2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
31 * nft_register_afinfo - register nf_tables address family info
33 * @afi: address family info to register
35 * Register the address family for use with nf_tables. Returns zero on
36 * success or a negative errno code otherwise.
38 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
40 nfnl_lock(NFNL_SUBSYS_NFTABLES);
41 list_add_tail_rcu(&afi->list, &net->nft.af_info);
42 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
45 EXPORT_SYMBOL_GPL(nft_register_afinfo);
47 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
50 * nft_unregister_afinfo - unregister nf_tables address family info
52 * @afi: address family info to unregister
54 * Unregister the address family for use with nf_tables.
56 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
58 nfnl_lock(NFNL_SUBSYS_NFTABLES);
59 __nft_release_afinfo(net, afi);
60 list_del_rcu(&afi->list);
61 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
63 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
65 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
67 struct nft_af_info *afi;
69 list_for_each_entry(afi, &net->nft.af_info, list) {
70 if (afi->family == family)
76 static struct nft_af_info *
77 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
79 struct nft_af_info *afi;
81 afi = nft_afinfo_lookup(net, family);
86 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
87 request_module("nft-afinfo-%u", family);
88 nfnl_lock(NFNL_SUBSYS_NFTABLES);
89 afi = nft_afinfo_lookup(net, family);
91 return ERR_PTR(-EAGAIN);
94 return ERR_PTR(-EAFNOSUPPORT);
97 static void nft_ctx_init(struct nft_ctx *ctx,
99 const struct sk_buff *skb,
100 const struct nlmsghdr *nlh,
102 struct nft_table *table,
103 struct nft_chain *chain,
104 const struct nlattr * const *nla)
107 ctx->family = family;
111 ctx->portid = NETLINK_CB(skb).portid;
112 ctx->report = nlmsg_report(nlh);
113 ctx->seq = nlh->nlmsg_seq;
116 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
117 int msg_type, u32 size, gfp_t gfp)
119 struct nft_trans *trans;
121 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
125 trans->msg_type = msg_type;
131 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
132 int msg_type, u32 size)
134 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
137 static void nft_trans_destroy(struct nft_trans *trans)
139 list_del(&trans->list);
143 static int nf_tables_register_hook(struct net *net,
144 const struct nft_table *table,
145 struct nft_chain *chain)
147 if (table->flags & NFT_TABLE_F_DORMANT ||
148 !nft_is_base_chain(chain))
151 return nf_register_net_hook(net, &nft_base_chain(chain)->ops);
154 static void nf_tables_unregister_hook(struct net *net,
155 const struct nft_table *table,
156 struct nft_chain *chain)
158 if (table->flags & NFT_TABLE_F_DORMANT ||
159 !nft_is_base_chain(chain))
162 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
165 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
167 struct nft_trans *trans;
169 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
173 if (msg_type == NFT_MSG_NEWTABLE)
174 nft_activate_next(ctx->net, ctx->table);
176 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
180 static int nft_deltable(struct nft_ctx *ctx)
184 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
188 nft_deactivate_next(ctx->net, ctx->table);
192 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
194 struct nft_trans *trans;
196 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
200 if (msg_type == NFT_MSG_NEWCHAIN)
201 nft_activate_next(ctx->net, ctx->chain);
203 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
207 static int nft_delchain(struct nft_ctx *ctx)
211 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
216 nft_deactivate_next(ctx->net, ctx->chain);
222 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
224 /* You cannot delete the same rule twice */
225 if (nft_is_active_next(ctx->net, rule)) {
226 nft_deactivate_next(ctx->net, rule);
233 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
234 struct nft_rule *rule)
236 struct nft_trans *trans;
238 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
242 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
243 nft_trans_rule_id(trans) =
244 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
246 nft_trans_rule(trans) = rule;
247 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
252 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
254 struct nft_trans *trans;
257 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
261 err = nf_tables_delrule_deactivate(ctx, rule);
263 nft_trans_destroy(trans);
270 static int nft_delrule_by_chain(struct nft_ctx *ctx)
272 struct nft_rule *rule;
275 list_for_each_entry(rule, &ctx->chain->rules, list) {
276 err = nft_delrule(ctx, rule);
283 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
286 struct nft_trans *trans;
288 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
292 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
293 nft_trans_set_id(trans) =
294 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
295 nft_activate_next(ctx->net, set);
297 nft_trans_set(trans) = set;
298 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
303 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
307 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
311 nft_deactivate_next(ctx->net, set);
317 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
318 struct nft_object *obj)
320 struct nft_trans *trans;
322 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
326 if (msg_type == NFT_MSG_NEWOBJ)
327 nft_activate_next(ctx->net, obj);
329 nft_trans_obj(trans) = obj;
330 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
335 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
339 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
343 nft_deactivate_next(ctx->net, obj);
349 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
350 struct nft_flowtable *flowtable)
352 struct nft_trans *trans;
354 trans = nft_trans_alloc(ctx, msg_type,
355 sizeof(struct nft_trans_flowtable));
359 if (msg_type == NFT_MSG_NEWFLOWTABLE)
360 nft_activate_next(ctx->net, flowtable);
362 nft_trans_flowtable(trans) = flowtable;
363 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
368 static int nft_delflowtable(struct nft_ctx *ctx,
369 struct nft_flowtable *flowtable)
373 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
377 nft_deactivate_next(ctx->net, flowtable);
387 static struct nft_table *nft_table_lookup(const struct net *net,
388 const struct nlattr *nla,
389 u8 family, u8 genmask)
391 struct nft_table *table;
393 list_for_each_entry(table, &net->nft.tables, list) {
394 if (!nla_strcmp(nla, table->name) &&
395 table->afi->family == family &&
396 nft_active_genmask(table, genmask))
402 static struct nft_table *nf_tables_table_lookup(const struct net *net,
403 const struct nlattr *nla,
404 u8 family, u8 genmask)
406 struct nft_table *table;
409 return ERR_PTR(-EINVAL);
411 table = nft_table_lookup(net, nla, family, genmask);
415 return ERR_PTR(-ENOENT);
418 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
420 return ++table->hgenerator;
423 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
425 static const struct nf_chain_type *
426 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
430 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
431 if (chain_type[family][i] != NULL &&
432 !nla_strcmp(nla, chain_type[family][i]->name))
433 return chain_type[family][i];
438 static const struct nf_chain_type *
439 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
441 const struct nf_chain_type *type;
443 type = __nf_tables_chain_type_lookup(nla, family);
446 #ifdef CONFIG_MODULES
448 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
449 request_module("nft-chain-%u-%.*s", family,
450 nla_len(nla), (const char *)nla_data(nla));
451 nfnl_lock(NFNL_SUBSYS_NFTABLES);
452 type = __nf_tables_chain_type_lookup(nla, family);
454 return ERR_PTR(-EAGAIN);
457 return ERR_PTR(-ENOENT);
460 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
461 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
462 .len = NFT_TABLE_MAXNAMELEN - 1 },
463 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
466 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
467 u32 portid, u32 seq, int event, u32 flags,
468 int family, const struct nft_table *table)
470 struct nlmsghdr *nlh;
471 struct nfgenmsg *nfmsg;
473 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
474 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
476 goto nla_put_failure;
478 nfmsg = nlmsg_data(nlh);
479 nfmsg->nfgen_family = family;
480 nfmsg->version = NFNETLINK_V0;
481 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
483 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
484 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
485 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
486 goto nla_put_failure;
492 nlmsg_trim(skb, nlh);
496 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
502 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
505 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
509 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
510 event, 0, ctx->family, ctx->table);
516 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
517 ctx->report, GFP_KERNEL);
520 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
523 static int nf_tables_dump_tables(struct sk_buff *skb,
524 struct netlink_callback *cb)
526 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
527 const struct nft_table *table;
528 unsigned int idx = 0, s_idx = cb->args[0];
529 struct net *net = sock_net(skb->sk);
530 int family = nfmsg->nfgen_family;
533 cb->seq = net->nft.base_seq;
535 list_for_each_entry_rcu(table, &net->nft.tables, list) {
536 if (family != NFPROTO_UNSPEC && family != table->afi->family)
542 memset(&cb->args[1], 0,
543 sizeof(cb->args) - sizeof(cb->args[0]));
544 if (!nft_is_active(net, table))
546 if (nf_tables_fill_table_info(skb, net,
547 NETLINK_CB(cb->skb).portid,
549 NFT_MSG_NEWTABLE, NLM_F_MULTI,
550 table->afi->family, table) < 0)
553 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
563 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
564 struct sk_buff *skb, const struct nlmsghdr *nlh,
565 const struct nlattr * const nla[],
566 struct netlink_ext_ack *extack)
568 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
569 u8 genmask = nft_genmask_cur(net);
570 const struct nft_af_info *afi;
571 const struct nft_table *table;
572 struct sk_buff *skb2;
573 int family = nfmsg->nfgen_family;
576 if (nlh->nlmsg_flags & NLM_F_DUMP) {
577 struct netlink_dump_control c = {
578 .dump = nf_tables_dump_tables,
580 return netlink_dump_start(nlsk, skb, nlh, &c);
583 afi = nf_tables_afinfo_lookup(net, family, false);
587 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
590 return PTR_ERR(table);
592 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
596 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
597 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
602 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
609 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
611 struct nft_chain *chain;
614 list_for_each_entry(chain, &table->chains, list) {
615 if (!nft_is_active_next(net, chain))
617 if (!nft_is_base_chain(chain))
620 if (cnt && i++ == cnt)
623 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
627 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
629 struct nft_chain *chain;
632 list_for_each_entry(chain, &table->chains, list) {
633 if (!nft_is_active_next(net, chain))
635 if (!nft_is_base_chain(chain))
638 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
647 nft_table_disable(net, table, i);
651 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
653 nft_table_disable(net, table, 0);
656 static int nf_tables_updtable(struct nft_ctx *ctx)
658 struct nft_trans *trans;
662 if (!ctx->nla[NFTA_TABLE_FLAGS])
665 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
666 if (flags & ~NFT_TABLE_F_DORMANT)
669 if (flags == ctx->table->flags)
672 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
673 sizeof(struct nft_trans_table));
677 if ((flags & NFT_TABLE_F_DORMANT) &&
678 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
679 nft_trans_table_enable(trans) = false;
680 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
681 ctx->table->flags & NFT_TABLE_F_DORMANT) {
682 ret = nf_tables_table_enable(ctx->net, ctx->table);
684 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
685 nft_trans_table_enable(trans) = true;
691 nft_trans_table_update(trans) = true;
692 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
695 nft_trans_destroy(trans);
699 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
700 struct sk_buff *skb, const struct nlmsghdr *nlh,
701 const struct nlattr * const nla[],
702 struct netlink_ext_ack *extack)
704 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
705 u8 genmask = nft_genmask_next(net);
706 const struct nlattr *name;
707 struct nft_af_info *afi;
708 struct nft_table *table;
709 int family = nfmsg->nfgen_family;
714 afi = nf_tables_afinfo_lookup(net, family, true);
718 name = nla[NFTA_TABLE_NAME];
719 table = nf_tables_table_lookup(net, name, afi->family, genmask);
721 if (PTR_ERR(table) != -ENOENT)
722 return PTR_ERR(table);
724 if (nlh->nlmsg_flags & NLM_F_EXCL)
726 if (nlh->nlmsg_flags & NLM_F_REPLACE)
729 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
730 return nf_tables_updtable(&ctx);
733 if (nla[NFTA_TABLE_FLAGS]) {
734 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
735 if (flags & ~NFT_TABLE_F_DORMANT)
740 if (!try_module_get(afi->owner))
744 table = kzalloc(sizeof(*table), GFP_KERNEL);
748 table->name = nla_strdup(name, GFP_KERNEL);
749 if (table->name == NULL)
752 INIT_LIST_HEAD(&table->chains);
753 INIT_LIST_HEAD(&table->sets);
754 INIT_LIST_HEAD(&table->objects);
755 INIT_LIST_HEAD(&table->flowtables);
757 table->flags = flags;
759 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
760 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
764 list_add_tail_rcu(&table->list, &net->nft.tables);
771 module_put(afi->owner);
776 static int nft_flush_table(struct nft_ctx *ctx)
778 struct nft_flowtable *flowtable, *nft;
779 struct nft_chain *chain, *nc;
780 struct nft_object *obj, *ne;
781 struct nft_set *set, *ns;
784 list_for_each_entry(chain, &ctx->table->chains, list) {
785 if (!nft_is_active_next(ctx->net, chain))
790 err = nft_delrule_by_chain(ctx);
795 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
796 if (!nft_is_active_next(ctx->net, set))
799 if (nft_set_is_anonymous(set) &&
800 !list_empty(&set->bindings))
803 err = nft_delset(ctx, set);
808 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
809 err = nft_delflowtable(ctx, flowtable);
814 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
815 err = nft_delobj(ctx, obj);
820 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
821 if (!nft_is_active_next(ctx->net, chain))
826 err = nft_delchain(ctx);
831 err = nft_deltable(ctx);
836 static int nft_flush(struct nft_ctx *ctx, int family)
838 struct nft_table *table, *nt;
839 const struct nlattr * const *nla = ctx->nla;
842 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
843 if (family != AF_UNSPEC && table->afi->family != family)
846 ctx->family = table->afi->family;
848 if (!nft_is_active_next(ctx->net, table))
851 if (nla[NFTA_TABLE_NAME] &&
852 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
857 err = nft_flush_table(ctx);
865 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
866 struct sk_buff *skb, const struct nlmsghdr *nlh,
867 const struct nlattr * const nla[],
868 struct netlink_ext_ack *extack)
870 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
871 u8 genmask = nft_genmask_next(net);
872 struct nft_af_info *afi;
873 struct nft_table *table;
874 int family = nfmsg->nfgen_family;
877 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
878 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
879 return nft_flush(&ctx, family);
881 afi = nf_tables_afinfo_lookup(net, family, false);
885 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
888 return PTR_ERR(table);
890 if (nlh->nlmsg_flags & NLM_F_NONREC &&
894 ctx.family = afi->family;
897 return nft_flush_table(&ctx);
900 static void nf_tables_table_destroy(struct nft_ctx *ctx)
902 BUG_ON(ctx->table->use > 0);
904 kfree(ctx->table->name);
906 module_put(ctx->table->afi->owner);
909 int nft_register_chain_type(const struct nf_chain_type *ctype)
913 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
916 nfnl_lock(NFNL_SUBSYS_NFTABLES);
917 if (chain_type[ctype->family][ctype->type] != NULL) {
921 chain_type[ctype->family][ctype->type] = ctype;
923 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
926 EXPORT_SYMBOL_GPL(nft_register_chain_type);
928 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
930 nfnl_lock(NFNL_SUBSYS_NFTABLES);
931 chain_type[ctype->family][ctype->type] = NULL;
932 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
934 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
940 static struct nft_chain *
941 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
944 struct nft_chain *chain;
946 list_for_each_entry(chain, &table->chains, list) {
947 if (chain->handle == handle &&
948 nft_active_genmask(chain, genmask))
952 return ERR_PTR(-ENOENT);
955 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
956 const struct nlattr *nla,
959 struct nft_chain *chain;
962 return ERR_PTR(-EINVAL);
964 list_for_each_entry(chain, &table->chains, list) {
965 if (!nla_strcmp(nla, chain->name) &&
966 nft_active_genmask(chain, genmask))
970 return ERR_PTR(-ENOENT);
973 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
974 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
975 .len = NFT_TABLE_MAXNAMELEN - 1 },
976 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
977 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
978 .len = NFT_CHAIN_MAXNAMELEN - 1 },
979 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
980 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
981 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
982 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
985 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
986 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
987 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
988 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
989 .len = IFNAMSIZ - 1 },
992 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
994 struct nft_stats *cpu_stats, total;
1000 memset(&total, 0, sizeof(total));
1001 for_each_possible_cpu(cpu) {
1002 cpu_stats = per_cpu_ptr(stats, cpu);
1004 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1005 pkts = cpu_stats->pkts;
1006 bytes = cpu_stats->bytes;
1007 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1009 total.bytes += bytes;
1011 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1013 goto nla_put_failure;
1015 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1016 NFTA_COUNTER_PAD) ||
1017 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1019 goto nla_put_failure;
1021 nla_nest_end(skb, nest);
1028 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1029 u32 portid, u32 seq, int event, u32 flags,
1030 int family, const struct nft_table *table,
1031 const struct nft_chain *chain)
1033 struct nlmsghdr *nlh;
1034 struct nfgenmsg *nfmsg;
1036 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1037 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1039 goto nla_put_failure;
1041 nfmsg = nlmsg_data(nlh);
1042 nfmsg->nfgen_family = family;
1043 nfmsg->version = NFNETLINK_V0;
1044 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1046 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1047 goto nla_put_failure;
1048 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1050 goto nla_put_failure;
1051 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1052 goto nla_put_failure;
1054 if (nft_is_base_chain(chain)) {
1055 const struct nft_base_chain *basechain = nft_base_chain(chain);
1056 const struct nf_hook_ops *ops = &basechain->ops;
1057 struct nlattr *nest;
1059 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1061 goto nla_put_failure;
1062 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1063 goto nla_put_failure;
1064 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1065 goto nla_put_failure;
1066 if (basechain->dev_name[0] &&
1067 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1068 goto nla_put_failure;
1069 nla_nest_end(skb, nest);
1071 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1072 htonl(basechain->policy)))
1073 goto nla_put_failure;
1075 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1076 goto nla_put_failure;
1078 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1079 goto nla_put_failure;
1082 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1083 goto nla_put_failure;
1085 nlmsg_end(skb, nlh);
1089 nlmsg_trim(skb, nlh);
1093 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1095 struct sk_buff *skb;
1099 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1102 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1106 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1107 event, 0, ctx->family, ctx->table,
1114 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1115 ctx->report, GFP_KERNEL);
1118 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1121 static int nf_tables_dump_chains(struct sk_buff *skb,
1122 struct netlink_callback *cb)
1124 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1125 const struct nft_table *table;
1126 const struct nft_chain *chain;
1127 unsigned int idx = 0, s_idx = cb->args[0];
1128 struct net *net = sock_net(skb->sk);
1129 int family = nfmsg->nfgen_family;
1132 cb->seq = net->nft.base_seq;
1134 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1135 if (family != NFPROTO_UNSPEC && family != table->afi->family)
1138 list_for_each_entry_rcu(chain, &table->chains, list) {
1142 memset(&cb->args[1], 0,
1143 sizeof(cb->args) - sizeof(cb->args[0]));
1144 if (!nft_is_active(net, chain))
1146 if (nf_tables_fill_chain_info(skb, net,
1147 NETLINK_CB(cb->skb).portid,
1151 table->afi->family, table,
1155 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1166 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1167 struct sk_buff *skb, const struct nlmsghdr *nlh,
1168 const struct nlattr * const nla[],
1169 struct netlink_ext_ack *extack)
1171 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1172 u8 genmask = nft_genmask_cur(net);
1173 const struct nft_af_info *afi;
1174 const struct nft_table *table;
1175 const struct nft_chain *chain;
1176 struct sk_buff *skb2;
1177 int family = nfmsg->nfgen_family;
1180 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1181 struct netlink_dump_control c = {
1182 .dump = nf_tables_dump_chains,
1184 return netlink_dump_start(nlsk, skb, nlh, &c);
1187 afi = nf_tables_afinfo_lookup(net, family, false);
1189 return PTR_ERR(afi);
1191 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
1194 return PTR_ERR(table);
1196 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1198 return PTR_ERR(chain);
1200 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1204 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1205 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1206 family, table, chain);
1210 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1217 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1218 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1219 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1222 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1224 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1225 struct nft_stats __percpu *newstats;
1226 struct nft_stats *stats;
1229 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1232 return ERR_PTR(err);
1234 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1235 return ERR_PTR(-EINVAL);
1237 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1238 if (newstats == NULL)
1239 return ERR_PTR(-ENOMEM);
1241 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1242 * are not exposed to userspace.
1245 stats = this_cpu_ptr(newstats);
1246 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1247 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1253 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1254 struct nft_stats __percpu *newstats)
1256 struct nft_stats __percpu *oldstats;
1258 if (newstats == NULL)
1262 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1263 rcu_assign_pointer(chain->stats, newstats);
1265 free_percpu(oldstats);
1267 rcu_assign_pointer(chain->stats, newstats);
1270 static void nf_tables_chain_destroy(struct nft_chain *chain)
1272 BUG_ON(chain->use > 0);
1274 if (nft_is_base_chain(chain)) {
1275 struct nft_base_chain *basechain = nft_base_chain(chain);
1277 module_put(basechain->type->owner);
1278 free_percpu(basechain->stats);
1279 if (basechain->stats)
1280 static_branch_dec(&nft_counters_enabled);
1281 if (basechain->ops.dev != NULL)
1282 dev_put(basechain->ops.dev);
1291 struct nft_chain_hook {
1294 const struct nf_chain_type *type;
1295 struct net_device *dev;
1298 static int nft_chain_parse_hook(struct net *net,
1299 const struct nlattr * const nla[],
1300 struct nft_chain_hook *hook, u8 family,
1303 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1304 const struct nf_chain_type *type;
1305 struct net_device *dev;
1308 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1309 nft_hook_policy, NULL);
1313 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1314 ha[NFTA_HOOK_PRIORITY] == NULL)
1317 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1318 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1320 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1321 if (nla[NFTA_CHAIN_TYPE]) {
1322 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1325 return PTR_ERR(type);
1327 if (!(type->hook_mask & (1 << hook->num)))
1330 if (type->type == NFT_CHAIN_T_NAT &&
1331 hook->priority <= NF_IP_PRI_CONNTRACK)
1334 if (!try_module_get(type->owner))
1340 if (family == NFPROTO_NETDEV) {
1341 char ifname[IFNAMSIZ];
1343 if (!ha[NFTA_HOOK_DEV]) {
1344 module_put(type->owner);
1348 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1349 dev = dev_get_by_name(net, ifname);
1351 module_put(type->owner);
1355 } else if (ha[NFTA_HOOK_DEV]) {
1356 module_put(type->owner);
1363 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1365 module_put(hook->type->owner);
1366 if (hook->dev != NULL)
1370 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1371 u8 policy, bool create)
1373 const struct nlattr * const *nla = ctx->nla;
1374 struct nft_table *table = ctx->table;
1375 struct nft_base_chain *basechain;
1376 struct nft_stats __percpu *stats;
1377 struct net *net = ctx->net;
1378 struct nft_chain *chain;
1381 if (table->use == UINT_MAX)
1384 if (nla[NFTA_CHAIN_HOOK]) {
1385 struct nft_chain_hook hook;
1386 struct nf_hook_ops *ops;
1388 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1392 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1393 if (basechain == NULL) {
1394 nft_chain_release_hook(&hook);
1398 if (hook.dev != NULL)
1399 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1401 if (nla[NFTA_CHAIN_COUNTERS]) {
1402 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1403 if (IS_ERR(stats)) {
1404 nft_chain_release_hook(&hook);
1406 return PTR_ERR(stats);
1408 basechain->stats = stats;
1409 static_branch_inc(&nft_counters_enabled);
1412 basechain->type = hook.type;
1413 chain = &basechain->chain;
1415 ops = &basechain->ops;
1417 ops->hooknum = hook.num;
1418 ops->priority = hook.priority;
1420 ops->hook = hook.type->hooks[ops->hooknum];
1421 ops->dev = hook.dev;
1423 if (basechain->type->type == NFT_CHAIN_T_NAT)
1424 ops->nat_hook = true;
1426 chain->flags |= NFT_BASE_CHAIN;
1427 basechain->policy = policy;
1429 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1433 INIT_LIST_HEAD(&chain->rules);
1434 chain->handle = nf_tables_alloc_handle(table);
1435 chain->table = table;
1436 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1442 err = nf_tables_register_hook(net, table, chain);
1447 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1452 list_add_tail_rcu(&chain->list, &table->chains);
1456 nf_tables_unregister_hook(net, table, chain);
1458 nf_tables_chain_destroy(chain);
1463 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1466 const struct nlattr * const *nla = ctx->nla;
1467 struct nft_table *table = ctx->table;
1468 struct nft_chain *chain = ctx->chain;
1469 struct nft_base_chain *basechain;
1470 struct nft_stats *stats = NULL;
1471 struct nft_chain_hook hook;
1472 const struct nlattr *name;
1473 struct nf_hook_ops *ops;
1474 struct nft_trans *trans;
1477 if (nla[NFTA_CHAIN_HOOK]) {
1478 if (!nft_is_base_chain(chain))
1481 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1486 basechain = nft_base_chain(chain);
1487 if (basechain->type != hook.type) {
1488 nft_chain_release_hook(&hook);
1492 ops = &basechain->ops;
1493 if (ops->hooknum != hook.num ||
1494 ops->priority != hook.priority ||
1495 ops->dev != hook.dev) {
1496 nft_chain_release_hook(&hook);
1499 nft_chain_release_hook(&hook);
1502 if (nla[NFTA_CHAIN_HANDLE] &&
1503 nla[NFTA_CHAIN_NAME]) {
1504 struct nft_chain *chain2;
1506 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1508 if (!IS_ERR(chain2))
1512 if (nla[NFTA_CHAIN_COUNTERS]) {
1513 if (!nft_is_base_chain(chain))
1516 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1518 return PTR_ERR(stats);
1521 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1522 sizeof(struct nft_trans_chain));
1523 if (trans == NULL) {
1528 nft_trans_chain_stats(trans) = stats;
1529 nft_trans_chain_update(trans) = true;
1531 if (nla[NFTA_CHAIN_POLICY])
1532 nft_trans_chain_policy(trans) = policy;
1534 nft_trans_chain_policy(trans) = -1;
1536 name = nla[NFTA_CHAIN_NAME];
1537 if (nla[NFTA_CHAIN_HANDLE] && name) {
1538 nft_trans_chain_name(trans) =
1539 nla_strdup(name, GFP_KERNEL);
1540 if (!nft_trans_chain_name(trans)) {
1546 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1551 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1552 struct sk_buff *skb, const struct nlmsghdr *nlh,
1553 const struct nlattr * const nla[],
1554 struct netlink_ext_ack *extack)
1556 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1557 const struct nlattr * uninitialized_var(name);
1558 u8 genmask = nft_genmask_next(net);
1559 int family = nfmsg->nfgen_family;
1560 struct nft_af_info *afi;
1561 struct nft_table *table;
1562 struct nft_chain *chain;
1563 u8 policy = NF_ACCEPT;
1568 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1570 afi = nf_tables_afinfo_lookup(net, family, true);
1572 return PTR_ERR(afi);
1574 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
1577 return PTR_ERR(table);
1580 name = nla[NFTA_CHAIN_NAME];
1582 if (nla[NFTA_CHAIN_HANDLE]) {
1583 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1584 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1586 return PTR_ERR(chain);
1588 chain = nf_tables_chain_lookup(table, name, genmask);
1589 if (IS_ERR(chain)) {
1590 if (PTR_ERR(chain) != -ENOENT)
1591 return PTR_ERR(chain);
1596 if (nla[NFTA_CHAIN_POLICY]) {
1597 if (chain != NULL &&
1598 !nft_is_base_chain(chain))
1601 if (chain == NULL &&
1602 nla[NFTA_CHAIN_HOOK] == NULL)
1605 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1615 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
1617 if (chain != NULL) {
1618 if (nlh->nlmsg_flags & NLM_F_EXCL)
1620 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1623 return nf_tables_updchain(&ctx, genmask, policy, create);
1626 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1629 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1630 struct sk_buff *skb, const struct nlmsghdr *nlh,
1631 const struct nlattr * const nla[],
1632 struct netlink_ext_ack *extack)
1634 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1635 u8 genmask = nft_genmask_next(net);
1636 struct nft_af_info *afi;
1637 struct nft_table *table;
1638 struct nft_chain *chain;
1639 struct nft_rule *rule;
1640 int family = nfmsg->nfgen_family;
1645 afi = nf_tables_afinfo_lookup(net, family, false);
1647 return PTR_ERR(afi);
1649 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
1652 return PTR_ERR(table);
1654 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1656 return PTR_ERR(chain);
1658 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1662 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
1665 list_for_each_entry(rule, &chain->rules, list) {
1666 if (!nft_is_active_next(net, rule))
1670 err = nft_delrule(&ctx, rule);
1675 /* There are rules and elements that are still holding references to us,
1676 * we cannot do a recursive removal in this case.
1681 return nft_delchain(&ctx);
1689 * nft_register_expr - register nf_tables expr type
1692 * Registers the expr type for use with nf_tables. Returns zero on
1693 * success or a negative errno code otherwise.
1695 int nft_register_expr(struct nft_expr_type *type)
1697 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1698 if (type->family == NFPROTO_UNSPEC)
1699 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1701 list_add_rcu(&type->list, &nf_tables_expressions);
1702 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1705 EXPORT_SYMBOL_GPL(nft_register_expr);
1708 * nft_unregister_expr - unregister nf_tables expr type
1711 * Unregisters the expr typefor use with nf_tables.
1713 void nft_unregister_expr(struct nft_expr_type *type)
1715 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1716 list_del_rcu(&type->list);
1717 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1719 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1721 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1724 const struct nft_expr_type *type;
1726 list_for_each_entry(type, &nf_tables_expressions, list) {
1727 if (!nla_strcmp(nla, type->name) &&
1728 (!type->family || type->family == family))
1734 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1737 const struct nft_expr_type *type;
1740 return ERR_PTR(-EINVAL);
1742 type = __nft_expr_type_get(family, nla);
1743 if (type != NULL && try_module_get(type->owner))
1746 #ifdef CONFIG_MODULES
1748 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1749 request_module("nft-expr-%u-%.*s", family,
1750 nla_len(nla), (char *)nla_data(nla));
1751 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1752 if (__nft_expr_type_get(family, nla))
1753 return ERR_PTR(-EAGAIN);
1755 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1756 request_module("nft-expr-%.*s",
1757 nla_len(nla), (char *)nla_data(nla));
1758 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1759 if (__nft_expr_type_get(family, nla))
1760 return ERR_PTR(-EAGAIN);
1763 return ERR_PTR(-ENOENT);
1766 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1767 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1768 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1771 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1772 const struct nft_expr *expr)
1774 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1775 goto nla_put_failure;
1777 if (expr->ops->dump) {
1778 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1780 goto nla_put_failure;
1781 if (expr->ops->dump(skb, expr) < 0)
1782 goto nla_put_failure;
1783 nla_nest_end(skb, data);
1792 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1793 const struct nft_expr *expr)
1795 struct nlattr *nest;
1797 nest = nla_nest_start(skb, attr);
1799 goto nla_put_failure;
1800 if (nf_tables_fill_expr_info(skb, expr) < 0)
1801 goto nla_put_failure;
1802 nla_nest_end(skb, nest);
1809 struct nft_expr_info {
1810 const struct nft_expr_ops *ops;
1811 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1814 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1815 const struct nlattr *nla,
1816 struct nft_expr_info *info)
1818 const struct nft_expr_type *type;
1819 const struct nft_expr_ops *ops;
1820 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1823 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1827 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1829 return PTR_ERR(type);
1831 if (tb[NFTA_EXPR_DATA]) {
1832 err = nla_parse_nested(info->tb, type->maxattr,
1833 tb[NFTA_EXPR_DATA], type->policy, NULL);
1837 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1839 if (type->select_ops != NULL) {
1840 ops = type->select_ops(ctx,
1841 (const struct nlattr * const *)info->tb);
1853 module_put(type->owner);
1857 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1858 const struct nft_expr_info *info,
1859 struct nft_expr *expr)
1861 const struct nft_expr_ops *ops = info->ops;
1866 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1871 if (ops->validate) {
1872 const struct nft_data *data = NULL;
1874 err = ops->validate(ctx, expr, &data);
1883 ops->destroy(ctx, expr);
1889 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1890 struct nft_expr *expr)
1892 if (expr->ops->destroy)
1893 expr->ops->destroy(ctx, expr);
1894 module_put(expr->ops->type->owner);
1897 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1898 const struct nlattr *nla)
1900 struct nft_expr_info info;
1901 struct nft_expr *expr;
1904 err = nf_tables_expr_parse(ctx, nla, &info);
1909 expr = kzalloc(info.ops->size, GFP_KERNEL);
1913 err = nf_tables_newexpr(ctx, &info, expr);
1921 module_put(info.ops->type->owner);
1923 return ERR_PTR(err);
1926 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1928 nf_tables_expr_destroy(ctx, expr);
1936 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1939 struct nft_rule *rule;
1941 // FIXME: this sucks
1942 list_for_each_entry(rule, &chain->rules, list) {
1943 if (handle == rule->handle)
1947 return ERR_PTR(-ENOENT);
1950 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1951 const struct nlattr *nla)
1954 return ERR_PTR(-EINVAL);
1956 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1959 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1960 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1961 .len = NFT_TABLE_MAXNAMELEN - 1 },
1962 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1963 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1964 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1965 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1966 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1967 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1968 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1969 .len = NFT_USERDATA_MAXLEN },
1972 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1973 u32 portid, u32 seq, int event,
1974 u32 flags, int family,
1975 const struct nft_table *table,
1976 const struct nft_chain *chain,
1977 const struct nft_rule *rule)
1979 struct nlmsghdr *nlh;
1980 struct nfgenmsg *nfmsg;
1981 const struct nft_expr *expr, *next;
1982 struct nlattr *list;
1983 const struct nft_rule *prule;
1984 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1986 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1988 goto nla_put_failure;
1990 nfmsg = nlmsg_data(nlh);
1991 nfmsg->nfgen_family = family;
1992 nfmsg->version = NFNETLINK_V0;
1993 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1995 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1996 goto nla_put_failure;
1997 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1998 goto nla_put_failure;
1999 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2001 goto nla_put_failure;
2003 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2004 prule = list_prev_entry(rule, list);
2005 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2006 cpu_to_be64(prule->handle),
2008 goto nla_put_failure;
2011 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2013 goto nla_put_failure;
2014 nft_rule_for_each_expr(expr, next, rule) {
2015 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2016 goto nla_put_failure;
2018 nla_nest_end(skb, list);
2021 struct nft_userdata *udata = nft_userdata(rule);
2022 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2024 goto nla_put_failure;
2027 nlmsg_end(skb, nlh);
2031 nlmsg_trim(skb, nlh);
2035 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2036 const struct nft_rule *rule, int event)
2038 struct sk_buff *skb;
2042 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2045 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2049 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2050 event, 0, ctx->family, ctx->table,
2057 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2058 ctx->report, GFP_KERNEL);
2061 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2064 struct nft_rule_dump_ctx {
2069 static int nf_tables_dump_rules(struct sk_buff *skb,
2070 struct netlink_callback *cb)
2072 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2073 const struct nft_rule_dump_ctx *ctx = cb->data;
2074 const struct nft_table *table;
2075 const struct nft_chain *chain;
2076 const struct nft_rule *rule;
2077 unsigned int idx = 0, s_idx = cb->args[0];
2078 struct net *net = sock_net(skb->sk);
2079 int family = nfmsg->nfgen_family;
2082 cb->seq = net->nft.base_seq;
2084 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2085 if (family != NFPROTO_UNSPEC && family != table->afi->family)
2088 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2091 list_for_each_entry_rcu(chain, &table->chains, list) {
2092 if (ctx && ctx->chain &&
2093 strcmp(ctx->chain, chain->name) != 0)
2096 list_for_each_entry_rcu(rule, &chain->rules, list) {
2097 if (!nft_is_active(net, rule))
2102 memset(&cb->args[1], 0,
2103 sizeof(cb->args) - sizeof(cb->args[0]));
2104 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2107 NLM_F_MULTI | NLM_F_APPEND,
2109 table, chain, rule) < 0)
2112 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2125 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2127 struct nft_rule_dump_ctx *ctx = cb->data;
2137 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2138 struct sk_buff *skb, const struct nlmsghdr *nlh,
2139 const struct nlattr * const nla[],
2140 struct netlink_ext_ack *extack)
2142 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2143 u8 genmask = nft_genmask_cur(net);
2144 const struct nft_af_info *afi;
2145 const struct nft_table *table;
2146 const struct nft_chain *chain;
2147 const struct nft_rule *rule;
2148 struct sk_buff *skb2;
2149 int family = nfmsg->nfgen_family;
2152 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2153 struct netlink_dump_control c = {
2154 .dump = nf_tables_dump_rules,
2155 .done = nf_tables_dump_rules_done,
2158 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2159 struct nft_rule_dump_ctx *ctx;
2161 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2165 if (nla[NFTA_RULE_TABLE]) {
2166 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2173 if (nla[NFTA_RULE_CHAIN]) {
2174 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2185 return netlink_dump_start(nlsk, skb, nlh, &c);
2188 afi = nf_tables_afinfo_lookup(net, family, false);
2190 return PTR_ERR(afi);
2192 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
2195 return PTR_ERR(table);
2197 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2199 return PTR_ERR(chain);
2201 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2203 return PTR_ERR(rule);
2205 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2209 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2210 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2211 family, table, chain, rule);
2215 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2222 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2223 struct nft_rule *rule)
2225 struct nft_expr *expr;
2228 * Careful: some expressions might not be initialized in case this
2229 * is called on error from nf_tables_newrule().
2231 expr = nft_expr_first(rule);
2232 while (expr != nft_expr_last(rule) && expr->ops) {
2233 nf_tables_expr_destroy(ctx, expr);
2234 expr = nft_expr_next(expr);
2239 #define NFT_RULE_MAXEXPRS 128
2241 static struct nft_expr_info *info;
2243 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2244 struct sk_buff *skb, const struct nlmsghdr *nlh,
2245 const struct nlattr * const nla[],
2246 struct netlink_ext_ack *extack)
2248 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2249 u8 genmask = nft_genmask_next(net);
2250 struct nft_af_info *afi;
2251 struct nft_table *table;
2252 struct nft_chain *chain;
2253 struct nft_rule *rule, *old_rule = NULL;
2254 struct nft_userdata *udata;
2255 struct nft_trans *trans = NULL;
2256 struct nft_expr *expr;
2259 unsigned int size, i, n, ulen = 0, usize = 0;
2262 u64 handle, pos_handle;
2264 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2266 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2268 return PTR_ERR(afi);
2270 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
2273 return PTR_ERR(table);
2275 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2277 return PTR_ERR(chain);
2279 if (nla[NFTA_RULE_HANDLE]) {
2280 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2281 rule = __nf_tables_rule_lookup(chain, handle);
2283 return PTR_ERR(rule);
2285 if (nlh->nlmsg_flags & NLM_F_EXCL)
2287 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2292 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2294 handle = nf_tables_alloc_handle(table);
2296 if (chain->use == UINT_MAX)
2300 if (nla[NFTA_RULE_POSITION]) {
2301 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2304 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2305 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2306 if (IS_ERR(old_rule))
2307 return PTR_ERR(old_rule);
2310 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
2314 if (nla[NFTA_RULE_EXPRESSIONS]) {
2315 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2317 if (nla_type(tmp) != NFTA_LIST_ELEM)
2319 if (n == NFT_RULE_MAXEXPRS)
2321 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2324 size += info[n].ops->size;
2328 /* Check for overflow of dlen field */
2330 if (size >= 1 << 12)
2333 if (nla[NFTA_RULE_USERDATA]) {
2334 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2336 usize = sizeof(struct nft_userdata) + ulen;
2340 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2344 nft_activate_next(net, rule);
2346 rule->handle = handle;
2348 rule->udata = ulen ? 1 : 0;
2351 udata = nft_userdata(rule);
2352 udata->len = ulen - 1;
2353 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2356 expr = nft_expr_first(rule);
2357 for (i = 0; i < n; i++) {
2358 err = nf_tables_newexpr(&ctx, &info[i], expr);
2362 expr = nft_expr_next(expr);
2365 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2366 if (nft_is_active_next(net, old_rule)) {
2367 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2369 if (trans == NULL) {
2373 nft_deactivate_next(net, old_rule);
2375 list_add_tail_rcu(&rule->list, &old_rule->list);
2380 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2382 list_add_rcu(&rule->list, &old_rule->list);
2384 list_add_tail_rcu(&rule->list, &chain->rules);
2387 list_add_tail_rcu(&rule->list, &old_rule->list);
2389 list_add_rcu(&rule->list, &chain->rules);
2392 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2400 list_del_rcu(&rule->list);
2402 nf_tables_rule_destroy(&ctx, rule);
2404 for (i = 0; i < n; i++) {
2405 if (info[i].ops != NULL)
2406 module_put(info[i].ops->type->owner);
2411 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2412 const struct nlattr *nla)
2414 u32 id = ntohl(nla_get_be32(nla));
2415 struct nft_trans *trans;
2417 list_for_each_entry(trans, &net->nft.commit_list, list) {
2418 struct nft_rule *rule = nft_trans_rule(trans);
2420 if (trans->msg_type == NFT_MSG_NEWRULE &&
2421 id == nft_trans_rule_id(trans))
2424 return ERR_PTR(-ENOENT);
2427 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2428 struct sk_buff *skb, const struct nlmsghdr *nlh,
2429 const struct nlattr * const nla[],
2430 struct netlink_ext_ack *extack)
2432 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2433 u8 genmask = nft_genmask_next(net);
2434 struct nft_af_info *afi;
2435 struct nft_table *table;
2436 struct nft_chain *chain = NULL;
2437 struct nft_rule *rule;
2438 int family = nfmsg->nfgen_family, err = 0;
2441 afi = nf_tables_afinfo_lookup(net, family, false);
2443 return PTR_ERR(afi);
2445 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
2448 return PTR_ERR(table);
2450 if (nla[NFTA_RULE_CHAIN]) {
2451 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2454 return PTR_ERR(chain);
2457 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
2460 if (nla[NFTA_RULE_HANDLE]) {
2461 rule = nf_tables_rule_lookup(chain,
2462 nla[NFTA_RULE_HANDLE]);
2464 return PTR_ERR(rule);
2466 err = nft_delrule(&ctx, rule);
2467 } else if (nla[NFTA_RULE_ID]) {
2468 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2470 return PTR_ERR(rule);
2472 err = nft_delrule(&ctx, rule);
2474 err = nft_delrule_by_chain(&ctx);
2477 list_for_each_entry(chain, &table->chains, list) {
2478 if (!nft_is_active_next(net, chain))
2482 err = nft_delrule_by_chain(&ctx);
2495 static LIST_HEAD(nf_tables_set_types);
2497 int nft_register_set(struct nft_set_type *type)
2499 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2500 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2501 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2504 EXPORT_SYMBOL_GPL(nft_register_set);
2506 void nft_unregister_set(struct nft_set_type *type)
2508 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2509 list_del_rcu(&type->list);
2510 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2512 EXPORT_SYMBOL_GPL(nft_unregister_set);
2514 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2515 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2517 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2519 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2523 * Select a set implementation based on the data characteristics and the
2524 * given policy. The total memory use might not be known if no size is
2525 * given, in that case the amount of memory per element is used.
2527 static const struct nft_set_ops *
2528 nft_select_set_ops(const struct nft_ctx *ctx,
2529 const struct nlattr * const nla[],
2530 const struct nft_set_desc *desc,
2531 enum nft_set_policies policy)
2533 const struct nft_set_ops *ops, *bops;
2534 struct nft_set_estimate est, best;
2535 const struct nft_set_type *type;
2538 #ifdef CONFIG_MODULES
2539 if (list_empty(&nf_tables_set_types)) {
2540 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2541 request_module("nft-set");
2542 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2543 if (!list_empty(&nf_tables_set_types))
2544 return ERR_PTR(-EAGAIN);
2547 if (nla[NFTA_SET_FLAGS] != NULL)
2548 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2555 list_for_each_entry(type, &nf_tables_set_types, list) {
2556 if (!type->select_ops)
2559 ops = type->select_ops(ctx, desc, flags);
2563 if (!nft_set_ops_candidate(ops, flags))
2565 if (!ops->estimate(desc, flags, &est))
2569 case NFT_SET_POL_PERFORMANCE:
2570 if (est.lookup < best.lookup)
2572 if (est.lookup == best.lookup &&
2573 est.space < best.space)
2576 case NFT_SET_POL_MEMORY:
2578 if (est.space < best.space)
2580 if (est.space == best.space &&
2581 est.lookup < best.lookup)
2583 } else if (est.size < best.size) {
2591 if (!try_module_get(type->owner))
2594 module_put(bops->type->owner);
2603 return ERR_PTR(-EOPNOTSUPP);
2606 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2607 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2608 .len = NFT_TABLE_MAXNAMELEN - 1 },
2609 [NFTA_SET_NAME] = { .type = NLA_STRING,
2610 .len = NFT_SET_MAXNAMELEN - 1 },
2611 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2612 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2613 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2614 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2615 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2616 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2617 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2618 [NFTA_SET_ID] = { .type = NLA_U32 },
2619 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2620 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2621 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2622 .len = NFT_USERDATA_MAXLEN },
2623 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2626 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2627 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2630 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2631 const struct sk_buff *skb,
2632 const struct nlmsghdr *nlh,
2633 const struct nlattr * const nla[],
2636 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2637 struct nft_af_info *afi = NULL;
2638 struct nft_table *table = NULL;
2640 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2641 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2643 return PTR_ERR(afi);
2646 if (nla[NFTA_SET_TABLE] != NULL) {
2648 return -EAFNOSUPPORT;
2650 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2651 afi->family, genmask);
2653 return PTR_ERR(table);
2656 nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
2660 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2661 const struct nlattr *nla, u8 genmask)
2663 struct nft_set *set;
2666 return ERR_PTR(-EINVAL);
2668 list_for_each_entry(set, &table->sets, list) {
2669 if (!nla_strcmp(nla, set->name) &&
2670 nft_active_genmask(set, genmask))
2673 return ERR_PTR(-ENOENT);
2676 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2677 const struct nlattr *nla,
2680 struct nft_trans *trans;
2681 u32 id = ntohl(nla_get_be32(nla));
2683 list_for_each_entry(trans, &net->nft.commit_list, list) {
2684 struct nft_set *set = nft_trans_set(trans);
2686 if (trans->msg_type == NFT_MSG_NEWSET &&
2687 id == nft_trans_set_id(trans) &&
2688 nft_active_genmask(set, genmask))
2691 return ERR_PTR(-ENOENT);
2694 struct nft_set *nft_set_lookup(const struct net *net,
2695 const struct nft_table *table,
2696 const struct nlattr *nla_set_name,
2697 const struct nlattr *nla_set_id,
2700 struct nft_set *set;
2702 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2707 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2711 EXPORT_SYMBOL_GPL(nft_set_lookup);
2713 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2716 const struct nft_set *i;
2718 unsigned long *inuse;
2719 unsigned int n = 0, min = 0;
2721 p = strchr(name, '%');
2723 if (p[1] != 'd' || strchr(p + 2, '%'))
2726 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2730 list_for_each_entry(i, &ctx->table->sets, list) {
2733 if (!nft_is_active_next(ctx->net, set))
2735 if (!sscanf(i->name, name, &tmp))
2737 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2740 set_bit(tmp - min, inuse);
2743 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2744 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2745 min += BITS_PER_BYTE * PAGE_SIZE;
2746 memset(inuse, 0, PAGE_SIZE);
2749 free_page((unsigned long)inuse);
2752 set->name = kasprintf(GFP_KERNEL, name, min + n);
2756 list_for_each_entry(i, &ctx->table->sets, list) {
2757 if (!nft_is_active_next(ctx->net, i))
2759 if (!strcmp(set->name, i->name)) {
2767 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2768 const struct nft_set *set, u16 event, u16 flags)
2770 struct nfgenmsg *nfmsg;
2771 struct nlmsghdr *nlh;
2772 struct nlattr *desc;
2773 u32 portid = ctx->portid;
2776 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2777 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2780 goto nla_put_failure;
2782 nfmsg = nlmsg_data(nlh);
2783 nfmsg->nfgen_family = ctx->family;
2784 nfmsg->version = NFNETLINK_V0;
2785 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2787 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2788 goto nla_put_failure;
2789 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2790 goto nla_put_failure;
2791 if (set->flags != 0)
2792 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2793 goto nla_put_failure;
2795 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2796 goto nla_put_failure;
2797 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2798 goto nla_put_failure;
2799 if (set->flags & NFT_SET_MAP) {
2800 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2801 goto nla_put_failure;
2802 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2803 goto nla_put_failure;
2805 if (set->flags & NFT_SET_OBJECT &&
2806 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2807 goto nla_put_failure;
2810 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2811 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2813 goto nla_put_failure;
2815 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2816 goto nla_put_failure;
2818 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2819 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2820 goto nla_put_failure;
2823 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2824 goto nla_put_failure;
2826 desc = nla_nest_start(skb, NFTA_SET_DESC);
2828 goto nla_put_failure;
2830 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2831 goto nla_put_failure;
2832 nla_nest_end(skb, desc);
2834 nlmsg_end(skb, nlh);
2838 nlmsg_trim(skb, nlh);
2842 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2843 const struct nft_set *set, int event,
2846 struct sk_buff *skb;
2847 u32 portid = ctx->portid;
2851 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2854 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2858 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2864 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2868 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2871 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2873 const struct nft_set *set;
2874 unsigned int idx, s_idx = cb->args[0];
2875 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2876 struct net *net = sock_net(skb->sk);
2877 struct nft_ctx *ctx = cb->data, ctx_set;
2883 cb->seq = net->nft.base_seq;
2885 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2886 if (ctx->family != NFPROTO_UNSPEC &&
2887 ctx->family != table->afi->family)
2890 if (ctx->table && ctx->table != table)
2894 if (cur_table != table)
2900 list_for_each_entry_rcu(set, &table->sets, list) {
2903 if (!nft_is_active(net, set))
2907 ctx_set.table = table;
2908 ctx_set.family = table->afi->family;
2910 if (nf_tables_fill_set(skb, &ctx_set, set,
2914 cb->args[2] = (unsigned long) table;
2917 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2930 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2936 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2937 struct sk_buff *skb, const struct nlmsghdr *nlh,
2938 const struct nlattr * const nla[],
2939 struct netlink_ext_ack *extack)
2941 u8 genmask = nft_genmask_cur(net);
2942 const struct nft_set *set;
2944 struct sk_buff *skb2;
2945 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2948 /* Verify existence before starting dump */
2949 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2953 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2954 struct netlink_dump_control c = {
2955 .dump = nf_tables_dump_sets,
2956 .done = nf_tables_dump_sets_done,
2958 struct nft_ctx *ctx_dump;
2960 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2961 if (ctx_dump == NULL)
2967 return netlink_dump_start(nlsk, skb, nlh, &c);
2970 /* Only accept unspec with dump */
2971 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2972 return -EAFNOSUPPORT;
2973 if (!nla[NFTA_SET_TABLE])
2976 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2978 return PTR_ERR(set);
2980 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2984 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2988 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2995 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2996 struct nft_set_desc *desc,
2997 const struct nlattr *nla)
2999 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3002 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3003 nft_set_desc_policy, NULL);
3007 if (da[NFTA_SET_DESC_SIZE] != NULL)
3008 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3013 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3014 struct sk_buff *skb, const struct nlmsghdr *nlh,
3015 const struct nlattr * const nla[],
3016 struct netlink_ext_ack *extack)
3018 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3019 u8 genmask = nft_genmask_next(net);
3020 const struct nft_set_ops *ops;
3021 struct nft_af_info *afi;
3022 struct nft_table *table;
3023 struct nft_set *set;
3029 u32 ktype, dtype, flags, policy, gc_int, objtype;
3030 struct nft_set_desc desc;
3031 unsigned char *udata;
3035 if (nla[NFTA_SET_TABLE] == NULL ||
3036 nla[NFTA_SET_NAME] == NULL ||
3037 nla[NFTA_SET_KEY_LEN] == NULL ||
3038 nla[NFTA_SET_ID] == NULL)
3041 memset(&desc, 0, sizeof(desc));
3043 ktype = NFT_DATA_VALUE;
3044 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3045 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3046 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3050 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3051 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3055 if (nla[NFTA_SET_FLAGS] != NULL) {
3056 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3057 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3058 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3059 NFT_SET_MAP | NFT_SET_EVAL |
3062 /* Only one of these operations is supported */
3063 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3064 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3069 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3070 if (!(flags & NFT_SET_MAP))
3073 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3074 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3075 dtype != NFT_DATA_VERDICT)
3078 if (dtype != NFT_DATA_VERDICT) {
3079 if (nla[NFTA_SET_DATA_LEN] == NULL)
3081 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3082 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3085 desc.dlen = sizeof(struct nft_verdict);
3086 } else if (flags & NFT_SET_MAP)
3089 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3090 if (!(flags & NFT_SET_OBJECT))
3093 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3094 if (objtype == NFT_OBJECT_UNSPEC ||
3095 objtype > NFT_OBJECT_MAX)
3097 } else if (flags & NFT_SET_OBJECT)
3100 objtype = NFT_OBJECT_UNSPEC;
3103 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3104 if (!(flags & NFT_SET_TIMEOUT))
3106 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3107 nla[NFTA_SET_TIMEOUT])));
3110 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3111 if (!(flags & NFT_SET_TIMEOUT))
3113 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3116 policy = NFT_SET_POL_PERFORMANCE;
3117 if (nla[NFTA_SET_POLICY] != NULL)
3118 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3120 if (nla[NFTA_SET_DESC] != NULL) {
3121 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3126 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3128 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3130 return PTR_ERR(afi);
3132 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family,
3135 return PTR_ERR(table);
3137 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
3139 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3141 if (PTR_ERR(set) != -ENOENT)
3142 return PTR_ERR(set);
3144 if (nlh->nlmsg_flags & NLM_F_EXCL)
3146 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3151 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3154 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3156 return PTR_ERR(ops);
3159 if (nla[NFTA_SET_USERDATA])
3160 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3163 if (ops->privsize != NULL)
3164 size = ops->privsize(nla, &desc);
3166 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3172 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3178 err = nf_tables_set_alloc_name(&ctx, set, name);
3185 udata = set->data + size;
3186 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3189 INIT_LIST_HEAD(&set->bindings);
3192 set->klen = desc.klen;
3194 set->objtype = objtype;
3195 set->dlen = desc.dlen;
3197 set->size = desc.size;
3198 set->policy = policy;
3201 set->timeout = timeout;
3202 set->gc_int = gc_int;
3204 err = ops->init(set, &desc, nla);
3208 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3212 list_add_tail_rcu(&set->list, &table->sets);
3221 module_put(ops->type->owner);
3225 static void nft_set_destroy(struct nft_set *set)
3227 set->ops->destroy(set);
3228 module_put(set->ops->type->owner);
3233 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3235 list_del_rcu(&set->list);
3236 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3237 nft_set_destroy(set);
3240 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3241 struct sk_buff *skb, const struct nlmsghdr *nlh,
3242 const struct nlattr * const nla[],
3243 struct netlink_ext_ack *extack)
3245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3246 u8 genmask = nft_genmask_next(net);
3247 struct nft_set *set;
3251 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3252 return -EAFNOSUPPORT;
3253 if (nla[NFTA_SET_TABLE] == NULL)
3256 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3260 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3262 return PTR_ERR(set);
3264 if (!list_empty(&set->bindings) ||
3265 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3268 return nft_delset(&ctx, set);
3271 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3272 struct nft_set *set,
3273 const struct nft_set_iter *iter,
3274 struct nft_set_elem *elem)
3276 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3277 enum nft_registers dreg;
3279 dreg = nft_type_to_reg(set->dtype);
3280 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3281 set->dtype == NFT_DATA_VERDICT ?
3282 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3286 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3287 struct nft_set_binding *binding)
3289 struct nft_set_binding *i;
3290 struct nft_set_iter iter;
3292 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3295 if (binding->flags & NFT_SET_MAP) {
3296 /* If the set is already bound to the same chain all
3297 * jumps are already validated for that chain.
3299 list_for_each_entry(i, &set->bindings, list) {
3300 if (i->flags & NFT_SET_MAP &&
3301 i->chain == binding->chain)
3305 iter.genmask = nft_genmask_next(ctx->net);
3309 iter.fn = nf_tables_bind_check_setelem;
3311 set->ops->walk(ctx, set, &iter);
3316 binding->chain = ctx->chain;
3317 list_add_tail_rcu(&binding->list, &set->bindings);
3320 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3322 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3323 struct nft_set_binding *binding)
3325 list_del_rcu(&binding->list);
3327 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3328 nft_is_active(ctx->net, set))
3329 nf_tables_set_destroy(ctx, set);
3331 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3333 const struct nft_set_ext_type nft_set_ext_types[] = {
3334 [NFT_SET_EXT_KEY] = {
3335 .align = __alignof__(u32),
3337 [NFT_SET_EXT_DATA] = {
3338 .align = __alignof__(u32),
3340 [NFT_SET_EXT_EXPR] = {
3341 .align = __alignof__(struct nft_expr),
3343 [NFT_SET_EXT_OBJREF] = {
3344 .len = sizeof(struct nft_object *),
3345 .align = __alignof__(struct nft_object *),
3347 [NFT_SET_EXT_FLAGS] = {
3349 .align = __alignof__(u8),
3351 [NFT_SET_EXT_TIMEOUT] = {
3353 .align = __alignof__(u64),
3355 [NFT_SET_EXT_EXPIRATION] = {
3356 .len = sizeof(unsigned long),
3357 .align = __alignof__(unsigned long),
3359 [NFT_SET_EXT_USERDATA] = {
3360 .len = sizeof(struct nft_userdata),
3361 .align = __alignof__(struct nft_userdata),
3364 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3370 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3371 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3372 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3373 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3374 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3375 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3376 .len = NFT_USERDATA_MAXLEN },
3379 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3380 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3381 .len = NFT_TABLE_MAXNAMELEN - 1 },
3382 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3383 .len = NFT_SET_MAXNAMELEN - 1 },
3384 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3385 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3388 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3389 const struct sk_buff *skb,
3390 const struct nlmsghdr *nlh,
3391 const struct nlattr * const nla[],
3394 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3395 struct nft_af_info *afi;
3396 struct nft_table *table;
3398 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3400 return PTR_ERR(afi);
3402 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3403 afi->family, genmask);
3405 return PTR_ERR(table);
3407 nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
3411 static int nf_tables_fill_setelem(struct sk_buff *skb,
3412 const struct nft_set *set,
3413 const struct nft_set_elem *elem)
3415 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3416 unsigned char *b = skb_tail_pointer(skb);
3417 struct nlattr *nest;
3419 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3421 goto nla_put_failure;
3423 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3424 NFT_DATA_VALUE, set->klen) < 0)
3425 goto nla_put_failure;
3427 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3428 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3429 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3431 goto nla_put_failure;
3433 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3434 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3435 goto nla_put_failure;
3437 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3438 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3439 (*nft_set_ext_obj(ext))->name) < 0)
3440 goto nla_put_failure;
3442 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3443 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3444 htonl(*nft_set_ext_flags(ext))))
3445 goto nla_put_failure;
3447 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3448 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3449 cpu_to_be64(jiffies_to_msecs(
3450 *nft_set_ext_timeout(ext))),
3452 goto nla_put_failure;
3454 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3455 unsigned long expires, now = jiffies;
3457 expires = *nft_set_ext_expiration(ext);
3458 if (time_before(now, expires))
3463 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3464 cpu_to_be64(jiffies_to_msecs(expires)),
3466 goto nla_put_failure;
3469 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3470 struct nft_userdata *udata;
3472 udata = nft_set_ext_userdata(ext);
3473 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3474 udata->len + 1, udata->data))
3475 goto nla_put_failure;
3478 nla_nest_end(skb, nest);
3486 struct nft_set_dump_args {
3487 const struct netlink_callback *cb;
3488 struct nft_set_iter iter;
3489 struct sk_buff *skb;
3492 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3493 struct nft_set *set,
3494 const struct nft_set_iter *iter,
3495 struct nft_set_elem *elem)
3497 struct nft_set_dump_args *args;
3499 args = container_of(iter, struct nft_set_dump_args, iter);
3500 return nf_tables_fill_setelem(args->skb, set, elem);
3503 struct nft_set_dump_ctx {
3504 const struct nft_set *set;
3508 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3510 struct nft_set_dump_ctx *dump_ctx = cb->data;
3511 struct net *net = sock_net(skb->sk);
3512 struct nft_table *table;
3513 struct nft_set *set;
3514 struct nft_set_dump_args args;
3515 bool set_found = false;
3516 struct nfgenmsg *nfmsg;
3517 struct nlmsghdr *nlh;
3518 struct nlattr *nest;
3523 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3524 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3525 dump_ctx->ctx.family != table->afi->family)
3528 if (table != dump_ctx->ctx.table)
3531 list_for_each_entry_rcu(set, &table->sets, list) {
3532 if (set == dump_ctx->set) {
3545 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3546 portid = NETLINK_CB(cb->skb).portid;
3547 seq = cb->nlh->nlmsg_seq;
3549 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3552 goto nla_put_failure;
3554 nfmsg = nlmsg_data(nlh);
3555 nfmsg->nfgen_family = table->afi->family;
3556 nfmsg->version = NFNETLINK_V0;
3557 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3559 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3560 goto nla_put_failure;
3561 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3562 goto nla_put_failure;
3564 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3566 goto nla_put_failure;
3570 args.iter.genmask = nft_genmask_cur(net);
3571 args.iter.skip = cb->args[0];
3572 args.iter.count = 0;
3574 args.iter.fn = nf_tables_dump_setelem;
3575 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3578 nla_nest_end(skb, nest);
3579 nlmsg_end(skb, nlh);
3581 if (args.iter.err && args.iter.err != -EMSGSIZE)
3582 return args.iter.err;
3583 if (args.iter.count == cb->args[0])
3586 cb->args[0] = args.iter.count;
3594 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3600 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3601 const struct nft_ctx *ctx, u32 seq,
3602 u32 portid, int event, u16 flags,
3603 const struct nft_set *set,
3604 const struct nft_set_elem *elem)
3606 struct nfgenmsg *nfmsg;
3607 struct nlmsghdr *nlh;
3608 struct nlattr *nest;
3611 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3612 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3615 goto nla_put_failure;
3617 nfmsg = nlmsg_data(nlh);
3618 nfmsg->nfgen_family = ctx->family;
3619 nfmsg->version = NFNETLINK_V0;
3620 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3622 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3623 goto nla_put_failure;
3624 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3625 goto nla_put_failure;
3627 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3629 goto nla_put_failure;
3631 err = nf_tables_fill_setelem(skb, set, elem);
3633 goto nla_put_failure;
3635 nla_nest_end(skb, nest);
3637 nlmsg_end(skb, nlh);
3641 nlmsg_trim(skb, nlh);
3645 static int nft_setelem_parse_flags(const struct nft_set *set,
3646 const struct nlattr *attr, u32 *flags)
3651 *flags = ntohl(nla_get_be32(attr));
3652 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3654 if (!(set->flags & NFT_SET_INTERVAL) &&
3655 *flags & NFT_SET_ELEM_INTERVAL_END)
3661 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3662 const struct nlattr *attr)
3664 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3665 const struct nft_set_ext *ext;
3666 struct nft_data_desc desc;
3667 struct nft_set_elem elem;
3668 struct sk_buff *skb;
3673 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3674 nft_set_elem_policy, NULL);
3678 if (!nla[NFTA_SET_ELEM_KEY])
3681 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3685 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3686 nla[NFTA_SET_ELEM_KEY]);
3691 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3694 priv = set->ops->get(ctx->net, set, &elem, flags);
3696 return PTR_ERR(priv);
3699 ext = nft_set_elem_ext(set, &elem);
3702 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3706 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3707 NFT_MSG_NEWSETELEM, 0, set, &elem);
3711 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3712 /* This avoids a loop in nfnetlink. */
3720 /* this avoids a loop in nfnetlink. */
3721 return err == -EAGAIN ? -ENOBUFS : err;
3724 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3725 struct sk_buff *skb, const struct nlmsghdr *nlh,
3726 const struct nlattr * const nla[],
3727 struct netlink_ext_ack *extack)
3729 u8 genmask = nft_genmask_cur(net);
3730 struct nft_set *set;
3731 struct nlattr *attr;
3735 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3739 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3742 return PTR_ERR(set);
3744 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3745 struct netlink_dump_control c = {
3746 .dump = nf_tables_dump_set,
3747 .done = nf_tables_dump_set_done,
3749 struct nft_set_dump_ctx *dump_ctx;
3751 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3755 dump_ctx->set = set;
3756 dump_ctx->ctx = ctx;
3759 return netlink_dump_start(nlsk, skb, nlh, &c);
3762 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3765 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3766 err = nft_get_set_elem(&ctx, set, attr);
3774 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3775 const struct nft_set *set,
3776 const struct nft_set_elem *elem,
3777 int event, u16 flags)
3779 struct net *net = ctx->net;
3780 u32 portid = ctx->portid;
3781 struct sk_buff *skb;
3784 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3787 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3791 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3798 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3802 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3805 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3807 struct nft_set *set)
3809 struct nft_trans *trans;
3811 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3815 nft_trans_elem_set(trans) = set;
3819 void *nft_set_elem_init(const struct nft_set *set,
3820 const struct nft_set_ext_tmpl *tmpl,
3821 const u32 *key, const u32 *data,
3822 u64 timeout, gfp_t gfp)
3824 struct nft_set_ext *ext;
3827 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3831 ext = nft_set_elem_ext(set, elem);
3832 nft_set_ext_init(ext, tmpl);
3834 memcpy(nft_set_ext_key(ext), key, set->klen);
3835 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3836 memcpy(nft_set_ext_data(ext), data, set->dlen);
3837 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3838 *nft_set_ext_expiration(ext) =
3840 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3841 *nft_set_ext_timeout(ext) = timeout;
3846 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3849 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3851 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3852 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3853 nft_data_release(nft_set_ext_data(ext), set->dtype);
3854 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3855 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3856 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3857 (*nft_set_ext_obj(ext))->use--;
3860 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3862 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3863 * the refcounting from the preparation phase.
3865 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3867 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3869 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3870 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3874 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3875 const struct nlattr *attr, u32 nlmsg_flags)
3877 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3878 u8 genmask = nft_genmask_next(ctx->net);
3879 struct nft_data_desc d1, d2;
3880 struct nft_set_ext_tmpl tmpl;
3881 struct nft_set_ext *ext, *ext2;
3882 struct nft_set_elem elem;
3883 struct nft_set_binding *binding;
3884 struct nft_object *obj = NULL;
3885 struct nft_userdata *udata;
3886 struct nft_data data;
3887 enum nft_registers dreg;
3888 struct nft_trans *trans;
3894 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3895 nft_set_elem_policy, NULL);
3899 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3902 nft_set_ext_prepare(&tmpl);
3904 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3908 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3910 if (set->flags & NFT_SET_MAP) {
3911 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3912 !(flags & NFT_SET_ELEM_INTERVAL_END))
3914 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3915 flags & NFT_SET_ELEM_INTERVAL_END)
3918 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3923 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3924 if (!(set->flags & NFT_SET_TIMEOUT))
3926 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3927 nla[NFTA_SET_ELEM_TIMEOUT])));
3928 } else if (set->flags & NFT_SET_TIMEOUT) {
3929 timeout = set->timeout;
3932 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3933 nla[NFTA_SET_ELEM_KEY]);
3937 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3940 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3942 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3943 if (timeout != set->timeout)
3944 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3947 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3948 if (!(set->flags & NFT_SET_OBJECT)) {
3952 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3953 set->objtype, genmask);
3958 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3961 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3962 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3963 nla[NFTA_SET_ELEM_DATA]);
3968 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3971 dreg = nft_type_to_reg(set->dtype);
3972 list_for_each_entry(binding, &set->bindings, list) {
3973 struct nft_ctx bind_ctx = {
3975 .family = ctx->family,
3976 .table = ctx->table,
3977 .chain = (struct nft_chain *)binding->chain,
3980 if (!(binding->flags & NFT_SET_MAP))
3983 err = nft_validate_register_store(&bind_ctx, dreg,
3990 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3993 /* The full maximum length of userdata can exceed the maximum
3994 * offset value (U8_MAX) for following extensions, therefor it
3995 * must be the last extension added.
3998 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3999 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4001 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4006 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4007 timeout, GFP_KERNEL);
4008 if (elem.priv == NULL)
4011 ext = nft_set_elem_ext(set, elem.priv);
4013 *nft_set_ext_flags(ext) = flags;
4015 udata = nft_set_ext_userdata(ext);
4016 udata->len = ulen - 1;
4017 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4020 *nft_set_ext_obj(ext) = obj;
4024 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4028 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4029 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4031 if (err == -EEXIST) {
4032 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4033 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4034 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4035 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4037 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4038 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4039 memcmp(nft_set_ext_data(ext),
4040 nft_set_ext_data(ext2), set->dlen) != 0) ||
4041 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4042 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4043 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4045 else if (!(nlmsg_flags & NLM_F_EXCL))
4052 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4057 nft_trans_elem(trans) = elem;
4058 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4062 set->ops->remove(ctx->net, set, &elem);
4068 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4069 nft_data_release(&data, d2.type);
4071 nft_data_release(&elem.key.val, d1.type);
4076 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4077 struct sk_buff *skb, const struct nlmsghdr *nlh,
4078 const struct nlattr * const nla[],
4079 struct netlink_ext_ack *extack)
4081 u8 genmask = nft_genmask_next(net);
4082 const struct nlattr *attr;
4083 struct nft_set *set;
4087 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4090 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4094 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4097 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4098 set = nf_tables_set_lookup_byid(net,
4099 nla[NFTA_SET_ELEM_LIST_SET_ID],
4103 return PTR_ERR(set);
4106 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4109 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4110 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4118 * nft_data_hold - hold a nft_data item
4120 * @data: struct nft_data to release
4121 * @type: type of data
4123 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4124 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4125 * NFT_GOTO verdicts. This function must be called on active data objects
4126 * from the second phase of the commit protocol.
4128 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4130 if (type == NFT_DATA_VERDICT) {
4131 switch (data->verdict.code) {
4134 data->verdict.chain->use++;
4140 static void nft_set_elem_activate(const struct net *net,
4141 const struct nft_set *set,
4142 struct nft_set_elem *elem)
4144 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4146 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4147 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4148 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4149 (*nft_set_ext_obj(ext))->use++;
4152 static void nft_set_elem_deactivate(const struct net *net,
4153 const struct nft_set *set,
4154 struct nft_set_elem *elem)
4156 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4158 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4159 nft_data_release(nft_set_ext_data(ext), set->dtype);
4160 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4161 (*nft_set_ext_obj(ext))->use--;
4164 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4165 const struct nlattr *attr)
4167 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4168 struct nft_set_ext_tmpl tmpl;
4169 struct nft_data_desc desc;
4170 struct nft_set_elem elem;
4171 struct nft_set_ext *ext;
4172 struct nft_trans *trans;
4177 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4178 nft_set_elem_policy, NULL);
4183 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4186 nft_set_ext_prepare(&tmpl);
4188 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4192 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4194 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4195 nla[NFTA_SET_ELEM_KEY]);
4200 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4203 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4206 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4208 if (elem.priv == NULL)
4211 ext = nft_set_elem_ext(set, elem.priv);
4213 *nft_set_ext_flags(ext) = flags;
4215 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4216 if (trans == NULL) {
4221 priv = set->ops->deactivate(ctx->net, set, &elem);
4229 nft_set_elem_deactivate(ctx->net, set, &elem);
4231 nft_trans_elem(trans) = elem;
4232 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4240 nft_data_release(&elem.key.val, desc.type);
4245 static int nft_flush_set(const struct nft_ctx *ctx,
4246 struct nft_set *set,
4247 const struct nft_set_iter *iter,
4248 struct nft_set_elem *elem)
4250 struct nft_trans *trans;
4253 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4254 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4258 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4264 nft_trans_elem_set(trans) = set;
4265 nft_trans_elem(trans) = *elem;
4266 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4274 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4275 struct sk_buff *skb, const struct nlmsghdr *nlh,
4276 const struct nlattr * const nla[],
4277 struct netlink_ext_ack *extack)
4279 u8 genmask = nft_genmask_next(net);
4280 const struct nlattr *attr;
4281 struct nft_set *set;
4285 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4289 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4292 return PTR_ERR(set);
4293 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4296 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4297 struct nft_set_iter iter = {
4299 .fn = nft_flush_set,
4301 set->ops->walk(&ctx, set, &iter);
4306 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4307 err = nft_del_setelem(&ctx, set, attr);
4316 void nft_set_gc_batch_release(struct rcu_head *rcu)
4318 struct nft_set_gc_batch *gcb;
4321 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4322 for (i = 0; i < gcb->head.cnt; i++)
4323 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4326 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4328 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4331 struct nft_set_gc_batch *gcb;
4333 gcb = kzalloc(sizeof(*gcb), gfp);
4336 gcb->head.set = set;
4339 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4346 * nft_register_obj- register nf_tables stateful object type
4349 * Registers the object type for use with nf_tables. Returns zero on
4350 * success or a negative errno code otherwise.
4352 int nft_register_obj(struct nft_object_type *obj_type)
4354 if (obj_type->type == NFT_OBJECT_UNSPEC)
4357 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4358 list_add_rcu(&obj_type->list, &nf_tables_objects);
4359 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4362 EXPORT_SYMBOL_GPL(nft_register_obj);
4365 * nft_unregister_obj - unregister nf_tables object type
4368 * Unregisters the object type for use with nf_tables.
4370 void nft_unregister_obj(struct nft_object_type *obj_type)
4372 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4373 list_del_rcu(&obj_type->list);
4374 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4376 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4378 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4379 const struct nlattr *nla,
4380 u32 objtype, u8 genmask)
4382 struct nft_object *obj;
4384 list_for_each_entry(obj, &table->objects, list) {
4385 if (!nla_strcmp(nla, obj->name) &&
4386 objtype == obj->ops->type->type &&
4387 nft_active_genmask(obj, genmask))
4390 return ERR_PTR(-ENOENT);
4392 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4394 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4395 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4396 .len = NFT_TABLE_MAXNAMELEN - 1 },
4397 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4398 .len = NFT_OBJ_MAXNAMELEN - 1 },
4399 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4400 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4403 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4404 const struct nft_object_type *type,
4405 const struct nlattr *attr)
4407 struct nlattr *tb[type->maxattr + 1];
4408 const struct nft_object_ops *ops;
4409 struct nft_object *obj;
4413 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4418 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4421 if (type->select_ops) {
4422 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4432 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4436 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4446 return ERR_PTR(err);
4449 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4450 struct nft_object *obj, bool reset)
4452 struct nlattr *nest;
4454 nest = nla_nest_start(skb, attr);
4456 goto nla_put_failure;
4457 if (obj->ops->dump(skb, obj, reset) < 0)
4458 goto nla_put_failure;
4459 nla_nest_end(skb, nest);
4466 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4468 const struct nft_object_type *type;
4470 list_for_each_entry(type, &nf_tables_objects, list) {
4471 if (objtype == type->type)
4477 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4479 const struct nft_object_type *type;
4481 type = __nft_obj_type_get(objtype);
4482 if (type != NULL && try_module_get(type->owner))
4485 #ifdef CONFIG_MODULES
4487 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4488 request_module("nft-obj-%u", objtype);
4489 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4490 if (__nft_obj_type_get(objtype))
4491 return ERR_PTR(-EAGAIN);
4494 return ERR_PTR(-ENOENT);
4497 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4498 struct sk_buff *skb, const struct nlmsghdr *nlh,
4499 const struct nlattr * const nla[],
4500 struct netlink_ext_ack *extack)
4502 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4503 const struct nft_object_type *type;
4504 u8 genmask = nft_genmask_next(net);
4505 int family = nfmsg->nfgen_family;
4506 struct nft_af_info *afi;
4507 struct nft_table *table;
4508 struct nft_object *obj;
4513 if (!nla[NFTA_OBJ_TYPE] ||
4514 !nla[NFTA_OBJ_NAME] ||
4515 !nla[NFTA_OBJ_DATA])
4518 afi = nf_tables_afinfo_lookup(net, family, true);
4520 return PTR_ERR(afi);
4522 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
4525 return PTR_ERR(table);
4527 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4528 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4535 if (nlh->nlmsg_flags & NLM_F_EXCL)
4541 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
4543 type = nft_obj_type_get(objtype);
4545 return PTR_ERR(type);
4547 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4553 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4559 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4563 list_add_tail_rcu(&obj->list, &table->objects);
4569 if (obj->ops->destroy)
4570 obj->ops->destroy(obj);
4573 module_put(type->owner);
4577 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4578 u32 portid, u32 seq, int event, u32 flags,
4579 int family, const struct nft_table *table,
4580 struct nft_object *obj, bool reset)
4582 struct nfgenmsg *nfmsg;
4583 struct nlmsghdr *nlh;
4585 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4586 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4588 goto nla_put_failure;
4590 nfmsg = nlmsg_data(nlh);
4591 nfmsg->nfgen_family = family;
4592 nfmsg->version = NFNETLINK_V0;
4593 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4595 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4596 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4597 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4598 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4599 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4600 goto nla_put_failure;
4602 nlmsg_end(skb, nlh);
4606 nlmsg_trim(skb, nlh);
4610 struct nft_obj_filter {
4615 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4617 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4618 const struct nft_table *table;
4619 unsigned int idx = 0, s_idx = cb->args[0];
4620 struct nft_obj_filter *filter = cb->data;
4621 struct net *net = sock_net(skb->sk);
4622 int family = nfmsg->nfgen_family;
4623 struct nft_object *obj;
4626 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4630 cb->seq = net->nft.base_seq;
4632 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4633 if (family != NFPROTO_UNSPEC && family != table->afi->family)
4636 list_for_each_entry_rcu(obj, &table->objects, list) {
4637 if (!nft_is_active(net, obj))
4642 memset(&cb->args[1], 0,
4643 sizeof(cb->args) - sizeof(cb->args[0]));
4644 if (filter && filter->table[0] &&
4645 strcmp(filter->table, table->name))
4648 filter->type != NFT_OBJECT_UNSPEC &&
4649 obj->ops->type->type != filter->type)
4652 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4655 NLM_F_MULTI | NLM_F_APPEND,
4656 table->afi->family, table,
4660 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4672 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4674 struct nft_obj_filter *filter = cb->data;
4677 kfree(filter->table);
4684 static struct nft_obj_filter *
4685 nft_obj_filter_alloc(const struct nlattr * const nla[])
4687 struct nft_obj_filter *filter;
4689 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4691 return ERR_PTR(-ENOMEM);
4693 if (nla[NFTA_OBJ_TABLE]) {
4694 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4695 if (!filter->table) {
4697 return ERR_PTR(-ENOMEM);
4700 if (nla[NFTA_OBJ_TYPE])
4701 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4706 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4707 struct sk_buff *skb, const struct nlmsghdr *nlh,
4708 const struct nlattr * const nla[],
4709 struct netlink_ext_ack *extack)
4711 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4712 u8 genmask = nft_genmask_cur(net);
4713 int family = nfmsg->nfgen_family;
4714 const struct nft_af_info *afi;
4715 const struct nft_table *table;
4716 struct nft_object *obj;
4717 struct sk_buff *skb2;
4722 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4723 struct netlink_dump_control c = {
4724 .dump = nf_tables_dump_obj,
4725 .done = nf_tables_dump_obj_done,
4728 if (nla[NFTA_OBJ_TABLE] ||
4729 nla[NFTA_OBJ_TYPE]) {
4730 struct nft_obj_filter *filter;
4732 filter = nft_obj_filter_alloc(nla);
4738 return netlink_dump_start(nlsk, skb, nlh, &c);
4741 if (!nla[NFTA_OBJ_NAME] ||
4742 !nla[NFTA_OBJ_TYPE])
4745 afi = nf_tables_afinfo_lookup(net, family, false);
4747 return PTR_ERR(afi);
4749 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
4752 return PTR_ERR(table);
4754 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4755 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4757 return PTR_ERR(obj);
4759 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4763 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4766 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4767 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4768 family, table, obj, reset);
4772 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4778 static void nft_obj_destroy(struct nft_object *obj)
4780 if (obj->ops->destroy)
4781 obj->ops->destroy(obj);
4783 module_put(obj->ops->type->owner);
4788 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4789 struct sk_buff *skb, const struct nlmsghdr *nlh,
4790 const struct nlattr * const nla[],
4791 struct netlink_ext_ack *extack)
4793 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4794 u8 genmask = nft_genmask_next(net);
4795 int family = nfmsg->nfgen_family;
4796 struct nft_af_info *afi;
4797 struct nft_table *table;
4798 struct nft_object *obj;
4802 if (!nla[NFTA_OBJ_TYPE] ||
4803 !nla[NFTA_OBJ_NAME])
4806 afi = nf_tables_afinfo_lookup(net, family, true);
4808 return PTR_ERR(afi);
4810 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
4813 return PTR_ERR(table);
4815 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4816 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4818 return PTR_ERR(obj);
4822 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
4824 return nft_delobj(&ctx, obj);
4827 void nft_obj_notify(struct net *net, struct nft_table *table,
4828 struct nft_object *obj, u32 portid, u32 seq, int event,
4829 int family, int report, gfp_t gfp)
4831 struct sk_buff *skb;
4835 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4838 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4842 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4849 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4852 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4854 EXPORT_SYMBOL_GPL(nft_obj_notify);
4856 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4857 struct nft_object *obj, int event)
4859 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4860 ctx->family, ctx->report, GFP_KERNEL);
4866 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4868 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4869 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4870 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4872 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4874 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4876 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4877 list_del_rcu(&type->list);
4878 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4880 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4882 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4883 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4884 .len = NFT_NAME_MAXLEN - 1 },
4885 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4886 .len = NFT_NAME_MAXLEN - 1 },
4887 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4890 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4891 const struct nlattr *nla,
4894 struct nft_flowtable *flowtable;
4896 list_for_each_entry(flowtable, &table->flowtables, list) {
4897 if (!nla_strcmp(nla, flowtable->name) &&
4898 nft_active_genmask(flowtable, genmask))
4901 return ERR_PTR(-ENOENT);
4903 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4905 #define NFT_FLOWTABLE_DEVICE_MAX 8
4907 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4908 const struct nlattr *attr,
4909 struct net_device *dev_array[], int *len)
4911 const struct nlattr *tmp;
4912 struct net_device *dev;
4913 char ifname[IFNAMSIZ];
4914 int rem, n = 0, err;
4916 nla_for_each_nested(tmp, attr, rem) {
4917 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4922 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4923 dev = dev_get_by_name(ctx->net, ifname);
4929 dev_array[n++] = dev;
4930 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4944 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4945 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4946 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4947 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4950 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4951 const struct nlattr *attr,
4952 struct nft_flowtable *flowtable)
4954 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4955 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4956 struct nf_hook_ops *ops;
4957 int hooknum, priority;
4960 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4961 nft_flowtable_hook_policy, NULL);
4965 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
4966 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
4967 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
4970 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
4971 if (hooknum != NF_NETDEV_INGRESS)
4974 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
4976 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
4981 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
4987 flowtable->ops = ops;
4988 flowtable->ops_len = n;
4990 for (i = 0; i < n; i++) {
4991 flowtable->ops[i].pf = NFPROTO_NETDEV;
4992 flowtable->ops[i].hooknum = hooknum;
4993 flowtable->ops[i].priority = priority;
4994 flowtable->ops[i].priv = &flowtable->data.rhashtable;
4995 flowtable->ops[i].hook = flowtable->data.type->hook;
4996 flowtable->ops[i].dev = dev_array[i];
5001 for (i = 0; i < n; i++)
5002 dev_put(dev_array[i]);
5007 static const struct nf_flowtable_type *
5008 __nft_flowtable_type_get(const struct nft_af_info *afi)
5010 const struct nf_flowtable_type *type;
5012 list_for_each_entry(type, &nf_tables_flowtables, list) {
5013 if (afi->family == type->family)
5019 static const struct nf_flowtable_type *
5020 nft_flowtable_type_get(const struct nft_af_info *afi)
5022 const struct nf_flowtable_type *type;
5024 type = __nft_flowtable_type_get(afi);
5025 if (type != NULL && try_module_get(type->owner))
5028 #ifdef CONFIG_MODULES
5030 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5031 request_module("nf-flowtable-%u", afi->family);
5032 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5033 if (__nft_flowtable_type_get(afi))
5034 return ERR_PTR(-EAGAIN);
5037 return ERR_PTR(-ENOENT);
5040 void nft_flow_table_iterate(struct net *net,
5041 void (*iter)(struct nf_flowtable *flowtable, void *data),
5044 struct nft_flowtable *flowtable;
5045 const struct nft_af_info *afi;
5046 const struct nft_table *table;
5049 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
5050 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5051 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5052 iter(&flowtable->data, data);
5058 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5060 static void nft_unregister_flowtable_net_hooks(struct net *net,
5061 struct nft_flowtable *flowtable)
5065 for (i = 0; i < flowtable->ops_len; i++) {
5066 if (!flowtable->ops[i].dev)
5069 nf_unregister_net_hook(net, &flowtable->ops[i]);
5073 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5074 struct sk_buff *skb,
5075 const struct nlmsghdr *nlh,
5076 const struct nlattr * const nla[],
5077 struct netlink_ext_ack *extack)
5079 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5080 const struct nf_flowtable_type *type;
5081 u8 genmask = nft_genmask_next(net);
5082 int family = nfmsg->nfgen_family;
5083 struct nft_flowtable *flowtable;
5084 struct nft_af_info *afi;
5085 struct nft_table *table;
5089 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5090 !nla[NFTA_FLOWTABLE_NAME] ||
5091 !nla[NFTA_FLOWTABLE_HOOK])
5094 afi = nf_tables_afinfo_lookup(net, family, true);
5096 return PTR_ERR(afi);
5098 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5099 afi->family, genmask);
5101 return PTR_ERR(table);
5103 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5105 if (IS_ERR(flowtable)) {
5106 err = PTR_ERR(flowtable);
5110 if (nlh->nlmsg_flags & NLM_F_EXCL)
5116 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
5118 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5122 flowtable->table = table;
5123 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5124 if (!flowtable->name) {
5129 type = nft_flowtable_type_get(afi);
5131 err = PTR_ERR(type);
5135 flowtable->data.type = type;
5136 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5140 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5145 for (i = 0; i < flowtable->ops_len; i++) {
5146 err = nf_register_net_hook(net, &flowtable->ops[i]);
5151 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5155 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5156 queue_delayed_work(system_power_efficient_wq,
5157 &flowtable->data.gc_work, HZ);
5159 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5164 i = flowtable->ops_len;
5166 for (k = i - 1; k >= 0; k--)
5167 nf_unregister_net_hook(net, &flowtable->ops[i]);
5169 kfree(flowtable->ops);
5171 module_put(type->owner);
5173 kfree(flowtable->name);
5179 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5180 struct sk_buff *skb,
5181 const struct nlmsghdr *nlh,
5182 const struct nlattr * const nla[],
5183 struct netlink_ext_ack *extack)
5185 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5186 u8 genmask = nft_genmask_next(net);
5187 int family = nfmsg->nfgen_family;
5188 struct nft_flowtable *flowtable;
5189 struct nft_af_info *afi;
5190 struct nft_table *table;
5193 afi = nf_tables_afinfo_lookup(net, family, true);
5195 return PTR_ERR(afi);
5197 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5198 afi->family, genmask);
5200 return PTR_ERR(table);
5202 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5204 if (IS_ERR(flowtable))
5205 return PTR_ERR(flowtable);
5206 if (flowtable->use > 0)
5209 nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
5211 return nft_delflowtable(&ctx, flowtable);
5214 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5215 u32 portid, u32 seq, int event,
5216 u32 flags, int family,
5217 struct nft_flowtable *flowtable)
5219 struct nlattr *nest, *nest_devs;
5220 struct nfgenmsg *nfmsg;
5221 struct nlmsghdr *nlh;
5224 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5225 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5227 goto nla_put_failure;
5229 nfmsg = nlmsg_data(nlh);
5230 nfmsg->nfgen_family = family;
5231 nfmsg->version = NFNETLINK_V0;
5232 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5234 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5235 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5236 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)))
5237 goto nla_put_failure;
5239 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5240 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5241 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5242 goto nla_put_failure;
5244 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5246 goto nla_put_failure;
5248 for (i = 0; i < flowtable->ops_len; i++) {
5249 if (flowtable->ops[i].dev &&
5250 nla_put_string(skb, NFTA_DEVICE_NAME,
5251 flowtable->ops[i].dev->name))
5252 goto nla_put_failure;
5254 nla_nest_end(skb, nest_devs);
5255 nla_nest_end(skb, nest);
5257 nlmsg_end(skb, nlh);
5261 nlmsg_trim(skb, nlh);
5265 struct nft_flowtable_filter {
5269 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5270 struct netlink_callback *cb)
5272 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5273 struct nft_flowtable_filter *filter = cb->data;
5274 unsigned int idx = 0, s_idx = cb->args[0];
5275 struct net *net = sock_net(skb->sk);
5276 int family = nfmsg->nfgen_family;
5277 struct nft_flowtable *flowtable;
5278 const struct nft_table *table;
5281 cb->seq = net->nft.base_seq;
5283 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5284 if (family != NFPROTO_UNSPEC && family != table->afi->family)
5287 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5288 if (!nft_is_active(net, flowtable))
5293 memset(&cb->args[1], 0,
5294 sizeof(cb->args) - sizeof(cb->args[0]));
5295 if (filter && filter->table[0] &&
5296 strcmp(filter->table, table->name))
5299 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5301 NFT_MSG_NEWFLOWTABLE,
5302 NLM_F_MULTI | NLM_F_APPEND,
5303 table->afi->family, flowtable) < 0)
5306 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5318 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5320 struct nft_flowtable_filter *filter = cb->data;
5325 kfree(filter->table);
5331 static struct nft_flowtable_filter *
5332 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5334 struct nft_flowtable_filter *filter;
5336 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5338 return ERR_PTR(-ENOMEM);
5340 if (nla[NFTA_FLOWTABLE_TABLE]) {
5341 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5343 if (!filter->table) {
5345 return ERR_PTR(-ENOMEM);
5351 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5352 struct sk_buff *skb,
5353 const struct nlmsghdr *nlh,
5354 const struct nlattr * const nla[],
5355 struct netlink_ext_ack *extack)
5357 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5358 u8 genmask = nft_genmask_cur(net);
5359 int family = nfmsg->nfgen_family;
5360 struct nft_flowtable *flowtable;
5361 const struct nft_af_info *afi;
5362 const struct nft_table *table;
5363 struct sk_buff *skb2;
5366 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5367 struct netlink_dump_control c = {
5368 .dump = nf_tables_dump_flowtable,
5369 .done = nf_tables_dump_flowtable_done,
5372 if (nla[NFTA_FLOWTABLE_TABLE]) {
5373 struct nft_flowtable_filter *filter;
5375 filter = nft_flowtable_filter_alloc(nla);
5381 return netlink_dump_start(nlsk, skb, nlh, &c);
5384 if (!nla[NFTA_FLOWTABLE_NAME])
5387 afi = nf_tables_afinfo_lookup(net, family, false);
5389 return PTR_ERR(afi);
5391 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5392 afi->family, genmask);
5394 return PTR_ERR(table);
5396 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5399 return PTR_ERR(flowtable);
5401 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5405 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5407 NFT_MSG_NEWFLOWTABLE, 0, family,
5412 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5418 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5419 struct nft_flowtable *flowtable,
5422 struct sk_buff *skb;
5426 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5429 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5433 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5435 ctx->family, flowtable);
5441 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5442 ctx->report, GFP_KERNEL);
5445 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5448 static void nft_flowtable_destroy(void *ptr, void *arg)
5453 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5455 cancel_delayed_work_sync(&flowtable->data.gc_work);
5456 kfree(flowtable->name);
5457 rhashtable_free_and_destroy(&flowtable->data.rhashtable,
5458 nft_flowtable_destroy, NULL);
5459 module_put(flowtable->data.type->owner);
5462 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5463 u32 portid, u32 seq)
5465 struct nlmsghdr *nlh;
5466 struct nfgenmsg *nfmsg;
5467 char buf[TASK_COMM_LEN];
5468 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5470 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5472 goto nla_put_failure;
5474 nfmsg = nlmsg_data(nlh);
5475 nfmsg->nfgen_family = AF_UNSPEC;
5476 nfmsg->version = NFNETLINK_V0;
5477 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5479 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5480 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5481 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5482 goto nla_put_failure;
5484 nlmsg_end(skb, nlh);
5488 nlmsg_trim(skb, nlh);
5492 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5493 struct nft_flowtable *flowtable)
5497 for (i = 0; i < flowtable->ops_len; i++) {
5498 if (flowtable->ops[i].dev != dev)
5501 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5502 flowtable->ops[i].dev = NULL;
5507 static int nf_tables_flowtable_event(struct notifier_block *this,
5508 unsigned long event, void *ptr)
5510 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5511 struct nft_flowtable *flowtable;
5512 struct nft_table *table;
5514 if (event != NETDEV_UNREGISTER)
5517 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5518 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5519 list_for_each_entry(flowtable, &table->flowtables, list) {
5520 nft_flowtable_event(event, dev, flowtable);
5523 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5528 static struct notifier_block nf_tables_flowtable_notifier = {
5529 .notifier_call = nf_tables_flowtable_event,
5532 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5535 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5536 struct sk_buff *skb2;
5539 if (nlmsg_report(nlh) &&
5540 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5543 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5547 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5554 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5555 nlmsg_report(nlh), GFP_KERNEL);
5558 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5562 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5563 struct sk_buff *skb, const struct nlmsghdr *nlh,
5564 const struct nlattr * const nla[],
5565 struct netlink_ext_ack *extack)
5567 struct sk_buff *skb2;
5570 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5574 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5579 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5585 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5586 [NFT_MSG_NEWTABLE] = {
5587 .call_batch = nf_tables_newtable,
5588 .attr_count = NFTA_TABLE_MAX,
5589 .policy = nft_table_policy,
5591 [NFT_MSG_GETTABLE] = {
5592 .call = nf_tables_gettable,
5593 .attr_count = NFTA_TABLE_MAX,
5594 .policy = nft_table_policy,
5596 [NFT_MSG_DELTABLE] = {
5597 .call_batch = nf_tables_deltable,
5598 .attr_count = NFTA_TABLE_MAX,
5599 .policy = nft_table_policy,
5601 [NFT_MSG_NEWCHAIN] = {
5602 .call_batch = nf_tables_newchain,
5603 .attr_count = NFTA_CHAIN_MAX,
5604 .policy = nft_chain_policy,
5606 [NFT_MSG_GETCHAIN] = {
5607 .call = nf_tables_getchain,
5608 .attr_count = NFTA_CHAIN_MAX,
5609 .policy = nft_chain_policy,
5611 [NFT_MSG_DELCHAIN] = {
5612 .call_batch = nf_tables_delchain,
5613 .attr_count = NFTA_CHAIN_MAX,
5614 .policy = nft_chain_policy,
5616 [NFT_MSG_NEWRULE] = {
5617 .call_batch = nf_tables_newrule,
5618 .attr_count = NFTA_RULE_MAX,
5619 .policy = nft_rule_policy,
5621 [NFT_MSG_GETRULE] = {
5622 .call = nf_tables_getrule,
5623 .attr_count = NFTA_RULE_MAX,
5624 .policy = nft_rule_policy,
5626 [NFT_MSG_DELRULE] = {
5627 .call_batch = nf_tables_delrule,
5628 .attr_count = NFTA_RULE_MAX,
5629 .policy = nft_rule_policy,
5631 [NFT_MSG_NEWSET] = {
5632 .call_batch = nf_tables_newset,
5633 .attr_count = NFTA_SET_MAX,
5634 .policy = nft_set_policy,
5636 [NFT_MSG_GETSET] = {
5637 .call = nf_tables_getset,
5638 .attr_count = NFTA_SET_MAX,
5639 .policy = nft_set_policy,
5641 [NFT_MSG_DELSET] = {
5642 .call_batch = nf_tables_delset,
5643 .attr_count = NFTA_SET_MAX,
5644 .policy = nft_set_policy,
5646 [NFT_MSG_NEWSETELEM] = {
5647 .call_batch = nf_tables_newsetelem,
5648 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5649 .policy = nft_set_elem_list_policy,
5651 [NFT_MSG_GETSETELEM] = {
5652 .call = nf_tables_getsetelem,
5653 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5654 .policy = nft_set_elem_list_policy,
5656 [NFT_MSG_DELSETELEM] = {
5657 .call_batch = nf_tables_delsetelem,
5658 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5659 .policy = nft_set_elem_list_policy,
5661 [NFT_MSG_GETGEN] = {
5662 .call = nf_tables_getgen,
5664 [NFT_MSG_NEWOBJ] = {
5665 .call_batch = nf_tables_newobj,
5666 .attr_count = NFTA_OBJ_MAX,
5667 .policy = nft_obj_policy,
5669 [NFT_MSG_GETOBJ] = {
5670 .call = nf_tables_getobj,
5671 .attr_count = NFTA_OBJ_MAX,
5672 .policy = nft_obj_policy,
5674 [NFT_MSG_DELOBJ] = {
5675 .call_batch = nf_tables_delobj,
5676 .attr_count = NFTA_OBJ_MAX,
5677 .policy = nft_obj_policy,
5679 [NFT_MSG_GETOBJ_RESET] = {
5680 .call = nf_tables_getobj,
5681 .attr_count = NFTA_OBJ_MAX,
5682 .policy = nft_obj_policy,
5684 [NFT_MSG_NEWFLOWTABLE] = {
5685 .call_batch = nf_tables_newflowtable,
5686 .attr_count = NFTA_FLOWTABLE_MAX,
5687 .policy = nft_flowtable_policy,
5689 [NFT_MSG_GETFLOWTABLE] = {
5690 .call = nf_tables_getflowtable,
5691 .attr_count = NFTA_FLOWTABLE_MAX,
5692 .policy = nft_flowtable_policy,
5694 [NFT_MSG_DELFLOWTABLE] = {
5695 .call_batch = nf_tables_delflowtable,
5696 .attr_count = NFTA_FLOWTABLE_MAX,
5697 .policy = nft_flowtable_policy,
5701 static void nft_chain_commit_update(struct nft_trans *trans)
5703 struct nft_base_chain *basechain;
5705 if (nft_trans_chain_name(trans))
5706 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5708 if (!nft_is_base_chain(trans->ctx.chain))
5711 basechain = nft_base_chain(trans->ctx.chain);
5712 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5714 switch (nft_trans_chain_policy(trans)) {
5717 basechain->policy = nft_trans_chain_policy(trans);
5722 static void nf_tables_commit_release(struct nft_trans *trans)
5724 switch (trans->msg_type) {
5725 case NFT_MSG_DELTABLE:
5726 nf_tables_table_destroy(&trans->ctx);
5728 case NFT_MSG_DELCHAIN:
5729 nf_tables_chain_destroy(trans->ctx.chain);
5731 case NFT_MSG_DELRULE:
5732 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5734 case NFT_MSG_DELSET:
5735 nft_set_destroy(nft_trans_set(trans));
5737 case NFT_MSG_DELSETELEM:
5738 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5739 nft_trans_elem(trans).priv);
5741 case NFT_MSG_DELOBJ:
5742 nft_obj_destroy(nft_trans_obj(trans));
5744 case NFT_MSG_DELFLOWTABLE:
5745 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5751 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5753 struct nft_trans *trans, *next;
5754 struct nft_trans_elem *te;
5756 /* Bump generation counter, invalidate any dump in progress */
5757 while (++net->nft.base_seq == 0);
5759 /* A new generation has just started */
5760 net->nft.gencursor = nft_gencursor_next(net);
5762 /* Make sure all packets have left the previous generation before
5763 * purging old rules.
5767 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5768 switch (trans->msg_type) {
5769 case NFT_MSG_NEWTABLE:
5770 if (nft_trans_table_update(trans)) {
5771 if (!nft_trans_table_enable(trans)) {
5772 nf_tables_table_disable(net,
5774 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5777 nft_clear(net, trans->ctx.table);
5779 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5780 nft_trans_destroy(trans);
5782 case NFT_MSG_DELTABLE:
5783 list_del_rcu(&trans->ctx.table->list);
5784 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5786 case NFT_MSG_NEWCHAIN:
5787 if (nft_trans_chain_update(trans))
5788 nft_chain_commit_update(trans);
5790 nft_clear(net, trans->ctx.chain);
5792 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5793 nft_trans_destroy(trans);
5795 case NFT_MSG_DELCHAIN:
5796 list_del_rcu(&trans->ctx.chain->list);
5797 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5798 nf_tables_unregister_hook(trans->ctx.net,
5802 case NFT_MSG_NEWRULE:
5803 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5804 nf_tables_rule_notify(&trans->ctx,
5805 nft_trans_rule(trans),
5807 nft_trans_destroy(trans);
5809 case NFT_MSG_DELRULE:
5810 list_del_rcu(&nft_trans_rule(trans)->list);
5811 nf_tables_rule_notify(&trans->ctx,
5812 nft_trans_rule(trans),
5815 case NFT_MSG_NEWSET:
5816 nft_clear(net, nft_trans_set(trans));
5817 /* This avoids hitting -EBUSY when deleting the table
5818 * from the transaction.
5820 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5821 !list_empty(&nft_trans_set(trans)->bindings))
5822 trans->ctx.table->use--;
5824 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5825 NFT_MSG_NEWSET, GFP_KERNEL);
5826 nft_trans_destroy(trans);
5828 case NFT_MSG_DELSET:
5829 list_del_rcu(&nft_trans_set(trans)->list);
5830 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5831 NFT_MSG_DELSET, GFP_KERNEL);
5833 case NFT_MSG_NEWSETELEM:
5834 te = (struct nft_trans_elem *)trans->data;
5836 te->set->ops->activate(net, te->set, &te->elem);
5837 nf_tables_setelem_notify(&trans->ctx, te->set,
5839 NFT_MSG_NEWSETELEM, 0);
5840 nft_trans_destroy(trans);
5842 case NFT_MSG_DELSETELEM:
5843 te = (struct nft_trans_elem *)trans->data;
5845 nf_tables_setelem_notify(&trans->ctx, te->set,
5847 NFT_MSG_DELSETELEM, 0);
5848 te->set->ops->remove(net, te->set, &te->elem);
5849 atomic_dec(&te->set->nelems);
5852 case NFT_MSG_NEWOBJ:
5853 nft_clear(net, nft_trans_obj(trans));
5854 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5856 nft_trans_destroy(trans);
5858 case NFT_MSG_DELOBJ:
5859 list_del_rcu(&nft_trans_obj(trans)->list);
5860 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5863 case NFT_MSG_NEWFLOWTABLE:
5864 nft_clear(net, nft_trans_flowtable(trans));
5865 nf_tables_flowtable_notify(&trans->ctx,
5866 nft_trans_flowtable(trans),
5867 NFT_MSG_NEWFLOWTABLE);
5868 nft_trans_destroy(trans);
5870 case NFT_MSG_DELFLOWTABLE:
5871 list_del_rcu(&nft_trans_flowtable(trans)->list);
5872 nf_tables_flowtable_notify(&trans->ctx,
5873 nft_trans_flowtable(trans),
5874 NFT_MSG_DELFLOWTABLE);
5875 nft_unregister_flowtable_net_hooks(net,
5876 nft_trans_flowtable(trans));
5883 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5884 list_del(&trans->list);
5885 nf_tables_commit_release(trans);
5888 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5893 static void nf_tables_abort_release(struct nft_trans *trans)
5895 switch (trans->msg_type) {
5896 case NFT_MSG_NEWTABLE:
5897 nf_tables_table_destroy(&trans->ctx);
5899 case NFT_MSG_NEWCHAIN:
5900 nf_tables_chain_destroy(trans->ctx.chain);
5902 case NFT_MSG_NEWRULE:
5903 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5905 case NFT_MSG_NEWSET:
5906 nft_set_destroy(nft_trans_set(trans));
5908 case NFT_MSG_NEWSETELEM:
5909 nft_set_elem_destroy(nft_trans_elem_set(trans),
5910 nft_trans_elem(trans).priv, true);
5912 case NFT_MSG_NEWOBJ:
5913 nft_obj_destroy(nft_trans_obj(trans));
5915 case NFT_MSG_NEWFLOWTABLE:
5916 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5922 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5924 struct nft_trans *trans, *next;
5925 struct nft_trans_elem *te;
5927 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5929 switch (trans->msg_type) {
5930 case NFT_MSG_NEWTABLE:
5931 if (nft_trans_table_update(trans)) {
5932 if (nft_trans_table_enable(trans)) {
5933 nf_tables_table_disable(net,
5935 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5937 nft_trans_destroy(trans);
5939 list_del_rcu(&trans->ctx.table->list);
5942 case NFT_MSG_DELTABLE:
5943 nft_clear(trans->ctx.net, trans->ctx.table);
5944 nft_trans_destroy(trans);
5946 case NFT_MSG_NEWCHAIN:
5947 if (nft_trans_chain_update(trans)) {
5948 free_percpu(nft_trans_chain_stats(trans));
5950 nft_trans_destroy(trans);
5952 trans->ctx.table->use--;
5953 list_del_rcu(&trans->ctx.chain->list);
5954 nf_tables_unregister_hook(trans->ctx.net,
5959 case NFT_MSG_DELCHAIN:
5960 trans->ctx.table->use++;
5961 nft_clear(trans->ctx.net, trans->ctx.chain);
5962 nft_trans_destroy(trans);
5964 case NFT_MSG_NEWRULE:
5965 trans->ctx.chain->use--;
5966 list_del_rcu(&nft_trans_rule(trans)->list);
5968 case NFT_MSG_DELRULE:
5969 trans->ctx.chain->use++;
5970 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5971 nft_trans_destroy(trans);
5973 case NFT_MSG_NEWSET:
5974 trans->ctx.table->use--;
5975 list_del_rcu(&nft_trans_set(trans)->list);
5977 case NFT_MSG_DELSET:
5978 trans->ctx.table->use++;
5979 nft_clear(trans->ctx.net, nft_trans_set(trans));
5980 nft_trans_destroy(trans);
5982 case NFT_MSG_NEWSETELEM:
5983 te = (struct nft_trans_elem *)trans->data;
5985 te->set->ops->remove(net, te->set, &te->elem);
5986 atomic_dec(&te->set->nelems);
5988 case NFT_MSG_DELSETELEM:
5989 te = (struct nft_trans_elem *)trans->data;
5991 nft_set_elem_activate(net, te->set, &te->elem);
5992 te->set->ops->activate(net, te->set, &te->elem);
5995 nft_trans_destroy(trans);
5997 case NFT_MSG_NEWOBJ:
5998 trans->ctx.table->use--;
5999 list_del_rcu(&nft_trans_obj(trans)->list);
6001 case NFT_MSG_DELOBJ:
6002 trans->ctx.table->use++;
6003 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6004 nft_trans_destroy(trans);
6006 case NFT_MSG_NEWFLOWTABLE:
6007 trans->ctx.table->use--;
6008 list_del_rcu(&nft_trans_flowtable(trans)->list);
6009 nft_unregister_flowtable_net_hooks(net,
6010 nft_trans_flowtable(trans));
6012 case NFT_MSG_DELFLOWTABLE:
6013 trans->ctx.table->use++;
6014 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6015 nft_trans_destroy(trans);
6022 list_for_each_entry_safe_reverse(trans, next,
6023 &net->nft.commit_list, list) {
6024 list_del(&trans->list);
6025 nf_tables_abort_release(trans);
6031 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6033 return net->nft.base_seq == genid;
6036 static const struct nfnetlink_subsystem nf_tables_subsys = {
6037 .name = "nf_tables",
6038 .subsys_id = NFNL_SUBSYS_NFTABLES,
6039 .cb_count = NFT_MSG_MAX,
6041 .commit = nf_tables_commit,
6042 .abort = nf_tables_abort,
6043 .valid_genid = nf_tables_valid_genid,
6046 int nft_chain_validate_dependency(const struct nft_chain *chain,
6047 enum nft_chain_type type)
6049 const struct nft_base_chain *basechain;
6051 if (nft_is_base_chain(chain)) {
6052 basechain = nft_base_chain(chain);
6053 if (basechain->type->type != type)
6058 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6060 int nft_chain_validate_hooks(const struct nft_chain *chain,
6061 unsigned int hook_flags)
6063 struct nft_base_chain *basechain;
6065 if (nft_is_base_chain(chain)) {
6066 basechain = nft_base_chain(chain);
6068 if ((1 << basechain->ops.hooknum) & hook_flags)
6076 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6079 * Loop detection - walk through the ruleset beginning at the destination chain
6080 * of a new jump until either the source chain is reached (loop) or all
6081 * reachable chains have been traversed.
6083 * The loop check is performed whenever a new jump verdict is added to an
6084 * expression or verdict map or a verdict map is bound to a new chain.
6087 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6088 const struct nft_chain *chain);
6090 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6091 struct nft_set *set,
6092 const struct nft_set_iter *iter,
6093 struct nft_set_elem *elem)
6095 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6096 const struct nft_data *data;
6098 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6099 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6102 data = nft_set_ext_data(ext);
6103 switch (data->verdict.code) {
6106 return nf_tables_check_loops(ctx, data->verdict.chain);
6112 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6113 const struct nft_chain *chain)
6115 const struct nft_rule *rule;
6116 const struct nft_expr *expr, *last;
6117 struct nft_set *set;
6118 struct nft_set_binding *binding;
6119 struct nft_set_iter iter;
6121 if (ctx->chain == chain)
6124 list_for_each_entry(rule, &chain->rules, list) {
6125 nft_rule_for_each_expr(expr, last, rule) {
6126 const struct nft_data *data = NULL;
6129 if (!expr->ops->validate)
6132 err = expr->ops->validate(ctx, expr, &data);
6139 switch (data->verdict.code) {
6142 err = nf_tables_check_loops(ctx,
6143 data->verdict.chain);
6152 list_for_each_entry(set, &ctx->table->sets, list) {
6153 if (!nft_is_active_next(ctx->net, set))
6155 if (!(set->flags & NFT_SET_MAP) ||
6156 set->dtype != NFT_DATA_VERDICT)
6159 list_for_each_entry(binding, &set->bindings, list) {
6160 if (!(binding->flags & NFT_SET_MAP) ||
6161 binding->chain != chain)
6164 iter.genmask = nft_genmask_next(ctx->net);
6168 iter.fn = nf_tables_loop_check_setelem;
6170 set->ops->walk(ctx, set, &iter);
6180 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6182 * @attr: netlink attribute to fetch value from
6183 * @max: maximum value to be stored in dest
6184 * @dest: pointer to the variable
6186 * Parse, check and store a given u32 netlink attribute into variable.
6187 * This function returns -ERANGE if the value goes over maximum value.
6188 * Otherwise a 0 is returned and the attribute value is stored in the
6189 * destination variable.
6191 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6195 val = ntohl(nla_get_be32(attr));
6202 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6205 * nft_parse_register - parse a register value from a netlink attribute
6207 * @attr: netlink attribute
6209 * Parse and translate a register value from a netlink attribute.
6210 * Registers used to be 128 bit wide, these register numbers will be
6211 * mapped to the corresponding 32 bit register numbers.
6213 unsigned int nft_parse_register(const struct nlattr *attr)
6217 reg = ntohl(nla_get_be32(attr));
6219 case NFT_REG_VERDICT...NFT_REG_4:
6220 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6222 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6225 EXPORT_SYMBOL_GPL(nft_parse_register);
6228 * nft_dump_register - dump a register value to a netlink attribute
6230 * @skb: socket buffer
6231 * @attr: attribute number
6232 * @reg: register number
6234 * Construct a netlink attribute containing the register number. For
6235 * compatibility reasons, register numbers being a multiple of 4 are
6236 * translated to the corresponding 128 bit register numbers.
6238 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6240 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6241 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6243 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6245 return nla_put_be32(skb, attr, htonl(reg));
6247 EXPORT_SYMBOL_GPL(nft_dump_register);
6250 * nft_validate_register_load - validate a load from a register
6252 * @reg: the register number
6253 * @len: the length of the data
6255 * Validate that the input register is one of the general purpose
6256 * registers and that the length of the load is within the bounds.
6258 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6260 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6264 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6269 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6272 * nft_validate_register_store - validate an expressions' register store
6274 * @ctx: context of the expression performing the load
6275 * @reg: the destination register number
6276 * @data: the data to load
6277 * @type: the data type
6278 * @len: the length of the data
6280 * Validate that a data load uses the appropriate data type for
6281 * the destination register and the length is within the bounds.
6282 * A value of NULL for the data means that its runtime gathered
6285 int nft_validate_register_store(const struct nft_ctx *ctx,
6286 enum nft_registers reg,
6287 const struct nft_data *data,
6288 enum nft_data_types type, unsigned int len)
6293 case NFT_REG_VERDICT:
6294 if (type != NFT_DATA_VERDICT)
6298 (data->verdict.code == NFT_GOTO ||
6299 data->verdict.code == NFT_JUMP)) {
6300 err = nf_tables_check_loops(ctx, data->verdict.chain);
6304 if (ctx->chain->level + 1 >
6305 data->verdict.chain->level) {
6306 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6308 data->verdict.chain->level = ctx->chain->level + 1;
6314 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6318 if (reg * NFT_REG32_SIZE + len >
6319 FIELD_SIZEOF(struct nft_regs, data))
6322 if (data != NULL && type != NFT_DATA_VALUE)
6327 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6329 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6330 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6331 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6332 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6335 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6336 struct nft_data_desc *desc, const struct nlattr *nla)
6338 u8 genmask = nft_genmask_next(ctx->net);
6339 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6340 struct nft_chain *chain;
6343 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6348 if (!tb[NFTA_VERDICT_CODE])
6350 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6352 switch (data->verdict.code) {
6354 switch (data->verdict.code & NF_VERDICT_MASK) {
6369 if (!tb[NFTA_VERDICT_CHAIN])
6371 chain = nf_tables_chain_lookup(ctx->table,
6372 tb[NFTA_VERDICT_CHAIN], genmask);
6374 return PTR_ERR(chain);
6375 if (nft_is_base_chain(chain))
6379 data->verdict.chain = chain;
6383 desc->len = sizeof(data->verdict);
6384 desc->type = NFT_DATA_VERDICT;
6388 static void nft_verdict_uninit(const struct nft_data *data)
6390 switch (data->verdict.code) {
6393 data->verdict.chain->use--;
6398 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6400 struct nlattr *nest;
6402 nest = nla_nest_start(skb, type);
6404 goto nla_put_failure;
6406 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6407 goto nla_put_failure;
6412 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6414 goto nla_put_failure;
6416 nla_nest_end(skb, nest);
6423 static int nft_value_init(const struct nft_ctx *ctx,
6424 struct nft_data *data, unsigned int size,
6425 struct nft_data_desc *desc, const struct nlattr *nla)
6435 nla_memcpy(data->data, nla, len);
6436 desc->type = NFT_DATA_VALUE;
6441 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6444 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6447 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6448 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6449 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6453 * nft_data_init - parse nf_tables data netlink attributes
6455 * @ctx: context of the expression using the data
6456 * @data: destination struct nft_data
6457 * @size: maximum data length
6458 * @desc: data description
6459 * @nla: netlink attribute containing data
6461 * Parse the netlink data attributes and initialize a struct nft_data.
6462 * The type and length of data are returned in the data description.
6464 * The caller can indicate that it only wants to accept data of type
6465 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6467 int nft_data_init(const struct nft_ctx *ctx,
6468 struct nft_data *data, unsigned int size,
6469 struct nft_data_desc *desc, const struct nlattr *nla)
6471 struct nlattr *tb[NFTA_DATA_MAX + 1];
6474 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6478 if (tb[NFTA_DATA_VALUE])
6479 return nft_value_init(ctx, data, size, desc,
6480 tb[NFTA_DATA_VALUE]);
6481 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6482 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6485 EXPORT_SYMBOL_GPL(nft_data_init);
6488 * nft_data_release - release a nft_data item
6490 * @data: struct nft_data to release
6491 * @type: type of data
6493 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6494 * all others need to be released by calling this function.
6496 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6498 if (type < NFT_DATA_VERDICT)
6501 case NFT_DATA_VERDICT:
6502 return nft_verdict_uninit(data);
6507 EXPORT_SYMBOL_GPL(nft_data_release);
6509 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6510 enum nft_data_types type, unsigned int len)
6512 struct nlattr *nest;
6515 nest = nla_nest_start(skb, attr);
6520 case NFT_DATA_VALUE:
6521 err = nft_value_dump(skb, data, len);
6523 case NFT_DATA_VERDICT:
6524 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6531 nla_nest_end(skb, nest);
6534 EXPORT_SYMBOL_GPL(nft_data_dump);
6536 static int __net_init nf_tables_init_net(struct net *net)
6538 INIT_LIST_HEAD(&net->nft.af_info);
6539 INIT_LIST_HEAD(&net->nft.tables);
6540 INIT_LIST_HEAD(&net->nft.commit_list);
6541 net->nft.base_seq = 1;
6545 static void __net_exit nf_tables_exit_net(struct net *net)
6547 WARN_ON_ONCE(!list_empty(&net->nft.af_info));
6548 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6551 int __nft_release_basechain(struct nft_ctx *ctx)
6553 struct nft_rule *rule, *nr;
6555 BUG_ON(!nft_is_base_chain(ctx->chain));
6557 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6558 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6559 list_del(&rule->list);
6561 nf_tables_rule_destroy(ctx, rule);
6563 list_del(&ctx->chain->list);
6565 nf_tables_chain_destroy(ctx->chain);
6569 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6571 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
6572 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
6574 struct nft_flowtable *flowtable, *nf;
6575 struct nft_table *table, *nt;
6576 struct nft_chain *chain, *nc;
6577 struct nft_object *obj, *ne;
6578 struct nft_rule *rule, *nr;
6579 struct nft_set *set, *ns;
6580 struct nft_ctx ctx = {
6582 .family = afi->family,
6585 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6586 list_for_each_entry(chain, &table->chains, list)
6587 nf_tables_unregister_hook(net, table, chain);
6588 list_for_each_entry(flowtable, &table->flowtables, list)
6589 nf_unregister_net_hooks(net, flowtable->ops,
6590 flowtable->ops_len);
6591 /* No packets are walking on these chains anymore. */
6593 list_for_each_entry(chain, &table->chains, list) {
6595 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6596 list_del(&rule->list);
6598 nf_tables_rule_destroy(&ctx, rule);
6601 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6602 list_del(&flowtable->list);
6604 nf_tables_flowtable_destroy(flowtable);
6606 list_for_each_entry_safe(set, ns, &table->sets, list) {
6607 list_del(&set->list);
6609 nft_set_destroy(set);
6611 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6612 list_del(&obj->list);
6614 nft_obj_destroy(obj);
6616 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6617 list_del(&chain->list);
6619 nf_tables_chain_destroy(chain);
6621 list_del(&table->list);
6622 nf_tables_table_destroy(&ctx);
6626 static struct pernet_operations nf_tables_net_ops = {
6627 .init = nf_tables_init_net,
6628 .exit = nf_tables_exit_net,
6631 static int __init nf_tables_module_init(void)
6635 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6642 err = nf_tables_core_module_init();
6646 err = nfnetlink_subsys_register(&nf_tables_subsys);
6650 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6652 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
6653 return register_pernet_subsys(&nf_tables_net_ops);
6655 nf_tables_core_module_exit();
6662 static void __exit nf_tables_module_exit(void)
6664 unregister_pernet_subsys(&nf_tables_net_ops);
6665 nfnetlink_subsys_unregister(&nf_tables_subsys);
6666 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6668 nf_tables_core_module_exit();
6672 module_init(nf_tables_module_init);
6673 module_exit(nf_tables_module_exit);
6675 MODULE_LICENSE("GPL");
6676 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6677 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-rpi.git / blob