->num)))
1423 if (type->type == NFT_CHAIN_T_NAT &&
1424 hook->priority <= NF_IP_PRI_CONNTRACK)
1427 if (!try_module_get(type->owner))
1433 if (family == NFPROTO_NETDEV) {
1434 char ifname[IFNAMSIZ];
1436 if (!ha[NFTA_HOOK_DEV]) {
1437 module_put(type->owner);
1441 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1442 dev = __dev_get_by_name(net, ifname);
1444 module_put(type->owner);
1448 } else if (ha[NFTA_HOOK_DEV]) {
1449 module_put(type->owner);
1456 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1458 module_put(hook->type->owner);
1461 struct nft_rules_old {
1463 struct nft_rule **start;
1466 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1469 if (alloc > INT_MAX)
1472 alloc += 1; /* NULL, ends rules */
1473 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1476 alloc *= sizeof(struct nft_rule *);
1477 alloc += sizeof(struct nft_rules_old);
1479 return kvmalloc(alloc, GFP_KERNEL);
1482 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1483 u8 policy, bool create)
1485 const struct nlattr * const *nla = ctx->nla;
1486 struct nft_table *table = ctx->table;
1487 struct nft_base_chain *basechain;
1488 struct nft_stats __percpu *stats;
1489 struct net *net = ctx->net;
1490 struct nft_chain *chain;
1491 struct nft_rule **rules;
1494 if (table->use == UINT_MAX)
1497 if (nla[NFTA_CHAIN_HOOK]) {
1498 struct nft_chain_hook hook;
1499 struct nf_hook_ops *ops;
1501 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1505 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1506 if (basechain == NULL) {
1507 nft_chain_release_hook(&hook);
1511 if (hook.dev != NULL)
1512 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1514 if (nla[NFTA_CHAIN_COUNTERS]) {
1515 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1516 if (IS_ERR(stats)) {
1517 nft_chain_release_hook(&hook);
1519 return PTR_ERR(stats);
1521 basechain->stats = stats;
1522 static_branch_inc(&nft_counters_enabled);
1525 basechain->type = hook.type;
1526 chain = &basechain->chain;
1528 ops = &basechain->ops;
1530 ops->hooknum = hook.num;
1531 ops->priority = hook.priority;
1533 ops->hook = hook.type->hooks[ops->hooknum];
1534 ops->dev = hook.dev;
1536 chain->flags |= NFT_BASE_CHAIN;
1537 basechain->policy = policy;
1539 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1545 INIT_LIST_HEAD(&chain->rules);
1546 chain->handle = nf_tables_alloc_handle(table);
1547 chain->table = table;
1548 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1554 rules = nf_tables_chain_alloc_rules(chain, 0);
1561 rcu_assign_pointer(chain->rules_gen_0, rules);
1562 rcu_assign_pointer(chain->rules_gen_1, rules);
1564 err = nf_tables_register_hook(net, table, chain);
1568 err = rhltable_insert_key(&table->chains_ht, chain->name,
1569 &chain->rhlhead, nft_chain_ht_params);
1573 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1575 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1576 nft_chain_ht_params);
1581 list_add_tail_rcu(&chain->list, &table->chains);
1585 nf_tables_unregister_hook(net, table, chain);
1587 nf_tables_chain_destroy(ctx);
1592 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1595 const struct nlattr * const *nla = ctx->nla;
1596 struct nft_table *table = ctx->table;
1597 struct nft_chain *chain = ctx->chain;
1598 struct nft_base_chain *basechain;
1599 struct nft_stats *stats = NULL;
1600 struct nft_chain_hook hook;
1601 struct nf_hook_ops *ops;
1602 struct nft_trans *trans;
1605 if (nla[NFTA_CHAIN_HOOK]) {
1606 if (!nft_is_base_chain(chain))
1609 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1614 basechain = nft_base_chain(chain);
1615 if (basechain->type != hook.type) {
1616 nft_chain_release_hook(&hook);
1620 ops = &basechain->ops;
1621 if (ops->hooknum != hook.num ||
1622 ops->priority != hook.priority ||
1623 ops->dev != hook.dev) {
1624 nft_chain_release_hook(&hook);
1627 nft_chain_release_hook(&hook);
1630 if (nla[NFTA_CHAIN_HANDLE] &&
1631 nla[NFTA_CHAIN_NAME]) {
1632 struct nft_chain *chain2;
1634 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1635 if (!IS_ERR(chain2))
1639 if (nla[NFTA_CHAIN_COUNTERS]) {
1640 if (!nft_is_base_chain(chain))
1643 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1645 return PTR_ERR(stats);
1649 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1650 sizeof(struct nft_trans_chain));
1654 nft_trans_chain_stats(trans) = stats;
1655 nft_trans_chain_update(trans) = true;
1657 if (nla[NFTA_CHAIN_POLICY])
1658 nft_trans_chain_policy(trans) = policy;
1660 nft_trans_chain_policy(trans) = -1;
1662 if (nla[NFTA_CHAIN_HANDLE] &&
1663 nla[NFTA_CHAIN_NAME]) {
1664 struct nft_trans *tmp;
1668 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1673 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1674 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1675 tmp->ctx.table == table &&
1676 nft_trans_chain_update(tmp) &&
1677 nft_trans_chain_name(tmp) &&
1678 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1684 nft_trans_chain_name(trans) = name;
1686 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1695 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1696 struct sk_buff *skb, const struct nlmsghdr *nlh,
1697 const struct nlattr * const nla[],
1698 struct netlink_ext_ack *extack)
1700 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1701 u8 genmask = nft_genmask_next(net);
1702 int family = nfmsg->nfgen_family;
1703 const struct nlattr *attr;
1704 struct nft_table *table;
1705 struct nft_chain *chain;
1706 u8 policy = NF_ACCEPT;
1711 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1713 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1714 if (IS_ERR(table)) {
1715 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1716 return PTR_ERR(table);
1720 attr = nla[NFTA_CHAIN_NAME];
1722 if (nla[NFTA_CHAIN_HANDLE]) {
1723 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1724 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1725 if (IS_ERR(chain)) {
1726 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1727 return PTR_ERR(chain);
1729 attr = nla[NFTA_CHAIN_HANDLE];
1731 chain = nft_chain_lookup(table, attr, genmask);
1732 if (IS_ERR(chain)) {
1733 if (PTR_ERR(chain) != -ENOENT) {
1734 NL_SET_BAD_ATTR(extack, attr);
1735 return PTR_ERR(chain);
1741 if (nla[NFTA_CHAIN_POLICY]) {
1742 if (chain != NULL &&
1743 !nft_is_base_chain(chain)) {
1744 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1748 if (chain == NULL &&
1749 nla[NFTA_CHAIN_HOOK] == NULL) {
1750 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1754 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1764 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1766 if (chain != NULL) {
1767 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1768 NL_SET_BAD_ATTR(extack, attr);
1771 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1774 return nf_tables_updchain(&ctx, genmask, policy, create);
1777 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1780 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1781 struct sk_buff *skb, const struct nlmsghdr *nlh,
1782 const struct nlattr * const nla[],
1783 struct netlink_ext_ack *extack)
1785 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1786 u8 genmask = nft_genmask_next(net);
1787 int family = nfmsg->nfgen_family;
1788 const struct nlattr *attr;
1789 struct nft_table *table;
1790 struct nft_chain *chain;
1791 struct nft_rule *rule;
1797 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1798 if (IS_ERR(table)) {
1799 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1800 return PTR_ERR(table);
1803 if (nla[NFTA_CHAIN_HANDLE]) {
1804 attr = nla[NFTA_CHAIN_HANDLE];
1805 handle = be64_to_cpu(nla_get_be64(attr));
1806 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1808 attr = nla[NFTA_CHAIN_NAME];
1809 chain = nft_chain_lookup(table, attr, genmask);
1811 if (IS_ERR(chain)) {
1812 NL_SET_BAD_ATTR(extack, attr);
1813 return PTR_ERR(chain);
1816 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1820 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1823 list_for_each_entry(rule, &chain->rules, list) {
1824 if (!nft_is_active_next(net, rule))
1828 err = nft_delrule(&ctx, rule);
1833 /* There are rules and elements that are still holding references to us,
1834 * we cannot do a recursive removal in this case.
1837 NL_SET_BAD_ATTR(extack, attr);
1841 return nft_delchain(&ctx);
1849 * nft_register_expr - register nf_tables expr type
1852 * Registers the expr type for use with nf_tables. Returns zero on
1853 * success or a negative errno code otherwise.
1855 int nft_register_expr(struct nft_expr_type *type)
1857 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1858 if (type->family == NFPROTO_UNSPEC)
1859 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1861 list_add_rcu(&type->list, &nf_tables_expressions);
1862 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1865 EXPORT_SYMBOL_GPL(nft_register_expr);
1868 * nft_unregister_expr - unregister nf_tables expr type
1871 * Unregisters the expr typefor use with nf_tables.
1873 void nft_unregister_expr(struct nft_expr_type *type)
1875 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1876 list_del_rcu(&type->list);
1877 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1879 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1881 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1884 const struct nft_expr_type *type;
1886 list_for_each_entry(type, &nf_tables_expressions, list) {
1887 if (!nla_strcmp(nla, type->name) &&
1888 (!type->family || type->family == family))
1894 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1897 const struct nft_expr_type *type;
1900 return ERR_PTR(-EINVAL);
1902 type = __nft_expr_type_get(family, nla);
1903 if (type != NULL && try_module_get(type->owner))
1906 #ifdef CONFIG_MODULES
1908 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1909 request_module("nft-expr-%u-%.*s", family,
1910 nla_len(nla), (char *)nla_data(nla));
1911 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1912 if (__nft_expr_type_get(family, nla))
1913 return ERR_PTR(-EAGAIN);
1915 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1916 request_module("nft-expr-%.*s",
1917 nla_len(nla), (char *)nla_data(nla));
1918 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1919 if (__nft_expr_type_get(family, nla))
1920 return ERR_PTR(-EAGAIN);
1923 return ERR_PTR(-ENOENT);
1926 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1927 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1928 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1931 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1932 const struct nft_expr *expr)
1934 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1935 goto nla_put_failure;
1937 if (expr->ops->dump) {
1938 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1940 goto nla_put_failure;
1941 if (expr->ops->dump(skb, expr) < 0)
1942 goto nla_put_failure;
1943 nla_nest_end(skb, data);
1952 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1953 const struct nft_expr *expr)
1955 struct nlattr *nest;
1957 nest = nla_nest_start(skb, attr);
1959 goto nla_put_failure;
1960 if (nf_tables_fill_expr_info(skb, expr) < 0)
1961 goto nla_put_failure;
1962 nla_nest_end(skb, nest);
1969 struct nft_expr_info {
1970 const struct nft_expr_ops *ops;
1971 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1974 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1975 const struct nlattr *nla,
1976 struct nft_expr_info *info)
1978 const struct nft_expr_type *type;
1979 const struct nft_expr_ops *ops;
1980 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1983 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1987 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1989 return PTR_ERR(type);
1991 if (tb[NFTA_EXPR_DATA]) {
1992 err = nla_parse_nested(info->tb, type->maxattr,
1993 tb[NFTA_EXPR_DATA], type->policy, NULL);
1997 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1999 if (type->select_ops != NULL) {
2000 ops = type->select_ops(ctx,
2001 (const struct nlattr * const *)info->tb);
2013 module_put(type->owner);
2017 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2018 const struct nft_expr_info *info,
2019 struct nft_expr *expr)
2021 const struct nft_expr_ops *ops = info->ops;
2026 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2037 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2038 struct nft_expr *expr)
2040 if (expr->ops->destroy)
2041 expr->ops->destroy(ctx, expr);
2042 module_put(expr->ops->type->owner);
2045 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2046 const struct nlattr *nla)
2048 struct nft_expr_info info;
2049 struct nft_expr *expr;
2052 err = nf_tables_expr_parse(ctx, nla, &info);
2057 expr = kzalloc(info.ops->size, GFP_KERNEL);
2061 err = nf_tables_newexpr(ctx, &info, expr);
2069 module_put(info.ops->type->owner);
2071 return ERR_PTR(err);
2074 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2076 nf_tables_expr_destroy(ctx, expr);
2084 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2087 struct nft_rule *rule;
2089 // FIXME: this sucks
2090 list_for_each_entry_rcu(rule, &chain->rules, list) {
2091 if (handle == rule->handle)
2095 return ERR_PTR(-ENOENT);
2098 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2099 const struct nlattr *nla)
2102 return ERR_PTR(-EINVAL);
2104 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2107 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2108 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2109 .len = NFT_TABLE_MAXNAMELEN - 1 },
2110 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2111 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2112 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2113 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2114 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2115 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2116 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2117 .len = NFT_USERDATA_MAXLEN },
2118 [NFTA_RULE_ID] = { .type = NLA_U32 },
2121 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2122 u32 portid, u32 seq, int event,
2123 u32 flags, int family,
2124 const struct nft_table *table,
2125 const struct nft_chain *chain,
2126 const struct nft_rule *rule)
2128 struct nlmsghdr *nlh;
2129 struct nfgenmsg *nfmsg;
2130 const struct nft_expr *expr, *next;
2131 struct nlattr *list;
2132 const struct nft_rule *prule;
2133 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2135 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2137 goto nla_put_failure;
2139 nfmsg = nlmsg_data(nlh);
2140 nfmsg->nfgen_family = family;
2141 nfmsg->version = NFNETLINK_V0;
2142 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2144 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2145 goto nla_put_failure;
2146 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2147 goto nla_put_failure;
2148 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2150 goto nla_put_failure;
2152 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2153 prule = list_prev_entry(rule, list);
2154 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2155 cpu_to_be64(prule->handle),
2157 goto nla_put_failure;
2160 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2162 goto nla_put_failure;
2163 nft_rule_for_each_expr(expr, next, rule) {
2164 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2165 goto nla_put_failure;
2167 nla_nest_end(skb, list);
2170 struct nft_userdata *udata = nft_userdata(rule);
2171 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2173 goto nla_put_failure;
2176 nlmsg_end(skb, nlh);
2180 nlmsg_trim(skb, nlh);
2184 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2185 const struct nft_rule *rule, int event)
2187 struct sk_buff *skb;
2191 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2194 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2198 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2199 event, 0, ctx->family, ctx->table,
2206 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2207 ctx->report, GFP_KERNEL);
2210 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2213 struct nft_rule_dump_ctx {
2218 static int nf_tables_dump_rules(struct sk_buff *skb,
2219 struct netlink_callback *cb)
2221 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2222 const struct nft_rule_dump_ctx *ctx = cb->data;
2223 const struct nft_table *table;
2224 const struct nft_chain *chain;
2225 const struct nft_rule *rule;
2226 unsigned int idx = 0, s_idx = cb->args[0];
2227 struct net *net = sock_net(skb->sk);
2228 int family = nfmsg->nfgen_family;
2231 cb->seq = net->nft.base_seq;
2233 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2234 if (family != NFPROTO_UNSPEC && family != table->family)
2237 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2240 list_for_each_entry_rcu(chain, &table->chains, list) {
2241 if (ctx && ctx->chain &&
2242 strcmp(ctx->chain, chain->name) != 0)
2245 list_for_each_entry_rcu(rule, &chain->rules, list) {
2246 if (!nft_is_active(net, rule))
2251 memset(&cb->args[1], 0,
2252 sizeof(cb->args) - sizeof(cb->args[0]));
2253 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2256 NLM_F_MULTI | NLM_F_APPEND,
2258 table, chain, rule) < 0)
2261 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2274 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2276 const struct nlattr * const *nla = cb->data;
2277 struct nft_rule_dump_ctx *ctx = NULL;
2279 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2280 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2284 if (nla[NFTA_RULE_TABLE]) {
2285 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2292 if (nla[NFTA_RULE_CHAIN]) {
2293 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2307 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2309 struct nft_rule_dump_ctx *ctx = cb->data;
2319 /* called with rcu_read_lock held */
2320 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2321 struct sk_buff *skb, const struct nlmsghdr *nlh,
2322 const struct nlattr * const nla[],
2323 struct netlink_ext_ack *extack)
2325 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2326 u8 genmask = nft_genmask_cur(net);
2327 const struct nft_chain *chain;
2328 const struct nft_rule *rule;
2329 struct nft_table *table;
2330 struct sk_buff *skb2;
2331 int family = nfmsg->nfgen_family;
2334 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2335 struct netlink_dump_control c = {
2336 .start= nf_tables_dump_rules_start,
2337 .dump = nf_tables_dump_rules,
2338 .done = nf_tables_dump_rules_done,
2339 .module = THIS_MODULE,
2340 .data = (void *)nla,
2343 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2346 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2347 if (IS_ERR(table)) {
2348 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2349 return PTR_ERR(table);
2352 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2353 if (IS_ERR(chain)) {
2354 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2355 return PTR_ERR(chain);
2358 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2360 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2361 return PTR_ERR(rule);
2364 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2368 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2369 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2370 family, table, chain, rule);
2374 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2381 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2382 struct nft_rule *rule)
2384 struct nft_expr *expr;
2387 * Careful: some expressions might not be initialized in case this
2388 * is called on error from nf_tables_newrule().
2390 expr = nft_expr_first(rule);
2391 while (expr != nft_expr_last(rule) && expr->ops) {
2392 nf_tables_expr_destroy(ctx, expr);
2393 expr = nft_expr_next(expr);
2398 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2399 struct nft_rule *rule)
2401 nft_rule_expr_deactivate(ctx, rule);
2402 nf_tables_rule_destroy(ctx, rule);
2405 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2407 struct nft_expr *expr, *last;
2408 const struct nft_data *data;
2409 struct nft_rule *rule;
2412 if (ctx->level == NFT_JUMP_STACK_SIZE)
2415 list_for_each_entry(rule, &chain->rules, list) {
2416 if (!nft_is_active_next(ctx->net, rule))
2419 nft_rule_for_each_expr(expr, last, rule) {
2420 if (!expr->ops->validate)
2423 err = expr->ops->validate(ctx, expr, &data);
2431 EXPORT_SYMBOL_GPL(nft_chain_validate);
2433 static int nft_table_validate(struct net *net, const struct nft_table *table)
2435 struct nft_chain *chain;
2436 struct nft_ctx ctx = {
2438 .family = table->family,
2442 list_for_each_entry(chain, &table->chains, list) {
2443 if (!nft_is_base_chain(chain))
2447 err = nft_chain_validate(&ctx, chain);
2455 #define NFT_RULE_MAXEXPRS 128
2457 static struct nft_expr_info *info;
2459 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2460 struct sk_buff *skb, const struct nlmsghdr *nlh,
2461 const struct nlattr * const nla[],
2462 struct netlink_ext_ack *extack)
2464 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2465 u8 genmask = nft_genmask_next(net);
2466 int family = nfmsg->nfgen_family;
2467 struct nft_table *table;
2468 struct nft_chain *chain;
2469 struct nft_rule *rule, *old_rule = NULL;
2470 struct nft_userdata *udata;
2471 struct nft_trans *trans = NULL;
2472 struct nft_expr *expr;
2475 unsigned int size, i, n, ulen = 0, usize = 0;
2478 u64 handle, pos_handle;
2480 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2482 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2483 if (IS_ERR(table)) {
2484 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2485 return PTR_ERR(table);
2488 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2489 if (IS_ERR(chain)) {
2490 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2491 return PTR_ERR(chain);
2494 if (nla[NFTA_RULE_HANDLE]) {
2495 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2496 rule = __nft_rule_lookup(chain, handle);
2498 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2499 return PTR_ERR(rule);
2502 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2503 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2506 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2511 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2513 handle = nf_tables_alloc_handle(table);
2515 if (chain->use == UINT_MAX)
2519 if (nla[NFTA_RULE_POSITION]) {
2520 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2523 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2524 old_rule = __nft_rule_lookup(chain, pos_handle);
2525 if (IS_ERR(old_rule)) {
2526 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2527 return PTR_ERR(old_rule);
2531 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2535 if (nla[NFTA_RULE_EXPRESSIONS]) {
2536 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2538 if (nla_type(tmp) != NFTA_LIST_ELEM)
2540 if (n == NFT_RULE_MAXEXPRS)
2542 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2545 size += info[n].ops->size;
2549 /* Check for overflow of dlen field */
2551 if (size >= 1 << 12)
2554 if (nla[NFTA_RULE_USERDATA]) {
2555 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2557 usize = sizeof(struct nft_userdata) + ulen;
2561 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2565 nft_activate_next(net, rule);
2567 rule->handle = handle;
2569 rule->udata = ulen ? 1 : 0;
2572 udata = nft_userdata(rule);
2573 udata->len = ulen - 1;
2574 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2577 expr = nft_expr_first(rule);
2578 for (i = 0; i < n; i++) {
2579 err = nf_tables_newexpr(&ctx, &info[i], expr);
2583 if (info[i].ops->validate)
2584 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2587 expr = nft_expr_next(expr);
2590 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2591 if (!nft_is_active_next(net, old_rule)) {
2595 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2597 if (trans == NULL) {
2601 nft_deactivate_next(net, old_rule);
2604 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2609 list_add_tail_rcu(&rule->list, &old_rule->list);
2611 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2616 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2618 list_add_rcu(&rule->list, &old_rule->list);
2620 list_add_tail_rcu(&rule->list, &chain->rules);
2623 list_add_tail_rcu(&rule->list, &old_rule->list);
2625 list_add_rcu(&rule->list, &chain->rules);
2630 if (net->nft.validate_state == NFT_VALIDATE_DO)
2631 return nft_table_validate(net, table);
2635 nf_tables_rule_release(&ctx, rule);
2637 for (i = 0; i < n; i++) {
2638 if (info[i].ops != NULL)
2639 module_put(info[i].ops->type->owner);
2644 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2645 const struct nlattr *nla)
2647 u32 id = ntohl(nla_get_be32(nla));
2648 struct nft_trans *trans;
2650 list_for_each_entry(trans, &net->nft.commit_list, list) {
2651 struct nft_rule *rule = nft_trans_rule(trans);
2653 if (trans->msg_type == NFT_MSG_NEWRULE &&
2654 id == nft_trans_rule_id(trans))
2657 return ERR_PTR(-ENOENT);
2660 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2661 struct sk_buff *skb, const struct nlmsghdr *nlh,
2662 const struct nlattr * const nla[],
2663 struct netlink_ext_ack *extack)
2665 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2666 u8 genmask = nft_genmask_next(net);
2667 struct nft_table *table;
2668 struct nft_chain *chain = NULL;
2669 struct nft_rule *rule;
2670 int family = nfmsg->nfgen_family, err = 0;
2673 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2674 if (IS_ERR(table)) {
2675 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2676 return PTR_ERR(table);
2679 if (nla[NFTA_RULE_CHAIN]) {
2680 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2681 if (IS_ERR(chain)) {
2682 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2683 return PTR_ERR(chain);
2687 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2690 if (nla[NFTA_RULE_HANDLE]) {
2691 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2693 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2694 return PTR_ERR(rule);
2697 err = nft_delrule(&ctx, rule);
2698 } else if (nla[NFTA_RULE_ID]) {
2699 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2701 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2702 return PTR_ERR(rule);
2705 err = nft_delrule(&ctx, rule);
2707 err = nft_delrule_by_chain(&ctx);
2710 list_for_each_entry(chain, &table->chains, list) {
2711 if (!nft_is_active_next(net, chain))
2715 err = nft_delrule_by_chain(&ctx);
2728 static LIST_HEAD(nf_tables_set_types);
2730 int nft_register_set(struct nft_set_type *type)
2732 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2733 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2734 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2737 EXPORT_SYMBOL_GPL(nft_register_set);
2739 void nft_unregister_set(struct nft_set_type *type)
2741 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2742 list_del_rcu(&type->list);
2743 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2745 EXPORT_SYMBOL_GPL(nft_unregister_set);
2747 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2748 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2751 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2753 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2757 * Select a set implementation based on the data characteristics and the
2758 * given policy. The total memory use might not be known if no size is
2759 * given, in that case the amount of memory per element is used.
2761 static const struct nft_set_ops *
2762 nft_select_set_ops(const struct nft_ctx *ctx,
2763 const struct nlattr * const nla[],
2764 const struct nft_set_desc *desc,
2765 enum nft_set_policies policy)
2767 const struct nft_set_ops *ops, *bops;
2768 struct nft_set_estimate est, best;
2769 const struct nft_set_type *type;
2772 #ifdef CONFIG_MODULES
2773 if (list_empty(&nf_tables_set_types)) {
2774 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2775 request_module("nft-set");
2776 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2777 if (!list_empty(&nf_tables_set_types))
2778 return ERR_PTR(-EAGAIN);
2781 if (nla[NFTA_SET_FLAGS] != NULL)
2782 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2789 list_for_each_entry(type, &nf_tables_set_types, list) {
2792 if (!nft_set_ops_candidate(type, flags))
2794 if (!ops->estimate(desc, flags, &est))
2798 case NFT_SET_POL_PERFORMANCE:
2799 if (est.lookup < best.lookup)
2801 if (est.lookup == best.lookup &&
2802 est.space < best.space)
2805 case NFT_SET_POL_MEMORY:
2807 if (est.space < best.space)
2809 if (est.space == best.space &&
2810 est.lookup < best.lookup)
2812 } else if (est.size < best.size || !bops) {
2820 if (!try_module_get(type->owner))
2823 module_put(to_set_type(bops)->owner);
2832 return ERR_PTR(-EOPNOTSUPP);
2835 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2836 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2837 .len = NFT_TABLE_MAXNAMELEN - 1 },
2838 [NFTA_SET_NAME] = { .type = NLA_STRING,
2839 .len = NFT_SET_MAXNAMELEN - 1 },
2840 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2841 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2842 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2843 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2844 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2845 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2846 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2847 [NFTA_SET_ID] = { .type = NLA_U32 },
2848 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2849 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2850 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2851 .len = NFT_USERDATA_MAXLEN },
2852 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2853 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2856 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2857 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2860 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2861 const struct sk_buff *skb,
2862 const struct nlmsghdr *nlh,
2863 const struct nlattr * const nla[],
2864 struct netlink_ext_ack *extack,
2867 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2868 int family = nfmsg->nfgen_family;
2869 struct nft_table *table = NULL;
2871 if (nla[NFTA_SET_TABLE] != NULL) {
2872 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2874 if (IS_ERR(table)) {
2875 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2876 return PTR_ERR(table);
2880 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2884 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2885 const struct nlattr *nla, u8 genmask)
2887 struct nft_set *set;
2890 return ERR_PTR(-EINVAL);
2892 list_for_each_entry_rcu(set, &table->sets, list) {
2893 if (!nla_strcmp(nla, set->name) &&
2894 nft_active_genmask(set, genmask))
2897 return ERR_PTR(-ENOENT);
2900 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2901 const struct nlattr *nla,
2904 struct nft_set *set;
2906 list_for_each_entry(set, &table->sets, list) {
2907 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2908 nft_active_genmask(set, genmask))
2911 return ERR_PTR(-ENOENT);
2914 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2915 const struct nlattr *nla, u8 genmask)
2917 struct nft_trans *trans;
2918 u32 id = ntohl(nla_get_be32(nla));
2920 list_for_each_entry(trans, &net->nft.commit_list, list) {
2921 if (trans->msg_type == NFT_MSG_NEWSET) {
2922 struct nft_set *set = nft_trans_set(trans);
2924 if (id == nft_trans_set_id(trans) &&
2925 nft_active_genmask(set, genmask))
2929 return ERR_PTR(-ENOENT);
2932 struct nft_set *nft_set_lookup_global(const struct net *net,
2933 const struct nft_table *table,
2934 const struct nlattr *nla_set_name,
2935 const struct nlattr *nla_set_id,
2938 struct nft_set *set;
2940 set = nft_set_lookup(table, nla_set_name, genmask);
2945 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2949 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2951 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2954 const struct nft_set *i;
2956 unsigned long *inuse;
2957 unsigned int n = 0, min = 0;
2959 p = strchr(name, '%');
2961 if (p[1] != 'd' || strchr(p + 2, '%'))
2964 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2968 list_for_each_entry(i, &ctx->table->sets, list) {
2971 if (!nft_is_active_next(ctx->net, set))
2973 if (!sscanf(i->name, name, &tmp))
2975 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2978 set_bit(tmp - min, inuse);
2981 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2982 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2983 min += BITS_PER_BYTE * PAGE_SIZE;
2984 memset(inuse, 0, PAGE_SIZE);
2987 free_page((unsigned long)inuse);
2990 set->name = kasprintf(GFP_KERNEL, name, min + n);
2994 list_for_each_entry(i, &ctx->table->sets, list) {
2995 if (!nft_is_active_next(ctx->net, i))
2997 if (!strcmp(set->name, i->name)) {
3005 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3007 u64 ms = be64_to_cpu(nla_get_be64(nla));
3008 u64 max = (u64)(~((u64)0));
3010 max = div_u64(max, NSEC_PER_MSEC);
3014 ms *= NSEC_PER_MSEC;
3015 *result = nsecs_to_jiffies64(ms);
3019 static __be64 nf_jiffies64_to_msecs(u64 input)
3021 u64 ms = jiffies64_to_nsecs(input);
3023 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3026 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3027 const struct nft_set *set, u16 event, u16 flags)
3029 struct nfgenmsg *nfmsg;
3030 struct nlmsghdr *nlh;
3031 struct nlattr *desc;
3032 u32 portid = ctx->portid;
3035 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3036 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3039 goto nla_put_failure;
3041 nfmsg = nlmsg_data(nlh);
3042 nfmsg->nfgen_family = ctx->family;
3043 nfmsg->version = NFNETLINK_V0;
3044 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3046 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3047 goto nla_put_failure;
3048 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3049 goto nla_put_failure;
3050 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3052 goto nla_put_failure;
3053 if (set->flags != 0)
3054 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3055 goto nla_put_failure;
3057 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3058 goto nla_put_failure;
3059 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3060 goto nla_put_failure;
3061 if (set->flags & NFT_SET_MAP) {
3062 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3063 goto nla_put_failure;
3064 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3065 goto nla_put_failure;
3067 if (set->flags & NFT_SET_OBJECT &&
3068 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3069 goto nla_put_failure;
3072 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3073 nf_jiffies64_to_msecs(set->timeout),
3075 goto nla_put_failure;
3077 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3078 goto nla_put_failure;
3080 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3081 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3082 goto nla_put_failure;
3085 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3086 goto nla_put_failure;
3088 desc = nla_nest_start(skb, NFTA_SET_DESC);
3090 goto nla_put_failure;
3092 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3093 goto nla_put_failure;
3094 nla_nest_end(skb, desc);
3096 nlmsg_end(skb, nlh);
3100 nlmsg_trim(skb, nlh);
3104 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3105 const struct nft_set *set, int event,
3108 struct sk_buff *skb;
3109 u32 portid = ctx->portid;
3113 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3116 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3120 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3126 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3130 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3133 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3135 const struct nft_set *set;
3136 unsigned int idx, s_idx = cb->args[0];
3137 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3138 struct net *net = sock_net(skb->sk);
3139 struct nft_ctx *ctx = cb->data, ctx_set;
3145 cb->seq = net->nft.base_seq;
3147 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3148 if (ctx->family != NFPROTO_UNSPEC &&
3149 ctx->family != table->family)
3152 if (ctx->table && ctx->table != table)
3156 if (cur_table != table)
3162 list_for_each_entry_rcu(set, &table->sets, list) {
3165 if (!nft_is_active(net, set))
3169 ctx_set.table = table;
3170 ctx_set.family = table->family;
3172 if (nf_tables_fill_set(skb, &ctx_set, set,
3176 cb->args[2] = (unsigned long) table;
3179 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3192 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3194 struct nft_ctx *ctx_dump = NULL;
3196 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3197 if (ctx_dump == NULL)
3200 cb->data = ctx_dump;
3204 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3210 /* called with rcu_read_lock held */
3211 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3212 struct sk_buff *skb, const struct nlmsghdr *nlh,
3213 const struct nlattr * const nla[],
3214 struct netlink_ext_ack *extack)
3216 u8 genmask = nft_genmask_cur(net);
3217 const struct nft_set *set;
3219 struct sk_buff *skb2;
3220 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3223 /* Verify existence before starting dump */
3224 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3229 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3230 struct netlink_dump_control c = {
3231 .start = nf_tables_dump_sets_start,
3232 .dump = nf_tables_dump_sets,
3233 .done = nf_tables_dump_sets_done,
3235 .module = THIS_MODULE,
3238 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3241 /* Only accept unspec with dump */
3242 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3243 return -EAFNOSUPPORT;
3244 if (!nla[NFTA_SET_TABLE])
3247 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3249 return PTR_ERR(set);
3251 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3255 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3259 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3266 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3267 struct nft_set_desc *desc,
3268 const struct nlattr *nla)
3270 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3273 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3274 nft_set_desc_policy, NULL);
3278 if (da[NFTA_SET_DESC_SIZE] != NULL)
3279 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3284 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3285 struct sk_buff *skb, const struct nlmsghdr *nlh,
3286 const struct nlattr * const nla[],
3287 struct netlink_ext_ack *extack)
3289 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3290 u8 genmask = nft_genmask_next(net);
3291 int family = nfmsg->nfgen_family;
3292 const struct nft_set_ops *ops;
3293 struct nft_table *table;
3294 struct nft_set *set;
3300 u32 ktype, dtype, flags, policy, gc_int, objtype;
3301 struct nft_set_desc desc;
3302 unsigned char *udata;
3306 if (nla[NFTA_SET_TABLE] == NULL ||
3307 nla[NFTA_SET_NAME] == NULL ||
3308 nla[NFTA_SET_KEY_LEN] == NULL ||
3309 nla[NFTA_SET_ID] == NULL)
3312 memset(&desc, 0, sizeof(desc));
3314 ktype = NFT_DATA_VALUE;
3315 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3316 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3317 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3321 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3322 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3326 if (nla[NFTA_SET_FLAGS] != NULL) {
3327 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3328 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3329 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3330 NFT_SET_MAP | NFT_SET_EVAL |
3333 /* Only one of these operations is supported */
3334 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3335 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3340 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3341 if (!(flags & NFT_SET_MAP))
3344 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3345 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3346 dtype != NFT_DATA_VERDICT)
3349 if (dtype != NFT_DATA_VERDICT) {
3350 if (nla[NFTA_SET_DATA_LEN] == NULL)
3352 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3353 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3356 desc.dlen = sizeof(struct nft_verdict);
3357 } else if (flags & NFT_SET_MAP)
3360 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3361 if (!(flags & NFT_SET_OBJECT))
3364 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3365 if (objtype == NFT_OBJECT_UNSPEC ||
3366 objtype > NFT_OBJECT_MAX)
3368 } else if (flags & NFT_SET_OBJECT)
3371 objtype = NFT_OBJECT_UNSPEC;
3374 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3375 if (!(flags & NFT_SET_TIMEOUT))
3378 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3383 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3384 if (!(flags & NFT_SET_TIMEOUT))
3386 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3389 policy = NFT_SET_POL_PERFORMANCE;
3390 if (nla[NFTA_SET_POLICY] != NULL)
3391 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3393 if (nla[NFTA_SET_DESC] != NULL) {
3394 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3399 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3401 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3402 if (IS_ERR(table)) {
3403 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3404 return PTR_ERR(table);
3407 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3409 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3411 if (PTR_ERR(set) != -ENOENT) {
3412 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3413 return PTR_ERR(set);
3416 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3417 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3420 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3426 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3429 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3431 return PTR_ERR(ops);
3434 if (nla[NFTA_SET_USERDATA])
3435 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3438 if (ops->privsize != NULL)
3439 size = ops->privsize(nla, &desc);
3441 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3447 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3453 err = nf_tables_set_alloc_name(&ctx, set, name);
3460 udata = set->data + size;
3461 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3464 INIT_LIST_HEAD(&set->bindings);
3466 write_pnet(&set->net, net);
3469 set->klen = desc.klen;
3471 set->objtype = objtype;
3472 set->dlen = desc.dlen;
3474 set->size = desc.size;
3475 set->policy = policy;
3478 set->timeout = timeout;
3479 set->gc_int = gc_int;
3480 set->handle = nf_tables_alloc_handle(table);
3482 err = ops->init(set, &desc, nla);
3486 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3490 list_add_tail_rcu(&set->list, &table->sets);
3501 module_put(to_set_type(ops)->owner);
3505 static void nft_set_destroy(struct nft_set *set)
3507 set->ops->destroy(set);
3508 module_put(to_set_type(set->ops)->owner);
3513 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3515 list_del_rcu(&set->list);
3516 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3517 nft_set_destroy(set);
3520 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3521 struct sk_buff *skb, const struct nlmsghdr *nlh,
3522 const struct nlattr * const nla[],
3523 struct netlink_ext_ack *extack)
3525 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3526 u8 genmask = nft_genmask_next(net);
3527 const struct nlattr *attr;
3528 struct nft_set *set;
3532 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3533 return -EAFNOSUPPORT;
3534 if (nla[NFTA_SET_TABLE] == NULL)
3537 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3542 if (nla[NFTA_SET_HANDLE]) {
3543 attr = nla[NFTA_SET_HANDLE];
3544 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3546 attr = nla[NFTA_SET_NAME];
3547 set = nft_set_lookup(ctx.table, attr, genmask);
3551 NL_SET_BAD_ATTR(extack, attr);
3552 return PTR_ERR(set);
3554 if (!list_empty(&set->bindings) ||
3555 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3556 NL_SET_BAD_ATTR(extack, attr);
3560 return nft_delset(&ctx, set);
3563 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3564 struct nft_set *set,
3565 const struct nft_set_iter *iter,
3566 struct nft_set_elem *elem)
3568 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3569 enum nft_registers dreg;
3571 dreg = nft_type_to_reg(set->dtype);
3572 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3573 set->dtype == NFT_DATA_VERDICT ?
3574 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3578 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3579 struct nft_set_binding *binding)
3581 struct nft_set_binding *i;
3582 struct nft_set_iter iter;
3584 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3587 if (binding->flags & NFT_SET_MAP) {
3588 /* If the set is already bound to the same chain all
3589 * jumps are already validated for that chain.
3591 list_for_each_entry(i, &set->bindings, list) {
3592 if (i->flags & NFT_SET_MAP &&
3593 i->chain == binding->chain)
3597 iter.genmask = nft_genmask_next(ctx->net);
3601 iter.fn = nf_tables_bind_check_setelem;
3603 set->ops->walk(ctx, set, &iter);
3608 binding->chain = ctx->chain;
3609 list_add_tail_rcu(&binding->list, &set->bindings);
3612 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3614 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3615 struct nft_set_binding *binding)
3617 list_del_rcu(&binding->list);
3619 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3620 nft_is_active(ctx->net, set))
3621 nf_tables_set_destroy(ctx, set);
3623 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3625 const struct nft_set_ext_type nft_set_ext_types[] = {
3626 [NFT_SET_EXT_KEY] = {
3627 .align = __alignof__(u32),
3629 [NFT_SET_EXT_DATA] = {
3630 .align = __alignof__(u32),
3632 [NFT_SET_EXT_EXPR] = {
3633 .align = __alignof__(struct nft_expr),
3635 [NFT_SET_EXT_OBJREF] = {
3636 .len = sizeof(struct nft_object *),
3637 .align = __alignof__(struct nft_object *),
3639 [NFT_SET_EXT_FLAGS] = {
3641 .align = __alignof__(u8),
3643 [NFT_SET_EXT_TIMEOUT] = {
3645 .align = __alignof__(u64),
3647 [NFT_SET_EXT_EXPIRATION] = {
3649 .align = __alignof__(u64),
3651 [NFT_SET_EXT_USERDATA] = {
3652 .len = sizeof(struct nft_userdata),
3653 .align = __alignof__(struct nft_userdata),
3656 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3662 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3663 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3664 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3665 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3666 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3667 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3668 .len = NFT_USERDATA_MAXLEN },
3669 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3670 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3673 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3674 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3675 .len = NFT_TABLE_MAXNAMELEN - 1 },
3676 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3677 .len = NFT_SET_MAXNAMELEN - 1 },
3678 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3679 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3682 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3683 const struct sk_buff *skb,
3684 const struct nlmsghdr *nlh,
3685 const struct nlattr * const nla[],
3686 struct netlink_ext_ack *extack,
3689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3690 int family = nfmsg->nfgen_family;
3691 struct nft_table *table;
3693 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3695 if (IS_ERR(table)) {
3696 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3697 return PTR_ERR(table);
3700 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3704 static int nf_tables_fill_setelem(struct sk_buff *skb,
3705 const struct nft_set *set,
3706 const struct nft_set_elem *elem)
3708 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3709 unsigned char *b = skb_tail_pointer(skb);
3710 struct nlattr *nest;
3712 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3714 goto nla_put_failure;
3716 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3717 NFT_DATA_VALUE, set->klen) < 0)
3718 goto nla_put_failure;
3720 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3721 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3722 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3724 goto nla_put_failure;
3726 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3727 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3728 goto nla_put_failure;
3730 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3731 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3732 (*nft_set_ext_obj(ext))->name) < 0)
3733 goto nla_put_failure;
3735 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3736 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3737 htonl(*nft_set_ext_flags(ext))))
3738 goto nla_put_failure;
3740 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3741 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3742 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3744 goto nla_put_failure;
3746 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3747 u64 expires, now = get_jiffies_64();
3749 expires = *nft_set_ext_expiration(ext);
3750 if (time_before64(now, expires))
3755 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3756 nf_jiffies64_to_msecs(expires),
3758 goto nla_put_failure;
3761 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3762 struct nft_userdata *udata;
3764 udata = nft_set_ext_userdata(ext);
3765 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3766 udata->len + 1, udata->data))
3767 goto nla_put_failure;
3770 nla_nest_end(skb, nest);
3778 struct nft_set_dump_args {
3779 const struct netlink_callback *cb;
3780 struct nft_set_iter iter;
3781 struct sk_buff *skb;
3784 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3785 struct nft_set *set,
3786 const struct nft_set_iter *iter,
3787 struct nft_set_elem *elem)
3789 struct nft_set_dump_args *args;
3791 args = container_of(iter, struct nft_set_dump_args, iter);
3792 return nf_tables_fill_setelem(args->skb, set, elem);
3795 struct nft_set_dump_ctx {
3796 const struct nft_set *set;
3800 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3802 struct nft_set_dump_ctx *dump_ctx = cb->data;
3803 struct net *net = sock_net(skb->sk);
3804 struct nft_table *table;
3805 struct nft_set *set;
3806 struct nft_set_dump_args args;
3807 bool set_found = false;
3808 struct nfgenmsg *nfmsg;
3809 struct nlmsghdr *nlh;
3810 struct nlattr *nest;
3815 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3816 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3817 dump_ctx->ctx.family != table->family)
3820 if (table != dump_ctx->ctx.table)
3823 list_for_each_entry_rcu(set, &table->sets, list) {
3824 if (set == dump_ctx->set) {
3837 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3838 portid = NETLINK_CB(cb->skb).portid;
3839 seq = cb->nlh->nlmsg_seq;
3841 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3844 goto nla_put_failure;
3846 nfmsg = nlmsg_data(nlh);
3847 nfmsg->nfgen_family = table->family;
3848 nfmsg->version = NFNETLINK_V0;
3849 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3851 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3852 goto nla_put_failure;
3853 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3854 goto nla_put_failure;
3856 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3858 goto nla_put_failure;
3862 args.iter.genmask = nft_genmask_cur(net);
3863 args.iter.skip = cb->args[0];
3864 args.iter.count = 0;
3866 args.iter.fn = nf_tables_dump_setelem;
3867 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3870 nla_nest_end(skb, nest);
3871 nlmsg_end(skb, nlh);
3873 if (args.iter.err && args.iter.err != -EMSGSIZE)
3874 return args.iter.err;
3875 if (args.iter.count == cb->args[0])
3878 cb->args[0] = args.iter.count;
3886 static int nf_tables_dump_set_start(struct netlink_callback *cb)
3888 struct nft_set_dump_ctx *dump_ctx = cb->data;
3890 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
3892 return cb->data ? 0 : -ENOMEM;
3895 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3901 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3902 const struct nft_ctx *ctx, u32 seq,
3903 u32 portid, int event, u16 flags,
3904 const struct nft_set *set,
3905 const struct nft_set_elem *elem)
3907 struct nfgenmsg *nfmsg;
3908 struct nlmsghdr *nlh;
3909 struct nlattr *nest;
3912 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3913 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3916 goto nla_put_failure;
3918 nfmsg = nlmsg_data(nlh);
3919 nfmsg->nfgen_family = ctx->family;
3920 nfmsg->version = NFNETLINK_V0;
3921 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3923 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3924 goto nla_put_failure;
3925 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3926 goto nla_put_failure;
3928 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3930 goto nla_put_failure;
3932 err = nf_tables_fill_setelem(skb, set, elem);
3934 goto nla_put_failure;
3936 nla_nest_end(skb, nest);
3938 nlmsg_end(skb, nlh);
3942 nlmsg_trim(skb, nlh);
3946 static int nft_setelem_parse_flags(const struct nft_set *set,
3947 const struct nlattr *attr, u32 *flags)
3952 *flags = ntohl(nla_get_be32(attr));
3953 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3955 if (!(set->flags & NFT_SET_INTERVAL) &&
3956 *flags & NFT_SET_ELEM_INTERVAL_END)
3962 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3963 const struct nlattr *attr)
3965 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3966 const struct nft_set_ext *ext;
3967 struct nft_data_desc desc;
3968 struct nft_set_elem elem;
3969 struct sk_buff *skb;
3974 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3975 nft_set_elem_policy, NULL);
3979 if (!nla[NFTA_SET_ELEM_KEY])
3982 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3986 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3987 nla[NFTA_SET_ELEM_KEY]);
3992 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3995 priv = set->ops->get(ctx->net, set, &elem, flags);
3997 return PTR_ERR(priv);
4000 ext = nft_set_elem_ext(set, &elem);
4003 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4007 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4008 NFT_MSG_NEWSETELEM, 0, set, &elem);
4012 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4013 /* This avoids a loop in nfnetlink. */
4021 /* this avoids a loop in nfnetlink. */
4022 return err == -EAGAIN ? -ENOBUFS : err;
4025 /* called with rcu_read_lock held */
4026 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4027 struct sk_buff *skb, const struct nlmsghdr *nlh,
4028 const struct nlattr * const nla[],
4029 struct netlink_ext_ack *extack)
4031 u8 genmask = nft_genmask_cur(net);
4032 struct nft_set *set;
4033 struct nlattr *attr;
4037 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4042 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4044 return PTR_ERR(set);
4046 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4047 struct netlink_dump_control c = {
4048 .start = nf_tables_dump_set_start,
4049 .dump = nf_tables_dump_set,
4050 .done = nf_tables_dump_set_done,
4051 .module = THIS_MODULE,
4053 struct nft_set_dump_ctx dump_ctx = {
4059 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4062 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4065 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4066 err = nft_get_set_elem(&ctx, set, attr);
4074 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4075 const struct nft_set *set,
4076 const struct nft_set_elem *elem,
4077 int event, u16 flags)
4079 struct net *net = ctx->net;
4080 u32 portid = ctx->portid;
4081 struct sk_buff *skb;
4084 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4087 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4091 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4098 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4102 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4105 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4107 struct nft_set *set)
4109 struct nft_trans *trans;
4111 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4115 nft_trans_elem_set(trans) = set;
4119 void *nft_set_elem_init(const struct nft_set *set,
4120 const struct nft_set_ext_tmpl *tmpl,
4121 const u32 *key, const u32 *data,
4122 u64 timeout, gfp_t gfp)
4124 struct nft_set_ext *ext;
4127 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4131 ext = nft_set_elem_ext(set, elem);
4132 nft_set_ext_init(ext, tmpl);
4134 memcpy(nft_set_ext_key(ext), key, set->klen);
4135 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4136 memcpy(nft_set_ext_data(ext), data, set->dlen);
4137 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4138 *nft_set_ext_expiration(ext) =
4139 get_jiffies_64() + timeout;
4140 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4141 *nft_set_ext_timeout(ext) = timeout;
4146 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4149 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4150 struct nft_ctx ctx = {
4151 .net = read_pnet(&set->net),
4152 .family = set->table->family,
4155 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4156 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4157 nft_data_release(nft_set_ext_data(ext), set->dtype);
4158 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4159 struct nft_expr *expr = nft_set_ext_expr(ext);
4161 if (expr->ops->destroy_clone) {
4162 expr->ops->destroy_clone(&ctx, expr);
4163 module_put(expr->ops->type->owner);
4165 nf_tables_expr_destroy(&ctx, expr);
4168 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4169 (*nft_set_ext_obj(ext))->use--;
4172 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4174 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4175 * the refcounting from the preparation phase.
4177 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4178 const struct nft_set *set, void *elem)
4180 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4182 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4183 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4187 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4188 const struct nlattr *attr, u32 nlmsg_flags)
4190 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4191 u8 genmask = nft_genmask_next(ctx->net);
4192 struct nft_data_desc d1, d2;
4193 struct nft_set_ext_tmpl tmpl;
4194 struct nft_set_ext *ext, *ext2;
4195 struct nft_set_elem elem;
4196 struct nft_set_binding *binding;
4197 struct nft_object *obj = NULL;
4198 struct nft_userdata *udata;
4199 struct nft_data data;
4200 enum nft_registers dreg;
4201 struct nft_trans *trans;
4207 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4208 nft_set_elem_policy, NULL);
4212 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4215 nft_set_ext_prepare(&tmpl);
4217 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4221 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4223 if (set->flags & NFT_SET_MAP) {
4224 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4225 !(flags & NFT_SET_ELEM_INTERVAL_END))
4227 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4228 flags & NFT_SET_ELEM_INTERVAL_END)
4231 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4236 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4237 if (!(set->flags & NFT_SET_TIMEOUT))
4239 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4243 } else if (set->flags & NFT_SET_TIMEOUT) {
4244 timeout = set->timeout;
4247 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4248 nla[NFTA_SET_ELEM_KEY]);
4252 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4255 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4257 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4258 if (timeout != set->timeout)
4259 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4262 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4263 if (!(set->flags & NFT_SET_OBJECT)) {
4267 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4268 set->objtype, genmask);
4273 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4276 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4277 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4278 nla[NFTA_SET_ELEM_DATA]);
4283 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4286 dreg = nft_type_to_reg(set->dtype);
4287 list_for_each_entry(binding, &set->bindings, list) {
4288 struct nft_ctx bind_ctx = {
4290 .family = ctx->family,
4291 .table = ctx->table,
4292 .chain = (struct nft_chain *)binding->chain,
4295 if (!(binding->flags & NFT_SET_MAP))
4298 err = nft_validate_register_store(&bind_ctx, dreg,
4304 if (d2.type == NFT_DATA_VERDICT &&
4305 (data.verdict.code == NFT_GOTO ||
4306 data.verdict.code == NFT_JUMP))
4307 nft_validate_state_update(ctx->net,
4311 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4314 /* The full maximum length of userdata can exceed the maximum
4315 * offset value (U8_MAX) for following extensions, therefor it
4316 * must be the last extension added.
4319 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4320 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4322 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4327 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4328 timeout, GFP_KERNEL);
4329 if (elem.priv == NULL)
4332 ext = nft_set_elem_ext(set, elem.priv);
4334 *nft_set_ext_flags(ext) = flags;
4336 udata = nft_set_ext_userdata(ext);
4337 udata->len = ulen - 1;
4338 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4341 *nft_set_ext_obj(ext) = obj;
4345 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4349 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4350 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4352 if (err == -EEXIST) {
4353 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4354 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4355 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4356 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4360 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4361 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4362 memcmp(nft_set_ext_data(ext),
4363 nft_set_ext_data(ext2), set->dlen) != 0) ||
4364 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4365 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4366 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4368 else if (!(nlmsg_flags & NLM_F_EXCL))
4375 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4380 nft_trans_elem(trans) = elem;
4381 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4385 set->ops->remove(ctx->net, set, &elem);
4391 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4392 nft_data_release(&data, d2.type);
4394 nft_data_release(&elem.key.val, d1.type);
4399 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4400 struct sk_buff *skb, const struct nlmsghdr *nlh,
4401 const struct nlattr * const nla[],
4402 struct netlink_ext_ack *extack)
4404 u8 genmask = nft_genmask_next(net);
4405 const struct nlattr *attr;
4406 struct nft_set *set;
4410 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4413 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4418 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4419 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4421 return PTR_ERR(set);
4423 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4426 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4427 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4432 if (net->nft.validate_state == NFT_VALIDATE_DO)
4433 return nft_table_validate(net, ctx.table);
4439 * nft_data_hold - hold a nft_data item
4441 * @data: struct nft_data to release
4442 * @type: type of data
4444 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4445 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4446 * NFT_GOTO verdicts. This function must be called on active data objects
4447 * from the second phase of the commit protocol.
4449 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4451 if (type == NFT_DATA_VERDICT) {
4452 switch (data->verdict.code) {
4455 data->verdict.chain->use++;
4461 static void nft_set_elem_activate(const struct net *net,
4462 const struct nft_set *set,
4463 struct nft_set_elem *elem)
4465 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4467 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4468 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4469 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4470 (*nft_set_ext_obj(ext))->use++;
4473 static void nft_set_elem_deactivate(const struct net *net,
4474 const struct nft_set *set,
4475 struct nft_set_elem *elem)
4477 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4479 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4480 nft_data_release(nft_set_ext_data(ext), set->dtype);
4481 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4482 (*nft_set_ext_obj(ext))->use--;
4485 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4486 const struct nlattr *attr)
4488 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4489 struct nft_set_ext_tmpl tmpl;
4490 struct nft_data_desc desc;
4491 struct nft_set_elem elem;
4492 struct nft_set_ext *ext;
4493 struct nft_trans *trans;
4498 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4499 nft_set_elem_policy, NULL);
4504 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4507 nft_set_ext_prepare(&tmpl);
4509 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4513 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4515 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4516 nla[NFTA_SET_ELEM_KEY]);
4521 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4524 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4527 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4529 if (elem.priv == NULL)
4532 ext = nft_set_elem_ext(set, elem.priv);
4534 *nft_set_ext_flags(ext) = flags;
4536 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4537 if (trans == NULL) {
4542 priv = set->ops->deactivate(ctx->net, set, &elem);
4550 nft_set_elem_deactivate(ctx->net, set, &elem);
4552 nft_trans_elem(trans) = elem;
4553 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4561 nft_data_release(&elem.key.val, desc.type);
4566 static int nft_flush_set(const struct nft_ctx *ctx,
4567 struct nft_set *set,
4568 const struct nft_set_iter *iter,
4569 struct nft_set_elem *elem)
4571 struct nft_trans *trans;
4574 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4575 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4579 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4585 nft_trans_elem_set(trans) = set;
4586 nft_trans_elem(trans) = *elem;
4587 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4595 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4596 struct sk_buff *skb, const struct nlmsghdr *nlh,
4597 const struct nlattr * const nla[],
4598 struct netlink_ext_ack *extack)
4600 u8 genmask = nft_genmask_next(net);
4601 const struct nlattr *attr;
4602 struct nft_set *set;
4606 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4611 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4613 return PTR_ERR(set);
4614 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4617 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4618 struct nft_set_iter iter = {
4620 .fn = nft_flush_set,
4622 set->ops->walk(&ctx, set, &iter);
4627 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4628 err = nft_del_setelem(&ctx, set, attr);
4637 void nft_set_gc_batch_release(struct rcu_head *rcu)
4639 struct nft_set_gc_batch *gcb;
4642 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4643 for (i = 0; i < gcb->head.cnt; i++)
4644 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4647 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4649 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4652 struct nft_set_gc_batch *gcb;
4654 gcb = kzalloc(sizeof(*gcb), gfp);
4657 gcb->head.set = set;
4660 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4667 * nft_register_obj- register nf_tables stateful object type
4670 * Registers the object type for use with nf_tables. Returns zero on
4671 * success or a negative errno code otherwise.
4673 int nft_register_obj(struct nft_object_type *obj_type)
4675 if (obj_type->type == NFT_OBJECT_UNSPEC)
4678 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4679 list_add_rcu(&obj_type->list, &nf_tables_objects);
4680 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4683 EXPORT_SYMBOL_GPL(nft_register_obj);
4686 * nft_unregister_obj - unregister nf_tables object type
4689 * Unregisters the object type for use with nf_tables.
4691 void nft_unregister_obj(struct nft_object_type *obj_type)
4693 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4694 list_del_rcu(&obj_type->list);
4695 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4697 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4699 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4700 const struct nlattr *nla, u32 objtype,
4703 struct nft_object *obj;
4705 list_for_each_entry_rcu(obj, &table->objects, list) {
4706 if (!nla_strcmp(nla, obj->name) &&
4707 objtype == obj->ops->type->type &&
4708 nft_active_genmask(obj, genmask))
4711 return ERR_PTR(-ENOENT);
4713 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4715 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4716 const struct nlattr *nla,
4717 u32 objtype, u8 genmask)
4719 struct nft_object *obj;
4721 list_for_each_entry(obj, &table->objects, list) {
4722 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4723 objtype == obj->ops->type->type &&
4724 nft_active_genmask(obj, genmask))
4727 return ERR_PTR(-ENOENT);
4730 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4731 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4732 .len = NFT_TABLE_MAXNAMELEN - 1 },
4733 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4734 .len = NFT_OBJ_MAXNAMELEN - 1 },
4735 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4736 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4737 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4740 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4741 const struct nft_object_type *type,
4742 const struct nlattr *attr)
4745 const struct nft_object_ops *ops;
4746 struct nft_object *obj;
4749 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4754 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4759 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4762 if (type->select_ops) {
4763 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4773 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4777 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4790 return ERR_PTR(err);
4793 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4794 struct nft_object *obj, bool reset)
4796 struct nlattr *nest;
4798 nest = nla_nest_start(skb, attr);
4800 goto nla_put_failure;
4801 if (obj->ops->dump(skb, obj, reset) < 0)
4802 goto nla_put_failure;
4803 nla_nest_end(skb, nest);
4810 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4812 const struct nft_object_type *type;
4814 list_for_each_entry(type, &nf_tables_objects, list) {
4815 if (objtype == type->type)
4821 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4823 const struct nft_object_type *type;
4825 type = __nft_obj_type_get(objtype);
4826 if (type != NULL && try_module_get(type->owner))
4829 #ifdef CONFIG_MODULES
4831 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4832 request_module("nft-obj-%u", objtype);
4833 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4834 if (__nft_obj_type_get(objtype))
4835 return ERR_PTR(-EAGAIN);
4838 return ERR_PTR(-ENOENT);
4841 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4842 struct sk_buff *skb, const struct nlmsghdr *nlh,
4843 const struct nlattr * const nla[],
4844 struct netlink_ext_ack *extack)
4846 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4847 const struct nft_object_type *type;
4848 u8 genmask = nft_genmask_next(net);
4849 int family = nfmsg->nfgen_family;
4850 struct nft_table *table;
4851 struct nft_object *obj;
4856 if (!nla[NFTA_OBJ_TYPE] ||
4857 !nla[NFTA_OBJ_NAME] ||
4858 !nla[NFTA_OBJ_DATA])
4861 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4862 if (IS_ERR(table)) {
4863 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4864 return PTR_ERR(table);
4867 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4868 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4871 if (err != -ENOENT) {
4872 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4876 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4877 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4883 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4885 type = nft_obj_type_get(objtype);
4887 return PTR_ERR(type);
4889 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4895 obj->handle = nf_tables_alloc_handle(table);
4897 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4903 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4907 list_add_tail_rcu(&obj->list, &table->objects);
4913 if (obj->ops->destroy)
4914 obj->ops->destroy(&ctx, obj);
4917 module_put(type->owner);
4921 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4922 u32 portid, u32 seq, int event, u32 flags,
4923 int family, const struct nft_table *table,
4924 struct nft_object *obj, bool reset)
4926 struct nfgenmsg *nfmsg;
4927 struct nlmsghdr *nlh;
4929 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4930 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4932 goto nla_put_failure;
4934 nfmsg = nlmsg_data(nlh);
4935 nfmsg->nfgen_family = family;
4936 nfmsg->version = NFNETLINK_V0;
4937 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4939 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4940 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4941 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4942 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4943 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4944 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4946 goto nla_put_failure;
4948 nlmsg_end(skb, nlh);
4952 nlmsg_trim(skb, nlh);
4956 struct nft_obj_filter {
4961 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4963 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4964 const struct nft_table *table;
4965 unsigned int idx = 0, s_idx = cb->args[0];
4966 struct nft_obj_filter *filter = cb->data;
4967 struct net *net = sock_net(skb->sk);
4968 int family = nfmsg->nfgen_family;
4969 struct nft_object *obj;
4972 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4976 cb->seq = net->nft.base_seq;
4978 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4979 if (family != NFPROTO_UNSPEC && family != table->family)
4982 list_for_each_entry_rcu(obj, &table->objects, list) {
4983 if (!nft_is_active(net, obj))
4988 memset(&cb->args[1], 0,
4989 sizeof(cb->args) - sizeof(cb->args[0]));
4990 if (filter && filter->table &&
4991 strcmp(filter->table, table->name))
4994 filter->type != NFT_OBJECT_UNSPEC &&
4995 obj->ops->type->type != filter->type)
4998 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5001 NLM_F_MULTI | NLM_F_APPEND,
5002 table->family, table,
5006 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5018 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5020 const struct nlattr * const *nla = cb->data;
5021 struct nft_obj_filter *filter = NULL;
5023 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5024 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5028 if (nla[NFTA_OBJ_TABLE]) {
5029 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5030 if (!filter->table) {
5036 if (nla[NFTA_OBJ_TYPE])
5037 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5044 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5046 struct nft_obj_filter *filter = cb->data;
5049 kfree(filter->table);
5056 /* called with rcu_read_lock held */
5057 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5058 struct sk_buff *skb, const struct nlmsghdr *nlh,
5059 const struct nlattr * const nla[],
5060 struct netlink_ext_ack *extack)
5062 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5063 u8 genmask = nft_genmask_cur(net);
5064 int family = nfmsg->nfgen_family;
5065 const struct nft_table *table;
5066 struct nft_object *obj;
5067 struct sk_buff *skb2;
5072 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5073 struct netlink_dump_control c = {
5074 .start = nf_tables_dump_obj_start,
5075 .dump = nf_tables_dump_obj,
5076 .done = nf_tables_dump_obj_done,
5077 .module = THIS_MODULE,
5078 .data = (void *)nla,
5081 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5084 if (!nla[NFTA_OBJ_NAME] ||
5085 !nla[NFTA_OBJ_TYPE])
5088 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5089 if (IS_ERR(table)) {
5090 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5091 return PTR_ERR(table);
5094 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5095 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
5097 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5098 return PTR_ERR(obj);
5101 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5105 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5108 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5109 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5110 family, table, obj, reset);
5114 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5120 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5122 if (obj->ops->destroy)
5123 obj->ops->destroy(ctx, obj);
5125 module_put(obj->ops->type->owner);
5130 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5131 struct sk_buff *skb, const struct nlmsghdr *nlh,
5132 const struct nlattr * const nla[],
5133 struct netlink_ext_ack *extack)
5135 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5136 u8 genmask = nft_genmask_next(net);
5137 int family = nfmsg->nfgen_family;
5138 const struct nlattr *attr;
5139 struct nft_table *table;
5140 struct nft_object *obj;
5144 if (!nla[NFTA_OBJ_TYPE] ||
5145 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5148 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5149 if (IS_ERR(table)) {
5150 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5151 return PTR_ERR(table);
5154 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5155 if (nla[NFTA_OBJ_HANDLE]) {
5156 attr = nla[NFTA_OBJ_HANDLE];
5157 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5159 attr = nla[NFTA_OBJ_NAME];
5160 obj = nft_obj_lookup(table, attr, objtype, genmask);
5164 NL_SET_BAD_ATTR(extack, attr);
5165 return PTR_ERR(obj);
5168 NL_SET_BAD_ATTR(extack, attr);
5172 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5174 return nft_delobj(&ctx, obj);
5177 void nft_obj_notify(struct net *net, struct nft_table *table,
5178 struct nft_object *obj, u32 portid, u32 seq, int event,
5179 int family, int report, gfp_t gfp)
5181 struct sk_buff *skb;
5185 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5188 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5192 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5199 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5202 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5204 EXPORT_SYMBOL_GPL(nft_obj_notify);
5206 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5207 struct nft_object *obj, int event)
5209 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5210 ctx->family, ctx->report, GFP_KERNEL);
5216 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5218 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5219 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5220 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5222 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5224 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5226 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5227 list_del_rcu(&type->list);
5228 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5230 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5232 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5233 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5234 .len = NFT_NAME_MAXLEN - 1 },
5235 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5236 .len = NFT_NAME_MAXLEN - 1 },
5237 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5238 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5241 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5242 const struct nlattr *nla, u8 genmask)
5244 struct nft_flowtable *flowtable;
5246 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5247 if (!nla_strcmp(nla, flowtable->name) &&
5248 nft_active_genmask(flowtable, genmask))
5251 return ERR_PTR(-ENOENT);
5253 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5255 static struct nft_flowtable *
5256 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5257 const struct nlattr *nla, u8 genmask)
5259 struct nft_flowtable *flowtable;
5261 list_for_each_entry(flowtable, &table->flowtables, list) {
5262 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5263 nft_active_genmask(flowtable, genmask))
5266 return ERR_PTR(-ENOENT);
5269 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5270 const struct nlattr *attr,
5271 struct net_device *dev_array[], int *len)
5273 const struct nlattr *tmp;
5274 struct net_device *dev;
5275 char ifname[IFNAMSIZ];
5276 int rem, n = 0, err;
5278 nla_for_each_nested(tmp, attr, rem) {
5279 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5284 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5285 dev = __dev_get_by_name(ctx->net, ifname);
5291 dev_array[n++] = dev;
5292 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5306 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5307 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5308 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5309 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5312 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5313 const struct nlattr *attr,
5314 struct nft_flowtable *flowtable)
5316 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5317 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5318 struct nf_hook_ops *ops;
5319 int hooknum, priority;
5322 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5323 nft_flowtable_hook_policy, NULL);
5327 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5328 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5329 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5332 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5333 if (hooknum != NF_NETDEV_INGRESS)
5336 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5338 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5343 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5347 flowtable->hooknum = hooknum;
5348 flowtable->priority = priority;
5349 flowtable->ops = ops;
5350 flowtable->ops_len = n;
5352 for (i = 0; i < n; i++) {
5353 flowtable->ops[i].pf = NFPROTO_NETDEV;
5354 flowtable->ops[i].hooknum = hooknum;
5355 flowtable->ops[i].priority = priority;
5356 flowtable->ops[i].priv = &flowtable->data;
5357 flowtable->ops[i].hook = flowtable->data.type->hook;
5358 flowtable->ops[i].dev = dev_array[i];
5364 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5366 const struct nf_flowtable_type *type;
5368 list_for_each_entry(type, &nf_tables_flowtables, list) {
5369 if (family == type->family)
5375 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5377 const struct nf_flowtable_type *type;
5379 type = __nft_flowtable_type_get(family);
5380 if (type != NULL && try_module_get(type->owner))
5383 #ifdef CONFIG_MODULES
5385 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5386 request_module("nf-flowtable-%u", family);
5387 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5388 if (__nft_flowtable_type_get(family))
5389 return ERR_PTR(-EAGAIN);
5392 return ERR_PTR(-ENOENT);
5395 static void nft_unregister_flowtable_net_hooks(struct net *net,
5396 struct nft_flowtable *flowtable)
5400 for (i = 0; i < flowtable->ops_len; i++) {
5401 if (!flowtable->ops[i].dev)
5404 nf_unregister_net_hook(net, &flowtable->ops[i]);
5408 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5409 struct sk_buff *skb,
5410 const struct nlmsghdr *nlh,
5411 const struct nlattr * const nla[],
5412 struct netlink_ext_ack *extack)
5414 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5415 const struct nf_flowtable_type *type;
5416 struct nft_flowtable *flowtable, *ft;
5417 u8 genmask = nft_genmask_next(net);
5418 int family = nfmsg->nfgen_family;
5419 struct nft_table *table;
5423 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5424 !nla[NFTA_FLOWTABLE_NAME] ||
5425 !nla[NFTA_FLOWTABLE_HOOK])
5428 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5430 if (IS_ERR(table)) {
5431 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5432 return PTR_ERR(table);
5435 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5437 if (IS_ERR(flowtable)) {
5438 err = PTR_ERR(flowtable);
5439 if (err != -ENOENT) {
5440 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5444 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5445 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5452 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5454 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5458 flowtable->table = table;
5459 flowtable->handle = nf_tables_alloc_handle(table);
5461 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5462 if (!flowtable->name) {
5467 type = nft_flowtable_type_get(family);
5469 err = PTR_ERR(type);
5473 flowtable->data.type = type;
5474 err = type->init(&flowtable->data);
5478 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5483 for (i = 0; i < flowtable->ops_len; i++) {
5484 if (!flowtable->ops[i].dev)
5487 list_for_each_entry(ft, &table->flowtables, list) {
5488 for (k = 0; k < ft->ops_len; k++) {
5489 if (!ft->ops[k].dev)
5492 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5493 flowtable->ops[i].pf == ft->ops[k].pf) {
5500 err = nf_register_net_hook(net, &flowtable->ops[i]);
5505 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5509 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5514 i = flowtable->ops_len;
5516 for (k = i - 1; k >= 0; k--)
5517 nf_unregister_net_hook(net, &flowtable->ops[k]);
5519 kfree(flowtable->ops);
5521 flowtable->data.type->free(&flowtable->data);
5523 module_put(type->owner);
5525 kfree(flowtable->name);
5531 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5532 struct sk_buff *skb,
5533 const struct nlmsghdr *nlh,
5534 const struct nlattr * const nla[],
5535 struct netlink_ext_ack *extack)
5537 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5538 u8 genmask = nft_genmask_next(net);
5539 int family = nfmsg->nfgen_family;
5540 struct nft_flowtable *flowtable;
5541 const struct nlattr *attr;
5542 struct nft_table *table;
5545 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5546 (!nla[NFTA_FLOWTABLE_NAME] &&
5547 !nla[NFTA_FLOWTABLE_HANDLE]))
5550 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5552 if (IS_ERR(table)) {
5553 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5554 return PTR_ERR(table);
5557 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5558 attr = nla[NFTA_FLOWTABLE_HANDLE];
5559 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5561 attr = nla[NFTA_FLOWTABLE_NAME];
5562 flowtable = nft_flowtable_lookup(table, attr, genmask);
5565 if (IS_ERR(flowtable)) {
5566 NL_SET_BAD_ATTR(extack, attr);
5567 return PTR_ERR(flowtable);
5569 if (flowtable->use > 0) {
5570 NL_SET_BAD_ATTR(extack, attr);
5574 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5576 return nft_delflowtable(&ctx, flowtable);
5579 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5580 u32 portid, u32 seq, int event,
5581 u32 flags, int family,
5582 struct nft_flowtable *flowtable)
5584 struct nlattr *nest, *nest_devs;
5585 struct nfgenmsg *nfmsg;
5586 struct nlmsghdr *nlh;
5589 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5590 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5592 goto nla_put_failure;
5594 nfmsg = nlmsg_data(nlh);
5595 nfmsg->nfgen_family = family;
5596 nfmsg->version = NFNETLINK_V0;
5597 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5599 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5600 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5601 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5602 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5603 NFTA_FLOWTABLE_PAD))
5604 goto nla_put_failure;
5606 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5607 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5608 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5609 goto nla_put_failure;
5611 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5613 goto nla_put_failure;
5615 for (i = 0; i < flowtable->ops_len; i++) {
5616 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5619 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5620 goto nla_put_failure;
5622 nla_nest_end(skb, nest_devs);
5623 nla_nest_end(skb, nest);
5625 nlmsg_end(skb, nlh);
5629 nlmsg_trim(skb, nlh);
5633 struct nft_flowtable_filter {
5637 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5638 struct netlink_callback *cb)
5640 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5641 struct nft_flowtable_filter *filter = cb->data;
5642 unsigned int idx = 0, s_idx = cb->args[0];
5643 struct net *net = sock_net(skb->sk);
5644 int family = nfmsg->nfgen_family;
5645 struct nft_flowtable *flowtable;
5646 const struct nft_table *table;
5649 cb->seq = net->nft.base_seq;
5651 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5652 if (family != NFPROTO_UNSPEC && family != table->family)
5655 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5656 if (!nft_is_active(net, flowtable))
5661 memset(&cb->args[1], 0,
5662 sizeof(cb->args) - sizeof(cb->args[0]));
5663 if (filter && filter->table &&
5664 strcmp(filter->table, table->name))
5667 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5669 NFT_MSG_NEWFLOWTABLE,
5670 NLM_F_MULTI | NLM_F_APPEND,
5671 table->family, flowtable) < 0)
5674 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5686 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5688 const struct nlattr * const *nla = cb->data;
5689 struct nft_flowtable_filter *filter = NULL;
5691 if (nla[NFTA_FLOWTABLE_TABLE]) {
5692 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5696 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5698 if (!filter->table) {
5708 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5710 struct nft_flowtable_filter *filter = cb->data;
5715 kfree(filter->table);
5721 /* called with rcu_read_lock held */
5722 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5723 struct sk_buff *skb,
5724 const struct nlmsghdr *nlh,
5725 const struct nlattr * const nla[],
5726 struct netlink_ext_ack *extack)
5728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5729 u8 genmask = nft_genmask_cur(net);
5730 int family = nfmsg->nfgen_family;
5731 struct nft_flowtable *flowtable;
5732 const struct nft_table *table;
5733 struct sk_buff *skb2;
5736 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5737 struct netlink_dump_control c = {
5738 .start = nf_tables_dump_flowtable_start,
5739 .dump = nf_tables_dump_flowtable,
5740 .done = nf_tables_dump_flowtable_done,
5741 .module = THIS_MODULE,
5742 .data = (void *)nla,
5745 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5748 if (!nla[NFTA_FLOWTABLE_NAME])
5751 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5754 return PTR_ERR(table);
5756 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5758 if (IS_ERR(flowtable))
5759 return PTR_ERR(flowtable);
5761 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5765 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5767 NFT_MSG_NEWFLOWTABLE, 0, family,
5772 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5778 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5779 struct nft_flowtable *flowtable,
5782 struct sk_buff *skb;
5786 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5789 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5793 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5795 ctx->family, flowtable);
5801 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5802 ctx->report, GFP_KERNEL);
5805 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5808 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5810 kfree(flowtable->ops);
5811 kfree(flowtable->name);
5812 flowtable->data.type->free(&flowtable->data);
5813 module_put(flowtable->data.type->owner);
5817 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5818 u32 portid, u32 seq)
5820 struct nlmsghdr *nlh;
5821 struct nfgenmsg *nfmsg;
5822 char buf[TASK_COMM_LEN];
5823 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5825 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5827 goto nla_put_failure;
5829 nfmsg = nlmsg_data(nlh);
5830 nfmsg->nfgen_family = AF_UNSPEC;
5831 nfmsg->version = NFNETLINK_V0;
5832 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5834 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5835 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5836 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5837 goto nla_put_failure;
5839 nlmsg_end(skb, nlh);
5843 nlmsg_trim(skb, nlh);
5847 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5848 struct nft_flowtable *flowtable)
5852 for (i = 0; i < flowtable->ops_len; i++) {
5853 if (flowtable->ops[i].dev != dev)
5856 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5857 flowtable->ops[i].dev = NULL;
5862 static int nf_tables_flowtable_event(struct notifier_block *this,
5863 unsigned long event, void *ptr)
5865 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5866 struct nft_flowtable *flowtable;
5867 struct nft_table *table;
5870 if (event != NETDEV_UNREGISTER)
5873 net = maybe_get_net(dev_net(dev));
5877 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5878 list_for_each_entry(table, &net->nft.tables, list) {
5879 list_for_each_entry(flowtable, &table->flowtables, list) {
5880 nft_flowtable_event(event, dev, flowtable);
5883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5888 static struct notifier_block nf_tables_flowtable_notifier = {
5889 .notifier_call = nf_tables_flowtable_event,
5892 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5895 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5896 struct sk_buff *skb2;
5899 if (nlmsg_report(nlh) &&
5900 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5903 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5907 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5914 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5915 nlmsg_report(nlh), GFP_KERNEL);
5918 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5922 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5923 struct sk_buff *skb, const struct nlmsghdr *nlh,
5924 const struct nlattr * const nla[],
5925 struct netlink_ext_ack *extack)
5927 struct sk_buff *skb2;
5930 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5934 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5939 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5945 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5946 [NFT_MSG_NEWTABLE] = {
5947 .call_batch = nf_tables_newtable,
5948 .attr_count = NFTA_TABLE_MAX,
5949 .policy = nft_table_policy,
5951 [NFT_MSG_GETTABLE] = {
5952 .call_rcu = nf_tables_gettable,
5953 .attr_count = NFTA_TABLE_MAX,
5954 .policy = nft_table_policy,
5956 [NFT_MSG_DELTABLE] = {
5957 .call_batch = nf_tables_deltable,
5958 .attr_count = NFTA_TABLE_MAX,
5959 .policy = nft_table_policy,
5961 [NFT_MSG_NEWCHAIN] = {
5962 .call_batch = nf_tables_newchain,
5963 .attr_count = NFTA_CHAIN_MAX,
5964 .policy = nft_chain_policy,
5966 [NFT_MSG_GETCHAIN] = {
5967 .call_rcu = nf_tables_getchain,
5968 .attr_count = NFTA_CHAIN_MAX,
5969 .policy = nft_chain_policy,
5971 [NFT_MSG_DELCHAIN] = {
5972 .call_batch = nf_tables_delchain,
5973 .attr_count = NFTA_CHAIN_MAX,
5974 .policy = nft_chain_policy,
5976 [NFT_MSG_NEWRULE] = {
5977 .call_batch = nf_tables_newrule,
5978 .attr_count = NFTA_RULE_MAX,
5979 .policy = nft_rule_policy,
5981 [NFT_MSG_GETRULE] = {
5982 .call_rcu = nf_tables_getrule,
5983 .attr_count = NFTA_RULE_MAX,
5984 .policy = nft_rule_policy,
5986 [NFT_MSG_DELRULE] = {
5987 .call_batch = nf_tables_delrule,
5988 .attr_count = NFTA_RULE_MAX,
5989 .policy = nft_rule_policy,
5991 [NFT_MSG_NEWSET] = {
5992 .call_batch = nf_tables_newset,
5993 .attr_count = NFTA_SET_MAX,
5994 .policy = nft_set_policy,
5996 [NFT_MSG_GETSET] = {
5997 .call_rcu = nf_tables_getset,
5998 .attr_count = NFTA_SET_MAX,
5999 .policy = nft_set_policy,
6001 [NFT_MSG_DELSET] = {
6002 .call_batch = nf_tables_delset,
6003 .attr_count = NFTA_SET_MAX,
6004 .policy = nft_set_policy,
6006 [NFT_MSG_NEWSETELEM] = {
6007 .call_batch = nf_tables_newsetelem,
6008 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6009 .policy = nft_set_elem_list_policy,
6011 [NFT_MSG_GETSETELEM] = {
6012 .call_rcu = nf_tables_getsetelem,
6013 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6014 .policy = nft_set_elem_list_policy,
6016 [NFT_MSG_DELSETELEM] = {
6017 .call_batch = nf_tables_delsetelem,
6018 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6019 .policy = nft_set_elem_list_policy,
6021 [NFT_MSG_GETGEN] = {
6022 .call_rcu = nf_tables_getgen,
6024 [NFT_MSG_NEWOBJ] = {
6025 .call_batch = nf_tables_newobj,
6026 .attr_count = NFTA_OBJ_MAX,
6027 .policy = nft_obj_policy,
6029 [NFT_MSG_GETOBJ] = {
6030 .call_rcu = nf_tables_getobj,
6031 .attr_count = NFTA_OBJ_MAX,
6032 .policy = nft_obj_policy,
6034 [NFT_MSG_DELOBJ] = {
6035 .call_batch = nf_tables_delobj,
6036 .attr_count = NFTA_OBJ_MAX,
6037 .policy = nft_obj_policy,
6039 [NFT_MSG_GETOBJ_RESET] = {
6040 .call_rcu = nf_tables_getobj,
6041 .attr_count = NFTA_OBJ_MAX,
6042 .policy = nft_obj_policy,
6044 [NFT_MSG_NEWFLOWTABLE] = {
6045 .call_batch = nf_tables_newflowtable,
6046 .attr_count = NFTA_FLOWTABLE_MAX,
6047 .policy = nft_flowtable_policy,
6049 [NFT_MSG_GETFLOWTABLE] = {
6050 .call_rcu = nf_tables_getflowtable,
6051 .attr_count = NFTA_FLOWTABLE_MAX,
6052 .policy = nft_flowtable_policy,
6054 [NFT_MSG_DELFLOWTABLE] = {
6055 .call_batch = nf_tables_delflowtable,
6056 .attr_count = NFTA_FLOWTABLE_MAX,
6057 .policy = nft_flowtable_policy,
6061 static int nf_tables_validate(struct net *net)
6063 struct nft_table *table;
6065 switch (net->nft.validate_state) {
6066 case NFT_VALIDATE_SKIP:
6068 case NFT_VALIDATE_NEED:
6069 nft_validate_state_update(net, NFT_VALIDATE_DO);
6071 case NFT_VALIDATE_DO:
6072 list_for_each_entry(table, &net->nft.tables, list) {
6073 if (nft_table_validate(net, table) < 0)
6082 static void nft_chain_commit_update(struct nft_trans *trans)
6084 struct nft_base_chain *basechain;
6086 if (nft_trans_chain_name(trans)) {
6087 rhltable_remove(&trans->ctx.table->chains_ht,
6088 &trans->ctx.chain->rhlhead,
6089 nft_chain_ht_params);
6090 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6091 rhltable_insert_key(&trans->ctx.table->chains_ht,
6092 trans->ctx.chain->name,
6093 &trans->ctx.chain->rhlhead,
6094 nft_chain_ht_params);
6097 if (!nft_is_base_chain(trans->ctx.chain))
6100 basechain = nft_base_chain(trans->ctx.chain);
6101 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
6103 switch (nft_trans_chain_policy(trans)) {
6106 basechain->policy = nft_trans_chain_policy(trans);
6111 static void nft_commit_release(struct nft_trans *trans)
6113 switch (trans->msg_type) {
6114 case NFT_MSG_DELTABLE:
6115 nf_tables_table_destroy(&trans->ctx);
6117 case NFT_MSG_NEWCHAIN:
6118 kfree(nft_trans_chain_name(trans));
6120 case NFT_MSG_DELCHAIN:
6121 nf_tables_chain_destroy(&trans->ctx);
6123 case NFT_MSG_DELRULE:
6124 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6126 case NFT_MSG_DELSET:
6127 nft_set_destroy(nft_trans_set(trans));
6129 case NFT_MSG_DELSETELEM:
6130 nf_tables_set_elem_destroy(&trans->ctx,
6131 nft_trans_elem_set(trans),
6132 nft_trans_elem(trans).priv);
6134 case NFT_MSG_DELOBJ:
6135 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6137 case NFT_MSG_DELFLOWTABLE:
6138 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6144 static void nf_tables_commit_release(struct net *net)
6146 struct nft_trans *trans, *next;
6148 if (list_empty(&net->nft.commit_list))
6153 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6154 list_del(&trans->list);
6155 nft_commit_release(trans);
6159 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6161 struct nft_rule *rule;
6162 unsigned int alloc = 0;
6165 /* already handled or inactive chain? */
6166 if (chain->rules_next || !nft_is_active_next(net, chain))
6169 rule = list_entry(&chain->rules, struct nft_rule, list);
6172 list_for_each_entry_continue(rule, &chain->rules, list) {
6173 if (nft_is_active_next(net, rule))
6177 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6178 if (!chain->rules_next)
6181 list_for_each_entry_continue(rule, &chain->rules, list) {
6182 if (nft_is_active_next(net, rule))
6183 chain->rules_next[i++] = rule;
6186 chain->rules_next[i] = NULL;
6190 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6192 struct nft_trans *trans, *next;
6194 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6195 struct nft_chain *chain = trans->ctx.chain;
6197 if (trans->msg_type == NFT_MSG_NEWRULE ||
6198 trans->msg_type == NFT_MSG_DELRULE) {
6199 kvfree(chain->rules_next);
6200 chain->rules_next = NULL;
6205 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6207 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6212 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6214 struct nft_rule **r = rules;
6215 struct nft_rules_old *old;
6220 r++; /* rcu_head is after end marker */
6224 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6227 static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
6229 struct nft_rule **g0, **g1;
6232 next_genbit = nft_gencursor_next(net);
6234 g0 = rcu_dereference_protected(chain->rules_gen_0,
6235 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6236 g1 = rcu_dereference_protected(chain->rules_gen_1,
6237 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6239 /* No changes to this chain? */
6240 if (chain->rules_next == NULL) {
6241 /* chain had no change in last or next generation */
6245 * chain had no change in this generation; make sure next
6246 * one uses same rules as current generation.
6249 rcu_assign_pointer(chain->rules_gen_1, g0);
6250 nf_tables_commit_chain_free_rules_old(g1);
6252 rcu_assign_pointer(chain->rules_gen_0, g1);
6253 nf_tables_commit_chain_free_rules_old(g0);
6260 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6262 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6264 chain->rules_next = NULL;
6270 nf_tables_commit_chain_free_rules_old(g1);
6272 nf_tables_commit_chain_free_rules_old(g0);
6275 static void nft_chain_del(struct nft_chain *chain)
6277 struct nft_table *table = chain->table;
6279 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6280 nft_chain_ht_params));
6281 list_del_rcu(&chain->list);
6284 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6286 struct nft_trans *trans, *next;
6287 struct nft_trans_elem *te;
6288 struct nft_chain *chain;
6289 struct nft_table *table;
6291 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6292 if (nf_tables_validate(net) < 0)
6295 /* 1. Allocate space for next generation rules_gen_X[] */
6296 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6299 if (trans->msg_type == NFT_MSG_NEWRULE ||
6300 trans->msg_type == NFT_MSG_DELRULE) {
6301 chain = trans->ctx.chain;
6303 ret = nf_tables_commit_chain_prepare(net, chain);
6305 nf_tables_commit_chain_prepare_cancel(net);
6311 /* step 2. Make rules_gen_X visible to packet path */
6312 list_for_each_entry(table, &net->nft.tables, list) {
6313 list_for_each_entry(chain, &table->chains, list) {
6314 if (!nft_is_active_next(net, chain))
6316 nf_tables_commit_chain_active(net, chain);
6321 * Bump generation counter, invalidate any dump in progress.
6322 * Cannot fail after this point.
6324 while (++net->nft.base_seq == 0);
6326 /* step 3. Start new generation, rules_gen_X now in use. */
6327 net->nft.gencursor = nft_gencursor_next(net);
6329 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6330 switch (trans->msg_type) {
6331 case NFT_MSG_NEWTABLE:
6332 if (nft_trans_table_update(trans)) {
6333 if (!nft_trans_table_enable(trans)) {
6334 nf_tables_table_disable(net,
6336 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6339 nft_clear(net, trans->ctx.table);
6341 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6342 nft_trans_destroy(trans);
6344 case NFT_MSG_DELTABLE:
6345 list_del_rcu(&trans->ctx.table->list);
6346 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6348 case NFT_MSG_NEWCHAIN:
6349 if (nft_trans_chain_update(trans)) {
6350 nft_chain_commit_update(trans);
6351 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6352 /* trans destroyed after rcu grace period */
6354 nft_clear(net, trans->ctx.chain);
6355 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6356 nft_trans_destroy(trans);
6359 case NFT_MSG_DELCHAIN:
6360 nft_chain_del(trans->ctx.chain);
6361 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6362 nf_tables_unregister_hook(trans->ctx.net,
6366 case NFT_MSG_NEWRULE:
6367 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6368 nf_tables_rule_notify(&trans->ctx,
6369 nft_trans_rule(trans),
6371 nft_trans_destroy(trans);
6373 case NFT_MSG_DELRULE:
6374 list_del_rcu(&nft_trans_rule(trans)->list);
6375 nf_tables_rule_notify(&trans->ctx,
6376 nft_trans_rule(trans),
6379 case NFT_MSG_NEWSET:
6380 nft_clear(net, nft_trans_set(trans));
6381 /* This avoids hitting -EBUSY when deleting the table
6382 * from the transaction.
6384 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6385 !list_empty(&nft_trans_set(trans)->bindings))
6386 trans->ctx.table->use--;
6388 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6389 NFT_MSG_NEWSET, GFP_KERNEL);
6390 nft_trans_destroy(trans);
6392 case NFT_MSG_DELSET:
6393 list_del_rcu(&nft_trans_set(trans)->list);
6394 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6395 NFT_MSG_DELSET, GFP_KERNEL);
6397 case NFT_MSG_NEWSETELEM:
6398 te = (struct nft_trans_elem *)trans->data;
6400 te->set->ops->activate(net, te->set, &te->elem);
6401 nf_tables_setelem_notify(&trans->ctx, te->set,
6403 NFT_MSG_NEWSETELEM, 0);
6404 nft_trans_destroy(trans);
6406 case NFT_MSG_DELSETELEM:
6407 te = (struct nft_trans_elem *)trans->data;
6409 nf_tables_setelem_notify(&trans->ctx, te->set,
6411 NFT_MSG_DELSETELEM, 0);
6412 te->set->ops->remove(net, te->set, &te->elem);
6413 atomic_dec(&te->set->nelems);
6416 case NFT_MSG_NEWOBJ:
6417 nft_clear(net, nft_trans_obj(trans));
6418 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6420 nft_trans_destroy(trans);
6422 case NFT_MSG_DELOBJ:
6423 list_del_rcu(&nft_trans_obj(trans)->list);
6424 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6427 case NFT_MSG_NEWFLOWTABLE:
6428 nft_clear(net, nft_trans_flowtable(trans));
6429 nf_tables_flowtable_notify(&trans->ctx,
6430 nft_trans_flowtable(trans),
6431 NFT_MSG_NEWFLOWTABLE);
6432 nft_trans_destroy(trans);
6434 case NFT_MSG_DELFLOWTABLE:
6435 list_del_rcu(&nft_trans_flowtable(trans)->list);
6436 nf_tables_flowtable_notify(&trans->ctx,
6437 nft_trans_flowtable(trans),
6438 NFT_MSG_DELFLOWTABLE);
6439 nft_unregister_flowtable_net_hooks(net,
6440 nft_trans_flowtable(trans));
6445 nf_tables_commit_release(net);
6446 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6451 static void nf_tables_abort_release(struct nft_trans *trans)
6453 switch (trans->msg_type) {
6454 case NFT_MSG_NEWTABLE:
6455 nf_tables_table_destroy(&trans->ctx);
6457 case NFT_MSG_NEWCHAIN:
6458 nf_tables_chain_destroy(&trans->ctx);
6460 case NFT_MSG_NEWRULE:
6461 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6463 case NFT_MSG_NEWSET:
6464 nft_set_destroy(nft_trans_set(trans));
6466 case NFT_MSG_NEWSETELEM:
6467 nft_set_elem_destroy(nft_trans_elem_set(trans),
6468 nft_trans_elem(trans).priv, true);
6470 case NFT_MSG_NEWOBJ:
6471 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6473 case NFT_MSG_NEWFLOWTABLE:
6474 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6480 static int __nf_tables_abort(struct net *net)
6482 struct nft_trans *trans, *next;
6483 struct nft_trans_elem *te;
6485 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6487 switch (trans->msg_type) {
6488 case NFT_MSG_NEWTABLE:
6489 if (nft_trans_table_update(trans)) {
6490 if (nft_trans_table_enable(trans)) {
6491 nf_tables_table_disable(net,
6493 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6495 nft_trans_destroy(trans);
6497 list_del_rcu(&trans->ctx.table->list);
6500 case NFT_MSG_DELTABLE:
6501 nft_clear(trans->ctx.net, trans->ctx.table);
6502 nft_trans_destroy(trans);
6504 case NFT_MSG_NEWCHAIN:
6505 if (nft_trans_chain_update(trans)) {
6506 free_percpu(nft_trans_chain_stats(trans));
6507 kfree(nft_trans_chain_name(trans));
6508 nft_trans_destroy(trans);
6510 trans->ctx.table->use--;
6511 nft_chain_del(trans->ctx.chain);
6512 nf_tables_unregister_hook(trans->ctx.net,
6517 case NFT_MSG_DELCHAIN:
6518 trans->ctx.table->use++;
6519 nft_clear(trans->ctx.net, trans->ctx.chain);
6520 nft_trans_destroy(trans);
6522 case NFT_MSG_NEWRULE:
6523 trans->ctx.chain->use--;
6524 list_del_rcu(&nft_trans_rule(trans)->list);
6525 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6527 case NFT_MSG_DELRULE:
6528 trans->ctx.chain->use++;
6529 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6530 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6531 nft_trans_destroy(trans);
6533 case NFT_MSG_NEWSET:
6534 trans->ctx.table->use--;
6535 list_del_rcu(&nft_trans_set(trans)->list);
6537 case NFT_MSG_DELSET:
6538 trans->ctx.table->use++;
6539 nft_clear(trans->ctx.net, nft_trans_set(trans));
6540 nft_trans_destroy(trans);
6542 case NFT_MSG_NEWSETELEM:
6543 te = (struct nft_trans_elem *)trans->data;
6545 te->set->ops->remove(net, te->set, &te->elem);
6546 atomic_dec(&te->set->nelems);
6548 case NFT_MSG_DELSETELEM:
6549 te = (struct nft_trans_elem *)trans->data;
6551 nft_set_elem_activate(net, te->set, &te->elem);
6552 te->set->ops->activate(net, te->set, &te->elem);
6555 nft_trans_destroy(trans);
6557 case NFT_MSG_NEWOBJ:
6558 trans->ctx.table->use--;
6559 list_del_rcu(&nft_trans_obj(trans)->list);
6561 case NFT_MSG_DELOBJ:
6562 trans->ctx.table->use++;
6563 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6564 nft_trans_destroy(trans);
6566 case NFT_MSG_NEWFLOWTABLE:
6567 trans->ctx.table->use--;
6568 list_del_rcu(&nft_trans_flowtable(trans)->list);
6569 nft_unregister_flowtable_net_hooks(net,
6570 nft_trans_flowtable(trans));
6572 case NFT_MSG_DELFLOWTABLE:
6573 trans->ctx.table->use++;
6574 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6575 nft_trans_destroy(trans);
6582 list_for_each_entry_safe_reverse(trans, next,
6583 &net->nft.commit_list, list) {
6584 list_del(&trans->list);
6585 nf_tables_abort_release(trans);
6591 static void nf_tables_cleanup(struct net *net)
6593 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6596 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6598 return __nf_tables_abort(net);
6601 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6603 return net->nft.base_seq == genid;
6606 static const struct nfnetlink_subsystem nf_tables_subsys = {
6607 .name = "nf_tables",
6608 .subsys_id = NFNL_SUBSYS_NFTABLES,
6609 .cb_count = NFT_MSG_MAX,
6611 .commit = nf_tables_commit,
6612 .abort = nf_tables_abort,
6613 .cleanup = nf_tables_cleanup,
6614 .valid_genid = nf_tables_valid_genid,
6617 int nft_chain_validate_dependency(const struct nft_chain *chain,
6618 enum nft_chain_types type)
6620 const struct nft_base_chain *basechain;
6622 if (nft_is_base_chain(chain)) {
6623 basechain = nft_base_chain(chain);
6624 if (basechain->type->type != type)
6629 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6631 int nft_chain_validate_hooks(const struct nft_chain *chain,
6632 unsigned int hook_flags)
6634 struct nft_base_chain *basechain;
6636 if (nft_is_base_chain(chain)) {
6637 basechain = nft_base_chain(chain);
6639 if ((1 << basechain->ops.hooknum) & hook_flags)
6647 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6650 * Loop detection - walk through the ruleset beginning at the destination chain
6651 * of a new jump until either the source chain is reached (loop) or all
6652 * reachable chains have been traversed.
6654 * The loop check is performed whenever a new jump verdict is added to an
6655 * expression or verdict map or a verdict map is bound to a new chain.
6658 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6659 const struct nft_chain *chain);
6661 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6662 struct nft_set *set,
6663 const struct nft_set_iter *iter,
6664 struct nft_set_elem *elem)
6666 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6667 const struct nft_data *data;
6669 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6670 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6673 data = nft_set_ext_data(ext);
6674 switch (data->verdict.code) {
6677 return nf_tables_check_loops(ctx, data->verdict.chain);
6683 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6684 const struct nft_chain *chain)
6686 const struct nft_rule *rule;
6687 const struct nft_expr *expr, *last;
6688 struct nft_set *set;
6689 struct nft_set_binding *binding;
6690 struct nft_set_iter iter;
6692 if (ctx->chain == chain)
6695 list_for_each_entry(rule, &chain->rules, list) {
6696 nft_rule_for_each_expr(expr, last, rule) {
6697 struct nft_immediate_expr *priv;
6698 const struct nft_data *data;
6701 if (strcmp(expr->ops->type->name, "immediate"))
6704 priv = nft_expr_priv(expr);
6705 if (priv->dreg != NFT_REG_VERDICT)
6709 switch (data->verdict.code) {
6712 err = nf_tables_check_loops(ctx,
6713 data->verdict.chain);
6722 list_for_each_entry(set, &ctx->table->sets, list) {
6723 if (!nft_is_active_next(ctx->net, set))
6725 if (!(set->flags & NFT_SET_MAP) ||
6726 set->dtype != NFT_DATA_VERDICT)
6729 list_for_each_entry(binding, &set->bindings, list) {
6730 if (!(binding->flags & NFT_SET_MAP) ||
6731 binding->chain != chain)
6734 iter.genmask = nft_genmask_next(ctx->net);
6738 iter.fn = nf_tables_loop_check_setelem;
6740 set->ops->walk(ctx, set, &iter);
6750 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6752 * @attr: netlink attribute to fetch value from
6753 * @max: maximum value to be stored in dest
6754 * @dest: pointer to the variable
6756 * Parse, check and store a given u32 netlink attribute into variable.
6757 * This function returns -ERANGE if the value goes over maximum value.
6758 * Otherwise a 0 is returned and the attribute value is stored in the
6759 * destination variable.
6761 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6765 val = ntohl(nla_get_be32(attr));
6772 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6775 * nft_parse_register - parse a register value from a netlink attribute
6777 * @attr: netlink attribute
6779 * Parse and translate a register value from a netlink attribute.
6780 * Registers used to be 128 bit wide, these register numbers will be
6781 * mapped to the corresponding 32 bit register numbers.
6783 unsigned int nft_parse_register(const struct nlattr *attr)
6787 reg = ntohl(nla_get_be32(attr));
6789 case NFT_REG_VERDICT...NFT_REG_4:
6790 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6792 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6795 EXPORT_SYMBOL_GPL(nft_parse_register);
6798 * nft_dump_register - dump a register value to a netlink attribute
6800 * @skb: socket buffer
6801 * @attr: attribute number
6802 * @reg: register number
6804 * Construct a netlink attribute containing the register number. For
6805 * compatibility reasons, register numbers being a multiple of 4 are
6806 * translated to the corresponding 128 bit register numbers.
6808 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6810 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6811 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6813 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6815 return nla_put_be32(skb, attr, htonl(reg));
6817 EXPORT_SYMBOL_GPL(nft_dump_register);
6820 * nft_validate_register_load - validate a load from a register
6822 * @reg: the register number
6823 * @len: the length of the data
6825 * Validate that the input register is one of the general purpose
6826 * registers and that the length of the load is within the bounds.
6828 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6830 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6834 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6839 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6842 * nft_validate_register_store - validate an expressions' register store
6844 * @ctx: context of the expression performing the load
6845 * @reg: the destination register number
6846 * @data: the data to load
6847 * @type: the data type
6848 * @len: the length of the data
6850 * Validate that a data load uses the appropriate data type for
6851 * the destination register and the length is within the bounds.
6852 * A value of NULL for the data means that its runtime gathered
6855 int nft_validate_register_store(const struct nft_ctx *ctx,
6856 enum nft_registers reg,
6857 const struct nft_data *data,
6858 enum nft_data_types type, unsigned int len)
6863 case NFT_REG_VERDICT:
6864 if (type != NFT_DATA_VERDICT)
6868 (data->verdict.code == NFT_GOTO ||
6869 data->verdict.code == NFT_JUMP)) {
6870 err = nf_tables_check_loops(ctx, data->verdict.chain);
6877 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6881 if (reg * NFT_REG32_SIZE + len >
6882 FIELD_SIZEOF(struct nft_regs, data))
6885 if (data != NULL && type != NFT_DATA_VALUE)
6890 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6892 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6893 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6894 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6895 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6898 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6899 struct nft_data_desc *desc, const struct nlattr *nla)
6901 u8 genmask = nft_genmask_next(ctx->net);
6902 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6903 struct nft_chain *chain;
6906 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6911 if (!tb[NFTA_VERDICT_CODE])
6913 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6915 switch (data->verdict.code) {
6917 switch (data->verdict.code & NF_VERDICT_MASK) {
6932 if (!tb[NFTA_VERDICT_CHAIN])
6934 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6937 return PTR_ERR(chain);
6938 if (nft_is_base_chain(chain))
6942 data->verdict.chain = chain;
6946 desc->len = sizeof(data->verdict);
6947 desc->type = NFT_DATA_VERDICT;
6951 static void nft_verdict_uninit(const struct nft_data *data)
6953 switch (data->verdict.code) {
6956 data->verdict.chain->use--;
6961 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6963 struct nlattr *nest;
6965 nest = nla_nest_start(skb, type);
6967 goto nla_put_failure;
6969 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6970 goto nla_put_failure;
6975 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6977 goto nla_put_failure;
6979 nla_nest_end(skb, nest);
6986 static int nft_value_init(const struct nft_ctx *ctx,
6987 struct nft_data *data, unsigned int size,
6988 struct nft_data_desc *desc, const struct nlattr *nla)
6998 nla_memcpy(data->data, nla, len);
6999 desc->type = NFT_DATA_VALUE;
7004 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7007 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7010 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7011 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7012 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7016 * nft_data_init - parse nf_tables data netlink attributes
7018 * @ctx: context of the expression using the data
7019 * @data: destination struct nft_data
7020 * @size: maximum data length
7021 * @desc: data description
7022 * @nla: netlink attribute containing data
7024 * Parse the netlink data attributes and initialize a struct nft_data.
7025 * The type and length of data are returned in the data description.
7027 * The caller can indicate that it only wants to accept data of type
7028 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7030 int nft_data_init(const struct nft_ctx *ctx,
7031 struct nft_data *data, unsigned int size,
7032 struct nft_data_desc *desc, const struct nlattr *nla)
7034 struct nlattr *tb[NFTA_DATA_MAX + 1];
7037 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7041 if (tb[NFTA_DATA_VALUE])
7042 return nft_value_init(ctx, data, size, desc,
7043 tb[NFTA_DATA_VALUE]);
7044 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7045 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7048 EXPORT_SYMBOL_GPL(nft_data_init);
7051 * nft_data_release - release a nft_data item
7053 * @data: struct nft_data to release
7054 * @type: type of data
7056 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7057 * all others need to be released by calling this function.
7059 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7061 if (type < NFT_DATA_VERDICT)
7064 case NFT_DATA_VERDICT:
7065 return nft_verdict_uninit(data);
7070 EXPORT_SYMBOL_GPL(nft_data_release);
7072 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7073 enum nft_data_types type, unsigned int len)
7075 struct nlattr *nest;
7078 nest = nla_nest_start(skb, attr);
7083 case NFT_DATA_VALUE:
7084 err = nft_value_dump(skb, data, len);
7086 case NFT_DATA_VERDICT:
7087 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7094 nla_nest_end(skb, nest);
7097 EXPORT_SYMBOL_GPL(nft_data_dump);
7099 int __nft_release_basechain(struct nft_ctx *ctx)
7101 struct nft_rule *rule, *nr;
7103 BUG_ON(!nft_is_base_chain(ctx->chain));
7105 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7106 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7107 list_del(&rule->list);
7109 nf_tables_rule_release(ctx, rule);
7111 nft_chain_del(ctx->chain);
7113 nf_tables_chain_destroy(ctx);
7117 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7119 static void __nft_release_tables(struct net *net)
7121 struct nft_flowtable *flowtable, *nf;
7122 struct nft_table *table, *nt;
7123 struct nft_chain *chain, *nc;
7124 struct nft_object *obj, *ne;
7125 struct nft_rule *rule, *nr;
7126 struct nft_set *set, *ns;
7127 struct nft_ctx ctx = {
7129 .family = NFPROTO_NETDEV,
7132 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7133 ctx.family = table->family;
7135 list_for_each_entry(chain, &table->chains, list)
7136 nf_tables_unregister_hook(net, table, chain);
7137 list_for_each_entry(flowtable, &table->flowtables, list)
7138 nf_unregister_net_hooks(net, flowtable->ops,
7139 flowtable->ops_len);
7140 /* No packets are walking on these chains anymore. */
7142 list_for_each_entry(chain, &table->chains, list) {
7144 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7145 list_del(&rule->list);
7147 nf_tables_rule_release(&ctx, rule);
7150 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7151 list_del(&flowtable->list);
7153 nf_tables_flowtable_destroy(flowtable);
7155 list_for_each_entry_safe(set, ns, &table->sets, list) {
7156 list_del(&set->list);
7158 nft_set_destroy(set);
7160 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7161 list_del(&obj->list);
7163 nft_obj_destroy(&ctx, obj);
7165 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7167 nft_chain_del(chain);
7169 nf_tables_chain_destroy(&ctx);
7171 list_del(&table->list);
7172 nf_tables_table_destroy(&ctx);
7176 static int __net_init nf_tables_init_net(struct net *net)
7178 INIT_LIST_HEAD(&net->nft.tables);
7179 INIT_LIST_HEAD(&net->nft.commit_list);
7180 net->nft.base_seq = 1;
7181 net->nft.validate_state = NFT_VALIDATE_SKIP;
7186 static void __net_exit nf_tables_exit_net(struct net *net)
7188 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7189 if (!list_empty(&net->nft.commit_list))
7190 __nf_tables_abort(net);
7191 __nft_release_tables(net);
7192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7193 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7196 static struct pernet_operations nf_tables_net_ops = {
7197 .init = nf_tables_init_net,
7198 .exit = nf_tables_exit_net,
7201 static int __init nf_tables_module_init(void)
7205 nft_chain_filter_init();
7207 info = kmalloc_array(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info),
7214 err = nf_tables_core_module_init();
7218 err = nfnetlink_subsys_register(&nf_tables_subsys);
7222 register_netdevice_notifier(&nf_tables_flowtable_notifier);
7224 return register_pernet_subsys(&nf_tables_net_ops);
7226 nf_tables_core_module_exit();
7233 static void __exit nf_tables_module_exit(void)
7235 nfnetlink_subsys_unregister(&nf_tables_subsys);
7236 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7237 nft_chain_filter_fini();
7238 unregister_pernet_subsys(&nf_tables_net_ops);
7240 nf_tables_core_module_exit();
7244 module_init(nf_tables_module_init);
7245 module_exit(nf_tables_module_exit);
7247 MODULE_LICENSE("GPL");
7248 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7249 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.samba.org / sfrench / cifs-2.6.git / blob